CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-10 11:12:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove postprocess configuration

Browse Source
This commit is contained in:
Wes
2022-09-14 14:20:24 +00:00
parent e3cd8a9c6a
commit d1a8b88eb9
7 changed files with 0 additions and 240 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
salt/logstash/pipelines/config/so/8000_postprocess_bro_cleanup.conf
View File

@@ -1,17 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if "bro" in [tags] {
if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
#mutate {
# remove_field => [ "message" ]
#}
}
mutate {
#add_tag => [ "conf_file_8000"]
}
}
}

58
salt/logstash/pipelines/config/so/8001_postprocess_common_ip_augmentation.conf
View File

@@ -1,58 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/20/2017
filter {
if [source_ip] {
if [source_ip] == "-" {
mutate {
replace => { "source_ip" => "0.0.0.0" }
}
}
if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [source_ip] =~ "fe80::20c:29ff:fe19:f7d" or [source_ip] =~ "::1" {
mutate {
}
} else {
geoip {
source => "[source_ip]"
target => "source_geo"
}
}
if [source_ip] {
mutate {
add_field => { "ips" => "%{source_ip}" }
add_field => { "source_ips" => [ "%{source_ip}" ] }
}
}
}
if [destination_ip] {
if [destination_ip] == "-" {
mutate {
replace => { "destination_ip" => "0.0.0.0" }
}
}
if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." or [destination_ip] =~ "239.255.255.250" or [destination_ip] =~ "224\.0\.0\." or [destination_ip] =~ "255.255.255.255" or [destination_ip] =~ "ff02::fb" or [destination_ip] =~ "fe80::20c:29ff:fe19:f7d" or [destination_ip] =~ "224\.0\.1\." {
mutate {
}
}
else {
geoip {
source => "[destination_ip]"
target => "destination_geo"
}
}
}
if [destination_ip] {
mutate {
add_field => { "ips" => "%{destination_ip}" }
add_field => { "destination_ips" => [ "%{destination_ip}" ] }
}
}
}
#if [source_ip] or [destination_ip] {
# mutate {
#add_tag => [ "conf_file_8001"]
# }
#}

47
salt/logstash/pipelines/config/so/8006_postprocess_dns.conf
View File

@@ -1,47 +0,0 @@
# Original Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/13/2017
filter {
if [type] == "bro_dns" or "dns" in [tags] {
# Used for whois lookups - can create log loop
if [query] =~ "^whois\." {
drop { }
}
# REPLACE test.int with your internal domain
if [query] and [query] !~ "\.test\.int$" {
mutate {
lowercase => [ "query" ]
}
if [query_type_name] != "NB" and [query_type_name] != "TKEY" and [query_type_name] != "NBSTAT" and [query_type_name] != "PTR" {
tld {
source => "query"
}
ruby {
code => "event.set('query_length', event.get('query').length)"
}
mutate {
rename => { "[SubLog][sessionid]" => "sub_session_id" }
rename => { "[tld][domain]" => "highest_registered_domain" }
rename => { "[tld][trd]" => "subdomain" }
rename => { "[tld][tld]" => "top_level_domain" }
rename => { "[tld][sld]" => "parent_domain" }
}
if [parent_domain] {
ruby {
code => "event.set('parent_domain_length', event.get('parent_domain').length)"
}
}
if [subdomain] {
ruby {
code => "event.set('subdomain_length', event.get('subdomain').length)"
}
}
}
}
mutate {
#add_tag => [ "conf_file_8006"]
}
}
}

27
salt/logstash/pipelines/config/so/8007_postprocess_http.conf
View File

@@ -1,27 +0,0 @@
# Original Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/13/2017
filter {
if [type] == "bro_http" {
if [uri] {
ruby {
code => "event.set('uri_length', event.get('uri').length)"
}
}
if [virtual_host] {
ruby {
code => "event.set('virtual_host_length', event.get('virtual_host').length)"
}
}
if [useragent] {
ruby {
code => "event.set('useragent_length', event.get('useragent').length)"
}
}
mutate {
##add_tag => [ "conf_file_8007"]
}
}
}

63
salt/logstash/pipelines/config/so/8200_postprocess_tagging.conf
View File

@@ -1,63 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
if [destination_ip] {
if [destination_ip] =~ "10\." or [destination_ip] =~ "192\.168\." or [destination_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
mutate {
add_tag => [ "internal_destination" ]
}
} else {
mutate {
add_tag => [ "external_destination" ]
}
}
if "internal_destination" not in [tags] {
if [destination_ip] == "198.41.0.4" or [destination_ip] == "192.228.79.201" or [destination_ip] == "192.33.4.12" or [destination_ip] == "199.7.91.13" or [destination_ip] == "192.203.230.10" or [destination_ip] == "192.5.5.241" or [destination_ip] == "192.112.36.4" or [destination_ip] == "198.97.190.53" or [destination_ip] == "192.36.148.17" or [destination_ip] == "192.58.128.30" or [destination_ip] == "193.0.14.129" or [destination_ip] == "199.7.83.42" or [destination_ip] == "202.12.27.33" {
mutate {
add_tag => [ "root_dns_server" ]
}
}
}
# Customize this section to your environment
if [destination_ip] == "74.40.74.40" or [destination_ip] == "74.40.74.41" {
mutate {
add_tag => [ "authorized_dns_server" ]
}
}
}
if [source_ip] {
if [source_ip] =~ "10\." or [source_ip] =~ "192\.168\." or [source_ip] =~ "172\.(1[6-9]|2[0-9]|3[0-1])\." {
mutate {
add_tag => [ "internal_source" ]
}
} else {
mutate {
add_tag => [ "external_source" ]
}
}
if "internal_source" not in [tags] {
if [source_ip] == "198.41.0.4" or [source_ip] == "192.228.79.201" or [source_ip] == "192.33.4.12" or [source_ip] == "199.7.91.13" or [source_ip] == "192.203.230.10" or [source_ip] == "192.5.5.241" or [source_ip] == "192.112.36.4" or [source_ip] == "198.97.190.53" or [source_ip] == "192.36.148.17" or [source_ip] == "192.58.128.30" or [source_ip] == "193.0.14.129" or [source_ip] == "199.7.83.42" or [source_ip] == "202.12.27.33" {
mutate {
add_tag => [ "root_dns_server" ]
}
}
}
# Customize this section to your environment
if [destination_ip] == "74.40.74.40" and "authorized_dns_server" not in [tags] or [destination_ip] == "74.40.74.41" and "authorized_dns_server" not in [tags] {
mutate {
add_tag => [ "authorized_dns_server" ]
}
}
mutate {
##add_tag => [ "conf_file_8200"]
}
}
if [type] =~ /ossec|snort|firewall/ or "firewall" in [tags] {
mutate {
remove_tag => [ "syslog" ]
}
}
}

19
salt/logstash/pipelines/config/so/8998_postprocess_log_elapsed.conf
View File

@@ -1,19 +0,0 @@
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
filter {
ruby {
code => "event.set('task_end', Time.now.to_f)"
}
ruby {
code => "event.set('logstash_time', event.get('task_end') - event.get('task_start'))"
}
mutate {
remove_field => [ 'task_start', 'task_end' ]
}
mutate {
#add_tag => [ "conf_file_8998"]
}
}

9
salt/logstash/pipelines/config/so/8999_postprocess_rename_type.conf
View File

@@ -1,9 +0,0 @@
# Author: Doug Burks
# Last Update: 12/10/2017
filter {
mutate {
rename => [ "type", "event_type" ]
remove_field => [ "host" ]
}
}