CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
3d71d2a76c8cb8ffb7e1f37523e7608ee3bef40b
securityonion/salt/logstash/files/conf.d/6000_bro.conf
Mike Reeves 5a6c66bde5 Initial Commit
2018-02-05 12:36:27 -05:00

137 lines
4.3 KiB
Plaintext
Raw Blame History

# Original Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/16/2017
#
# This conf file is based on accepting logs for conn.log from Bro systems
filter {
if "bro" in [tags] {
if [duration] == "-" {
mutate {
replace => [ "duration", "0" ]
}
}
if [original_bytes] == "-" {
mutate {
replace => [ "original_bytes", "0" ]
}
}
# If MissedBytes is unspecified set it to zero so it is an integer
if [missed_bytes] == "-" {
mutate {
replace => [ "missed_bytes", "0" ]
}
}
# If OriginalIPBytes is unspecified set it to zero so it is an integer
if [original_ip_bytes] == "-" {
mutate {
replace => [ "original_ip_bytes", "0" ]
}
}
# If RespondBytes is unspecified set it to zero so it is an integer
if [respond_bytes] == "-" {
mutate {
replace => [ "respond_bytes", "0" ]
}
}
# If RespondIPBytes is unspecified set it to zero so it is an integer
if [respond_ip_bytes] == "-" {
mutate {
replace => [ "respond_ip_bytes", "0" ]
}
}
if [source_port] == "-" {
mutate {
remove_field => ["source_port"]
}
}
if [destination_port] == "-" {
mutate {
remove_field => ["destination_port"]
}
}
if [virtual_host] == "-" {
mutate {
remove_field => ["virtual_host"]
}
}
# I renamed conn_uids to uid so that it is easy to pivot to all things tied to a connection
mutate {
rename => [ "connection_uids", "uid" ]
}
# If total_bytes is set to "-" change it to 0 so it is an integer
if [total_bytes] == "-" {
mutate {
replace => [ "total_bytes", "0" ]
}
}
# If seen_bytes is set to "-" change it to 0 so it is an integer
if [seen_bytes] == "-" {
mutate {
replace => [ "seen_bytes", "0" ]
}
}
# If missing_bytes is set to "-" change it to 0 so it is an integer
if [missing_bytes] == "-" {
mutate {
replace => [ "missing_bytes", "0" ]
}
}
# If pverflow_bytes is set to "-" change it to 0 so it is an integer
if [overflow_bytes] == "-" {
mutate {
replace => [ "overflow_bytes", "0" ]
}
}
# I recommend changing the field types below to integer or floats so searches can do greater than or less than
# and also so math functions can be ran against them
mutate {
convert => [ "bound_port", "integer" ]
convert => [ "data_channel_destination_port", "integer" ]
convert => [ "destination_port", "integer" ]
convert => [ "depth", "integer" ]
convert => [ "duration", "float" ]
convert => [ "info_code", "integer" ]
convert => [ "missed_bytes", "integer" ]
convert => [ "missing_bytes", "integer" ]
convert => [ "n", "integer" ]
convert => [ "original_bytes", "integer" ]
convert => [ "original_packets", "integer" ]
convert => [ "original_ip_bytes", "integer" ]
convert => [ "overflow_bytes", "integer" ]
convert => [ "p", "integer" ]
convert => [ "query_class", "integer" ]
convert => [ "query_type", "integer" ]
convert => [ "rcode", "integer" ]
convert => [ "request_body_length", "integer" ]
convert => [ "request_port", "integer" ]
convert => [ "respond_bytes", "integer" ]
convert => [ "respond_packets", "integer" ]
convert => [ "respond_ip_bytes", "integer" ]
convert => [ "response_body_length", "integer" ]
convert => [ "seen_bytes", "integer" ]
convert => [ "source_port", "integer" ]
convert => [ "status_code", "integer" ]
convert => [ "suppress_for", "float" ]
convert => [ "total_bytes", "integer" ]
convert => [ "trans_depth", "integer" ]
convert => [ "transaction_id", "integer" ]
lowercase => [ "query" ]
#remove_field => [ "timestamp" ]
}
# Combine OriginalBytes and RespondBytes and save the value to total_bytes
if [original_bytes] {
if [respond_bytes] {
ruby {
code => "event.set('total_bytes', event.get('original_bytes') + event.get('respond_bytes'))"
}
}
}
mutate {
#add_tag => [ "conf_file_6000"]
}
}
}
Reference in New Issue View Git Blame Copy Permalink