diff --git a/salt/elasticsearch/files/ingest/suricata.dns b/salt/elasticsearch/files/ingest/suricata.dns
index e9fab994c..94ae5f73b 100644
--- a/salt/elasticsearch/files/ingest/suricata.dns
+++ b/salt/elasticsearch/files/ingest/suricata.dns
@@ -25,6 +25,13 @@
 {
 "rename": {
 "field": "message2.dns.tx_id",
+ "target_field": "dns.tx_id",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.dns.id",
 "target_field": "dns.id",
 "ignore_missing": true
 }
@@ -36,6 +43,14 @@
 "ignore_missing": true
 }
 },
+ {
+ "pipeline": {
+ "name": "suricata.dnsv3",
+ "ignore_missing_pipeline": true,
+ "if": "ctx?.dns?.version != null && ctx?.dns?.version == 3",
+ "ignore_failure": true
+ }
+ },
 {
 "rename": {
 "field": "message2.dns.rrname",
@@ -78,6 +93,13 @@
 "ignore_missing": true
 }
 },
+ {
+ "rename": {
+ "field": "message2.dns.opcode",
+ "target_field": "dns.opcode",
+ "ignore_missing": true
+ }
+ },
 {
 "rename": {
 "field": "message2.dns.rcode",
diff --git a/salt/elasticsearch/files/ingest/suricata.dnsv3 b/salt/elasticsearch/files/ingest/suricata.dnsv3
new file mode 100644
index 000000000..02b7f94ed
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.dnsv3
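Review bot: The `if` on the new `suricata.dnsv3` pipeline processor (second hunk) depends on `dns.version` already being populated, but nothing in these hunks shows the rename of `message2.dns.version`; if that rename sits later in the processors array than this processor, the condition is always false and v3 events keep their unparsed `message2.dns.queries` with nothing in the document saying why. Setting `ignore_failure: true` together with `ignore_missing_pipeline: true` also means a missing or throwing dnsv3 pipeline is discarded silently, so from a detection standpoint the DNS query fields go empty instead of surfacing in an error field. Prefer an explicit failure trail, e.g. replace `"ignore_failure": true` with `"on_failure": [{ "set": { "field": "error.message", "value": "{{ _ingest.on_failure_message }}" } }]`, and record the ordering assumption with a `"description"` on the processor. The enclosing processors array starts and ends outside these hunks.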
@@ -0,0 +1,88 @@
+{
+ "processors": [
+ {
+ "rename": {
+ "field": "message2.dns.queries",
+ "target_field": "dns.queries",
+ "ignore_missing": true,
+ "ignore_failure": true
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx?.dns?.queries != null && ctx?.dns?.queries.length > 0) {\n if (ctx.dns == null) {\n ctx.dns = new HashMap();\n }\n if (ctx.dns.query == null) {\n ctx.dns.query = new HashMap();\n }\n ctx.dns.query.name = ctx?.dns?.queries[0].rrname;\n}"
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx?.dns?.queries != null && ctx?.dns?.queries.length > 0) {\n if (ctx.dns == null) {\n ctx.dns = new HashMap();\n }\n if (ctx.dns.query == null) {\n ctx.dns.query = new HashMap();\n }\n ctx.dns.query.type_name = ctx?.dns?.queries[0].rrtype;\n}"
+ }
+ },
+ {
+ "foreach": {
+ "field": "dns.queries",
+ "processor": {
+ "rename": {
+ "field": "_ingest._value.rrname",
+ "target_field": "_ingest._value.name",
+ "ignore_missing": true
+ }
+ },
+ "ignore_failure": true
+ }
+ },
+ {
+ "foreach": {
+ "field": "dns.queries",
+ "processor": {
+ "rename": {
+ "field": "_ingest._value.rrtype",
+ "target_field": "_ingest._value.type_name",
+ "ignore_missing": true
+ }
+ },
+ "ignore_failure": true
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.top_level_domain = q.name.substring(q.name.lastIndexOf('.') + 1);\n }\n }\n}"
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.query_without_tld = q.name.substring(0, q.name.lastIndexOf('.'));\n }\n }\n}"
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.parent_domain = q.query_without_tld.substring(q.query_without_tld.lastIndexOf('.') + 1);\n }\n }\n}"
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.subdomain = q.query_without_tld.substring(0, q.query_without_tld.lastIndexOf('.'));\n }\n }\n}"
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null && q.top_level_domain != null) {\n q.highest_registered_domain = q.parent_domain + \".\" + q.top_level_domain;\n }\n }\n}"
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.subdomain != null) {\n q.subdomain_length = q.subdomain.length();\n }\n }\n}"
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null) {\n q.parent_domain_length = q.parent_domain.length();\n }\n }\n}"
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n q.remove('query_without_tld');\n }\n}"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/salt/elasticsearch/files/ingest/suricata.tld b/salt/elasticsearch/files/ingest/suricata.tld
new file mode 100644
index 000000000..f87a82d3d
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.tld
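Review bot: The scratch field `query_without_tld` is removed only by the final script processor, and none of the script processors carries `ignore_failure` or `on_failure`; if an earlier script throws (for example a `dns.queries` element whose `name` is not a string, so `q.name.contains('.')` fails), the calling pipeline's `ignore_failure` discards the error and the document is indexed half-enriched with the scratch field still in it. Folding the eight per-field loops into one script processor removes the scratch field, the seven extra passes over `dns.queries`, and the partial-state window, and gives a single place to describe the derivation. The split is a naive last-label one, so for `www.example.co.uk` the document gets `highest_registered_domain` = `co.uk` and `subdomain` = `www.example`; analytics keyed on these fields (subdomain length, registered-domain allow-lists) need that stated in the description. The pipeline also lacks the top-level `"description"` that `suricata.tld` has, e.g. `"description": "Suricata EVE DNS v3: flatten dns.queries[] into dns.query.* and derive TLD/parent/subdomain per query (last-label split, not public-suffix aware)"`.
```json
{
  "script": {
    "description": "Derive top_level_domain, parent_domain, subdomain, highest_registered_domain and their lengths for each dns.queries[] entry in one pass (last-label split, not public-suffix aware)",
    "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n  for (def q : ctx.dns.queries) {\n    if (q.name == null || !q.name.contains('.')) { continue; }\n    def tldIdx = q.name.lastIndexOf('.');\n    q.top_level_domain = q.name.substring(tldIdx + 1);\n    def rest = q.name.substring(0, tldIdx);\n    if (!rest.contains('.')) { continue; }\n    def pIdx = rest.lastIndexOf('.');\n    q.parent_domain = rest.substring(pIdx + 1);\n    q.subdomain = rest.substring(0, pIdx);\n    q.highest_registered_domain = q.parent_domain + '.' + q.top_level_domain;\n    q.subdomain_length = q.subdomain.length();\n    q.parent_domain_length = q.parent_domain.length();\n  }\n}"
  }
}
```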
@@ -0,0 +1,45 @@
+{
+ "description": "Duplicate of dns.tld for use within suricata.dns events that use dns.queries[] inplace of dns.query.x ",
+ "processors": [
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.top_level_domain = q.name.substring(q.name.lastIndexOf('.') + 1);\n }\n }\n}"
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.name != null && q.name.contains('.')) {\n q.query_without_tld = q.name.substring(0, q.name.lastIndexOf('.'));\n }\n }\n}"
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.parent_domain = q.query_without_tld.substring(q.query_without_tld.lastIndexOf('.') + 1);\n }\n }\n}"
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.query_without_tld != null && q.query_without_tld.contains('.')) {\n q.subdomain = q.query_without_tld.substring(0, q.query_without_tld.lastIndexOf('.'));\n }\n }\n}"
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null && q.top_level_domain != null) {\n q.highest_registered_domain = q.parent_domain + \".\" + q.top_level_domain;\n }\n }\n}"
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.subdomain != null) {\n q.subdomain_length = q.subdomain.length();\n }\n }\n}"
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n if (q.parent_domain != null) {\n q.parent_domain_length = q.parent_domain.length();\n }\n }\n}"
+ }
+ },
+ {
+ "script": {
"source": "if (ctx.dns != null && ctx.dns.queries != null) {\n for (def q : ctx.dns.queries) {\n q.remove('query_without_tld');\n }\n}"
+ }
+ }
+ ]
+}
\ No newline at end of file