securityonion/salt/logstash/files/conf.d/1116_preprocess_bro_ssl.conf
# Original Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Wes Lambert
# Last Update: 12/14/2017
#
# This conf file parses ssl.log records received from Bro systems
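filter {
  if [type] == "bro_ssl" {
    # Initial parsing: drop quote characters from the raw line before the
    # column split, so quoted values do not confuse the csv filter.
    mutate {
      gsub => [ "message", "[\"']", "" ]
    }
    # Column order must match the Bro ssl.log field order (22 fields, ja3 last).
    csv {
      columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","cipher","curve","server_name","resumed","last_alert","next_protocol","established","certificate_chain_fuids","client_certificate_chain_fuids","certificate_subject","certificate_issuer","client_subject","client_issuer","validation_status","ja3"]
      separator => " "
    }
    # Escaped commas inside a DN value (e.g. an organization containing ", Inc")
    # would otherwise be treated as component separators by the kv filters
    # below, producing bogus keys. The original targeted [subject], a field no
    # column above produces, so this replacement never ran; it now targets the
    # two DN fields that are actually split. The stored DN strings are changed
    # by this (escaped comma becomes "|"), which is the author's intended effect.
    mutate {
      gsub => [
        "certificate_subject", "\\\\,", "|",
        "certificate_issuer", "\\\\,", "|"
      ]
    }
    # Split the issuer DN into its components. Only the listed attribute
    # types are kept; everything else in the DN is ignored.
    kv {
      include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ]
      field_split => ","
      source => "certificate_issuer"
    }
    # The issuer components are renamed before the subject kv runs, because
    # both kv filters emit the same short attribute names.
    mutate {
      rename => { "CN" => "issuer_common_name"}
      rename => { "C" => "issuer_country_code"}
      rename => { "O" => "issuer_organization"}
      rename => { "OU" => "issuer_organization_unit"}
      rename => { "ST" => "issuer_state"}
      rename => { "SN" => "issuer_surname"}
      rename => { "L" => "issuer_locality"}
      # DC is the domainComponent attribute, not a distinguished name; the
      # target field name is kept as-is for compatibility with consumers of
      # the existing field.
      rename => { "DC" => "issuer_distinguished_name"}
      rename => { "GN" => "issuer_given_name"}
      rename => { "pseudonym" => "issuer_pseudonym"}
      rename => { "serialNumber" => "issuer_serial_number"}
      rename => { "title" => "issuer_title"}
      rename => { "initials" => "issuer_initials"}
    }
    # Split the subject DN the same way.
    kv {
      include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ]
      field_split => ","
      source => "certificate_subject"
    }
    mutate {
      rename => { "CN" => "certificate_common_name"}
      rename => { "C" => "certificate_country_code"}
      rename => { "O" => "certificate_organization"}
      rename => { "OU" => "certificate_organization_unit"}
      rename => { "ST" => "certificate_state"}
      rename => { "SN" => "certificate_surname"}
      rename => { "L" => "certificate_locality"}
      rename => { "GN" => "certificate_given_name"}
      rename => { "pseudonym" => "certificate_pseudonym"}
      rename => { "serialNumber" => "certificate_serial_number"}
      rename => { "title" => "certificate_title"}
      rename => { "initials" => "certificate_initials"}
    }
    # Bro writes "-" for unset fields; drop those so the field is absent
    # rather than carrying a placeholder string.
    if [certificate_subject] == "-" {
      mutate {
        remove_field => [ "certificate_subject" ]
      }
    }
    if [certificate_issuer] == "-" {
      mutate {
        remove_field => [ "certificate_issuer" ]
      }
    }
    # Name lengths are kept as separate fields for analytics on unusually
    # long or short names. NOTE(review): if kv produced an array for a
    # repeated attribute (e.g. two CN components), .length here is the
    # element count rather than the string length — confirm whether that
    # matters for downstream consumers.
    if [certificate_common_name] {
      ruby {
        code => "event.set('certificate_common_name_length', event.get('certificate_common_name').length)"
      }
    }
    if [issuer_common_name] {
      ruby {
        code => "event.set('issuer_common_name_length', event.get('issuer_common_name').length)"
      }
    }
    # The "else if [server_name]" guard avoids a Ruby NoMethodError (and a
    # _rubyexception tag) on truncated lines where the column is missing
    # entirely; the original else branch called .length on nil in that case.
    if [server_name] == "-" {
      mutate {
        remove_field => [ "server_name" ]
      }
    } else if [server_name] {
      ruby {
        code => "event.set('server_name_length', event.get('server_name').length)"
      }
    }
    if [certificate_chain_fuids] == "-" {
      mutate {
        remove_field => [ "certificate_chain_fuids" ]
      }
    } else if [certificate_chain_fuids] {
      # Chain length = number of comma-separated file UIDs.
      ruby {
        code => "event.set('certificate_chain_count', event.get('certificate_chain_fuids').count(',') + 1)"
      }
      # The original converted [certificate_chain_length], a field nothing
      # sets; the field written by the ruby block above is
      # certificate_chain_count, so convert that one.
      mutate {
        convert => [ "certificate_chain_count", "integer" ]
      }
    }
    if [client_certificate_chain_fuids] == "-" {
      mutate {
        remove_field => [ "client_certificate_chain_fuids" ]
      }
    }
    if [client_issuer] == "-" {
      mutate {
        remove_field => [ "client_issuer" ]
      }
    }
    if [client_subject] == "-" {
      mutate {
        remove_field => [ "client_subject" ]
      }
    }
    if [curve] == "-" {
      mutate {
        remove_field => [ "curve" ]
      }
    }
    # NOTE(review): no column above produces [issuer], [query] or [subject];
    # these three checks appear to be carried over from another conf file and
    # are not expected to match on bro_ssl events. Kept as harmless no-ops.
    if [issuer] == "-" {
      mutate {
        remove_field => [ "issuer" ]
      }
    }
    if [query] == "-" {
      mutate {
        remove_field => [ "query" ]
      }
    }
    if [subject] == "-" {
      mutate {
        remove_field => [ "subject" ]
      }
    }
    if [validation_status] == "-" {
      mutate {
        remove_field => [ "validation_status" ]
      }
    }
    if [ja3] == "-" {
      mutate {
        remove_field => [ "ja3" ]
      }
    }
    # Placeholder kept so the conf-file tag can be re-enabled for debugging
    # which pipeline file touched an event.
    mutate {
      #add_tag => [ "conf_file_1116"]
    }
  }
}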