{
"description" : "zeek.http - parses the Zeek http.log JSON carried in 'message' into http.*, file.* and log.id.* fields, then delegates to the zeek.common pipeline. Caveats: http.user and http.password retain credentials observed on the wire in cleartext (restrict access to this index or drop the field if not needed); the uri_length/useragent_length/virtual_host_length scripts reference ctx.uri, ctx.useragent and ctx.virtual_host, which have already been renamed under http.* by earlier processors, so they fail and are silently suppressed by ignore_failure.",
"processors" : [
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.trans_depth", "target_field": "http.trans_depth", "ignore_missing": true } },
{ "rename": { "field": "message2.method", "target_field": "http.method", "ignore_missing": true } },
{ "rename": { "field": "message2.host", "target_field": "http.virtual_host", "ignore_missing": true } },
{ "rename": { "field": "message2.uri", "target_field": "http.uri", "ignore_missing": true } },
{ "rename": { "field": "message2.referrer", "target_field": "http.referrer", "ignore_missing": true } },
{ "rename": { "field": "message2.version", "target_field": "http.version", "ignore_missing": true } },
{ "rename": { "field": "message2.user_agent", "target_field": "http.useragent", "ignore_missing": true } },
{ "rename": { "field": "message2.request_body_len", "target_field": "http.request.body.length", "ignore_missing": true } },
{ "rename": { "field": "message2.response_body_len","target_field": "http.response.body.length", "ignore_missing": true } },
{ "rename": { "field": "message2.status_code", "target_field": "http.status_code", "ignore_missing": true } },
{ "rename": { "field": "message2.status_msg", "target_field": "http.status_message", "ignore_missing": true } },
{ "rename": { "field": "message2.info_code", "target_field": "http.info_code", "ignore_missing": true } },
{ "rename": { "field": "message2.info_msg", "target_field": "http.info_message", "ignore_missing": true } },
{ "remove": { "field": "message2.tags", "ignore_failure": true } },
{ "rename": { "field": "message2.username", "target_field": "http.user", "ignore_missing": true } },
{ "rename": { "field": "message2.password", "target_field": "http.password", "ignore_missing": true } },
{ "rename": { "field": "message2.proxied", "target_field": "http.proxied", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_fuids", "target_field": "log.id.orig_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_filenames", "target_field": "file.orig_filenames", "ignore_missing": true } },
{ "rename": { "field": "message2.orig_mime_types", "target_field": "file.orig_mime_types", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_fuids", "target_field": "log.id.resp_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_filenames", "target_field": "file.resp_filenames", "ignore_missing": true } },
{ "rename": { "field": "message2.resp_mime_types", "target_field": "file.resp_mime_types", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.uri_length = ctx.uri.length()", "ignore_failure": true } },
{ "script": { "lang": "painless", "source": "ctx.useragent_length = ctx.useragent.length()", "ignore_failure": true } },
{ "script": { "lang": "painless", "source": "ctx.virtual_host_length = ctx.virtual_host.length()", "ignore_failure": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}