From 6b8e2e2643542a5540aaf3df148348b7084cd903 Mon Sep 17 00:00:00 2001
From: Mike Reeves <reevesmk@gmail.com>
Date: Wed, 1 Oct 2025 19:58:07 -0400
Subject: [PATCH 1/3] Add Filters

---
 .claude/settings.local.json              |  9 +++++
 salt/zeek/policy/custom/filters/dns      | 30 +++++++++++++++++
 salt/zeek/policy/custom/filters/files    |  1 +
 salt/zeek/policy/custom/filters/httphost | 20 +++++++++++
 salt/zeek/policy/custom/filters/httpuri  | 14 ++++++++
 salt/zeek/policy/custom/filters/ssl      | 29 ++++++++++++++++
 salt/zeek/policy/custom/filters/tunnel   | 17 ++++++++++
 salt/zeek/soc_zeek.yaml                  | 42 ++++++++++++++++++++++++
 8 files changed, 162 insertions(+)
 create mode 100644 .claude/settings.local.json
 create mode 100644 salt/zeek/policy/custom/filters/dns
 create mode 100644 salt/zeek/policy/custom/filters/files
 create mode 100644 salt/zeek/policy/custom/filters/httphost
 create mode 100644 salt/zeek/policy/custom/filters/httpuri
 create mode 100644 salt/zeek/policy/custom/filters/ssl
 create mode 100644 salt/zeek/policy/custom/filters/tunnel

diff --git a/.claude/settings.local.json b/.claude/settings.local.json
new file mode 100644
index 000000000..9f305e068
--- /dev/null
+++ b/.claude/settings.local.json
@@ -0,0 +1,9 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(grep:*)"
+    ],
+    "deny": []
+  },
+  "enableAllProjectMcpServers": false
+}
\ No newline at end of file
diff --git a/salt/zeek/policy/custom/filters/dns b/salt/zeek/policy/custom/filters/dns
new file mode 100644
index 000000000..e79032c19
--- /dev/null
+++ b/salt/zeek/policy/custom/filters/dns
@@ -0,0 +1,30 @@
+hook DNS::log_policy(rec: DNS::Info, id: Log::ID, filter: Log::Filter)
+    {
+       # Only put a single name per line otherwise there will be memory issues!
+       # If the query comes back blank don't log
+       if (!rec?$query)
+          break;
+
+       # If the query comes back with one of these don't log
+       if (rec?$query && /google.com$/ in rec$query)
+           break;
+
+       # If the query comes back with one of these don't log
+       if (rec?$query && /.apple.com$/ in rec$query)
+           break;
+
+       # Don't log reverse lookups
+       if (rec?$query && /.in-addr.arpa/ in to_lower(rec$query))
+           break;
+
+       # Don't log netbios lookups. This generates a cray amount of logs
+       if (rec?$qtype_name && /NB/ in rec$qtype_name)
+           break;
+    }
+
+event zeek_init()
+{
+    Log::remove_default_filter(DNS::LOG);
+    local filter: Log::Filter = [$name="dns-filter"];
+    Log::add_filter(DNS::LOG, filter);
+}
\ No newline at end of file
diff --git a/salt/zeek/policy/custom/filters/files b/salt/zeek/policy/custom/filters/files
new file mode 100644
index 000000000..867e2c849
--- /dev/null
+++ b/salt/zeek/policy/custom/filters/files
@@ -0,0 +1 @@
+# Placeholder
\ No newline at end of file
diff --git a/salt/zeek/policy/custom/filters/httphost b/salt/zeek/policy/custom/filters/httphost
new file mode 100644
index 000000000..29c682d33
--- /dev/null
+++ b/salt/zeek/policy/custom/filters/httphost
@@ -0,0 +1,20 @@
+### HTTP filter by host entries by string #####
+ 
+module Filterhttp;
+ 
+export {
+    global remove_host_entries: set[string] = {"www.genevalab.com", "www.google.com"};
+ }
+ 
+hook HTTP::log_policy(rec: HTTP::Info, id: Log::ID, filter: Log::Filter)
+   {
+   # Remove HTTP host entries
+ if ( ! rec?$host || rec$host in remove_host_entries )
+       break;
+   }
+event zeek_init()
+{
+   Log::remove_default_filter(HTTP::LOG);
+   local filter: Log::Filter = [$name="http-filter"];
+   Log::add_filter(HTTP::LOG, filter);
+}
\ No newline at end of file
diff --git a/salt/zeek/policy/custom/filters/httpuri b/salt/zeek/policy/custom/filters/httpuri
new file mode 100644
index 000000000..9a57cc5ff
--- /dev/null
+++ b/salt/zeek/policy/custom/filters/httpuri
@@ -0,0 +1,14 @@
+### HTTP filter by uri using pattern ####
+ 
+hook HTTP::log_policy(rec: HTTP::Info, id: Log::ID, filter: Log::Filter)
+   {
+   # Remove HTTP uri entries by regex
+ if ( rec?$uri && /^\/kratos\// in rec$uri )
+       break;
+   }
+event zeek_init()
+{
+   Log::remove_default_filter(HTTP::LOG);
+   local filter: Log::Filter = [$name="http-filter"];
+   Log::add_filter(HTTP::LOG, filter);
+}
\ No newline at end of file
diff --git a/salt/zeek/policy/custom/filters/ssl b/salt/zeek/policy/custom/filters/ssl
new file mode 100644
index 000000000..e7be0f768
--- /dev/null
+++ b/salt/zeek/policy/custom/filters/ssl
@@ -0,0 +1,29 @@
+### Log filter by JA3S md5 hash:
+hook SSL::log_policy(rec: SSL::Info, id: Log::ID, filter: Log::Filter)
+    {
+       # SSL log filter Ja3s by md5           
+           if (rec?c$ssl$ja3s_cipher && ( /623de93db17d313345d7ea481e7443cf/ )in rec$c$ssl$ja3s_cipher)
+               break;
+    }
+
+event zeek_init()
+{
+    Log::remove_default_filter(SSL::LOG);
+    local filter: Log::Filter = [$name="ssl-filter"];
+    Log::add_filter(SSL::LOG, filter);
+}
+
+### Log filter by server name:
+hook SSL::log_policy(rec: SSL::Info, id: Log::ID, filter: Log::Filter)
+  {
+    # SSL log filter by server name
+    if (rec?$server_name && ( /api.github.com$/ ) in rec$server_name)
+       break;
+  }
+
+event zeek_init()
+{
+   Log::remove_default_filter(SSL::LOG);
+   local filter: Log::Filter = [$name="ssl-filter"];
+   Log::add_filter(SSL::LOG, filter);
+}
\ No newline at end of file
diff --git a/salt/zeek/policy/custom/filters/tunnel b/salt/zeek/policy/custom/filters/tunnel
new file mode 100644
index 000000000..dd58caa4d
--- /dev/null
+++ b/salt/zeek/policy/custom/filters/tunnel
@@ -0,0 +1,17 @@
+global tunnel_subnet: set[subnet]={
+									
+	10.19.0.0/24
+			
+};
+
+hook Tunnel::log_policy(rec: Tunnel::Info, id: Log::ID, Filter: Log::Filter)
+	{
+	if (rec$id$orig_h in tunnel_subnet || rec$id$resp_h in tunnel_subnet)
+		break;
+	}
+event zeek_init()
+{
+    Log::remove_default_filter(Tunnel::LOG);
+    local filter: Log::Filter = [$name="tunnel-filter"];
+    Log::add_filter(Tunnel::LOG, filter);
+}
\ No newline at end of file
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index b3b655083..929b9debd 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -61,6 +61,48 @@ zeek:
           global: True
           advanced: True
           duplicates: True
+        dns:
+          description: DNS Filter for Zeek. This is an advanced setting and will take further action to enable.
+          helpLink: zeek.html
+          file: True
+          global: True
+          advanced: True
+          duplicates: True
+        files:
+          description: Files Filter for Zeek. This is an advanced setting and will take further action to enable.
+          helpLink: zeek.html
+          file: True
+          global: True
+          advanced: True
+          duplicates: True
+        httphost:
+          description: HTTP Hosts Filter for Zeek. This is an advanced setting and will take further action to enable.
+          helpLink: zeek.html
+          file: True
+          global: True
+          advanced: True
+          duplicates: True
+        httpuri:
+          description: HTTP URI Filter for Zeek. This is an advanced setting and will take further action to enable.
+          helpLink: zeek.html
+          file: True
+          global: True
+          advanced: True
+          duplicates: True
+        ssl:
+          description: SSL Filter for Zeek. This is an advanced setting and will take further action to enable.
+          helpLink: zeek.html
+          file: True
+          global: True
+          advanced: True
+          duplicates: True
+        tunnel:
+          description: Tunnel Filter for Zeek. This is an advanced setting and will take further action to enable.
+          helpLink: zeek.html
+          file: True
+          global: True
+          advanced: True
+          duplicates: True
   file_extraction:
     description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENSION"}
     forcedType: "[]{}"

From 9752d6169916271c7dce7b630dfa81d1ee162cf7 Mon Sep 17 00:00:00 2001
From: Mike Reeves <reevesmk@gmail.com>
Date: Wed, 1 Oct 2025 19:59:28 -0400
Subject: [PATCH 2/3] Add Filters

---
 .claude/settings.local.json | 9 ---------
 1 file changed, 9 deletions(-)
 delete mode 100644 .claude/settings.local.json

diff --git a/.claude/settings.local.json b/.claude/settings.local.json
deleted file mode 100644
index 9f305e068..000000000
--- a/.claude/settings.local.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "Bash(grep:*)"
-    ],
-    "deny": []
-  },
-  "enableAllProjectMcpServers": false
-}
\ No newline at end of file

From c16bf50493f673c50695dc1168fb4501e8a3504f Mon Sep 17 00:00:00 2001
From: Mike Reeves <mike.reeves@securityonionsolutions.com>
Date: Tue, 7 Oct 2025 14:20:25 -0400
Subject: [PATCH 3/3] Update files

---
 salt/zeek/policy/custom/filters/files | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/salt/zeek/policy/custom/filters/files b/salt/zeek/policy/custom/filters/files
index 867e2c849..311f37cc2 100644
--- a/salt/zeek/policy/custom/filters/files
+++ b/salt/zeek/policy/custom/filters/files
@@ -1 +1,13 @@
-# Placeholder
\ No newline at end of file
+hook Files::log_policy(rec: Files::Info, id: Log::ID, filter: Log::Filter)
+    {
+       # Turn off a specific mimetype
+           if (rec?$mime_type && ( /soap+xml/ | /json/ | /xml/ | /x509/ )in rec$mime_type)
+               break;
+    }
+
+event zeek_init()
+{
+    Log::remove_default_filter(Files::LOG);
+    local filter: Log::Filter = [$name="files-filter"];
+    Log::add_filter(Files::LOG, filter);
+}