mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-05-05 19:08:10 +02:00
m0duspwnens
67 lines
2.6 KiB
Plaintext
67 lines
2.6 KiB
Plaintext
# Author: Justin Henderson
|
|
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
|
|
# Updated by: Doug Burks and Wes Lambert
|
|
# Last Update: 10/30/2018
|
|
#
|
|
# This conf file is based on accepting logs for ssh.log from Bro systems
|
|
filter {
|
|
if [type] == "bro_ssh" {
|
|
# If message looks like json, try to parse it as such. Otherwise, fall back to csv or grok.
|
|
if [message] =~ /^{.*}$/ {
|
|
json {
|
|
source => "message"
|
|
}
|
|
|
|
mutate {
|
|
rename => { "ts" => "timestamp" }
|
|
#uid
|
|
rename => { "id.orig_h" => "source_ip" }
|
|
rename => { "id.orig_p" => "source_port" }
|
|
rename => { "id.resp_h" => "destination_ip" }
|
|
rename => { "id.resp_p" => "destination_port" }
|
|
#version
|
|
#convert => { "version" => "string" }
|
|
rename => { "auth_success" => "authentication_success" }
|
|
rename => { "auth_attempts" => "authentication_attempts" }
|
|
#direction
|
|
#client
|
|
#server
|
|
rename => { "cipher_alg" => "cipher_algorithm" }
|
|
rename => { "compression_alg" => "compression_algorithm" }
|
|
rename => { "cshka" => "client_host_key_algorithms" }
|
|
rename => { "host_key_alg" => "host_key_algorithm" }
|
|
rename => { "hasshAlgorithms" => "hassh_algorithms" }
|
|
rename => { "hasshServer" => "hassh_server" }
|
|
rename => { "hasshServerAlgorithms" => "hassh_server_algorithms" }
|
|
rename => { "hasshVersion" => "hassh_version" }
|
|
rename => { "kex_alg" => "kex_algorithm" }
|
|
rename => { "mac_alg" => "mac_algorithm" }
|
|
rename => { "sshka" => "server_host_key_algorithms" }
|
|
#host_key
|
|
#destination_country_code
|
|
#destination_region
|
|
#destination_city
|
|
#destination_latitude
|
|
#destination_longitude
|
|
}
|
|
|
|
mutate {
|
|
convert => { "authentication_success" => "string" }
|
|
}
|
|
|
|
} else {
|
|
mutate {
|
|
gsub => [ "message", "[\"']", "" ]
|
|
}
|
|
csv {
|
|
columns => ["timestamp","uid","source_ip","source_port","destination_ip","destination_port","version","authentication_success","authentication_attempts","direction","client","server","cipher_algorithm","mac_algorithm","compression_algorithm","kex_algorithm","host_key_algorithm","host_key","destination_country_code","destination_region","destination_city","destination_latitude","destination_longitude","hassh_version","hassh","hassh_server","client_host_key_algorithms","hassh_algorithms","server_host_key_algorithms","hassh_server_algorithms"]
|
|
separator => " "
|
|
}
|
|
}
|
|
|
|
mutate {
|
|
#add_tag => [ "conf_file_1115"]
|
|
}
|
|
}
|
|
}
|