mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-04-25 22:17:49 +02:00
m0duspwnens
78 lines
2.8 KiB
Plaintext
78 lines
2.8 KiB
Plaintext
# Author: Justin Henderson
|
|
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
|
|
# Updated by: Doug Burks
|
|
#
|
|
# This conf file is based on accepting logs for http.log from Bro systems
|
|
filter {
|
|
if [type] == "bro_http" {
|
|
# If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
|
|
if [message] =~ /^{.*}$/ {
|
|
|
|
# Rename logstash tags field to avoid being overwritten by Bro's http tags field
|
|
mutate {
|
|
rename => { "tags" => "tags-orig" }
|
|
}
|
|
json {
|
|
source => "message"
|
|
}
|
|
|
|
mutate {
|
|
rename => { "ts" => "timestamp" }
|
|
#uid
|
|
rename => { "id.orig_h" => "source_ip" }
|
|
rename => { "id.orig_p" => "source_port" }
|
|
rename => { "id.resp_h" => "destination_ip" }
|
|
rename => { "id.resp_p" => "destination_port" }
|
|
#trans_depth
|
|
#method
|
|
rename => { "host" => "virtual_host" }
|
|
#uri
|
|
#referrer
|
|
#version
|
|
#convert => { "version" => "string" }
|
|
rename => { "user_agent" => "useragent" }
|
|
#origin
|
|
rename => { "request_body_len" => "request_body_length" }
|
|
rename => { "response_body_len" => "response_body_length" }
|
|
#status_code
|
|
#status_message
|
|
rename => { "status_msg" => "status_message" }
|
|
#info_code
|
|
rename => { "info_msg" => "info_message" }
|
|
#tags
|
|
# Rename http tags field to http-tags
|
|
rename => { "tags" => "http-tags" }
|
|
# Rename logstash tags field to tags
|
|
rename => { "tags-orig" => "tags" }
|
|
#username
|
|
#password
|
|
#proxied
|
|
#orig_fuids
|
|
#orig_filenames
|
|
#orig_mime_types
|
|
#resp_fuids
|
|
#resp_filenames
|
|
#resp_mime_types
|
|
}
|
|
if [http-tags] {
|
|
mutate {
|
|
remove_field => [ "http-tags" ]
|
|
}
|
|
}
|
|
} else {
|
|
grok {
|
|
match => [ "message", "(?<timestamp>(.*?))\t(?<uid>(.*?))\t(?<source_ip>(.*?))\t(?<source_port>(.*?))\t(?<destination_ip>(.*?))\t(?<destination_port>(.*?))\t(?<trans_depth>(.*?))\t(?<method>(.*?))\t(?<virtual_host>(.*?))\t(?<uri>(.*?))\t(?<referrer>(.*?))\t(?<version>(.*?))\t(?<useragent>(.*?))\t(?<origin>(.*?))\t(?<request_body_length>(.*?))\t(?<response_body_length>(.*?))\t(?<status_code>(.*?))\t(?<status_message>(.*?))\t(?<info_code>(.*?))\t(?<info_message>(.*?))\t(?<tags>(.*))\t(?<username>(.*))\t(?<password>(.*))\t(?<proxied>(.*))\t(?<orig_fuids>(.*))\t(?<orig_filenames>(.*?))\t(?<orig_mime_types>(.*))\t(?<resp_fuids>(.*))\t(?<resp_filenames>(.*?))\t(?<resp_mime_types>(.*))" ]
|
|
}
|
|
}
|
|
|
|
if [useragent] == "-" {
|
|
mutate {
|
|
remove_field => [ "useragent" ]
|
|
}
|
|
}
|
|
mutate {
|
|
#add_tag => [ "conf_file_1106"]
|
|
}
|
|
}
|
|
}
|