Merge pull request #9329 from Security-Onion-Solutions/hotfix/2.3.190

Hotfix/2.3.190

HOTFIX

@@ -1 +1 @@
-
+20221207

README.md

@@ -1,6 +1,6 @@
-## Security Onion 2.3.140
+## Security Onion 2.3
 
-Security Onion 2.3.140 is here!
+Security Onion 2.3 is here!
 
 ## Screenshots
 

VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.3.140-20220718 ISO image built on 2022/07/18
+### 2.3.190-20221207 ISO image built on 2022/12/07
 
 
 
 ### Download and Verify
 
-2.3.140-20220718 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso
+2.3.190-20221207 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.3.190-20221207.iso
 
-MD5: 9570065548DBFA6230F28FF623A8B61A  
-SHA1: D48B2CC81DF459C3EBBC0C54BD9AAFAB4327CB75  
-SHA256: 0E31E15EDFD3392B9569FCCAF1E4518432ECB0D7A174CCA745F2F22CDAC4A034 
+MD5: F7F222325A5C1C880E11B667FEE913CA  
+SHA1: F7DFE818A0CED391548CDF0DE3B4D2A24E16A532  
+SHA256: 95E62E0D347A80C8A9CD4979D6F6BE8B302A12424A888410025E9AAB8BD504B2 
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.190-20221207.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.190-20221207.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.190-20221207.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.140-20220718.iso.sig securityonion-2.3.140-20220718.iso
+gpg --verify securityonion-2.3.190-20221207.iso.sig securityonion-2.3.190-20221207.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Mon 18 Jul 2022 10:16:05 AM EDT using RSA key ID FE507013
+gpg: Signature made Wed 07 Dec 2022 02:36:23 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.3.140
+2.3.190

pillar/zeek/init.sls

@@ -48,6 +48,19 @@ zeek:
       - securityonion/bpfconf
       - securityonion/communityid
       - securityonion/file-extraction
+      - oui-logging
+      - icsnpp-modbus
+      - icsnpp-dnp3
+      - icsnpp-bacnet
+      - icsnpp-ethercat
+      - icsnpp-enip
+      - icsnpp-opcua-binary
+      - icsnpp-bsap
+      - icsnpp-s7comm
+      - zeek-plugin-tds
+      - zeek-plugin-profinet
+      - zeek-spicy-wireguard
+      - zeek-spicy-stun
     '@load-sigs':
       - frameworks/signatures/detect-windows-shells
     redef:

salt/common/files/sensor-rotate.conf

@@ -20,3 +20,16 @@
     dateext
     dateyesterday
 }
+
+/opt/so/log/strelka/filecheck.log
+{
+    daily
+    rotate 14
+    missingok
+    copytruncate
+    compress
+    create
+    extension .log
+    dateext
+    dateyesterday
+}

salt/common/init.sls

@@ -38,15 +38,15 @@ socore:
 soconfperms:
   file.directory:
     - name: /opt/so/conf
-    - uid: 939
-    - gid: 939
+    - user: 939
+    - group: 939
     - dir_mode: 770
 
 sostatusconf:
   file.directory:
     - name: /opt/so/conf/so-status
-    - uid: 939
-    - gid: 939
+    - user: 939
+    - group: 939
     - dir_mode: 770
 
 so-status.conf:
@@ -57,8 +57,8 @@ so-status.conf:
 sosaltstackperms:
   file.directory:
     - name: /opt/so/saltstack
-    - uid: 939
-    - gid: 939
+    - user: 939
+    - group: 939
     - dir_mode: 770
 
 so_log_perms:

salt/common/tools/sbin/so-pcap-export

@@ -20,7 +20,7 @@ if [ $# -lt 2 ]; then
   exit 1
 fi
 
-docker exec -it so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap
+docker exec -t so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap
 
 echo ""
 echo "If successful, the output was written to: /nsm/pcapout/$2.pcap"

salt/common/tools/sbin/so-zeek-logs

@@ -10,39 +10,118 @@ zeek_logs_enabled() {
 }
 
 whiptail_manager_adv_service_zeeklogs() {
-  BLOGS=$(whiptail --title "so-zeek-logs" --checklist "Please Select Logs to Send:" 24 78 12 \
-  "conn" "Connection Logging" ON \
-  "dce_rpc" "RPC Logs" ON \
-  "dhcp" "DHCP Logs" ON \
-  "dnp3" "DNP3 Logs" ON \
-  "dns" "DNS Logs" ON \
-  "dpd" "DPD Logs" ON \
-  "files" "Files Logs" ON \
-  "ftp" "FTP Logs" ON \
-  "http" "HTTP Logs" ON \
-  "intel" "Intel Hits Logs" ON \
-  "irc" "IRC Chat Logs" ON \
-  "kerberos" "Kerberos Logs" ON \
-  "modbus" "MODBUS Logs" ON \
-  "notice" "Zeek Notice Logs" ON \
-  "ntlm" "NTLM Logs" ON \
-  "pe" "PE Logs" ON \
-  "radius" "Radius Logs" ON \
-  "rfb" "RFB Logs" ON \
-  "rdp" "RDP Logs" ON \
-  "sip" "SIP Logs" ON \
-  "smb_files" "SMB Files Logs" ON \
-  "smb_mapping" "SMB Mapping Logs" ON \
-  "smtp" "SMTP Logs" ON \
-  "snmp" "SNMP Logs" ON \
-  "ssh" "SSH Logs" ON \
-  "ssl" "SSL Logs" ON \
-  "syslog" "Syslog Logs" ON \
-  "tunnel" "Tunnel Logs" ON \
-  "weird" "Zeek Weird Logs" ON \
-  "mysql" "MySQL Logs" ON \
-  "socks" "SOCKS Logs" ON \
-  "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
+  BLOGS=$(whiptail --title "so-zeek-logs" --checklist "Please select logs to send:" 24 78 12 \
+  "conn" "" ON \
+  "dce_rpc" "" ON \
+  "dhcp" "" ON \
+  "dnp3" "" ON \
+  "dns" "" ON \
+  "dpd" "" ON \
+  "files" "" ON \
+  "ftp" "" ON \
+  "http" "" ON \
+  "intel" "" ON \
+  "irc" "" ON \
+  "kerberos" "" ON \
+  "modbus" "" ON \
+  "notice" "" ON \
+  "ntlm" "" ON \
+  "pe" "" ON \
+  "radius" "" ON \
+  "rfb" "" ON \
+  "rdp" "" ON \
+  "sip" "" ON \
+  "smb_files" "" ON \
+  "smb_mapping" "" ON \
+  "smtp" "" ON \
+  "snmp" "" ON \
+  "software" "" ON \
+  "ssh" "" ON \
+  "ssl" "" ON \
+  "syslog" "" ON \
+  "tunnel" "" ON \
+  "weird" "" ON \
+  "mysql" "" ON \
+  "socks" "" ON \
+  "x509" "" ON \
+  "bacnet" "" ON \
+  "bacnet_discovery" "" ON \
+  "bacnet_property" "" ON \
+  "bsap_ip_header" "" ON \
+  "bsap_ip_rdb" "" ON \
+  "bsap_ip_unknown" "" ON \
+  "bsap_serial_header" "" ON \
+  "bsap_serial_rdb" "" ON \
+  "bsap_serial_rdb_ext" "" ON \
+  "bsap_serial_unknown" "" ON \
+  "cip" "" ON \
+  "cip_identity" "" ON \
+  "cip_io" "" ON \
+  "cotp" "" ON \
+  "dnp3_control" "" ON \
+  "dnp3_objects" "" ON \
+  "ecat_aoe_info" "" ON \
+  "ecat_arp_info" "" OFF \
+  "ecat_coe_info" "" ON \
+  "ecat_dev_info" "" ON \
+  "ecat_foe_info" "" ON \
+  "ecat_log_address" "" ON \
+  "ecat_registers" "" ON \
+  "ecat_soe_info" "" ON \
+  "enip" "" ON \
+  "modbus_detailed" "" ON \
+  "modbus_mask_write_register" "" ON \
+  "modbus_read_write_multiple_registers" "" ON \
+  "opcua_binary" "" ON \
+  "opcua_binary_activate_session" "" ON \
+  "opcua_binary_activate_session_client_software_cert" "" ON \
+  "opcua_binary_activate_session_diagnostic_info" "" ON \
+  "opcua_binary_activate_session_locale_id" "" ON \
+  "opcua_binary_browse" "" ON \
+  "opcua_binary_browse_description" "" ON \
+  "opcua_binary_browse_diagnostic_info" "" ON \
+  "opcua_binary_browse_request_continuation_point" "" ON \
+  "opcua_binary_browse_response_references" "" ON \
+  "opcua_binary_browse_result" "" ON \
+  "opcua_binary_create_session" "" ON \
+  "opcua_binary_create_session_discovery" "" ON \
+  "opcua_binary_create_session_endpoints" "" ON \
+  "opcua_binary_create_session_user_token" "" ON \
+  "opcua_binary_create_subscription" "" ON \
+  "opcua_binary_diag_info_detail" "" ON \
+  "opcua_binary_get_endpoints" "" ON \
+  "opcua_binary_get_endpoints_description" "" ON \
+  "opcua_binary_get_endpoints_discovery" "" ON \
+  "opcua_binary_get_endpoints_locale_id" "" ON \
+  "opcua_binary_get_endpoints_profile_uri" "" ON \
+  "opcua_binary_get_endpoints_user_token" "" ON \
+  "opcua_binary_opensecure_channel" "" ON \
+  "opcua_binary_read" "" ON \
+  "opcua_binary_read_array_dims" "" ON \
+  "opcua_binary_read_array_dims_link" "" ON \
+  "opcua_binary_read_diagnostic_info" "" ON \
+  "opcua_binary_read_extension_object" "" ON \
+  "opcua_binary_read_extension_object_link" "" ON \
+  "opcua_binary_read_nodes_to_read" "" ON \
+  "opcua_binary_read_results" "" ON \
+  "opcua_binary_read_results_link" "" ON \
+  "opcua_binary_read_status_code" "" ON \
+  "opcua_binary_read_variant_data" "" ON \
+  "opcua_binary_read_variant_data_link" "" ON \
+  "opcua_binary_status_code_detail" "" ON \
+  "profinet" "" ON \
+  "profinet_dce_rpc" "" ON \
+  "profinet_debug" "" ON \
+  "s7comm" "" ON \
+  "s7comm_plus" "" ON \
+  "s7comm_read_szl" "" ON \
+  "s7comm_upload_download" "" ON \
+  "stun" "" ON \
+  "stun_nat" "" ON \
+  "tds" "" ON \
+  "tds_rpc" "" ON \
+  "tds_sql_batch" "" ON \
+  "wireguard" "" ON 3>&1 1>&2 2>&3 )
   
   local exitstatus=$?
 

salt/common/tools/sbin/soup

@@ -203,7 +203,7 @@ check_airgap() {
 
 check_local_mods() {
   local salt_local=/opt/so/saltstack/local
-
+  local_ignore_arr=("/opt/so/saltstack/local/salt/zeek/policy/intel/intel.dat")
   local_mod_arr=()
 
   while IFS= read -r -d '' local_file; do
@@ -211,10 +211,12 @@ check_local_mods() {
     default_file="${DEFAULT_SALT_DIR}${stripped_path}"
     if [[ -f $default_file ]]; then
       file_diff=$(diff "$default_file" "$local_file" )
+      if [[ ! " ${local_ignore_arr[*]} " =~ " ${local_file} " ]]; then
         if [[ $(echo "$file_diff" | grep -c "^<") -gt 0 ]]; then
           local_mod_arr+=( "$local_file" )
         fi
       fi
+    fi
   done< <(find $salt_local -type f -print0)
 
   if [[ ${#local_mod_arr} -gt 0 ]]; then
@@ -223,11 +225,24 @@ check_local_mods() {
       echo "  $file_str"
     done
     echo ""
-    echo "To reference this list later, check $SOUP_LOG"
-    sleep 10
+    echo "To reference this list later, check $SOUP_LOG".
+    echo
+    if [[ -z $UNATTENDED ]] && ! [[ "${1}" == "skip-prompt" ]]; then
+      while true; do
+        read -p "Please review the local modifications shown above as they may cause problems during or after the update.
+
+Would you like to proceed with the update anyway?
+
+If so, type 'YES'. Otherwise, type anything else to exit SOUP. " yn
+
+        case $yn in
+          [yY][eE][sS] ) echo "Local modifications accepted.  Continuing..."; break;;
+          * ) exit 0;;
+        esac
+      done
+    fi
   fi
 }
-
 # {% endraw %}
 
 check_pillar_items() {
@@ -371,6 +386,81 @@ clone_to_tmp() {
   fi
 }
 
+elastalert_indices_check() {
+  echo "Checking Elastalert indices for compatibility..."
+  # Wait for ElasticSearch to initialize
+  echo -n "Waiting for ElasticSearch..."
+  COUNT=0
+  ELASTICSEARCH_CONNECTED="no"
+  while [[ "$COUNT" -le 240 ]]; do
+    so-elasticsearch-query / -k --output /dev/null
+      if [ $? -eq 0 ]; then
+        ELASTICSEARCH_CONNECTED="yes"
+        echo "connected!"
+          break
+      else
+        ((COUNT+=1))
+        sleep 1
+        echo -n "."
+      fi
+  done
+
+  # Unable to connect to Elasticsearch
+  if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+    echo
+    echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'sudo docker ps' \n  -running 'sudo so-elastic-restart'"
+    echo
+    exit 1
+  fi
+
+  MAJOR_ES_VERSION=$(so-elasticsearch-query / | jq -r .version.number | cut -d '.' -f1)
+  if [[ "$MAJOR_ES_VERSION" -lt "8" ]]; then
+
+    # Stop Elastalert to prevent Elastalert indices from being re-created
+    if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
+      so-elastalert-stop || true
+    fi
+
+    # Check Elastalert indices
+    echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
+    CHECK_COUNT=0
+    while [[ "$CHECK_COUNT" -le 2 ]]; do
+      # Delete Elastalert indices
+      for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
+        so-elasticsearch-query $i -XDELETE;
+         done
+
+      # Check to ensure Elastalert indices are deleted
+      COUNT=0
+      ELASTALERT_INDICES_DELETED="no"
+      while [[ "$COUNT" -le 240 ]]; do
+        RESPONSE=$(so-elasticsearch-query "elastalert*")
+        if [[ "$RESPONSE" == "{}" ]]; then
+          ELASTALERT_INDICES_DELETED="yes"
+          break
+        else
+          ((COUNT+=1))
+          sleep 1
+          echo -n "."
+        fi
+      done
+      ((CHECK_COUNT+=1))
+    done
+
+    # If we were unable to delete the Elastalert indices, exit the script
+    if [ "$ELASTALERT_INDICES_DELETED" == "yes" ]; then
+      echo "Elastalert indices successfully deleted."
+    else
+      echo
+      echo -e "Unable to connect to delete Elastalert indices. Exiting."
+      echo
+      exit 1
+    fi
+  else
+    echo "Major Elasticsearch version is 8 or greater...skipping Elastalert index maintenance."
+  fi
+}
+
 enable_highstate() {
     echo "Enabling highstate."
     salt-call state.enable highstate -l info --local
@@ -380,7 +470,7 @@ enable_highstate() {
 es_version_check() {
     CHECK_ES=$(echo $INSTALLEDVERSION | awk -F. '{print $3}')
   
-    if [ "$CHECK_ES" -lt "110" ]; then
+    if [[ "$CHECK_ES" -lt "110" ]]; then
       echo "You are currently running Security Onion $INSTALLEDVERSION. You will need to update to version 2.3.130 before updating to 2.3.140 or higher."
       echo ""
       echo "If your deployment has Internet access, you can use the following command to update to 2.3.130:"
@@ -454,6 +544,13 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.3.110 ]] && up_to_2.3.120
     [[ "$INSTALLEDVERSION" == 2.3.120 ]] && up_to_2.3.130
     [[ "$INSTALLEDVERSION" == 2.3.130 ]] && up_to_2.3.140
+    [[ "$INSTALLEDVERSION" == 2.3.140 ]] && up_to_2.3.150
+    [[ "$INSTALLEDVERSION" == 2.3.150 ]] && up_to_2.3.160
+    [[ "$INSTALLEDVERSION" == 2.3.160 ]] && up_to_2.3.170
+    [[ "$INSTALLEDVERSION" == 2.3.170 ]] && up_to_2.3.180
+    [[ "$INSTALLEDVERSION" == 2.3.180 ]] && up_to_2.3.181
+    [[ "$INSTALLEDVERSION" == 2.3.181 ]] && up_to_2.3.182
+    [[ "$INSTALLEDVERSION" == 2.3.182 ]] && up_to_2.3.190
     true
 }
 
@@ -470,7 +567,13 @@ postupgrade_changes() {
     [[ "$POSTVERSION" == 2.3.110 ]] && post_to_2.3.120
     [[ "$POSTVERSION" == 2.3.120 ]] && post_to_2.3.130
     [[ "$POSTVERSION" == 2.3.130 ]] && post_to_2.3.140
-    
+    [[ "$POSTVERSION" == 2.3.140 ]] && post_to_2.3.150
+    [[ "$POSTVERSION" == 2.3.150 ]] && post_to_2.3.160
+    [[ "$POSTVERSION" == 2.3.160 ]] && post_to_2.3.170
+    [[ "$POSTVERSION" == 2.3.170 ]] && post_to_2.3.180
+    [[ "$POSTVERSION" == 2.3.180 ]] && post_to_2.3.181
+    [[ "$POSTVERSION" == 2.3.181 ]] && post_to_2.3.182
+    [[ "$POSTVERSION" == 2.3.182 ]] && post_to_2.3.190
 
     true
 }
@@ -554,7 +657,40 @@ post_to_2.3.140() {
   POSTVERSION=2.3.140
 }
 
+post_to_2.3.150() {
+  echo "Nothing to do for .150"
+  POSTVERSION=2.3.150
+}
 
+post_to_2.3.160() {
+  echo "Nothing to do for .160"
+  POSTVERSION=2.3.160
+}
+
+post_to_2.3.170() {
+  echo "Nothing to do for .170"
+  POSTVERSION=2.3.170
+}
+
+post_to_2.3.180() {
+  echo "Nothing to do for .180"
+  POSTVERSION=2.3.180
+}
+
+post_to_2.3.181() {
+  echo "Nothing to do for .181"
+  POSTVERSION=2.3.181
+}
+
+post_to_2.3.182() {
+  echo "Nothing to do for .182"
+  POSTVERSION=2.3.182
+}
+
+post_to_2.3.190() {
+  echo "Nothing to do for .190"
+  POSTVERSION=2.3.190
+}
 
 stop_salt_master() {
     # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
@@ -825,44 +961,50 @@ up_to_2.3.130() {
 }
 
 up_to_2.3.140() {
-  ## Deleting Elastalert indices to prevent issues with upgrade to Elastic 8 ##
-  echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
-  # Wait for ElasticSearch to initialize
-  echo -n "Waiting for ElasticSearch..."
-  COUNT=0
-  ELASTICSEARCH_CONNECTED="no" 
-  while [[ "$COUNT" -le 240 ]]; do
-    so-elasticsearch-query / -k --output /dev/null
-      if [ $? -eq 0 ]; then
-        ELASTICSEARCH_CONNECTED="yes"
-        echo "connected!"
-          break
-      else
-        ((COUNT+=1))
-        sleep 1
-        echo -n "."
-      fi
-  done
-  if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
-    echo
-    echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'sudo docker ps' \n  -running 'sudo so-elastic-restart'"
-    echo
-    exit 1
-   fi
-   
-   # Delete Elastalert indices
-   for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do so-elasticsearch-query $i -XDELETE; done
-   # Check to ensure Elastalert indices have been deleted
-   RESPONSE=$(so-elasticsearch-query elastalert*)
-   if [[ "$RESPONSE" == "{}" ]]; then
-     echo "Elastalert indices have been deleted."
-   else
-     fail "Something went wrong. Could not delete the Elastalert indices. Exiting."
-   fi
+   elastalert_indices_check
    ##
    INSTALLEDVERSION=2.3.140
 }
 
+up_to_2.3.150() {
+  echo "Upgrading to 2.3.150"
+  INSTALLEDVERSION=2.3.150
+}
+
+up_to_2.3.160() {
+  echo "Upgrading to 2.3.160"
+  INSTALLEDVERSION=2.3.160
+}
+
+up_to_2.3.170() {
+  echo "Upgrading to 2.3.170"
+  INSTALLEDVERSION=2.3.170
+}
+
+up_to_2.3.180() {
+  echo "Upgrading to 2.3.180"
+  INSTALLEDVERSION=2.3.180
+}
+
+up_to_2.3.181() {
+  echo "Upgrading to 2.3.181"
+  INSTALLEDVERSION=2.3.181
+}
+
+up_to_2.3.182() {
+  echo "Upgrading to 2.3.182"
+  INSTALLEDVERSION=2.3.182
+}
+
+up_to_2.3.190() {
+  echo "Upgrading to 2.3.190"
+  if [ -d /nsm/zeek/extracted/complete ]; then
+    chown -R zeek:socore /nsm/zeek/extracted/complete
+    chmod 770 /nsm/zeek/extracted/complete
+  fi
+  INSTALLEDVERSION=2.3.190
+}
+
 verify_upgradespace() {
   CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
   if [ "$CURRENTSPACE" -lt "10" ]; then
@@ -1178,10 +1320,12 @@ main() {
   verify_latest_update_script
   es_version_check
   es_indices_check
+  elastalert_indices_check
   echo ""
   set_palette
   check_elastic_license
   echo ""
+  check_local_mods
   check_os_updates
 
   echo "Generating new repo archive"
@@ -1346,7 +1490,7 @@ main() {
     fi
 
     echo "Checking for local modifications."
-    check_local_mods
+    check_local_mods skip-prompt
 
     echo "Checking sudoers file."
     check_sudoers

salt/curator/files/bin/so-curator-closed-delete-delete

@@ -29,7 +29,7 @@ LOG="/opt/so/log/curator/so-curator-closed-delete.log"
 
 overlimit() {
 
-        [[ $(du -hs --block-size=1GB /nsm/elasticsearch/nodes | awk '{print $1}' ) -gt "{{LOG_SIZE_LIMIT}}" ]]
+        [[ $(du -hs --block-size=1GB /nsm/elasticsearch/indices | awk '{print $1}' ) -gt "{{LOG_SIZE_LIMIT}}" ]]
 }
 
 closedindices() {

salt/elasticsearch/defaults.yaml

@@ -55,6 +55,10 @@ elasticsearch:
     indices:
       id_field_data:
         enabled: false
+    ingest:
+      geoip:
+        downloader:
+          enabled: false
     logger:
       org:
         elasticsearch:

salt/elasticsearch/files/ingest/sysmon

@@ -25,6 +25,11 @@
     { "set":           { "if": "ctx.event?.code == '15'",   "field": "event.dataset", "value": "file_create_stream_hash", "override": true }  },
     { "set":           { "if": "ctx.event?.code == '16'",   "field": "event.dataset", "value": "config_change", "override": true }  },
     { "set":           { "if": "ctx.event?.code == '22'",   "field": "event.dataset", "value": "dns_query", "override": true }  },
+    { "kv":            {"field":  "winlog.event_data.Hashes",  "target_field": "file.hash",    "field_split": ",",     "value_split": "=",     "ignore_missing": true } },
+    { "kv":            {"field":  "winlog.event_data.Hash",  "target_field": "file.hash",    "field_split": ",",     "value_split": "=",     "ignore_missing": true } },
+    { "rename":      { "field": "file.hash.IMPHASH", "target_field": "hash.imphash",	"ignore_missing":true } },
+    { "rename":      { "field": "file.hash.MD5", "target_field": "hash.md5",    "ignore_missing":true } },
+    { "rename":      { "field": "file.hash.SHA256", "target_field": "hash.sha256",    "ignore_missing":true } },
     { "rename":      { "field": "winlog.event_data.SubjectUserName",	"target_field": "user.name",		"ignore_missing": true 	} },
     { "rename":      { "field": "winlog.event_data.DestinationHostname",	"target_field": "destination.hostname",	"ignore_missing": true 	} },
     { "rename":      { "field": "winlog.event_data.DestinationIp",	"target_field": "destination.ip",	"ignore_missing": true 	} },
@@ -64,6 +69,10 @@
     { "rename":      { "field": "winlog.event_data.SourcePort", 	"target_field": "source.port",		"ignore_missing": true 	} },   
     { "rename":      { "field": "winlog.event_data.targetFilename",	"target_field": "file.target",	"ignore_missing": true 	} },
     { "rename":      { "field": "winlog.event_data.TargetFilename",     "target_field": "file.target",    "ignore_missing": true  } },
+    { "rename":      { "field": "winlog.event_data.QueryResults",       "target_field": "dns.answers.name",    "ignore_missing": true  } },
+    { "rename":      { "field": "winlog.event_data.QueryName",          "target_field": "dns.query.name",    "ignore_missing": true  } },
+    { "remove":      { "field": "winlog.event_data.Hash",		"ignore_missing": true  } },
+    { "remove":      { "field": "winlog.event_data.Hashes",		"ignore_missing": true  } },
     { "community_id": {} }
   ]
 }

salt/elasticsearch/files/ingest/zeek.bacnet

@@ -0,0 +1,14 @@
+{
+  "description" : "zeek.bacnet",
+  "processors" : [
+    { "remove":         { "field": ["host"],								"ignore_failure": true	} },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.is_orig",		"target_field": "bacnet.is_orig",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.bvlc_function",	"target_field": "bacnet.bclv.function",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.pdu_type",		"target_field": "bacnet.pdu.type",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.pdu_service",	"target_field": "bacnet.pdu.service",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.invoke_id",	"target_field": "bacnet.invoke.id",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.result_code",	"target_field": "bacnet.result.code",	"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.bacnet_discovery

@@ -0,0 +1,15 @@
+{
+  "description" : "zeek.bacnet_discovery",
+  "processors" : [
+    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
+    { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
+    { "rename":         { "field": "message2.is_orig",		"target_field": "bacnet.is_orig",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.pdu_service",	"target_field": "bacnet.pdu.service",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.object_type",	"target_field": "bacnet.object.type",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.instance_number",	"target_field": "bacnet.instance.number",	"ignore_missing": true  } },
+    { "rename":         { "field": "message2.vendor",		"target_field": "bacnet.vendor",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.range",		"target_field": "bacnet.range",			"ignore_missing": true  } },
+    { "rename":         { "field": "message2.object_name",	"target_field": "bacnet.object.name",		"ignore_missing": true  } },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.bacnet_property

@@ -0,0 +1,15 @@
+{
+  "description" : "zeek.bacnet_property",
+  "processors" : [
+    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
+    { "json":           { "field": "message",			"target_field": "message2",			"ignore_failure": true  } },
+    { "rename":         { "field": "message2.is_orig",          "target_field": "bacnet.is_orig",         "ignore_missing": true  } },
+    { "rename":         { "field": "message2.instance_number",	"target_field": "bacnet.instance.number",	"ignore_missing": true  } },
+    { "rename":         { "field": "message2.pdu_service",	"target_field": "bacnet.pdu.service",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.object_type",	"target_field": "bacnet.object.type",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.property",		"target_field": "bacnet.property",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.array_index",	"target_field": "bacnet.array.index",		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.value",		"target_field": "bacnet.value",			"ignore_missing": true  } },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.bsap_ip_header

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.bsap_ip_header",
+  "processors" : [
+    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
+    { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.num_msg",		"target_field": "bsap.number.messages",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.type_name",	"target_field": "bsap.message.type",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.bsap_ip_rdb

@@ -0,0 +1,20 @@
+{
+  "description" : "zeek.bsap_ip_rdb",
+  "processors" : [
+    { "remove":         { "field": ["host"],										"ignore_failure": true	} },
+    { "json":		{ "field": "message",			"target_field": "message2",				"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.header_size",	"target_field": "bsap.header.length",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.mes_seq",		"target_field": "bsap.message.sequence",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.res_seq",		"target_field": "bsap.response.sequence",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.data_len",		"target_field": "bsap.data.length",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.sequence",		"target_field": "bsap.function.sequence",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.app_func_code",	"target_field": "bsap.application.function",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.node_status",	"target_field": "bsap.node.status",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.func_code",	"target_field": "bsap.application.sub_function",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.variable_count",	"target_field": "bsap.variable.count",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.variables",	"target_field": "bsap.vector.variables",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.variable_value",	"target_field": "bsap.vector.variable.value",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.value",		"target_field": "bsap.value",				"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.bsap_ip_unknown

@@ -0,0 +1,9 @@
+{
+  "description" : "zeek.bsap_ip_unknown",
+  "processors" : [
+    { "remove":         { "field": ["host"],							"ignore_failure": true	} },
+    { "json":		{ "field": "message",		"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.data",	"target_field": "bsap.ip.unknown.data",	"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.bsap_serial_header

@@ -0,0 +1,17 @@
+{
+  "description" : "zeek.bsap_serial_header",
+  "processors" : [
+    { "remove":         { "field": ["host"],									"ignore_failure": true	} },
+    { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.ser",		"target_field": "bsap.message.serial_number",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dadd",		"target_field": "bsap.destination.address",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.sadd",		"target_field": "bsap.source.address",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ctl",		"target_field": "bsap.control.byte",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dfun",		"target_field": "bsap.destination.function",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.seq",		"target_field": "bsap.message.sequence",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.sfun",		"target_field": "bsap.source.function",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.nsb",		"target_field": "bsap.node.status_byte",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.type_name",	"target_field": "bsap.message.type",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb

@@ -0,0 +1,11 @@
+{
+  "description" : "zeek.bsap_serial_rdb",
+  "processors" : [
+    { "remove":         { "field": ["host"],									"ignore_failure": true  } },
+    { "json":		{ "field": "message",			"target_field": "message2",			"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.func_code",	"target_field": "bsap.rdb.function",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.variables",	"target_field": "bsap.vector.variables",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.variable_value",	"target_field": "bsap.vector.value",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.bsap_serial_rdb_ext

@@ -0,0 +1,13 @@
+{
+  "description" : "zeek.bsap_serial_rdb_ext",
+  "processors" : [
+    { "remove":         { "field": ["host"],								"ignore_failure": true  } },
+    { "json":		{ "field": "message",		"target_field": "message2",			"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.dfun",	"target_field": "bsap.destination.function",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.seq",	"target_field": "bsap.message_sequence",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.nsb",	"target_field": "bsap.node_status_byte",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.extfun",	"target_field": "bsap.extension.function",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.data",	"target_field": "bsap.extension.function_data",	"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.bsap_serial_unknown

@@ -0,0 +1,9 @@
+{
+  "description" : "zeek.bsap_serial_unknown",
+  "processors" : [
+    { "remove":         { "field": ["host"],								"ignore_failure": true  } },
+    { "json":		{ "field": "message",		"target_field": "message2",			"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.data",	"target_field": "bsap.serial.unknown.data",	"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.cip

@@ -0,0 +1,19 @@
+{
+  "description" : "zeek.cip",
+  "processors" : [
+    { "remove":         { "field": ["host"],											"ignore_failure": true	} },
+    { "json":		{ "field": "message",				"target_field": "message2",				"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.is_orig",			"target_field": "cip.is_orig",			        "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.cip_sequence_count",	"target_field": "cip.sequence_count",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.direction",		"target_field": "cip.direction",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.cip_service_code",		"target_field": "cip.service_code",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.cip_service",		"target_field": "cip.service",				"ignore_missing": true 	} },
+    { "convert":	{ "field": "cip.service",			"type": "string",					"ignore_missing": true  } },
+    { "rename": 	{ "field": "message2.cip_status",		"target_field": "cip.status_code",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.class_id",			"target_field": "cip.request.path.class.id",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.class_name",		"target_field": "cip.request.path.class.name",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.instance_id",		"target_field": "cip.request.path.instance.id",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.attribute_id",		"target_field": "cip.request.path.attribute.id",	"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.cip_identity

@@ -0,0 +1,21 @@
+{
+  "description" : "zeek.cip_identity",
+  "processors" : [
+    { "remove":         { "field": ["host"],										"ignore_failure": true	} },
+    { "json":		{ "field": "message",				"target_field": "message2",			"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.encapsulation_version",	"target_field": "cip.encapsulation.version",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.socket_address",		"target_field": "cip.socket.address",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.socket_port",		"target_field": "cip.socket.port",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.vendor_id",		"target_field": "cip.vendor.id",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.vendor_name",		"target_field": "cip.vendor.name",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.device_type_id",		"target_field": "cip.device.type.id",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.device_type_name",		"target_field": "cip.device.type.name",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.product_code",		"target_field": "cip.device.product.code",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.revision",			"target_field": "cip.device.revision",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.device_status",		"target_field": "cip.device.status",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.serial_number",		"target_field": "cip.device.serial_number",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.product_name",		"target_field": "cip.device.product.name",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.device_state",		"target_field": "cip.device.state",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.cip_io

@@ -0,0 +1,13 @@
+{
+  "description" : "zeek.cip_io",
+  "processors" : [
+    { "remove":         { "field": ["host"],								"ignore_failure": true	} },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.is_orig",		"target_field": "cip.is_orig",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.connection_id",	"target_field": "cip.connection.id",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.sequence_number",	"target_field": "cip.sequence_number",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.data_length",	"target_field": "cip.data.length",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.io_data",		"target_field": "cip.io.data",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common"	} }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.conn

@@ -17,24 +17,25 @@
     { "rename": 	{ "field": "message2.orig_ip_bytes", 	"target_field": "client.ip_bytes",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.resp_pkts", 	"target_field": "server.packets",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.resp_ip_bytes", 	"target_field": "server.ip_bytes",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.orig_mac_oui", 	"target_field": "client.oui",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.tunnel_parents",	"target_field": "log.id.tunnel_parents",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.orig_cc", 		"target_field": "client.country_code","ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.resp_cc", 		"target_field": "server.country_code",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.sensorname", 	"target_field": "observer.name",		"ignore_missing": true 	} },
     { "script":         { "lang": "painless", "source": "ctx.network.bytes = (ctx.client.bytes + ctx.server.bytes)", "ignore_failure": true } },
-    { "set": { "if": "ctx.connection.state == 'S0'",    "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
-    { "set": { "if": "ctx.connection.state == 'S1'",    "field": "connection.state_description", "value": "Connection established, not terminated" } },
-    { "set": { "if": "ctx.connection.state == 'S2'",    "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
-    { "set": { "if": "ctx.connection.state == 'S3'",    "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
-    { "set": { "if": "ctx.connection.state == 'SF'",    "field": "connection.state_description", "value": "Normal SYN/FIN completion" } },
-    { "set": { "if": "ctx.connection.state == 'REJ'",   "field": "connection.state_description", "value": "Connection attempt rejected" } },
-    { "set": { "if": "ctx.connection.state == 'RSTO'",  "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } },
-    { "set": { "if": "ctx.connection.state == 'RSTR'",  "field": "connection.state_description", "value": "Established, responder aborted" } },
-    { "set": { "if": "ctx.connection.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
-    { "set": { "if": "ctx.connection.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
-    { "set": { "if": "ctx.connection.state == 'SH'",    "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
-    { "set": { "if": "ctx.connection.state == 'SHR'",   "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
-    { "set": { "if": "ctx.connection.state == 'OTH'",   "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
+    { "set": { "if": "ctx.connection?.state == 'S0'",    "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
+    { "set": { "if": "ctx.connection?.state == 'S1'",    "field": "connection.state_description", "value": "Connection established, not terminated" } },
+    { "set": { "if": "ctx.connection?.state == 'S2'",    "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
+    { "set": { "if": "ctx.connection?.state == 'S3'",    "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
+    { "set": { "if": "ctx.connection?.state == 'SF'",    "field": "connection.state_description", "value": "Normal SYN/FIN completion" } },
+    { "set": { "if": "ctx.connection?.state == 'REJ'",   "field": "connection.state_description", "value": "Connection attempt rejected" } },
+    { "set": { "if": "ctx.connection?.state == 'RSTO'",  "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } },
+    { "set": { "if": "ctx.connection?.state == 'RSTR'",  "field": "connection.state_description", "value": "Established, responder aborted" } },
+    { "set": { "if": "ctx.connection?.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
+    { "set": { "if": "ctx.connection?.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
+    { "set": { "if": "ctx.connection?.state == 'SH'",    "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
+    { "set": { "if": "ctx.connection?.state == 'SHR'",   "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
+    { "set": { "if": "ctx.connection?.state == 'OTH'",   "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
     { "pipeline": 	{ "name": "zeek.common" } }
   ]
 }

salt/elasticsearch/files/ingest/zeek.cotp

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.cotp",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.pdu_code", 		"target_field": "cotp.pdu.code",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.pdu_name", 	"target_field": "cotp.pdu.name",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.dnp3_control

@@ -0,0 +1,16 @@
+{
+  "description" : "zeek.dnp3_control",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			"target_field": "message2",		        "ignore_failure": true	} },
+    { "rename":         { "field": "message2.block_type",       "target_field": "dnp3.block_type",              "ignore_missing": true  } },
+    { "rename": 	{ "field": "message2.function_code",	"target_field": "dnp3.function_code",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.index_number", 	"target_field": "dnp3.index_number",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.trip_control_code","target_field": "dnp3.trip_control_code",	"ignore_missing": true 	} },
+    { "rename":  	{ "field": "message2.operation_type",	"target_field": "dnp3.operation_type",  	"ignore_missing": true  } },
+    { "rename": 	{ "field": "message2.execute_count", 	"target_field": "dnp3.execute_count",  		"ignore_missing": true  } },
+    { "rename":         { "field": "message2.on_time",          "target_field": "dnp3.on_time",                 "ignore_missing": true  } },
+    { "rename":         { "field": "message2.off_time",         "target_field": "dnp3.off_time",                "ignore_missing": true  } },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.dnp3_objects

@@ -0,0 +1,13 @@
+{
+  "description" : "zeek.dnp3_objects",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.function_code",	"target_field": "dnp3.function_code",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.object_type", 	"target_field": "dnp3.object_type",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.object_count", 	"target_field": "dnp3.object_count",		"ignore_missing": true 	} },
+    { "rename":  	{ "field": "message2.range_low",	"target_field": "dnp3.range_low",  		"ignore_missing": true  } },
+    { "rename": 	{ "field": "message2.range_high", 	"target_field": "dnp3.range_high",  		"ignore_missing": true  } },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.ecat_aoe_info

@@ -0,0 +1,17 @@
+{
+  "description" : "zeek.ecat_aoe_info",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.targetid", 		"target_field": "destination.mac",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.targetport", 	"target_field": "destination.port",		"ignore_missing": true 	} },
+    { "convert":        { "field": "destination.port",       "type": "integer",                     "ignore_missing": true  } },
+    { "rename": 	{ "field": "message2.senderid", 		"target_field": "source.mac",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.senderport", 	"target_field": "source.port",		"ignore_missing": true 	} },
+    { "convert":        { "field": "source.port",       "type": "integer",                     "ignore_missing": true  } },
+    { "rename": 	{ "field": "message2.cmd", 		"target_field": "ecat.command",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.stateflags", 	"target_field": "ecat.state.flags",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.data", 		"target_field": "ecat.data",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.ecat_arp_info

@@ -0,0 +1,15 @@
+{
+  "description" : "zeek.ecat_arp_info",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.arp_type", 		"target_field": "ecat.arp.type",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.mac_src", 	"target_field": "source.mac",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.mac_dst", 		"target_field": "destination.mac",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.SPA", 	"target_field": "source.ip",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.SHA", 		"target_field": "ecat.sender.hardware.address",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.TPA", 	"target_field": "destination.ip",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.THA", 		"target_field": "ecat.target.hardware.address",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.ecat_coe_info

@@ -0,0 +1,14 @@
+{
+  "description" : "zeek.ecat_coe_info",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.number", 		"target_field": "ecat.message.number",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.Type", 	"target_field": "ecat.message.type",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.req_resp", 		"target_field": "ecat.request.response_type",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.index", 	"target_field": "ecat.index",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.subindex", 		"target_field": "ecat.sub.index",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dataoffset", 	"target_field": "ecat.data_offset",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.ecat_dev_info

@@ -0,0 +1,18 @@
+{
+  "description" : "zeek.ecat_dev_info",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			"target_field": "message2",		          "ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.slave_id",         "target_field": "ecat.slave.address",		  "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.revision", 	"target_field": "ecat.revision",		  "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dev_type",         "target_field": "ecat.device.type",		  "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.build", 	        "target_field": "ecat.build.version",		  "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.fmmucnt", 		"target_field": "ecat.fieldbus.memory_mgmt_unit", "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.smcount", 	        "target_field": "ecat.sync.manager_count",	  "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.ports", 		"target_field": "ecat.port",		          "ignore_missing": true 	} },
+    { "convert":        { "field": "ecat.port",                 "type": "integer",                                "ignore_missing": true  } },
+    { "rename": 	{ "field": "message2.dpram", 	        "target_field": "ecat.ram.size",		  "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.features", 	"target_field": "ecat.features",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.ecat_foe_info

@@ -0,0 +1,14 @@
+{
+  "description" : "zeek.ecat_foe_info",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.opcode", 		"target_field": "ecat.operation.code",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.reserved", 	"target_field": "ecat.reserved",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.packet_num", 		"target_field": "ecat.packet_number",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.error_code", 	"target_field": "ecat.error_code",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.filename", 		"target_field": "ecat.filename",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.data", 		"target_field": "ecat.data",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.ecat_log_address

@@ -0,0 +1,14 @@
+{
+  "description" : "zeek.ecat_log_address",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.srcmac", 		"target_field": "source.mac",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dstmac", 	"target_field": "destination.mac",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.Log_Addr", 	"target_field": "ecat.log.address",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.Length", 		"target_field": "ecat.length",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.Command", 		"target_field": "ecat.command",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.data", 		"target_field": "ecat.data",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.ecat_registers

@@ -0,0 +1,15 @@
+{
+  "description" : "zeek.ecat_registers",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.srcmac", 		"target_field": "source.mac",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dstmac", 	"target_field": "destination.mac",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.Command", 		"target_field": "ecat.command",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.Slave_Addr", 	"target_field": "ecat.slave.address",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.Register_Type", 		"target_field": "ecat.register.type",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.Register_Addr", 	"target_field": "ecat.register.address",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.data", 		"target_field": "ecat.data",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.ecat_soe_info

@@ -0,0 +1,14 @@
+{
+  "description" : "zeek.ecat_soe_info",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.opcode", 		"target_field": "ecat.operation.code",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.incomplete", 	"target_field": "ecat.function.check",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.error", 		"target_field": "ecat.error",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.drive_num", 	"target_field": "ecat.drive.number",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.element_flags", 		"target_field": "ecat.element.flags",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.index", 	"target_field": "ecat.index",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.enip

@@ -0,0 +1,16 @@
+{
+  "description" : "zeek.enip",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.is_orig", 		"target_field": "enip.is_orig",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.enip_command_code", 	"target_field": "enip.command_code",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.enip_command", 		"target_field": "enip.command",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.length", 	"target_field": "enip.length",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.session_handle", 		"target_field": "enip.session.handle",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.enip_status", 	"target_field": "enip.status_code",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.sender_context", 		"target_field": "enip.sender.context",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.options", 		"target_field": "enip.options",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.modbus_detailed

@@ -0,0 +1,14 @@
+{
+  "description" : "zeek.modbus_detailed",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.unit_id", 		"target_field": "modbus.unit_id",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.func", 		"target_field": "modbus.function",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.network_direction", "target_field": "modbus.network.direction",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.address",	        "target_field": "modbus.address",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.quality", 	        "target_field": "modbus.quality",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.values", 	"target_field": "modbus.values",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.modbus_mask_write_register

@@ -0,0 +1,14 @@
+{
+  "description" : "zeek.modbus_mask_write_register",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			 "target_field": "message2",		        "ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.unit_id", 		 "target_field": "modbus.unit_id",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.func", 		 "target_field": "modbus.function",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.network_direction", "target_field": "modbus.network.direction",    "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.address",	         "target_field": "modbus.address",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.and_mask",	         "target_field": "modbus.and_mask",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.or_mask", 	         "target_field": "modbus.or_mask",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.modbus_read_write_multiple_registers

@@ -0,0 +1,16 @@
+{
+  "description" : "zeek.read_write_multiple_registers",
+  "processors" : [
+    { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.unit_id", 		"target_field": "modbus.unit_id",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.func", 		"target_field": "modbus.function",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.network_direction", "target_field": "modbus.network.direction",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.write_start_address",	"target_field": "modbus.write.start.address",		"ignore_missing": true 	} },
+     { "rename":         { "field": "message2.write_registers",  "target_field": "modbus.write.registers",         "ignore_missing": true  } },
+     { "rename":         { "field": "message2.read_start_address",  "target_field": "modbus.read.start.address",         "ignore_missing": true  } },
+    { "rename": 	{ "field": "message2.read.quality", 	  "target_field": "modbus.read.quality",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.read_registers", 	"target_field": "modbus.read.registers",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common"                                                                                   } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary

@@ -0,0 +1,32 @@
+{
+  "description" : "zeek.opcua_binary",
+  "processors" : [
+    { "remove":   { "field": ["host"],												"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
+    { "rename":   { "field": "message2.msg_type",			"target_field": "opcua.message_type",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.is_final",			"target_field": "opcua.final",				"ignore_missing": true } },
+    { "rename":   { "field": "message2.msg_size",			"target_field": "opcua.message_size",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.snd_buf_size",			"target_field": "opcua.sender.buffer_size",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.seq_number",			"target_field": "opcua.sequence_number",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.sec_channel_id",			"target_field": "opcua.secure_channel_id",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.seq_number",			"target_field": "opcua.sequence_number",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.opcua_link_id",			"target_field": "opcua.link_id",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.request_id",			"target_field": "opcua.request_id",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.namespace_idx",			"target_field": "opcua.namespace_index",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.encoding_mask",			"target_field": "opcua.encoding_mask",			"ignore_missing": true } },
+    { "convert":  { "field": "opcua.encoding_mask", 			"type": "string",
+ "ignore_missing": true } },
+    { "rename":   { "field": "message2.identifier",			"target_field": "opcua.identifier",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.identifier_str",			"target_field": "opcua.identifier_string",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.req_hdr_node_id_type",		"target_field": "opcua.request.header.node.id_type",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.req_hdr_node_id_numeric",	"target_field": "opcua.request.header.node.id_numeric",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.req_hdr_timestamp",		"target_field": "opcua.request.header.timestamp",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.req_hdr_request_handle",		"target_field": "opcua.request.handle",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.req_hdr_return_diag",		"target_field": "opcua.request.header.return_diag",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.req_hdr_audit_entry_id",		"target_field": "opcua.request.header.audit_entry_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.req_hdr_timeout_hint",		"target_field": "opcua.request.header.timeout_hint",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.req_hdr_add_hdr_type_id",	"target_field": "opcua.request.header.type_id",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.req_hdr_add_hdr_enc_mask",	"target_field": "opcua.request.header.enc_mask",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session

@@ -0,0 +1,19 @@
+{
+  "description" : "zeek.opcua_binary_activate_session",
+  "processors" : [
+    { "remove":   { "field": ["host"],                                                                                  "ignore_failure": true } },
+    { "json":     { "field": "message",			               "target_field": "message2",		        "ignore_failure": true} },
+    { "rename":   { "field": "message2.opcua_link_id",                 "target_field": "opcua.link_id",                 "ignore_missing": true } },
+    { "rename":   { "field": "message2.ext_obj_type_id_namespace_idx", "target_field": "opcua.namespace_index",         "ignore_missing": true } },
+    { "rename":   { "field": "message2.ext_obj_type_id_encoding_mask", "target_field": "opcua.encoding_mask",           "ignore_missing": true } },
+    { "convert":  { "field": "opcua.encoding_mask",                    "type": "string",                                "ignore_missing": true } },
+    { "rename":   { "field": "message2.ext_obj_type_id_numeric",       "target_field": "opcua.identifier_numeric",      "ignore_missing": true } },
+    { "rename":   { "field": "message2.ext_obj_type_id_str",           "target_field": "opcua.identifier_string",       "ignore_missing": true } },
+    { "rename":   { "field": "message2.ext_obj_encoding",              "target_field": "opcua.encoding",                "ignore_missing": true } },
+    { "rename":   { "field": "message2.ext_obj_policy_id",             "target_field": "opcua.policy_id",               "ignore_missing": true } },
+    { "rename":   { "field": "message2.ext_obj_user_name",             "target_field": "opcua.user_name",               "ignore_missing": true } }, 
+    { "rename":   { "field": "message2.ext_obj_password",              "target_field": "opcua.password",                "ignore_missing": true } },
+    { "rename":   { "field": "message2.server_nonce",                  "target_field": "opcua.server_nonce",            "ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_client_software_cert

@@ -0,0 +1,11 @@
+{
+  "description" : "zeek.opcua_binary_activate_session_client_software_cert",
+  "processors" : [
+    { "remove":   { "field": ["host"],												"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
+    { "rename":   { "field": "message2.client_software_cert_link_id",	"target_field": "opcua.client_software_cert_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.cert_data", 			"target_field": "opcua.certificate.data",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.cert_signature",			"target_field": "opcua.certificate.signature",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_diagnostic_info

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_activate_session_diagnostic_info",
+  "processors" : [
+    { "remove":   { "field": ["host"],														"ignore_failure": true } },
+    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
+    { "rename":   { "field": "message2.activate_session_diag_info_link_id",	"target_field": "opcua.activate_session_diag_info_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.diag_info_link_id",			"target_field": "opcua.diag_info_link_id",			"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session_locale_id

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_activate_session_locale_id",
+  "processors" : [
+    { "remove":   { "field": ["host"],									"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",		"ignore_failure": true } },
+    { "rename":   { "field": "message2.opcua_locale_link_id",	"target_field": "opcua.locale_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.local_id",		"target_field": "opcua.local_id",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_browse

@@ -0,0 +1,18 @@
+{
+  "description" : "zeek.opcua_binary_browse",
+  "processors" : [
+    { "remove":   { "field": ["host"],													"ignore_failure": true } },
+    { "json":     { "field": "message",						"target_field": "message2",				"ignore_failure": true } },
+    { "rename":   { "field": "message2.opcua_link_id",				"target_field": "opcua.link_id",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_service_type",			"target_field": "opcua.service_type",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_view_id_encoding_mask",		"target_field": "opcua.encoding_mask",			"ignore_missing": true } },
+    { "convert":  { "field": "opcua.encoding_mask",                             "type": "string",
+         "ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_view_id_numeric",			"target_field": "opcua.identifier_numeric",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_view_description_timestamp",	"target_field": "opcua.view_description_timestamp",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_view_description_view_version",	"target_field": "opcua.description_view_version",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_description_link_id",		"target_field": "opcua.description_link_id",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.req_max_ref_nodes",			"target_field": "opcua.request.max_ref_nodes",		"ignore_missing": true } },  
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_description

@@ -0,0 +1,17 @@
+{
+  "description" : "zeek.opcua_binary_browse_description",
+  "processors" : [
+    { "remove":   { "field": ["host"],														"ignore_failure": true } },
+    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
+    { "rename":   { "field": "message2.browse_description_link_id",     	"target_field": "opcua.browse_description_link_id",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_description_encoding_mask",     	"target_field": "opcua.browse_description_encoding_mask",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_description_numeric",           	"target_field": "opcua.browse_description_numeric",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_direction",                     	"target_field": "opcua.browse_direction",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_description_ref_encoding_mask", 	"target_field": "opcua.browse_description_ref_encoding_mask",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_description_ref_numeric",       	"target_field": "opcua.browse_description_ref_numeric",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_description_include_subtypes",  	"target_field": "opcua.browse_description_include_subtypes",	"ignore_missing": true } },  
+    { "rename":   { "field": "message2.browse_node_class_mask",               	"target_field": "opcua.browse_node_class_mask",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_result_mask",                   	"target_field": "opcua.browse_result_mask",			"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_diagnostic_info

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_browse_diagnostic_info",
+  "processors" : [
+    { "remove":   { "field": ["host"],													"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",					"ignore_failure": true } },
+    { "rename":   { "field": "message2.browse_diag_info_link_id",	"target_field": "opcua.browse_session_diag_info_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.diag_info_link_id", 		"target_field": "opcua.diag_info_link_id",			"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_request_continuation_point

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_browse_request_continuation_point",
+  "processors" : [
+    { "remove":   { "field": ["host"],										"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
+    { "rename":   { "field": "message2.browse_next_link_id",	"target_field": "opcua.browse_next_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.continuation_point", 	"target_field": "opcua.continuation_point",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_response_references

@@ -0,0 +1,22 @@
+{
+  "description" : "zeek.opcua_binary_browse_response_references",
+  "processors" : [
+    { "remove":   { "field": ["host"],													"ignore_failure": true } },
+    { "json":     { "field": "message",			                        "target_field": "message2",				"ignore_failure": true } },
+    { "rename":   { "field": "message2.browse_reference_link_id",               "target_field": "opcua.link_id",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_response_ref_encoding_mask",      "target_field": "opcua.reference_encoding_mask",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_response_ref_numeric",            "target_field": "opcua.reference_numeric",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_response_is_forward",             "target_field": "opcua.is_forward",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.response_ref_type_encoding_mask",	"target_field": "opcua.reference_type_encoding_mask",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_response_ref_type_namespace_idx", "target_field": "opcua.namespace_index",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_response_ref_type_numeric",       "target_field": "opcua.reference_type_numeric",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_response_ref_name",               "target_field": "opcua.reference_name",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_response_display_name_mask",      "target_field": "opcua.display_name_mask",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_response_display_name_locale",    "target_field": "opcua.display_name_local",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_response_display_name_text",      "target_field": "opcua.display_name_text",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_response_node_class",             "target_field": "opcua.node_class",			"ignore_missing": true } }, 
+    { "rename":   { "field": "message2.browse_response_type_def_encoding_mask",	"target_field": "opcua.type_def_encoding_mask",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_response_type_def_numeric",	"target_field": "opcua.type_def_numeric",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_browse_result

@@ -0,0 +1,11 @@
+{
+  "description" : "zeek.opcua_binary_browse_result",
+  "processors" : [
+    { "remove":   { "field": ["host"],											"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",			"ignore_failure": true } },
+    { "rename":   { "field": "message2.browse_response_link_id",	"target_field": "opcua.response_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.browse_reference_link_id",	"target_field": "opcua.reference_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.status_code_link_id",		"target_field": "opcua.status_code_link_id",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session

@@ -0,0 +1,19 @@
+{
+  "description" : "zeek.opcua_binary_create_session",
+  "processors" : [
+    { "remove":   { "field": ["host"],                                                                                      "ignore_failure": true } },
+    { "json":     { "field": "message",			            "target_field": "message2",		                    "ignore_failure": true} },
+    { "rename":   { "field": "message2.opcua_link_id",              "target_field": "opcua.link_id",                        "ignore_missing": true } },
+    { "rename":   { "field": "message2.session_id_encoding_mask",   "target_field": "opcua.session_id_encoding_mask",       "ignore_missing": true } },
+    { "rename":   { "field": "message2.session_id_namespace_idx",   "target_field": "opcua.session_id_namespace_index",     "ignore_missing": true } },
+    { "rename":   { "field": "message2.session_id_guid",            "target_field": "opcua.session_id_guid",                "ignore_missing": true } },
+    { "rename":   { "field": "message2.auth_token_encoding_mask",   "target_field": "opcua.auth_token_encoding_mask",       "ignore_missing": true } },
+    { "rename":   { "field": "message2.auth_token_namespace_idx",   "target_field": "opcua.auth_token_namespace_index",     "ignore_missing": true } },
+    { "rename":   { "field": "message2.auth_token_guid",            "target_field": "opcua.auth_token_guid",                "ignore_missing": true } },
+    { "rename":   { "field": "message2.revised_session_timeout",    "target_field": "opcua.revised_session_timeout",        "ignore_missing": true } },
+    { "rename":   { "field": "message2.server_nonce",               "target_field": "opcua.server_nonce",                   "ignore_missing": true } },
+    { "rename":   { "field": "message2.endpoint_link_id",           "target_field": "opcua.endpoint_link_id",               "ignore_missing": true } },
+    { "rename":   { "field": "message2.max_req_msg_size",           "target_field": "opcua.request.max_message_size",       "ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_discovery

@@ -0,0 +1,11 @@
+{
+  "description" : "zeek.opcua_binary_create_session_discovery",
+  "processors" : [
+    { "remove":   { "field": ["host"],												"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
+    { "rename":   { "field": "message2.discovery_profile_link_id",	"target_field": "opcua.discovery_profile_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.discovery_profile_uri", 		"target_field": "opcua.discovery_profile_uri",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.discovery_profile_url", 		"target_field": "opcua.discovery_profile_url",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints

@@ -0,0 +1,22 @@
+{
+  "description" : "zeek.opcua_binary_create_session_endpoints",
+  "processors" : [
+    { "remove":   { "field": ["host"],										"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
+    { "rename":   { "field": "message2.endpoint_link_id",	"target_field": "opcua.endpoint_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.endpoint_url",		"target_field": "opcua.endpoint_url",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.application_uri",	"target_field": "opcua.application_uri",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.product_uri",		"target_field": "opcua.product_uri",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.encoding_mask",		"target_field": "opcua.encoding_mask",		"ignore_missing": true } },
+    { "convert":  { "field": "opcua.encoding_mask",             "type": "string",                               "ignore_missing": true } },
+    { "rename":   { "field": "message2.locale",			"target_field": "opcua.locale",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.text",			"target_field": "opcua.text",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.application_type",	"target_field": "opcua.application_type",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.message_security_mode",	"target_field": "opcua.message_security_mode",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.security_policy_uri",	"target_field": "opcua.security_policy_uri",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.user_token_link_id",	"target_field": "opcua.user_token_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.transport_profile_uri",	"target_field": "opcua.transport_profile_uri",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.security_level",		"target_field": "opcua.security_level",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_user_token

@@ -0,0 +1,11 @@
+{
+  "description" : "zeek.opcua_binary_create_session_user_token",
+  "processors" : [
+    { "remove":   { "field": ["host"],										"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
+    { "rename":   { "field": "message2.user_token_link_id",	"target_field": "opcua.user_token_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.user_token_link_id",	"target_field": "opcua.user_token_policy_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.user_token_link_id",	"target_field": "opcua.user_token_type",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_create_subscription

@@ -0,0 +1,15 @@
+{
+  "description" : "zeek.opcua_binary_create_subscription",
+  "processors" : [
+    { "remove":   { "field": ["host"],                                                                                              "ignore_failure": true } },
+    { "json":     { "field": "message",			                 "target_field": "message2",		                    "ignore_failure": true } },
+    { "rename":   { "field": "message2.opcua_link_id",                   "target_field": "opcua.link_id",                           "ignore_missing": true } },
+    { "rename":   { "field": "message2.requested_publishing_interval",   "target_field": "opcua.publish_interval",                  "ignore_missing": true } },
+    { "rename":   { "field": "message2.requested_lifetime_count",        "target_field": "opcua.lifetime_count",                    "ignore_missing": true } },
+    { "rename":   { "field": "message2.requested_max_keep_alive_count",  "target_field": "opcua.max_keepalive",                     "ignore_missing": true } },
+    { "rename":   { "field": "message2.max_notifications_per_publish",   "target_field": "opcua.max_notifications",                 "ignore_missing": true } },
+    { "rename":   { "field": "message2.publishing_enabled",              "target_field": "opcua.publish_enabled",                   "ignore_missing": true } },
+    { "rename":   { "field": "message2.priority",                        "target_field": "opcua.priority",                          "ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_diag_info_detail

@@ -0,0 +1,21 @@
+{
+  "description" : "zeek.opcua_binary_diag_info_detail",
+  "processors" : [
+    { "remove":   { "field": ["host"],										"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
+    { "rename":   { "field": "message2.diag_info_link_id",	"target_field": "opcua.diag_info_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.source", 		"target_field": "opcua.source",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.source_str", 		"target_field": "opcua.source_string",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.inner_diag_level",	"target_field": "opcua.inner_diag_level",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.has_symbolic_id",	"target_field": "opcua.has_symbolic_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.has_namespace_uri",	"target_field": "opcua.has_namespace_uri",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.has_locale",		"target_field": "opcua.has_locale",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.has_locale_txt",		"target_field": "opcua.has_locale_txt",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.has_addl_info",		"target_field": "opcua.has_addl_info",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.addl_info",		"target_field": "opcua.addl_info",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.has_inner_stat_code",	"target_field": "opcua.has_inner_stat_code",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.inner_stat_code",	"target_field": "opcua.inner_stat_code",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.has_inner_diag_info",	"target_field": "opcua.has_inner_diag_info",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_get_endpoints",
+  "processors" : [
+    { "remove":   { "field": ["host"],								"ignore_failure": true } },
+    { "json":     { "field": "message",			"target_field": "message2",		"ignore_failure": true } },
+    { "rename":   { "field": "message2.opcua_link_id",	"target_field": "opcua.link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.endpoint_url",	"target_field": "opcua.endpoint_url",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description

@@ -0,0 +1,23 @@
+{
+  "description" : "zeek.opcua_binary_get_endpoints_description",
+  "processors" : [
+    { "remove":   { "field": ["host"],												"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
+    { "rename":   { "field": "message2.endpoint_description_link_id",	"target_field": "opcua.endpoint_description_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.application_uri",		"target_field": "opcua.application_uri",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.endpoint_uri",			"target_field": "opcua.endpoint_uri",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.product_uri",			"target_field": "opcua.product_uri",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.encoding_mask",			"target_field": "opcua.encoding_mask",			"ignore_missing": true } },
+    { "convert":  { "field": "opcua.encoding_mask",                     "type": "string",
+ "ignore_missing": true } },
+    { "rename":   { "field": "message2.locale",				"target_field": "opcua.locale",				"ignore_missing": true } },
+    { "rename":   { "field": "message2.text",				"target_field": "opcua.text",				"ignore_missing": true } },
+    { "rename":   { "field": "message2.application_type",		"target_field": "opcua.application_type",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.message_security_mode",		"target_field": "opcua.message_security_mode",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.security_policy_uri",		"target_field": "opcua.security_policy_uri",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.user_token_link_id",		"target_field": "opcua.user_token_link_id",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.transport_profile_uri",		"target_field": "opcua.transport_profile_uri",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.security_level",			"target_field": "opcua.security_level",			"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_discovery

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_get_endpoints_discovery",
+  "processors" : [
+    { "remove":   { "field": ["host"],												"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
+    { "rename":   { "field": "message2.discovery_profile_link_id",	"target_field": "opcua.discovery_profile_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.discovery_profile_url", 		"target_field": "opcua.discovery_profile_url",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_locale_id

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_get_endpoints_locale_id",
+  "processors" : [
+    { "remove":   { "field": ["host"],									"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",		"ignore_failure": true } },
+    { "rename":   { "field": "message2.opcua_locale_link_id",	"target_field": "opcua.locale_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.local_id", 		"target_field": "opcua.local_id",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_profile_uri

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_get_endpoints_profile_uri",
+  "processors" : [
+    { "remove":   { "field": ["host"],										"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
+    { "rename":   { "field": "message2.profile_uri_link_id",	"target_field": "opcua.profile_uri_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.profile_uri",		"target_field": "opcua.profile_uri",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_user_token

@@ -0,0 +1,11 @@
+{
+  "description" : "zeek.opcua_binary_get_endpoints_user_token",
+  "processors" : [
+    { "remove":   { "field": ["host"],                                                                                                         "ignore_failure": true } },
+    { "json":     { "field": "message",			                 "target_field": "message2",		                               "ignore_failure": true } },
+    { "rename":   { "field": "message2.user_token_link_id", 	         "target_field": "opcua.user_token_link_id",		               "ignore_missing": true } },
+    { "rename":   { "field": "message2.user_token_type",                 "target_field": "opcua.user_token_type",                              "ignore_missing": true } },
+    { "rename":   { "field": "message2.user_token_sec_policy_uri",       "target_field": "opcua.user_token_security_policy_uri",               "ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_opensecure_channel

@@ -0,0 +1,15 @@
+{
+  "description" : "zeek.opcua_binary_opensecure_channel",
+  "processors" : [
+    { "remove":   { "field": ["host"],												"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
+    { "rename":   { "field": "message2.opcua_link_id",			"target_field": "opcua.link_id",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.server_proto_ver",		"target_field": "opcua.server_proto_ver",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.sec_token_sec_channel_id",	"target_field": "opcua.sec_token_sec_channel_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.sec_token_id",			"target_field": "opcua.sec_token_id",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.sec_token_created_at",		"target_field": "opcua.sec_token_created_at",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.sec_token_revised_time",		"target_field": "opcua.sec_token_revised_time",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.server_nonce",			"target_field": "opcua.server_nonce",			"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_read

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_read",
+  "processors" : [
+    { "remove":   { "field": ["host"],										"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
+    { "rename":   { "field": "message2.opcua_link_id",		"target_field": "opcua.link_id",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.read_results_link_id",	"target_field": "opcua.read_results_link_id",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_read_array_dims",
+  "processors" : [
+    { "remove":   { "field": ["host"],										"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
+    { "rename":   { "field": "message2.array_dim_link_id",	"target_field": "opcua.array_dim_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.dimension",		"target_field": "opcua.dimension",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_read_array_dims_link

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_read_array_dims_link",
+  "processors" : [
+    { "remove":   { "field": ["host"],												"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
+    { "rename":   { "field": "message2.variant_data_array_dim_link_id",	"target_field": "opcua.variant_data_array_dim_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.array_dim_link_id",		"target_field": "opcua.array_dim_link_id",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_read_diagnostic_info

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_read_diagnostic_info",
+  "processors" : [
+    { "remove":   { "field": ["host"],										"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",			"ignore_failure": true } },
+    { "rename":   { "field": "message2.read_diag_info_link_id",	"target_field": "opcua.read_diag_info_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.diag_info_link_id",	"target_field": "opcua.diag_info_link_id",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object

@@ -0,0 +1,14 @@
+{
+  "description" : "zeek.opcua_binary_read_extension_object",
+  "processors" : [
+    { "remove":   { "field": ["host"],													"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",					"ignore_failure": true } },
+    { "rename":   { "field": "message2.ext_obj_link_id",		"target_field": "opcua.ext_obj_link_id",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.ext_obj_node_id_encoding_mask",	"target_field": "opcua.ext_obj_node_id_encoding_mask",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.ext_obj_node_id_namespace_idx",	"target_field": "opcua.ext_obj_node_id_namespace_index",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.ext_obj_node_id_numeric",	"target_field": "opcua.ext_obj_node_id_numeric",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.ext_obj_type_id_str",		"target_field": "opcua.ext_obj_type_id_string",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.ext_obj_encoding",		"target_field": "opcua.ext_obj_encoding",			"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_read_extension_object_link

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_read_extension_object_link",
+  "processors" : [
+    { "remove":   { "field": ["host"],												"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
+    { "rename":   { "field": "message2.variant_data_ext_obj_link_id",	"target_field": "opcua.variant_data_ext_obj_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.ext_obj_link_id",		"target_field": "opcua.ext_obj_link_id",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_read_nodes_to_read

@@ -0,0 +1,15 @@
+{
+  "description" : "zeek.opcua_binary_read_nodes_to_read",
+  "processors" : [
+    { "remove":   { "field": ["host"],											"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",			"ignore_failure": true } },
+    { "rename":   { "field": "message2.nodes_to_read_link_id",	"target_field": "opcua.nodes_to_read_link_id",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.node_id_encoding_mask",	"target_field": "opcua.node_id_encoding_mask",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.node_id_numeric",	"target_field": "opcua.node_id_numeric",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.attribute_id",		"target_field": "opcua.attribute_id",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.attribute_id_str",	"target_field": "opcua.attribute_id_string",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.data_encoding_name_idx",	"target_field": "opcua.data_encoding_name_index",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.data_encoding_name",	"target_field": "opcua.data_encoding_name",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results

@@ -0,0 +1,17 @@
+{
+  "description" : "zeek.opcua_binary_read_results",
+  "processors" : [
+    { "remove":   { "field": ["host"],														"ignore_failure": true } },
+    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
+    { "rename":   { "field": "message2.results_link_id",			"target_field": "opcua.results_link_id",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.level",					"target_field": "opcua.level",					"ignore_missing": true } },
+    { "rename":   { "field": "message2.data_value_encoding_mask",		"target_field": "opcua.data_value_encoding_mask",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.data_variant_encoding_mask",		"target_field": "opcua.data_variant_encoding_mask",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.data_variant_data_type",			"target_field": "opcua.data_variant_data_type",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.data_variant_data_type_str",		"target_field": "opcua.data_variant_data_type_string",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.built_in_data_type",			"target_field": "opcua.built_in_data_type",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.built_in_data_type_str",			"target_field": "opcua.built_in_data_type_string",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.read_results_variant_data_link_id",	"target_field": "opcua.read_results_variant_data_link_id",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_read_results_link

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_read_results_link",
+  "processors" : [
+    { "remove":   { "field": ["host"],														"ignore_failure": true } },
+    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
+    { "rename":   { "field": "message2.read_results_link_id",			"target_field": "opcua.read_results_link_id",			"ignore_missing": true } },
+    { "rename":   { "field": "message2.results_link_id",			"target_field": "opcua.results_link_id",			"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_read_status_code

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_read_status_code",
+  "processors" : [
+    { "remove":   { "field": ["host"],												"ignore_failure": true } },
+    { "json":     { "field": "message",					"target_field": "message2",				"ignore_failure": true } },
+    { "rename":   { "field": "message2.read_status_code_link_id",	"target_field": "opcua.read_status_code_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.status_code_link_id",		"target_field": "opcua.status_code_link_id",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_read_variant_data",
+  "processors" : [
+    { "remove":   { "field": ["host"],														"ignore_failure": true } },
+    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
+    { "rename":   { "field": "message2.read_variant_data_link_id",		"target_field": "opcua.read_variant_data_link_id",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.variant_data_value_signed_numeric",	"target_field": "opcua.variant_data_value_signed_numeric",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_read_variant_data_link

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.opcua_binary_read_variant_data_link",
+  "processors" : [
+    { "remove":   { "field": ["host"],														"ignore_failure": true } },
+    { "json":     { "field": "message",						"target_field": "message2",					"ignore_failure": true } },
+    { "rename":   { "field": "message2.read_results_variant_data_link_id",	"target_field": "opcua.read_results_variant_data_link_id",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.read_variant_data_link_id",		"target_field": "opcua.read_variant_data_link_id",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.opcua_binary_status_code_detail

@@ -0,0 +1,21 @@
+{
+  "description" : "zeek.opcua_binary_status_code_detail",
+  "processors" : [
+    { "remove":   { "field": ["host"],                                                                                              "ignore_failure": true } },
+    { "json":     { "field": "message",			             "target_field": "message2",		                    "ignore_failure": true } },
+    { "rename":   { "field": "message2.status_code", 	             "target_field": "opcua.status_code",	                    "ignore_missing": true } },
+    { "rename":   { "field": "message2.status_code_link_id",         "target_field": "opcua.status_code_link_id",                   "ignore_missing": true } },
+    { "rename":   { "field": "message2.source", 	             "target_field": "opcua.source",		                    "ignore_missing": true } },
+    { "rename":   { "field": "message2.source_str", 		     "target_field": "opcua.source_string",		            "ignore_missing": true } },
+    { "rename":   { "field": "message2.source_level", 	             "target_field": "opcua.source_level",		            "ignore_missing": true } },
+    { "rename":   { "field": "message2.severity", 	             "target_field": "opcua.severity",		                    "ignore_missing": true } },
+    { "rename":   { "field": "message2.severity_str",                "target_field": "opcua.severity_string",	                    "ignore_missing": true } },
+    { "rename":   { "field": "message2.sub_code", 		     "target_field": "opcua.sub_code",		                    "ignore_missing": true } },
+    { "rename":   { "field": "message2.sub_code_str",                "target_field": "opcua.sub_code_string",                       "ignore_missing": true } },
+    { "rename":   { "field": "message2.structure_changed",           "target_field": "opcua.structure_changed",                     "ignore_missing": true } },
+    { "rename":   { "field": "message2.semantics_changed",           "target_field": "opcua.semantics_changed",                     "ignore_missing": true } },
+    { "rename":   { "field": "message2.info_type",            	     "target_field": "opcua.info_type",                             "ignore_missing": true } },
+    { "rename":   { "field": "message2.info_type_str",               "target_field": "opcua.info_type_string",                      "ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.profinet

@@ -0,0 +1,13 @@
+{
+  "description" : "zeek.profinet",
+  "processors" : [
+    { "remove":   { "field": ["host"],                                                                                          "ignore_failure": true } },
+    { "json":     { "field": "message",			             "target_field": "message2",		                "ignore_failure": true} },
+    { "rename":   { "field": "message2.operation_type",               "target_field": "profinet.operation_type",                           "ignore_missing": true } },
+    { "rename":   { "field": "message2.block_version",                  "target_field": "profinet.block_version",                      "ignore_missing": true } },
+    { "rename":   { "field": "message2.slot_number",         "target_field": "profinet.slot_number",                     "ignore_missing": true } },
+    { "rename":   { "field": "message2.subslot_number",         "target_field": "profinet.subslot_number",                     "ignore_missing": true } },
+    { "rename":   { "field": "message2.index",         "target_field": "profinet.index",                     "ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.profinet_dce_rpc

@@ -0,0 +1,15 @@
+{
+  "description" : "zeek.profinet_dce_rpc",
+  "processors" : [
+    { "remove":   { "field": ["host"],                                                                                          "ignore_failure": true } },
+    { "json":     { "field": "message",			             "target_field": "message2",		                "ignore_failure": true} },
+    { "rename":   { "field": "message2.version",               "target_field": "profinet.version",                           "ignore_missing": true } },
+    { "rename":   { "field": "message2.packet_type",                  "target_field": "profinet.packet_type",                      "ignore_missing": true } },
+    { "rename":   { "field": "message2.object_uuid",         "target_field": "profinet.object_uuid",                     "ignore_missing": true } },
+    { "rename":   { "field": "message2.interface_uuid",         "target_field": "profinet.interface_uuid",                     "ignore_missing": true } },
+    { "rename":   { "field": "message2.activity_uuid",         "target_field": "profinet.activity_uuid",                     "ignore_missing": true } },
+    { "rename":   { "field": "message2.server_boot_time",         "target_field": "profinet.server.boot_time",                     "ignore_missing": true } },
+    { "rename":   { "field": "message2.operation",         "target_field": "profinet.operation",                     "ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.s7comm

@@ -0,0 +1,15 @@
+{
+  "description" : "zeek.s7comm",
+  "processors" : [
+    { "remove":   { "field": ["host"],								"ignore_failure": true } },
+    { "json":     { "field": "message",			"target_field": "message2",		"ignore_failure": true } },
+    { "rename":   { "field": "message2.rosctr_code",	"target_field": "s7.ros.control.code",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.rosctr_name",	"target_field": "s7.ros.control.name",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.pdu_reference",	"target_field": "s7.pdu_reference",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.function_code",	"target_field": "s7.function.code",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.function_name",	"target_field": "s7.function.name",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.error_class",	"target_field": "s7.error.class",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.error_code",	"target_field": "s7.error.code",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.s7comm_plus

@@ -0,0 +1,11 @@
+{
+  "description" : "zeek.s7comm_plus",
+  "processors" : [
+    { "remove":   { "field": ["host"],								"ignore_failure": true } },
+    { "json":     { "field": "message",			"target_field": "message2",		"ignore_failure": true } },
+    { "rename":   { "field": "message2.version",	"target_field": "s7.version",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.opcode",		"target_field": "s7.opcode.value",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.opcode_name",	"target_field": "s7.opcode.name",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.s7comm_read_szl

@@ -0,0 +1,15 @@
+{
+  "description" : "zeek.s7comm_read_szl",
+  "processors" : [
+    { "remove":   { "field": ["host"],									"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",		"ignore_failure": true } },
+    { "rename":   { "field": "message2.pdu_reference",		"target_field": "s7.pdu_reference",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.method",			"target_field": "s7.method",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.szl_id",			"target_field": "s7.szl_id",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.szl_id_name",		"target_field": "s7.szl_id_name",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.szl_index",		"target_field": "s7.szl_index",		"ignore_missing": true } },
+    { "rename":   { "field": "message2.return_code",		"target_field": "s7.return_code",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.return_code_name",	"target_field": "s7.return_code_name",	"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.s7comm_upload_download

@@ -0,0 +1,18 @@
+{
+  "description" : "zeek.s7comm_upload_download",
+  "processors" : [
+    { "remove":   { "field": ["host"],									"ignore_failure": true } },
+    { "json":     { "field": "message",				"target_field": "message2",		"ignore_failure": true } },
+    { "rename":   { "field": "message2.rosctr",                 "target_field": "s7.ros.control.name",  "ignore_missing": true } },
+    { "rename":   { "field": "message2.pdu_reference",		"target_field": "s7.pdu_reference",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.function_code",		"target_field": "s7.function_code",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.function_status",        "target_field": "s7.function_status",   "ignore_missing": true } },
+    { "rename":   { "field": "message2.session_id",             "target_field": "s7.session_id",        "ignore_missing": true } },
+    { "rename":   { "field": "message2.blocklength",            "target_field": "s7.block.length",      "ignore_missing": true } },
+    { "rename":   { "field": "message2.filename",               "target_field": "s7.file.name",         "ignore_missing": true } },
+    { "rename":   { "field": "message2.block_type",             "target_field": "s7.block.type",        "ignore_missing": true } },
+    { "rename":   { "field": "message2.block_number",           "target_field": "s7.block.number",      "ignore_missing": true } },
+    { "rename":   { "field": "message2.destination_filesystem", "target_field": "s7.destination.filesystem", "ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.stun

@@ -0,0 +1,15 @@
+{
+  "description" : "zeek.stun",
+  "processors" : [
+    { "remove":   { "field": ["host"],                                                                                          "ignore_failure": true } },
+    { "json":     { "field": "message",			             "target_field": "message2",		                "ignore_failure": true} },
+    { "rename":   { "field": "message2.proto",               "target_field": "network.protocol",                           "ignore_missing": true } },
+    { "rename":   { "field": "message2.is_orig",                  "target_field": "stun.is_orig",                      "ignore_missing": true } },
+    { "rename":   { "field": "message2.trans_id",         "target_field": "stun.id",                     "ignore_missing": true } },
+    { "rename":   { "field": "message2.method",               "target_field": "stun.method",                "ignore_missing": true } },
+    { "rename":   { "field": "message2.class",    "target_field": "stun.class",        "ignore_missing": true } },
+    { "rename":   { "field": "message2.attr_types", "target_field": "stun.attribute.types",          "ignore_missing": true } },
+    { "rename":   { "field": "message2.attr_vals",           "target_field": "stun.attribute.values",               "ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.stun_nat

@@ -0,0 +1,13 @@
+{
+  "description" : "zeek.stun_nat",
+  "processors" : [
+    { "remove":   { "field": ["host"],                                                                                          "ignore_failure": true } },
+    { "json":     { "field": "message",			             "target_field": "message2",		                "ignore_failure": true} },
+    { "rename":   { "field": "message2.proto",               "target_field": "network.protocol",                           "ignore_missing": true } },
+    { "rename":   { "field": "message2.is_orig",                  "target_field": "stun.is_orig",                      "ignore_missing": true } },
+    { "rename":   { "field": "message2.wan_addrs",         "target_field": "stun.wan.addresses",                     "ignore_missing": true } },
+    { "rename":   { "field": "message2.wan_ports",               "target_field": "stun.wan.ports",                "ignore_missing": true } },
+    { "rename":   { "field": "message2.lan_addrs",    "target_field": "stun.lan.addresses",        "ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.tds

@@ -0,0 +1,9 @@
+{
+  "description" : "zeek.tds",
+  "processors" : [
+    { "remove":         { "field": ["host"],						"ignore_failure": true	} },
+    { "json":		{ "field": "message",		"target_field": "message2",	"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.command",	"target_field": "tds.command",	"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.tds_rpc

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.tds_rpc",
+  "processors" : [
+    { "remove":         { "field": ["host"],								"ignore_failure": true	} },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.procedure_name",	"target_field": "tds.procedure_name",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.parameters",	"target_field": "tds.parameters",	"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.tds_sql_batch

@@ -0,0 +1,10 @@
+{
+  "description" : "zeek.tds_sql_batch",
+  "processors" : [
+    { "remove":         { "field": ["host"],								"ignore_failure": true	} },
+    { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
+    { "rename": 	{ "field": "message2.header_type",	"target_field": "tds.header_type",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.query",		"target_field": "tds.query",		"ignore_missing": true 	} },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/files/ingest/zeek.wireguard

@@ -0,0 +1,11 @@
+{
+  "description" : "zeek.wireguard",
+  "processors" : [
+    { "remove":   { "field": ["host"],									"ignore_failure": true } },
+    { "json":     { "field": "message",			"target_field": "message2",			"ignore_failure": true } },
+    { "rename":   { "field": "message2.established",	"target_field": "wireguard.established",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.initiations",	"target_field": "wireguard.initiations",	"ignore_missing": true } },
+    { "rename":   { "field": "message2.responses",	"target_field": "wireguard.responses",		"ignore_missing": true } },
+    { "pipeline": { "name": "zeek.common" } }
+  ]
+}

salt/elasticsearch/templates/component/so/so-scan-mappings.json

@@ -62,6 +62,17 @@
                   }
                 }
               }
+	    },
+           "elf": {
+              "properties": {
+                "sections": {
+                  "properties": {
+                    "entropy": {
+                      "type": "long"
+                    }
+                  }
+                }
+              }
 	    }
           }
         }
@@ -69,3 +80,22 @@
     }
   }
 }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+

salt/filebeat/etc/filebeat.yml

@@ -144,6 +144,10 @@ filebeat.inputs:
       dataset: {{ LOGNAME }}
       category: network
   processors:
+    {%- if LOGNAME is match('^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
+  - add_tags:
+      tags: ["ics"]
+    {%- endif %}
   - drop_fields:
       fields: ["source", "prospector", "input", "offset", "beat"]
  
@@ -161,6 +165,10 @@ filebeat.inputs:
       category: network
       imported: true
   processors:
+    {%- if LOGNAME is match('^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %}
+  - add_tags:
+      tags: ["ics"]
+    {%- endif %}
   - add_tags:
       tags: ["import"]
   - dissect:

salt/grafana/defaults.yaml

@@ -3085,12 +3085,6 @@ grafana:
             y: 16
             h: 8
             w: 24
-        elasticsearch_pipeline_time_nontc_graph:
-          gridPos:
-            x: 0
-            y: 24
-            h: 8
-            w: 24
 
 
     pipeline_overview_tc:
@@ -3140,9 +3134,3 @@ grafana:
             y: 16
             h: 8
             w: 24
-        elasticsearch_pipeline_time_tc_graph:
-          gridPos:
-            x: 0
-            y: 24
-            h: 8
-            w: 24

salt/idstools/etc/rulecat.conf

@@ -31,7 +31,7 @@
   {%- elif RULESET == 'ETPRO' %}
 --etpro={{ OINKCODE }}
   {%- elif RULESET == 'TALOS' %}
---url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }}
+--url=https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode={{ OINKCODE }}
   {%- endif %}
 {%- endif %}
 {%- if URLS != None %}

salt/kibana/bin/so-kibana-config-load

@@ -59,7 +59,7 @@ update() {
 
     IFS=$'\r\n' GLOBIGNORE='*' command eval  'LINES=($(cat $1))'
     for i in "${LINES[@]}"; do
-      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.4.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
       echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
     done
  

salt/kibana/files/config_saved_objects.ndjson

@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.2","id": "8.3.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.4.3","id": "8.4.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}

salt/salt/minion.sls

@@ -81,11 +81,20 @@ set_log_levels:
       - "log_level: error"
       - "log_level_logfile: error"
 
-salt_minion_service_unit_file:
-  file.managed:
+delete_pre_150_start_delay:
+  file.line:
     - name: {{ SYSTEMD_UNIT_FILE }}
-    - source: salt://salt/service/salt-minion.service.jinja
+    - match: ^ExecStartPre=*
+    - mode: delete
+    - onchanges_in:
+      - module: systemd_reload
+
+salt_minion_service_start_delay:
+  file.managed:
+    - name: /etc/systemd/system/salt-minion.service.d/start-delay.conf
+    - source: salt://salt/service/start-delay.conf.jinja
     - template: jinja
+    - makedirs: True
     - defaults:
         service_start_delay: {{ service_start_delay }}
     - onchanges_in:
@@ -109,7 +118,7 @@ salt_minion_service:
       - file: mine_functions
 {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
       - file: set_log_levels
-      - file: salt_minion_service_unit_file
+      - file: salt_minion_service_start_delay
 {% endif %}
     - order: last
 

salt/salt/service/salt-minion.service.jinja

@@ -1,15 +0,0 @@
-[Unit]
-Description=The Salt Minion
-Documentation=man:salt-minion(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html
-After=network.target salt-master.service
-
-[Service]
-KillMode=process
-Type=notify
-NotifyAccess=all
-LimitNOFILE=8192
-ExecStart=/usr/bin/salt-minion
-ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }}
-
-[Install]
-WantedBy=multi-user.target

salt/salt/service/start-delay.conf.jinja

@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }}