CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
5a6c66bde50fb2ed73b5619851e33b61b83a051b
securityonion/salt/logstash/files/conf.d/1100_preprocess_bro_conn.conf
Mike Reeves 5a6c66bde5 Initial Commit
2018-02-05 12:36:27 -05:00

45 lines
2.5 KiB
Plaintext
Raw Blame History

# Original Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Wes Lambert
# Last Update: 12/14/2017
#
# This conf file is based on accepting logs for conn.log from Bro systems
filter {
if [type] == "bro_conn" {
# This is the initial parsing of the log
mutate {
gsub => [ "message", "[\"']", "" ]
}
csv {
columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","protocol","service","duration","original_bytes","respond_bytes","connection_state","local_orig","local_respond","missed_bytes","history","original_packets","original_ipbytes","respond_packets","respond_ipbytes","tunnel_parents","original_country_code","respond_country_code","sensor_name"]
# If you use a custom delimiter, change the following value in between the quotes to your delimiter. Otherwise, insert a literal <tab> in between the two quotes on your logstash system, use a text editor like nano that doesn't convert tabs to spaces.
separator => " "
}
translate {
field => "connection_state"
destination => "connection_state_description"
dictionary => [
"S0", "Connection attempt seen, no reply",
"S1", "Connection established, not terminated",
"S2", "Connection established and close attempt by originator seen (but no reply from responder)",
"S3", "Connection established and close attempt by responder seen (but no reply from originator)",
"SF", "Normal SYN/FIN completion",
"REJ", "Connection attempt rejected",
"RSTO", "Connection established, originator aborted (sent a RST)",
"RSTR", "Established, responder aborted",
"RSTOS0", "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder",
"RSTRH", "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator",
"SH", "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)",
"SHR", "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator",
"OTH", "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)"
]
}
mutate {
#add_tag => [ "conf_file_1100"]
}
}
}
Reference in New Issue View Git Blame Copy Permalink