CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-03-06 12:56:24 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
a9f2073d049da4e6942ad72f806c07e5610e4479
securityonion/salt/logstash/files/conf.d/1123_preprocess_bro_x509.conf
Mike Reeves 5a6c66bde5 Initial Commit
2018-02-05 12:36:27 -05:00

124 lines
4.5 KiB
Plaintext
Raw Blame History

# Original Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/13/2017
#
# This conf file is based on accepting logs for x509.log from Bro systems
filter {
if [type] == "bro_x509" {
grok {
match => [ "message", "(?<timestamp>(.*?))\t(?<id>(.*?))\t(?<certificate_version>(.*?))\t(?<certificate_serial>(.*?))\t(?<certificate_subject>(.*?))\t(?<certificate_issuer>(.*?))\t(?<certificate_not_valid_before>(.*?))\t(?<certificate_not_valid_after>(.*?))\t(?<certificate_key_algorithm>(.*?))\t(?<certificate_signing_algorithm>(.*))\t(?<certificate_key_type>(.*))\t(?<certificate_key_length>(.*))\t(?<certificate_exponent>(.*))\t(?<certificate_curve>(.*))\t(?<san_dns>(.*))\t(?<san_uri>(.*))\t(?<san_email>(.*))\t(?<san_ip>(.*))\t(?<basic_constraints_ca>(.*))\t(?<basic_constraints_path_length>(.*))" ]
}
mutate {
gsub => [ "certificate_issuer", "\\\\,", "|" ]
gsub => [ "certificate_subject", "\\\\,", "|" ]
}
kv {
include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "DC", "GN", "pseudonym", "serialNumber", "title", "initials" ]
field_split => ","
source => "certificate_issuer"
}
mutate {
rename => { "CN" => "issuer_common_name"}
rename => { "C" => "issuer_country_code"}
rename => { "O" => "issuer_organization"}
rename => { "OU" => "issuer_organization_unit"}
rename => { "ST" => "issuer_state"}
rename => { "SN" => "issuer_surname"}
rename => { "L" => "issuer_locality"}
rename => { "DC" => "issuer_distinguished_name"}
rename => { "GN" => "issuer_given_name"}
rename => { "pseudonym" => "issuer_pseudonym"}
rename => { "serialNumber" => "issuer_serial_number"}
rename => { "title" => "issuer_title"}
rename => { "initials" => "issuer_initials"}
}
kv {
include_keys => [ "CN", "C", "O", "OU", "ST", "SN", "L", "GN", "pseudonym", "serialNumber", "title", "initials" ]
field_split => ","
source => "certificate_subject"
}
mutate {
rename => { "CN" => "certificate_common_name"}
rename => { "C" => "certificate_country_code"}
rename => { "O" => "certificate_organization"}
rename => { "OU" => "certificate_organization_unit"}
rename => { "ST" => "certificate_state"}
rename => { "SN" => "certificate_surname"}
rename => { "L" => "certificate_locality"}
rename => { "GN" => "certificate_given_name"}
rename => { "pseudonym" => "certificate_pseudonym"}
rename => { "serialNumber" => "certificate_serial_number"}
rename => { "title" => "certificate_title"}
rename => { "initials" => "certificate_initials"}
convert => [ "certificate_key_length", "integer" ]
convert => [ "certificate_not_valid_after", "integer" ]
convert => [ "certificate_not_valid_before", "integer" ]
}
if [query] == "-" {
mutate {
remove_field => [ "query" ]
}
}
if [san_dns] == "-" {
mutate {
remove_field => [ "san_dns" ]
}
}
if [san_email] == "-" {
mutate {
remove_field => [ "san_email" ]
}
}
if [san_uri] == "-" {
mutate {
remove_field => [ "san_uri" ]
}
}
if [san_ip] == "-" {
mutate {
remove_field => [ "san_ip" ]
}
}
if [certificate_common_name] {
ruby {
code => "event.set('certificate_common_name_length', event.get('certificate_common_name').length)"
}
}
if [issuer_common_name] {
ruby {
code => "event.set('issuer_common_name_length', event.get('issuer_common_name').length)"
}
}
if [certificate_not_valid_after] == "-" {
mutate {
remove_field => [ "certificate_not_valid_after" ]
}
}
if [certificate_not_valid_before] == "-" {
mutate {
remove_field => [ "certificate_not_valid_before" ]
}
}
if [certificate_not_valid_after] and [certificate_not_valid_before] {
ruby {
code => "event.set('certificate_number_days_valid', ((event.get('certificate_not_valid_after') - event.get('certificate_not_valid_before')) / 86400).ceil)"
}
date {
match => [ "certificate_not_valid_after", "UNIX" ]
target => "certificate_not_valid_after"
}
date {
match => [ "certificate_not_valid_before", "UNIX" ]
target => "certificate_not_valid_before"
}
}
mutate {
#add_tag => [ "conf_file_1123"]
}
}
}
Reference in New Issue View Git Blame Copy Permalink