Merge pull request #15114 from Security-Onion-Solutions/filters

Filters

salt/zeek/policy/custom/filters/dns

@@ -0,0 +1,30 @@
+hook DNS::log_policy(rec: DNS::Info, id: Log::ID, filter: Log::Filter)
+    {
+       # Only put a single name per line otherwise there will be memory issues!
+       # If the query comes back blank don't log
+       if (!rec?$query)
+          break;
+
+       # If the query comes back with one of these don't log
+       if (rec?$query && /google.com$/ in rec$query)
+           break;
+
+       # If the query comes back with one of these don't log
+       if (rec?$query && /.apple.com$/ in rec$query)
+           break;
+
+       # Don't log reverse lookups
+       if (rec?$query && /.in-addr.arpa/ in to_lower(rec$query))
+           break;
+
+       # Don't log netbios lookups. This generates a cray amount of logs
+       if (rec?$qtype_name && /NB/ in rec$qtype_name)
+           break;
+    }
+
+event zeek_init()
+{
+    Log::remove_default_filter(DNS::LOG);
+    local filter: Log::Filter = [$name="dns-filter"];
+    Log::add_filter(DNS::LOG, filter);
+}

salt/zeek/policy/custom/filters/files

@@ -0,0 +1,13 @@
+hook Files::log_policy(rec: Files::Info, id: Log::ID, filter: Log::Filter)
+    {
+       # Turn off a specific mimetype
+           if (rec?$mime_type && ( /soap+xml/ | /json/ | /xml/ | /x509/ )in rec$mime_type)
+               break;
+    }
+
+event zeek_init()
+{
+    Log::remove_default_filter(Files::LOG);
+    local filter: Log::Filter = [$name="files-filter"];
+    Log::add_filter(Files::LOG, filter);
+}

salt/zeek/policy/custom/filters/httphost

@@ -0,0 +1,20 @@
+### HTTP filter by host entries by string #####
+ 
+module Filterhttp;
+ 
+export {
+    global remove_host_entries: set[string] = {"www.genevalab.com", "www.google.com"};
+ }
+ 
+hook HTTP::log_policy(rec: HTTP::Info, id: Log::ID, filter: Log::Filter)
+   {
+   # Remove HTTP host entries
+ if ( ! rec?$host || rec$host in remove_host_entries )
+       break;
+   }
+event zeek_init()
+{
+   Log::remove_default_filter(HTTP::LOG);
+   local filter: Log::Filter = [$name="http-filter"];
+   Log::add_filter(HTTP::LOG, filter);
+}

salt/zeek/policy/custom/filters/httpuri

@@ -0,0 +1,14 @@
+### HTTP filter by uri using pattern ####
+ 
+hook HTTP::log_policy(rec: HTTP::Info, id: Log::ID, filter: Log::Filter)
+   {
+   # Remove HTTP uri entries by regex
+ if ( rec?$uri && /^\/kratos\// in rec$uri )
+       break;
+   }
+event zeek_init()
+{
+   Log::remove_default_filter(HTTP::LOG);
+   local filter: Log::Filter = [$name="http-filter"];
+   Log::add_filter(HTTP::LOG, filter);
+}

salt/zeek/policy/custom/filters/ssl

@@ -0,0 +1,29 @@
+### Log filter by JA3S md5 hash:
+hook SSL::log_policy(rec: SSL::Info, id: Log::ID, filter: Log::Filter)
+    {
+       # SSL log filter Ja3s by md5           
+           if (rec?c$ssl$ja3s_cipher && ( /623de93db17d313345d7ea481e7443cf/ )in rec$c$ssl$ja3s_cipher)
+               break;
+    }
+
+event zeek_init()
+{
+    Log::remove_default_filter(SSL::LOG);
+    local filter: Log::Filter = [$name="ssl-filter"];
+    Log::add_filter(SSL::LOG, filter);
+}
+
+### Log filter by server name:
+hook SSL::log_policy(rec: SSL::Info, id: Log::ID, filter: Log::Filter)
+  {
+    # SSL log filter by server name
+    if (rec?$server_name && ( /api.github.com$/ ) in rec$server_name)
+       break;
+  }
+
+event zeek_init()
+{
+   Log::remove_default_filter(SSL::LOG);
+   local filter: Log::Filter = [$name="ssl-filter"];
+   Log::add_filter(SSL::LOG, filter);
+}

salt/zeek/policy/custom/filters/tunnel

@@ -0,0 +1,17 @@
+global tunnel_subnet: set[subnet]={
+									
+	10.19.0.0/24
+			
+};
+
+hook Tunnel::log_policy(rec: Tunnel::Info, id: Log::ID, Filter: Log::Filter)
+	{
+	if (rec$id$orig_h in tunnel_subnet || rec$id$resp_h in tunnel_subnet)
+		break;
+	}
+event zeek_init()
+{
+    Log::remove_default_filter(Tunnel::LOG);
+    local filter: Log::Filter = [$name="tunnel-filter"];
+    Log::add_filter(Tunnel::LOG, filter);
+}

salt/zeek/soc_zeek.yaml

@@ -61,6 +61,48 @@ zeek:
           global: True
           advanced: True
           duplicates: True
+        dns:
+          description: DNS Filter for Zeek. This is an advanced setting and will take further action to enable.
+          helpLink: zeek.html
+          file: True
+          global: True
+          advanced: True
+          duplicates: True
+        files:
+          description: Files Filter for Zeek. This is an advanced setting and will take further action to enable.
+          helpLink: zeek.html
+          file: True
+          global: True
+          advanced: True
+          duplicates: True
+        httphost:
+          description: HTTP Hosts Filter for Zeek. This is an advanced setting and will take further action to enable.
+          helpLink: zeek.html
+          file: True
+          global: True
+          advanced: True
+          duplicates: True
+        httpuri:
+          description: HTTP URI Filter for Zeek. This is an advanced setting and will take further action to enable.
+          helpLink: zeek.html
+          file: True
+          global: True
+          advanced: True
+          duplicates: True
+        ssl:
+          description: SSL Filter for Zeek. This is an advanced setting and will take further action to enable.
+          helpLink: zeek.html
+          file: True
+          global: True
+          advanced: True
+          duplicates: True
+        tunnel:
+          description: Tunnel Filter for Zeek. This is an advanced setting and will take further action to enable.
+          helpLink: zeek.html
+          file: True
+          global: True
+          advanced: True
+          duplicates: True
   file_extraction:
     description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENSION"}
     forcedType: "[]{}"