CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion-saltstack into dev

Browse Source
This commit is contained in:
m0duspwnens
2020-03-13 07:56:39 -04:00
parent 1222f2cf0e 8b0509aa4a
commit f40d6d8ba9
102 changed files with 12942 additions and 1112 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
pillar/logstash/eval.sls
View File

@@ -5,11 +5,6 @@ logstash:
- so/0800_input_eval.conf
- so/1002_preprocess_json.conf
- so/1033_preprocess_snort.conf
- so/6500_ossec.conf
- so/6501_ossec_sysmon.conf
- so/6502_ossec_autoruns.conf
- so/6600_winlogbeat_sysmon.conf
- so/6700_winlogbeat.conf
- so/7100_osquery_wel.conf
- so/8999_postprocess_rename_type.conf
- so/9000_output_bro.conf.jinja
@@ -21,8 +16,8 @@ logstash:
- so/9600_output_ossec.conf.jinja
- so/9700_output_strelka.conf.jinja
templates:
- so/beats-template.json
- so/logstash-ossec-template.json
- so/logstash-strelka-template.json
- so/logstash-template.json
- so/logstash-bro-template.json
- so/so-beats-template.json
- so/so-ossec-template.json
- so/so-strelka-template.json
- so/so-template.json
- so/so-zeek-template.json

16
pillar/top.sls
View File

@@ -3,19 +3,19 @@ base:
- patch.needs_restarting
- docker.config
'G@role:so-mastersearch or G@role:so-heavynode':
'*_mastersearch or *_heavynode':
- match: compound
- logstash
- logstash.master
- logstash.search
'G@role:so-sensor':
'*_sensor':
- static
- firewall.*
- brologs
- minions.{{ grains.id }}
'G@role:so-master or G@role:so-mastersearch':
'*_master or *_mastersearch':
- match: compound
- static
- firewall.*
@@ -23,11 +23,11 @@ base:
- auth
- minions.{{ grains.id }}
'G@role:so-master':
'*_master':
- logstash
- logstash.master
'G@role:so-eval':
'*_eval':
- static
- firewall.*
- data.*
@@ -37,18 +37,18 @@ base:
- logstash.eval
- minions.{{ grains.id }}
'G@role:so-node':
'*_node':
- static
- firewall.*
- minions.{{ grains.id }}
'G@role:so-heavynode':
'*_heavynode':
- static
- firewall.*
- brologs
- minions.{{ grains.id }}
'G@role:so-helix':
'*_helix':
- static
- firewall.*
- fireeye

9
salt/elasticsearch/files/ingest/bro_common
View File

@@ -1,9 +0,0 @@
{
"description" : "bro_common",
"processors" : [
{ "rename": { "field": "@timestamp", "target_field": "timestamp", "ignore_missing": true } },
{ "date": { "field": "message2.ts", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "ignore_failure": true } },
{ "remove": { "field": "message2.ts", "ignore_failure": true } },
{ "pipeline": { "name": "common" } }
]
}

48
salt/elasticsearch/files/ingest/bro_conn
View File

@@ -1,48 +0,0 @@
{
"description" : "bro_conn",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
{ "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_bytes", "target_field": "original_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_bytes", "target_field": "respond_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.conn_state", "target_field": "connection_state", "ignore_missing": true } },
{ "rename": { "field": "message2.local_orig", "target_field": "local_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.local_resp", "target_field": "local_respond", "ignore_missing": true } },
{ "rename": { "field": "message2.missed_bytes", "target_field": "missed_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.history", "target_field": "history", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_pkts", "target_field": "original_packets", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_ip_bytes", "target_field": "original_ip_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_pkts", "target_field": "respond_packets", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_ip_bytes", "target_field": "respond_ip_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.tunnel_parents", "target_field": "tunnel_parents", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_cc", "target_field": "original_country_code","ignore_missing": true } },
{ "rename": { "field": "message2.resp_cc", "target_field": "respond_country_code", "ignore_missing": true } },
{ "rename": { "field": "message2.sensorname", "target_field": "sensor_name", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.total_bytes = (ctx.original_bytes + ctx.respond_bytes)", "ignore_failure": true } },
{ "set": { "if": "ctx.connection_state == 'S0'", "field": "connection_state_description", "value": "Connection attempt seen, no reply" } },
{ "set": { "if": "ctx.connection_state == 'S1'", "field": "connection_state_description", "value": "Connection established, not terminated" } },
{ "set": { "if": "ctx.connection_state == 'S2'", "field": "connection_state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
{ "set": { "if": "ctx.connection_state == 'S3'", "field": "connection_state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
{ "set": { "if": "ctx.connection_state == 'SF'", "field": "connection_state_description", "value": "Normal SYN/FIN completion" } },
{ "set": { "if": "ctx.connection_state == 'REJ'", "field": "connection_state_description", "value": "Connection attempt rejected" } },
{ "set": { "if": "ctx.connection_state == 'RSTO'", "field": "connection_state_description", "value": "Connection established, originator aborted (sent a RST)" } },
{ "set": { "if": "ctx.connection_state == 'RSTR'", "field": "connection_state_description", "value": "Established, responder aborted" } },
{ "set": { "if": "ctx.connection_state == 'RSTOS0'","field": "connection_state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
{ "set": { "if": "ctx.connection_state == 'RSTRH'", "field": "connection_state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
{ "set": { "if": "ctx.connection_state == 'SH'", "field": "connection_state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
{ "set": { "if": "ctx.connection_state == 'SHR'", "field": "connection_state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
{ "set": { "if": "ctx.connection_state == 'OTH'", "field": "connection_state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
{ "pipeline": { "name": "bro_common" } }
]
}

20
salt/elasticsearch/files/ingest/bro_dce_rpc
View File

@@ -1,20 +0,0 @@
{
"description" : "bro_dce_rpc",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.rtt", "target_field": "rtt", "ignore_missing": true } },
{ "rename": { "field": "message2.named_pipe", "target_field": "named_pipe", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint", "target_field": "endpoint", "ignore_missing": true } },
{ "rename": { "field": "message2.operation", "target_field": "operation", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

19
salt/elasticsearch/files/ingest/bro_dnp3
View File

@@ -1,19 +0,0 @@
{
"description" : "bro_dnp3",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.fc_request", "target_field": "fc_request", "ignore_missing": true } },
{ "rename": { "field": "message2.fc_reply", "target_field": "fc_reply", "ignore_missing": true } },
{ "rename": { "field": "message2.iin", "target_field": "iin", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

35
salt/elasticsearch/files/ingest/bro_dns
View File

@@ -1,35 +0,0 @@
{
"description" : "bro_dns",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.trans_id", "target_field": "transaction_id", "ignore_missing": true } },
{ "rename": { "field": "message2.rtt", "target_field": "rtt", "ignore_missing": true } },
{ "rename": { "field": "message2.query", "target_field": "query", "ignore_missing": true } },
{ "rename": { "field": "message2.qclass", "target_field": "query_class", "ignore_missing": true } },
{ "rename": { "field": "message2.qclass_name", "target_field": "query_class_name", "ignore_missing": true } },
{ "rename": { "field": "message2.qtype", "target_field": "query_type", "ignore_missing": true } },
{ "rename": { "field": "message2.qtype_name", "target_field": "query_type_name", "ignore_missing": true } },
{ "rename": { "field": "message2.rcode", "target_field": "rcode", "ignore_missing": true } },
{ "rename": { "field": "message2.rcode_name", "target_field": "rcode_name", "ignore_missing": true } },
{ "rename": { "field": "message2.AA", "target_field": "aa", "ignore_missing": true } },
{ "rename": { "field": "message2.TC", "target_field": "tc", "ignore_missing": true } },
{ "rename": { "field": "message2.RD", "target_field": "rd", "ignore_missing": true } },
{ "rename": { "field": "message2.RA", "target_field": "ra", "ignore_missing": true } },
{ "rename": { "field": "message2.Z", "target_field": "z", "ignore_missing": true } },
{ "rename": { "field": "message2.answers", "target_field": "answers", "ignore_missing": true } },
{ "rename": { "field": "message2.TTLs", "target_field": "ttls", "ignore_missing": true } },
{ "rename": { "field": "message2.rejected", "target_field": "rejected", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.query_length = ctx.query.length()", "ignore_failure": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

32
salt/elasticsearch/files/ingest/bro_files
View File

@@ -1,32 +0,0 @@
{
"description" : "bro_files",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.tx_hosts", "target_field": "file_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.rx_hosts.0", "target_field": "destination.ip", "ignore_missing": true } },
{ "remove": { "field": "message2.rx_hosts", "ignore_missing": true } },
{ "rename": { "field": "message2.conn_uids", "target_field": "uid", "ignore_missing": true } },
{ "remove": { "field": "source", "ignore_missing": true } },
{ "rename": { "field": "message2.source", "target_field": "file_source", "ignore_missing": true } },
{ "rename": { "field": "message2.depth", "target_field": "depth", "ignore_missing": true } },
{ "rename": { "field": "message2.analyzers", "target_field": "analyzer", "ignore_missing": true } },
{ "rename": { "field": "message2.mime_type", "target_field": "mimetype", "ignore_missing": true } },
{ "rename": { "field": "message2.filename", "target_field": "file_name", "ignore_missing": true } },
{ "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
{ "rename": { "field": "message2.local_orig", "target_field": "local_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "is_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.seen_bytes", "target_field": "seen_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.total_bytes", "target_field": "total_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.missing_bytes", "target_field": "missing_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.overflow_bytes", "target_field": "overflow_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.timedout", "target_field": "timed_out", "ignore_missing": true } },
{ "rename": { "field": "message2.parent_fuid", "target_field": "parent_fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.md5", "target_field": "md5", "ignore_missing": true } },
{ "rename": { "field": "message2.sha1", "target_field": "sha1", "ignore_missing": true } },
{ "rename": { "field": "message2.extracted", "target_field": "extracted", "ignore_missing": true } },
{ "rename": { "field": "message2.extracted_cutoff", "target_field": "extracted_cutoff", "ignore_missing": true } },
{ "rename": { "field": "message2.extracted_size", "target_field": "extracted_size", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

33
salt/elasticsearch/files/ingest/bro_ftp
View File

@@ -1,33 +0,0 @@
{
"description" : "bro_http",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.user", "target_field": "username", "ignore_missing": true } },
{ "rename": { "field": "message2.password", "target_field": "password", "ignore_missing": true } },
{ "rename": { "field": "message2.command", "target_field": "ftp_command", "ignore_missing": true } },
{ "rename": { "field": "message2.arg", "target_field": "ftp_argument", "ignore_missing": true } },
{ "rename": { "field": "message2.mime_type", "target_field": "mimetype", "ignore_missing": true } },
{ "rename": { "field": "message2.file_size", "target_field": "file_size", "ignore_missing": true } },
{ "rename": { "field": "message2.reply_code", "target_field": "reply_code", "ignore_missing": true } },
{ "rename": { "field": "message2.reply_msg", "target_field": "reply_message", "ignore_missing": true } },
{ "dot_expander": { "field": "data_channel.passive", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.data_channel.passive","target_field": "data_channel_passive", "ignore_missing": true } },
{ "dot_expander": { "field": "data_channel.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.data_channel.orig_h","target_field": "data_channel_source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "data_channel.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.data_channel.resp_h","target_field": "data_channel_destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "data_channel.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.data_channel.resp_p","target_field": "data_channel_destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

42
salt/elasticsearch/files/ingest/bro_http
View File

@@ -1,42 +0,0 @@
{
"description" : "bro_http",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
{ "rename": { "field": "message2.method", "target_field": "method", "ignore_missing": true } },
{ "rename": { "field": "message2.host", "target_field": "virtual_host", "ignore_missing": true } },
{ "rename": { "field": "message2.uri", "target_field": "uri", "ignore_missing": true } },
{ "rename": { "field": "message2.referrer", "target_field": "referrer", "ignore_missing": true } },
{ "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
{ "rename": { "field": "message2.user_agent", "target_field": "useragent", "ignore_missing": true } },
{ "rename": { "field": "message2.request_body_len", "target_field": "request_body_length", "ignore_missing": true } },
{ "rename": { "field": "message2.response_body_len","target_field": "response_body_length", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code", "target_field": "status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.status_msg", "target_field": "status_message", "ignore_missing": true } },
{ "rename": { "field": "message2.info_code", "target_field": "info_code", "ignore_missing": true } },
{ "rename": { "field": "message2.info_msg", "target_field": "info_message", "ignore_missing": true } },
{ "remove": { "field": "message2.tags", "ignore_failure": true } },
{ "rename": { "field": "message2.username", "target_field": "user", "ignore_missing": true } },
{ "rename": { "field": "message2.password", "target_field": "password", "ignore_missing": true } },
{ "rename": { "field": "message2.proxied", "target_field": "proxied", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_fuids", "target_field": "orig_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_filenames", "target_field": "orig_filenames", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_mime_types", "target_field": "orig_mime_types", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_fuids", "target_field": "resp_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_filenames", "target_field": "resp_filenames", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_mime_types", "target_field": "resp_mime_types", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.uri_length = ctx.uri.length()", "ignore_failure": true } },
{ "script": { "lang": "painless", "source": "ctx.useragent_length = ctx.useragent.length()", "ignore_failure": true } },
{ "script": { "lang": "painless", "source": "ctx.virtual_host_length = ctx.virtual_host.length()", "ignore_failure": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

29
salt/elasticsearch/files/ingest/bro_intel
View File

@@ -1,29 +0,0 @@
{
"description" : "bro_intel",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "dot_expander": { "field": "seen.indicator", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.seen.indicator", "target_field": "indicator", "ignore_missing": true } },
{ "dot_expander": { "field": "seen.indicator_type", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.seen.indicator_type", "target_field": "indicator_type", "ignore_missing": true } },
{ "dot_expander": { "field": "seen.where", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.seen.where", "target_field": "seen_where", "ignore_missing": true } },
{ "dot_expander": { "field": "seen.node", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.seen.node", "target_field": "seen_node", "ignore_missing": true } },
{ "rename": { "field": "message2.matched", "target_field": "matched", "ignore_missing": true } },
{ "rename": { "field": "message2.sources", "target_field": "sources", "ignore_missing": true } },
{ "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.file_mime_type", "target_field": "mimetype", "ignore_missing": true } },
{ "rename": { "field": "message2.file_desc", "target_field": "file_description", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

25
salt/elasticsearch/files/ingest/bro_irc
View File

@@ -1,25 +0,0 @@
{
"description" : "bro_irc",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.nick", "target_field": "nick", "ignore_missing": true } },
{ "rename": { "field": "message2.user", "target_field": "irc_username", "ignore_missing": true } },
{ "rename": { "field": "message2.command", "target_field": "irc_command", "ignore_missing": true } },
{ "rename": { "field": "message2.value", "target_field": "value", "ignore_missing": true } },
{ "rename": { "field": "message2.addl", "target_field": "additional_info", "ignore_missing": true } },
{ "rename": { "field": "message2.dcc_file_name", "target_field": "dcc_file_name", "ignore_missing": true } },
{ "rename": { "field": "message2.dcc_file_size", "target_field": "dcc_file_size", "ignore_missing": true } },
{ "rename": { "field": "message2.dcc_mime_type", "target_field": "dcc_mime_type", "ignore_missing": true } },
{ "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

30
salt/elasticsearch/files/ingest/bro_kerberos
View File

@@ -1,30 +0,0 @@
{
"description" : "bro_kerberos",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.request_type", "target_field": "request_type", "ignore_missing": true } },
{ "rename": { "field": "message2.client", "target_field": "client", "ignore_missing": true } },
{ "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
{ "rename": { "field": "message2.success", "target_field": "kerberos_success", "ignore_missing": true } },
{ "rename": { "field": "message2.error_msg", "target_field": "error_message", "ignore_missing": true } },
{ "rename": { "field": "message2.from", "target_field": "valid_from", "ignore_missing": true } },
{ "rename": { "field": "message2.till", "target_field": "valid_till", "ignore_missing": true } },
{ "rename": { "field": "message2.cipher", "target_field": "cipher", "ignore_missing": true } },
{ "rename": { "field": "message2.forwardable", "target_field": "forwardable", "ignore_missing": true } },
{ "rename": { "field": "message2.renewable", "target_field": "renewable", "ignore_missing": true } },
{ "rename": { "field": "message2.client_cert_subject", "target_field": "client_certificate_subject", "ignore_missing": true } },
{ "rename": { "field": "message2.client_cert_fuid", "target_field": "client_certificate_fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.server_cert_subject", "target_field": "server_certificate_subject", "ignore_missing": true } },
{ "rename": { "field": "message2.server_cert_fuid", "target_field": "server_certificate_fuid", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

18
salt/elasticsearch/files/ingest/bro_modbus
View File

@@ -1,18 +0,0 @@
{
"description" : "bro_modbus",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.func", "target_field": "function", "ignore_missing": true } },
{ "rename": { "field": "message2.exception", "target_field": "exception", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

21
salt/elasticsearch/files/ingest/bro_mysql
View File

@@ -1,21 +0,0 @@
{
"description" : "bro_mysql",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.cmd", "target_field": "mysql_command", "ignore_missing": true } },
{ "rename": { "field": "message2.arg", "target_field": "mysql_argument", "ignore_missing": true } },
{ "rename": { "field": "message2.success", "target_field": "mysql_success", "ignore_missing": true } },
{ "rename": { "field": "message2.rows", "target_field": "rows", "ignore_missing": true } },
{ "rename": { "field": "message2.response", "target_field": "response", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

24
salt/elasticsearch/files/ingest/bro_ntlm
View File

@@ -1,24 +0,0 @@
{
"description" : "bro_ntlm",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.hostname", "target_field": "hostname", "ignore_missing": true } },
{ "rename": { "field": "message2.domainname", "target_field": "domain_name", "ignore_missing": true } },
{ "rename": { "field": "message2.success", "target_field": "ntlm_success", "ignore_missing": true } },
{ "rename": { "field": "message2.status", "target_field": "status", "ignore_missing": true } },
{ "rename": { "field": "message2.username", "target_field": "username", "ignore_missing": true } },
{ "rename": { "field": "message2.server_dns_computer_name", "target_field": "server_dns_computer_name", "ignore_missing": true } },
{ "rename": { "field": "message2.server_nb_computer_name", "target_field": "server_nb_computer_name", "ignore_missing": true } },
{ "rename": { "field": "message2.server_tree_name", "target_field": "server_tree_name", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

23
salt/elasticsearch/files/ingest/bro_pe
View File

@@ -1,23 +0,0 @@
{
"description" : "bro_pe",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id", "target_field": "fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.machine", "target_field": "machine", "ignore_missing": true } },
{ "rename": { "field": "message2.compile_ts", "target_field": "compile_ts", "ignore_missing": true } },
{ "rename": { "field": "message2.os", "target_field": "os", "ignore_missing": true } },
{ "rename": { "field": "message2.subsystem", "target_field": "subsystem", "ignore_missing": true } },
{ "rename": { "field": "message2.is_exe", "target_field": "is_exe", "ignore_missing": true } },
{ "rename": { "field": "message2.is_64bit", "target_field": "is_64bit", "ignore_missing": true } },
{ "rename": { "field": "message2.uses_aslr", "target_field": "uses_aslr", "ignore_missing": true } },
{ "rename": { "field": "message2.uses_dep", "target_field": "uses_dep", "ignore_missing": true } },
{ "rename": { "field": "message2.uses_code_integrity","target_field": "uses_code_integrity","ignore_missing": true } },
{ "rename": { "field": "message2.uses_seh", "target_field": "uses_seh", "ignore_missing": true } },
{ "rename": { "field": "message2.has_import_table", "target_field": "has_import_table", "ignore_missing": true } },
{ "rename": { "field": "message2.has_export_table", "target_field": "has_export_table", "ignore_missing": true } },
{ "rename": { "field": "message2.has_cert_table", "target_field": "has_cert_table", "ignore_missing": true } },
{ "rename": { "field": "message2.has_debug_data", "target_field": "has_debug_data", "ignore_missing": true } },
{ "rename": { "field": "message2.section_names", "target_field": "section_names", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

25
salt/elasticsearch/files/ingest/bro_radius
View File

@@ -1,25 +0,0 @@
{
"description" : "bro_radius",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.username", "target_field": "username", "ignore_missing": true } },
{ "rename": { "field": "message2.mac", "target_field": "mac", "ignore_missing": true } },
{ "rename": { "field": "message2.framed_addr", "target_field": "framed_addr", "ignore_missing": true } },
{ "rename": { "field": "message2.remote_ip", "target_field": "remote_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.connect_info", "target_field": "connect_info", "ignore_missing": true } },
{ "rename": { "field": "message2.reply_msg", "target_field": "reply_message", "ignore_missing": true } },
{ "rename": { "field": "message2.result", "target_field": "result", "ignore_missing": true } },
{ "remove": { "field": "message2.ttl", "ignore_failure": true } },
{ "rename": { "field": "message2.logged", "target_field": "logged", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

31
salt/elasticsearch/files/ingest/bro_rdp
View File

@@ -1,31 +0,0 @@
{
"description" : "bro_rdp",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.cookie", "target_field": "cookie", "ignore_missing": true } },
{ "rename": { "field": "message2.result", "target_field": "result", "ignore_missing": true } },
{ "rename": { "field": "message2.security_protocol","target_field": "security_protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.keyboard_layout", "target_field": "keyboard_layout", "ignore_missing": true } },
{ "rename": { "field": "message2.client_build", "target_field": "client_build", "ignore_missing": true } },
{ "rename": { "field": "message2.client_name", "target_field": "client_name", "ignore_missing": true } },
{ "rename": { "field": "message2.client_dig_product_id", "target_field": "client_digital_product_id", "ignore_missing": true } },
{ "rename": { "field": "message2.desktop_width", "target_field": "desktop_width", "ignore_missing": true } },
{ "rename": { "field": "message2.desktop_height", "target_field": "desktop_height", "ignore_missing": true } },
{ "rename": { "field": "message2.requested_color_depth", "target_field": "requested_color_depth", "ignore_missing": true } },
{ "rename": { "field": "message2.cert_type", "target_field": "certificate_type", "ignore_missing": true } },
{ "rename": { "field": "message2.cert_count", "target_field": "certificate_count", "ignore_missing": true } },
{ "rename": { "field": "message2.cert_permanent", "target_field": "certificate_permanent","ignore_missing": true } },
{ "rename": { "field": "message2.encryption_level", "target_field": "encryption_level", "ignore_missing": true } },
{ "rename": { "field": "message2.encryption_method","target_field": "encryption_method", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

26
salt/elasticsearch/files/ingest/bro_rfb
View File

@@ -1,26 +0,0 @@
{
"description" : "bro_rfb",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.client_major_version", "target_field": "client_major_version", "ignore_missing": true } },
{ "rename": { "field": "message2.client_minor_version", "target_field": "client_minor_version", "ignore_missing": true } },
{ "rename": { "field": "message2.server_major_version", "target_field": "server_major_version", "ignore_missing": true } },
{ "rename": { "field": "message2.server_minor_version", "target_field": "server_minor_version", "ignore_missing": true } },
{ "rename": { "field": "message2.authentication_method", "target_field": "authentication_method","ignore_missing": true } },
{ "rename": { "field": "message2.auth", "target_field": "auth", "ignore_missing": true } },
{ "rename": { "field": "message2.share_flag", "target_field": "share_flag", "ignore_missing": true } },
{ "rename": { "field": "message2.desktop_name", "target_field": "desktop_name", "ignore_missing": true } },
{ "rename": { "field": "message2.width", "target_field": "width", "ignore_missing": true } },
{ "rename": { "field": "message2.height", "target_field": "height", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

22
salt/elasticsearch/files/ingest/bro_signatures
View File

@@ -1,22 +0,0 @@
{
"description" : "bro_signatures",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } },
{ "rename": { "field": "message2.sig_id", "target_field": "signature_id", "ignore_missing": true } },
{ "rename": { "field": "message2.event_msg", "target_field": "event_message", "ignore_missing": true } },
{ "rename": { "field": "message2.sub_msg", "target_field": "sub_message", "ignore_missing": true } },
{ "rename": { "field": "message2.sig_count", "target_field": "signature_count", "ignore_missing": true } },
{ "rename": { "field": "message2.host_count", "target_field": "host_count", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

37
salt/elasticsearch/files/ingest/bro_sip
View File

@@ -1,37 +0,0 @@
{
"description" : "bro_sip",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
{ "rename": { "field": "message2.method", "target_field": "method", "ignore_missing": true } },
{ "rename": { "field": "message2.uri", "target_field": "uri", "ignore_missing": true } },
{ "rename": { "field": "message2.date", "target_field": "date", "ignore_missing": true } },
{ "rename": { "field": "message2.request_from", "target_field": "request_from", "ignore_missing": true } },
{ "rename": { "field": "message2.request_to", "target_field": "request_to", "ignore_missing": true } },
{ "rename": { "field": "message2.response_from", "target_field": "response_from", "ignore_missing": true } },
{ "rename": { "field": "message2.response_to", "target_field": "response_to", "ignore_missing": true } },
{ "rename": { "field": "message2.reply_to", "target_field": "reply_to", "ignore_missing": true } },
{ "rename": { "field": "message2.call_id", "target_field": "call_id", "ignore_missing": true } },
{ "rename": { "field": "message2.seq", "target_field": "seq", "ignore_missing": true } },
{ "rename": { "field": "message2.subject", "target_field": "subject", "ignore_missing": true } },
{ "rename": { "field": "message2.request_path", "target_field": "request_path", "ignore_missing": true } },
{ "rename": { "field": "message2.response_path", "target_field": "response_path", "ignore_missing": true } },
{ "rename": { "field": "message2.user_agent", "target_field": "user_agent", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code", "target_field": "status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.status_msg", "target_field": "status_msg", "ignore_missing": true } },
{ "rename": { "field": "message2.warning", "target_field": "warning", "ignore_missing": true } },
{ "rename": { "field": "message2.request_body_len", "target_field": "request_body_length", "ignore_missing": true } },
{ "rename": { "field": "message2.response_body_len","target_field": "response_body_length", "ignore_missing": true } },
{ "rename": { "field": "message2.content_type", "target_field": "content_type", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

31
salt/elasticsearch/files/ingest/bro_smb_files
View File

@@ -1,31 +0,0 @@
{
"description" : "bro_smb_files",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.action", "target_field": "action", "ignore_missing": true } },
{ "remove": { "field": "path", "ignore_failure": true } },
{ "rename": { "field": "message2.path", "target_field": "path", "ignore_missing": true } },
{ "rename": { "field": "message2.name", "target_field": "name", "ignore_missing": true } },
{ "rename": { "field": "message2.size", "target_field": "size", "ignore_missing": true } },
{ "rename": { "field": "message2.prev_name", "target_field": "prev_name", "ignore_missing": true } },
{ "dot_expander": { "field": "times.modified", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.times.modified", "target_field": "times_modified", "ignore_missing": true } },
{ "dot_expander": { "field": "times.accessed", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.times.accessed", "target_field": "times_accessed", "ignore_missing": true } },
{ "dot_expander": { "field": "times.created", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.times.created", "target_field": "times_created", "ignore_missing": true } },
{ "dot_expander": { "field": "times.changed", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.times.changed", "target_field": "times_changed", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

21
salt/elasticsearch/files/ingest/bro_smb_mapping
View File

@@ -1,21 +0,0 @@
{
"description" : "bro_smb_files",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "remove": { "field": "path", "ignore_failure": true } },
{ "rename": { "field": "message2.path", "target_field": "path", "ignore_missing": true } },
{ "rename": { "field": "message2.service", "target_field": "service", "ignore_missing": true } },
{ "rename": { "field": "message2.native_file_system", "target_field": "native_file_system", "ignore_missing": true } },
{ "rename": { "field": "message2.share_type", "target_field": "share_type", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

38
salt/elasticsearch/files/ingest/bro_smtp
View File

@@ -1,38 +0,0 @@
{
"description" : "bro_smtp",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "remove": { "field": "path", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.trans_depth", "target_field": "trans_depth", "ignore_missing": true } },
{ "rename": { "field": "message2.helo", "target_field": "helo", "ignore_missing": true } },
{ "rename": { "field": "message2.mailfrom", "target_field": "mail_from", "ignore_missing": true } },
{ "rename": { "field": "message2.rcptto", "target_field": "recipient_to", "ignore_missing": true } },
{ "rename": { "field": "message2.date", "target_field": "mail_date", "ignore_missing": true } },
{ "rename": { "field": "message2.from", "target_field": "from", "ignore_missing": true } },
{ "rename": { "field": "message2.to", "target_field": "to", "ignore_missing": true } },
{ "rename": { "field": "message2.cc", "target_field": "cc", "ignore_missing": true } },
{ "rename": { "field": "message2.reply_to", "target_field": "reply_to", "ignore_missing": true } },
{ "rename": { "field": "message2.msg_id", "target_field": "message_id", "ignore_missing": true } },
{ "rename": { "field": "message2.in_reply_to", "target_field": "in_reply_to", "ignore_missing": true } },
{ "rename": { "field": "message2.subject", "target_field": "subject", "ignore_missing": true } },
{ "rename": { "field": "message2.x_originating_ip", "target_field": "x_originating_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.first_received", "target_field": "first_received", "ignore_missing": true } },
{ "rename": { "field": "message2.second_received", "target_field": "second_received", "ignore_missing": true } },
{ "rename": { "field": "message2.last_reply", "target_field": "last_reply", "ignore_missing": true } },
{ "rename": { "field": "message2.path", "target_field": "path", "ignore_missing": true } },
{ "rename": { "field": "message2.user_agent", "target_field": "useragent", "ignore_missing": true } },
{ "rename": { "field": "message2.tls", "target_field": "tls", "ignore_missing": true } },
{ "rename": { "field": "message2.fuids", "target_field": "fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.is_webmail", "target_field": "is_webmail", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

25
salt/elasticsearch/files/ingest/bro_snmp
View File

@@ -1,25 +0,0 @@
{
"description" : "bro_snmp",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
{ "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
{ "rename": { "field": "message2.community", "target_field": "community", "ignore_missing": true } },
{ "rename": { "field": "message2.get_requests", "target_field": "get_requests", "ignore_missing": true } },
{ "rename": { "field": "message2.get_bulk_requests","target_field": "get_bulk_requests", "ignore_missing": true } },
{ "rename": { "field": "message2.get_responses", "target_field": "get_responses", "ignore_missing": true } },
{ "rename": { "field": "message2.set_requests", "target_field": "set_requests", "ignore_missing": true } },
{ "rename": { "field": "message2.display_string", "target_field": "display_string", "ignore_missing": true } },
{ "rename": { "field": "message2.up_since", "target_field": "up_since", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

28
salt/elasticsearch/files/ingest/bro_socks
View File

@@ -1,28 +0,0 @@
{
"description" : "bro_socks",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
{ "rename": { "field": "message2.user", "target_field": "user", "ignore_missing": true } },
{ "rename": { "field": "message2.password", "target_field": "password", "ignore_missing": true } },
{ "rename": { "field": "message2.status", "target_field": "status", "ignore_missing": true } },
{ "rename": { "field": "message2.request_host", "target_field": "request_host", "ignore_missing": true } },
{ "dot_expander": { "field": "request.name", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.request.name", "target_field": "request_name", "ignore_missing": true } },
{ "rename": { "field": "message2.request_p", "target_field": "request_port", "ignore_missing": true } },
{ "dot_expander": { "field": "bound.host", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.bound.host", "target_field": "bound_host", "ignore_missing": true } },
{ "rename": { "field": "message2.bound_name", "target_field": "bound_name", "ignore_missing": true } },
{ "rename": { "field": "message2.bound_p", "target_field": "bound_port", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

40
salt/elasticsearch/files/ingest/bro_ssh
View File

@@ -1,40 +0,0 @@
{
"description" : "bro_conn",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "rename": { "field": "message2.hassh", "target_field": "hassh", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_success", "target_field": "authentication_success", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_attempts", "target_field": "authentication_attempts", "ignore_missing": true } },
{ "rename": { "field": "message2.direction", "target_field": "direction", "ignore_missing": true } },
{ "rename": { "field": "message2.client", "target_field": "client", "ignore_missing": true } },
{ "rename": { "field": "message2.server", "target_field": "server", "ignore_missing": true } },
{ "rename": { "field": "message2.cipher_alg", "target_field": "cipher_algorithm", "ignore_missing": true } },
{ "rename": { "field": "message2.compression_alg", "target_field": "compression_algorithm", "ignore_missing": true } },
{ "rename": { "field": "message2.cshka", "target_field": "client_host_key_algorithms", "ignore_missing": true } },
{ "rename": { "field": "message2.host_key_alg", "target_field": "host_key_algorithm", "ignore_missing": true } },
{ "rename": { "field": "message2.hasshAlgorithms", "target_field": "hassh_algorithms", "ignore_missing": true } },
{ "rename": { "field": "message2.hasshServer", "target_field": "hassh_server", "ignore_missing": true } },
{ "rename": { "field": "message2.hasshVersion", "target_field": "hassh_version", "ignore_missing": true } },
{ "rename": { "field": "message2.kex_alg", "target_field": "kex_algorithm", "ignore_missing": true } },
{ "rename": { "field": "message2.mac_alg", "target_field": "mac_algorithm", "ignore_missing": true } },
{ "rename": { "field": "message2.sshka", "target_field": "server_host_key_algorithms", "ignore_missing": true } },
{ "rename": { "field": "message2.host_key", "target_field": "host_key", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_region", "target_field": "destination_region", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_city", "target_field": "destination_city", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_latitude", "target_field": "destination_latitude", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_longitude", "target_field": "destination_longitude", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_country_code", "target_field": "destination_country_code", "ignore_missing": true } },
{ "rename": { "field": "message2.hasshServerAlgorithms", "target_field": "hassh_server_algorithms", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

33
salt/elasticsearch/files/ingest/bro_ssl
View File

@@ -1,33 +0,0 @@
{
"description" : "bro_ssl",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.version", "target_field": "version", "ignore_missing": true } },
{ "rename": { "field": "message2.cipher", "target_field": "cipher", "ignore_missing": true } },
{ "rename": { "field": "message2.curve", "target_field": "curve", "ignore_missing": true } },
{ "rename": { "field": "message2.server_name", "target_field": "server_name", "ignore_missing": true } },
{ "rename": { "field": "message2.resumed", "target_field": "resumed", "ignore_missing": true } },
{ "rename": { "field": "message2.last_alert", "target_field": "last_alert", "ignore_missing": true } },
{ "rename": { "field": "message2.next_protocol", "target_field": "next_protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.established", "target_field": "established", "ignore_missing": true } },
{ "rename": { "field": "message2.cert_chain_fuids", "target_field": "certificate_chain_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.client_cert_chain_fuids", "target_field": "client_certificate_chain_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.subject", "target_field": "certificate_subject", "ignore_missing": true } },
{ "rename": { "field": "message2.issuer", "target_field": "certificate_issuer", "ignore_missing": true } },
{ "rename": { "field": "message2.client_subject", "target_field": "client_subject", "ignore_missing": true } },
{ "rename": { "field": "message2.client_issuer", "target_field": "client_issuer", "ignore_missing": true } },
{ "rename": { "field": "message2.validation_status","target_field": "validation_status", "ignore_missing": true } },
{ "rename": { "field": "message2.ja3", "target_field": "ja3", "ignore_missing": true } },
{ "rename": { "field": "message2.ja3s", "target_field": "ja3s", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common_ssl" } }
]
}

21
salt/elasticsearch/files/ingest/bro_syslog
View File

@@ -1,21 +0,0 @@
{
"description" : "bro_syslog",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.facility", "target_field": "facility", "ignore_missing": true } },
{ "rename": { "field": "message2.severity", "target_field": "severity", "ignore_missing": true } },
{ "remove": { "field": "message", "ignore_failure": true } },
{ "rename": { "field": "message2.message", "target_field": "message", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

7
salt/elasticsearch/files/ingest/bro_tunnel
View File

@@ -1,7 +0,0 @@
{
"description" : "bro_tunnel",
"processors" : [
{ "set": { "field": "event_type", "value": "bro_tunnels" } },
{ "pipeline": { "name": "bro_tunnels" } }
]
}

20
salt/elasticsearch/files/ingest/bro_weird
View File

@@ -1,20 +0,0 @@
{
"description" : "bro_weird",
"processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.name", "target_field": "name", "ignore_missing": true } },
{ "rename": { "field": "message2.addl", "target_field": "additional_info", "ignore_missing": true } },
{ "rename": { "field": "message2.notice", "target_field": "notice", "ignore_missing": true } },
{ "rename": { "field": "message2.peer", "target_field": "peer", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
]
}

4
salt/elasticsearch/files/ingest/common
View File

@@ -44,8 +44,8 @@
},
{
"remove": {
"field": "index_name_prefix",
"ignore_failure": true
"field": [ "index_name_prefix"],
"ignore_failure": false
}
}
]

67
salt/elasticsearch/files/ingest/ossec
View File

@@ -6,48 +6,47 @@
{ "rename": { "field": "message2.data", "target_field": "data", "ignore_missing": true } },
{ "rename": { "field": "message2.decoder", "target_field": "decoder", "ignore_missing": true } },
{ "rename": { "field": "message2.full_log", "target_field": "full_log", "ignore_missing": true } },
{ "rename": { "field": "message2.id", "target_field": "id", "ignore_missing": true } },
{ "rename": { "field": "message2.id", "target_field": "log.id.id", "ignore_missing": true } },
{ "rename": { "field": "message2.location", "target_field": "location", "ignore_missing": true } },
{ "rename": { "field": "message2.manager", "target_field": "manager", "ignore_missing": true } },
{ "rename": { "field": "message2.predecoder", "target_field": "predecoder", "ignore_missing": true } },
{ "rename": { "field": "message2.timestamp", "target_field": "timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.rule", "target_field": "wazuh-rule", "ignore_missing": true } },
{ "rename": { "field": "message2.rule", "target_field": "rule", "ignore_missing": true } },
{ "rename": { "field": "data.command", "target_field": "command", "ignore_missing": true } },
{ "rename": { "field": "data.dstip", "target_field": "destination_ip", "ignore_missing": true } },
{ "rename": { "field": "data.dstport", "target_field": "destination_port", "ignore_missing": true } },
{ "rename": { "field": "data.dstuser", "target_field": "escalated_user", "ignore_missing": true } },
{ "rename": { "field": "data.srcip", "target_field": "source_ip", "ignore_missing": true } },
{ "rename": { "field": "data.srcuser", "target_field": "username", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationHostname", "target_field": "destination_hostname", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationIp", "target_field": "destination_ip", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationPort", "target_field": "destination_port", "ignore_missing": true } },
{ "rename": { "field": "data.dstip", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "data.dstport", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "data.dstuser", "target_field": "user.escalated", "ignore_missing": true } },
{ "rename": { "field": "data.srcip", "target_field": "source.ip", "ignore_missing": true } },
{ "rename": { "field": "data.srcuser", "target_field": "source.user", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationIp", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.destinationPort", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.image", "target_field": "image_path", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.parentImage", "target_field": "parent_image_path", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.sourceHostname", "target_field": "source_hostname", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.sourceHostname", "target_field": "source.hostname", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.sourceIp", "target_field": "source_ip", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.sourcePort", "target_field": "source_port", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.targetFilename", "target_field": "target_filename", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.user", "target_field": "username", "ignore_missing": true } },
{ "rename": { "field": "data.win.system.eventID", "target_field": "event_id", "ignore_missing": true } },
{ "rename": { "field": "predecoder.program_name", "target_field": "process", "ignore_missing": true } },
{ "rename": { "field": "wazuh-rule.level", "target_field": "alert_level", "ignore_missing": true } },
{ "rename": { "field": "wazuh-rule.description", "target_field": "description", "ignore_missing": true } },
{ "set": { "if": "ctx.alert_level == 1", "field": "classification", "value": "None" } },
{ "set": { "if": "ctx.alert_level == 2", "field": "classification", "value": "System low priority notification" } },
{ "set": { "if": "ctx.alert_level == 3", "field": "classification", "value": "Successful/authorized event" } },
{ "set": { "if": "ctx.alert_level == 4", "field": "classification", "value": "System low priority error" } },
{ "set": { "if": "ctx.alert_level == 5", "field": "classification", "value": "User generated error" } },
{ "set": { "if": "ctx.alert_level == 6", "field": "classification", "value": "Low relevance attack" } },
{ "set": { "if": "ctx.alert_level == 7", "field": "classification", "value": "\"Bad word\" matching" } },
{ "set": { "if": "ctx.alert_level == 8", "field": "classification", "value": "First time seen" } },
{ "set": { "if": "ctx.alert_level == 9", "field": "classification", "value": "Error from invalid source" } },
{ "set": { "if": "ctx.alert_level == 10", "field": "classification", "value": "Multiple user generated errors" } },
{ "set": { "if": "ctx.alert_level == 11", "field": "classification", "value": "Integrity checking warning" } },
{ "set": { "if": "ctx.alert_level == 12", "field": "classification", "value": "High importance event" } },
{ "set": { "if": "ctx.alert_level == 13", "field": "classification", "value": "Unusal error (high importance)" } },
{ "set": { "if": "ctx.alert_level == 14", "field": "classification", "value": "High importance security event" } },
{ "set": { "if": "ctx.alert_level == 15", "field": "classification", "value": "Severe attack" } },
{ "append": { "if": "ctx.alert_level != null", "field": "tags", "value": ["alert"] } },
{ "rename": { "field": "data.win.eventdata.sourcePort", "target_field": "source.port", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.targetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.user", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "data.win.system.eventID", "target_field": "event.code", "ignore_missing": true } },
{ "rename": { "field": "predecoder.program_name", "target_field": "process.name", "ignore_missing": true } },
{ "set": { "if": "ctx.rule.level == 1", "field": "category", "value": "None" } },
{ "set": { "if": "ctx.rule.level == 2", "field": "category", "value": "System low priority notification" } },
{ "set": { "if": "ctx.rule.level == 3", "field": "category", "value": "Successful/authorized event" } },
{ "set": { "if": "ctx.rule.level == 4", "field": "rule.category", "value": "System low priority error" } },
{ "set": { "if": "ctx.rule.level == 5", "field": "rule.category", "value": "User generated error" } },
{ "set": { "if": "ctx.rule.level == 6", "field": "rule.category", "value": "Low relevance attack" } },
{ "set": { "if": "ctx.rule.level == 7", "field": "rule.category", "value": "\"Bad word\" matching" } },
{ "set": { "if": "ctx.rule.level == 8", "field": "rule.category", "value": "First time seen" } },
{ "set": { "if": "ctx.rule.level == 9", "field": "rule.category", "value": "Error from invalid source" } },
{ "set": { "if": "ctx.rule.level == 10", "field": "rule.category", "value": "Multiple user generated errors" } },
{ "set": { "if": "ctx.rule.level == 11", "field": "rule.category", "value": "Integrity checking warning" } },
{ "set": { "if": "ctx.rule.level == 12", "field": "rule.category", "value": "High importance event" } },
{ "set": { "if": "ctx.rule.level == 13", "field": "rule.category", "value": "Unusal error (high importance)" } },
{ "set": { "if": "ctx.rule.level == 14", "field": "rule.category", "value": "High importance security event" } },
{ "set": { "if": "ctx.rule.level == 15", "field": "rule.category", "value": "Severe attack" } },
{ "append": { "if": "ctx.rule.level != null", "field": "tags", "value": ["alert"] } },
{ "remove": { "field": [ "host", "predecoder", "decoder" ], "ignore_missing": true, "ignore_failure": false } },
{ "pipeline": { "name": "common" } }
]
}

24
salt/elasticsearch/files/ingest/zeek.common Normal file
View File

@@ -0,0 +1,24 @@
{
"description" : "zeek.common",
"processors" : [
{ "rename": { "field": "@timestamp", "target_field": "es.timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.uid", "target_field": "log.id.uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "set": { "field": "client.ip", "value": "{{source.ip}}" } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "set": { "field": "client.port", "value": "{{source.port}}" } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "set": { "field": "server.ip", "value": "{{destination.ip}}" } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "set": { "field": "server.port", "value": "{{destination.port}}" } },
{ "set": { "field": "event.module", "value": "zeek" } },
{ "grok": { "field": "event_type", "patterns": ["zeek.%{WORD:event.dataset}"] } },
{ "date": { "field": "message2.ts", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "ignore_failure": true } },
{ "remove": { "field": ["message2.ts", "path"], "ignore_failure": true } },
{ "pipeline": { "name": "common" } }
]
}

4
salt/elasticsearch/files/ingest/bro_common_ssl → salt/elasticsearch/files/ingest/zeek.common_ssl
View File

@@ -1,5 +1,5 @@
{
"description" : "bro_common_ssl",
"description" : "zeek.common_ssl",
"processors" : [
{
"kv": {
@@ -51,7 +51,7 @@
{ "script":{ "lang": "painless", "source": "ctx.server_name_length = ctx.server_name.length()", "ignore_failure": true } },
{
"pipeline": {
"name": "bro_common"
"name": "zeek.common"
}
}
]

40
salt/elasticsearch/files/ingest/zeek.conn Normal file
View File

@@ -0,0 +1,40 @@
{
"description" : "zeek.conn",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": false } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.service", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_bytes", "target_field": "client.bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_bytes", "target_field": "server.bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.conn_state", "target_field": "connection.state", "ignore_missing": true } },
{ "rename": { "field": "message2.local_orig", "target_field": "connection.local.originator", "ignore_missing": true } },
{ "rename": { "field": "message2.local_resp", "target_field": "connection.local.responder", "ignore_missing": true } },
{ "rename": { "field": "message2.missed_bytes", "target_field": "connection.bytes.missed", "ignore_missing": true } },
{ "rename": { "field": "message2.history", "target_field": "connection.history", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_pkts", "target_field": "client.packets", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_ip_bytes", "target_field": "client.ip_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_pkts", "target_field": "server.packets", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_ip_bytes", "target_field": "server.ip_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.tunnel_parents", "target_field": "connection.tunnel_parents", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_cc", "target_field": "client.country_code","ignore_missing": true } },
{ "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },
{ "rename": { "field": "message2.sensorname", "target_field": "observer.name", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.connection.bytes.total = (ctx.client.bytes + ctx.server.bytes)", "ignore_failure": true } },
{ "set": { "if": "ctx.connection.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
{ "set": { "if": "ctx.connection.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } },
{ "set": { "if": "ctx.connection.state == 'S2'", "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
{ "set": { "if": "ctx.connection.state == 'S3'", "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
{ "set": { "if": "ctx.connection.state == 'SF'", "field": "connection.state_description", "value": "Normal SYN/FIN completion" } },
{ "set": { "if": "ctx.connection.state == 'REJ'", "field": "connection.state_description", "value": "Connection attempt rejected" } },
{ "set": { "if": "ctx.connection.state == 'RSTO'", "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } },
{ "set": { "if": "ctx.connection.state == 'RSTR'", "field": "connection.state_description", "value": "Established, responder aborted" } },
{ "set": { "if": "ctx.connection.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
{ "set": { "if": "ctx.connection.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
{ "set": { "if": "ctx.connection.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
{ "set": { "if": "ctx.connection.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
{ "set": { "if": "ctx.connection.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
{ "pipeline": { "name": "zeek.common" } }
]
}

12
salt/elasticsearch/files/ingest/zeek.dce_rpc Normal file
View File

@@ -0,0 +1,12 @@
{
"description" : "zeek.dce_rpc",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.rtt", "target_field": "event.duration", "ignore_missing": true } },
{ "rename": { "field": "message2.named_pipe", "target_field": "named_pipe", "ignore_missing": true } },
{ "rename": { "field": "message2.endpoint", "target_field": "endpoint", "ignore_missing": true } },
{ "rename": { "field": "message2.operation", "target_field": "operation", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

29
salt/elasticsearch/files/ingest/bro_dhcp → salt/elasticsearch/files/ingest/zeek.dhcp
View File

@@ -1,20 +1,21 @@
{
"description" : "bro_dhcp",
"description" : "zeek.dhcp",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uids", "target_field": "uid", "ignore_missing": true } },
{ "rename": { "field": "message2.mac", "target_field": "mac", "ignore_missing": true } },
{ "rename": { "field": "message2.assigned_ip", "target_field": "assigned_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.lease_time", "target_field": "lease_time", "ignore_missing": true } },
{ "rename": { "field": "message2.trans_id", "target_field": "transaction_id", "ignore_missing": true } },
{ "rename": { "field": "message2.assigned_addr", "target_field": "assigned_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.client_addr", "target_field": "source.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.server_addr", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.requested_addr", "target_field": "requested_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.domain", "target_field": "domain_name", "ignore_missing": true } },
{ "rename": { "field": "message2.host_name", "target_field": "hostname", "ignore_missing": true } },
{ "rename": { "field": "message2.duration", "target_field": "duration", "ignore_missing": true } },
{ "rename": { "field": "message2.uids", "target_field": "log.id.uids", "ignore_missing": true } },
{ "rename": { "field": "message2.mac", "target_field": "host.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.lease_time", "target_field": "dhcp.lease_time", "ignore_missing": true } },
{ "rename": { "field": "message2.trans_id", "target_field": "dhcp.transaction_id", "ignore_missing": true } },
{ "rename": { "field": "message2.assigned_addr", "target_field": "dhcp.assigned_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.client_addr", "target_field": "client.address", "ignore_missing": true } },
{ "rename": { "field": "message2.server_addr", "target_field": "server.address", "ignore_missing": true } },
{ "rename": { "field": "message2.requested_addr", "target_field": "dhcp.requested_address", "ignore_missing": true } },
{ "rename": { "field": "message2.domain", "target_field": "host.domain", "ignore_missing": true } },
{ "rename": { "field": "message2.host_name", "target_field": "host.hostname", "ignore_missing": true } },
{ "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } },
{ "rename": { "field": "message2.msg_types", "target_field": "message_types", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
{ "pipeline": { "name": "zeek.common" } }
]
}

11
salt/elasticsearch/files/ingest/zeek.dnp3 Normal file
View File

@@ -0,0 +1,11 @@
{
"description" : "zeek.dnp3",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.fc_request", "target_field": "fc_request", "ignore_missing": true } },
{ "rename": { "field": "message2.fc_reply", "target_field": "fc_reply", "ignore_missing": true } },
{ "rename": { "field": "message2.iin", "target_field": "iin", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

28
salt/elasticsearch/files/ingest/zeek.dns Normal file
View File

@@ -0,0 +1,28 @@
{
"description" : "zeek.dns",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.trans_id", "target_field": "dns.id", "ignore_missing": true } },
{ "rename": { "field": "message2.rtt", "target_field": "event.duration", "ignore_missing": true } },
{ "rename": { "field": "message2.query", "target_field": "dns.query.name", "ignore_missing": true } },
{ "rename": { "field": "message2.qclass", "target_field": "dns.query.class", "ignore_missing": true } },
{ "rename": { "field": "message2.qclass_name", "target_field": "dns.query.class_name", "ignore_missing": true } },
{ "rename": { "field": "message2.qtype", "target_field": "dns.query.type", "ignore_missing": true } },
{ "rename": { "field": "message2.qtype_name", "target_field": "dns.query.type_name", "ignore_missing": true } },
{ "rename": { "field": "message2.rcode", "target_field": "dns.response.code", "ignore_missing": true } },
{ "rename": { "field": "message2.rcode_name", "target_field": "dns.response.code_name", "ignore_missing": true } },
{ "rename": { "field": "message2.AA", "target_field": "dns.authoritative", "ignore_missing": true } },
{ "rename": { "field": "message2.TC", "target_field": "dns.truncated", "ignore_missing": true } },
{ "rename": { "field": "message2.RD", "target_field": "dns.recursion.desired", "ignore_missing": true } },
{ "rename": { "field": "message2.RA", "target_field": "dns.recursion.available", "ignore_missing": true } },
{ "rename": { "field": "message2.Z", "target_field": "dns.reserved", "ignore_missing": true } },
{ "rename": { "field": "message2.answers", "target_field": "dns.answers", "ignore_missing": true } },
{ "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } },
{ "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

5
salt/elasticsearch/files/ingest/bro_dpd → salt/elasticsearch/files/ingest/zeek.dpd
View File

@@ -1,6 +1,7 @@
{
"description" : "bro_dpd",
"description" : "zeek.dpd",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
@@ -14,6 +15,6 @@
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.analyzer", "target_field": "analyzer", "ignore_missing": true } },
{ "rename": { "field": "message2.failure_reason", "target_field": "failure_reason", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
{ "pipeline": { "name": "zeek.common" } }
]
}

34
salt/elasticsearch/files/ingest/zeek.files Normal file
View File

@@ -0,0 +1,34 @@
{
"description" : "zeek.files",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.rx_hosts", "target_field": "file.receive_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.tx_hosts", "target_field": "file.transmit_ip", "ignore_missing": true } },
{ "set": { "field": "server.ip", "value": "{{source.ip}}", "ignore_failure": true } },
{ "set": { "field": "client.ip", "value": "{{destination.ip}}", "ignore_failure": true } },
{ "rename": { "field": "message2.conn_uids", "target_field": "log.id.uids", "ignore_missing": true } },
{ "remove": { "field": "source", "ignore_missing": true } },
{ "rename": { "field": "message2.source", "target_field": "file.source", "ignore_missing": true } },
{ "rename": { "field": "message2.depth", "target_field": "file.depth", "ignore_missing": true } },
{ "rename": { "field": "message2.analyzers", "target_field": "file.analyzer", "ignore_missing": true } },
{ "rename": { "field": "message2.mime_type", "target_field": "file.mime_type", "ignore_missing": true } },
{ "rename": { "field": "message2.filename", "target_field": "file.name", "ignore_missing": true } },
{ "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } },
{ "rename": { "field": "message2.local_orig", "target_field": "file.local_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "file.is_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.seen_bytes", "target_field": "file.bytes.seen", "ignore_missing": true } },
{ "rename": { "field": "message2.total_bytes", "target_field": "file.bytes.total", "ignore_missing": true } },
{ "rename": { "field": "message2.missing_bytes", "target_field": "file.bytes.missing", "ignore_missing": true } },
{ "rename": { "field": "message2.overflow_bytes", "target_field": "file.bytes.overflow", "ignore_missing": true } },
{ "rename": { "field": "message2.timedout", "target_field": "file.timed_out", "ignore_missing": true } },
{ "rename": { "field": "message2.parent_fuid", "target_field": "log.id.parent_fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.md5", "target_field": "hash.md5", "ignore_missing": true } },
{ "rename": { "field": "message2.sha1", "target_field": "hash.sha1", "ignore_missing": true } },
{ "rename": { "field": "message2.extracted", "target_field": "file.extracted.filename", "ignore_missing": true } },
{ "rename": { "field": "message2.extracted_cutoff", "target_field": "file.extracted.cutoff", "ignore_missing": true } },
{ "rename": { "field": "message2.extracted_size", "target_field": "file.extracted.size", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

25
salt/elasticsearch/files/ingest/zeek.ftp Normal file
View File

@@ -0,0 +1,25 @@
{
"description" : "zeek.http",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.user", "target_field": "ftp.user", "ignore_missing": true } },
{ "rename": { "field": "message2.password", "target_field": "ftp.password", "ignore_missing": true } },
{ "rename": { "field": "message2.command", "target_field": "ftp.command", "ignore_missing": true } },
{ "rename": { "field": "message2.arg", "target_field": "ftp.argument", "ignore_missing": true } },
{ "rename": { "field": "message2.mime_type", "target_field": "file.mimetype", "ignore_missing": true } },
{ "rename": { "field": "message2.file_size", "target_field": "file.size", "ignore_missing": true } },
{ "rename": { "field": "message2.reply_code", "target_field": "server.reply_code", "ignore_missing": true } },
{ "rename": { "field": "message2.reply_msg", "target_field": "server.reply_message", "ignore_missing": true } },
{ "dot_expander": { "field": "data_channel.passive", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.data_channel.passive","target_field": "ftp.data_channel_passive", "ignore_missing": true } },
{ "dot_expander": { "field": "data_channel.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.data_channel.orig_h","target_field": "ftp.data_channel_source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "data_channel.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.data_channel.resp_h","target_field": "ftp.data_channel_destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "data_channel.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.data_channel.resp_p","target_field": "ftp.data_channel_destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

34
salt/elasticsearch/files/ingest/zeek.http Normal file
View File

@@ -0,0 +1,34 @@
{
"description" : "zeek.http",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.trans_depth", "target_field": "http.trans_depth", "ignore_missing": true } },
{ "rename": { "field": "message2.method", "target_field": "http.method", "ignore_missing": true } },
{ "rename": { "field": "message2.host", "target_field": "http.virtual_host", "ignore_missing": true } },
{ "rename": { "field": "message2.uri", "target_field": "http.uri", "ignore_missing": true } },
{ "rename": { "field": "message2.referrer", "target_field": "http.referrer", "ignore_missing": true } },
{ "rename": { "field": "message2.version", "target_field": "http.version", "ignore_missing": true } },
{ "rename": { "field": "message2.user_agent", "target_field": "http.useragent", "ignore_missing": true } },
{ "rename": { "field": "message2.request_body_len", "target_field": "http.request.body.length", "ignore_missing": true } },
{ "rename": { "field": "message2.response_body_len","target_field": "http.response.body.length", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code", "target_field": "http.status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.status_msg", "target_field": "http.status_message", "ignore_missing": true } },
{ "rename": { "field": "message2.info_code", "target_field": "http.info_code", "ignore_missing": true } },
{ "rename": { "field": "message2.info_msg", "target_field": "http.info_message", "ignore_missing": true } },
{ "remove": { "field": "message2.tags", "ignore_failure": true } },
{ "rename": { "field": "message2.username", "target_field": "http.user", "ignore_missing": true } },
{ "rename": { "field": "message2.password", "target_field": "http.password", "ignore_missing": true } },
{ "rename": { "field": "message2.proxied", "target_field": "http.proxied", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_fuids", "target_field": "log.id.orig_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_filenames", "target_field": "file.orig_filenames", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_mime_types", "target_field": "file.orig_mime_types", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_fuids", "target_field": "log.id.resp_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_filenames", "target_field": "file.resp_filenames", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_mime_types", "target_field": "file.resp_mime_types", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.uri_length = ctx.uri.length()", "ignore_failure": true } },
{ "script": { "lang": "painless", "source": "ctx.useragent_length = ctx.useragent.length()", "ignore_failure": true } },
{ "script": { "lang": "painless", "source": "ctx.virtual_host_length = ctx.virtual_host.length()", "ignore_failure": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

20
salt/elasticsearch/files/ingest/zeek.intel Normal file
View File

@@ -0,0 +1,20 @@
{
"description" : "zeek.intel",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.seen.indicator", "target_field": "intel.indicator", "ignore_missing": true } },
{ "dot_expander": { "field": "seen.indicator_type", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.seen.indicator_type", "target_field": "intel.indicator_type", "ignore_missing": true } },
{ "dot_expander": { "field": "seen.where", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.seen.where", "target_field": "intel.seen_where", "ignore_missing": true } },
{ "dot_expander": { "field": "seen.node", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.seen.node", "target_field": "intel.seen_node", "ignore_missing": true } },
{ "rename": { "field": "message2.matched", "target_field": "intel.matched", "ignore_missing": true } },
{ "rename": { "field": "message2.sources", "target_field": "intel.sources", "ignore_missing": true } },
{ "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.file_mime_type", "target_field": "file.mimetype", "ignore_missing": true } },
{ "rename": { "field": "message2.file_desc", "target_field": "file.description", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

17
salt/elasticsearch/files/ingest/zeek.irc Normal file
View File

@@ -0,0 +1,17 @@
{
"description" : "zeek.irc",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.nick", "target_field": "irc.nickname", "ignore_missing": true } },
{ "rename": { "field": "message2.user", "target_field": "irc.username", "ignore_missing": true } },
{ "rename": { "field": "message2.command", "target_field": "irc.command.type", "ignore_missing": true } },
{ "rename": { "field": "message2.value", "target_field": "irc.command.value", "ignore_missing": true } },
{ "rename": { "field": "message2.addl", "target_field": "irc.command.info", "ignore_missing": true } },
{ "rename": { "field": "message2.dcc_file_name", "target_field": "file.name", "ignore_missing": true } },
{ "rename": { "field": "message2.dcc_file_size", "target_field": "file.size", "ignore_missing": true } },
{ "rename": { "field": "message2.dcc_mime_type", "target_field": "file.mime_type", "ignore_missing": true } },
{ "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

22
salt/elasticsearch/files/ingest/zeek.kerberos Normal file
View File

@@ -0,0 +1,22 @@
{
"description" : "zeek.kerberos",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.request_type", "target_field": "kerberos.request_type", "ignore_missing": true } },
{ "rename": { "field": "message2.client", "target_field": "kerberos.client", "ignore_missing": true } },
{ "rename": { "field": "message2.service", "target_field": "kerberos.service", "ignore_missing": true } },
{ "rename": { "field": "message2.success", "target_field": "kerberos.success", "ignore_missing": true } },
{ "rename": { "field": "message2.error_msg", "target_field": "kerberos.error_message", "ignore_missing": true } },
{ "rename": { "field": "message2.from", "target_field": "kerberos.ticket.valid.from", "ignore_missing": true } },
{ "rename": { "field": "message2.till", "target_field": "kerberos.ticket.valid.until", "ignore_missing": true } },
{ "rename": { "field": "message2.cipher", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } },
{ "rename": { "field": "message2.forwardable", "target_field": "kerberos.ticket.forwardable", "ignore_missing": true } },
{ "rename": { "field": "message2.renewable", "target_field": "kerberos.ticket.renewable", "ignore_missing": true } },
{ "rename": { "field": "message2.client_cert_subject", "target_field": "kerberos.client.certificate.subject", "ignore_missing": true } },
{ "rename": { "field": "message2.client_cert_fuid", "target_field": "log.id.client_certificate_fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.server_cert_subject", "target_field": "kerberos.server.certificate.subject", "ignore_missing": true } },
{ "rename": { "field": "message2.server_cert_fuid", "target_field": "log.id.server_certificate_fuid", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

10
salt/elasticsearch/files/ingest/zeek.modbus Normal file
View File

@@ -0,0 +1,10 @@
{
"description" : "zeek.modbus",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.func", "target_field": "modbus.function", "ignore_missing": true } },
{ "rename": { "field": "message2.exception", "target_field": "modbus.exception", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

13
salt/elasticsearch/files/ingest/zeek.mysql Normal file
View File

@@ -0,0 +1,13 @@
{
"description" : "zeek.mysql",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.cmd", "target_field": "mysql.command", "ignore_missing": true } },
{ "rename": { "field": "message2.arg", "target_field": "mysql.argument", "ignore_missing": true } },
{ "rename": { "field": "message2.success", "target_field": "mysql.success", "ignore_missing": true } },
{ "rename": { "field": "message2.rows", "target_field": "mysql.rows", "ignore_missing": true } },
{ "rename": { "field": "message2.response", "target_field": "mysql.response", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

22
salt/elasticsearch/files/ingest/bro_notice → salt/elasticsearch/files/ingest/zeek.notice
View File

@@ -1,21 +1,11 @@
{
"description" : "bro_notice",
"description" : "zeek.notice",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "remove": { "field": "message2.dst", "ignore_failure": true } },
{ "remove": { "field": "message2.src", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
{ "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.fuid", "target_field": "fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.mime", "target_field": "file_mime_type", "ignore_missing": true } },
{ "rename": { "field": "message2.desc", "target_field": "file_description", "ignore_missing": true } },
{ "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.mime", "target_field": "file.mimetype", "ignore_missing": true } },
{ "rename": { "field": "message2.desc", "target_field": "file.description", "ignore_missing": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } },
{ "rename": { "field": "message2.msg", "target_field": "msg", "ignore_missing": true } },
@@ -31,6 +21,6 @@
{ "rename": { "field": "message2.destination_city", "target_field": "destination_city", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_latitude", "target_field": "destination_latitude", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_longitude", "target_field": "destination_longitude", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.ntlm Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.ntlm",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.hostname", "target_field": "host.name", "ignore_missing": true } },
{ "rename": { "field": "message2.domainname", "target_field": "host.domain", "ignore_missing": true } },
{ "rename": { "field": "message2.success", "target_field": "ntlm.success", "ignore_missing": true } },
{ "rename": { "field": "message2.status", "target_field": "ntlm.status", "ignore_missing": true } },
{ "rename": { "field": "message2.username", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "message2.server_dns_computer_name", "target_field": "ntlm.server.dns.name", "ignore_missing": true } },
{ "rename": { "field": "message2.server_nb_computer_name", "target_field": "ntlm.server.nb.name", "ignore_missing": true } },
{ "rename": { "field": "message2.server_tree_name", "target_field": "ntlm.server.tree.name", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

24
salt/elasticsearch/files/ingest/zeek.pe Normal file
View File

@@ -0,0 +1,24 @@
{
"description" : "zeek.pe",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id", "target_field": "log.id.fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.machine", "target_field": "file.machine", "ignore_missing": true } },
{ "rename": { "field": "message2.compile_ts", "target_field": "file.compile_timestamp", "ignore_missing": true } },
{ "rename": { "field": "message2.os", "target_field": "file.os", "ignore_missing": true } },
{ "rename": { "field": "message2.subsystem", "target_field": "file.subsystem", "ignore_missing": true } },
{ "rename": { "field": "message2.is_exe", "target_field": "file.is_exe", "ignore_missing": true } },
{ "rename": { "field": "message2.is_64bit", "target_field": "file.is_64bit", "ignore_missing": true } },
{ "rename": { "field": "message2.uses_aslr", "target_field": "file.aslr", "ignore_missing": true } },
{ "rename": { "field": "message2.uses_dep", "target_field": "file.dep", "ignore_missing": true } },
{ "rename": { "field": "message2.uses_code_integrity","target_field": "file.code_integrity","ignore_missing": true } },
{ "rename": { "field": "message2.uses_seh", "target_field": "file.seh", "ignore_missing": true } },
{ "rename": { "field": "message2.has_import_table", "target_field": "file.table.import", "ignore_missing": true } },
{ "rename": { "field": "message2.has_export_table", "target_field": "file.table.export", "ignore_missing": true } },
{ "rename": { "field": "message2.has_cert_table", "target_field": "file.table.cert", "ignore_missing": true } },
{ "rename": { "field": "message2.has_debug_data", "target_field": "file.debug_data", "ignore_missing": true } },
{ "rename": { "field": "message2.section_names", "target_field": "file.section_names", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

16
salt/elasticsearch/files/ingest/zeek.radius Normal file
View File

@@ -0,0 +1,16 @@
{
"description" : "zeek.radius",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.username", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "message2.mac", "target_field": "host.mac", "ignore_missing": true } },
{ "rename": { "field": "message2.framed_addr", "target_field": "framed_addr", "ignore_missing": true } },
{ "rename": { "field": "message2.remote_ip", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.connect_info", "target_field": "radius.connect_info", "ignore_missing": true } },
{ "rename": { "field": "message2.reply_msg", "target_field": "radius.reply_message", "ignore_missing": true } },
{ "rename": { "field": "message2.result", "target_field": "radius.result", "ignore_missing": true } },
{ "rename": { "field": "message2.logged", "target_field": "radius.logged", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

23
salt/elasticsearch/files/ingest/zeek.rdp Normal file
View File

@@ -0,0 +1,23 @@
{
"description" : "zeek.rdp",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.cookie", "target_field": "rdp.cookie", "ignore_missing": true } },
{ "rename": { "field": "message2.result", "target_field": "rdp.result", "ignore_missing": true } },
{ "rename": { "field": "message2.security_protocol","target_field": "rdp.security_protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.keyboard_layout", "target_field": "rdp.keyboard_layout", "ignore_missing": true } },
{ "rename": { "field": "message2.client_build", "target_field": "rdp.client_build", "ignore_missing": true } },
{ "rename": { "field": "message2.client_name", "target_field": "client.name", "ignore_missing": true } },
{ "rename": { "field": "message2.client_dig_product_id", "target_field": "client.id.product", "ignore_missing": true } },
{ "rename": { "field": "message2.desktop_width", "target_field": "rdp.desktop.width", "ignore_missing": true } },
{ "rename": { "field": "message2.desktop_height", "target_field": "rdp.desktop.height", "ignore_missing": true } },
{ "rename": { "field": "message2.requested_color_depth", "target_field": "rdp.requested_color_depth", "ignore_missing": true } },
{ "rename": { "field": "message2.cert_type", "target_field": "rdp.certificate_type", "ignore_missing": true } },
{ "rename": { "field": "message2.cert_count", "target_field": "rdp.certificate_count", "ignore_missing": true } },
{ "rename": { "field": "message2.cert_permanent", "target_field": "rdp.certificate_permanent","ignore_missing": true } },
{ "rename": { "field": "message2.encryption_level", "target_field": "rdp.encryption_level", "ignore_missing": true } },
{ "rename": { "field": "message2.encryption_method","target_field": "rdp.encryption_method", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

18
salt/elasticsearch/files/ingest/zeek.rfb Normal file
View File

@@ -0,0 +1,18 @@
{
"description" : "zeek.rfb",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.client_major_version", "target_field": "rfb.client_major_version", "ignore_missing": true } },
{ "rename": { "field": "message2.client_minor_version", "target_field": "rfb.client_minor_version", "ignore_missing": true } },
{ "rename": { "field": "message2.server_major_version", "target_field": "rfb.server_major_version", "ignore_missing": true } },
{ "rename": { "field": "message2.server_minor_version", "target_field": "rfb.server_minor_version", "ignore_missing": true } },
{ "rename": { "field": "message2.authentication_method", "target_field": "rfb.authentication.method","ignore_missing": true } },
{ "rename": { "field": "message2.auth", "target_field": "rfb.authenticaiton.success", "ignore_missing": true } },
{ "rename": { "field": "message2.share_flag", "target_field": "rfb.share_flag", "ignore_missing": true } },
{ "rename": { "field": "message2.desktop_name", "target_field": "rfb.desktop.name", "ignore_missing": true } },
{ "rename": { "field": "message2.width", "target_field": "rfb.desktop.width", "ignore_missing": true } },
{ "rename": { "field": "message2.height", "target_field": "rfb.desktop.height", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

14
salt/elasticsearch/files/ingest/zeek.signatures Normal file
View File

@@ -0,0 +1,14 @@
{
"description" : "zeek.signatures",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.note", "target_field": "note", "ignore_missing": true } },
{ "rename": { "field": "message2.sig_id", "target_field": "signature_id", "ignore_missing": true } },
{ "rename": { "field": "message2.event_msg", "target_field": "event_message", "ignore_missing": true } },
{ "rename": { "field": "message2.sub_msg", "target_field": "sub_message", "ignore_missing": true } },
{ "rename": { "field": "message2.sig_count", "target_field": "signature_count", "ignore_missing": true } },
{ "rename": { "field": "message2.host_count", "target_field": "host.count", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

29
salt/elasticsearch/files/ingest/zeek.sip Normal file
View File

@@ -0,0 +1,29 @@
{
"description" : "zeek.sip",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.trans_depth", "target_field": "sip.transaction.depth", "ignore_missing": true } },
{ "rename": { "field": "message2.method", "target_field": "sip.method", "ignore_missing": true } },
{ "rename": { "field": "message2.uri", "target_field": "sip.uri", "ignore_missing": true } },
{ "rename": { "field": "message2.date", "target_field": "sip.date", "ignore_missing": true } },
{ "rename": { "field": "message2.request_from", "target_field": "sip.request.from", "ignore_missing": true } },
{ "rename": { "field": "message2.request_to", "target_field": "sip.request.to", "ignore_missing": true } },
{ "rename": { "field": "message2.response_from", "target_field": "sip.response.from", "ignore_missing": true } },
{ "rename": { "field": "message2.response_to", "target_field": "sip.response.to", "ignore_missing": true } },
{ "rename": { "field": "message2.reply_to", "target_field": "sip.reply_to", "ignore_missing": true } },
{ "rename": { "field": "message2.call_id", "target_field": "sip.call_id", "ignore_missing": true } },
{ "rename": { "field": "message2.seq", "target_field": "sip.seq", "ignore_missing": true } },
{ "rename": { "field": "message2.subject", "target_field": "sip.subject", "ignore_missing": true } },
{ "rename": { "field": "message2.request_path", "target_field": "sip.request.path", "ignore_missing": true } },
{ "rename": { "field": "message2.response_path", "target_field": "sip.response.path", "ignore_missing": true } },
{ "rename": { "field": "message2.user_agent", "target_field": "client.user_agent", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code", "target_field": "server.status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.status_msg", "target_field": "server.status_message", "ignore_missing": true } },
{ "rename": { "field": "message2.warning", "target_field": "sip.warning", "ignore_missing": true } },
{ "rename": { "field": "message2.request_body_len", "target_field": "sip.request.body.length", "ignore_missing": true } },
{ "rename": { "field": "message2.response_body_len","target_field": "sip.response.body.length", "ignore_missing": true } },
{ "rename": { "field": "message2.content_type", "target_field": "sip.content_type", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

23
salt/elasticsearch/files/ingest/zeek.smb_files Normal file
View File

@@ -0,0 +1,23 @@
{
"description" : "zeek.smb_files",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.action", "target_field": "file.action", "ignore_missing": true } },
{ "remove": { "field": "path", "ignore_failure": true } },
{ "rename": { "field": "message2.path", "target_field": "file.path", "ignore_missing": true } },
{ "rename": { "field": "message2.name", "target_field": "file.name", "ignore_missing": true } },
{ "rename": { "field": "message2.size", "target_field": "file.size", "ignore_missing": true } },
{ "rename": { "field": "message2.prev_name", "target_field": "file.previous_name", "ignore_missing": true } },
{ "dot_expander": { "field": "times.modified", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.times.modified", "target_field": "file.times_modified", "ignore_missing": true } },
{ "dot_expander": { "field": "times.accessed", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.times.accessed", "target_field": "file.times_accessed", "ignore_missing": true } },
{ "dot_expander": { "field": "times.created", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.times.created", "target_field": "file.times_created", "ignore_missing": true } },
{ "dot_expander": { "field": "times.changed", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.times.changed", "target_field": "file.times_changed", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

12
salt/elasticsearch/files/ingest/zeek.smb_mapping Normal file
View File

@@ -0,0 +1,12 @@
{
"description" : "zeek.smb_files",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.path", "target_field": "smb.path", "ignore_missing": true } },
{ "rename": { "field": "message2.service", "target_field": "smb.service", "ignore_missing": true } },
{ "rename": { "field": "message2.native_file_system", "target_field": "smb.file_system", "ignore_missing": true } },
{ "rename": { "field": "message2.share_type", "target_field": "smb.share_type", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

30
salt/elasticsearch/files/ingest/zeek.smtp Normal file
View File

@@ -0,0 +1,30 @@
{
"description" : "zeek.smtp",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "remove": { "field": "path", "ignore_failure": true } },
{ "rename": { "field": "message2.trans_depth", "target_field": "smtp.transaction_depth", "ignore_missing": true } },
{ "rename": { "field": "message2.helo", "target_field": "smtp.helo", "ignore_missing": true } },
{ "rename": { "field": "message2.mailfrom", "target_field": "smtp.mail_from", "ignore_missing": true } },
{ "rename": { "field": "message2.rcptto", "target_field": "smtp.recipient_to", "ignore_missing": true } },
{ "rename": { "field": "message2.date", "target_field": "smtp.mail_date", "ignore_missing": true } },
{ "rename": { "field": "message2.from", "target_field": "smtp.from", "ignore_missing": true } },
{ "rename": { "field": "message2.to", "target_field": "smtp.to", "ignore_missing": true } },
{ "rename": { "field": "message2.cc", "target_field": "smtp.cc", "ignore_missing": true } },
{ "rename": { "field": "message2.reply_to", "target_field": "smtp.reply_to", "ignore_missing": true } },
{ "rename": { "field": "message2.msg_id", "target_field": "smtp.message_id", "ignore_missing": true } },
{ "rename": { "field": "message2.in_reply_to", "target_field": "smtp.in_reply_to", "ignore_missing": true } },
{ "rename": { "field": "message2.subject", "target_field": "smtp.subject", "ignore_missing": true } },
{ "rename": { "field": "message2.x_originating_ip", "target_field": "smtp.x_originating_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.first_received", "target_field": "smtp.first_received", "ignore_missing": true } },
{ "rename": { "field": "message2.second_received", "target_field": "smtp.second_received", "ignore_missing": true } },
{ "rename": { "field": "message2.last_reply", "target_field": "smtp.last_reply", "ignore_missing": true } },
{ "rename": { "field": "message2.path", "target_field": "smtp.path", "ignore_missing": true } },
{ "rename": { "field": "message2.user_agent", "target_field": "smtp.useragent", "ignore_missing": true } },
{ "rename": { "field": "message2.tls", "target_field": "smtp.tls", "ignore_missing": true } },
{ "rename": { "field": "message2.fuids", "target_field": "log.id.fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.is_webmail", "target_field": "smtp.is_webmail", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

17
salt/elasticsearch/files/ingest/zeek.snmp Normal file
View File

@@ -0,0 +1,17 @@
{
"description" : "zeek.snmp",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } },
{ "rename": { "field": "message2.version", "target_field": "snmp.version", "ignore_missing": true } },
{ "rename": { "field": "message2.community", "target_field": "snmp.community", "ignore_missing": true } },
{ "rename": { "field": "message2.get_requests", "target_field": "snmp.get.requests", "ignore_missing": true } },
{ "rename": { "field": "message2.get_bulk_requests","target_field": "snmp.get.bulk_requests", "ignore_missing": true } },
{ "rename": { "field": "message2.get_responses", "target_field": "snmp.get.responses", "ignore_missing": true } },
{ "rename": { "field": "message2.set_requests", "target_field": "snmp.set.requests", "ignore_missing": true } },
{ "rename": { "field": "message2.display_string", "target_field": "snmp.display_string", "ignore_missing": true } },
{ "rename": { "field": "message2.up_since", "target_field": "snmp.up_since", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

20
salt/elasticsearch/files/ingest/zeek.socks Normal file
View File

@@ -0,0 +1,20 @@
{
"description" : "zeek.socks",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version", "target_field": "socks.version", "ignore_missing": true } },
{ "rename": { "field": "message2.user", "target_field": "socks.user", "ignore_missing": true } },
{ "rename": { "field": "message2.password", "target_field": "socks.password", "ignore_missing": true } },
{ "rename": { "field": "message2.status", "target_field": "socks.status", "ignore_missing": true } },
{ "rename": { "field": "message2.request_host", "target_field": "socks.request.host", "ignore_missing": true } },
{ "dot_expander": { "field": "request.name", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.request.name", "target_field": "socks.request.name", "ignore_missing": true } },
{ "rename": { "field": "message2.request_p", "target_field": "socks.request.port", "ignore_missing": true } },
{ "dot_expander": { "field": "bound.host", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.bound.host", "target_field": "socks.bound.host", "ignore_missing": true } },
{ "rename": { "field": "message2.bound_name", "target_field": "socks.bound.name", "ignore_missing": true } },
{ "rename": { "field": "message2.bound_p", "target_field": "socks.bound.port", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

22
salt/elasticsearch/files/ingest/bro_software → salt/elasticsearch/files/ingest/zeek.software
View File

@@ -1,23 +1,23 @@
{
"description" : "bro_software",
"description" : "zeek.software",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "version.major", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version.major", "target_field": "version_major", "ignore_missing": true } },
{ "rename": { "field": "message2.version.major", "target_field": "software.version.major", "ignore_missing": true } },
{ "dot_expander": { "field": "version.minor", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version.minor", "target_field": "version_minor", "ignore_missing": true } },
{ "rename": { "field": "message2.version.minor", "target_field": "software.version.minor", "ignore_missing": true } },
{ "dot_expander": { "field": "version.minor2", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version.minor2", "target_field": "version_minor2", "ignore_missing": true } },
{ "rename": { "field": "message2.version.minor2", "target_field": "software.version.minor2", "ignore_missing": true } },
{ "dot_expander": { "field": "version.minor3", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version.minor3", "target_field": "version_minor3", "ignore_missing": true } },
{ "rename": { "field": "message2.version.minor3", "target_field": "version.minor3", "ignore_missing": true } },
{ "dot_expander": { "field": "version.addl", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version.addl", "target_field": "version_additional_info", "ignore_missing": true } },
{ "rename": { "field": "message2.version.addl", "target_field": "software.version.additional_info", "ignore_missing": true } },
{ "rename": { "field": "message2.host", "target_field": "source.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.host_p", "target_field": "source.port", "ignore_missing": true } },
{ "rename": { "field": "message2.software_type", "target_field": "software_type", "ignore_missing": true } },
{ "rename": { "field": "message2.name", "target_field": "name", "ignore_missing": true } },
{ "rename": { "field": "message2.unparsed_version", "target_field": "unparsed_version", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
{ "rename": { "field": "message2.software_type", "target_field": "software.type", "ignore_missing": true } },
{ "rename": { "field": "message2.name", "target_field": "software.name", "ignore_missing": true } },
{ "rename": { "field": "message2.unparsed_version", "target_field": "software.version.unparsed", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

32
salt/elasticsearch/files/ingest/zeek.ssh Normal file
View File

@@ -0,0 +1,32 @@
{
"description" : "zeek.conn",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version", "target_field": "ssh.version", "ignore_missing": true } },
{ "rename": { "field": "message2.hassh", "target_field": "hash.hassh", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_success", "target_field": "ssh.authentication.success", "ignore_missing": true } },
{ "rename": { "field": "message2.auth_attempts", "target_field": "ssh.authentication.attempts", "ignore_missing": true } },
{ "rename": { "field": "message2.direction", "target_field": "ssh.direction", "ignore_missing": true } },
{ "rename": { "field": "message2.client", "target_field": "ssh.client", "ignore_missing": true } },
{ "rename": { "field": "message2.server", "target_field": "ssh.server", "ignore_missing": true } },
{ "rename": { "field": "message2.cipher_alg", "target_field": "ssh.cipher_algorithm", "ignore_missing": true } },
{ "rename": { "field": "message2.compression_alg", "target_field": "ssh.compression_algorithm", "ignore_missing": true } },
{ "rename": { "field": "message2.cshka", "target_field": "ssh.client_host_key_algorithms", "ignore_missing": true } },
{ "rename": { "field": "message2.host_key_alg", "target_field": "ssh.host_key_algorithm", "ignore_missing": true } },
{ "rename": { "field": "message2.hasshAlgorithms", "target_field": "ssh.hassh_algorithms", "ignore_missing": true } },
{ "rename": { "field": "message2.hasshServer", "target_field": "ssh.hassh_server", "ignore_missing": true } },
{ "rename": { "field": "message2.hasshVersion", "target_field": "ssh.hassh_version", "ignore_missing": true } },
{ "rename": { "field": "message2.kex_alg", "target_field": "ssh.kex_algorithm", "ignore_missing": true } },
{ "rename": { "field": "message2.mac_alg", "target_field": "ssh.mac_algorithm", "ignore_missing": true } },
{ "rename": { "field": "message2.sshka", "target_field": "ssh.server_host_key_algorithms", "ignore_missing": true } },
{ "rename": { "field": "message2.host_key", "target_field": "ssh.host_key", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_region", "target_field": "destination.region", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_city", "target_field": "destination.city", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_latitude", "target_field": "destination.latitude", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_longitude", "target_field": "destination.longitude", "ignore_missing": true } },
{ "rename": { "field": "message2.destination_country_code", "target_field": "destination.country_code", "ignore_missing": true } },
{ "rename": { "field": "message2.hasshServerAlgorithms", "target_field": "ssh.hassh_server_algorithms", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

25
salt/elasticsearch/files/ingest/zeek.ssl Normal file
View File

@@ -0,0 +1,25 @@
{
"description" : "zeek.ssl",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version", "target_field": "ssl.version", "ignore_missing": true } },
{ "rename": { "field": "message2.cipher", "target_field": "ssl.cipher", "ignore_missing": true } },
{ "rename": { "field": "message2.curve", "target_field": "ssl.curve", "ignore_missing": true } },
{ "rename": { "field": "message2.server_name", "target_field": "ssl.server_name", "ignore_missing": true } },
{ "rename": { "field": "message2.resumed", "target_field": "ssl.resumed", "ignore_missing": true } },
{ "rename": { "field": "message2.last_alert", "target_field": "ssl.last_alert", "ignore_missing": true } },
{ "rename": { "field": "message2.next_protocol", "target_field": "ssl.next_protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.established", "target_field": "ssl.established", "ignore_missing": true } },
{ "rename": { "field": "message2.cert_chain_fuids", "target_field": "ssl.certificate.chain_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.client_cert_chain_fuids", "target_field": "ssl.client.certificate.chain_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } },
{ "rename": { "field": "message2.issuer", "target_field": "ssl.certificate.issuer", "ignore_missing": true } },
{ "rename": { "field": "message2.client_subject", "target_field": "ssl.client.subject", "ignore_missing": true } },
{ "rename": { "field": "message2.client_issuer", "target_field": "ssl.client.issuer", "ignore_missing": true } },
{ "rename": { "field": "message2.validation_status","target_field": "ssl.validation_status", "ignore_missing": true } },
{ "rename": { "field": "message2.ja3", "target_field": "hash.ja3", "ignore_missing": true } },
{ "rename": { "field": "message2.ja3s", "target_field": "hash.ja3s", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common_ssl" } }
]
}

13
salt/elasticsearch/files/ingest/zeek.syslog Normal file
View File

@@ -0,0 +1,13 @@
{
"description" : "zeek.syslog",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.facility", "target_field": "syslog.facility", "ignore_missing": true } },
{ "rename": { "field": "message2.severity", "target_field": "syslog.severity", "ignore_missing": true } },
{ "remove": { "field": "message", "ignore_failure": true } },
{ "rename": { "field": "message2.message", "target_field": "message", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

8
salt/elasticsearch/files/ingest/zeek.tunnel Normal file
View File

@@ -0,0 +1,8 @@
{
"description" : "zeek.tunnel",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "set": { "field": "event_type", "value": "zeek.tunnels" } },
{ "pipeline": { "name": "zeek.tunnels" } }
]
}

5
salt/elasticsearch/files/ingest/bro_tunnels → salt/elasticsearch/files/ingest/zeek.tunnels
View File

@@ -1,6 +1,7 @@
{
"description" : "bro_tunnels",
"description" : "zeek.tunnels",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.uid", "target_field": "uid", "ignore_missing": true } },
{ "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
@@ -13,6 +14,6 @@
{ "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "message2.tunnel_type", "target_field": "tunnel_type", "ignore_missing": true } },
{ "rename": { "field": "message2.action", "target_field": "action", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common" } }
{ "pipeline": { "name": "zeek.common" } }
]
}

12
salt/elasticsearch/files/ingest/zeek.weird Normal file
View File

@@ -0,0 +1,12 @@
{
"description" : "zeek.weird",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.name", "target_field": "weird.name", "ignore_missing": true } },
{ "rename": { "field": "message2.addl", "target_field": "weird.additional_info", "ignore_missing": true } },
{ "rename": { "field": "message2.notice", "target_field": "weird.notice", "ignore_missing": true } },
{ "rename": { "field": "message2.peer", "target_field": "weird.peer", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

41
salt/elasticsearch/files/ingest/bro_x509 → salt/elasticsearch/files/ingest/zeek.x509
View File

@@ -1,44 +1,45 @@
{
"description" : "bro_x509",
"description" : "zeek.x509",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id", "target_field": "id", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.version", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.version", "target_field": "certificate_version", "ignore_missing": true } },
{ "rename": { "field": "message2.certificate.version", "target_field": "x509.certificate.version", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.serial", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.serial", "target_field": "certificate_serial", "ignore_missing": true } },
{ "rename": { "field": "message2.certificate.serial", "target_field": "x509.certificate.serial", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.subject", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.subject", "target_field": "certificate_subject", "ignore_missing": true } },
{ "rename": { "field": "message2.certificate.subject", "target_field": "x509.certificate.subject", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.issuer", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.issuer", "target_field": "certificate_issuer", "ignore_missing": true } },
{ "rename": { "field": "message2.certificate.issuer", "target_field": "x509.certificate.issuer", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.not_valid_before", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.not_valid_before", "target_field": "certificate_not_valid_before", "ignore_missing": true } },
{ "rename": { "field": "message2.certificate.not_valid_before", "target_field": "x509.certificate.not_valid_before", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.not_valid_after", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.not_valid_after", "target_field": "certificate_not_valid_after", "ignore_missing": true } },
{ "rename": { "field": "message2.certificate.not_valid_after", "target_field": "x509.certificate.not_valid_after", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.key_alg", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.key_alg", "target_field": "certificate_key_algorithm", "ignore_missing": true } },
{ "rename": { "field": "message2.certificate.key_alg", "target_field": "x509.certificate.key.algorithm", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.sig_alg", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.sig_alg", "target_field": "certificate_signing_algorithm", "ignore_missing": true } },
{ "rename": { "field": "message2.certificate.sig_alg", "target_field": "x509.certificate.signing_algorithm", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.key_type", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.key_type", "target_field": "certificate_key_type", "ignore_missing": true } },
{ "rename": { "field": "message2.certificate.key_type", "target_field": "x509.certificate.key.type", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.key_length", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.key_length", "target_field": "certificate_key_length", "ignore_missing": true } },
{ "rename": { "field": "message2.certificate.key_length", "target_field": "x509.certificate.key.length", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.exponent", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.exponent", "target_field": "certificate_exponent", "ignore_missing": true } },
{ "rename": { "field": "message2.certificate.exponent", "target_field": "x509.certificate.exponent", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.curve", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.curve", "target_field": "certificate_curve", "ignore_missing": true } },
{ "rename": { "field": "message2.certificate.curve", "target_field": "x509.certificate.curve", "ignore_missing": true } },
{ "dot_expander": { "field": "san.dns", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.dns", "target_field": "san_dns", "ignore_missing": true } },
{ "rename": { "field": "message2.san.dns", "target_field": "x509.san_dns", "ignore_missing": true } },
{ "dot_expander": { "field": "san.uri", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.uri", "target_field": "san_uri", "ignore_missing": true } },
{ "rename": { "field": "message2.san.uri", "target_field": "x509.san_uri", "ignore_missing": true } },
{ "dot_expander": { "field": "san.email", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.email", "target_field": "san_email", "ignore_missing": true } },
{ "rename": { "field": "message2.san.email", "target_field": "x509.san_email", "ignore_missing": true } },
{ "dot_expander": { "field": "san.ip", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.ip", "target_field": "san_ip", "ignore_missing": true } },
{ "rename": { "field": "message2.san.ip", "target_field": "x509.san_ip", "ignore_missing": true } },
{ "dot_expander": { "field": "basic_constraints.ca", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.basic_constraints.ca", "target_field": "basic_constraints_ca", "ignore_missing": true } },
{ "rename": { "field": "message2.basic_constraints.ca", "target_field": "x509.basic_constraints.ca", "ignore_missing": true } },
{ "dot_expander": { "field": "basic_constraints.path_length", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.basic_constraints.path_length", "target_field": "basic_constraints_path_length", "ignore_missing": true } },
{ "pipeline": { "name": "bro_common_ssl" } }
{ "rename": { "field": "message2.basic_constraints.path_length", "target_field": "x509.basic_constraints.path_length", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common_ssl" } }
]
}

144
salt/logstash/pipelines/config/so/0800_input_eval.conf
View File

@@ -9,182 +9,182 @@ input {
}
file {
path => "/nsm/zeek/logs/current/conn*.log"
type => "bro_conn"
tags => ["bro"]
type => "zeek.conn"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/dce_rpc*.log"
type => "bro_dce_rpc"
tags => ["bro"]
type => "zeek.dce_rpc"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/dhcp*.log"
type => "bro_dhcp"
tags => ["bro"]
type => "zeek.dhcp"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/dnp3*.log"
type => "bro_dnp3"
tags => ["bro"]
type => "zeek.dnp3"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/dns*.log"
type => "bro_dns"
tags => ["bro"]
type => "zeek.dns"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/dpd*.log"
type => "bro_dpd"
tags => ["bro"]
type => "zeek.dpd"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/files*.log"
type => "bro_files"
tags => ["bro"]
type => "zeek.files"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/ftp*.log"
type => "bro_ftp"
tags => ["bro"]
type => "zeek.ftp"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/http*.log"
type => "bro_http"
tags => ["bro"]
type => "zeek.http"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/intel*.log"
type => "bro_intel"
tags => ["bro"]
type => "zeek.intel"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/irc*.log"
type => "bro_irc"
tags => ["bro"]
type => "zeek.irc"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/kerberos*.log"
type => "bro_kerberos"
tags => ["bro"]
type => "zeek.kerberos"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/modbus*.log"
type => "bro_modbus"
tags => ["bro"]
type => "zeek.modbus"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/mysql*.log"
type => "bro_mysql"
tags => ["bro"]
type => "zeek.mysql"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/notice*.log"
type => "bro_notice"
tags => ["bro"]
type => "zeek.notice"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/ntlm*.log"
type => "bro_ntlm"
tags => ["bro"]
type => "zeek.ntlm"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/pe*.log"
type => "bro_pe"
tags => ["bro"]
type => "zeek.pe"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/radius*.log"
type => "bro_radius"
tags => ["bro"]
type => "zeek.radius"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/rdp*.log"
type => "bro_rdp"
tags => ["bro"]
type => "zeek.rdp"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/rfb*.log"
type => "bro_rfb"
tags => ["bro"]
type => "zeek.rfb"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/signatures*.log"
type => "bro_signatures"
tags => ["bro"]
type => "zeek.signatures"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/sip*.log"
type => "bro_sip"
tags => ["bro"]
type => "zeek.sip"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/smb_files*.log"
type => "bro_smb_files"
tags => ["bro"]
type => "zeek.smb_files"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/smb_mapping*.log"
type => "bro_smb_mapping"
tags => ["bro"]
type => "zeek.smb_mapping"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/smtp*.log"
type => "bro_smtp"
tags => ["bro"]
type => "zeek.smtp"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/snmp*.log"
type => "bro_snmp"
tags => ["bro"]
type => "zeek.snmp"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/socks*.log"
type => "bro_socks"
tags => ["bro"]
type => "zeek.socks"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/software*.log"
type => "bro_software"
tags => ["bro"]
type => "zeek.software"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/ssh*.log"
type => "bro_ssh"
tags => ["bro"]
type => "zeek.ssh"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/ssl*.log"
type => "bro_ssl"
tags => ["bro"]
type => "zeek.ssl"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/syslog*.log"
type => "bro_syslog"
tags => ["bro"]
type => "zeek.syslog"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/tunnel*.log"
type => "bro_tunnels"
tags => ["bro"]
type => "zeek.tunnels"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/weird*.log"
type => "bro_weird"
tags => ["bro"]
type => "zeek.weird"
tags => ["zeek"]
}
file {
path => "/nsm/zeek/logs/current/x509*.log"
type => "bro_x509"
tags => ["bro"]
type => "zeek.x509"
tags => ["zeek"]
}
file {
path => "/wazuh/alerts/alerts.json"
type => "ossec"
}
file {
path => "/wazuh/archives/archives.json"
type => "ossec_archive"
}
# file {
# path => "/wazuh/archives/archives.json"
# type => "ossec_archive"
# }
file {
path => "/osquery/logs/result.log"
type => "osquery"

1
salt/logstash/pipelines/config/so/8999_postprocess_rename_type.conf
View File

@@ -4,5 +4,6 @@
filter {
mutate {
rename => [ "type", "event_type" ]
remove_field => [ "host" ]
}
}

10
salt/logstash/pipelines/config/so/9000_output_bro.conf.jinja
View File

@@ -10,21 +10,21 @@
filter {
if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
if "zeek" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
mutate {
##add_tag => [ "conf_file_9000"]
}
}
}
output {
if "bro" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
if "zeek" in [tags] and "test_data" not in [tags] and "import" not in [tags] {
# stdout { codec => rubydebug }
elasticsearch {
pipeline => "%{event_type}"
hosts => "{{ ES }}"
index => "logstash-bro-%{+YYYY.MM.dd}"
template_name => "logstash-bro"
template => "/logstash-bro-template.json"
index => "so-zeek-%{+YYYY.MM.dd}"
template_name => "so-zeek"
template => "/so-zeek-template.json"
template_overwrite => true
}
}

4
salt/logstash/pipelines/config/so/9001_output_switch.conf.jinja
View File

@@ -20,8 +20,8 @@ output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-switch-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
index => "so-switch-%{+YYYY.MM.dd}"
template => "/so-template.json"
}
}
}

4
salt/logstash/pipelines/config/so/9002_output_import.conf.jinja
View File

@@ -18,9 +18,9 @@ output {
# stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-import-%{+YYYY.MM.dd}"
index => "so-import-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template => "/so-template.json"
template_overwrite => true
}
}

4
salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja
View File

@@ -20,8 +20,8 @@ output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-flow-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
index => "so-flow-%{+YYYY.MM.dd}"
template => "/so-template.json"
}
}
}

2
salt/logstash/pipelines/config/so/9026_output_dhcp.conf.jinja
View File

@@ -20,7 +20,7 @@ output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
template => "/so-template.json"
}
}
}

2
salt/logstash/pipelines/config/so/9029_output_esxi.conf.jinja
View File

@@ -19,7 +19,7 @@ output {
if [event_type] == "esxi" and "test_data" not in [tags] {
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
template => "/so-template.json"
}
}
}

2
salt/logstash/pipelines/config/so/9030_output_greensql.conf.jinja
View File

@@ -19,7 +19,7 @@ output {
if [event_type] == "greensql" and "test_data" not in [tags] {
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
template => "/so-template.json"
}
}
}

2
salt/logstash/pipelines/config/so/9031_output_iis.conf.jinja
View File

@@ -20,7 +20,7 @@ output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
template => "/so-template.json"
}
}
}

2
salt/logstash/pipelines/config/so/9032_output_mcafee.conf.jinja
View File

@@ -20,7 +20,7 @@ output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
template => "/logstash-template.json"
template => "/so-template.json"
}
}
}

4
salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja
View File

@@ -20,9 +20,9 @@ output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-ids-%{+YYYY.MM.dd}"
index => "so-ids-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template => "/so-template.json"
template_overwrite => true
}
}

4
salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
View File

@@ -19,9 +19,9 @@ output {
if "syslog" in [tags] and "test_data" not in [tags] {
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-syslog-%{+YYYY.MM.dd}"
index => "so-syslog-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template => "/so-template.json"
template_overwrite => true
}
}

4
salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja
View File

@@ -12,8 +12,8 @@ output {
if "osquery" in [tags] {
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-osquery-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
index => "so-osquery-%{+YYYY.MM.dd}"
template => "/so-template.json"
}
}
}

4
salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja
View File

@@ -20,9 +20,9 @@ output {
# stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-firewall-%{+YYYY.MM.dd}"
index => "so-firewall-%{+YYYY.MM.dd}"
template_name => "logstash"
template => "/logstash-template.json"
template => "/so-template.json"
template_overwrite => true
}
}

4
salt/logstash/pipelines/config/so/9300_output_windows.conf.jinja
View File

@@ -20,8 +20,8 @@ output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-windows-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
index => "so-windows-%{+YYYY.MM.dd}"
template => "/so-template.json"
}
}
}

4
salt/logstash/pipelines/config/so/9301_output_dns_windows.conf.jinja
View File

@@ -20,8 +20,8 @@ output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
index => "so-%{+YYYY.MM.dd}"
template => "/so-template.json"
}
}
}

4
salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
View File

@@ -20,8 +20,8 @@ output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-ids-%{+YYYY.MM.dd}"
template => "/logstash-template.json"
index => "so-ids-%{+YYYY.MM.dd}"
template => "/so-template.json"
}
}
}

6
salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
View File

@@ -16,9 +16,9 @@ output {
if "beat" in [tags] {
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-beats-%{+YYYY.MM.dd}"
template_name => "logstash-beats"
template => "/beats-template.json"
index => "so-beats-%{+YYYY.MM.dd}"
template_name => "so-beats"
template => "/so-beats-template.json"
template_overwrite => true
}
}

7
salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
View File

@@ -19,10 +19,11 @@ filter {
output {
if [event_type] =~ "ossec" or "ossec" in [tags] {
elasticsearch {
pipeline => "%{event_type}"
hosts => "{{ ES }}"
index => "logstash-ossec-%{+YYYY.MM.dd}"
template_name => "logstash-ossec"
template => "/logstash-ossec-template.json"
index => "so-ossec-%{+YYYY.MM.dd}"
template_name => "so-ossec"
template => "/so-ossec-template.json"
template_overwrite => true
}
}

6
salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
View File

@@ -20,9 +20,9 @@ output {
if [event_type] =~ "strelka" {
elasticsearch {
hosts => "{{ ES }}"
index => "logstash-strelka-%{+YYYY.MM.dd}"
template_name => "logstash-strelka"
template => "/logstash-strelka-template.json"
index => "so-strelka-%{+YYYY.MM.dd}"
template_name => "so-strelka"
template => "/so-strelka-template.json"
template_overwrite => true
}
}

1288
salt/logstash/pipelines/templates/so/so-beats-template.json Normal file
View File

File diff suppressed because it is too large Load Diff

3466
salt/logstash/pipelines/templates/so/so-ossec-template.json Normal file
View File

File diff suppressed because it is too large Load Diff

24
salt/logstash/pipelines/templates/so/so-strelka-template.json Normal file
View File

@@ -0,0 +1,24 @@
{
"index_patterns": ["so-strelka-*"],
"version":50001,
"order" : 0,
"settings":{
"number_of_replicas":0,
"number_of_shards":1,
"index.refresh_interval":"30s"
},
"mappings":{
"doc":{
"dynamic": false,
"date_detection": false,
"properties":{
"@timestamp":{
"type":"date"
},
"@version":{
"type":"keyword"
}
}
}
}
}

3600
salt/logstash/pipelines/templates/so/so-template.json Normal file
View File

File diff suppressed because it is too large Load Diff

3599
salt/logstash/pipelines/templates/so/so-zeek-template.json Normal file
View File

File diff suppressed because it is too large Load Diff

19
salt/ssl/init.sls
View File

@@ -1,17 +1,24 @@
{% set master = salt['grains.get']('master') %}
{% set master_minion_id = master.split(".")[0] %}
{%- set masterip = salt['pillar.get']('static:masterip', '') -%}
{% set masterip = salt['pillar.get']('static:masterip', '') %}
{% set global_ca_text = [] %}
{% set global_ca_server = [] %}
{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
{% if 'master' in grains.id.split('_')|last or 'eval' in grains.id.split('_')|last %}
{% set trusttheca_text = salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %}
{% set ca_server = grains.id %}
{% else %}
{% set trusttheca_text = salt['mine.get'](master_minion_id, 'x509.get_pem_entries')[master_minion_id]['/etc/pki/ca.crt']|replace('\n', '') %}
{% set ca_server = master_minion_id %}
{% set x509dict = salt['mine.get']('*', 'x509.get_pem_entries') %}
{% for host in x509dict %}
{% if 'master' in host.split('_')|last %}
{% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
{% do global_ca_server.append(host) %}
{% endif %}
{% endfor %}
{% set trusttheca_text = global_ca_text[0] %}
{% set ca_server = global_ca_server[0] %}
{% endif %}
# Trust the CA
trusttheca:
x509.pem_managed:
- name: /etc/ssl/certs/intca.crt

28
salt/top.sls
View File

@@ -11,7 +11,7 @@ base:
- patch.os.schedule
- motd
'G@role:so-helix':
'*_helix':
- ca
- ssl
- registry
@@ -26,7 +26,7 @@ base:
- filebeat
- schedule
'G@role:so-sensor':
'*_sensor':
- ca
- ssl
- common
@@ -43,7 +43,7 @@ base:
{%- endif %}
- schedule
'G@role:so-eval':
'*_eval':
- ca
- ssl
- registry
@@ -89,7 +89,7 @@ base:
{%- endif %}
'G@role:so-master':
'*_master':
- ca
- ssl
- registry
@@ -133,8 +133,8 @@ base:
# Search node logic
'G@role:so-node and I@node:node_type:parser':
- match: pillar
'*_node and I@node:node_type:parser':
- match: compound
- common
- firewall
- logstash
@@ -143,8 +143,8 @@ base:
{%- endif %}
- schedule
'G@role:so-node and I@node:node_type:hot':
- match: pillar
'*_node and I@node:node_type:hot':
- match: compound
- common
- firewall
- logstash
@@ -155,8 +155,8 @@ base:
{%- endif %}
- schedule
'G@role:so-node and I@node:node_type:warm':
- match: pillar
'*_node and I@node:node_type:warm':
- match: compound
- common
- firewall
- elasticsearch
@@ -165,7 +165,7 @@ base:
{%- endif %}
- schedule
'G@role:so-node and I@node:node_type:search':
'*_node and I@node:node_type:search':
- match: compound
- ca
- ssl
@@ -183,7 +183,7 @@ base:
{%- endif %}
- schedule
'G@role:mastersensor':
'*_mastersensor':
- common
- firewall
- sensor
@@ -194,7 +194,7 @@ base:
{%- endif %}
- schedule
'G@role:so-mastersearch':
'*_mastersearch':
- ca
- ssl
- registry
@@ -238,7 +238,7 @@ base:
- domainstats
{%- endif %}
'G@role:so-heavynode':
'*_heavynode':
- ca
- ssl
- common

119
setup/so-functions
View File

@@ -268,7 +268,7 @@ copy_master_config() {
copy_minion_tmp_files() {
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
echo "Copying pillar and salt files in $TMP to /opt/so/saltstack"
cp -Rv $TMP/pillar/ /opt/so/saltstack/ >> $SETUPLOG 2>&1
if [ -d $TMP/salt ] ; then
@@ -407,7 +407,7 @@ docker_install() {
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum -y update
yum -y install docker-ce python36-docker
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ]; then
docker_registry
echo "Restarting Docker" >> $SETUPLOG 2>&1
systemctl restart docker
@@ -421,9 +421,13 @@ docker_install() {
else
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ]; then
apt-get update >> $SETUPLOG 2>&1
apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1
if [ $OSVER != "xenial" ]; then
apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1
else
apt-get -y install docker-ce python-docker >> $SETUPLOG 2>&1
fi
docker_registry >> $SETUPLOG 2>&1
echo "Restarting Docker" >> $SETUPLOG 2>&1
systemctl restart docker >> $SETUPLOG 2>&1
@@ -431,7 +435,11 @@ docker_install() {
apt-key add $TMP/gpg/docker.pub >> $SETUPLOG 2>&1
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> $SETUPLOG 2>&1
apt-get update >> $SETUPLOG 2>&1
apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1
if [ $OSVER != "xenial" ]; then
apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1
else
apt-get -y install docker-ce python-docker >> $SETUPLOG 2>&1
fi
docker_registry >> $SETUPLOG 2>&1
echo "Restarting Docker" >> $SETUPLOG 2>&1
systemctl restart docker >> $SETUPLOG 2>&1
@@ -603,7 +611,14 @@ get_filesystem_root(){
get_main_ip() {
# Get the main IP address the box is using
MAINIP=$(ip route get 1 | awk '{print $NF;exit}')
# Add some logic because Bubntu 18.04 like to be different
if [ $OSVER == 'bionic' ]; then
MAINIP=$(ip route get 1 | awk '{print $7;exit}')
else
MAINIP=$(ip route get 1 | awk '{print $NF;exit}')
fi
MAININT=$(ip route get 1 | awk '{print $5;exit}')
}
@@ -651,8 +666,13 @@ install_master() {
#wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH
else
apt-get install -y salt-common=2019.2.3+ds-1 salt-master=2019.2.3+ds-1 salt-minion=2019.2.3+ds-1 libssl-dev python-m2crypto
apt-mark hold salt-common salt-master salt-minion
if [ $OSVER != "xenial" ]; then
apt-get install -y salt-common=2019.2.3+ds-1 salt-master=2019.2.3+ds-1 salt-minion=2019.2.3+ds-1 libssl-dev python-m2crypto
apt-mark hold salt-common salt-master salt-minion
else
apt-get install -y salt-common=2019.2.3+ds-1 salt-master=2019.2.3+ds-1 salt-minion=2019.2.3+ds-1 libssl-dev python-m2crypto
apt-mark hold salt-common salt-master salt-minion
fi
fi
copy_master_config
@@ -664,7 +684,7 @@ ls_heapsize() {
# Determine LS Heap Size
if [ $TOTAL_MEM -ge 32000 ] || [ $INSTALLTYPE == 'MASTERSEARCH' ] || [ $INSTALLTYPE == 'HEAVYNODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
LS_HEAP_SIZE="1000m"
elif [ $INSTALLTYPE == 'EVALMODE' ]; then
elif [ $INSTALLTYPE == 'EVAL' ]; then
LS_HEAP_SIZE="700m"
else
# If minimal RAM, then set minimal heap
@@ -683,7 +703,7 @@ master_pillar() {
echo " mainint: $MAININT" >> $PILLARFILE
echo " esheap: $ES_HEAP_SIZE" >> $PILLARFILE
echo " esclustername: {{ grains.host }}" >> $PILLARFILE
if [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
if [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
echo " freq: 0" >> $PILLARFILE
echo " domainstats: 0" >> $PILLARFILE
echo " ls_pipeline_batch_size: 125" >> $PILLARFILE
@@ -875,7 +895,7 @@ saltify() {
if [ $OS == 'centos' ]; then
ADDUSER=adduser
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
reserve_group_ids
yum -y install wget https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm
cp /etc/yum.repos.d/salt-py3-latest.repo /etc/yum.repos.d/salt-py3-2019-2.repo
@@ -1036,7 +1056,7 @@ EOF
yum -y update exclude=salt*
systemctl enable salt-minion
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
yum -y install salt-master-2019.2.3 python3 python36-m2crypto salt-minion-2019.2.3 python36-dateutil python36-mysql python36-docker
systemctl enable salt-master
else
@@ -1049,6 +1069,12 @@ EOF
ADDUSER=useradd
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade
if [ $OSVER != "xenial" ]; then
# Switch to Python 3 as default is this is not xenial
update-alternatives --install /usr/bin/python python /usr/bin/python3.6 10
fi
# Add the pre-requisites for installing docker-ce
apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl jq >> $SETUPLOG 2>&1
@@ -1056,14 +1082,21 @@ EOF
UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}')
# Nasty hack but required for now
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
# Install the repo for salt
wget --inet4-only -O - https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest/SALTSTACK-GPG-KEY.pub | apt-key add -
wget --inet4-only -O - https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2019.2/SALTSTACK-GPG-KEY.pub | apt-key add -
echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest xenial main" > /etc/apt/sources.list.d/saltstack.list
echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2019.2 xenial main" > /etc/apt/sources.list.d/saltstack2019.list
if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
if [ $OSVER != "xenial" ]; then
# Install the repo for salt py3 edition
wget --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/$UVER/amd64/3000/SALTSTACK-GPG-KEY.pub | apt-key add -
wget --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/$UVER/amd64/2019.2/SALTSTACK-GPG-KEY.pub | apt-key add -
echo "deb http://repo.saltstack.com/py3/ubuntu/$UVER/amd64/latest $OSVER main" > /etc/apt/sources.list.d/saltstack.list
echo "deb http://repo.saltstack.com/py3/ubuntu/$UVER/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list
else
# Install the repo for salt
wget --inet4-only -O - https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest/SALTSTACK-GPG-KEY.pub | apt-key add -
wget --inet4-only -O - https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2019.2/SALTSTACK-GPG-KEY.pub | apt-key add -
echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest $OSVER main" > /etc/apt/sources.list.d/saltstack.list
echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list
fi
# Lets get the docker repo added
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
@@ -1081,10 +1114,14 @@ EOF
# Initialize the new repos
apt-get update >> $SETUPLOG 2>&1
# Need to add python packages here
apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto >> $SETUPLOG 2>&1
apt-mark hold salt-minion salt-common
if [ $OSVER != "xenial" ]; then
apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python3-dateutil python3-m2crypto >> $SETUPLOG 2>&1
apt-mark hold salt-minion salt-common
else
# Need to add python packages here
apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto >> $SETUPLOG 2>&1
apt-mark hold salt-minion salt-common
fi
else
# Copy down the gpg keys and install them from the master
@@ -1094,13 +1131,18 @@ EOF
echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH"
apt-key add $TMP/gpg/SALTSTACK-GPG-KEY.pub
apt-key add $TMP/gpg/GPG-KEY-WAZUH
echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2019.2 xenial main" > /etc/apt/sources.list.d/saltstack.list
echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest $OSVER main" > /etc/apt/sources.list.d/saltstack.list
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
# Initialize the new repos
apt-get update >> $SETUPLOG 2>&1
apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto >> $SETUPLOG 2>&1
apt-mark hold salt-minion salt-common
if [ $OSVER != "xenial" ]; then
apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python3-dateutil python3-m2crypto >> $SETUPLOG 2>&1
apt-mark hold salt-minion salt-common
else
# Need to add python packages here
apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto >> $SETUPLOG 2>&1
apt-mark hold salt-minion salt-common
fi
fi
fi
@@ -1109,7 +1151,7 @@ EOF
salt_checkin() {
# Master State to Fix Mine Usage
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
echo "Building Certificate Authority"
salt-call state.apply ca >> $SETUPLOG 2>&1
echo " *** Restarting Salt to fix any SSL errors. ***"
@@ -1167,7 +1209,11 @@ salt_install_mysql_deps() {
if [ $OS == 'centos' ]; then
yum -y install mariadb-devel
elif [ $OS == 'ubuntu' ]; then
apt-get -y install python-mysqldb
if [ $OSVER != "xenial" ]; then
apt-get -y install python3-mysqldb >> $SETUPLOG 2>&1
else
apt-get -y install python-mysqldb
fi
fi
}
@@ -1234,8 +1280,7 @@ set_hostname() {
echo "::1 localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
echo $HOSTNAME > /etc/hostname
HOSTNAME=$(cat /etc/hostname)
MINION_ID=$(echo $HOSTNAME | awk -F. {'print $1'})
if [ $INSTALLTYPE != 'MASTERONLY' ] || [ $INSTALLTYPE != 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
if [ $INSTALLTYPE != 'MASTER' ] || [ $INSTALLTYPE != 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
if [[ $TESTHOST = *"not found"* ]] || [[ $TESTHOST = *"connection timed out"* ]]; then
if ! grep -q $MSRVIP /etc/hosts; then
echo "$MSRVIP $MSRV" >> /etc/hosts
@@ -1257,21 +1302,21 @@ set_hostname_iso() {
set_initial_firewall_policy() {
get_main_ip
if [ $INSTALLTYPE == 'MASTERONLY' ]; then
if [ $INSTALLTYPE == 'MASTER' ]; then
printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/minions.sls
printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/masterfw.sls
/opt/so/saltstack/pillar/data/addtotab.sh mastertab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
fi
if [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
if [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/minions.sls
printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/masterfw.sls
printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/forward_nodes.sls
printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/search_nodes.sls
if [ $INSTALLTYPE == 'EVALMODE' ]; then
if [ $INSTALLTYPE == 'EVAL' ]; then
/opt/so/saltstack/pillar/data/addtotab.sh evaltab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
elif [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
/opt/so/saltstack/pillar/data/addtotab.sh mastersearchtab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
/opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
fi
fi
@@ -1281,7 +1326,7 @@ set_initial_firewall_policy() {
printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/forward_nodes.sls
fi
if [ $INSTALLTYPE == 'SENSORONLY' ]; then
if [ $INSTALLTYPE == 'SENSOR' ]; then
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
@@ -1334,7 +1379,7 @@ set_management_interface() {
set_node_type() {
# Determine the node type based on whiplash choice
if [ $INSTALLTYPE == 'SEARCHNODE' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ] || [ $INSTALLTYPE == 'HEAVYNODE' ] ; then
if [ $INSTALLTYPE == 'SEARCHNODE' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ] || [ $INSTALLTYPE == 'HEAVYNODE' ] ; then
NODETYPE='search'
fi
if [ $INSTALLTYPE == 'PARSINGNODE' ]; then

Some files were not shown because too many files have changed in this diff Show More