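# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Email: justin@hasecuritysolution.com
# Last Update: 12/9/2016
#
# This conf file is based on accepting logs for suricata json events
#
# Logstash pipeline filter for Suricata EVE JSON events (type "suricata").
# It parses the event timestamp, normalizes endpoint field names, derives a
# severity label from alert.severity, and splits Snort GPL / Emerging Threats
# signatures into rule_type, category and a signature_info lookup URL.
filter {
  if [type] == "suricata" {

    # Live events keep Suricata's own timestamp as @timestamp; events tagged
    # test_data are replays, so their original timestamps are removed instead.
    # NOTE(review): "netflow.start" / "netflow.end" name literal dotted keys;
    # if netflow arrives as a nested object the references would have to be
    # "[netflow][start]" / "[netflow][end]" - confirm against the input.
    if "test_data" not in [tags] {
      date {
        match => [ "timestamp", "ISO8601" ]
      }
    } else {
      mutate {
        remove_field => [ "netflow.start","netflow.end","timestamp" ]
      }
    }

    # For fileinfo events keep the text before the first comma of the libmagic
    # string as fileinfo.type. Field-reference syntax is used so that a missing
    # fileinfo object or magic field yields nil instead of raising inside the
    # ruby filter (the original event['fileinfo']['magic'] chain would). The
    # event[...] accessor is the API this file already uses; later Logstash
    # releases replace it with event.get / event.set.
    if [event_type] == "fileinfo" {
      ruby {
        code => "magic = event['[fileinfo][magic]']; event['[fileinfo][type]'] = magic.to_s.split(',')[0] unless magic.nil?"
      }
    }

    # I recommend renaming the fields below to be consistent with other log sources. This makes it easy to "pivot" between logs
    mutate {
      rename => {
        "src_ip"    => "source_ip"
        "dest_ip"   => "destination_ip"
        "src_port"  => "source_port"
        "dest_port" => "destination_port"
      }
    }

    if [event_type] == "alert" {

      # Map the numeric alert.severity (1 = most severe) to a label.
      # Any other value leaves severity unset.
      if [alert][severity] == 1 {
        mutate { add_field => { "severity" => "High" } }
      } else if [alert][severity] == 2 {
        mutate { add_field => { "severity" => "Medium" } }
      } else if [alert][severity] == 3 {
        mutate { add_field => { "severity" => "Low" } }
      }

      # Snort GPL and Emerging Threats signatures begin with "GPL " / "ET "
      # followed by a category word. The conditionals and grok patterns are
      # anchored to the start of the signature: an unanchored "ET " also
      # matches text such as "... TARGET ..." inside a GPL signature, which
      # would run both branches, overwrite category, and turn rule_type into
      # an array (add_field appends to a field that already exists).
      if [alert][signature] =~ "^GPL " {
        # Parse the category out of the signature, then record the rule family.
        grok {
          match => { "[alert][signature]" => "^GPL\s+%{DATA:category}\s" }
        }
        mutate {
          add_field => { "rule_type" => "Snort GPL" }
          lowercase => [ "category" ]
        }
      } else if [alert][signature] =~ "^ET " {
        # Parse the category out of the signature, then record the rule family.
        grok {
          match => { "[alert][signature]" => "^ET\s+%{DATA:category}\s" }
        }
        mutate {
          add_field => { "rule_type" => "Emerging Threats" }
          lowercase => [ "category" ]
        }
      }

      # Lookup URLs for the rule. Both depend on alert.gid / alert.signature_id
      # being present; a missing field leaves its %{...} reference as literal text.
      if [rule_type] == "Snort GPL" {
        mutate {
          add_field => { "signature_info" => "https://www.snort.org/search?query=%{[alert][gid]}-%{[alert][signature_id]}" }
        }
      }
      if [rule_type] == "Emerging Threats" {
        mutate {
          add_field => { "signature_info" => "http://doc.emergingthreats.net/%{[alert][signature_id]}" }
        }
      }
    }

    # Removal of the raw message after a successful parse is kept disabled, as
    # in the original; this conditional is a no-op until it is re-enabled.
    if "_grokparsefailure" not in [tags] and "_csvparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
      # mutate {
      #   remove_field => [ "message" ]
      # }
    }

    # Intentionally empty: the conf-file tag is disabled.
    mutate {
      #add_tag => [ "conf_file_6400"]
    }
  }
}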