# Original Author: Justin Henderson # SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics # Updated by: Wes Lambert # Last Update: 12/14/2017 # # This conf file is based on accepting logs for ssl.log from Bro systems filter { if [type] == "bro_ssl" { # This is the initial parsing of the log mutate { gsub => [ "message", "[\"']", "" ] } csv { columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","cipher","curve","server_name","resumed","last_alert","next_protocol","established","certificate_chain_fuids","client_certificate_chain_fuids","certificate_subject","certificate_issuer","client_subject","client_issuer","validation_status","ja3"] separator => " " } mutate { gsub => [ "subject", "\\\\,", "|" ] } kv { include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ] field_split => "," source => "certificate_issuer" } mutate { rename => { "CN" => "issuer_common_name"} rename => { "C" => "issuer_country_code"} rename => { "O" => "issuer_organization"} rename => { "OU" => "issuer_organization_unit"} rename => { "ST" => "issuer_state"} rename => { "SN" => "issuer_surname"} rename => { "L" => "issuer_locality"} rename => { "DC" => "issuer_distinguished_name"} rename => { "GN" => "issuer_given_name"} rename => { "pseudonym" => "issuer_pseudonym"} rename => { "serialNumber" => "issuer_serial_number"} rename => { "title" => "issuer_title"} rename => { "initials" => "issuer_initials"} } kv { include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ] field_split => "," source => "certificate_subject" } mutate { rename => { "CN" => "certificate_common_name"} rename => { "C" => "certificate_country_code"} rename => { "O" => "certificate_organization"} rename => { "OU" => "certificate_organization_unit"} rename => { "ST" => "certificate_state"} rename => { "SN" => "certificate_surname"} rename => { "L" => "certificate_locality"} rename => { "GN" => "certificate_given_name"} rename => { "pseudonym" => "certificate_pseudonym"} rename => { "serialNumber" => "certificate_serial_number"} rename => { "title" => "certificate_title"} rename => { "initials" => "certificate_initials"} } if [certificate_subject] == "-" { mutate { remove_field => [ "certificate_subject" ] } } if [certificate_issuer] == "-" { mutate { remove_field => [ "certificate_issuer" ] } } if [certificate_common_name] { ruby { code => "event.set('certificate_common_name_length', event.get('certificate_common_name').length)" } } if [issuer_common_name] { ruby { code => "event.set('issuer_common_name_length', event.get('issuer_common_name').length)" } } if [server_name] == "-" { mutate { remove_field => [ "server_name" ] } } else { ruby { code => "event.set('server_name_length', event.get('server_name').length)" } } if [certificate_chain_fuids] == "-" { mutate { remove_field => [ "certificate_chain_fuids" ] } } else { ruby { code => "event.set('certificate_chain_count', event.get('certificate_chain_fuids').count(',') + 1)" } mutate { convert => [ "certificate_chain_length", "integer" ] } } if [client_certificate_chain_fuids] == "-" { mutate { remove_field => [ "client_certificate_chain_fuids" ] } } if [client_issuer] == "-" { mutate { remove_field => [ "client_issuer" ] } } if [client_subject] == "-" { mutate { remove_field => [ "client_subject" ] } } if [curve] == "-" { mutate { remove_field => [ "curve" ] } } if [issuer] == "-" { mutate { remove_field => [ "issuer" ] } } if [query] == "-" { mutate { remove_field => [ "query" ] } } if [subject] == "-" { mutate { remove_field => [ "subject" ] } } if [validation_status] == "-" { mutate { remove_field => [ "validation_status" ] } } if [ja3] == "-" { mutate { remove_field => [ "ja3" ] } } mutate { #add_tag => [ "conf_file_1116"] } } }