CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-04-30 08:28:18 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
2b34bdece97548af2fae4cbd6233f65f8e733c9b
securityonion/salt/logstash/pipelines/config/1112_preprocess_bro_smtp.conf
T

66 lines
2.1 KiB
Plaintext
Raw Blame History

# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 2/7/2018
#
# This conf file is based on accepting logs for smtp.log from Bro systems
filter {
if [type] == "bro_smtp" {
# If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
if [message] =~ /^{.*}$/ {
json {
source => "message"
}
mutate {
rename => { "ts" => "timestamp" }
#uid
rename => { "id.orig_h" => "source_ip" }
rename => { "id.orig_p" => "source_port" }
rename => { "id.resp_h" => "destination_ip" }
rename => { "id.resp_p" => "destination_port" }
#trans_depth
#helo
rename => { "mailfrom" => "mail_from" }
rename => { "rcptto" => "recipient_to" }
rename => { "date" => "mail_date" }
#from
#to
#cc
#reply_to
rename => { "msg_id" => "message_id" }
#in_reply_to
#subject
#x_originating_ip
#first_received
#second_received
#last_reply
#path
rename => { "user_agent" => "useragent" }
#tls
#fuids
#is_webmail
}
mutate {
convert => { "tls" => "string" }
convert => { "is_webmail" => "string" }
}
} else {
grok {
match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<trans_depth>(.*?))\t(?<helo>(.*?))\t(?<mail_from>(.*?))\t(?<recipient_to>(.*?))\t(?<mail_date>(.*?))\t(?<from>(.*?))\t(?<to>(.*?))\t(?<cc>(.*?))\t(?<reply_to>(.*?))\t(?<message_id>(.*?))\t(?<in_reply_to>(.*?))\t(?<subject>(.*?))\t(?<x_originating_ip>(.*?))\t(?<first_received>(.*))\t(?<second_received>(.*))\t(?<last_reply>(.*))\t(?<path>(.*))\t(?<useragent>(.*))\t(?<tls>(.*))\t(?<fuids>(.*))\t(?<is_webmail>(.*))" ]
}
}
if [useragent] == "-" {
mutate {
remove_field => [ "useragent" ]
}
}
mutate {
#add_tag => [ "conf_file_1112"]
}
}
}
Reference in New Issue View Git Blame Copy Permalink