From 2e2fce14da748d983fd2a709df705a9b8b39f3d0 Mon Sep 17 00:00:00 2001 
From: Seth Grover Date: Fri, 11 Oct 2024 09:50:32 -0600 Subject: [PATCH] some cleanup and improvements of the zeek logstash pipeline idaholab/Malcolm#592 --- docs/contributing-logstash.md | 8 +- logstash/maps/malcolm_severity.yaml | 2 +- ...1_input_zeek.conf => 0100_input_zeek.conf} | 0 ...{10_zeek_prep.conf => 1000_zeek_prep.conf} | 0 logstash/pipelines/zeek/1001_zeek_parse.conf | 82 + logstash/pipelines/zeek/1011_zeek_bacnet.conf | 146 + .../pipelines/zeek/1012_zeek_bestguess.conf | 37 + logstash/pipelines/zeek/1013_zeek_bsap.conf | 185 + logstash/pipelines/zeek/1014_zeek_conn.conf | 85 + .../pipelines/zeek/1015_zeek_dce_rpc.conf | 43 + logstash/pipelines/zeek/1016_zeek_dhcp.conf | 77 + .../pipelines/zeek/1017_zeek_diagnostic.conf | 336 + logstash/pipelines/zeek/1018_zeek_dnp3.conf | 103 + logstash/pipelines/zeek/1019_zeek_dns.conf | 47 + logstash/pipelines/zeek/1020_zeek_ecat.conf | 346 + logstash/pipelines/zeek/1021_zeek_enip.conf | 140 + logstash/pipelines/zeek/1022_zeek_files.conf | 72 + logstash/pipelines/zeek/1023_zeek_ftp.conf | 42 + .../pipelines/zeek/1024_zeek_genisys.conf | 49 + .../pipelines/zeek/1025_zeek_ge_srtp.conf | 46 + logstash/pipelines/zeek/1026_zeek_gquic.conf | 43 + .../pipelines/zeek/1027_zeek_hart_ip.conf | 210 + logstash/pipelines/zeek/1028_zeek_http.conf | 59 + logstash/pipelines/zeek/1029_zeek_intel.conf | 56 + logstash/pipelines/zeek/1030_zeek_ipsec.conf | 50 + logstash/pipelines/zeek/1031_zeek_irc.conf | 43 + .../pipelines/zeek/1032_zeek_kerberos.conf | 50 + logstash/pipelines/zeek/1033_zeek_known.conf | 202 + logstash/pipelines/zeek/1034_zeek_ldap.conf | 100 + logstash/pipelines/zeek/1035_zeek_login.conf | 35 + logstash/pipelines/zeek/1036_zeek_modbus.conf | 210 + logstash/pipelines/zeek/1037_zeek_mqtt.conf | 115 + logstash/pipelines/zeek/1038_zeek_mysql.conf | 40 + logstash/pipelines/zeek/1039_zeek_notice.conf | 53 + logstash/pipelines/zeek/1040_zeek_ntlm.conf | 51 + logstash/pipelines/zeek/1041_zeek_ntp.conf | 42 + 
logstash/pipelines/zeek/1042_zeek_ocsp.conf | 39 + .../zeek/1043_zeek_opcua_binary.conf | 1598 ++++ logstash/pipelines/zeek/1044_zeek_ospf.conf | 59 + logstash/pipelines/zeek/1045_zeek_pe.conf | 43 + .../pipelines/zeek/1046_zeek_profinet.conf | 115 + logstash/pipelines/zeek/1047_zeek_radius.conf | 46 + logstash/pipelines/zeek/1048_zeek_rdp.conf | 46 + logstash/pipelines/zeek/1049_zeek_rfb.conf | 39 + logstash/pipelines/zeek/1050_zeek_s7comm.conf | 186 + .../pipelines/zeek/1051_zeek_signatures.conf | 40 + logstash/pipelines/zeek/1052_zeek_sip.conf | 43 + logstash/pipelines/zeek/1053_zeek_smb.conf | 131 + logstash/pipelines/zeek/1054_zeek_smtp.conf | 48 + logstash/pipelines/zeek/1055_zeek_snmp.conf | 43 + logstash/pipelines/zeek/1056_zeek_socks.conf | 40 + .../pipelines/zeek/1057_zeek_software.conf | 47 + logstash/pipelines/zeek/1058_zeek_ssh.conf | 87 + logstash/pipelines/zeek/1059_zeek_ssl.conf | 54 + logstash/pipelines/zeek/1060_zeek_stun.conf | 96 + .../zeek/1061_zeek_synchrophasor.conf | 242 + logstash/pipelines/zeek/1062_zeek_syslog.conf | 40 + logstash/pipelines/zeek/1063_zeek_tds.conf | 115 + logstash/pipelines/zeek/1064_zeek_tftp.conf | 43 + logstash/pipelines/zeek/1065_zeek_tunnel.conf | 48 + logstash/pipelines/zeek/1066_zeek_weird.conf | 35 + .../pipelines/zeek/1067_zeek_wireguard.conf | 45 + logstash/pipelines/zeek/1068_zeek_x509.conf | 63 + .../pipelines/zeek/1199_zeek_unknown.conf | 27 + logstash/pipelines/zeek/11_zeek_parse.conf | 6411 ----------------- ...zeek_mutate.conf => 1200_zeek_mutate.conf} | 2 +- ...ormalize.conf => 1300_zeek_normalize.conf} | 2 +- ...ek_convert.conf => 1400_zeek_convert.conf} | 0 .../{19_severity.conf => 1900_severity.conf} | 0 ...ek_forward.conf => 9900_zeek_forward.conf} | 0 logstash/scripts/logstash-start.sh | 5 + scripts/zeek_script_to_malcolm_boilerplate.py | 9 +- shared/bin/zeek_carve_logger.py | 12 +- 73 files changed, 6675 insertions(+), 6429 deletions(-) rename logstash/pipelines/zeek/{01_input_zeek.conf => 
0100_input_zeek.conf} (100%) rename logstash/pipelines/zeek/{10_zeek_prep.conf => 1000_zeek_prep.conf} (100%) create mode 100644 logstash/pipelines/zeek/1001_zeek_parse.conf create mode 100644 logstash/pipelines/zeek/1011_zeek_bacnet.conf create mode 100644 logstash/pipelines/zeek/1012_zeek_bestguess.conf create mode 100644 logstash/pipelines/zeek/1013_zeek_bsap.conf create mode 100644 logstash/pipelines/zeek/1014_zeek_conn.conf create mode 100644 logstash/pipelines/zeek/1015_zeek_dce_rpc.conf create mode 100644 logstash/pipelines/zeek/1016_zeek_dhcp.conf create mode 100644 logstash/pipelines/zeek/1017_zeek_diagnostic.conf create mode 100644 logstash/pipelines/zeek/1018_zeek_dnp3.conf create mode 100644 logstash/pipelines/zeek/1019_zeek_dns.conf create mode 100644 logstash/pipelines/zeek/1020_zeek_ecat.conf create mode 100644 logstash/pipelines/zeek/1021_zeek_enip.conf create mode 100644 logstash/pipelines/zeek/1022_zeek_files.conf create mode 100644 logstash/pipelines/zeek/1023_zeek_ftp.conf create mode 100644 logstash/pipelines/zeek/1024_zeek_genisys.conf create mode 100644 logstash/pipelines/zeek/1025_zeek_ge_srtp.conf create mode 100644 logstash/pipelines/zeek/1026_zeek_gquic.conf create mode 100644 logstash/pipelines/zeek/1027_zeek_hart_ip.conf create mode 100644 logstash/pipelines/zeek/1028_zeek_http.conf create mode 100644 logstash/pipelines/zeek/1029_zeek_intel.conf create mode 100644 logstash/pipelines/zeek/1030_zeek_ipsec.conf create mode 100644 logstash/pipelines/zeek/1031_zeek_irc.conf create mode 100644 logstash/pipelines/zeek/1032_zeek_kerberos.conf create mode 100644 logstash/pipelines/zeek/1033_zeek_known.conf create mode 100644 logstash/pipelines/zeek/1034_zeek_ldap.conf create mode 100644 logstash/pipelines/zeek/1035_zeek_login.conf create mode 100644 logstash/pipelines/zeek/1036_zeek_modbus.conf create mode 100644 logstash/pipelines/zeek/1037_zeek_mqtt.conf create mode 100644 logstash/pipelines/zeek/1038_zeek_mysql.conf create mode 100644 
logstash/pipelines/zeek/1039_zeek_notice.conf create mode 100644 logstash/pipelines/zeek/1040_zeek_ntlm.conf create mode 100644 logstash/pipelines/zeek/1041_zeek_ntp.conf create mode 100644 logstash/pipelines/zeek/1042_zeek_ocsp.conf create mode 100644 logstash/pipelines/zeek/1043_zeek_opcua_binary.conf create mode 100644 logstash/pipelines/zeek/1044_zeek_ospf.conf create mode 100644 logstash/pipelines/zeek/1045_zeek_pe.conf create mode 100644 logstash/pipelines/zeek/1046_zeek_profinet.conf create mode 100644 logstash/pipelines/zeek/1047_zeek_radius.conf create mode 100644 logstash/pipelines/zeek/1048_zeek_rdp.conf create mode 100644 logstash/pipelines/zeek/1049_zeek_rfb.conf create mode 100644 logstash/pipelines/zeek/1050_zeek_s7comm.conf create mode 100644 logstash/pipelines/zeek/1051_zeek_signatures.conf create mode 100644 logstash/pipelines/zeek/1052_zeek_sip.conf create mode 100644 logstash/pipelines/zeek/1053_zeek_smb.conf create mode 100644 logstash/pipelines/zeek/1054_zeek_smtp.conf create mode 100644 logstash/pipelines/zeek/1055_zeek_snmp.conf create mode 100644 logstash/pipelines/zeek/1056_zeek_socks.conf create mode 100644 logstash/pipelines/zeek/1057_zeek_software.conf create mode 100644 logstash/pipelines/zeek/1058_zeek_ssh.conf create mode 100644 logstash/pipelines/zeek/1059_zeek_ssl.conf create mode 100644 logstash/pipelines/zeek/1060_zeek_stun.conf create mode 100644 logstash/pipelines/zeek/1061_zeek_synchrophasor.conf create mode 100644 logstash/pipelines/zeek/1062_zeek_syslog.conf create mode 100644 logstash/pipelines/zeek/1063_zeek_tds.conf create mode 100644 logstash/pipelines/zeek/1064_zeek_tftp.conf create mode 100644 logstash/pipelines/zeek/1065_zeek_tunnel.conf create mode 100644 logstash/pipelines/zeek/1066_zeek_weird.conf create mode 100644 logstash/pipelines/zeek/1067_zeek_wireguard.conf create mode 100644 logstash/pipelines/zeek/1068_zeek_x509.conf create mode 100644 logstash/pipelines/zeek/1199_zeek_unknown.conf delete mode 100644 
logstash/pipelines/zeek/11_zeek_parse.conf rename logstash/pipelines/zeek/{12_zeek_mutate.conf => 1200_zeek_mutate.conf} (99%) rename logstash/pipelines/zeek/{13_zeek_normalize.conf => 1300_zeek_normalize.conf} (99%) rename logstash/pipelines/zeek/{14_zeek_convert.conf => 1400_zeek_convert.conf} (100%) rename logstash/pipelines/zeek/{19_severity.conf => 1900_severity.conf} (100%) rename logstash/pipelines/zeek/{99_zeek_forward.conf => 9900_zeek_forward.conf} (100%)
diff --git a/docs/contributing-logstash.md b/docs/contributing-logstash.md
index 2cfcb085d..3309ec358 100644
--- a/docs/contributing-logstash.md
+++ b/docs/contributing-logstash.md
@@ -34,12 +34,12 @@ Finally, in the [`./config/logstash.env` file](malcolm-config.md#MalcolmConfigEn
 The following modifications must be made in order for Malcolm to parse new Zeek log files:
-1. Add a parsing section to [`logstash/pipelines/zeek/11_zeek_parse.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/11_zeek_parse.conf)
+1. Add a parsing filter file named so that it sorts after [`logstash/pipelines/zeek/1001_zeek_parse.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/1001_zeek_parse.conf) but before [`logstash/pipelines/zeek/1199_zeek_unknown.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/1199_zeek_unknown.conf)
 * Follow patterns for existing log files as an example
 * For common Zeek fields such as the `id` four-tuple, timestamp, etc., use the same convention used by existing Zeek logs in that file (e.g., `ts`, `uid`, `orig_h`, `orig_p`, `resp_h`, `resp_p`)
- * Take care, especially when copy-pasting filter code, the Zeek delimiter isn't modified from a tab character to a space character (see "*zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP*" warnings in that file)
-1. If necessary, perform log normalization in [`logstash/pipelines/zeek/13_zeek_normalize.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/13_zeek_normalize.conf) for values such as action (`event.action`), result (`event.result`), application protocol version (`network.protocol_version`), etc.
-1. If necessary, define conversions for floating point or integer values in [`logstash/pipelines/zeek/14_zeek_convert.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/14_zeek_convert.conf)
+ * The [`logstash/scripts/logstash-start.sh`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/scripts/logstash-start.sh) Logstash container startup script should automatically fix any issues with parsing the Zeek tab delimiter (e.g., converting spaces in the `dissect` and `split` filters to tabs)
+1. If necessary, perform log normalization in [`logstash/pipelines/zeek/1300_zeek_normalize.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/1300_zeek_normalize.conf) for values such as action (`event.action`), result (`event.result`), application protocol version (`network.protocol_version`), etc.
+1. If necessary, define conversions for floating point or integer values in [`logstash/pipelines/zeek/1400_zeek_convert.conf`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/logstash/pipelines/zeek/1400_zeek_convert.conf)
 1. Identify the new fields and add them as described in [Adding new log fields](contributing-new-log-fields.md#NewFields)
 The script [`scripts/zeek_script_to_malcolm_boilerplate.py`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/scripts/zeek_script_to_malcolm_boilerplate.py) may help by autogenerating these filters.
diff --git a/logstash/maps/malcolm_severity.yaml b/logstash/maps/malcolm_severity.yaml
index b6c43d01d..96bb74e0a 100644
--- a/logstash/maps/malcolm_severity.yaml
+++ b/logstash/maps/malcolm_severity.yaml
@@ -1,4 +1,4 @@
-# keys should match the event.severity_tags values set in 19_severity.conf
+# keys should match the event.severity_tags values set in 1900_severity.conf
 "Cross-segment traffic": 20
 "External traffic": 20
 "Inbound traffic": 50
diff --git a/logstash/pipelines/zeek/01_input_zeek.conf b/logstash/pipelines/zeek/0100_input_zeek.conf
similarity index 100%
rename from logstash/pipelines/zeek/01_input_zeek.conf
rename to logstash/pipelines/zeek/0100_input_zeek.conf
diff --git a/logstash/pipelines/zeek/10_zeek_prep.conf b/logstash/pipelines/zeek/1000_zeek_prep.conf
similarity index 100%
rename from logstash/pipelines/zeek/10_zeek_prep.conf
rename to logstash/pipelines/zeek/1000_zeek_prep.conf
diff --git a/logstash/pipelines/zeek/1001_zeek_parse.conf b/logstash/pipelines/zeek/1001_zeek_parse.conf
new file mode 100644
index 000000000..454ba8e53
--- /dev/null
+++ b/logstash/pipelines/zeek/1001_zeek_parse.conf
@@ -0,0 +1,82 @@
+########################
+# zeek -> arkime session creation and enrichment
+#
+# see https://docs.zeek.org/en/stable/script-reference/log-files.html for Zeek logfile documentation
+#
+# see source.zeeklogs.js for the Arkime code that turns these into UI fields
+#
+# to profile, debug:
+# - get filters sorted by execution time (where in > 0)
+# $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in > 0) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")' | sort -n -t ';' -k4
+# - get filters where in != out
+# $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in != .events.out) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")'
+#
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ # handle JSON-formatted Zeek logs right out of the gate, we'll do the field renaming below
+ if ([message] =~ /^{.*}$/) { json {
+ id => "json_zeek_message_parse"
+ source => "[message]"
+ target => "[zeek_cols]"
+ add_tag => [ "_jsonparsesuccess" ]
+ } }
+
+
+ # in JSON, do some global renaming of common fields to make them match the names we'd
+ # be assigning to them if we were reading TSV
+ if ("_jsonparsesuccess" in [tags]) {
+
+ # some of the ICSNPP parsers do an interesting thing to handle source and destination fields
+ # (see https://github.com/cisagov/icsnpp-bacnet/?tab=readme-ov-file#source-and-destination-fields)
+ # so check for and handle those first
+ ruby {
+ id => "ruby_zeek_json_determine_source_destination_fields"
+ code => "
+ if ![event.get('[zeek_cols][source_h]').to_s,
+ event.get('[zeek_cols][source_p]').to_s,
+ event.get('[zeek_cols][destination_h]').to_s,
+ event.get('[zeek_cols][destination_p]').to_s].reject{ |e| e.nil? || e.empty? || (e == '0') }.empty? then
+ event.set('[@metadata][icsnpp_source_dest_fields]', 'true')
+ end
+ "
+ }
+ if ([@metadata][icsnpp_source_dest_fields]) {
+ mutate {
+ id => "mutate_rename_zeek_json_common_reversed_direction_fields"
+ rename => { "[zeek_cols][id.orig_h]" => "[zeek_cols][drop_orig_h]" }
+ rename => { "[zeek_cols][id.orig_p]" => "[zeek_cols][drop_orig_p]" }
+ rename => { "[zeek_cols][id.resp_h]" => "[zeek_cols][drop_resp_h]" }
+ rename => { "[zeek_cols][id.resp_p]" => "[zeek_cols][drop_resp_p]" }
+ rename => { "[zeek_cols][source_h]" => "[zeek_cols][orig_h]" }
+ rename => { "[zeek_cols][source_p]" => "[zeek_cols][orig_p]" }
+ rename => { "[zeek_cols][destination_h]" => "[zeek_cols][resp_h]" }
+ rename => { "[zeek_cols][destination_p]" => "[zeek_cols][resp_p]" }
+ }
+
+ } else {
+ mutate {
+ id => "mutate_rename_zeek_json_common_fields"
+ rename => { "[zeek_cols][id.orig_h]" => "[zeek_cols][orig_h]" }
+ rename => { "[zeek_cols][id.orig_p]" => "[zeek_cols][orig_p]" }
+ rename => { "[zeek_cols][id.resp_h]" => "[zeek_cols][resp_h]" }
+ rename => { "[zeek_cols][id.resp_p]" => "[zeek_cols][resp_p]" }
+ }
+ } # icsnpp_source_dest_fields or not
+ } # _jsonparsesuccess in tags
+
+ # for non-JSON:
+ # The Dissect is WAY faster than CSV, and quite a bit faster than mutate.split. However, it
+ # is not as flexible when it comes to missing or extra columns
+ # (See https://github.com/logstash-plugins/logstash-filter-dissect/issues/62)
+ #
+ # So, if the dissect filter fails, we're going to fall back to split-then-zip solution.
+ # This should be a good tradeoff between performance (in the case where the Zeek logs
+ # match what we think they should look like) and flexibility (when they don't).
+ #
+ # The one drawback is that if you make a change to the fields in dissect, make sure
+ # you make the corresponding change in the ruby init code.
+
+} # end Filter
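Review bot: The closing comment block of this file (from `# for non-JSON:` through `# you make the corresponding change in the ruby init code.`) now documents logic that no longer lives here: the dissect / split-then-zip fallback it explains has moved into the per-log filter files (1011_ through 1199_, per the diffstat and the contributing doc in this commit), so a reader of 1001_zeek_parse.conf finds an explanation with nothing under it. I'd shorten it to a pointer such as `# non-JSON (TSV) logs are dissected in the per-log files that sort after this one; on _dissectfailure they fall back to split-then-zip, so keep each dissect mapping and its ruby init field list in sync` and keep the full rationale in docs/contributing-logstash.md. Separately, in ruby_zeek_json_determine_source_destination_fields every element of the array is already passed through `.to_s` before the `reject`, so the `e.nil?` test in `reject{ |e| e.nil? || e.empty? || (e == '0') }` can never be true and could be dropped to make the intent (empty or zero means "not set") clearer.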
diff --git a/logstash/pipelines/zeek/1011_zeek_bacnet.conf b/logstash/pipelines/zeek/1011_zeek_bacnet.conf
new file mode 100644
index 000000000..841a0b415
--- /dev/null
+++ b/logstash/pipelines/zeek/1011_zeek_bacnet.conf
@@ -0,0 +1,146 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "bacnet") {
+#############################################################################################################################
+ # bacnet.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bacnet"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][bvlc_function]} %{[zeek_cols][pdu_type]} %{[zeek_cols][pdu_service]} %{[zeek_cols][invoke_id]} %{[zeek_cols][result_code]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bacnet"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bacnet"
+ init => "@zeek_bacnet_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'bvlc_function', 'pdu_type', 'pdu_service', 'invoke_id', 'result_code' ]"
+ code => "event.set('[zeek_cols]', @zeek_bacnet_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bacnet"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "bacnet"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "bacnet_device_control") {
+#############################################################################################################################
+ # bacnet_device_control.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bacnet_device_control"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][time_duration]} %{[zeek_cols][device_state]} %{[zeek_cols][password]} %{[zeek_cols][result]} %{[zeek_cols][result_code]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bacnet_device_control"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bacnet_device_control"
+ init => "@zeek_bacnet_device_control_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'invoke_id', 'pdu_service', 'time_duration', 'device_state', 'password', 'result', 'result_code' ]"
+ code => "event.set('[zeek_cols]', @zeek_bacnet_device_control_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bacnet_device_control"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "bacnet"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "bacnet_discovery") {
+#############################################################################################################################
+ # bacnet_discovery.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bacnet_discovery"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_service]} %{[zeek_cols][device_id_type]} %{[zeek_cols][device_id_number]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][vendor]} %{[zeek_cols][range]} %{[zeek_cols][object_name]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bacnet_discovery"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bacnet_discovery"
+ init => "@zeek_bacnet_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_service', 'device_id_type', 'device_id_number', 'object_type', 'instance_number', 'vendor', 'range', 'object_name' ]"
+ code => "event.set('[zeek_cols]', @zeek_bacnet_discovery_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bacnet_discovery"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "bacnet"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "bacnet_property") {
+#############################################################################################################################
+ # bacnet_property.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bacnet_property"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][property]} %{[zeek_cols][array_index]} %{[zeek_cols][value]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bacnet_property"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bacnet_property"
+ init => "@zeek_bacnet_property_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'invoke_id', 'pdu_service', 'object_type', 'instance_number', 'property', 'array_index', 'value' ]"
+ code => "event.set('[zeek_cols]', @zeek_bacnet_property_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bacnet_property"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "bacnet"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1012_zeek_bestguess.conf b/logstash/pipelines/zeek/1012_zeek_bestguess.conf
new file mode 100644
index 000000000..9067f3f09
--- /dev/null
+++ b/logstash/pipelines/zeek/1012_zeek_bestguess.conf
@@ -0,0 +1,37 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "bestguess") {
+#############################################################################################################################
+ # bestguess.log
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bestguess"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][name]} %{[zeek_cols][category]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bestguess"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bestguess"
+ init => "@zeek_bestguess_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'name', 'category' ]"
+ code => "event.set('[zeek_cols]', @zeek_bestguess_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_add_tag_ics_best_guess_log"
+ add_tag => [ "ics_best_guess" ] }
+
+ }
+
+} # end Filter
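Review bot: The bacnet_device_control branch carries the log's `password` column straight into `[zeek_cols][password]` (both in the dissect mapping and in the ruby init list), and nothing in this file masks or drops it before the event continues toward indexing; presumably this is the password the client supplied on the wire, so whether it should be stored and searchable in the clear deserves an explicit decision, and the bsap hunk in this same commit already shows the pattern (`mutate { remove_field => [ "[zeek_cols][data]" ] }`) if the answer is to drop or redact it. A second point, shared by the bacnet, bsap and conn hunks: when `dissect` fails and the `split` plus `ruby_zip_*` fallback then succeeds, the `_dissectfailure` tag the dissect filter added is never removed, so events parsed by the fallback leave these files still tagged as failures. Unless a later stage outside this hunk clears it, adding `remove_tag => [ "_dissectfailure" ]` to each `ruby_zip_*` filter would keep the tag meaning "this event really could not be parsed". Both points apply to all four bacnet_* branches here.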
diff --git a/logstash/pipelines/zeek/1013_zeek_bsap.conf b/logstash/pipelines/zeek/1013_zeek_bsap.conf
new file mode 100644
index 000000000..8a9f8f0b6
--- /dev/null
+++ b/logstash/pipelines/zeek/1013_zeek_bsap.conf
@@ -0,0 +1,185 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "bsap_ip_header") {
+#############################################################################################################################
+ # bsap_ip_header.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bsap_ip_header"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][num_msg]} %{[zeek_cols][type_name]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bsap_ip_header"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bsap_ip_header"
+ init => "@zeek_bsap_ip_header_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'num_msg', 'type_name' ]"
+ code => "event.set('[zeek_cols]', @zeek_bsap_ip_header_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bsap_ip_header"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "bsap"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "bsap_ip_rdb") {
+#############################################################################################################################
+ # bsap_ip_rdb.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bsap_ip_rdb"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][header_size]} %{[zeek_cols][mes_seq]} %{[zeek_cols][res_seq]} %{[zeek_cols][data_len]} %{[zeek_cols][sequence]} %{[zeek_cols][app_func_code]} %{[zeek_cols][node_status]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bsap_ip_rdb"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bsap_ip_rdb"
+ init => "@zeek_bsap_ip_rdb_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'header_size', 'mes_seq', 'res_seq', 'data_len', 'sequence', 'app_func_code', 'node_status', 'func_code', 'variable_count', 'variables', 'variable_value' ]"
+ code => "event.set('[zeek_cols]', @zeek_bsap_ip_rdb_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bsap_ip_rdb"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "bsap"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "bsap_serial_header") {
+#############################################################################################################################
+ # bsap_serial_header.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bsap_serial_header"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ser]} %{[zeek_cols][dadd]} %{[zeek_cols][sadd]} %{[zeek_cols][ctl]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][type_name]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bsap_serial_header"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bsap_serial_header"
+ init => "@zeek_bsap_serial_header_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ser', 'dadd', 'sadd', 'ctl', 'dfun', 'seq', 'sfun', 'nsb', 'type_name' ]"
+ code => "event.set('[zeek_cols]', @zeek_bsap_serial_header_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bsap_serial_header"
+ add_field => {
+ "[zeek_cols][proto]" => "serial"
+ "[zeek_cols][service]" => "bsap"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "bsap_serial_rdb") {
+#############################################################################################################################
+ # bsap_serial_rdb.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bsap_serial_rdb"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bsap_serial_rdb"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bsap_serial_rdb"
+ init => "@zeek_bsap_serial_rdb_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'func_code', 'variable_count', 'variables', 'variable_value' ]"
+ code => "event.set('[zeek_cols]', @zeek_bsap_serial_rdb_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bsap_serial_rdb"
+ add_field => {
+ "[zeek_cols][proto]" => "serial"
+ "[zeek_cols][service]" => "bsap"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "bsap_serial_rdb_ext") {
+#############################################################################################################################
+ # bsap_serial_rdb_ext.log
+ # https://github.com/cisagov/ICSNPP
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_bsap_serial_rdb_ext"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][extfun]} %{[zeek_cols][data]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_bsap_serial_rdb_ext"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_bsap_serial_rdb_ext"
+ init => "@zeek_bsap_serial_rdb_ext_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'dfun', 'seq', 'sfun', 'nsb', 'extfun', 'data' ]"
+ code => "event.set('[zeek_cols]', @zeek_bsap_serial_rdb_ext_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_bsap_serial_rdb_ext"
+ add_field => {
+ "[zeek_cols][proto]" => "serial"
+ "[zeek_cols][service]" => "bsap"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ # for now, drop hex-encoded binary data for size
+ if ([zeek_cols][data]) {
+ mutate { id => "mutate_remove_field_zeek_bsap_serial_rdb_ext_data"
+ remove_field => [ "[zeek_cols][data]" ] }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1014_zeek_conn.conf b/logstash/pipelines/zeek/1014_zeek_conn.conf
new file mode 100644
index 000000000..29f2cb613
--- /dev/null
+++ b/logstash/pipelines/zeek/1014_zeek_conn.conf
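Review bot: The `if ([zeek_cols][data])` guard around mutate_remove_field_zeek_bsap_serial_rdb_ext_data in the bsap_serial_rdb_ext branch is redundant, since `remove_field` on an absent field is a no-op, so the block can be flattened to the bare `mutate { id => "mutate_remove_field_zeek_bsap_serial_rdb_ext_data" remove_field => [ "[zeek_cols][data]" ] }`. The accompanying `# for now, drop hex-encoded binary data for size` would serve a later reader better as a tracked decision, e.g. `# TODO: [zeek_cols][data] (hex-encoded payload) is dropped to bound index size; revisit if the raw payload is needed for analysis`, because nothing here says what would end "for now". The fallback-keeps-`_dissectfailure` concern raised on the bacnet hunk applies to each of the five bsap_* branches in this file as well.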
@@ -0,0 +1,85 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "conn") { + ############################################################################################################################# + # conn.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_conn_with_all_fields" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]} %{[zeek_cols][duration]} %{[zeek_cols][orig_bytes]} %{[zeek_cols][resp_bytes]} %{[zeek_cols][conn_state]} %{[zeek_cols][local_orig]} %{[zeek_cols][local_resp]} %{[zeek_cols][missed_bytes]} %{[zeek_cols][history]} %{[zeek_cols][orig_pkts]} %{[zeek_cols][orig_ip_bytes]} %{[zeek_cols][resp_pkts]} %{[zeek_cols][resp_ip_bytes]} %{[zeek_cols][tunnel_parents]} %{[zeek_cols][vlan]} %{[zeek_cols][inner_vlan]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][community_id]} %{[zeek_cols][ja4l]} %{[zeek_cols][ja4ls]} %{[zeek_cols][ja4t]} %{[zeek_cols][ja4ts]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_conn" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_conn" + init => "@zeek_conn_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'service', 'duration', 'orig_bytes', 'resp_bytes', 'conn_state', 'local_orig', 'local_resp', 'missed_bytes', 'history', 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes', 'tunnel_parents', 'vlan', 'inner_vlan', 'orig_l2_addr', 'resp_l2_addr', 'community_id', 'ja4l', 'ja4ls', 'ja4t', 'ja4ts' ]" + code => "event.set('[zeek_cols]', @zeek_conn_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + # 
normalize service string(s) + + # For some reason, even in JSON, I have service strings like: + # ...,"proto":"udp","service":"profinet,profinet_dce_rpc,spicy_profinet_io_cm,profinet",... + # so whatever reason it's not already an array. Split it here. + mutate { id => "mutate_split_zeek_conn_commas" + split => { "[zeek_cols][service]" => "," } } + + # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix + mutate { id => "mutate_gsub_field_zeek_conn_service_protocol_suffix" + gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] } + + # if it's coming from spicy, we don't care to have that in the service name + mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_prefix" + gsub => [ "[zeek_cols][service]", "spicy_", "" ] } + + mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_cipher_suffix" + gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] } + + if ([zeek_cols][orig_ip_bytes]) and ([zeek_cols][orig_ip_bytes] != '-') and ([zeek_cols][orig_ip_bytes] != '(empty)') and ([zeek_cols][orig_ip_bytes] != '') { + mutate { id => "mutate_add_field_zeek_srcBytes" + add_field => { "[source][bytes]" => "%{[zeek_cols][orig_ip_bytes]}" } } + } + if ([zeek_cols][resp_ip_bytes]) and ([zeek_cols][resp_ip_bytes] != '-') and ([zeek_cols][resp_ip_bytes] != '(empty)') and ([zeek_cols][resp_ip_bytes] != '') { + mutate { id => "mutate_add_field_zeek_dstBytes" + add_field => { "[destination][bytes]" => "%{[zeek_cols][resp_ip_bytes]}" } } + } + if ([zeek_cols][orig_pkts]) and ([zeek_cols][orig_pkts] != '-') and ([zeek_cols][orig_pkts] != '(empty)') and ([zeek_cols][orig_pkts] != '') { + mutate { id => "mutate_add_field_zeek_srcPackets" + add_field => { "[source][packets]" => "%{[zeek_cols][orig_pkts]}" } } + } + if ([zeek_cols][orig_bytes]) and ([zeek_cols][orig_bytes] != '-') and ([zeek_cols][orig_bytes] != '(empty)') and ([zeek_cols][orig_bytes] != '') { + mutate { id => "mutate_add_field_zeek_srcDataBytes" + 
add_field => { "[client][bytes]" => "%{[zeek_cols][orig_bytes]}" } } + } + if ([zeek_cols][resp_pkts]) and ([zeek_cols][resp_pkts] != '-') and ([zeek_cols][resp_pkts] != '(empty)') and ([zeek_cols][resp_pkts] != '') { + mutate { id => "mutate_add_field_zeek_dstPackets" + add_field => { "[destination][packets]" => "%{[zeek_cols][resp_pkts]}" } } + } + if ([zeek_cols][resp_bytes]) and ([zeek_cols][resp_bytes] != '-') and ([zeek_cols][resp_bytes] != '(empty)') and ([zeek_cols][resp_bytes] != '') { + mutate { id => "mutate_add_field_zeek_dstDataBytes" + add_field => { "[server][bytes]" => "%{[zeek_cols][resp_bytes]}" } } + } + if ([zeek_cols][tunnel_parents]) and ([zeek_cols][tunnel_parents] != '(empty)') and ([zeek_cols][tunnel_parents] != '-') and ([zeek_cols][tunnel_parents] != '') { + if ("_jsonparsesuccess" not in [tags]) { mutate { id => "mutate_split_zeek_tunnel_parents" + split => { "[zeek_cols][tunnel_parents]" => "," } } } + mutate { id => "mutate_add_field_zeek_conn_rootId" + add_field => { "[rootId]" => "%{[zeek_cols][tunnel_parents][0]}" } } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1015_zeek_dce_rpc.conf b/logstash/pipelines/zeek/1015_zeek_dce_rpc.conf new file mode 100644 index 000000000..e2efbab9c --- /dev/null +++ b/logstash/pipelines/zeek/1015_zeek_dce_rpc.conf 
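Review bot: The protocol-suffix gsub `"[_-](tcp|udp|data)"` in `mutate_gsub_field_zeek_conn_service_protocol_suffix` is not anchored, so it rewrites a matching token anywhere inside a service name, and `"spicy_"` in the following mutate is likewise stripped wherever it occurs, whereas the dpd handling added by this same patch anchors both (`^spicy_` and `_(tcp|udp)…$`). The comment above says the intent is to drop a suffix, so the patterns should be `gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)$", "" ]` and `gsub => [ "[zeek_cols][service]", "^spicy_", "" ]`. If they are anchored, the cipher-suffix gsub that currently runs last should run before the protocol-suffix one (or the dpd-style combined pattern should be used), otherwise a name carrying both suffixes would keep its `_tcp`/`_udp`. Since `service` has just been split into an array, each gsub applies per element, which is what is wanted here.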
@@ -0,0 +1,43 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "dce_rpc") {
+ #############################################################################################################################
+ # dce_rpc.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/dce-rpc/main.zeek.html#type-DCE_RPC::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_dce_rpc"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rtt]} %{[zeek_cols][named_pipe]} %{[zeek_cols][endpoint]} %{[zeek_cols][operation]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_dce_rpc"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_dce_rpc"
+ init => "@zeek_dce_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rtt', 'named_pipe', 'endpoint', 'operation' ]"
+ code => "event.set('[zeek_cols]', @zeek_dce_rpc_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_dce_rpc"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "dce_rpc"
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1016_zeek_dhcp.conf b/logstash/pipelines/zeek/1016_zeek_dhcp.conf
new file mode 100644
index 000000000..f94df57df
--- /dev/null
+++ b/logstash/pipelines/zeek/1016_zeek_dhcp.conf
@@ -0,0 +1,77 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "dhcp") { + ############################################################################################################################# + # dhcp.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/dhcp/main.zeek.html#type-DHCP::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_dhcp_fields" + rename => { "[zeek_cols][uids]" => "[zeek_cols][uid]" } + rename => { "[zeek_cols][client_addr]" => "[zeek_cols][orig_h]" } + rename => { "[zeek_cols][server_addr]" => "[zeek_cols][orig_p]" } + rename => { "[zeek_cols][mac]" => "[zeek_cols][orig_l2_addr]" } + rename => { "[zeek_cols][requested_addr]" => "[zeek_cols][requested_ip]" } + rename => { "[zeek_cols][assigned_addr]" => "[zeek_cols][assigned_ip]" } + } + + } else { + dissect { + id => "dissect_zeek_dhcp_with_all_fields" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][resp_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][host_name]} %{[zeek_cols][client_fqdn]} %{[zeek_cols][domain]} %{[zeek_cols][requested_ip]} %{[zeek_cols][assigned_ip]} %{[zeek_cols][lease_time]} %{[zeek_cols][client_message]} %{[zeek_cols][server_message]} %{[zeek_cols][msg_types]} %{[zeek_cols][duration]} %{[zeek_cols][client_software]} %{[zeek_cols][server_software]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_dhcp" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_dhcp" + init => "@zeek_dhcp_field_names = [ 'ts', 'uid', 'orig_h', 'resp_h', 'orig_l2_addr', 'host_name', 'client_fqdn', 'domain', 'requested_ip', 'assigned_ip', 'lease_time', 'client_message', 'server_message', 'msg_types', 'duration', 'client_software', 'server_software' ]" + code => "event.set('[zeek_cols]', 
@zeek_dhcp_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_dhcp_msg_types" + split => { "[zeek_cols][msg_types]" => "," } } + if ([zeek_cols][uid]) and + ([zeek_cols][uid] != '(empty)') and + ([zeek_cols][uid] != '') { + mutate { id => "mutate_split_zeek_dhcp_uids" + split => { "[zeek_cols][uid]" => "," } } + } + } + + if ([zeek_cols][uid] and [zeek_cols][uid][0]) { + mutate { id => "mutate_add_field_zeek_dhcp_uids" + add_field => { "[rootId]" => "%{[zeek_cols][uid][0]}" } } + } + + if ((![zeek_cols][orig_p]) and (![zeek_cols][resp_p])) { + mutate { + id => "mutate_add_field_zeek_dhcp_ports" + add_field => { + "[zeek_cols][orig_p]" => 68 + "[zeek_cols][resp_p]" => 67 + } + } + } + + mutate { + id => "mutate_add_fields_zeek_dhcp" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "dhcp" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1017_zeek_diagnostic.conf b/logstash/pipelines/zeek/1017_zeek_diagnostic.conf new file mode 100644 index 000000000..b1c7025aa --- /dev/null +++ b/logstash/pipelines/zeek/1017_zeek_diagnostic.conf 
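Review bot: In `mutate_rename_zeek_json_dhcp_fields` the DHCP server address is renamed to the wrong field: `rename => { "[zeek_cols][server_addr]" => "[zeek_cols][orig_p]" }` puts an IP address into the originator-port slot, while the TSV dissect mapping a few lines below places the same column in `[zeek_cols][resp_h]`. For JSON-formatted dhcp.log `resp_h` is therefore never populated, and because `orig_p` now holds a value the later `(![zeek_cols][orig_p]) and (![zeek_cols][resp_p])` guard is false, so the 68/67 default ports are not added either. Change the line to `rename => { "[zeek_cols][server_addr]" => "[zeek_cols][resp_h]" }` so the JSON and text paths produce the same fields. A second, smaller point: `[rootId]` is taken from `[zeek_cols][uid][0]` after `split`, so for TSV input the `'-'` placeholder (not excluded by the `(empty)`/empty-string check) becomes a one-element array and `rootId` is set to `-`.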
@@ -0,0 +1,336 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + if ([log_source] == "analyzer") { + ############################################################################################################################# + # analyzer.log + # Zeek Logging analyzer confirmations and violations into analyzer.log + # https://docs.zeek.org/en/master/scripts/base/frameworks/analyzer/logging.zeek.html + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_diagnostic_analyzer" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][cause]} %{[zeek_cols][analyzer_kind]} %{[zeek_cols][analyzer_name]} %{[zeek_cols][uid]} %{[zeek_cols][fuid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][failure_reason]} %{[zeek_cols][failure_data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_analyzer" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_analyzer" + init => "@zeek_diagnostic_analyzer_field_names = [ 'ts', 'cause', 'analyzer_kind', 'analyzer_name', 'uid', 'fuid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'failure_reason', 'failure_data' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_analyzer_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + # we are *not* adding the _zeekdiagnostic even though it could arguably be classified as such, the reason being that + # the UID/FUID and IP/ports make it suitable to be searched with the network data + + } else if ([log_source] == "broker") { + ############################################################################################################################# + # broker.log + # https://docs.zeek.org/en/master/scripts/base/frameworks/broker/log.zeek.html + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => 
"mutate_rename_zeek_json_broker_fields" + rename => { "[zeek_cols][ty]" => "[zeek_cols][event_type]" } + rename => { "[zeek_cols][ev]" => "[zeek_cols][event_action]" } + rename => { "[zeek_cols][peer.address]" => "[zeek_cols][peer_ip]" } + rename => { "[zeek_cols][peer.bound_port]" => "[zeek_cols][peer_port]" } + rename => { "[zeek_cols][message]" => "[zeek_cols][peer_message]" } + } + + } else { + dissect { + id => "dissect_zeek_diagnostic_broker" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][event_type]} %{[zeek_cols][event_action]} %{[zeek_cols][peer_ip]} %{[zeek_cols][peer_port]} %{[zeek_cols][peer_message]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_broker" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_broker" + init => "@zeek_diagnostic_broker_field_names = [ 'ts', 'event_type', 'event_action', 'peer_ip', 'peer_port', 'peer_message' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_broker_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_broker" + add_tag => [ "_zeekdiagnostic" ] } + + } else if ([log_source] == "capture_loss") { + ############################################################################################################################# + # capture_loss.log + # Reports analysis of missing traffic. Zeek bases its conclusions on analysis of TCP sequence numbers. 
+ # https://docs.zeek.org/en/master/logs/capture-loss-and-reporter.html + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_diagnostic_capture_loss" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][ts_delta]} %{[zeek_cols][peer]} %{[zeek_cols][gaps]} %{[zeek_cols][acks]} %{[zeek_cols][percent_lost]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_capture_loss" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_capture_loss" + init => "@zeek_diagnostic_capture_loss_field_names = [ 'ts', 'ts_delta', 'peer', 'gaps', 'acks', 'percent_lost' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_capture_loss_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_capture_loss" + add_tag => [ "_zeekdiagnostic" ] } + + } else if ([log_source] == "cluster") { + ############################################################################################################################# + # cluster.log + # Logging for establishing and controlling a cluster of Zeek instances + # https://docs.zeek.org/en/master/scripts/base/frameworks/cluster/main.zeek.html#type-Cluster::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_cluster_fields" + rename => { "[zeek_cols][message]" => "[zeek_cols][node_message]" } + } + + } else { + dissect { + id => "dissect_zeek_diagnostic_cluster" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][node]} %{[zeek_cols][node_message]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_cluster" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_cluster" + init => "@zeek_diagnostic_cluster_field_names = [ 'ts', 'node', 'node_message' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_cluster_field_names.zip(event.get('[message]')).to_h)" + } + } + } + 
+ mutate { id => "mutate_add_tag_zeek_diagnostic_cluster" + add_tag => [ "_zeekdiagnostic" ] } + + } else if ([log_source] == "config") { + ############################################################################################################################# + # config.log + # Logging for Zeek configuration changes + # https://docs.zeek.org/en/master/scripts/base/frameworks/config/main.zeek.html#type-Config::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_diagnostic_config" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][value_name]} %{[zeek_cols][value_old]} %{[zeek_cols][value_new]} %{[zeek_cols][location]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_config" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_config" + init => "@zeek_diagnostic_config_field_names = [ 'ts', 'value_name', 'value_old', 'value_new', 'location' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_config_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_config" + add_tag => [ "_zeekdiagnostic" ] } + + } else if ([log_source] == "packet_filter") { + ############################################################################################################################# + # packet_filter.log + # https://docs.zeek.org/en/master/scripts/base/frameworks/packet-filter/main.zeek.html#type-PacketFilter::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_diagnostic_packet_filter" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][node]} %{[zeek_cols][filter]} %{[zeek_cols][init]} %{[zeek_cols][success]} %{[zeek_cols][failure_reason]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_packet_filter" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_packet_filter" + init 
=> "@zeek_diagnostic_packet_filter_field_names = [ 'ts', 'node', 'filter', 'init', 'success', 'failure_reason' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_packet_filter_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_packet_filter" + add_tag => [ "_zeekdiagnostic" ] } + + } else if ([log_source] == "print") { + ############################################################################################################################# + # print.log + # https://docs.zeek.org/en/master/scripts/base/frameworks/logging/main.zeek.html#type-Log::PrintLogInfo + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_diagnostic_print" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][vals]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_print" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_print" + init => "@zeek_diagnostic_print_field_names = [ 'ts', 'vals' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_print_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "split_zeek_diagnostic_print_vals" + split => { "[zeek_cols][vals]" => "," } } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_print" + add_tag => [ "_zeekdiagnostic" ] } + + + } else if ([log_source] == "reporter") { + ############################################################################################################################# + # reporter.log + # https://docs.zeek.org/en/master/scripts/base/frameworks/reporter/main.zeek.html#type-Reporter::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_reporter_fields" + rename => { "[zeek_cols][message]" => "[zeek_cols][msg]" } + } + + } else { + dissect { + id => "dissect_zeek_diagnostic_reporter" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][level]} %{[zeek_cols][msg]} 
%{[zeek_cols][location]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_reporter" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_reporter" + init => "@zeek_diagnostic_reporter_field_names = [ 'ts', 'level', 'msg', 'location' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_reporter_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_reporter" + add_tag => [ "_zeekdiagnostic" ] } + + } else if ([log_source] == "stats") { + ############################################################################################################################# + # stats.log + # https://docs.zeek.org/en/master/scripts/policy/misc/stats.zeek.html#type-Stats::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_diagnostic_stats" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][peer]} %{[zeek_cols][mem]} %{[zeek_cols][pkts_proc]} %{[zeek_cols][bytes_recv]} %{[zeek_cols][pkts_dropped]} %{[zeek_cols][pkts_link]} %{[zeek_cols][pkt_lag]} %{[zeek_cols][pkts_filtered]} %{[zeek_cols][events_proc]} %{[zeek_cols][events_queued]} %{[zeek_cols][active_tcp_conns]} %{[zeek_cols][active_udp_conns]} %{[zeek_cols][active_icmp_conns]} %{[zeek_cols][tcp_conns]} %{[zeek_cols][udp_conns]} %{[zeek_cols][icmp_conns]} %{[zeek_cols][timers]} %{[zeek_cols][active_timers]} %{[zeek_cols][files]} %{[zeek_cols][active_files]} %{[zeek_cols][dns_requests]} %{[zeek_cols][active_dns_requests]} %{[zeek_cols][reassem_tcp_size]} %{[zeek_cols][reassem_file_size]} %{[zeek_cols][reassem_frag_size]} %{[zeek_cols][reassem_unknown_size]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_diagnostic_stats" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_diagnostic_stats" + init => "@zeek_diagnostic_stats_field_names = [ 'ts', 'peer', 'mem', 'pkts_proc', 'bytes_recv', 
'pkts_dropped', 'pkts_link', 'pkt_lag', 'pkts_filtered', 'events_proc', 'events_queued', 'active_tcp_conns', 'active_udp_conns', 'active_icmp_conns', 'tcp_conns', 'udp_conns', 'icmp_conns', 'timers', 'active_timers', 'files', 'active_files', 'dns_requests', 'active_dns_requests', 'reassem_tcp_size', 'reassem_file_size', 'reassem_frag_size', 'reassem_unknown_size' ]" + code => "event.set('[zeek_cols]', @zeek_diagnostic_stats_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_add_tag_zeek_diagnostic_stats" + add_tag => [ "_zeekdiagnostic" ] } + + } else if ([log_source] == "dpd") { + ############################################################################################################################# + # dpd.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/dpd/main.zeek.html#type-DPD::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_dpd_fields" + rename => { "[zeek_cols][analyzer]" => "[zeek_cols][service]" } + } + + } else { + dissect { + id => "dissect_zeek_dpd" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]} %{[zeek_cols][failure_reason]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_dpd" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_dpd" + init => "@zeek_dpd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'service', 'failure_reason' ]" + code => "event.set('[zeek_cols]', @zeek_dpd_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_lowercase_zeek_dpd_service" + lowercase => [ "[zeek_cols][service]" ] } + + # normalize service string(s) + if ([zeek_cols][service] =~ /^spicy_/) { + # if it's coming from spicy, we don't care to have that in the service name + mutate { id => 
"mutate_gsub_field_zeek_dpd_service_spicy_prefix" + gsub => [ "[zeek_cols][service]", "^spicy_", "" ] } + + # some spicy services are named like blah_udp or blah_tcp, + # and we don't care about the _udp/_tcp suffix + mutate { id => "mutate_gsub_field_zeek_dpd_service_spicy_suffix" + gsub => [ "[zeek_cols][service]", "_(tcp|udp)(_hmac)?(_(sha|md)\d+)?$", "" ] } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1018_zeek_dnp3.conf b/logstash/pipelines/zeek/1018_zeek_dnp3.conf new file mode 100644 index 000000000..846343c79 --- /dev/null +++ b/logstash/pipelines/zeek/1018_zeek_dnp3.conf 
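Review bot: Several of the diagnostic dissect patterns in this hunk put a free-text column before the last field, which a single-space delimiter cannot handle: reporter.log `%{[zeek_cols][msg]}` precedes `location`, packet_filter.log `%{[zeek_cols][filter]}` (a BPF expression such as `ip or not ip`) precedes `init`/`success`/`failure_reason`, analyzer.log `%{[zeek_cols][failure_reason]}` precedes `failure_data`, and config.log `value_old`/`value_new` precede `location`. Assuming the upstream prep stage (outside this hunk) has already turned Zeek's tab separators into spaces, dissect will succeed with only the first word in the named column and the remainder shifted into the following fields, so the `_dissectfailure` fallback never fires and the misparse is silent; if tabs survive to this point the note does not apply, but then the space-delimited patterns would fail outright. For these logs either dissect on the original tab (`\t`) or make the free-text column the last capture and treat `location`/`failure_data` as part of it; at minimum `analyzer.log`'s `failure_data` is traffic-derived and attacker-influenced, so a comment such as `# failure_reason/failure_data may contain spaces; dissect on " " only recovers the first token` would warn the next reader. The enclosing `filter { … }` block is complete within the hunk.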
@@ -0,0 +1,103 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "dnp3") { + ############################################################################################################################# + # dnp3.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/dnp3/main.zeek.html#type-DNP3::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_dnp3" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fc_request]} %{[zeek_cols][fc_reply]} %{[zeek_cols][iin]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_dnp3" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_dnp3" + init => "@zeek_dnp3_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fc_request', 'fc_reply', 'iin' ]" + code => "event.set('[zeek_cols]', @zeek_dnp3_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_dnp3" + add_field => { "[zeek_cols][service]" => "dnp3" } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "dnp3_control") { + ############################################################################################################################# + # dnp3_control.log + # https://github.com/cisagov/ICSNPP + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_dnp3_control" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][block_type]} %{[zeek_cols][function_code]} %{[zeek_cols][index_number]} 
%{[zeek_cols][trip_control_code]} %{[zeek_cols][operation_type]} %{[zeek_cols][execute_count]} %{[zeek_cols][on_time]} %{[zeek_cols][off_time]} %{[zeek_cols][status_code]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_dnp3_control" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_dnp3_control" + init => "@zeek_dnp3_control_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'block_type', 'function_code', 'index_number', 'trip_control_code', 'operation_type', 'execute_count', 'on_time', 'off_time', 'status_code' ]" + code => "event.set('[zeek_cols]', @zeek_dnp3_control_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_dnp3_control" + add_field => { "[zeek_cols][service]" => "dnp3" } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "dnp3_objects") { + ############################################################################################################################# + # dnp3_objects.log + # https://github.com/cisagov/ICSNPP + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_dnp3_objects" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][function_code]} %{[zeek_cols][object_type]} %{[zeek_cols][object_count]} %{[zeek_cols][range_low]} %{[zeek_cols][range_high]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_dnp3_objects" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_dnp3_objects" + init => "@zeek_dnp3_objects_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 
'orig_h', 'orig_p', 'resp_h', 'resp_p', 'function_code', 'object_type', 'object_count', 'range_low', 'range_high' ]" + code => "event.set('[zeek_cols]', @zeek_dnp3_objects_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_dnp3_objects" + add_field => { "[zeek_cols][service]" => "dnp3" } + add_tag => [ "ics" ] + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1019_zeek_dns.conf b/logstash/pipelines/zeek/1019_zeek_dns.conf new file mode 100644 index 000000000..7971b0e31 --- /dev/null +++ b/logstash/pipelines/zeek/1019_zeek_dns.conf 
@@ -0,0 +1,47 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "dns") {
+ #############################################################################################################################
+ # dns.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_dns"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][trans_id]} %{[zeek_cols][rtt]} %{[zeek_cols][query]} %{[zeek_cols][qclass]} %{[zeek_cols][qclass_name]} %{[zeek_cols][qtype]} %{[zeek_cols][qtype_name]} %{[zeek_cols][rcode]} %{[zeek_cols][rcode_name]} %{[zeek_cols][AA]} %{[zeek_cols][TC]} %{[zeek_cols][RD]} %{[zeek_cols][RA]} %{[zeek_cols][Z]} %{[zeek_cols][answers]} %{[zeek_cols][TTLs]} %{[zeek_cols][rejected]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_dns"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_dns"
+ init => "@zeek_dns_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'trans_id', 'rtt', 'query', 'qclass', 'qclass_name', 'qtype', 'qtype_name', 'rcode', 'rcode_name', 'AA', 'TC', 'RD', 'RA', 'Z', 'answers', 'TTLs', 'rejected' ]"
+ code => "event.set('[zeek_cols]', @zeek_dns_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_dns_commas"
+ split => { "[zeek_cols][TTLs]" => ","
+ "[zeek_cols][answers]" => "," } }
+ }
+
+ # remove C_ prefix from qclass_name
+ mutate { id => "mutate_gsub_field_zeek_dns_qclass_name"
+ gsub => [ "[zeek_cols][qclass_name]", "^C_", "" ] }
+
+ mutate {
+ id => "mutate_add_fields_zeek_dns"
+ add_field => { "[zeek_cols][service]" => "dns" }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1020_zeek_ecat.conf b/logstash/pipelines/zeek/1020_zeek_ecat.conf
new file mode 100644
index 000000000..b3272fc21
--- /dev/null
+++ b/logstash/pipelines/zeek/1020_zeek_ecat.conf
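Review bot: `mutate_split_zeek_dns_commas` splits `answers` and `TTLs` unconditionally, so for a text-format record with no answers the Zeek placeholder `-` (or `(empty)`) becomes a one-element array `["-"]`, whereas the conn and dhcp files in this same patch guard their `tunnel_parents` and `uid` splits with `!= '-'` / `!= '(empty)'` checks first. Unless a later generic stage drops placeholder values from arrays (not visible here), the DNS fields should get the same guard for consistency; since the two columns can be empty independently, each needs its own conditional. `query` and `answers` are attacker-controlled DNS data, so keeping them as clean arrays also avoids a spurious `-` element showing up in dashboards as if it were a resolved answer.
```logstash
# … unchanged: dissect and split/ruby fallback …
if ([zeek_cols][answers]) and ([zeek_cols][answers] != '-') and ([zeek_cols][answers] != '(empty)') {
  mutate { id => "mutate_split_zeek_dns_answers"
           split => { "[zeek_cols][answers]" => "," } }
}
if ([zeek_cols][TTLs]) and ([zeek_cols][TTLs] != '-') and ([zeek_cols][TTLs] != '(empty)') {
  mutate { id => "mutate_split_zeek_dns_TTLs"
           split => { "[zeek_cols][TTLs]" => "," } }
}
# … unchanged: qclass_name gsub and service add_field …
```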
@@ -0,0 +1,346 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "ecat_registers") { + ############################################################################################################################# + # ecat_registers.log + # https://github.com/cisagov/icsnpp-ethercat + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_registers_fields" + rename => { "[zeek_cols][srcmac]" => "[zeek_cols][orig_l2_addr]" } + rename => { "[zeek_cols][dstmac]" => "[zeek_cols][resp_l2_addr]" } + rename => { "[zeek_cols][Command]" => "[zeek_cols][command]" } + rename => { "[zeek_cols][Slave_Addr]" => "[zeek_cols][server_addr]" } + rename => { "[zeek_cols][Register_Type]" => "[zeek_cols][register_type]" } + rename => { "[zeek_cols][Register_Addr]" => "[zeek_cols][register_addr]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_registers" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][command]} %{[zeek_cols][server_addr]} %{[zeek_cols][register_type]} %{[zeek_cols][register_addr]} %{[zeek_cols][data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_registers" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_registers" + init => "@zeek_ecat_registers_field_names = [ 'ts', 'orig_l2_addr', 'resp_l2_addr', 'command', 'server_addr', 'register_type', 'register_addr', 'data' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_registers_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_registers" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "ecat_log_address") { + 
############################################################################################################################# + # ecat_log_address.log + # https://github.com/cisagov/icsnpp-ethercat + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_log_address_fields" + rename => { "[zeek_cols][srcmac]" => "[zeek_cols][orig_l2_addr]" } + rename => { "[zeek_cols][dstmac]" => "[zeek_cols][resp_l2_addr]" } + rename => { "[zeek_cols][Log_Addr]" => "[zeek_cols][log_addr]" } + rename => { "[zeek_cols][Length]" => "[zeek_cols][length]" } + rename => { "[zeek_cols][Command]" => "[zeek_cols][command]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_log_address" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][log_addr]} %{[zeek_cols][length]} %{[zeek_cols][command]} %{[zeek_cols][data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_log_address" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_log_address" + init => "@zeek_ecat_log_address_field_names = [ 'ts', 'orig_l2_addr', 'resp_l2_addr', 'log_addr', 'length', 'command', 'data' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_log_address_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_log_address" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "ecat_dev_info") { + ############################################################################################################################# + # ecat_dev_info.log + # https://github.com/cisagov/icsnpp-ethercat + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_dev_info_fields" + rename => { "[zeek_cols][slave_id]" => "[zeek_cols][server_id]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_dev_info" + mapping 
=> { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][server_id]} %{[zeek_cols][revision]} %{[zeek_cols][dev_type]} %{[zeek_cols][build]} %{[zeek_cols][fmmucnt]} %{[zeek_cols][smcount]} %{[zeek_cols][ports]} %{[zeek_cols][dpram]} %{[zeek_cols][features]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_dev_info" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_dev_info" + init => "@zeek_ecat_dev_info_field_names = [ 'ts', 'server_id', 'revision', 'dev_type', 'build', 'fmmucnt', 'smcount', 'ports', 'dpram', 'features' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_dev_info_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_dev_info" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "ecat_aoe_info") { + ############################################################################################################################# + # ecat_aoe_info.log + # https://github.com/cisagov/icsnpp-ethercat + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_aoe_info_fields" + rename => { "[zeek_cols][targetid]" => "[zeek_cols][resp_l2_addr]" } + rename => { "[zeek_cols][targetport]" => "[zeek_cols][resp_port]" } + rename => { "[zeek_cols][senderid]" => "[zeek_cols][orig_l2_addr]" } + rename => { "[zeek_cols][senderport]" => "[zeek_cols][orig_port]" } + rename => { "[zeek_cols][cmd]" => "[zeek_cols][command]" } + rename => { "[zeek_cols][stateflags]" => "[zeek_cols][state]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_aoe_info" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][resp_port]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][orig_port]} %{[zeek_cols][command]} %{[zeek_cols][state]} %{[zeek_cols][data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => 
"mutate_split_zeek_ecat_aoe_info" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_aoe_info" + init => "@zeek_ecat_aoe_info_field_names = [ 'ts', 'resp_l2_addr', 'resp_port', 'orig_l2_addr', 'orig_port', 'command', 'state', 'data' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_aoe_info_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_aoe_info" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "ecat_coe_info") { + ############################################################################################################################# + # ecat_coe_info.log + # https://github.com/cisagov/icsnpp-ethercat + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_coe_info_fields" + rename => { "[zeek_cols][Type]" => "[zeek_cols][type]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_coe_info" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][number]} %{[zeek_cols][type]} %{[zeek_cols][req_resp]} %{[zeek_cols][index]} %{[zeek_cols][subindex]} %{[zeek_cols][dataoffset]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_coe_info" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_coe_info" + init => "@zeek_ecat_coe_info_field_names = [ 'ts', 'number', 'type', 'req_resp', 'index', 'subindex', 'dataoffset' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_coe_info_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_coe_info" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "ecat_foe_info") { + ############################################################################################################################# + # ecat_foe_info.log + # 
https://github.com/cisagov/icsnpp-ethercat + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_foe_info_fields" + rename => { "[zeek_cols][opCode]" => "[zeek_cols][opcode]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_foe_info" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][opcode]} %{[zeek_cols][reserved]} %{[zeek_cols][packet_num]} %{[zeek_cols][error_code]} %{[zeek_cols][filename]} %{[zeek_cols][data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_foe_info" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_foe_info" + init => "@zeek_ecat_foe_info_field_names = [ 'ts', 'opcode', 'reserved', 'packet_num', 'error_code', 'filename', 'data' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_foe_info_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_foe_info" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "ecat_soe_info") { + ############################################################################################################################# + # ecat_soe_info.log + # https://github.com/cisagov/icsnpp-ethercat + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_soe_info_fields" + rename => { "[zeek_cols][opCode]" => "[zeek_cols][opcode]" } + rename => { "[zeek_cols][element_flags]" => "[zeek_cols][element]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_soe_info" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][opcode]} %{[zeek_cols][incomplete]} %{[zeek_cols][error]} %{[zeek_cols][drive_num]} %{[zeek_cols][element]} %{[zeek_cols][index]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_soe_info" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_soe_info" + init => 
"@zeek_ecat_soe_info_field_names = [ 'ts', 'opcode', 'incomplete', 'error', 'drive_num', 'element', 'index' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_soe_info_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_soe_info" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "ecat_arp_info") { + ############################################################################################################################# + # ecat_arp_info.log + # https://github.com/cisagov/icsnpp-ethercat + # + # NOTE: I currently have this disabled via policy hook in local.zeek, as it is including ALL arps and + # not just those from ethercat traffic which can be misleading (i.e., indicating ecat traffic where there is none) + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ecat_arp_info_fields" + rename => { "[zeek_cols][mac_src]" => "[zeek_cols][orig_l2_addr]" } + rename => { "[zeek_cols][mac_dst]" => "[zeek_cols][resp_l2_addr]" } + rename => { "[zeek_cols][SPA]" => "[zeek_cols][orig_proto_addr]" } + rename => { "[zeek_cols][SHA]" => "[zeek_cols][orig_hw_addr]" } + rename => { "[zeek_cols][TPA]" => "[zeek_cols][resp_proto_addr]" } + rename => { "[zeek_cols][THA]" => "[zeek_cols][resp_hw_addr]" } + } + + } else { + dissect { + id => "dissect_zeek_ecat_arp_info" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][arp_type]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][orig_proto_addr]} %{[zeek_cols][orig_hw_addr]} %{[zeek_cols][resp_proto_addr]} %{[zeek_cols][resp_hw_addr]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ecat_arp_info" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ecat_arp_info" + init => "@zeek_ecat_arp_info_field_names = [ 'ts', 'arp_type', 'orig_l2_addr', 'resp_l2_addr', 'orig_proto_addr', 
'orig_hw_addr', 'resp_proto_addr', 'resp_hw_addr' ]" + code => "event.set('[zeek_cols]', @zeek_ecat_arp_info_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ecat_arp_info" + add_field => { + "[zeek_cols][service]" => "ethercat" + } + } + + # TODO: check orig_proto_addr/orig_hw_addr resp_proto_addr/resp_hw_addr and convert to ip, etc. if necessary? + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1021_zeek_enip.conf b/logstash/pipelines/zeek/1021_zeek_enip.conf new file mode 100644 index 000000000..2a2f9e8f2 --- /dev/null +++ b/logstash/pipelines/zeek/1021_zeek_enip.conf 
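Review bot: The ecat_arp_info mutate at the end of the hunk adds `[zeek_cols][service]` but no `add_tag => [ "ics" ]`, while every other `ecat_*` block in this file adds both. If that is deliberate — the NOTE above it says the log currently contains all ARP traffic, so tagging it `ics` would mislabel hosts that never spoke EtherCAT — a comment at that mutate should say so, e.g. `# no "ics" tag here: arp_info currently carries all ARP traffic, not only EtherCAT (see NOTE above)`. Otherwise the missing `add_tag => [ "ics" ]` reads as an oversight.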
@@ -0,0 +1,140 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "cip") { + ############################################################################################################################# + # cip.log + # https://github.com/cisagov/ICSNPP + # + # todo: class_id, instance_id is a hex integer, should it be converted to an integer? + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_cip" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][cip_sequence_count]} %{[zeek_cols][direction]} %{[zeek_cols][cip_service_code]} %{[zeek_cols][cip_service]} %{[zeek_cols][cip_status_code]} %{[zeek_cols][cip_status]} %{[zeek_cols][cip_extended_status_code]} %{[zeek_cols][cip_extended_status]} %{[zeek_cols][class_id]} %{[zeek_cols][class_name]} %{[zeek_cols][instance_id]} %{[zeek_cols][attribute_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_cip" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_cip" + init => "@zeek_cip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'cip_sequence_count', 'direction', 'cip_service_code', 'cip_service', 'cip_status_code', 'cip_status', 'cip_extended_status_code', 'cip_extended_status', 'class_id', 'class_name', 'instance_id', 'attribute_id' ]" + code => "event.set('[zeek_cols]', @zeek_cip_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_cip" + add_field => { 
"[zeek_cols][service]" => "cip" } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "cip_identity") { + ############################################################################################################################# + # cip_identity.log + # https://github.com/cisagov/ICSNPP + # + # TODO: device_status and device_state are a hex int string, convert to int? + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_cip_identity" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][encapsulation_version]} %{[zeek_cols][socket_address]} %{[zeek_cols][socket_port]} %{[zeek_cols][vendor_id]} %{[zeek_cols][vendor_name]} %{[zeek_cols][device_type_id]} %{[zeek_cols][device_type_name]} %{[zeek_cols][product_code]} %{[zeek_cols][revision]} %{[zeek_cols][device_status]} %{[zeek_cols][serial_number]} %{[zeek_cols][product_name]} %{[zeek_cols][device_state]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_cip_identity" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_cip_identity" + init => "@zeek_cip_identity_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'encapsulation_version', 'socket_address', 'socket_port', 'vendor_id', 'vendor_name', 'device_type_id', 'device_type_name', 'product_code', 'revision', 'device_status', 'serial_number', 'product_name', 'device_state' ]" + code => "event.set('[zeek_cols]', @zeek_cip_identity_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_cip_identity" + add_field => { 
"[zeek_cols][service]" => "cip" } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "cip_io") { + ############################################################################################################################# + # cip_io.log + # https://github.com/cisagov/ICSNPP + # + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_cip_io" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][connection_id]} %{[zeek_cols][sequence_number]} %{[zeek_cols][data_length]} %{[zeek_cols][io_data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_cip_io" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_cip_io" + init => "@zeek_cip_io_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'connection_id', 'sequence_number', 'data_length', 'io_data' ]" + code => "event.set('[zeek_cols]', @zeek_cip_io_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_cip_io" + add_field => { "[zeek_cols][service]" => "cip" } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "enip") { + ############################################################################################################################# + # enip.log + # https://github.com/cisagov/ICSNPP + # + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_enip" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} 
%{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][enip_command_code]} %{[zeek_cols][enip_command]} %{[zeek_cols][length]} %{[zeek_cols][session_handle]} %{[zeek_cols][enip_status]} %{[zeek_cols][sender_context]} %{[zeek_cols][options]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_enip" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_enip" + init => "@zeek_enip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'enip_command_code', 'enip_command', 'length', 'session_handle', 'enip_status', 'sender_context', 'options' ]" + code => "event.set('[zeek_cols]', @zeek_enip_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_enip" + add_field => { "[zeek_cols][service]" => "enip" } + add_tag => [ "ics" ] + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1022_zeek_files.conf b/logstash/pipelines/zeek/1022_zeek_files.conf new file mode 100644 index 000000000..105492ee9 --- /dev/null +++ b/logstash/pipelines/zeek/1022_zeek_files.conf 
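Review bot: All four dissect mappings in this hunk capture `drop_orig_h`/`drop_orig_p`/`drop_resp_h`/`drop_resp_p` next to `orig_h`/`orig_p`/`resp_h`/`resp_p`, but nothing in this file removes or explains the `drop_*` fields; presumably the log's own connection tuple is discarded in a later stage in favour of the packet-level addresses that follow it. A comment at the first mapping would spare the reader the search, e.g. `# first address tuple (drop_*) is discarded downstream; the second tuple becomes orig_*/resp_* — TODO confirm against the stage that drops it`. The empty `#` comment lines under the URL in the cip_io and enip headers also look like leftovers.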
@@ -0,0 +1,72 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "files") {
+ #############################################################################################################################
+ # files.log
+ # https://docs.zeek.org/en/stable/scripts/base/frameworks/files/main.zeek.html#type-Files::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_v51_files_with_all_fields"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][source]} %{[zeek_cols][depth]} %{[zeek_cols][analyzers]} %{[zeek_cols][mime_type]} %{[zeek_cols][filename]} %{[zeek_cols][duration]} %{[zeek_cols][local_orig]} %{[zeek_cols][is_orig]} %{[zeek_cols][seen_bytes]} %{[zeek_cols][total_bytes]} %{[zeek_cols][missing_bytes]} %{[zeek_cols][overflow_bytes]} %{[zeek_cols][timedout]} %{[zeek_cols][parent_fuid]} %{[zeek_cols][md5]} %{[zeek_cols][sha1]} %{[zeek_cols][sha256]} %{[zeek_cols][extracted]} %{[zeek_cols][extracted_cutoff]} %{[zeek_cols][extracted_size]} %{[zeek_cols][ftime]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_files"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_files"
+ init => "@zeek_files_field_names = [ 'ts', 'fuid', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'source', 'depth', 'analyzers', 'mime_type', 'filename', 'duration', 'local_orig', 'is_orig', 'seen_bytes', 'total_bytes', 'missing_bytes', 'overflow_bytes', 'timedout', 'parent_fuid', 'md5', 'sha1', 'sha256', 'extracted', 'extracted_cutoff', 'extracted_size', 'ftime' ]"
+ code => "event.set('[zeek_cols]', @zeek_files_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ if ([zeek_cols][conn_uids]) and ([zeek_cols][conn_uids] != '(empty)') and ([zeek_cols][conn_uids] != '') {
+ mutate { id => "mutate_split_zeek_files_conn_uids"
+ split => { "[zeek_cols][conn_uids]" => "," } }
+ }
+ if ([zeek_cols][tx_hosts]) and ([zeek_cols][tx_hosts] != '(empty)') and ([zeek_cols][tx_hosts] != '') {
+ mutate { id => "mutate_split_zeek_files_tx_hosts"
+ split => { "[zeek_cols][tx_hosts]" => "," } }
+ }
+ if ([zeek_cols][rx_hosts]) and ([zeek_cols][rx_hosts] != '(empty)') and ([zeek_cols][rx_hosts] != '') {
+ mutate { id => "mutate_split_zeek_files_rx_hosts"
+ split => { "[zeek_cols][rx_hosts]" => "," } }
+ }
+ mutate { id => "mutate_split_zeek_files_parent_fuid_and_analyzers"
+ split => { "[zeek_cols][parent_fuid]" => ","
+ "[zeek_cols][analyzers]" => "," } }
+ }
+
+ if ([zeek_cols][conn_uids] and [zeek_cols][conn_uids][0]) {
+ mutate {
+ id => "mutate_add_field_zeek_files_conn_uids_to_uid"
+ add_field => { "[rootId]" => "%{[zeek_cols][conn_uids][0]}"
+ "[zeek_cols][uid]" => "%{[zeek_cols][conn_uids][0]}" }
+ }
+ } else if (![zeek_cols][uid]) {
+ mutate {
+ id => "mutate_add_fields_zeek_files_fuid_to_uid"
+ add_field => { "[zeek_cols][uid]" => "%{[zeek_cols][fuid]}" }
+ }
+ }
+
+ if ([zeek_cols][tx_hosts] and [zeek_cols][tx_hosts][0]) {
+ mutate { id => "mutate_add_field_zeek_tx_hosts"
+ add_field => { "[source][ip]" => "%{[zeek_cols][tx_hosts][0]}" } }
+ }
+
+ if ([zeek_cols][rx_hosts] and [zeek_cols][rx_hosts][0]) {
+ mutate { id => "mutate_add_field_zeek_rx_hosts"
+ add_field => { "[destination][ip]" => "%{[zeek_cols][rx_hosts][0]}" } }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1023_zeek_ftp.conf b/logstash/pipelines/zeek/1023_zeek_ftp.conf
new file mode 100644
index 000000000..30473a39f
--- /dev/null
+++ b/logstash/pipelines/zeek/1023_zeek_ftp.conf
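Review bot: The three `conn_uids`/`tx_hosts`/`rx_hosts` split blocks inside the `"_jsonparsesuccess" not in [tags]` branch can never run on the TSV path: neither dissect_zeek_v51_files_with_all_fields nor the ruby field list produces those fields, so they are either leftovers from the pre-5.1 files.log layout (as the dissect id suggests) or a sign that the older TSV layout is still expected. In the latter case an older line misses the dissect, falls into the zip fallback and is labelled purely by position, so `md5`/`sha1`/`sha256` would be filled from the wrong columns without any error, and anything downstream that matches those hashes would silently see the wrong values. Either remove the dead splits or state the assumption at the top of the branch, e.g. `# TSV parsing assumes the Zeek >= 5.1 files.log layout (uid/orig_h/resp_h in place of conn_uids/tx_hosts/rx_hosts); only JSON input can still carry the old fields`.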
@@ -0,0 +1,42 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "ftp") {
+ #############################################################################################################################
+ # ftp.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_ftp"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][command]} %{[zeek_cols][arg]} %{[zeek_cols][mime_type]} %{[zeek_cols][file_size]} %{[zeek_cols][reply_code]} %{[zeek_cols][reply_msg]} %{[zeek_cols][data_channel][passive]} %{[zeek_cols][data_channel][orig_h]} %{[zeek_cols][data_channel][resp_h]} %{[zeek_cols][data_channel][resp_p]} %{[zeek_cols][fuid]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ftp"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ftp"
+ init => "@zeek_ftp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'password', 'command', 'arg', 'mime_type', 'file_size', 'reply_code', 'reply_msg', 'data_channel.passive', 'data_channel.orig_h', 'data_channel.resp_h', 'data_channel.resp_p', 'fuid' ]"
+ code => "event.set('[zeek_cols]', @zeek_ftp_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ftp"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "ftp"
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1024_zeek_genisys.conf b/logstash/pipelines/zeek/1024_zeek_genisys.conf
new file mode 100644
index 000000000..fb50b5d93
--- /dev/null
+++ b/logstash/pipelines/zeek/1024_zeek_genisys.conf
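Review bot: The two TSV paths in this hunk produce different field layouts: dissect_zeek_ftp writes the data-channel columns nested as `[zeek_cols][data_channel][passive]` and so on, but the ruby fallback's names `'data_channel.passive'`, … are used as literal hash keys, so `event.set('[zeek_cols]', …)` yields flat keys containing a dot rather than a nested object, and any later rename or lookup of `[zeek_cols][data_channel][…]` will miss events that came through the fallback. One way to keep the two aligned is to nest those keys before setting the field: `code => "h = @zeek_ftp_field_names.zip(event.get('[message]')).to_h; h['data_channel'] = h.keys.grep(/^data_channel\./).to_h { |k| [k.delete_prefix('data_channel.'), h.delete(k)] }; event.set('[zeek_cols]', h)"`. Separately, `[zeek_cols][password]` is carried through unchanged; Zeek writes `<hidden>` there unless password capture was enabled, so when it is, cleartext credentials reach the index — a short comment saying whether redaction is expected elsewhere in the pipeline would help the next reader.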
@@ -0,0 +1,49 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "genisys") {
+ #############################################################################################################################
+ # genisys.log
+ # https://github.com/cisagov/icsnpp-genisys
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_genisys_fields"
+ rename => { "[zeek_cols][payload]" => "[zeek_cols][payload_raw]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_genisys"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][header]} %{[zeek_cols][server]} %{[zeek_cols][direction]} %{[zeek_cols][crc_transmitted]} %{[zeek_cols][crc_calculated]} %{[zeek_cols][payload_raw]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_genisys"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_genisys"
+ init => "@zeek_genisys_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'header', 'server', 'direction', 'crc_transmitted', 'crc_calculated', 'payload_raw' ]"
+ code => "event.set('[zeek_cols]', @zeek_genisys_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_genisys"
+ add_field => {
+ "[zeek_cols][service]" => "genisys"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1025_zeek_ge_srtp.conf b/logstash/pipelines/zeek/1025_zeek_ge_srtp.conf
new file mode 100644
index 000000000..b7e73d456
--- /dev/null
+++ b/logstash/pipelines/zeek/1025_zeek_ge_srtp.conf
@@ -0,0 +1,46 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "ge_srtp") {
+ #############################################################################################################################
+ # ge_srtp_general.log
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_ge_srtp_log"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][srtp_type]} %{[zeek_cols][sequence_number_1]} %{[zeek_cols][text_length]} %{[zeek_cols][time_seconds]} %{[zeek_cols][time_minutes]} %{[zeek_cols][time_hours]} %{[zeek_cols][sequence_number_2]} %{[zeek_cols][message_type]} %{[zeek_cols][mailbox_source]} %{[zeek_cols][mailbox_destination]} %{[zeek_cols][packet_number]} %{[zeek_cols][total_packet_number]} %{[zeek_cols][service_request_code]} %{[zeek_cols][segment_selector]} %{[zeek_cols][memory_offset]} %{[zeek_cols][data_length]} %{[zeek_cols][status_code]} %{[zeek_cols][minor_status_code]} %{[zeek_cols][data_requested]} %{[zeek_cols][control_program_number]} %{[zeek_cols][current_privilege_level]} %{[zeek_cols][last_sweep_time]} %{[zeek_cols][oversweep_flag]} %{[zeek_cols][constant_sweep_mode]} %{[zeek_cols][plc_fault_entry_last_read]} %{[zeek_cols][io_fault_entry_last_read]} %{[zeek_cols][plc_fault_entry_present]} %{[zeek_cols][io_fault_entry_present]} %{[zeek_cols][programmer_attachment]} %{[zeek_cols][front_panel_enable_switch]} %{[zeek_cols][front_panel_run_switch]} %{[zeek_cols][oem_protected]} %{[zeek_cols][plc_state]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ge_srtp_log"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ge_srtp_log"
+ init => "$zeek_ge_srtp_log_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'srtp_type', 'sequence_number_1', 'text_length', 'time_seconds', 'time_minutes', 'time_hours', 'sequence_number_2', 'message_type', 'mailbox_source', 'mailbox_destination', 'packet_number', 'total_packet_number', 'service_request_code', 'segment_selector', 'memory_offset', 'data_length', 'status_code', 'minor_status_code', 'data_requested', 'control_program_number', 'current_privilege_level', 'last_sweep_time', 'oversweep_flag', 'constant_sweep_mode', 'plc_fault_entry_last_read', 'io_fault_entry_last_read', 'plc_fault_entry_present', 'io_fault_entry_present', 'programmer_attachment', 'front_panel_enable_switch', 'front_panel_run_switch', 'oem_protected', 'plc_state' ]"
+ code => "event.set('[zeek_cols]', $zeek_ge_srtp_log_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_remove_field_ge_srtp_proto"
+ remove_field => [ "[zeek_cols][proto]" ] }
+ mutate {
+ id => "mutate_add_fields_zeek_ge_srtp_log"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "ge_srtp"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1026_zeek_gquic.conf b/logstash/pipelines/zeek/1026_zeek_gquic.conf
new file mode 100644
index 000000000..70a697dff
--- /dev/null
+++ b/logstash/pipelines/zeek/1026_zeek_gquic.conf
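Review bot: ruby_zip_zeek_ge_srtp_log keeps its field list in a Ruby global, `$zeek_ge_srtp_log_field_names`, whereas every other ruby filter in this commit uses an instance variable (`@..._field_names`). As far as I know a `$` global is visible to every ruby filter running in the same Logstash JVM, so a same-named global set by another pipeline or a future copy-paste would overwrite it silently, while the instance variable is scoped to this filter instance. Change both strings to use `@`: `init => "@zeek_ge_srtp_log_field_names = [ 'ts', 'uid', … ]"` and `code => "event.set('[zeek_cols]', @zeek_ge_srtp_log_field_names.zip(event.get('[message]')).to_h)"`.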
@@ -0,0 +1,43 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "gquic") {
+ #############################################################################################################################
+ # gquic.log
+ # https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_gquic"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][server_name]} %{[zeek_cols][user_agent]} %{[zeek_cols][tag_count]} %{[zeek_cols][cyu]} %{[zeek_cols][cyutags]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_gquic"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_gquic"
+ init => "@zeek_gquic_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'server_name', 'user_agent', 'tag_count', 'cyu', 'cyutags' ]"
+ code => "event.set('[zeek_cols]', @zeek_gquic_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_gquic"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "quic"
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1027_zeek_hart_ip.conf b/logstash/pipelines/zeek/1027_zeek_hart_ip.conf
new file mode 100644
index 000000000..3df8e4445
--- /dev/null
+++ b/logstash/pipelines/zeek/1027_zeek_hart_ip.conf
@@ -0,0 +1,210 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "hart_ip_common_commands") {
+ #############################################################################################################################
+ # hart_ip_common_commands.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip_common_commands"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][read_device_variables_request_slot0_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot1_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot2_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot3_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot0_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot0_units_code]} %{[zeek_cols][read_device_variables_response_slot0_device_variable]} %{[zeek_cols][read_device_variables_response_slot1_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot1_units_code]} %{[zeek_cols][read_device_variables_response_slot1_device_variable]} %{[zeek_cols][read_device_variables_response_slot2_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot2_units_code]} %{[zeek_cols][read_device_variables_response_slot2_device_variable]} %{[zeek_cols][read_device_variables_response_slot3_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot3_units_code]} %{[zeek_cols][read_device_variables_response_slot3_device_variable]} %{[zeek_cols][write_primary_variable_damping_value_pv_damping_value]} 
%{[zeek_cols][write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code]} %{[zeek_cols][write_primary_variable_range_values_pv_upper_range_value]} %{[zeek_cols][write_primary_variable_range_values_p_v_lower_range_value]} %{[zeek_cols][eeprom_control_eeprom_control_code]} %{[zeek_cols][enter_exit_fixed_current_mode_pv_fixed_current_level]} %{[zeek_cols][write_primary_variable_units_pv_unit_codes]} %{[zeek_cols][trim_loop_current_zero_measured_pv_loop_current_level]} %{[zeek_cols][trim_loop_current_gain_measured_pv_loop_current_level]} %{[zeek_cols][write_primary_variable_transfer_function_p_v_transfer_function_code]} %{[zeek_cols][write_primary_variable_transducer_serial_number_pv_transducer_serial_number]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable]} %{[zeek_cols][set_device_variable_zero_device_variable_zeroed]} %{[zeek_cols][write_device_variable_units_device_variable_code]} %{[zeek_cols][write_device_variable_units_device_variable_units_code]} %{[zeek_cols][read_device_variable_information_request_device_variable_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_code]} 
%{[zeek_cols][read_device_variable_information_response_device_variable_transducer_serial_number]} %{[zeek_cols][read_device_variable_information_response_device_variable_limits_minimum_span_units_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_upper_transducer_limit]} %{[zeek_cols][read_device_variable_information_response_device_variable_lower_transducer_limit]} %{[zeek_cols][read_device_variable_information_response_device_variable_damping_value]} %{[zeek_cols][read_device_variable_information_response_device_variable_minimum_span]} %{[zeek_cols][read_device_variable_information_response_device_variable_classification]} %{[zeek_cols][read_device_variable_information_response_device_variable_family]} %{[zeek_cols][read_device_variable_information_response_acquisition_period]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_is_simulated]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_undefined_bits_1_6]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_is_input]} %{[zeek_cols][write_device_variable_damping_value_device_variable_code]} %{[zeek_cols][write_device_variable_damping_value_device_variable_damping_value]} %{[zeek_cols][write_device_variable_transducer_serial_no_device_variable_code]} %{[zeek_cols][write_device_variable_transducer_serial_no_device_variable_transducer_serial_number]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_tag]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_descriptor]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_date]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_tag]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_descriptor]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_date]} %{[zeek_cols][write_number_of_response_preambles_number_of_preambles]} %{[zeek_cols][read_analog_channel_and_percent_of_range_request_analog_channel_number_code]} 
%{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_units_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_level]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot0]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot1]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot2]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot0]} 
%{[zeek_cols][read_analog_channels_response_analog_channel_level_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot3]} %{[zeek_cols][read_analog_channel_information_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_alarm_selection_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_transfer_function_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_upper_range_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_lower_range_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_damping_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_is_simulated]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_is_input]} %{[zeek_cols][write_analog_channel_additional_damping_value_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_additional_damping_value_analog_channel_damping_value]} 
%{[zeek_cols][write_analog_channel_range_values_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_upper_range_value]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_lower_range_value]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_analog_channel_number_code]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_analog_channel_units_code]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_number_code]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_units_code]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_level]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_number_code]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_units_code]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_level]} %{[zeek_cols][write_analog_channel_transfer_function_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_transfer_function_analog_channel_units_code]} %{[zeek_cols][read_analog_channel_endpoint_values_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value]} %{[zeek_cols][lock_device_lock_code]} %{[zeek_cols][squawk_squawk_control]} %{[zeek_cols][find_device_response_254]} %{[zeek_cols][find_device_response_expanded_device_type]} 
%{[zeek_cols][find_device_response_minimum_preambles_master_slave]} %{[zeek_cols][find_device_response_hart_protocol_major_revision]} %{[zeek_cols][find_device_response_device_revision_level]} %{[zeek_cols][find_device_response_software_revision_level]} %{[zeek_cols][find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][find_device_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][find_device_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][find_device_response_flags_undefined_5]} %{[zeek_cols][find_device_response_flags_safehart_capable_field_device]} %{[zeek_cols][find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][find_device_response_flags_protocol_bridge_device]} %{[zeek_cols][find_device_response_flags_eeprom_control]} %{[zeek_cols][find_device_response_flags_mutli_sensor_field_device]} %{[zeek_cols][find_device_response_device_id]} %{[zeek_cols][find_device_response_number_preambles_slave_master]} %{[zeek_cols][find_device_response_last_device_variable_this]} %{[zeek_cols][find_device_response_configuration_change_counter]} %{[zeek_cols][find_device_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][find_device_response_extended_field_device_status_function_check]} %{[zeek_cols][find_device_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][find_device_response_extended_field_device_status_failure]} %{[zeek_cols][find_device_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][find_device_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][find_device_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][find_device_response_manufacturer_identification_code]} %{[zeek_cols][find_device_response_private_label_distributor_code]} 
%{[zeek_cols][find_device_response_device_profile]} %{[zeek_cols][read_io_system_capabilities_response_max_io_cards]} %{[zeek_cols][read_io_system_capabilities_response_max_channels_per_io_card]} %{[zeek_cols][read_io_system_capabilities_response_max_sub_devices_per_channel]} %{[zeek_cols][read_io_system_capabilities_response_number_of_devices_detected]} %{[zeek_cols][read_io_system_capabilities_response_max_delayed_responses_supported]} %{[zeek_cols][read_io_system_capabilities_response_master_mode]} %{[zeek_cols][read_io_system_capabilities_response_retry_count]} %{[zeek_cols][poll_sub_device_request_io_card]} %{[zeek_cols][poll_sub_device_request_channel]} %{[zeek_cols][poll_sub_device_request_sub_device_polling_address]} %{[zeek_cols][poll_sub_device_response_254]} %{[zeek_cols][poll_sub_device_response_expanded_device_type]} %{[zeek_cols][poll_sub_device_response_minimum_preambles_master_slave]} %{[zeek_cols][poll_sub_device_response_hart_protocol_major_revision]} %{[zeek_cols][poll_sub_device_response_device_revision_level]} %{[zeek_cols][poll_sub_device_response_software_revision_level]} %{[zeek_cols][poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][poll_sub_device_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][poll_sub_device_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][poll_sub_device_response_flags_undefined_5]} %{[zeek_cols][poll_sub_device_response_flags_safehart_capable_field_device]} %{[zeek_cols][poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][poll_sub_device_response_flags_protocol_bridge_device]} %{[zeek_cols][poll_sub_device_response_flags_eeprom_control]} %{[zeek_cols][poll_sub_device_response_flags_mutli_sensor_field_device]} %{[zeek_cols][poll_sub_device_response_device_id]} 
%{[zeek_cols][poll_sub_device_response_number_preambles_slave_master]} %{[zeek_cols][poll_sub_device_response_last_device_variable_this]} %{[zeek_cols][poll_sub_device_response_configuration_change_counter]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_function_check]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_failure]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][poll_sub_device_response_manufacturer_identification_code]} %{[zeek_cols][poll_sub_device_response_private_label_distributor_code]} %{[zeek_cols][poll_sub_device_response_device_profile]} %{[zeek_cols][read_lock_device_state_response_lock_status_undefined_bits]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_gateway]} %{[zeek_cols][read_lock_device_state_response_lock_status_configuration_locked]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_primary]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_permanent]} %{[zeek_cols][read_lock_device_state_response_lock_status_device_locked]} %{[zeek_cols][write_device_variable_device_variable_code]} %{[zeek_cols][write_device_variable_write_device_variable_command_code]} %{[zeek_cols][write_device_variable_units_code]} %{[zeek_cols][write_device_variable_device_variable_value]} %{[zeek_cols][write_device_variable_device_variable_status_process_data_status]} %{[zeek_cols][write_device_variable_device_variable_status_limit_status]} %{[zeek_cols][write_device_variable_device_variable_status_more_device_variable_status_available]} 
%{[zeek_cols][write_device_variable_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_trim_points_device_variable_code]} %{[zeek_cols][read_device_variable_trim_points_response_trim_points_units_code]} %{[zeek_cols][read_device_variable_trim_points_response_lower_or_single_trim_point]} %{[zeek_cols][read_device_variable_trim_points_response_upper_trim_point]} %{[zeek_cols][read_device_variable_trim_guidelines_device_variable_guidelines]} %{[zeek_cols][write_device_variable_trim_point_device_variable_to_trim]} %{[zeek_cols][write_device_variable_trim_point_trim_point]} %{[zeek_cols][write_device_variable_trim_point_trim_points_units_code]} %{[zeek_cols][write_device_variable_trim_point_trim_point_value]} %{[zeek_cols][reset_device_variable_trim_device_variable_trim_to_reset]} %{[zeek_cols][read_sub_device_identity_summary_sub_device_index]} %{[zeek_cols][read_sub_device_identity_summary_response_io_card]} %{[zeek_cols][read_sub_device_identity_summary_response_channel]} %{[zeek_cols][read_sub_device_identity_summary_response_manufacturer_identification_code]} %{[zeek_cols][read_sub_device_identity_summary_response_expanded_device_type]} %{[zeek_cols][read_sub_device_identity_summary_response_device_id]} %{[zeek_cols][read_sub_device_identity_summary_response_universal_command_revision_level]} %{[zeek_cols][read_sub_device_identity_summary_response_long_tag]} %{[zeek_cols][read_sub_device_identity_summary_response_device_revision]} %{[zeek_cols][read_sub_device_identity_summary_response_device_profile]} %{[zeek_cols][read_sub_device_identity_summary_response_private_label_distributor_code]} %{[zeek_cols][read_io_channel_statistics_io_card]} %{[zeek_cols][read_io_channel_statistics_channel]} %{[zeek_cols][read_io_channel_statistics_response_stx_count]} %{[zeek_cols][read_io_channel_statistics_response_ack_count]} %{[zeek_cols][read_io_channel_statistics_response_ostx_count]} 
%{[zeek_cols][read_io_channel_statistics_response_oack_count]} %{[zeek_cols][read_io_channel_statistics_response_back_count]} %{[zeek_cols][read_sub_device_statistics_sub_device_index]} %{[zeek_cols][read_sub_device_statistics_response_stx_count]} %{[zeek_cols][read_sub_device_statistics_response_ack_count]} %{[zeek_cols][read_sub_device_statistics_response_back_count]} %{[zeek_cols][write_io_system_master_mode_master_mode]} %{[zeek_cols][write_io_system_retry_count_retry_count]} %{[zeek_cols][set_real_time_clock_time_set_code]} %{[zeek_cols][set_real_time_clock_date]} %{[zeek_cols][set_real_time_clock_time_of_day]} %{[zeek_cols][set_real_time_clock_null_bytes]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_hart_ip_common_commands"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_hart_ip_common_commands"
+ init => "$zeek_hart_ip_common_commands_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'read_device_variables_request_slot0_device_variable_code', 'read_device_variables_request_slot1_device_variable_code', 'read_device_variables_request_slot2_device_variable_code', 'read_device_variables_request_slot3_device_variable_code', 'read_device_variables_response_slot0_device_variable_code', 'read_device_variables_response_slot0_units_code', 'read_device_variables_response_slot0_device_variable', 'read_device_variables_response_slot1_device_variable_code', 'read_device_variables_response_slot1_units_code', 'read_device_variables_response_slot1_device_variable', 'read_device_variables_response_slot2_device_variable_code', 'read_device_variables_response_slot2_units_code', 'read_device_variables_response_slot2_device_variable', 'read_device_variables_response_slot3_device_variable_code', 'read_device_variables_response_slot3_units_code', 'read_device_variables_response_slot3_device_variable', 'write_primary_variable_damping_value_pv_damping_value', 
'write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code', 'write_primary_variable_range_values_pv_upper_range_value', 'write_primary_variable_range_values_p_v_lower_range_value', 'eeprom_control_eeprom_control_code', 'enter_exit_fixed_current_mode_pv_fixed_current_level', 'write_primary_variable_units_pv_unit_codes', 'trim_loop_current_zero_measured_pv_loop_current_level', 'trim_loop_current_gain_measured_pv_loop_current_level', 'write_primary_variable_transfer_function_p_v_transfer_function_code', 'write_primary_variable_transducer_serial_number_pv_transducer_serial_number', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable', 'set_device_variable_zero_device_variable_zeroed', 'write_device_variable_units_device_variable_code', 'write_device_variable_units_device_variable_units_code', 'read_device_variable_information_request_device_variable_code', 'read_device_variable_information_response_device_variable_code', 'read_device_variable_information_response_device_variable_transducer_serial_number', 'read_device_variable_information_response_device_variable_limits_minimum_span_units_code', 'read_device_variable_information_response_device_variable_upper_transducer_limit', 'read_device_variable_information_response_device_variable_lower_transducer_limit', 
'read_device_variable_information_response_device_variable_damping_value', 'read_device_variable_information_response_device_variable_minimum_span', 'read_device_variable_information_response_device_variable_classification', 'read_device_variable_information_response_device_variable_family', 'read_device_variable_information_response_acquisition_period', 'read_device_variable_information_response_device_variable_properties_is_simulated', 'read_device_variable_information_response_device_variable_properties_undefined_bits_1_6', 'read_device_variable_information_response_device_variable_properties_is_input', 'write_device_variable_damping_value_device_variable_code', 'write_device_variable_damping_value_device_variable_damping_value', 'write_device_variable_transducer_serial_no_device_variable_code', 'write_device_variable_transducer_serial_no_device_variable_transducer_serial_number', 'read_unit_tag_descriptor_date_response_unit_tag', 'read_unit_tag_descriptor_date_response_unit_descriptor', 'read_unit_tag_descriptor_date_response_unit_date', 'write_unit_tag_descriptor_date_unit_tag', 'write_unit_tag_descriptor_date_unit_descriptor', 'write_unit_tag_descriptor_date_unit_date', 'write_number_of_response_preambles_number_of_preambles', 'read_analog_channel_and_percent_of_range_request_analog_channel_number_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_number_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_units_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_level', 'read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code', 
'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable', 'read_analog_channels_request_analog_channel_number_code_slot0', 'read_analog_channels_request_analog_channel_number_code_slot1', 'read_analog_channels_request_analog_channel_number_code_slot2', 'read_analog_channels_request_analog_channel_number_code_slot3', 'read_analog_channels_response_analog_channel_number_code_slot0', 'read_analog_channels_response_analog_channel_units_code_slot0', 'read_analog_channels_response_analog_channel_level_slot0', 'read_analog_channels_response_analog_channel_number_code_slot1', 'read_analog_channels_response_analog_channel_units_code_slot1', 'read_analog_channels_response_analog_channel_level_slot1', 'read_analog_channels_response_analog_channel_number_code_slot2', 'read_analog_channels_response_analog_channel_units_code_slot2', 'read_analog_channels_response_analog_channel_level_slot2', 'read_analog_channels_response_analog_channel_number_code_slot3', 'read_analog_channels_response_analog_channel_units_code_slot3', 'read_analog_channels_response_analog_channel_level_slot3', 'read_analog_channel_information_request_analog_channel_number_code', 'read_analog_channel_information_response_analog_channel_number_code', 'read_analog_channel_information_response_analog_channel_alarm_selection_code', 'read_analog_channel_information_response_analog_channel_transfer_function_code', 
'read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code', 'read_analog_channel_information_response_analog_channel_upper_range_value', 'read_analog_channel_information_response_analog_channel_lower_range_value', 'read_analog_channel_information_response_analog_channel_damping_value', 'read_analog_channel_information_response_analog_channel_flags_is_simulated', 'read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6', 'read_analog_channel_information_response_analog_channel_flags_is_input', 'write_analog_channel_additional_damping_value_analog_channel_number_code', 'write_analog_channel_additional_damping_value_analog_channel_damping_value', 'write_analog_channel_range_values_analog_channel_number_code', 'write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code', 'write_analog_channel_range_values_analog_channel_upper_range_value', 'write_analog_channel_range_values_analog_channel_lower_range_value', 'enter_exit_fixed_analog_channel_mode_analog_channel_number_code', 'enter_exit_fixed_analog_channel_mode_analog_channel_units_code', 'enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level', 'trim_analog_channel_zero_analog_channel_number_code', 'trim_analog_channel_zero_analog_channel_units_code', 'trim_analog_channel_zero_analog_channel_level', 'trim_analog_channel_gain_analog_channel_number_code', 'trim_analog_channel_gain_analog_channel_units_code', 'trim_analog_channel_gain_analog_channel_level', 'write_analog_channel_transfer_function_analog_channel_number_code', 'write_analog_channel_transfer_function_analog_channel_units_code', 'read_analog_channel_endpoint_values_request_analog_channel_number_code', 'read_analog_channel_endpoint_values_response_analog_channel_number_code', 'read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code', 
'read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value', 'read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value', 'read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value', 'read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value', 'lock_device_lock_code', 'squawk_squawk_control', 'find_device_response_254', 'find_device_response_expanded_device_type', 'find_device_response_minimum_preambles_master_slave', 'find_device_response_hart_protocol_major_revision', 'find_device_response_device_revision_level', 'find_device_response_software_revision_level', 'find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'find_device_response_flags_c8_psk_in_multi_drop_only', 'find_device_response_flags_c8_psk_capable_field_device', 'find_device_response_flags_undefined_5', 'find_device_response_flags_safehart_capable_field_device', 'find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'find_device_response_flags_protocol_bridge_device', 'find_device_response_flags_eeprom_control', 'find_device_response_flags_mutli_sensor_field_device', 'find_device_response_device_id', 'find_device_response_number_preambles_slave_master', 'find_device_response_last_device_variable_this', 'find_device_response_configuration_change_counter', 'find_device_response_extended_field_device_status_undefined_bits', 'find_device_response_extended_field_device_status_function_check', 'find_device_response_extended_field_device_status_out_of_specification', 'find_device_response_extended_field_device_status_failure', 'find_device_response_extended_field_device_status_critical_power_failure', 'find_device_response_extended_field_device_status_device_variable_alert', 'find_device_response_extended_field_device_status_maintenance_required', 
'find_device_response_manufacturer_identification_code', 'find_device_response_private_label_distributor_code', 'find_device_response_device_profile', 'read_io_system_capabilities_response_max_io_cards', 'read_io_system_capabilities_response_max_channels_per_io_card', 'read_io_system_capabilities_response_max_sub_devices_per_channel', 'read_io_system_capabilities_response_number_of_devices_detected', 'read_io_system_capabilities_response_max_delayed_responses_supported', 'read_io_system_capabilities_response_master_mode', 'read_io_system_capabilities_response_retry_count', 'poll_sub_device_request_io_card', 'poll_sub_device_request_channel', 'poll_sub_device_request_sub_device_polling_address', 'poll_sub_device_response_254', 'poll_sub_device_response_expanded_device_type', 'poll_sub_device_response_minimum_preambles_master_slave', 'poll_sub_device_response_hart_protocol_major_revision', 'poll_sub_device_response_device_revision_level', 'poll_sub_device_response_software_revision_level', 'poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'poll_sub_device_response_flags_c8_psk_in_multi_drop_only', 'poll_sub_device_response_flags_c8_psk_capable_field_device', 'poll_sub_device_response_flags_undefined_5', 'poll_sub_device_response_flags_safehart_capable_field_device', 'poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'poll_sub_device_response_flags_protocol_bridge_device', 'poll_sub_device_response_flags_eeprom_control', 'poll_sub_device_response_flags_mutli_sensor_field_device', 'poll_sub_device_response_device_id', 'poll_sub_device_response_number_preambles_slave_master', 'poll_sub_device_response_last_device_variable_this', 'poll_sub_device_response_configuration_change_counter', 'poll_sub_device_response_extended_field_device_status_undefined_bits', 
'poll_sub_device_response_extended_field_device_status_function_check', 'poll_sub_device_response_extended_field_device_status_out_of_specification', 'poll_sub_device_response_extended_field_device_status_failure', 'poll_sub_device_response_extended_field_device_status_critical_power_failure', 'poll_sub_device_response_extended_field_device_status_device_variable_alert', 'poll_sub_device_response_extended_field_device_status_maintenance_required', 'poll_sub_device_response_manufacturer_identification_code', 'poll_sub_device_response_private_label_distributor_code', 'poll_sub_device_response_device_profile', 'read_lock_device_state_response_lock_status_undefined_bits', 'read_lock_device_state_response_lock_status_lock_gateway', 'read_lock_device_state_response_lock_status_configuration_locked', 'read_lock_device_state_response_lock_status_lock_primary', 'read_lock_device_state_response_lock_status_lock_permanent', 'read_lock_device_state_response_lock_status_device_locked', 'write_device_variable_device_variable_code', 'write_device_variable_write_device_variable_command_code', 'write_device_variable_units_code', 'write_device_variable_device_variable_value', 'write_device_variable_device_variable_status_process_data_status', 'write_device_variable_device_variable_status_limit_status', 'write_device_variable_device_variable_status_more_device_variable_status_available', 'write_device_variable_device_variable_status_device_family_specific_status', 'read_device_variable_trim_points_device_variable_code', 'read_device_variable_trim_points_response_trim_points_units_code', 'read_device_variable_trim_points_response_lower_or_single_trim_point', 'read_device_variable_trim_points_response_upper_trim_point', 'read_device_variable_trim_guidelines_device_variable_guidelines', 'write_device_variable_trim_point_device_variable_to_trim', 'write_device_variable_trim_point_trim_point', 'write_device_variable_trim_point_trim_points_units_code', 
'write_device_variable_trim_point_trim_point_value', 'reset_device_variable_trim_device_variable_trim_to_reset', 'read_sub_device_identity_summary_sub_device_index', 'read_sub_device_identity_summary_response_io_card', 'read_sub_device_identity_summary_response_channel', 'read_sub_device_identity_summary_response_manufacturer_identification_code', 'read_sub_device_identity_summary_response_expanded_device_type', 'read_sub_device_identity_summary_response_device_id', 'read_sub_device_identity_summary_response_universal_command_revision_level', 'read_sub_device_identity_summary_response_long_tag', 'read_sub_device_identity_summary_response_device_revision', 'read_sub_device_identity_summary_response_device_profile', 'read_sub_device_identity_summary_response_private_label_distributor_code', 'read_io_channel_statistics_io_card', 'read_io_channel_statistics_channel', 'read_io_channel_statistics_response_stx_count', 'read_io_channel_statistics_response_ack_count', 'read_io_channel_statistics_response_ostx_count', 'read_io_channel_statistics_response_oack_count', 'read_io_channel_statistics_response_back_count', 'read_sub_device_statistics_sub_device_index', 'read_sub_device_statistics_response_stx_count', 'read_sub_device_statistics_response_ack_count', 'read_sub_device_statistics_response_back_count', 'write_io_system_master_mode_master_mode', 'write_io_system_retry_count_retry_count', 'set_real_time_clock_time_set_code', 'set_real_time_clock_date', 'set_real_time_clock_time_of_day', 'set_real_time_clock_null_bytes' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_common_commands_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip_common_commands"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ # The "proto" field in these logs is useless.
+ # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
+ # The other fields are basically just placeholders we don't want to store the raw data for.
+ mutate { id => "mutate_remove_field_zeek_hart_ip_common_commands_proto"
+ remove_field => [ "[zeek_cols][proto]",
+ "[zeek][hart_ip][token_passing_pdu_contents_data_data]",
+ "[zeek][hart_ip][message_packet_bytes]",
+ "[zeek][hart_ip][token_passing_pdu_contents_data_data]" ] }
+
+
+ } else if ([log_source] == "hart_ip_direct_pdu_command") {
+ #############################################################################################################################
+ # hart_ip_direct_pdu_command.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip_direct_pdu_command"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][direct_pdu_command_link_id]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][direct_pdu_command_data_data]} %{[zeek_cols][direct_pdu_command_command_number]} %{[zeek_cols][direct_pdu_command_byte_count]} %{[zeek_cols][direct_pdu_contents_response_response_code]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_hart_ip_direct_pdu_command"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_hart_ip_direct_pdu_command"
+ init => "$zeek_hart_ip_direct_pdu_command_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'direct_pdu_command_link_id', 'command_number_link_id', 'direct_pdu_command_data_data', 'direct_pdu_command_command_number', 'direct_pdu_command_byte_count', 'direct_pdu_contents_response_response_code' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_direct_pdu_command_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip_direct_pdu_command"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ # The "proto" field in these logs is useless.
+ # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
+ if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_direct_pdu_command_proto"
+ remove_field => [ "[zeek_cols][proto]" ] } }
+
+ } else if ([log_source] == "hart_ip") {
+ #############################################################################################################################
+ # hart_ip.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][direct_pdu_command_link_id]} %{[zeek_cols][session_log_record_link_id]} %{[zeek_cols][message_packet_bytes]} %{[zeek_cols][header_version]} %{[zeek_cols][header_message_type_reserved]} %{[zeek_cols][header_message_type_message_type]} %{[zeek_cols][header_message_id]} %{[zeek_cols][header_status_code]} %{[zeek_cols][header_sequence_number]} %{[zeek_cols][header_length]} %{[zeek_cols][session_initiate_master_type]} %{[zeek_cols][session_initiate_inactivity_close_timer]} %{[zeek_cols][token_passing_pdu_delimiter_address_type]} %{[zeek_cols][token_passing_pdu_delimiter_expansion_bytes]} %{[zeek_cols][token_passing_pdu_delimiter_physical_layer_type]} %{[zeek_cols][token_passing_pdu_delimiter_frame_type]} %{[zeek_cols][token_passing_pdu_address_v4]} %{[zeek_cols][token_passing_pdu_address_v6]} %{[zeek_cols][token_passing_pdu_command_number]} %{[zeek_cols][token_passing_pdu_byte_count]} %{[zeek_cols][token_passing_pdu_check_byte]} 
%{[zeek_cols][token_passing_pdu_contents_data_data]} %{[zeek_cols][token_passing_pdu_contents_response_response_code]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_device_malfunction]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_configuration_changed]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_cold_start]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_more_status_available]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_loop_current_fixed]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_loop_current_saturated]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_device_status_device_malfunction]} %{[zeek_cols][direct_pdu_device_status_configuration_changed]} %{[zeek_cols][direct_pdu_device_status_cold_start]} %{[zeek_cols][direct_pdu_device_status_more_status_available]} %{[zeek_cols][direct_pdu_device_status_loop_current_fixed]} %{[zeek_cols][direct_pdu_device_status_loop_current_saturated]} %{[zeek_cols][direct_pdu_device_status_non_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_device_status_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_extended_status_undefined_bits]} %{[zeek_cols][direct_pdu_extended_status_function_check]} %{[zeek_cols][direct_pdu_extended_status_out_of_specification]} %{[zeek_cols][direct_pdu_extended_status_failure]} %{[zeek_cols][direct_pdu_extended_status_critical_power_failure]} %{[zeek_cols][direct_pdu_extended_status_device_variable_alert]} %{[zeek_cols][direct_pdu_extended_status_maintenance_required]} %{[zeek_cols][read_audit_log_start_record]} %{[zeek_cols][read_audit_log_number_of_records]} %{[zeek_cols][read_audit_log_power_up_time]} %{[zeek_cols][read_audit_log_last_security_change]} 
%{[zeek_cols][read_audit_log_server_status_undefined_bits]} %{[zeek_cols][read_audit_log_server_status_insecure_syslog_connection]} %{[zeek_cols][read_audit_log_server_status_syslog_server_located_but_connection_failed]} %{[zeek_cols][read_audit_log_server_status_unable_to_locate_syslog_server]} %{[zeek_cols][read_audit_log_session_record_size]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_hart_ip"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_hart_ip"
+ init => "$zeek_hart_ip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'direct_pdu_command_link_id', 'session_log_record_link_id', 'message_packet_bytes', 'header_version', 'header_message_type_reserved', 'header_message_type_message_type', 'header_message_id', 'header_status_code', 'header_sequence_number', 'header_length', 'session_initiate_master_type', 'session_initiate_inactivity_close_timer', 'token_passing_pdu_delimiter_address_type', 'token_passing_pdu_delimiter_expansion_bytes', 'token_passing_pdu_delimiter_physical_layer_type', 'token_passing_pdu_delimiter_frame_type', 'token_passing_pdu_address_v4', 'token_passing_pdu_address_v6', 'token_passing_pdu_command_number', 'token_passing_pdu_byte_count', 'token_passing_pdu_check_byte', 'token_passing_pdu_contents_data_data', 'token_passing_pdu_contents_response_response_code', 'token_passing_pdu_contents_response_device_status_device_malfunction', 'token_passing_pdu_contents_response_device_status_configuration_changed', 'token_passing_pdu_contents_response_device_status_cold_start', 'token_passing_pdu_contents_response_device_status_more_status_available', 'token_passing_pdu_contents_response_device_status_loop_current_fixed', 'token_passing_pdu_contents_response_device_status_loop_current_saturated', 'token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits', 
'token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits', 'direct_pdu_device_status_device_malfunction', 'direct_pdu_device_status_configuration_changed', 'direct_pdu_device_status_cold_start', 'direct_pdu_device_status_more_status_available', 'direct_pdu_device_status_loop_current_fixed', 'direct_pdu_device_status_loop_current_saturated', 'direct_pdu_device_status_non_primary_variable_out_of_limits', 'direct_pdu_device_status_primary_variable_out_of_limits', 'direct_pdu_extended_status_undefined_bits', 'direct_pdu_extended_status_function_check', 'direct_pdu_extended_status_out_of_specification', 'direct_pdu_extended_status_failure', 'direct_pdu_extended_status_critical_power_failure', 'direct_pdu_extended_status_device_variable_alert', 'direct_pdu_extended_status_maintenance_required', 'read_audit_log_start_record', 'read_audit_log_number_of_records', 'read_audit_log_power_up_time', 'read_audit_log_last_security_change', 'read_audit_log_server_status_undefined_bits', 'read_audit_log_server_status_insecure_syslog_connection', 'read_audit_log_server_status_syslog_server_located_but_connection_failed', 'read_audit_log_server_status_unable_to_locate_syslog_server', 'read_audit_log_session_record_size' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ # The "proto" field in these logs is useless.
+ # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
+ if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_proto"
+ remove_field => [ "[zeek_cols][proto]" ] } }
+
+ } else if ([log_source] == "hart_ip_session_record") {
+ #############################################################################################################################
+ # hart_ip_session_record.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip_session_record"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][session_log_record_link_id]} %{[zeek_cols][session_log_record_client_i_pv4_address]} %{[zeek_cols][session_log_record_client_i_pv6_address]} %{[zeek_cols][session_log_record_client_port]} %{[zeek_cols][session_log_record_server_port]} %{[zeek_cols][session_log_record_connect_time]} %{[zeek_cols][session_log_record_disconnect_time]} %{[zeek_cols][session_log_record_session_status_summary_undefined_bits]} %{[zeek_cols][session_log_record_session_status_summary_insecure_session]} %{[zeek_cols][session_log_record_session_status_summary_session_timeout]} %{[zeek_cols][session_log_record_session_status_summary_aborted_session]} %{[zeek_cols][session_log_record_session_status_summary_bad_session_initialization]} %{[zeek_cols][session_log_record_session_status_summary_writes_occured]} %{[zeek_cols][session_log_record_start_configuration_change_count]} %{[zeek_cols][session_log_record_end_configuration_change_count]} %{[zeek_cols][session_log_record_num_publish_pdu]} %{[zeek_cols][session_log_record_num_request_pdu]} %{[zeek_cols][session_log_record_num_response_pdu]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_hart_ip_session_record"
+ split => { 
"[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_hart_ip_session_record"
+ init => "$zeek_hart_ip_session_record_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'session_log_record_link_id', 'session_log_record_client_i_pv4_address', 'session_log_record_client_i_pv6_address', 'session_log_record_client_port', 'session_log_record_server_port', 'session_log_record_connect_time', 'session_log_record_disconnect_time', 'session_log_record_session_status_summary_undefined_bits', 'session_log_record_session_status_summary_insecure_session', 'session_log_record_session_status_summary_session_timeout', 'session_log_record_session_status_summary_aborted_session', 'session_log_record_session_status_summary_bad_session_initialization', 'session_log_record_session_status_summary_writes_occured', 'session_log_record_start_configuration_change_count', 'session_log_record_end_configuration_change_count', 'session_log_record_num_publish_pdu', 'session_log_record_num_request_pdu', 'session_log_record_num_response_pdu' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_session_record_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip_session_record"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ # The "proto" field in these logs is useless.
+ # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
+ if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_session_proto"
+ remove_field => [ "[zeek_cols][proto]" ] } }
+
+ } else if ([log_source] == "hart_ip_universal_commands") {
+ #############################################################################################################################
+ # hart_ip_universal_commands.log
+ # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_hart_ip_universal_commands"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][read_unique_identifier_response_254]} %{[zeek_cols][read_unique_identifier_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_response_flags_protocol_bridge_device]} 
%{[zeek_cols][read_unique_identifier_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_response_device_id]} %{[zeek_cols][read_unique_identifier_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_response_device_profile]} %{[zeek_cols][read_primary_variable_response_primary_variable_units]} %{[zeek_cols][read_primary_variable_response_primary_variable]} %{[zeek_cols][read_loop_current_response_primary_variable_loop_current]} %{[zeek_cols][read_loop_current_response_primary_variable_percent_range]} %{[zeek_cols][read_dynamic_variable_response_primary_variable_loop_current]} %{[zeek_cols][read_dynamic_variable_response_primary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_primary_variable]} %{[zeek_cols][read_dynamic_variable_response_secondary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_secondary_variable]} 
%{[zeek_cols][read_dynamic_variable_response_tertiary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_tertiary_variable]} %{[zeek_cols][read_dynamic_variable_response_quaternary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_quaternary_variable]} %{[zeek_cols][write_polling_address_polling_address_device]} %{[zeek_cols][write_polling_address_loop_current_mode]} %{[zeek_cols][read_loop_configuration_response_polling_address_device]} %{[zeek_cols][read_loop_configuration_response_loop_current_mode]} %{[zeek_cols][read_dynamic_variable_classifications_response_primary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_secondary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_tertiary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_quaternary_variable_classification]} %{[zeek_cols][read_device_variable_request_slot0_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot1_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot2_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot3_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot4_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot5_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot6_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot7_device_variable_code]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_function_check]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_failure]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_critical_power_failure]} 
%{[zeek_cols][read_device_variable_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot0_units_code]} %{[zeek_cols][read_device_variable_response_slot0_device_variable]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot1_units_code]} %{[zeek_cols][read_device_variable_response_slot1_device_variable]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot2_units_code]} %{[zeek_cols][read_device_variable_response_slot2_device_variable]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_process_data_status]} 
%{[zeek_cols][read_device_variable_response_slot2_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot3_units_code]} %{[zeek_cols][read_device_variable_response_slot3_device_variable]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot4_units_code]} %{[zeek_cols][read_device_variable_response_slot4_device_variable]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot5_units_code]} %{[zeek_cols][read_device_variable_response_slot5_device_variable]} 
%{[zeek_cols][read_device_variable_response_slot5_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot6_units_code]} %{[zeek_cols][read_device_variable_response_slot6_device_variable]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot7_units_code]} %{[zeek_cols][read_device_variable_response_slot7_device_variable]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot0_time]} %{[zeek_cols][read_unique_identifier_tag_request_tag]} %{[zeek_cols][read_unique_identifier_tag_response_254]} %{[zeek_cols][read_unique_identifier_tag_response_expanded_device_type]} 
%{[zeek_cols][read_unique_identifier_tag_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_tag_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_tag_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_tag_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_tag_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_tag_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_tag_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_device_id]} %{[zeek_cols][read_unique_identifier_tag_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_tag_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_tag_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_failure]} 
%{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_tag_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_tag_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_tag_response_device_profile]} %{[zeek_cols][read_message_response_message]} %{[zeek_cols][read_tag_response_tag]} %{[zeek_cols][read_tag_response_descriptor]} %{[zeek_cols][read_tag_response_date_code]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_transducer_serial_number]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_transducer_limits_units]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_upper_transducer_limit]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_lower_transducer_limit]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_minimum_span]} %{[zeek_cols][read_device_information_response_p_v_alarm_selection_code]} %{[zeek_cols][read_device_information_response_p_v_transfer_function_code]} %{[zeek_cols][read_device_information_response_p_v_upper_lower_range]} %{[zeek_cols][read_device_information_response_p_v_upper_range_value]} %{[zeek_cols][read_device_information_response_p_v_lower_range_value]} %{[zeek_cols][read_device_information_response_p_v_damping_value]} %{[zeek_cols][read_device_information_response_write_protect_code]} %{[zeek_cols][read_device_information_response_250]} %{[zeek_cols][read_device_information_response_p_v_analog_channel_flags_undefined_bits]} %{[zeek_cols][read_device_information_response_p_v_analog_channel_flags_analog_channel]} %{[zeek_cols][read_final_assembly_number_response_final_assembly_number]} 
%{[zeek_cols][write_message_message_string]} %{[zeek_cols][write_tag_descriptor_date_tag]} %{[zeek_cols][write_tag_descriptor_date_record_keeping_descriptor]} %{[zeek_cols][write_tag_descriptor_date_date_code]} %{[zeek_cols][write_final_assembly_number_final_assembly_number]} %{[zeek_cols][read_long_tag_response_long_tag]} %{[zeek_cols][read_unique_identifier_long_tag_request_long_tag]} %{[zeek_cols][read_unique_identifier_long_tag_response_254]} %{[zeek_cols][read_unique_identifier_long_tag_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_long_tag_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_long_tag_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_id]} %{[zeek_cols][read_unique_identifier_long_tag_response_number_preambles_slave_master]} 
%{[zeek_cols][read_unique_identifier_long_tag_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_long_tag_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_long_tag_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_profile]} %{[zeek_cols][write_long_tag_long_tag]} %{[zeek_cols][reset_configuration_changed_flag_configuration_change_counter]} %{[zeek_cols][read_additional_device_status_contents_device_specific_status_0]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_function_check]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_failure]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_device_variable_alert]} 
%{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_additional_device_status_contents_device_operating_mode]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_device_configuration_lock]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_electronic_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_watchdog_reset_executed]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_volatile_memory_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_device_variable_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_reserved]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_event_notification_overflow]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_status_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_quinary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_quaternary_analog]} 
%{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_tertiary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_secondary_analog]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_stale_data_notice]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_mismatch]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_duplicate_master_detected]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_list_changed]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_radio_failure]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_block_transfer_pending]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_resereved]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_capacity_denied]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_analog_channel]} %{[zeek_cols][read_additional_device_status_contents_device_specific_status_1]}" + } + } + + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_hart_ip_universal_commands" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_hart_ip_universal_commands" + init => "$zeek_hart_ip_universal_commands_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'read_unique_identifier_response_254', 
'read_unique_identifier_response_expanded_device_type', 'read_unique_identifier_response_minimum_preambles_master_slave', 'read_unique_identifier_response_hart_protocol_major_revision', 'read_unique_identifier_response_device_revision_level', 'read_unique_identifier_response_software_revision_level', 'read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_response_flags_undefined_5', 'read_unique_identifier_response_flags_safehart_capable_field_device', 'read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_response_flags_protocol_bridge_device', 'read_unique_identifier_response_flags_eeprom_control', 'read_unique_identifier_response_flags_mutli_sensor_field_device', 'read_unique_identifier_response_device_id', 'read_unique_identifier_response_number_preambles_slave_master', 'read_unique_identifier_response_last_device_variable_this', 'read_unique_identifier_response_configuration_change_counter', 'read_unique_identifier_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_response_extended_field_device_status_function_check', 'read_unique_identifier_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_response_extended_field_device_status_failure', 'read_unique_identifier_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_response_manufacturer_identification_code', 'read_unique_identifier_response_private_label_distributor_code', 
'read_unique_identifier_response_device_profile', 'read_primary_variable_response_primary_variable_units', 'read_primary_variable_response_primary_variable', 'read_loop_current_response_primary_variable_loop_current', 'read_loop_current_response_primary_variable_percent_range', 'read_dynamic_variable_response_primary_variable_loop_current', 'read_dynamic_variable_response_primary_variable_units', 'read_dynamic_variable_response_primary_variable', 'read_dynamic_variable_response_secondary_variable_units', 'read_dynamic_variable_response_secondary_variable', 'read_dynamic_variable_response_tertiary_variable_units', 'read_dynamic_variable_response_tertiary_variable', 'read_dynamic_variable_response_quaternary_variable_units', 'read_dynamic_variable_response_quaternary_variable', 'write_polling_address_polling_address_device', 'write_polling_address_loop_current_mode', 'read_loop_configuration_response_polling_address_device', 'read_loop_configuration_response_loop_current_mode', 'read_dynamic_variable_classifications_response_primary_variable_classification', 'read_dynamic_variable_classifications_response_secondary_variable_classification', 'read_dynamic_variable_classifications_response_tertiary_variable_classification', 'read_dynamic_variable_classifications_response_quaternary_variable_classification', 'read_device_variable_request_slot0_device_variable_code', 'read_device_variable_request_slot1_device_variable_code', 'read_device_variable_request_slot2_device_variable_code', 'read_device_variable_request_slot3_device_variable_code', 'read_device_variable_request_slot4_device_variable_code', 'read_device_variable_request_slot5_device_variable_code', 'read_device_variable_request_slot6_device_variable_code', 'read_device_variable_request_slot7_device_variable_code', 'read_device_variable_response_extended_field_device_status_undefined_bits', 'read_device_variable_response_extended_field_device_status_function_check', 
'read_device_variable_response_extended_field_device_status_out_of_specification', 'read_device_variable_response_extended_field_device_status_failure', 'read_device_variable_response_extended_field_device_status_critical_power_failure', 'read_device_variable_response_extended_field_device_status_device_variable_alert', 'read_device_variable_response_extended_field_device_status_maintenance_required', 'read_device_variable_response_slot0_device_variable_code', 'read_device_variable_response_slot0_device_variable_class', 'read_device_variable_response_slot0_units_code', 'read_device_variable_response_slot0_device_variable', 'read_device_variable_response_slot0_device_variable_status_process_data_status', 'read_device_variable_response_slot0_device_variable_status_limit_status', 'read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot0_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot1_device_variable_code', 'read_device_variable_response_slot1_device_variable_class', 'read_device_variable_response_slot1_units_code', 'read_device_variable_response_slot1_device_variable', 'read_device_variable_response_slot1_device_variable_status_process_data_status', 'read_device_variable_response_slot1_device_variable_status_limit_status', 'read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot1_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot2_device_variable_code', 'read_device_variable_response_slot2_device_variable_class', 'read_device_variable_response_slot2_units_code', 'read_device_variable_response_slot2_device_variable', 'read_device_variable_response_slot2_device_variable_status_process_data_status', 'read_device_variable_response_slot2_device_variable_status_limit_status', 
'read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot2_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot3_device_variable_code', 'read_device_variable_response_slot3_device_variable_class', 'read_device_variable_response_slot3_units_code', 'read_device_variable_response_slot3_device_variable', 'read_device_variable_response_slot3_device_variable_status_process_data_status', 'read_device_variable_response_slot3_device_variable_status_limit_status', 'read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot3_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot4_device_variable_code', 'read_device_variable_response_slot4_device_variable_class', 'read_device_variable_response_slot4_units_code', 'read_device_variable_response_slot4_device_variable', 'read_device_variable_response_slot4_device_variable_status_process_data_status', 'read_device_variable_response_slot4_device_variable_status_limit_status', 'read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot4_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot5_device_variable_code', 'read_device_variable_response_slot5_device_variable_class', 'read_device_variable_response_slot5_units_code', 'read_device_variable_response_slot5_device_variable', 'read_device_variable_response_slot5_device_variable_status_process_data_status', 'read_device_variable_response_slot5_device_variable_status_limit_status', 'read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot5_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot6_device_variable_code', 
'read_device_variable_response_slot6_device_variable_class', 'read_device_variable_response_slot6_units_code', 'read_device_variable_response_slot6_device_variable', 'read_device_variable_response_slot6_device_variable_status_process_data_status', 'read_device_variable_response_slot6_device_variable_status_limit_status', 'read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot6_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot7_device_variable_code', 'read_device_variable_response_slot7_device_variable_class', 'read_device_variable_response_slot7_units_code', 'read_device_variable_response_slot7_device_variable', 'read_device_variable_response_slot7_device_variable_status_process_data_status', 'read_device_variable_response_slot7_device_variable_status_limit_status', 'read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot7_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot0_time', 'read_unique_identifier_tag_request_tag', 'read_unique_identifier_tag_response_254', 'read_unique_identifier_tag_response_expanded_device_type', 'read_unique_identifier_tag_response_minimum_preambles_master_slave', 'read_unique_identifier_tag_response_hart_protocol_major_revision', 'read_unique_identifier_tag_response_device_revision_level', 'read_unique_identifier_tag_response_software_revision_level', 'read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_tag_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_tag_response_flags_undefined_5', 
'read_unique_identifier_tag_response_flags_safehart_capable_field_device', 'read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_tag_response_flags_protocol_bridge_device', 'read_unique_identifier_tag_response_flags_eeprom_control', 'read_unique_identifier_tag_response_flags_mutli_sensor_field_device', 'read_unique_identifier_tag_response_device_id', 'read_unique_identifier_tag_response_number_preambles_slave_master', 'read_unique_identifier_tag_response_last_device_variable_this', 'read_unique_identifier_tag_response_configuration_change_counter', 'read_unique_identifier_tag_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_tag_response_extended_field_device_status_function_check', 'read_unique_identifier_tag_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_tag_response_extended_field_device_status_failure', 'read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_tag_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_tag_response_manufacturer_identification_code', 'read_unique_identifier_tag_response_private_label_distributor_code', 'read_unique_identifier_tag_response_device_profile', 'read_message_response_message', 'read_tag_response_tag', 'read_tag_response_descriptor', 'read_tag_response_date_code', 'read_primary_variable_transducer_information_response_p_v_transducer_serial_number', 'read_primary_variable_transducer_information_response_p_v_transducer_limits_units', 'read_primary_variable_transducer_information_response_p_v_upper_transducer_limit', 'read_primary_variable_transducer_information_response_p_v_lower_transducer_limit', 'read_primary_variable_transducer_information_response_p_v_minimum_span', 'read_device_information_response_p_v_alarm_selection_code', 
'read_device_information_response_p_v_transfer_function_code', 'read_device_information_response_p_v_upper_lower_range', 'read_device_information_response_p_v_upper_range_value', 'read_device_information_response_p_v_lower_range_value', 'read_device_information_response_p_v_damping_value', 'read_device_information_response_write_protect_code', 'read_device_information_response_250', 'read_device_information_response_p_v_analog_channel_flags_undefined_bits', 'read_device_information_response_p_v_analog_channel_flags_analog_channel', 'read_final_assembly_number_response_final_assembly_number', 'write_message_message_string', 'write_tag_descriptor_date_tag', 'write_tag_descriptor_date_record_keeping_descriptor', 'write_tag_descriptor_date_date_code', 'write_final_assembly_number_final_assembly_number', 'read_long_tag_response_long_tag', 'read_unique_identifier_long_tag_request_long_tag', 'read_unique_identifier_long_tag_response_254', 'read_unique_identifier_long_tag_response_expanded_device_type', 'read_unique_identifier_long_tag_response_minimum_preambles_master_slave', 'read_unique_identifier_long_tag_response_hart_protocol_major_revision', 'read_unique_identifier_long_tag_response_device_revision_level', 'read_unique_identifier_long_tag_response_software_revision_level', 'read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_long_tag_response_flags_undefined_5', 'read_unique_identifier_long_tag_response_flags_safehart_capable_field_device', 'read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_long_tag_response_flags_protocol_bridge_device', 
'read_unique_identifier_long_tag_response_flags_eeprom_control', 'read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device', 'read_unique_identifier_long_tag_response_device_id', 'read_unique_identifier_long_tag_response_number_preambles_slave_master', 'read_unique_identifier_long_tag_response_last_device_variable_this', 'read_unique_identifier_long_tag_response_configuration_change_counter', 'read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_long_tag_response_extended_field_device_status_function_check', 'read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_long_tag_response_extended_field_device_status_failure', 'read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_long_tag_response_manufacturer_identification_code', 'read_unique_identifier_long_tag_response_private_label_distributor_code', 'read_unique_identifier_long_tag_response_device_profile', 'write_long_tag_long_tag', 'reset_configuration_changed_flag_configuration_change_counter', 'read_additional_device_status_contents_device_specific_status_0', 'read_additional_device_status_contents_extended_field_device_status_undefined_bits', 'read_additional_device_status_contents_extended_field_device_status_function_check', 'read_additional_device_status_contents_extended_field_device_status_out_of_specification', 'read_additional_device_status_contents_extended_field_device_status_failure', 'read_additional_device_status_contents_extended_field_device_status_critical_power_failure', 'read_additional_device_status_contents_extended_field_device_status_device_variable_alert', 
'read_additional_device_status_contents_extended_field_device_status_maintenance_required', 'read_additional_device_status_contents_device_operating_mode', 'read_additional_device_status_contents_standardized_status0_device_configuration_lock', 'read_additional_device_status_contents_standardized_status0_electronic_defect', 'read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range', 'read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range', 'read_additional_device_status_contents_standardized_status0_watchdog_reset_executed', 'read_additional_device_status_contents_standardized_status0_volatile_memory_defect', 'read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect', 'read_additional_device_status_contents_standardized_status0_device_variable_simulation_active', 'read_additional_device_status_contents_standardized_status1_undefined_bits', 'read_additional_device_status_contents_standardized_status1_reserved', 'read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance', 'read_additional_device_status_contents_standardized_status1_event_notification_overflow', 'read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active', 'read_additional_device_status_contents_standardized_status1_status_simulation_active', 'read_additional_device_status_contents_analog_channel_saturated_undefined_bits', 'read_additional_device_status_contents_analog_channel_saturated_quinary_analog', 'read_additional_device_status_contents_analog_channel_saturated_quaternary_analog', 'read_additional_device_status_contents_analog_channel_saturated_tertiary_analog', 'read_additional_device_status_contents_analog_channel_saturated_secondary_analog', 'read_additional_device_status_contents_standardized_status2_undefined_bits', 'read_additional_device_status_contents_standardized_status2_stale_data_notice', 
'read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id', 'read_additional_device_status_contents_standardized_status2_sub_device_mismatch', 'read_additional_device_status_contents_standardized_status2_duplicate_master_detected', 'read_additional_device_status_contents_standardized_status2_sub_device_list_changed', 'read_additional_device_status_contents_standardized_status3_undefined_bits', 'read_additional_device_status_contents_standardized_status3_radio_failure', 'read_additional_device_status_contents_standardized_status3_block_transfer_pending', 'read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending', 'read_additional_device_status_contents_standardized_status3_resereved', 'read_additional_device_status_contents_standardized_status3_capacity_denied', 'read_additional_device_status_contents_analog_channel_undefined_bits', 'read_additional_device_status_contents_analog_channel_analog_channel', 'read_additional_device_status_contents_device_specific_status_1' ]"
+ code => "event.set('[zeek_cols]', $zeek_hart_ip_universal_commands_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_hart_ip_universal_commands"
+ add_field => {
+ "[zeek_cols][service]" => "hart_ip"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ # The "proto" field in these logs is useless.
+ # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
+ if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_universal_commands_proto"
+ remove_field => [ "[zeek_cols][proto]" ] } }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1028_zeek_http.conf b/logstash/pipelines/zeek/1028_zeek_http.conf
new file mode 100644
index 000000000..0baf87789
--- /dev/null
+++ b/logstash/pipelines/zeek/1028_zeek_http.conf
@@ -0,0 +1,59 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "http") {
+ #############################################################################################################################
+ # http.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_http_fields"
+ rename => { "[zeek_cols][username]" => "[zeek_cols][user]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_http_with_all_fields"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} %{[zeek_cols][user_agent]} %{[zeek_cols][origin]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]} %{[zeek_cols][client_header_names]} %{[zeek_cols][server_header_names]} %{[zeek_cols][ja4h]} %{[zeek_cols][post_username]} %{[zeek_cols][post_password_plain]} %{[zeek_cols][post_password_md5]} %{[zeek_cols][post_password_sha1]} %{[zeek_cols][post_password_sha256]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_http"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_http"
+ init => "@zeek_http_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'host', 'uri', 'referrer', 'version', 'user_agent', 'origin', 'request_body_len', 'response_body_len', 'status_code', 'status_msg', 'info_code', 'info_msg', 'tags', 'user', 'password', 'proxied', 'orig_fuids', 'orig_filenames', 'orig_mime_types', 'resp_fuids', 'resp_filenames', 'resp_mime_types', 'client_header_names', 'server_header_names', 'ja4h', 'post_username', 'post_password_plain', 'post_password_md5', 'post_password_sha1', 'post_password_sha256' ]"
+ code => "event.set('[zeek_cols]', @zeek_http_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_http_commas"
+ split => { "[zeek_cols][client_header_names]" => ","
+ "[zeek_cols][orig_filenames]" => ","
+ "[zeek_cols][orig_fuids]" => ","
+ "[zeek_cols][orig_mime_types]" => ","
+ "[zeek_cols][proxied]" => ","
+ "[zeek_cols][resp_filenames]" => ","
+ "[zeek_cols][resp_fuids]" => ","
+ "[zeek_cols][resp_mime_types]" => ","
+ "[zeek_cols][server_header_names]" => ","
+ "[zeek_cols][tags]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_http"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "http"
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1029_zeek_intel.conf b/logstash/pipelines/zeek/1029_zeek_intel.conf
new file mode 100644
index 000000000..d284f10a4
--- /dev/null
+++ b/logstash/pipelines/zeek/1029_zeek_intel.conf
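Review bot: The trailing `%{[zeek_cols][post_password_sha256]}` in the dissect mapping has no delimiter after it, so a TSV line with more columns than the mapping (a field appended by a newer Zeek or plugin version) does not trip `_dissectfailure` — dissect folds the surplus tokens into `post_password_sha256` and the ruby fallback is only reached for lines with fewer columns; a comment above the mapping such as `# last field absorbs any extra trailing columns; only a shorter line falls through to the ruby zip below` would spare the next maintainer that surprise. A recovered event also keeps the `_dissectfailure` tag after `ruby_zip_zeek_http` has populated `[zeek_cols]`, so anything downstream keyed on that tag (not visible from here) will still treat it as a parse failure; if that is unintended, add `mutate { id => "mutate_remove_dissectfailure_zeek_http" remove_tag => [ "_dissectfailure" ] }` immediately after the ruby filter. The ruby zip silently yields nil for every name past the end of a short line, including `ts`/`uid` on a badly truncated line, so a minimum-length guard in the `code` (tag the event when `event.get('[message]').length` is below the count of mandatory leading columns) would keep malformed lines from being indexed as if they parsed cleanly. Finally, the same 38 field names are spelled out twice (dissect mapping and ruby array) with nothing keeping them in sync — at least add a comment on the `init` line stating that the array must match the mapping order exactly.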
@@ -0,0 +1,56 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "intel") { + ############################################################################################################################# + # intel.log + # https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_intel_fields" + rename => { "[zeek_cols][cif.firstseen]" => "[zeek_cols][cif_firstseen]" } + rename => { "[zeek_cols][cif.lastseen]" => "[zeek_cols][cif_lastseen]" } + rename => { "[zeek_cols][cif.tags]" => "[zeek_cols][cif_tags]" } + rename => { "[zeek_cols][seen.indicator]" => "[zeek_cols][seen_indicator]" } + rename => { "[zeek_cols][seen.indicator_type]" => "[zeek_cols][seen_indicator_type]" } + rename => { "[zeek_cols][seen.node]" => "[zeek_cols][seen_node]" } + rename => { "[zeek_cols][seen.where]" => "[zeek_cols][seen_where]" } + } + + } else { + dissect { + id => "dissect_zeek_intel" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][seen_indicator]} %{[zeek_cols][seen_indicator_type]} %{[zeek_cols][seen_where]} %{[zeek_cols][seen_node]} %{[zeek_cols][matched]} %{[zeek_cols][sources]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]} %{[zeek_cols][file_desc]} %{[zeek_cols][cif_tags]} %{[zeek_cols][cif_confidence]} %{[zeek_cols][cif_source]} %{[zeek_cols][cif_description]} %{[zeek_cols][cif_firstseen]} %{[zeek_cols][cif_lastseen]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_intel" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_intel" + init => "@zeek_intel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'seen_indicator', 'seen_indicator_type', 
'seen_where', 'seen_node', 'matched', 'sources', 'fuid', 'file_mime_type', 'file_desc', 'cif_tags', 'cif_confidence', 'cif_source', 'cif_description', 'cif_firstseen', 'cif_lastseen' ]" + code => "event.set('[zeek_cols]', @zeek_intel_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_intel_commas" + split => { "[zeek_cols][sources]" => "," + "[zeek_cols][matched]" => "," } } + } + + # For some reason, even in JSON, I have cif_tags strings like: + # Network activity,osint:source-type=\"block-or-filter-list\" + # so whatever reason it's not already an array. Split it here. + mutate { id => "mutate_split_zeek_intel_cif_tags" + split => { "[zeek_cols][cif_tags]" => "," } } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1030_zeek_ipsec.conf b/logstash/pipelines/zeek/1030_zeek_ipsec.conf new file mode 100644 index 000000000..34d5a3a4c --- /dev/null +++ b/logstash/pipelines/zeek/1030_zeek_ipsec.conf 
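Review bot: The comment above `mutate_split_zeek_intel_cif_tags` ("For some reason, even in JSON ... so whatever reason it's not already an array") records a puzzle rather than the cause; if I recall correctly the collective-intel policy's `CIF` record declares `tags` as a plain string rather than a set, which is why it arrives comma-joined even in JSON output, so the comment could read `# cif_tags is a string (not a set) in Zeek's CIF record, so it is comma-joined even in JSON; split it here` — please confirm against the policy script. It is also worth one line noting that a tag value containing a comma (the quoted `osint:source-type=...` style) will itself be split by this filter. The split is deliberately outside the JSON/TSV branches, which is consistent with that explanation.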
@@ -0,0 +1,50 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "ipsec") { + ############################################################################################################################# + # ipsec.log + # https://github.com/corelight/zeek-spicy-ipsec/blob/master/analyzer/main.zeek + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_ipsec" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][initiator_spi]} %{[zeek_cols][responder_spi]} %{[zeek_cols][maj_ver]} %{[zeek_cols][min_ver]} %{[zeek_cols][exchange_type]} %{[zeek_cols][flag_e]} %{[zeek_cols][flag_c]} %{[zeek_cols][flag_a]} %{[zeek_cols][flag_i]} %{[zeek_cols][flag_v]} %{[zeek_cols][flag_r]} %{[zeek_cols][message_id]} %{[zeek_cols][vendor_ids]} %{[zeek_cols][notify_messages]} %{[zeek_cols][transforms]} %{[zeek_cols][ke_dh_groups]} %{[zeek_cols][proposals]} %{[zeek_cols][protocol_id]} %{[zeek_cols][certificates]} %{[zeek_cols][transform_attributes]} %{[zeek_cols][length]} %{[zeek_cols][hash]} %{[zeek_cols][doi]} %{[zeek_cols][situation]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ipsec" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ipsec" + init => "@zeek_ipsec_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'initiator_spi', 'responder_spi', 'maj_ver', 'min_ver', 'exchange_type', 'flag_e', 'flag_c', 'flag_a', 'flag_i', 'flag_v', 'flag_r', 'message_id', 'vendor_ids', 'notify_messages', 'transforms', 'ke_dh_groups', 'proposals', 'protocol_id', 'certificates', 'transform_attributes', 'length', 'hash', 'doi', 'situation' ]" + code => "event.set('[zeek_cols]', @zeek_ipsec_field_names.zip(event.get('[message]')).to_h)" 
+ } + } + mutate { id => "mutate_split_zeek_ipsec_commas" + split => { "[zeek_cols][vendor_ids]" => "," + "[zeek_cols][notify_messages]" => "," + "[zeek_cols][transforms]" => "," + "[zeek_cols][ke_dh_groups]" => "," + "[zeek_cols][proposals]" => "," + "[zeek_cols][certificates]" => "," + "[zeek_cols][transform_attributes]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_ipsec" + add_field => { + "[zeek_cols][service]" => "ipsec" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1031_zeek_irc.conf b/logstash/pipelines/zeek/1031_zeek_irc.conf new file mode 100644 index 000000000..b674565e9 --- /dev/null +++ b/logstash/pipelines/zeek/1031_zeek_irc.conf 
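Review bot: `mutate_add_fields_zeek_ipsec` sets only `[zeek_cols][service]`, whereas the http and irc hunks in this commit also populate `[zeek_cols][proto]`. The referenced corelight analyzer parses IKE, which is carried over UDP, so if ipsec.log only ever describes IKE exchanges the block could add `"[zeek_cols][proto]" => "udp"` for consistency with the other log sources; if it can also describe ESP/AH records, a short comment saying why `proto` is intentionally left unset would help the next reader. The dissect mapping and the ruby fallback list agree at 31 columns, so the fallback alignment is fine here.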
@@ -0,0 +1,43 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "irc") { + ############################################################################################################################# + # irc.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/irc/main.zeek.html#type-IRC::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_irc" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][nick]} %{[zeek_cols][user]} %{[zeek_cols][command]} %{[zeek_cols][value]} %{[zeek_cols][addl]} %{[zeek_cols][dcc_file_name]} %{[zeek_cols][dcc_file_size]} %{[zeek_cols][dcc_mime_type]} %{[zeek_cols][fuid]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_irc" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_irc" + init => "@zeek_irc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'nick', 'user', 'command', 'value', 'addl', 'dcc_file_name', 'dcc_file_size', 'dcc_mime_type', 'fuid' ]" + code => "event.set('[zeek_cols]', @zeek_irc_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_irc" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "irc" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1032_zeek_kerberos.conf b/logstash/pipelines/zeek/1032_zeek_kerberos.conf new file mode 100644 index 000000000..d79335c5e --- /dev/null +++ b/logstash/pipelines/zeek/1032_zeek_kerberos.conf 
@@ -0,0 +1,50 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "kerberos") { + ############################################################################################################################# + # kerberos.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/krb/main.zeek.html#type-KRB::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_kerberos_fields" + rename => { "[zeek_cols][client]" => "[zeek_cols][cname]" } + rename => { "[zeek_cols][service]" => "[zeek_cols][sname]" } + } + + } else { + dissect { + id => "dissect_zeek_kerberos" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][request_type]} %{[zeek_cols][cname]} %{[zeek_cols][sname]} %{[zeek_cols][success]} %{[zeek_cols][error_msg]} %{[zeek_cols][from]} %{[zeek_cols][till]} %{[zeek_cols][cipher]} %{[zeek_cols][forwardable]} %{[zeek_cols][renewable]} %{[zeek_cols][client_cert_subject]} %{[zeek_cols][client_cert_fuid]} %{[zeek_cols][server_cert_subject]} %{[zeek_cols][server_cert_fuid]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_kerberos" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_kerberos" + init => "@zeek_kerberos_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'request_type', 'cname', 'sname', 'success', 'error_msg', 'from', 'till', 'cipher', 'forwardable', 'renewable', 'client_cert_subject', 'client_cert_fuid', 'server_cert_subject', 'server_cert_fuid' ]" + code => "event.set('[zeek_cols]', @zeek_kerberos_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_kerberos_commas" + split => { "[zeek_cols][client_cert_fuid]" => "," + "[zeek_cols][server_cert_fuid]" => "," } } + } + + 
mutate { + id => "mutate_add_fields_zeek_krb5" + add_field => { "[zeek_cols][service]" => "krb" } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1033_zeek_known.conf b/logstash/pipelines/zeek/1033_zeek_known.conf new file mode 100644 index 000000000..0b701453a --- /dev/null +++ b/logstash/pipelines/zeek/1033_zeek_known.conf 
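Review bot: The final mutate is named `mutate_add_fields_zeek_krb5` while every other plugin id in this file uses the `_zeek_kerberos` suffix; `id => "mutate_add_fields_zeek_kerberos"` keeps plugin ids greppable per log source. The ordering in the JSON branch is correct — `[zeek_cols][service]` is renamed to `sname` before `add_field` writes the literal `krb` service value, so the two never collide — but a comment above that rename such as `# rename Zeek's 'service' column first so add_field below can reuse the name for the service label` would make the dependency explicit. The dissect mapping and the ruby field list both carry 20 columns.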
@@ -0,0 +1,202 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "known_certs") { + ############################################################################################################################# + # known_certs.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/ssl/known-certs.zeek.html#type-Known::CertsInfo + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_known_certs_fields" + rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" } + rename => { "[zeek_cols][port_num]" => "[zeek_cols][orig_p]" } + } + + } else { + dissect { + id => "dissect_zeek_known_certs" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][subject]} %{[zeek_cols][issuer_subject]} %{[zeek_cols][serial]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_known_certs" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_known_certs" + init => "@zeek_known_certs_field_names = [ 'ts', 'orig_h', 'orig_p', 'subject', 'resp_h', 'issuer_subject', 'serial' ]" + code => "event.set('[zeek_cols]', @zeek_known_certs_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_known_certs" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "tls" + } + } + + } else if ([log_source] == "known_hosts") { + ############################################################################################################################# + # known_hosts.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/conn/known-hosts.zeek.html#type-Known::HostsInfo + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_known_hosts_fields" + rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" } + } + + } else { + dissect { + id => 
"dissect_zeek_known_hosts" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_known_hosts" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_known_hosts" + init => "@zeek_known_hosts_field_names = [ 'ts', 'orig_h' ]" + code => "event.set('[zeek_cols]', @zeek_known_hosts_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + } else if ([log_source] == "known_modbus") { + ############################################################################################################################# + # known_modbus.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/known-masters-slaves.zeek.html#type-Known::ModbusInfo + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_known_modbus_fields" + rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" } + } + + } else { + dissect { + id => "dissect_zeek_known_modbus" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][device_type]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_known_modbus" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_known_modbus" + init => "@zeek_known_modbus_field_names = [ 'ts', 'orig_h', 'device_type' ]" + code => "event.set('[zeek_cols]', @zeek_known_modbus_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { id => "mutate_gsub_zeek_known_modbus_device_type" + gsub => [ "[zeek_cols][device_type]", "Known::", "" ] } + + mutate { id => "mutate_gsub_zeek_known_modbus_master" + gsub => [ "[zeek_cols][device_type]", "MASTER", "CLIENT" ] } + + mutate { id => "mutate_gsub_zeek_known_modbus_slave" + gsub => [ "[zeek_cols][device_type]", "SLAVE", "SERVER" ] } + + mutate { id => "mutate_add_tag_ics_known_modbus_log" + add_tag => [ "ics" ] } + + } else if ([log_source] == "known_routers") { + 
############################################################################################################################# + # known_routers.log + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_known_routers" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][ttl]} %{[zeek_cols][hlim]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_known_routers" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_known_routers" + init => "@zeek_known_routers_field_names = [ 'ts', 'orig_h', 'orig_l2_addr', 'ttl', 'hlim' ]" + code => "event.set('[zeek_cols]', @zeek_known_routers_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + } else if ([log_source] == "known_services") { + ############################################################################################################################# + # known_services.log + # https://docs.zeek.org/en/stable/scripts/policy/protocols/conn/known-services.zeek.html#type-Known::ServicesInfo + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_known_services_fields" + rename => { "[zeek_cols][host]" => "[zeek_cols][resp_h]" } + rename => { "[zeek_cols][port_num]" => "[zeek_cols][resp_p]" } + rename => { "[zeek_cols][port_proto]" => "[zeek_cols][proto]" } + } + + } else { + dissect { + id => "dissect_zeek_known_services" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_known_services" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_known_services" + init => "@zeek_known_services_field_names = [ 'ts', 'resp_h', 'resp_p', 'proto', 'service' ]" + code => "event.set('[zeek_cols]', @zeek_known_services_field_names.zip(event.get('[message]')).to_h)" + 
} + } + } + + mutate { id => "mutate_lowercase_zeek_known_services_service" + lowercase => [ "[zeek_cols][service]" ] } + + # normalize service string(s) + + # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix + mutate { id => "mutate_gsub_field_zeek_known_services_protocol_suffix" + gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] } + + if ([zeek_cols][service] =~ /^spicy_/) { + # if it's coming from spicy, we don't care to have that in the service name + mutate { id => "mutate_gsub_field_zeek_known_service_spicy_prefix" + gsub => [ "[zeek_cols][service]", "^spicy_", "" ] } + + # some spicy services are named like blah_udp or blah_tcp, + # and we don't care about the _udp/_tcp suffix + mutate { id => "mutate_gsub_field_zeek_known_service_spicy_suffix" + gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] } + + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1034_zeek_ldap.conf b/logstash/pipelines/zeek/1034_zeek_ldap.conf new file mode 100644 index 000000000..3ae2f8f17 --- /dev/null +++ b/logstash/pipelines/zeek/1034_zeek_ldap.conf 
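Review bot: In the known_certs branch the `ruby_zip_zeek_known_certs` field list has seven names (`'ts', 'orig_h', 'orig_p', 'subject', 'resp_h', 'issuer_subject', 'serial'`) while `dissect_zeek_known_certs` maps six columns with no `resp_h`, so whenever the fallback runs the issuer subject is stored as `resp_h`, the serial as `issuer_subject`, and `serial` is nil. The init should mirror the dissect mapping: `init => "@zeek_known_certs_field_names = [ 'ts', 'orig_h', 'orig_p', 'subject', 'issuer_subject', 'serial' ]"`. Separately, in the known_services branch the comment above `mutate_gsub_field_zeek_known_service_spicy_suffix` talks about `_udp`/`_tcp` suffixes, but the regex `(_hmac)?(_(sha|md)\d+)?$` removes `_hmac`/`_sha256`/`_md5`-style suffixes (the `_tcp`/`_udp` case is already handled by the gsub before it); the comment should describe what the regex actually strips, e.g. `# strip trailing _hmac / _sha256 / _md5-style suffixes from the service name`.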
@@ -0,0 +1,100 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "ldap") { + ############################################################################################################################# + # ldap.log + # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/ldap/main.zeek.html) + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ldap_fields" + rename => { "[zeek_cols][arguments]" => "[zeek_cols][argument]" } + rename => { "[zeek_cols][opcode]" => "[zeek_cols][operation]" } + rename => { "[zeek_cols][opcodes]" => "[zeek_cols][operation]" } + rename => { "[zeek_cols][result]" => "[zeek_cols][result_code]" } + rename => { "[zeek_cols][results]" => "[zeek_cols][result_code]" } + rename => { "[zeek_cols][diagnostic_message]" => "[zeek_cols][result_message]" } + rename => { "[zeek_cols][diagnostic_messages]" => "[zeek_cols][result_message]" } + } + + } else { + dissect { + id => "dissect_zeek_ldap" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][message_id]} %{[zeek_cols][version]} %{[zeek_cols][operation]} %{[zeek_cols][result_code]} %{[zeek_cols][result_message]} %{[zeek_cols][object]} %{[zeek_cols][argument]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ldap" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ldap" + init => "@zeek_ldap_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'version', 'operation', 'result_code', 'result_message', 'object', 'argument' ]" + code => "event.set('[zeek_cols]', @zeek_ldap_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ldap" + add_field => { + "[zeek_cols][service]" => "ldap" + } + + 
} + + } else if ([log_source] == "ldap_search") { + ############################################################################################################################# + # ldap_search.log + # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/ldap/main.zeek.html) + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ldap_search_fields" + rename => { "[zeek_cols][base_objects]" => "[zeek_cols][base_object]" } + rename => { "[zeek_cols][deref_aliases]" => "[zeek_cols][deref]" } + rename => { "[zeek_cols][derefs]" => "[zeek_cols][deref]" } + rename => { "[zeek_cols][diagnostic_message]" => "[zeek_cols][result_message]" } + rename => { "[zeek_cols][result]" => "[zeek_cols][result_code]" } + rename => { "[zeek_cols][results]" => "[zeek_cols][result_code]" } + rename => { "[zeek_cols][scopes]" => "[zeek_cols][scope]" } + } + + } else { + dissect { + id => "dissect_zeek_ldap_search" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][message_id]} %{[zeek_cols][scope]} %{[zeek_cols][deref]} %{[zeek_cols][base_object]} %{[zeek_cols][result_count]} %{[zeek_cols][result_code]} %{[zeek_cols][result_message]} %{[zeek_cols][filter]} %{[zeek_cols][attributes]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ldap_search" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ldap_search" + init => "@zeek_ldap_search_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'scope', 'deref', 'base_object', 'result_count', 'result_code', 'result_message', 'filter', 'attributes' ]" + code => "event.set('[zeek_cols]', @zeek_ldap_search_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ldap_search" + add_field => { + "[zeek_cols][service]" => "ldap" + } + + } + + } + +} # end 
Filter diff --git a/logstash/pipelines/zeek/1035_zeek_login.conf b/logstash/pipelines/zeek/1035_zeek_login.conf new file mode 100644 index 000000000..2460ffa56 --- /dev/null +++ b/logstash/pipelines/zeek/1035_zeek_login.conf @@ -0,0 +1,35 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "login") { + ############################################################################################################################# + # login.log + # custom login.log module (rudimentary, telnet/rlogin/rsh analyzers are old and not the greatest) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_login" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][service]} %{[zeek_cols][success]} %{[zeek_cols][confused]} %{[zeek_cols][user]} %{[zeek_cols][client_user]} %{[zeek_cols][password]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_login" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_login" + init => "@zeek_login_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'service', 'success', 'confused', 'user', 'client_user', 'password' ]" + code => "event.set('[zeek_cols]', @zeek_login_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1036_zeek_modbus.conf b/logstash/pipelines/zeek/1036_zeek_modbus.conf new file mode 100644 index 000000000..4ff4723cb --- /dev/null +++ b/logstash/pipelines/zeek/1036_zeek_modbus.conf 
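Review bot: In the ldap_search JSON branch (`mutate_rename_zeek_json_ldap_search_fields`) the plural `diagnostic_messages` key is not renamed, while the ldap branch above renames both `diagnostic_message` and `diagnostic_messages` to `result_message`; if the older analyzer's ldap_search.log also used the plural form, add `rename => { "[zeek_cols][diagnostic_messages]" => "[zeek_cols][result_message]" }` next to the existing singular rename. In the ldap_search TSV branch, `attributes` is dissected but, unlike the vector columns in the http and intel hunks, never comma-split; if Zeek logs it as a vector of string, a `mutate { id => "mutate_split_zeek_ldap_search_commas" split => { "[zeek_cols][attributes]" => "," } }` inside the `else` branch would keep the TSV and JSON shapes aligned — please confirm the column type before adding it.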
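Review bot: The login branch sets no `[zeek_cols][proto]`, whereas the irc hunk in this commit adds `"[zeek_cols][proto]" => "tcp"` for a comparable TCP-only log; the header comment attributes this log to the telnet/rlogin/rsh analyzers, which are all TCP, so an equivalent `mutate { id => "mutate_add_fields_zeek_login" add_field => { "[zeek_cols][proto]" => "tcp" } }` after the parsing block would make the two consistent, unless `proto` is filled from connection enrichment elsewhere. The comment `custom login.log module (rudimentary, telnet/rlogin/rsh analyzers are old and not the greatest)` would be more useful with a pointer to where that custom Zeek script lives in the repository, since this file has no docs link like the others. This log carries `user`, `client_user` and `password` in clear text, which is worth a one-line comment so downstream field-level access decisions are made knowingly; the dissect and ruby column lists agree at 12 fields.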
@@ -0,0 +1,210 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "modbus") { + ############################################################################################################################# + # modbus.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/modbus/main.zeek.html#type-Modbus::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_modbus" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][exception]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_modbus" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_modbus" + init => "@zeek_modbus_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'exception' ]" + code => "event.set('[zeek_cols]', @zeek_modbus_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_modbus" + add_field => { "[zeek_cols][service]" => "modbus" } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "modbus_detailed") { + ############################################################################################################################# + # modbus_detailed.log + # main.zeek (https://github.com/cisagov/icsnpp-modbus) + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_modbus_detailed_fields" + rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" } + rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" } + rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" } + } + + } else { + dissect { + id 
=> "dissect_zeek_modbus_detailed" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][quantity]} %{[zeek_cols][values]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_modbus_detailed" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_modbus_detailed" + init => "@zeek_modbus_detailed_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'quantity', 'values' ]" + code => "event.set('[zeek_cols]', @zeek_modbus_detailed_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_modbus_detailed_values" + split => { "[zeek_cols][values]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_modbus_detailed" + add_field => { + "[zeek_cols][service]" => "modbus" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "modbus_mask_write_register") { + ############################################################################################################################# + # modbus_mask_write_register.log + # main.zeek (https://github.com/cisagov/icsnpp-modbus) + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_modbus_mask_write_register_fields" + rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" } + rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" } + rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" } + } + + } else { + dissect { + id => 
"dissect_zeek_modbus_mask_write_register" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][and_mask]} %{[zeek_cols][or_mask]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_modbus_mask_write_register" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_modbus_mask_write_register" + init => "@zeek_modbus_mask_write_register_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'and_mask', 'or_mask' ]" + code => "event.set('[zeek_cols]', @zeek_modbus_mask_write_register_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_modbus_mask_write_register" + add_field => { + "[zeek_cols][service]" => "modbus" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "modbus_read_device_identification") { + ############################################################################################################################# + # modbus_read_device_identification.log + # main.zeek (https://github.com/cisagov/icsnpp-modbus) + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_modbus_read_device_identification_fields" + rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" } + rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" } + rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" } + } + + } else { + dissect { + id => 
"dissect_zeek_modbus_read_device_identification" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][mei_type]} %{[zeek_cols][conformity_level_code]} %{[zeek_cols][conformity_level]} %{[zeek_cols][device_id_code]} %{[zeek_cols][object_id_code]} %{[zeek_cols][object_id]} %{[zeek_cols][object_value]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_modbus_read_device_identification" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_modbus_read_device_identification" + init => "@zeek_modbus_read_device_identification_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'mei_type', 'conformity_level_code', 'conformity_level', 'device_id_code', 'object_id_code', 'object_id', 'object_value' ]" + code => "event.set('[zeek_cols]', @zeek_modbus_read_device_identification_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_modbus_read_device_identification" + add_field => { + "[zeek_cols][service]" => "modbus" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "modbus_read_write_multiple_registers") { + ############################################################################################################################# + # modbus_read_write_multiple_registers.log + # main.zeek (https://github.com/cisagov/icsnpp-modbus) + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_modbus_read_write_multiple_registers_fields" + rename 
=> { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" } + rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" } + rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" } + } + + } else { + dissect { + id => "dissect_zeek_modbus_read_write_multiple_registers" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][write_start_address]} %{[zeek_cols][write_registers]} %{[zeek_cols][read_start_address]} %{[zeek_cols][read_quantity]} %{[zeek_cols][read_registers]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_modbus_read_write_multiple_registers" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_modbus_read_write_multiple_registers" + init => "@zeek_modbus_read_write_multiple_registers_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'write_start_address', 'write_registers', 'read_start_address', 'read_quantity', 'read_registers' ]" + code => "event.set('[zeek_cols]', @zeek_modbus_read_write_multiple_registers_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_modbus_read_write_multiple_registers_read_commas" + split => { "[zeek_cols][read_registers]" => "," + "[zeek_cols][write_registers]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_modbus_read_write_multiple_registers" + add_field => { + "[zeek_cols][service]" => "modbus" + } + add_tag => [ "ics" ] + } + + } + +} # end Filter 
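Review bot: The base `modbus` branch has no JSON rename block, while the icsnpp `modbus_detailed`, `modbus_mask_write_register`, `modbus_read_device_identification` and `modbus_read_write_multiple_registers` branches all rename `tid`/`unit`/`request_response` to `trans_id`/`unit_id`/`network_direction`; the TSV mapping for `modbus` already uses `trans_id` and `unit_id`, so if Zeek's base modbus.log names these columns `tid` and `unit` in JSON output, the JSON path for `modbus` produces different field names than its own TSV path. A matching `mutate { id => "mutate_rename_zeek_json_modbus_fields" rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" } rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" } }` in a `_jsonparsesuccess` branch would close that gap; please confirm against the Zeek version Malcolm ships. The `drop_orig_h`/`drop_orig_p`/`drop_resp_h`/`drop_resp_p` placeholders in the four icsnpp dissect mappings are not removed anywhere in this hunk; if the cleanup lives in a later pipeline file, a comment such as `# drop_* placeholders capture columns discarded downstream — confirm where` next to the first such mapping would save the next reader a search.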
diff --git a/logstash/pipelines/zeek/1037_zeek_mqtt.conf b/logstash/pipelines/zeek/1037_zeek_mqtt.conf new file mode 100644 index 000000000..8c3730f44 --- /dev/null +++ b/logstash/pipelines/zeek/1037_zeek_mqtt.conf 
@@ -0,0 +1,115 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "mqtt_connect") {
+ #############################################################################################################################
+ # mqtt_connect.log
+ # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::ConnectInfo
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_mqtt_connect"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto_name]} %{[zeek_cols][proto_version]} %{[zeek_cols][client_id]} %{[zeek_cols][connect_status]} %{[zeek_cols][will_topic]} %{[zeek_cols][will_payload]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_mqtt_connect"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_mqtt_connect"
+ init => "@zeek_mqtt_connect_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto_name', 'proto_version', 'client_id', 'connect_status', 'will_topic', 'will_payload' ]"
+ code => "event.set('[zeek_cols]', @zeek_mqtt_connect_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_mqtt_connect"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "mqtt"
+ }
+ }
+
+ } else if ([log_source] == "mqtt_publish") {
+ #############################################################################################################################
+ # mqtt_publish.log
+ # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::PublishInfo
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_mqtt_publish"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} 
%{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][from_client]} %{[zeek_cols][retain]} %{[zeek_cols][qos]} %{[zeek_cols][status]} %{[zeek_cols][topic]} %{[zeek_cols][payload]} %{[zeek_cols][payload_len]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_mqtt_publish"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_mqtt_publish"
+ init => "@zeek_mqtt_publish_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'from_client', 'retain', 'qos', 'status', 'topic', 'payload', 'payload_len' ]"
+ code => "event.set('[zeek_cols]', @zeek_mqtt_publish_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_mqtt_publish"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "mqtt"
+ }
+ }
+
+ } else if ([log_source] == "mqtt_subscribe") {
+ #############################################################################################################################
+ # mqtt_subscribe.log
+ # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::SubscribeInfo
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_mqtt_subscribe"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][action]} %{[zeek_cols][topics]} %{[zeek_cols][qos_levels]} %{[zeek_cols][granted_qos_level]} %{[zeek_cols][ack]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_mqtt_subscribe"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_mqtt_subscribe"
+ init => "@zeek_mqtt_subscribe_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'action', 'topics', 'qos_levels', 'granted_qos_level', 'ack' ]"
+ code => "event.set('[zeek_cols]', 
@zeek_mqtt_subscribe_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_mqtt_subscribe_commas"
+ split => { "[zeek_cols][topics]" => ","
+ "[zeek_cols][qos_levels]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_mqtt_subscribe"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "mqtt"
+ }
+ }
+
+ mutate { id => "mutate_gsub_zeek_mqtt_subscribe_action"
+ gsub => [ "[zeek_cols][action]", "MQTT::", "" ] }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1038_zeek_mysql.conf b/logstash/pipelines/zeek/1038_zeek_mysql.conf
new file mode 100644
index 000000000..892ac1bb2
--- /dev/null
+++ b/logstash/pipelines/zeek/1038_zeek_mysql.conf
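Review bot: `"[zeek_cols][proto]" => "udp"` in mutate_add_fields_zeek_mqtt_connect is wrong for this log: Zeek's MQTT analyzer (the policy/protocols/mqtt scripts linked in this hunk's comments) is attached to TCP sessions, so the three mqtt logs describe TCP traffic, and the same value is repeated in mutate_add_fields_zeek_mqtt_publish and mutate_add_fields_zeek_mqtt_subscribe. Unless a later stage overwrites proto from conn.log (not visible here), every MQTT record is tagged as UDP, which misleads any dashboard or detection rule that filters on proto. Change the entry in all three add_field blocks to `"[zeek_cols][proto]" => "tcp"`.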
@@ -0,0 +1,40 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "mysql") {
+ #############################################################################################################################
+ # mysql.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/mysql/main.zeek.html#type-MySQL::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_mysql"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cmd]} %{[zeek_cols][arg]} %{[zeek_cols][success]} %{[zeek_cols][rows]} %{[zeek_cols][response]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_mysql"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_mysql"
+ init => "@zeek_mysql_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cmd', 'arg', 'success', 'rows', 'response' ]"
+ code => "event.set('[zeek_cols]', @zeek_mysql_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_mysql"
+ add_field => { "[zeek_cols][service]" => "mysql" }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1039_zeek_notice.conf b/logstash/pipelines/zeek/1039_zeek_notice.conf
new file mode 100644
index 000000000..ac044fef8
--- /dev/null
+++ b/logstash/pipelines/zeek/1039_zeek_notice.conf
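Review bot: mutate_add_fields_zeek_mysql sets only `[zeek_cols][service]`, whereas the ntp hunk in this same commit also fills `[zeek_cols][proto]` for a log whose Zeek columns carry no proto field; mysql.log (and ntlm.log in the ntlm hunk) likewise has no proto column in its dissect mapping, and both analyzers only run over TCP. Unless a later stage populates proto from conn.log, which this file does not show, these records will end up without a transport protocol while the ntp records have one. If that asymmetry is intended, fine; otherwise add `"[zeek_cols][proto]" => "tcp"` beside the service entry here and in mutate_add_fields_zeek_ntlm.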
@@ -0,0 +1,53 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "notice") {
+ #############################################################################################################################
+ # notice.log
+ # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_notice_with_all_fields"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]} %{[zeek_cols][file_desc]} %{[zeek_cols][proto]} %{[zeek_cols][note]} %{[zeek_cols][msg]} %{[zeek_cols][sub]} %{[zeek_cols][src]} %{[zeek_cols][dst]} %{[zeek_cols][p]} %{[zeek_cols][n]} %{[zeek_cols][peer_descr]} %{[zeek_cols][actions]} %{[zeek_cols][email_dest]} %{[zeek_cols][suppress_for]} %{[zeek_cols][remote_location_country_code]} %{[zeek_cols][remote_location_region]} %{[zeek_cols][remote_location_city]} %{[zeek_cols][remote_location_latitude]} %{[zeek_cols][remote_location_longitude]} %{[zeek_cols][community_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_notice"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_notice"
+ init => "@zeek_notice_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fuid', 'file_mime_type', 'file_desc', 'proto', 'note', 'msg', 'sub', 'src', 'dst', 'p', 'n', 'peer_descr', 'actions', 'email_dest', 'suppress_for', 'remote_location_country_code', 'remote_location_region', 'remote_location_city', 'remote_location_latitude', 'remote_location_longitude', 'community_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_notice_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => 
"mutate_split_zeek_notice_actions"
+ split => { "[zeek_cols][actions]" => "," } }
+ }
+
+ if ([zeek_cols][src]) and ((![zeek_cols][orig_h]) or ([zeek_cols][orig_h] == '(empty)') or
+ ([zeek_cols][orig_h] == '-') or ([zeek_cols][orig_h] == '')) {
+ mutate { id => "mutate_replace_zeek_notice_orig_h"
+ replace => { "[zeek_cols][orig_h]" => "%{[zeek_cols][src]}" } }
+ }
+ if ([zeek_cols][dst]) and ((![zeek_cols][resp_h]) or ([zeek_cols][resp_h] == '(empty)') or
+ ([zeek_cols][resp_h] == '-') or ([zeek_cols][resp_h] == '')) {
+ mutate { id => "mutate_replace_zeek_notice_resp_h"
+ replace => { "[zeek_cols][resp_h]" => "%{[zeek_cols][dst]}" } }
+ }
+ if [zeek_cols][p] and ((![zeek_cols][resp_p]) or ([zeek_cols][resp_p] == '(empty)') or
+ ([zeek_cols][resp_p] == '-') or ([zeek_cols][resp_p] == '')) {
+ mutate { id => "mutate_replace_zeek_resp_p"
+ replace => { "[zeek_cols][resp_p]" => "%{[zeek_cols][p]}" } }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1040_zeek_ntlm.conf b/logstash/pipelines/zeek/1040_zeek_ntlm.conf
new file mode 100644
index 000000000..b0cafaee7
--- /dev/null
+++ b/logstash/pipelines/zeek/1040_zeek_ntlm.conf
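Review bot: The third fallback block is registered as `mutate_replace_zeek_resp_p`, dropping the `notice_` segment that its two siblings carry (`mutate_replace_zeek_notice_orig_h`, `mutate_replace_zeek_notice_resp_h`); plugin ids must be unique across the whole pipeline, and a generic name like this is the kind that collides as soon as another log's parser also needs to replace resp_p. That block's condition also omits the parentheses the other two put around the guard field, which makes the three branches read as if they were written at different times. Suggested: `if ([zeek_cols][p]) and ((![zeek_cols][resp_p]) or ([zeek_cols][resp_p] == '(empty)') or` and `mutate { id => "mutate_replace_zeek_notice_resp_p"`.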
@@ -0,0 +1,51 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "ntlm") {
+ #############################################################################################################################
+ # ntlm.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/ntlm/main.zeek.html#type-NTLM::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ntlm_fields"
+ rename => { "[zeek_cols][hostname]" => "[zeek_cols][host]" }
+ rename => { "[zeek_cols][domainname]" => "[zeek_cols][domain]" }
+ rename => { "[zeek_cols][server_nb_computer_name]" => "[zeek_cols][server_nb_computer]" }
+ rename => { "[zeek_cols][server_dns_computer_name]" => "[zeek_cols][server_dns_computer]" }
+ rename => { "[zeek_cols][server_tree_name]" => "[zeek_cols][server_tree]" }
+ rename => { "[zeek_cols][username]" => "[zeek_cols][user]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ntlm_with_all_fields"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][host]} %{[zeek_cols][domain]} %{[zeek_cols][server_nb_computer]} %{[zeek_cols][server_dns_computer]} %{[zeek_cols][server_tree]} %{[zeek_cols][success]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ntlm"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ntlm"
+ init => "@zeek_ntlm_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'host', 'domain', 'server_nb_computer', 'server_dns_computer', 'server_tree', 'success' ]"
+ code => "event.set('[zeek_cols]', @zeek_ntlm_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ntlm"
+ add_field => { "[zeek_cols][service]" => "ntlm" }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1041_zeek_ntp.conf b/logstash/pipelines/zeek/1041_zeek_ntp.conf
new file mode 100644
index 000000000..fc4196b57
--- /dev/null
+++ b/logstash/pipelines/zeek/1041_zeek_ntp.conf
@@ -0,0 +1,42 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "ntp") {
+ #############################################################################################################################
+ # ntp.log
+ # https://docs.zeek.org/en/latest/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_ntp"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][mode]} %{[zeek_cols][stratum]} %{[zeek_cols][poll]} %{[zeek_cols][precision]} %{[zeek_cols][root_delay]} %{[zeek_cols][root_disp]} %{[zeek_cols][ref_id]} %{[zeek_cols][ref_time]} %{[zeek_cols][org_time]} %{[zeek_cols][rec_time]} %{[zeek_cols][xmt_time]} %{[zeek_cols][num_exts]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ntp"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_ntp"
+ init => "@zeek_ntp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'mode', 'stratum', 'poll', 'precision', 'root_delay', 'root_disp', 'ref_id', 'ref_time', 'org_time', 'rec_time', 'xmt_time', 'num_exts' ]"
+ code => "event.set('[zeek_cols]', @zeek_ntp_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ntp"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "ntp"
+ }
+ }
+
+ }
+
+} # end Filter
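Review bot: The reference link in the ntp.log header comment points at `https://docs.zeek.org/en/latest/...` while every other file in this commit (mqtt, mysql, notice, ntlm, ocsp) links `en/stable`; `latest` may track a newer Zeek branch than the release whose column order the dissect mapping below encodes, so a reader checking the mapping against it could be comparing the wrong schema. Suggest `# https://docs.zeek.org/en/stable/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info` for consistency with the sibling files.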
diff --git a/logstash/pipelines/zeek/1042_zeek_ocsp.conf b/logstash/pipelines/zeek/1042_zeek_ocsp.conf
new file mode 100644
index 000000000..b6919838e
--- /dev/null
+++ b/logstash/pipelines/zeek/1042_zeek_ocsp.conf
@@ -0,0 +1,39 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "ocsp") {
+ #############################################################################################################################
+ # ocsp.log
+ # https://docs.zeek.org/en/stable/scripts/policy/files/x509/log-ocsp.zeek.html#type-OCSP::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_ocsp"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][hashAlgorithm]} %{[zeek_cols][issuerNameHash]} %{[zeek_cols][issuerKeyHash]} %{[zeek_cols][serialNumber]} %{[zeek_cols][certStatus]} %{[zeek_cols][revoketime]} %{[zeek_cols][revokereason]} %{[zeek_cols][thisUpdate]} %{[zeek_cols][nextUpdate]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ocsp"
+ split => { "[message]" => " " }
+ }
+
+ ruby {
+ id => "ruby_zip_zeek_ocsp"
+ init => "@zeek_ocsp_field_names = [ 'ts', 'fuid', 'hashAlgorithm', 'issuerNameHash', 'issuerKeyHash', 'serialNumber', 'certStatus', 'revoketime', 'revokereason', 'thisUpdate', 'nextUpdate' ]"
+ code => "event.set('[zeek_cols]', @zeek_ocsp_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_add_fields_zeek_service_ocsp"
+ add_field => { "[zeek_cols][service]" => "X.509" } }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1043_zeek_opcua_binary.conf b/logstash/pipelines/zeek/1043_zeek_opcua_binary.conf
new file mode 100644
index 000000000..b9431e3d2
--- /dev/null
+++ b/logstash/pipelines/zeek/1043_zeek_opcua_binary.conf
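Review bot: The add_field plugin here is named `mutate_add_fields_zeek_service_ocsp`, which breaks the `mutate_add_fields_zeek_<log>` pattern every other file in this commit follows (mutate_add_fields_zeek_mysql, mutate_add_fields_zeek_ntlm, mutate_add_fields_zeek_ntp); rename it `mutate { id => "mutate_add_fields_zeek_ocsp"` so ids stay greppable by log name. The service value `X.509` is also the only mixed-case one next to the lowercase protocol names set elsewhere (`mqtt`, `mysql`, `ntlm`, `ntp`); if that is deliberate so OCSP records land under the same service as certificate records, a comment such as `# service matches the certificate logs so OCSP responses group with them` above the mutate would stop the next reader from "normalising" it to `ocsp`.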
@@ -0,0 +1,1598 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + if ([log_source] =~ /^opcua_binary/) { + if ([log_source] == "opcua_binary") { + ############################################################################################################################# + # opcua_binary.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][msg_type]} %{[zeek_cols][is_final]} %{[zeek_cols][msg_size]} %{[zeek_cols][error]} %{[zeek_cols][reason]} %{[zeek_cols][version]} %{[zeek_cols][rcv_buf_size]} %{[zeek_cols][snd_buf_size]} %{[zeek_cols][max_msg_size]} %{[zeek_cols][max_chunk_cnt]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][sec_channel_id]} %{[zeek_cols][sec_policy_uri_len]} %{[zeek_cols][sec_policy_uri]} %{[zeek_cols][snd_cert_len]} %{[zeek_cols][snd_cert]} %{[zeek_cols][rcv_cert_len]} %{[zeek_cols][rcv_cert]} %{[zeek_cols][seq_number]} %{[zeek_cols][request_id]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][namespace_idx]} %{[zeek_cols][identifier]} %{[zeek_cols][identifier_str]} %{[zeek_cols][req_hdr_node_id_type]} %{[zeek_cols][req_hdr_node_id_namespace_idx]} %{[zeek_cols][req_hdr_node_id_numeric]} %{[zeek_cols][req_hdr_node_id_string]} %{[zeek_cols][req_hdr_node_id_guid]} %{[zeek_cols][req_hdr_node_id_opaque]} %{[zeek_cols][req_hdr_timestamp]} %{[zeek_cols][req_hdr_request_handle]} %{[zeek_cols][req_hdr_return_diag]} %{[zeek_cols][req_hdr_audit_entry_id]} %{[zeek_cols][req_hdr_timeout_hint]} 
%{[zeek_cols][req_hdr_add_hdr_type_id]} %{[zeek_cols][req_hdr_add_hdr_enc_mask]} %{[zeek_cols][res_hdr_timestamp]} %{[zeek_cols][res_hdr_request_handle]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][res_hdr_service_diag_encoding]} %{[zeek_cols][res_hdr_add_hdr_type_id]} %{[zeek_cols][res_hdr_add_hdr_enc_mask]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary" + init => "@zeek_opcua_binary_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'msg_type', 'is_final', 'msg_size', 'error', 'reason', 'version', 'rcv_buf_size', 'snd_buf_size', 'max_msg_size', 'max_chunk_cnt', 'endpoint_url', 'sec_channel_id', 'sec_policy_uri_len', 'sec_policy_uri', 'snd_cert_len', 'snd_cert', 'rcv_cert_len', 'rcv_cert', 'seq_number', 'request_id', 'encoding_mask', 'namespace_idx', 'identifier', 'identifier_str', 'req_hdr_node_id_type', 'req_hdr_node_id_namespace_idx', 'req_hdr_node_id_numeric', 'req_hdr_node_id_string', 'req_hdr_node_id_guid', 'req_hdr_node_id_opaque', 'req_hdr_timestamp', 'req_hdr_request_handle', 'req_hdr_return_diag', 'req_hdr_audit_entry_id', 'req_hdr_timeout_hint', 'req_hdr_add_hdr_type_id', 'req_hdr_add_hdr_enc_mask', 'res_hdr_timestamp', 'res_hdr_request_handle', 'status_code_link_id', 'res_hdr_service_diag_encoding', 'res_hdr_add_hdr_type_id', 'res_hdr_add_hdr_enc_mask' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_activate_session") { + 
############################################################################################################################# + # opcua_binary_activate_session.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_activate_session" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][client_algorithm]} %{[zeek_cols][client_signature]} %{[zeek_cols][client_software_cert_link_id]} %{[zeek_cols][opcua_locale_link_id]} %{[zeek_cols][ext_obj_type_id_encoding_mask]} %{[zeek_cols][ext_obj_type_id_namespace_idx]} %{[zeek_cols][ext_obj_type_id_numeric]} %{[zeek_cols][ext_obj_type_id_string]} %{[zeek_cols][ext_obj_type_id_guid]} %{[zeek_cols][ext_obj_type_id_opaque]} %{[zeek_cols][ext_obj_type_id_str]} %{[zeek_cols][ext_obj_encoding]} %{[zeek_cols][ext_obj_policy_id]} %{[zeek_cols][ext_obj_user_name]} %{[zeek_cols][ext_obj_password]} %{[zeek_cols][ext_obj_encryption_algorithom]} %{[zeek_cols][ext_obj_certificate_data]} %{[zeek_cols][ext_obj_token_data]} %{[zeek_cols][user_token_algorithm]} %{[zeek_cols][user_token_signature]} %{[zeek_cols][server_nonce]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][activate_session_diag_info_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_activate_session" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_activate_session" + init => "@zeek_opcua_binary_activate_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'client_algorithm', 
'client_signature', 'client_software_cert_link_id', 'opcua_locale_link_id', 'ext_obj_type_id_encoding_mask', 'ext_obj_type_id_namespace_idx', 'ext_obj_type_id_numeric', 'ext_obj_type_id_string', 'ext_obj_type_id_guid', 'ext_obj_type_id_opaque', 'ext_obj_type_id_str', 'ext_obj_encoding', 'ext_obj_policy_id', 'ext_obj_user_name', 'ext_obj_password', 'ext_obj_encryption_algorithom', 'ext_obj_certificate_data', 'ext_obj_token_data', 'user_token_algorithm', 'user_token_signature', 'server_nonce', 'status_code_link_id', 'activate_session_diag_info_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_activate_session" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_activate_session_client_software_cert") { + ############################################################################################################################# + # opcua_binary_activate_session_client_software_cert.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_activate_session_client_software_cert" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_software_cert_link_id]} %{[zeek_cols][cert_data]} %{[zeek_cols][cert_signature]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_activate_session_client_software_cert" + split => { "[message]" => " " } + } + ruby { + id => 
"ruby_zip_zeek_opcua_binary_activate_session_client_software_cert" + init => "@zeek_opcua_binary_activate_session_client_software_cert_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'client_software_cert_link_id', 'cert_data', 'cert_signature' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_client_software_cert_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_activate_session_client_software_cert" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_activate_session_locale_id") { + ############################################################################################################################# + # opcua_binary_activate_session_locale_id.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_activate_session_locale_id" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_locale_link_id]} %{[zeek_cols][local_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_activate_session_locale_id" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_activate_session_locale_id" + init => "@zeek_opcua_binary_activate_session_locale_id_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_locale_link_id', 'local_id' ]" + code => 
"event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_locale_id_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_activate_session_locale_id" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_aggregate_filter") { + ############################################################################################################################# + # opcua_binary_aggregate_filter.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_aggregate_filter" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][start_time]} %{[zeek_cols][start_time_str]} %{[zeek_cols][aggregate_type_encoding_mask]} %{[zeek_cols][aggregate_type_namespace_idx]} %{[zeek_cols][aggregate_type_numeric]} %{[zeek_cols][aggregate_type_string]} %{[zeek_cols][aggregate_type_guid]} %{[zeek_cols][aggregate_type_opaque]} %{[zeek_cols][processing_interval]} %{[zeek_cols][use_server_capabilities_default]} %{[zeek_cols][treat_uncertain_as_bad]} %{[zeek_cols][percent_data_good]} %{[zeek_cols][percent_data_bad]} %{[zeek_cols][use_slopped_extrapolation]} %{[zeek_cols][revised_start_time]} %{[zeek_cols][revised_start_time_str]} %{[zeek_cols][revised_processing_interval]} %{[zeek_cols][revised_use_server_capabilities_default]} %{[zeek_cols][revised_treat_uncertain_as_bad]} %{[zeek_cols][revised_percent_data_good]} %{[zeek_cols][revised_percent_data_bad]} %{[zeek_cols][revised_use_slopped_extrapolation]}" + } + } + if 
("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_aggregate_filter" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_aggregate_filter" + init => "@zeek_opcua_binary_aggregate_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'start_time', 'start_time_str', 'aggregate_type_encoding_mask', 'aggregate_type_namespace_idx', 'aggregate_type_numeric', 'aggregate_type_string', 'aggregate_type_guid', 'aggregate_type_opaque', 'processing_interval', 'use_server_capabilities_default', 'treat_uncertain_as_bad', 'percent_data_good', 'percent_data_bad', 'use_slopped_extrapolation', 'revised_start_time', 'revised_start_time_str', 'revised_processing_interval', 'revised_use_server_capabilities_default', 'revised_treat_uncertain_as_bad', 'revised_percent_data_good', 'revised_percent_data_bad', 'revised_use_slopped_extrapolation' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_aggregate_filter_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_aggregate_filter" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_event_filter_attribute_operand") { + ############################################################################################################################# + # opcua_binary_event_filter_attribute_operand.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_event_filter_attribute_operand" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} 
%{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][node_id_encoding_mask]} %{[zeek_cols][node_id_namespace_idx]} %{[zeek_cols][node_id_numeric]} %{[zeek_cols][node_id_string]} %{[zeek_cols][node_id_guid]} %{[zeek_cols][node_id_opaque]} %{[zeek_cols][alias]} %{[zeek_cols][browse_path_element_link_id]} %{[zeek_cols][attribute]} %{[zeek_cols][index_range]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_attribute_operand" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_attribute_operand" + init => "@zeek_opcua_binary_event_filter_attribute_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'node_id_encoding_mask', 'node_id_namespace_idx', 'node_id_numeric', 'node_id_string', 'node_id_guid', 'node_id_opaque', 'alias', 'browse_path_element_link_id', 'attribute', 'index_range' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_attribute_operand_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_attribute_operand" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_event_filter_attribute_operand_browse_paths") { + ############################################################################################################################# + # opcua_binary_event_filter_attribute_operand_browse_paths.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => 
"dissect_zeek_opcua_binary_event_filter_attribute_operand_browse_paths" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_path_element_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][is_inverse]} %{[zeek_cols][include_subtypes]} %{[zeek_cols][target_name_namespace_idx]} %{[zeek_cols][target_name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_attribute_operand_browse_paths" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_attribute_operand_browse_paths" + init => "@zeek_opcua_binary_event_filter_attribute_operand_browse_paths_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_path_element_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'is_inverse', 'include_subtypes', 'target_name_namespace_idx', 'target_name' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_attribute_operand_browse_paths_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_attribute_operand_browse_paths" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_browse") { + 
############################################################################################################################# + # opcua_binary_browse.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_browse" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][browse_service_type]} %{[zeek_cols][browse_view_id_encoding_mask]} %{[zeek_cols][browse_view_id_namespace_idx]} %{[zeek_cols][browse_view_id_numeric]} %{[zeek_cols][browse_view_id_string]} %{[zeek_cols][browse_view_id_guid]} %{[zeek_cols][browse_view_id_opaque]} %{[zeek_cols][browse_view_description_timestamp]} %{[zeek_cols][browse_view_description_view_version]} %{[zeek_cols][req_max_ref_nodes]} %{[zeek_cols][browse_description_link_id]} %{[zeek_cols][browse_next_release_continuation_point]} %{[zeek_cols][browse_next_link_id]} %{[zeek_cols][browse_response_link_id]} %{[zeek_cols][browse_diag_info_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_browse" + init => "@zeek_opcua_binary_browse_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'browse_service_type', 'browse_view_id_encoding_mask', 'browse_view_id_namespace_idx', 'browse_view_id_numeric', 'browse_view_id_string', 'browse_view_id_guid', 'browse_view_id_opaque', 'browse_view_description_timestamp', 'browse_view_description_view_version', 'req_max_ref_nodes', 'browse_description_link_id', 
'browse_next_release_continuation_point', 'browse_next_link_id', 'browse_response_link_id', 'browse_diag_info_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_browse" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_browse_description") { + ############################################################################################################################# + # opcua_binary_browse_description.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_browse_description" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_description_link_id]} %{[zeek_cols][browse_description_encoding_mask]} %{[zeek_cols][browse_description_namespace_idx]} %{[zeek_cols][browse_description_numeric]} %{[zeek_cols][browse_description_string]} %{[zeek_cols][browse_description_guid]} %{[zeek_cols][browse_description_opaque]} %{[zeek_cols][browse_direction]} %{[zeek_cols][browse_description_ref_encoding_mask]} %{[zeek_cols][browse_description_ref_namespace_idx]} %{[zeek_cols][browse_description_ref_numeric]} %{[zeek_cols][browse_description_ref_string]} %{[zeek_cols][browse_description_ref_guid]} %{[zeek_cols][browse_description_ref_opaque]} %{[zeek_cols][browse_description_include_subtypes]} %{[zeek_cols][browse_node_class_mask]} %{[zeek_cols][browse_result_mask]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => 
"mutate_split_zeek_opcua_binary_browse_description" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_browse_description" + init => "@zeek_opcua_binary_browse_description_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_description_link_id', 'browse_description_encoding_mask', 'browse_description_namespace_idx', 'browse_description_numeric', 'browse_description_string', 'browse_description_guid', 'browse_description_opaque', 'browse_direction', 'browse_description_ref_encoding_mask', 'browse_description_ref_namespace_idx', 'browse_description_ref_numeric', 'browse_description_ref_string', 'browse_description_ref_guid', 'browse_description_ref_opaque', 'browse_description_include_subtypes', 'browse_node_class_mask', 'browse_result_mask' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_description_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_browse_description" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_browse_response_references") { + ############################################################################################################################# + # opcua_binary_browse_response_references.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_browse_response_references" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_reference_link_id]} 
%{[zeek_cols][browse_response_ref_encoding_mask]} %{[zeek_cols][browse_response_ref_namespace_idx]} %{[zeek_cols][browse_response_ref_numeric]} %{[zeek_cols][browse_response_ref_string]} %{[zeek_cols][browse_response_ref_guid]} %{[zeek_cols][browse_response_ref_opaque]} %{[zeek_cols][browse_response_is_forward]} %{[zeek_cols][browse_response_ref_type_encoding_mask]} %{[zeek_cols][browse_response_ref_type_namespace_idx]} %{[zeek_cols][browse_response_ref_type_numeric]} %{[zeek_cols][browse_response_ref_type_string]} %{[zeek_cols][browse_response_ref_type_guid]} %{[zeek_cols][browse_response_ref_type_opaque]} %{[zeek_cols][browse_response_ref_type_namespace_uri]} %{[zeek_cols][browse_response_ref_type_server_idx]} %{[zeek_cols][browse_response_ref_name_idx]} %{[zeek_cols][browse_response_ref_name]} %{[zeek_cols][browse_response_display_name_mask]} %{[zeek_cols][browse_response_display_name_locale]} %{[zeek_cols][browse_response_display_name_text]} %{[zeek_cols][browse_response_node_class]} %{[zeek_cols][browse_response_type_def_encoding_mask]} %{[zeek_cols][browse_response_type_def_namespace_idx]} %{[zeek_cols][browse_response_type_def_numeric]} %{[zeek_cols][browse_response_type_def_string]} %{[zeek_cols][browse_response_type_def_guid]} %{[zeek_cols][browse_response_type_def_opaque]} %{[zeek_cols][browse_response_type_def_namespace_uri]} %{[zeek_cols][browse_response_type_def_server_idx]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse_response_references" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_browse_response_references" + init => "@zeek_opcua_binary_browse_response_references_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_reference_link_id', 'browse_response_ref_encoding_mask', 'browse_response_ref_namespace_idx', 'browse_response_ref_numeric', 'browse_response_ref_string', 
'browse_response_ref_guid', 'browse_response_ref_opaque', 'browse_response_is_forward', 'browse_response_ref_type_encoding_mask', 'browse_response_ref_type_namespace_idx', 'browse_response_ref_type_numeric', 'browse_response_ref_type_string', 'browse_response_ref_type_guid', 'browse_response_ref_type_opaque', 'browse_response_ref_type_namespace_uri', 'browse_response_ref_type_server_idx', 'browse_response_ref_name_idx', 'browse_response_ref_name', 'browse_response_display_name_mask', 'browse_response_display_name_locale', 'browse_response_display_name_text', 'browse_response_node_class', 'browse_response_type_def_encoding_mask', 'browse_response_type_def_namespace_idx', 'browse_response_type_def_numeric', 'browse_response_type_def_string', 'browse_response_type_def_guid', 'browse_response_type_def_opaque', 'browse_response_type_def_namespace_uri', 'browse_response_type_def_server_idx' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_response_references_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_browse_response_references" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_browse_request_continuation_point") { + ############################################################################################################################# + # opcua_binary_browse_request_continuation_point.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_browse_request_continuation_point" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} 
%{[zeek_cols][resp_p]} %{[zeek_cols][browse_next_link_id]} %{[zeek_cols][continuation_point]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse_request_continuation_point" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_browse_request_continuation_point" + init => "@zeek_opcua_binary_browse_request_continuation_point_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_next_link_id', 'continuation_point' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_request_continuation_point_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_browse_request_continuation_point" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_browse_result") { + ############################################################################################################################# + # opcua_binary_browse_result.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_browse_result" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_response_link_id]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][browse_result_continuation_point]} %{[zeek_cols][browse_reference_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse_result" + split => { "[message]" => " " } + } + ruby { + id => 
"ruby_zip_zeek_opcua_binary_browse_result" + init => "@zeek_opcua_binary_browse_result_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_response_link_id', 'status_code_link_id', 'browse_result_continuation_point', 'browse_reference_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_result_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_browse_result" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_close_session") { + ############################################################################################################################# + # opcua_binary_close_session.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_close_session" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][del_subscriptions]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_close_session" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_close_session" + init => "@zeek_opcua_binary_close_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'del_subscriptions' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_close_session_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => 
"mutate_add_fields_zeek_opcua_binary_close_session" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_event_filter_where_clause") { + ############################################################################################################################# + # opcua_binary_event_filter_where_clause.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_event_filter_where_clause" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][where_clause_link_id]} %{[zeek_cols][content_filter_element_link_id]} %{[zeek_cols][content_filter_status_code_link_id]} %{[zeek_cols][content_filter_diag_info_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_where_clause" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_where_clause" + init => "@zeek_opcua_binary_event_filter_where_clause_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'where_clause_link_id', 'content_filter_element_link_id', 'content_filter_status_code_link_id', 'content_filter_diag_info_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_where_clause_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_where_clause" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + 
} + + } else if ([log_source] == "opcua_binary_event_filter_where_clause_elements") { + ############################################################################################################################# + # opcua_binary_event_filter_where_clause_elements.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_event_filter_where_clause_elements" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_element_link_id]} %{[zeek_cols][filter_operator]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_encoding_mask]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_namespace_idx]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_numeric]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_string]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_guid]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_opaque]} %{[zeek_cols][content_filter_filter_operand_type_id_string]} %{[zeek_cols][content_filter_filter_operand_type_id_encoding]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][content_filter_operand_status_code_link_id]} %{[zeek_cols][content_filter_operand_diag_info_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_where_clause_elements" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_where_clause_elements" + init => "@zeek_opcua_binary_event_filter_where_clause_elements_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 
'orig_p', 'resp_p', 'content_filter_element_link_id', 'filter_operator', 'content_filter_filter_operand_type_id_node_id_encoding_mask', 'content_filter_filter_operand_type_id_node_id_namespace_idx', 'content_filter_filter_operand_type_id_node_id_numeric', 'content_filter_filter_operand_type_id_node_id_string', 'content_filter_filter_operand_type_id_node_id_guid', 'content_filter_filter_operand_type_id_node_id_opaque', 'content_filter_filter_operand_type_id_string', 'content_filter_filter_operand_type_id_encoding', 'content_filter_filter_operand_link_id', 'content_filter_operand_status_code_link_id', 'content_filter_operand_diag_info_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_where_clause_elements_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_where_clause_elements" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_create_monitored_items") { + ############################################################################################################################# + # opcua_binary_create_monitored_items.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_create_monitored_items" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][subscription_id]} %{[zeek_cols][timestamps_to_return]} %{[zeek_cols][timestamps_to_return_str]} %{[zeek_cols][create_item_link_id]} %{[zeek_cols][create_monitored_items_diag_info_link_id]}" + } + } + if 
("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_monitored_items" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_create_monitored_items" + init => "@zeek_opcua_binary_create_monitored_items_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'subscription_id', 'timestamps_to_return', 'timestamps_to_return_str', 'create_item_link_id', 'create_monitored_items_diag_info_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_monitored_items_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_create_monitored_items" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_create_monitored_items_create_item") { + ############################################################################################################################# + # opcua_binary_create_monitored_items_create_item.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_create_monitored_items_create_item" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][create_item_link_id]} %{[zeek_cols][item_to_monitor_node_id_encoding_mask]} %{[zeek_cols][item_to_monitor_node_id_namespace_idx]} %{[zeek_cols][item_to_monitor_node_id_numeric]} %{[zeek_cols][item_to_monitor_node_id_string]} %{[zeek_cols][item_to_monitor_node_id_guid]} %{[zeek_cols][item_to_monitor_node_id_opaque]} 
%{[zeek_cols][item_to_monitor_attribute_id]} %{[zeek_cols][item_to_monitor_index_range]} %{[zeek_cols][item_to_monitor_namespace_idx]} %{[zeek_cols][item_to_monitor_name]} %{[zeek_cols][monitoring_mode]} %{[zeek_cols][monitoring_parameters_client_handle]} %{[zeek_cols][monitoring_parameters_sampling_interval]} %{[zeek_cols][monitoring_parameters_queue_size]} %{[zeek_cols][monitoring_parameters_discard_oldest]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_encoding_mask]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_namespace_idx]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_numeric]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_string]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_guid]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_opaque]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_string]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_encoding]} %{[zeek_cols][filter_info_details_link_id]} %{[zeek_cols][monitoring_parameters_status_code_link_id]} %{[zeek_cols][monitored_item_index_id]} %{[zeek_cols][monitoring_parameters_revised_sampling_interval]} %{[zeek_cols][monitoring_parameters_revised_queue_size]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_monitored_items_create_item" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_create_monitored_items_create_item" + init => "@zeek_opcua_binary_create_monitored_items_create_item_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'create_item_link_id', 'item_to_monitor_node_id_encoding_mask', 'item_to_monitor_node_id_namespace_idx', 'item_to_monitor_node_id_numeric', 'item_to_monitor_node_id_string', 'item_to_monitor_node_id_guid', 'item_to_monitor_node_id_opaque', 'item_to_monitor_attribute_id', 
'item_to_monitor_index_range', 'item_to_monitor_namespace_idx', 'item_to_monitor_name', 'monitoring_mode', 'monitoring_parameters_client_handle', 'monitoring_parameters_sampling_interval', 'monitoring_parameters_queue_size', 'monitoring_parameters_discard_oldest', 'monitoring_parameters_filter_info_type_id_node_id_encoding_mask', 'monitoring_parameters_filter_info_type_id_node_id_namespace_idx', 'monitoring_parameters_filter_info_type_id_node_id_numeric', 'monitoring_parameters_filter_info_type_id_node_id_string', 'monitoring_parameters_filter_info_type_id_node_id_guid', 'monitoring_parameters_filter_info_type_id_node_id_opaque', 'monitoring_parameters_filter_info_type_id_string', 'monitoring_parameters_filter_info_type_id_encoding', 'filter_info_details_link_id', 'monitoring_parameters_status_code_link_id', 'monitored_item_index_id', 'monitoring_parameters_revised_sampling_interval', 'monitoring_parameters_revised_queue_size' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_monitored_items_create_item_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_create_monitored_items_create_item" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_create_session") { + ############################################################################################################################# + # opcua_binary_create_session.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_create_session" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} 
%{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][server_uri]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][session_name]} %{[zeek_cols][client_nonce]} %{[zeek_cols][client_cert_size]} %{[zeek_cols][client_cert]} %{[zeek_cols][req_session_timeout]} %{[zeek_cols][max_res_msg_size]} %{[zeek_cols][session_id_encoding_mask]} %{[zeek_cols][session_id_namespace_idx]} %{[zeek_cols][session_id_numeric]} %{[zeek_cols][session_id_string]} %{[zeek_cols][session_id_guid]} %{[zeek_cols][session_id_opaque]} %{[zeek_cols][auth_token_encoding_mask]} %{[zeek_cols][auth_token_namespace_idx]} %{[zeek_cols][auth_token_numeric]} %{[zeek_cols][auth_token_string]} %{[zeek_cols][auth_token_guid]} %{[zeek_cols][auth_token_opaque]} %{[zeek_cols][revised_session_timeout]} %{[zeek_cols][server_nonce]} %{[zeek_cols][server_cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][endpoint_link_id]} %{[zeek_cols][algorithm]} %{[zeek_cols][signature]} %{[zeek_cols][max_req_msg_size]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_session" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_create_session" + init => "@zeek_opcua_binary_create_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'server_uri', 'endpoint_url', 'session_name', 'client_nonce', 'client_cert_size', 'client_cert', 'req_session_timeout', 'max_res_msg_size', 'session_id_encoding_mask', 
'session_id_namespace_idx', 'session_id_numeric', 'session_id_string', 'session_id_guid', 'session_id_opaque', 'auth_token_encoding_mask', 'auth_token_namespace_idx', 'auth_token_numeric', 'auth_token_string', 'auth_token_guid', 'auth_token_opaque', 'revised_session_timeout', 'server_nonce', 'server_cert_size', 'server_cert', 'endpoint_link_id', 'algorithm', 'signature', 'max_req_msg_size' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_create_session" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_create_session_discovery") { + ############################################################################################################################# + # opcua_binary_create_session_discovery.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_create_session_discovery" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_url]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_session_discovery" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_create_session_discovery" + init => "@zeek_opcua_binary_create_session_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 
'discovery_profile_link_id', 'discovery_profile_uri', 'discovery_profile_url' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_discovery_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_create_session_discovery" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_create_session_endpoints") { + ############################################################################################################################# + # opcua_binary_create_session_endpoints.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_create_session_endpoints" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][endpoint_link_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_session_endpoints" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_create_session_endpoints" + init => 
"@zeek_opcua_binary_create_session_endpoints_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'endpoint_link_id', 'endpoint_url', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_link_id', 'transport_profile_uri', 'security_level' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_endpoints_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_create_session_endpoints" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_create_session_user_token") { + ############################################################################################################################# + # opcua_binary_create_session_user_token.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_create_session_user_token" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_session_user_token" + split => { "[message]" => " " } + } + ruby 
{
+ id => "ruby_zip_zeek_opcua_binary_create_session_user_token"
+ init => "@zeek_opcua_binary_create_session_user_token_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'user_token_link_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_user_token_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_create_session_user_token"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_create_subscription") {
+ #############################################################################################################################
+ # opcua_binary_create_subscription.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_create_subscription"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][requested_publishing_interval]} %{[zeek_cols][requested_lifetime_count]} %{[zeek_cols][requested_max_keep_alive_count]} %{[zeek_cols][max_notifications_per_publish]} %{[zeek_cols][publishing_enabled]} %{[zeek_cols][priority]} %{[zeek_cols][subscription_id]} %{[zeek_cols][revised_publishing_interval]} %{[zeek_cols][revised_lifetime_count]} %{[zeek_cols][revised_max_keep_alive_count]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => 
"mutate_split_zeek_opcua_binary_create_subscription"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_create_subscription"
+ init => "@zeek_opcua_binary_create_subscription_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'requested_publishing_interval', 'requested_lifetime_count', 'requested_max_keep_alive_count', 'max_notifications_per_publish', 'publishing_enabled', 'priority', 'subscription_id', 'revised_publishing_interval', 'revised_lifetime_count', 'revised_max_keep_alive_count' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_subscription_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_create_subscription"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_data_change_filter") {
+ #############################################################################################################################
+ # opcua_binary_data_change_filter.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_data_change_filter"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][trigger]} %{[zeek_cols][deadband_type]} %{[zeek_cols][deadband_value]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_data_change_filter"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => 
"ruby_zip_zeek_opcua_binary_data_change_filter"
+ init => "@zeek_opcua_binary_data_change_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'trigger', 'deadband_type', 'deadband_value' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_data_change_filter_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_data_change_filter"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_diag_info_detail") {
+ #############################################################################################################################
+ # opcua_binary_diag_info_detail.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_diag_info_detail"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][diag_info_link_id]} %{[zeek_cols][root_object_id]} %{[zeek_cols][source]} %{[zeek_cols][source_str]} %{[zeek_cols][inner_diag_level]} %{[zeek_cols][has_symbolic_id]} %{[zeek_cols][symbolic_id]} %{[zeek_cols][symbolic_id_str]} %{[zeek_cols][has_namespace_uri]} %{[zeek_cols][namespace_uri]} %{[zeek_cols][namespace_uri_str]} %{[zeek_cols][has_locale]} %{[zeek_cols][locale]} %{[zeek_cols][locale_str]} %{[zeek_cols][has_locale_txt]} %{[zeek_cols][locale_txt]} %{[zeek_cols][locale_txt_str]} %{[zeek_cols][has_addl_info]} %{[zeek_cols][addl_info]} %{[zeek_cols][has_inner_stat_code]} %{[zeek_cols][inner_stat_code]} 
%{[zeek_cols][has_inner_diag_info]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_diag_info_detail"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_diag_info_detail"
+ init => "@zeek_opcua_binary_diag_info_detail_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'diag_info_link_id', 'root_object_id', 'source', 'source_str', 'inner_diag_level', 'has_symbolic_id', 'symbolic_id', 'symbolic_id_str', 'has_namespace_uri', 'namespace_uri', 'namespace_uri_str', 'has_locale', 'locale', 'locale_str', 'has_locale_txt', 'locale_txt', 'locale_txt_str', 'has_addl_info', 'addl_info', 'has_inner_stat_code', 'inner_stat_code', 'has_inner_diag_info' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_diag_info_detail_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_diag_info_detail"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter_element_operand") {
+ #############################################################################################################################
+ # opcua_binary_event_filter_element_operand.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter_element_operand"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][element_index]}"
+ }
+ }
+ if 
("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_event_filter_element_operand"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_event_filter_element_operand"
+ init => "@zeek_opcua_binary_event_filter_element_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'element_index' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_element_operand_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_event_filter_element_operand"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter") {
+ #############################################################################################################################
+ # opcua_binary_event_filter.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][select_clause_link_id]} %{[zeek_cols][where_clause_content_filter_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_event_filter"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_event_filter"
+ init => "@zeek_opcua_binary_event_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 
'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'select_clause_link_id', 'where_clause_content_filter_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_event_filter"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_get_endpoints") {
+ #############################################################################################################################
+ # opcua_binary_get_endpoints.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_get_endpoints"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][profile_uri_link_id]} %{[zeek_cols][endpoint_description_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_get_endpoints"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_get_endpoints"
+ init => "@zeek_opcua_binary_get_endpoints_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'endpoint_url', 'locale_link_id', 'profile_uri_link_id', 'endpoint_description_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => 
"mutate_add_fields_zeek_opcua_binary_get_endpoints"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_get_endpoints_description") {
+ #############################################################################################################################
+ # opcua_binary_get_endpoints_description.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_get_endpoints_description"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][endpoint_description_link_id]} %{[zeek_cols][endpoint_uri]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_get_endpoints_description"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_get_endpoints_description"
+ init => "@zeek_opcua_binary_get_endpoints_description_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'endpoint_description_link_id', 'endpoint_uri', 'application_uri', 
'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_link_id', 'transport_profile_uri', 'security_level' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_description_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_description"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_get_endpoints_discovery") {
+ #############################################################################################################################
+ # opcua_binary_get_endpoints_discovery.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_get_endpoints_discovery"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][discovery_profile_url]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_get_endpoints_discovery"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_get_endpoints_discovery"
+ init => "@zeek_opcua_binary_get_endpoints_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'discovery_profile_link_id', 'discovery_profile_url' ]"
+ code => "event.set('[zeek_cols]', 
@zeek_opcua_binary_get_endpoints_discovery_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_discovery"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_get_endpoints_locale_id") {
+ #############################################################################################################################
+ # opcua_binary_get_endpoints_locale_id.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_get_endpoints_locale_id"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][locale_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_get_endpoints_locale_id"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_get_endpoints_locale_id"
+ init => "@zeek_opcua_binary_get_endpoints_locale_id_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'locale_link_id', 'locale_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_locale_id_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_locale_id"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_get_endpoints_profile_uri") {
+ 
#############################################################################################################################
+ # opcua_binary_get_endpoints_profile_uri.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_get_endpoints_profile_uri"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][profile_uri_link_id]} %{[zeek_cols][profile_uri]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_get_endpoints_profile_uri"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_get_endpoints_profile_uri"
+ init => "@zeek_opcua_binary_get_endpoints_profile_uri_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'profile_uri_link_id', 'profile_uri' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_profile_uri_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_profile_uri"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_get_endpoints_user_token") {
+ #############################################################################################################################
+ # opcua_binary_get_endpoints_user_token.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_get_endpoints_user_token"
+ mapping => {
+ 
"[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_get_endpoints_user_token"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_get_endpoints_user_token"
+ init => "@zeek_opcua_binary_get_endpoints_user_token_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'user_token_link_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_user_token_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_user_token"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter_literal_operand") {
+ #############################################################################################################################
+ # opcua_binary_event_filter_literal_operand.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter_literal_operand"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} 
%{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][literal_operand_variant_link]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_event_filter_literal_operand"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_event_filter_literal_operand"
+ init => "@zeek_opcua_binary_event_filter_literal_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'literal_operand_variant_link' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_literal_operand_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_event_filter_literal_operand"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_opensecure_channel") {
+ #############################################################################################################################
+ # opcua_binary_opensecure_channel.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_opensecure_channel"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][client_proto_ver]} %{[zeek_cols][sec_token_request_type]} %{[zeek_cols][message_security_mode]} 
%{[zeek_cols][client_nonce]} %{[zeek_cols][req_lifetime]} %{[zeek_cols][server_proto_ver]} %{[zeek_cols][sec_token_sec_channel_id]} %{[zeek_cols][sec_token_id]} %{[zeek_cols][sec_token_created_at]} %{[zeek_cols][sec_token_revised_time]} %{[zeek_cols][server_nonce]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_opensecure_channel"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_opensecure_channel"
+ init => "@zeek_opcua_binary_opensecure_channel_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'client_proto_ver', 'sec_token_request_type', 'message_security_mode', 'client_nonce', 'req_lifetime', 'server_proto_ver', 'sec_token_sec_channel_id', 'sec_token_id', 'sec_token_created_at', 'sec_token_revised_time', 'server_nonce' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_opensecure_channel_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_opensecure_channel"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_read") {
+ #############################################################################################################################
+ # opcua_binary_read.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_read"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][max_age]} 
%{[zeek_cols][timestamps_to_return]} %{[zeek_cols][timestamps_to_return_str]} %{[zeek_cols][nodes_to_read_link_id]} %{[zeek_cols][read_results_link_id]} %{[zeek_cols][diag_info_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_read"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_read"
+ init => "@zeek_opcua_binary_read_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'max_age', 'timestamps_to_return', 'timestamps_to_return_str', 'nodes_to_read_link_id', 'read_results_link_id', 'diag_info_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_read"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_read_nodes_to_read") {
+ #############################################################################################################################
+ # opcua_binary_read_nodes_to_read.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_read_nodes_to_read"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][nodes_to_read_link_id]} %{[zeek_cols][node_id_encoding_mask]} %{[zeek_cols][node_id_namespace_idx]} %{[zeek_cols][node_id_numeric]} %{[zeek_cols][node_id_string]} %{[zeek_cols][node_id_guid]} %{[zeek_cols][node_id_opaque]} %{[zeek_cols][attribute_id]} 
%{[zeek_cols][attribute_id_str]} %{[zeek_cols][index_range]} %{[zeek_cols][data_encoding_name_idx]} %{[zeek_cols][data_encoding_name]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_read_nodes_to_read"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_read_nodes_to_read"
+ init => "@zeek_opcua_binary_read_nodes_to_read_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'nodes_to_read_link_id', 'node_id_encoding_mask', 'node_id_namespace_idx', 'node_id_numeric', 'node_id_string', 'node_id_guid', 'node_id_opaque', 'attribute_id', 'attribute_id_str', 'index_range', 'data_encoding_name_idx', 'data_encoding_name' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_nodes_to_read_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_read_nodes_to_read"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_read_results") {
+ #############################################################################################################################
+ # opcua_binary_read_results.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_read_results"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][results_link_id]} %{[zeek_cols][level]} %{[zeek_cols][data_value_encoding_mask]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source_timestamp]} 
%{[zeek_cols][source_pico_sec]} %{[zeek_cols][server_timestamp]} %{[zeek_cols][server_pico_sec]} %{[zeek_cols][read_results_variant_metadata_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_read_results"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_read_results"
+ init => "@zeek_opcua_binary_read_results_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'results_link_id', 'level', 'data_value_encoding_mask', 'status_code_link_id', 'source_timestamp', 'source_pico_sec', 'server_timestamp', 'server_pico_sec', 'read_results_variant_metadata_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_results_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_read_results"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter_select_clause") {
+ #############################################################################################################################
+ # opcua_binary_event_filter_select_clause.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter_select_clause"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][select_clause_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} 
%{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][attribute_id]} %{[zeek_cols][index_range]} %{[zeek_cols][select_clause_status_code_link_id]} %{[zeek_cols][select_clause_diagnostic_info_link_id]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_opcua_binary_event_filter_select_clause"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_opcua_binary_event_filter_select_clause"
+ init => "@zeek_opcua_binary_event_filter_select_clause_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'select_clause_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'simple_attribute_operand_browse_path_link_id', 'attribute_id', 'index_range', 'select_clause_status_code_link_id', 'select_clause_diagnostic_info_link_id' ]"
+ code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_select_clause_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_opcua_binary_event_filter_select_clause"
+ add_field => {
+ "[zeek_cols][proto]" => "tcp"
+ "[zeek_cols][service]" => "opcua-binary"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "opcua_binary_event_filter_simple_attribute_operand") {
+ #############################################################################################################################
+ # opcua_binary_event_filter_simple_attribute_operand.log
+ # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_opcua_binary_event_filter_simple_attribute_operand"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} 
%{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][attribute_id]} %{[zeek_cols][index_range]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_simple_attribute_operand" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_simple_attribute_operand" + init => "@zeek_opcua_binary_event_filter_simple_attribute_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'simple_attribute_operand_browse_path_link_id', 'attribute_id', 'index_range' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_simple_attribute_operand_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_simple_attribute_operand" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_event_filter_simple_attribute_operand_browse_paths") { + ############################################################################################################################# + # opcua_binary_event_filter_simple_attribute_operand_browse_paths.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in 
[tags]) { + dissect { + id => "dissect_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][browse_path_src]} %{[zeek_cols][namespace_index]} %{[zeek_cols][name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" + init => "@zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'simple_attribute_operand_browse_path_link_id', 'browse_path_src', 'namespace_index', 'name' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_status_code_detail") { + ############################################################################################################################# + # opcua_binary_status_code_detail.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_status_code_detail" + mapping => { + "[message]" => 
"%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source]} %{[zeek_cols][source_str]} %{[zeek_cols][source_level]} %{[zeek_cols][status_code]} %{[zeek_cols][severity]} %{[zeek_cols][severity_str]} %{[zeek_cols][sub_code]} %{[zeek_cols][sub_code_str]} %{[zeek_cols][structure_changed]} %{[zeek_cols][semantics_changed]} %{[zeek_cols][info_type]} %{[zeek_cols][info_type_str]} %{[zeek_cols][limit_bits]} %{[zeek_cols][limit_bits_str]} %{[zeek_cols][overflow]} %{[zeek_cols][historian_bits]} %{[zeek_cols][historian_bits_str]} %{[zeek_cols][historianpartial]} %{[zeek_cols][historianextradata]} %{[zeek_cols][historianmultivalue]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_status_code_detail" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_status_code_detail" + init => "@zeek_opcua_binary_status_code_detail_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'status_code_link_id', 'source', 'source_str', 'source_level', 'status_code', 'severity', 'severity_str', 'sub_code', 'sub_code_str', 'structure_changed', 'semantics_changed', 'info_type', 'info_type_str', 'limit_bits', 'limit_bits_str', 'overflow', 'historian_bits', 'historian_bits_str', 'historianpartial', 'historianextradata', 'historianmultivalue' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_status_code_detail_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_status_code_detail" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if 
([log_source] == "opcua_binary_variant_array_dims") { + ############################################################################################################################# + # opcua_binary_variant_array_dims.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_variant_array_dims" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][array_dim_link_id]} %{[zeek_cols][dimension]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_variant_array_dims" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_variant_array_dims" + init => "@zeek_opcua_binary_variant_array_dims_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'array_dim_link_id', 'dimension' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_array_dims_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_variant_array_dims" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_variant_data") { + ############################################################################################################################# + # opcua_binary_variant_data.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_variant_data" + mapping => { + "[message]" => "%{[zeek_cols][ts]} 
%{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_data_link_id]} %{[zeek_cols][variant_data_value_signed_numeric]} %{[zeek_cols][variant_data_value_unsigned_numeric]} %{[zeek_cols][variant_data_value_string]} %{[zeek_cols][variant_data_node_id_encoding_mask]} %{[zeek_cols][variant_data_node_id_namespace_idx]} %{[zeek_cols][variant_data_node_id_numeric]} %{[zeek_cols][variant_data_node_id_string]} %{[zeek_cols][variant_data_node_id_guid]} %{[zeek_cols][variant_data_node_id_opaque]} %{[zeek_cols][variant_data_node_id_namespace_uri]} %{[zeek_cols][variant_data_node_id_server_idx]} %{[zeek_cols][variant_data_value_time]} %{[zeek_cols][variant_data_encoding_name_idx]} %{[zeek_cols][variant_data_encoding_name]} %{[zeek_cols][variant_data_mask]} %{[zeek_cols][variant_data_locale]} %{[zeek_cols][variant_data_text]} %{[zeek_cols][variant_data_value_decimal]} %{[zeek_cols][variant_data_status_code_link_id]} %{[zeek_cols][variant_data_diag_info_link_id]} %{[zeek_cols][variant_data_ext_obj_link_id]} %{[zeek_cols][variant_metadata_data_link_id]} %{[zeek_cols][variant_data_value_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_variant_data" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_variant_data" + init => "@zeek_opcua_binary_variant_data_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_data_link_id', 'variant_data_value_signed_numeric', 'variant_data_value_unsigned_numeric', 'variant_data_value_string', 'variant_data_node_id_encoding_mask', 'variant_data_node_id_namespace_idx', 'variant_data_node_id_numeric', 'variant_data_node_id_string', 'variant_data_node_id_guid', 
'variant_data_node_id_opaque', 'variant_data_node_id_namespace_uri', 'variant_data_node_id_server_idx', 'variant_data_value_time', 'variant_data_encoding_name_idx', 'variant_data_encoding_name', 'variant_data_mask', 'variant_data_locale', 'variant_data_text', 'variant_data_value_decimal', 'variant_data_status_code_link_id', 'variant_data_diag_info_link_id', 'variant_data_ext_obj_link_id', 'variant_metadata_data_link_id', 'variant_data_value_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_data_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_variant_data" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_variant_data_value") { + ############################################################################################################################# + # opcua_binary_variant_data_value.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_variant_data_value" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_data_value_source_link]} %{[zeek_cols][data_value_encoding_mask]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source_timestamp]} %{[zeek_cols][source_pico_sec]} %{[zeek_cols][server_timestamp]} %{[zeek_cols][server_pico_sec]} %{[zeek_cols][variant_metadata_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_variant_data_value" + split => { "[message]" => " " } + } + ruby { + id => 
"ruby_zip_zeek_opcua_binary_variant_data_value" + init => "@zeek_opcua_binary_variant_data_value_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_data_value_source_link', 'data_value_encoding_mask', 'status_code_link_id', 'source_timestamp', 'source_pico_sec', 'server_timestamp', 'server_pico_sec', 'variant_metadata_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_data_value_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_variant_data_value" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_variant_extension_object") { + ############################################################################################################################# + # opcua_binary_variant_extension_object.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_variant_extension_object" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ext_obj_link_id]} %{[zeek_cols][ext_obj_node_id_encoding_mask]} %{[zeek_cols][ext_obj_node_id_namespace_idx]} %{[zeek_cols][ext_obj_node_id_numeric]} %{[zeek_cols][ext_obj_node_id_string]} %{[zeek_cols][ext_obj_node_id_guid]} %{[zeek_cols][ext_obj_node_id_opaque]} %{[zeek_cols][ext_obj_type_id_str]} %{[zeek_cols][ext_obj_encoding]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_variant_extension_object" + split => { "[message]" => " " } + 
} + ruby { + id => "ruby_zip_zeek_opcua_binary_variant_extension_object" + init => "@zeek_opcua_binary_variant_extension_object_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'ext_obj_link_id', 'ext_obj_node_id_encoding_mask', 'ext_obj_node_id_namespace_idx', 'ext_obj_node_id_numeric', 'ext_obj_node_id_string', 'ext_obj_node_id_guid', 'ext_obj_node_id_opaque', 'ext_obj_type_id_str', 'ext_obj_encoding' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_extension_object_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_variant_extension_object" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "opcua_binary_variant_metadata") { + ############################################################################################################################# + # opcua_binary_variant_metadata.log + # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_opcua_binary_variant_metadata" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_source_data_link_id]} %{[zeek_cols][variant_data_source]} %{[zeek_cols][variant_data_source_str]} %{[zeek_cols][dara_variant_encoding_mask]} %{[zeek_cols][data_variant_data_type]} %{[zeek_cols][data_variant_data_type_str]} %{[zeek_cols][built_in_data_type]} %{[zeek_cols][built_in_data_type_str]} %{[zeek_cols][variant_data_link_id]} %{[zeek_cols][variant_data_array_dim]} %{[zeek_cols][variant_data_array_multi_dim_link_id]}" 
+ } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_variant_metadata" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_opcua_binary_variant_metadata" + init => "@zeek_opcua_binary_variant_metadata_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_source_data_link_id', 'variant_data_source', 'variant_data_source_str', 'dara_variant_encoding_mask', 'data_variant_data_type', 'data_variant_data_type_str', 'built_in_data_type', 'built_in_data_type_str', 'variant_data_link_id', 'variant_data_array_dim', 'variant_data_array_multi_dim_link_id' ]" + code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_metadata_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_opcua_binary_variant_metadata" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "ics" ] + } + + } else { + # some other unknown zeek opcua- log file. should start with ts at least! + + if ("_jsonparsesuccess" not in [tags]) { + csv { + id => "csv_zeek_unknown_opcua" + columns => ["ts"] + separator => " " + # there's no way to *disable* the csv quote char, so set it to something we'll never see + quote_char => " " + + target => "[zeek_cols]" + } + } + + mutate { id => "mutate_add_tag_zeek_unknown_opcua" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" + } + add_tag => [ "_unknown_log_type" ] + } + + } # if / else if for opcua log types + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1044_zeek_ospf.conf b/logstash/pipelines/zeek/1044_zeek_ospf.conf new file mode 100644 index 000000000..462bb4979 --- /dev/null +++ b/logstash/pipelines/zeek/1044_zeek_ospf.conf 
@@ -0,0 +1,59 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "ospf") {
+ #############################################################################################################################
+ # ospf.log
+ # https://github.com/corelight/zeek-spicy-ospf
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ospf_fields"
+ rename => { "[zeek_cols][ip_dst]" => "[zeek_cols][orig_h]" }
+ rename => { "[zeek_cols][ip_src]" => "[zeek_cols][resp_h]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_ospf"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][resp_h]} %{[zeek_cols][ospf_type]} %{[zeek_cols][version]} %{[zeek_cols][router_id]} %{[zeek_cols][area_id]} %{[zeek_cols][interface_id]} %{[zeek_cols][netmask]} %{[zeek_cols][desig_router]} %{[zeek_cols][backup_router]} %{[zeek_cols][neighbors]} %{[zeek_cols][lsa_type]} %{[zeek_cols][link_state_id]} %{[zeek_cols][advert_router]} %{[zeek_cols][routers]} %{[zeek_cols][link_id]} %{[zeek_cols][link_data]} %{[zeek_cols][link_type]} %{[zeek_cols][neighbor_router_id]} %{[zeek_cols][metrics]} %{[zeek_cols][fwd_addrs]} %{[zeek_cols][route_tags]} %{[zeek_cols][neighbor_interface_id]} %{[zeek_cols][prefix]} %{[zeek_cols][metric]} %{[zeek_cols][dest_router_id]} %{[zeek_cols][link_prefixes]} %{[zeek_cols][intra_prefixes]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_ospf"
+ split => { "[message]" => " " }
+ }
+
+ ruby {
+ id => "ruby_zip_zeek_ospf"
+ init => "@zeek_ospf_field_names = [ 'ts', 'orig_h', 'resp_h', 'ospf_type', 'version', 'router_id', 'area_id', 'interface_id', 'netmask', 'desig_router', 'backup_router', 'neighbors', 'lsa_type', 'link_state_id', 'advert_router', 'routers', 'link_id', 'link_data', 'link_type', 'neighbor_router_id', 'metrics', 'fwd_addrs', 'route_tags', 'neighbor_interface_id', 'prefix', 'metric', 'dest_router_id', 'link_prefixes', 'intra_prefixes' ]"
+ code => "event.set('[zeek_cols]', @zeek_ospf_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_ospf_commas"
+ split => { "[zeek_cols][neighbors]" => ","
+ "[zeek_cols][routers]" => ","
+ "[zeek_cols][metrics]" => ","
+ "[zeek_cols][fwd_addrs]" => ","
+ "[zeek_cols][route_tags]" => ","
+ "[zeek_cols][link_prefixes]" => ","
+ "[zeek_cols][intra_prefixes]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_ospf"
+ add_field => {
+ "[zeek_cols][proto]" => "ospf"
+ "[zeek_cols][service]" => "ospf"
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1045_zeek_pe.conf b/logstash/pipelines/zeek/1045_zeek_pe.conf
new file mode 100644
index 000000000..992c6829d
--- /dev/null
+++ b/logstash/pipelines/zeek/1045_zeek_pe.conf
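Review bot: The JSON and TSV branches disagree about which address becomes orig_h: the dissect mapping puts the second column into orig_h and the third into resp_h, while the rename block maps ip_dst → orig_h and ip_src → resp_h, so unless the TSV writes ip_dst before ip_src (the upstream log definition lists ip_src first, as far as I know) one of the two branches is reversed. If the dissect order is the intended one, the fix is `rename => { "[zeek_cols][ip_src]" => "[zeek_cols][orig_h]" }` and `rename => { "[zeek_cols][ip_dst]" => "[zeek_cols][resp_h]" }`. The ruby fallback list in this hunk does match the dissect mapping column for column; the same comparison is worth running on the opcua_binary_* blocks in the preceding file, where every `*_field_names` array omits 'resp_h' although the corresponding dissect mappings include it, so the fallback path there shifts every column after orig_p by one.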
@@ -0,0 +1,43 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "pe") {
+ #############################################################################################################################
+ # pe.log
+ # https://docs.zeek.org/en/stable/scripts/base/files/pe/main.zeek.html#type-PE::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_pe_fields"
+ rename => { "[zeek_cols][id]" => "[zeek_cols][fuid]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_pe"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][machine]} %{[zeek_cols][compile_ts]} %{[zeek_cols][os]} %{[zeek_cols][subsystem]} %{[zeek_cols][is_exe]} %{[zeek_cols][is_64bit]} %{[zeek_cols][uses_aslr]} %{[zeek_cols][uses_dep]} %{[zeek_cols][uses_code_integrity]} %{[zeek_cols][uses_seh]} %{[zeek_cols][has_import_table]} %{[zeek_cols][has_export_table]} %{[zeek_cols][has_cert_table]} %{[zeek_cols][has_debug_data]} %{[zeek_cols][section_names]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_pe"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_pe"
+ init => "@zeek_pe_field_names = [ 'ts', 'fuid', 'machine', 'compile_ts', 'os', 'subsystem', 'is_exe', 'is_64bit', 'uses_aslr', 'uses_dep', 'uses_code_integrity', 'uses_seh', 'has_import_table', 'has_export_table', 'has_cert_table', 'has_debug_data', 'section_names' ]"
+ code => "event.set('[zeek_cols]', @zeek_pe_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_pe_section_names"
+ split => { "[zeek_cols][section_names]" => "," } }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1046_zeek_profinet.conf b/logstash/pipelines/zeek/1046_zeek_profinet.conf
new file mode 100644
index 000000000..e02d05afc
--- /dev/null
+++ b/logstash/pipelines/zeek/1046_zeek_profinet.conf 
@@ -0,0 +1,115 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "profinet") {
+ #############################################################################################################################
+ # profinet.log
+ # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_profinet"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][operation_type]} %{[zeek_cols][block_version]} %{[zeek_cols][slot_number]} %{[zeek_cols][subslot_number]} %{[zeek_cols][index]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_profinet"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_profinet"
+ init => "@zeek_profinet_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'operation_type', 'block_version', 'slot_number', 'subslot_number', 'index' ]"
+ code => "event.set('[zeek_cols]', @zeek_profinet_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_profinet"
+ add_field => { "[zeek_cols][service]" => "profinet" }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "profinet_dce_rpc") {
+ #############################################################################################################################
+ # profinet_dce_rpc.log
+ # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_profinet_dce_rpc"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][packet_type]} %{[zeek_cols][object_uuid]} %{[zeek_cols][interface_uuid]} %{[zeek_cols][activity_uuid]} %{[zeek_cols][server_boot_time]} %{[zeek_cols][operation]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_profinet_dce_rpc"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_profinet_dce_rpc"
+ init => "@zeek_profinet_dce_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'packet_type', 'object_uuid', 'interface_uuid', 'activity_uuid', 'server_boot_time', 'operation' ]"
+ code => "event.set('[zeek_cols]', @zeek_profinet_dce_rpc_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_profinet_dce_rpc"
+ add_field => { "[zeek_cols][service]" => "profinet_dce_rpc" }
+ add_tag => [ "ics" ]
+ }
+
+ } else if ([log_source] == "profinet_io_cm") {
+ #############################################################################################################################
+ # profinet_io_cm.log
+ # https://github.com/cisagov/icsnpp-profinet-io-cm
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_profinet_io_cm_fields"
+ rename => { "[zeek_cols][array_of_sel_ack]" => "[zeek_cols][sel_ack]" }
+ rename => { "[zeek_cols][operation_num]" => "[zeek_cols][operation]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_profinet_io_cm"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][rpc_version]} %{[zeek_cols][packet_type]} %{[zeek_cols][reserved_for_impl_1]} %{[zeek_cols][last_fragment]} %{[zeek_cols][fragment]} %{[zeek_cols][no_fragment_requested]} %{[zeek_cols][maybe]} %{[zeek_cols][idempotent]} %{[zeek_cols][broadcast]} %{[zeek_cols][reserved_for_impl_2]} %{[zeek_cols][cancel_was_pending_at_call_end]} %{[zeek_cols][integer_encoding]} %{[zeek_cols][character_encoding]} %{[zeek_cols][floating_point_encoding]} %{[zeek_cols][serial_high]} %{[zeek_cols][object_uuid]} %{[zeek_cols][interface_uuid]} %{[zeek_cols][activity_uuid]} %{[zeek_cols][server_boot_time]} %{[zeek_cols][interface_vers_major]} %{[zeek_cols][interface_vers_minor]} %{[zeek_cols][sequence_num]} %{[zeek_cols][operation]} %{[zeek_cols][interface_hint]} %{[zeek_cols][activity_hint]} %{[zeek_cols][len_of_body]} %{[zeek_cols][fragment_num]} %{[zeek_cols][auth_protocol]} %{[zeek_cols][serial_low]} %{[zeek_cols][vers_fack]} %{[zeek_cols][window_size]} %{[zeek_cols][max_tsdu]} %{[zeek_cols][max_frag_size]} %{[zeek_cols][serial_number]} %{[zeek_cols][sel_ack_len]} %{[zeek_cols][sel_ack]}"
+ }
+ }
+
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_profinet_io_cm"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_profinet_io_cm"
+ init => "$zeek_profinet_io_cm_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'rpc_version', 'packet_type', 'reserved_for_impl_1', 'last_fragment', 'fragment', 'no_fragment_requested', 'maybe', 'idempotent', 'broadcast', 'reserved_for_impl_2', 'cancel_was_pending_at_call_end', 'integer_encoding', 'character_encoding', 'floating_point_encoding', 'serial_high', 'object_uuid', 'interface_uuid', 'activity_uuid', 'server_boot_time', 'interface_vers_major', 'interface_vers_minor', 'sequence_num', 'operation', 'interface_hint', 'activity_hint', 'len_of_body', 'fragment_num', 'auth_protocol', 'serial_low', 'vers_fack', 'window_size', 'max_tsdu', 'max_frag_size', 'serial_number', 'sel_ack_len', 'sel_ack' ]"
+ code => "event.set('[zeek_cols]', $zeek_profinet_io_cm_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_profinet_io_cm_commas"
+ split => { "[zeek_cols][sel_ack]" => "," } }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_profinet_io_cm"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ }
+ add_tag => [ "ics" ]
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1047_zeek_radius.conf b/logstash/pipelines/zeek/1047_zeek_radius.conf
new file mode 100644
index 000000000..8164bdcd2
--- /dev/null
+++ b/logstash/pipelines/zeek/1047_zeek_radius.conf
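Review bot: In the profinet_io_cm block, `add_field => { "[zeek_cols][proto]" => "udp" }` runs on an event that already carries `[zeek_cols][proto]` — the dissect mapping extracts a proto column, and the JSON branch presumably keeps the log's own field — and mutate's add_field appends to an existing field, so proto ends up as a two-element array instead of "udp" unless a later stage flattens it. Either drop that add_field and keep the value from the log, or make the intent explicit with `replace => { "[zeek_cols][proto]" => "udp" }`. Separately, the profinet_io_cm ruby filter keeps its column list in a Ruby global (`$zeek_profinet_io_cm_field_names` in both init and code) while every other ruby block in this commit uses an instance variable; a global is visible to every ruby filter instance in the process, so `@zeek_profinet_io_cm_field_names` would be consistent with the rest of the pipeline and rule out accidental collisions.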
@@ -0,0 +1,46 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "radius") {
+ #############################################################################################################################
+ # radius.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_radius_fields"
+ rename => { "[zeek_cols][username]" => "[zeek_cols][user]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_radius"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][mac]} %{[zeek_cols][framed_addr]} %{[zeek_cols][tunnel_client]} %{[zeek_cols][connect_info]} %{[zeek_cols][reply_msg]} %{[zeek_cols][result]} %{[zeek_cols][ttl]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_radius"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_radius"
+ init => "@zeek_radius_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'mac', 'framed_addr', 'tunnel_client', 'connect_info', 'reply_msg', 'result', 'ttl' ]"
+ code => "event.set('[zeek_cols]', @zeek_radius_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_radius"
+ add_field => { "[zeek_cols][service]" => "radius" }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1048_zeek_rdp.conf b/logstash/pipelines/zeek/1048_zeek_rdp.conf
new file mode 100644
index 000000000..c773b9962
--- /dev/null
+++ b/logstash/pipelines/zeek/1048_zeek_rdp.conf
@@ -0,0 +1,46 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "rdp") { + ############################################################################################################################# + # rdp.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_rdp_with_all_fields" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cookie]} %{[zeek_cols][result]} %{[zeek_cols][security_protocol]} %{[zeek_cols][client_channels]} %{[zeek_cols][keyboard_layout]} %{[zeek_cols][client_build]} %{[zeek_cols][client_name]} %{[zeek_cols][client_dig_product_id]} %{[zeek_cols][desktop_width]} %{[zeek_cols][desktop_height]} %{[zeek_cols][requested_color_depth]} %{[zeek_cols][cert_type]} %{[zeek_cols][cert_count]} %{[zeek_cols][cert_permanent]} %{[zeek_cols][encryption_level]} %{[zeek_cols][encryption_method]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_rdp" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_rdp" + init => "@zeek_rdp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cookie', 'result', 'security_protocol', 'client_channels', 'keyboard_layout', 'client_build', 'client_name', 'client_dig_product_id', 'desktop_width', 'desktop_height', 'requested_color_depth', 'cert_type', 'cert_count', 'cert_permanent', 'encryption_level', 'encryption_method' ]" + code => "event.set('[zeek_cols]', @zeek_rdp_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_rdp_client_channels" + split => { "[zeek_cols][client_channels]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_rdp" + add_field => { 
"[zeek_cols][service]" => "rdp" } + } + + # remove RDP prefix from client_build (version) + mutate { id => "mutate_gsub_field_zeek_rdp_client_build" + gsub => [ "[zeek_cols][client_build]", "^RDP ", "" ] } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1049_zeek_rfb.conf b/logstash/pipelines/zeek/1049_zeek_rfb.conf new file mode 100644 index 000000000..e65d628fc --- /dev/null +++ b/logstash/pipelines/zeek/1049_zeek_rfb.conf 
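Review bot: The dissect id `dissect_zeek_rdp_with_all_fields` breaks the `dissect_zeek_<log>` naming every other new file uses (`dissect_zeek_radius`, `dissect_zeek_rfb`, `dissect_zeek_sip`); `dissect_zeek_smb_files_with_all_fields` and `dissect_zeek_ssh_with_all_fields_with_hassh` carry the same suffix. The suffix looks like a leftover from a layout with several mappings per log; with one mapping per log it only makes plugin ids harder to grep and correlate in pipeline metrics. Suggest `id => "dissect_zeek_rdp"` here and the matching renames in the smb and ssh files.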
@@ -0,0 +1,39 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "rfb") {
+ #############################################################################################################################
+ # rfb.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_rfb"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_major_version]} %{[zeek_cols][client_minor_version]} %{[zeek_cols][server_major_version]} %{[zeek_cols][server_minor_version]} %{[zeek_cols][authentication_method]} %{[zeek_cols][auth]} %{[zeek_cols][share_flag]} %{[zeek_cols][desktop_name]} %{[zeek_cols][width]} %{[zeek_cols][height]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_rfb"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_rfb"
+ init => "@zeek_rfb_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'client_major_version', 'client_minor_version', 'server_major_version', 'server_minor_version', 'authentication_method', 'auth', 'share_flag', 'desktop_name', 'width', 'height' ]"
+ code => "event.set('[zeek_cols]', @zeek_rfb_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_rfb"
+ add_field => { "[zeek_cols][service]" => "rfb" }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1050_zeek_s7comm.conf b/logstash/pipelines/zeek/1050_zeek_s7comm.conf
new file mode 100644
index 000000000..4b808b194
--- /dev/null
+++ b/logstash/pipelines/zeek/1050_zeek_s7comm.conf
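Review bot: `mutate_add_fields_zeek_rfb` sets `[zeek_cols][service]` but not `[zeek_cols][proto]`, while the smb, smtp, snmp and ssh files in this commit set both; radius, rdp and socks share the omission. If proto is not backfilled from conn.log later in the pipeline, these events will lack the transport field the other services carry, which matters for any dashboard or rule that filters on it. Either add `"[zeek_cols][proto]" => "tcp"` to the add_field block (RFB is TCP-only) or add a comment above it stating why proto is left unset; sip, which can run over UDP or TCP, has a reason to omit it that rfb does not.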
@@ -0,0 +1,186 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "cotp") { + ############################################################################################################################# + # cotp.log + # https://github.com/cisagov/icsnpp-s7comm + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_cotp" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_code]} %{[zeek_cols][pdu_name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_cotp" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_cotp" + init => "@zeek_cotp_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_code', 'pdu_name' ]" + code => "event.set('[zeek_cols]', @zeek_cotp_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_cotp" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "cotp" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "s7comm") { + ############################################################################################################################# + # s7comm.log + # https://github.com/cisagov/icsnpp-s7comm + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_s7comm" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} 
%{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_code]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]} %{[zeek_cols][subfunction_code]} %{[zeek_cols][subfunction_name]} %{[zeek_cols][error_class]} %{[zeek_cols][error_code]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_s7comm" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_s7comm" + init => "@zeek_s7comm_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_code', 'rosctr_name', 'pdu_reference', 'function_code', 'function_name', 'subfunction_code', 'subfunction_name', 'error_class', 'error_code' ]" + code => "event.set('[zeek_cols]', @zeek_s7comm_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_s7comm" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "s7comm" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "s7comm_plus") { + ############################################################################################################################# + # s7comm_plus.log + # https://github.com/cisagov/icsnpp-s7comm + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_s7comm_plus" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][opcode]} %{[zeek_cols][opcode_name]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_s7comm_plus" + split => { "[message]" => " " } 
+ } + ruby { + id => "ruby_zip_zeek_s7comm_plus" + init => "@zeek_s7comm_plus_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'opcode', 'opcode_name', 'function_code', 'function_name' ]" + code => "event.set('[zeek_cols]', @zeek_s7comm_plus_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_s7comm_plus" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "s7comm_plus" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "s7comm_read_szl") { + ############################################################################################################################# + # s7comm_read_szl.log + # https://github.com/cisagov/icsnpp-s7comm + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_s7comm_read_szl" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][method]} %{[zeek_cols][szl_id]} %{[zeek_cols][szl_id_name]} %{[zeek_cols][szl_index]} %{[zeek_cols][return_code]} %{[zeek_cols][return_code_name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_s7comm_read_szl" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_s7comm_read_szl" + init => "@zeek_s7comm_read_szl_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_reference', 'method', 'szl_id', 'szl_id_name', 'szl_index', 'return_code', 'return_code_name' ]" + code => "event.set('[zeek_cols]', @zeek_s7comm_read_szl_field_names.zip(event.get('[message]')).to_h)" + } + } + } 
+ + mutate { + id => "mutate_add_fields_zeek_s7comm_read_szl" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "s7comm" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "s7comm_upload_download") { + ############################################################################################################################# + # s7comm_upload_download.log + # https://github.com/cisagov/icsnpp-s7comm + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_s7comm_upload_download_fields" + rename => { "[zeek_cols][rosctr]" => "[zeek_cols][rosctr_name]" } + } + + } else { + dissect { + id => "dissect_zeek_s7comm_upload_download" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_name]} %{[zeek_cols][function_status]} %{[zeek_cols][session_id]} %{[zeek_cols][blocklength]} %{[zeek_cols][filename]} %{[zeek_cols][block_type]} %{[zeek_cols][block_number]} %{[zeek_cols][destination_filesystem]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_s7comm_upload_download" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_s7comm_upload_download" + init => "@zeek_s7comm_upload_download_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_name', 'pdu_reference', 'function_name', 'function_status', 'session_id', 'blocklength', 'filename', 'block_type', 'block_number', 'destination_filesystem' ]" + code => "event.set('[zeek_cols]', @zeek_s7comm_upload_download_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => 
"mutate_add_fields_zeek_s7comm_upload_download" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "s7comm" + } + add_tag => [ "ics" ] + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1051_zeek_signatures.conf b/logstash/pipelines/zeek/1051_zeek_signatures.conf new file mode 100644 index 000000000..4f6a20441 --- /dev/null +++ b/logstash/pipelines/zeek/1051_zeek_signatures.conf 
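Review bot: After `ruby_zip_zeek_cotp` (and the four sibling zip blocks for s7comm, s7comm_plus, s7comm_read_szl and s7comm_upload_download) recovers the columns, the event still carries `_dissectfailure`, so later stages cannot distinguish a recovered event from one that is genuinely unparsed; every `_dissectfailure` fallback in this commit leaves the tag in place. If nothing downstream keys on that tag this is harmless, but a recovered ICS event that is later dropped or counted as a parse failure because of it would be a silent loss of exactly the events the ICS tag is meant to surface. Consider clearing it once the zip has run, e.g. `mutate { id => "mutate_remove_tag_zeek_cotp_dissectfailure" remove_tag => [ "_dissectfailure" ] }` after each ruby block, or document that the tag is intentionally retained for the fallback path.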
@@ -0,0 +1,40 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "signatures") {
+ #############################################################################################################################
+ # signatures.log
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_signatures"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][note]} %{[zeek_cols][signature_id]} %{[zeek_cols][event_message]} %{[zeek_cols][sub_message]} %{[zeek_cols][signature_count]} %{[zeek_cols][host_count]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_signatures"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_signatures"
+ init => "@zeek_signatures_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'note', 'signature_id', 'event_message', 'sub_message', 'signature_count', 'host_count' ]"
+ code => "event.set('[zeek_cols]', @zeek_signatures_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ if ("_carved" in [tags]) {
+ # Malcolm does some "special" stuff in zeek_carve_logger.py for file carving, sort of hijacking signatures.log for it:
+ # - _carved signature logs' sub_message contains fuid(s) comma-separated
+ mutate { id => "mutate_split_zeek_signatures_sub_message"
+ split => { "[zeek_cols][sub_message]" => "," } }
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1052_zeek_sip.conf b/logstash/pipelines/zeek/1052_zeek_sip.conf
new file mode 100644
index 000000000..fc49f7c33
--- /dev/null
+++ b/logstash/pipelines/zeek/1052_zeek_sip.conf
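Review bot: The `_carved` split of `[zeek_cols][sub_message]` is nested inside the `"_jsonparsesuccess" not in [tags]` branch, so a carved-file signature event that arrives as JSON keeps its comma-joined fuid string and anything downstream that matches on individual fuids will miss it. Unlike the vector splits in the rdp, sip, smtp and ssh files, which JSON already delivers as arrays, `sub_message` is a plain string in both Zeek output formats, so this split is needed regardless of input format. Move the `if ("_carved" in [tags]) { ... }` block out one level so it runs after both the JSON and the dissect paths, unless carved signature logs are guaranteed to reach this pipeline as TSV only, in which case that guarantee belongs in the comment.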
@@ -0,0 +1,43 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "sip") { + ############################################################################################################################# + # sip.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/sip/main.zeek.html#type-SIP::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_sip" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][uri]} %{[zeek_cols][date]} %{[zeek_cols][request_from]} %{[zeek_cols][request_to]} %{[zeek_cols][response_from]} %{[zeek_cols][response_to]} %{[zeek_cols][reply_to]} %{[zeek_cols][call_id]} %{[zeek_cols][seq]} %{[zeek_cols][subject]} %{[zeek_cols][request_path]} %{[zeek_cols][response_path]} %{[zeek_cols][user_agent]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][warning]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][content_type]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_sip" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_sip" + init => "@zeek_sip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'uri', 'date', 'request_from', 'request_to', 'response_from', 'response_to', 'reply_to', 'call_id', 'seq', 'subject', 'request_path', 'response_path', 'user_agent', 'status_code', 'status_msg', 'warning', 'request_body_len', 'response_body_len', 'content_type' ]" + code => "event.set('[zeek_cols]', @zeek_sip_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_sip_commas" + split => { "[zeek_cols][request_path]" => "," + 
"[zeek_cols][response_path]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_sip" + add_field => { "[zeek_cols][service]" => "sip" } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1053_zeek_smb.conf b/logstash/pipelines/zeek/1053_zeek_smb.conf new file mode 100644 index 000000000..9e42d4429 --- /dev/null +++ b/logstash/pipelines/zeek/1053_zeek_smb.conf 
@@ -0,0 +1,131 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "smb_cmd") { + ############################################################################################################################# + # smb_cmd.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::CmdInfo + # + # note that smb_cmd.referenced_file is exactly the same structure as the log line for smb_files. later on it will be + # merged up as its own top-level entity so I don't have to duplicate the parsing effort below + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_smb_cmd_referenced_file_fields" + rename => { "[zeek_cols][referenced_file.id.orig_h]" => "[zeek_cols][referenced_file][orig_h]" } + rename => { "[zeek_cols][referenced_file.id.orig_p]" => "[zeek_cols][referenced_file][orig_p]" } + rename => { "[zeek_cols][referenced_file.id.resp_h]" => "[zeek_cols][referenced_file][resp_h]" } + rename => { "[zeek_cols][referenced_file.id.resp_p]" => "[zeek_cols][referenced_file][resp_p]" } + } + + } else { + dissect { + id => "dissect_zeek_smb_cmd" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]} %{[zeek_cols][sub_command]} %{[zeek_cols][argument]} %{[zeek_cols][status]} %{[zeek_cols][rtt]} %{[zeek_cols][version]} %{[zeek_cols][user]} %{[zeek_cols][tree]} %{[zeek_cols][tree_service]} %{[zeek_cols][referenced_file][ts]} %{[zeek_cols][referenced_file][uid]} %{[zeek_cols][referenced_file][orig_h]} %{[zeek_cols][referenced_file][orig_p]} %{[zeek_cols][referenced_file][resp_h]} %{[zeek_cols][referenced_file][resp_p]} %{[zeek_cols][referenced_file][fuid]} %{[zeek_cols][referenced_file][action]} %{[zeek_cols][referenced_file][path]} %{[zeek_cols][referenced_file][name]} 
%{[zeek_cols][referenced_file][size]} %{[zeek_cols][referenced_file][prev_name]} %{[zeek_cols][referenced_file][times_modified]} %{[zeek_cols][referenced_file][times_accessed]} %{[zeek_cols][referenced_file][times_created]} %{[zeek_cols][referenced_file][times_changed]} %{[zeek_cols][referenced_file][data_offset_req]} %{[zeek_cols][referenced_file][data_len_req]} %{[zeek_cols][referenced_file][data_len_rsp]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_smb_cmd" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_smb_cmd" + init => "@zeek_smb_cmd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command', 'sub_command', 'argument', 'status', 'rtt', 'version', 'user', 'tree', 'tree_service', 'referenced_file.ts', 'referenced_file.uid', 'referenced_file.orig_h', 'referenced_file.orig_p', 'referenced_file.resp_h', 'referenced_file.resp_p', 'referenced_file.fuid', 'referenced_file.action', 'referenced_file.path', 'referenced_file.name', 'referenced_file.size', 'referenced_file.prev_name', 'referenced_file.times_modified', 'referenced_file.times_accessed', 'referenced_file.times_created', 'referenced_file.times_changed', 'referenced_file.data_offset_req', 'referenced_file.data_len_req', 'referenced_file.data_len_rsp' ]" + code => "event.set('[zeek_cols]', @zeek_smb_cmd_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_smb_cmd" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "smb" + } + } + + # remove SMB prefix from version + mutate { id => "mutate_gsub_field_zeek_smb_cmd_version" + gsub => [ "[zeek_cols][version]", "^SMB", "" ] } + + mutate { id => "mutate_gsub_zeek_smb_cmd_command" + gsub => [ "[zeek_cols][command]", "^SMB::", "" ] } + + } else if ([log_source] == "smb_files") { + ############################################################################################################################# + # 
smb_files.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::FileInfo + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_smb_files_with_all_fields" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fuid]} %{[zeek_cols][action]} %{[zeek_cols][path]} %{[zeek_cols][name]} %{[zeek_cols][size]} %{[zeek_cols][prev_name]} %{[zeek_cols][times_modified]} %{[zeek_cols][times_accessed]} %{[zeek_cols][times_created]} %{[zeek_cols][times_changed]} %{[zeek_cols][data_offset_req]} %{[zeek_cols][data_len_req]} %{[zeek_cols][data_len_rsp]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_smb_files" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_smb_files" + init => "@zeek_smb_files_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fuid', 'action', 'path', 'name', 'size', 'prev_name', 'times_modified', 'times_accessed', 'times_created', 'times_changed', 'data_offset_req', 'data_len_req', 'data_len_rsp' ]" + code => "event.set('[zeek_cols]', @zeek_smb_files_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_smb_files" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "smb" + } + } + + mutate { id => "mutate_gsub_zeek_smb_files_action" + gsub => [ "[zeek_cols][action]", "^SMB::", "" ] } + + } else if ([log_source] == "smb_mapping") { + ############################################################################################################################# + # smb_mapping.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::TreeInfo + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_smb_mapping" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} 
%{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][path]} %{[zeek_cols][resource_type]} %{[zeek_cols][native_file_system]} %{[zeek_cols][share_type]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_smb_mapping" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_smb_mapping" + init => "@zeek_smb_mapping_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'path', 'resource_type', 'native_file_system', 'share_type' ]" + code => "event.set('[zeek_cols]', @zeek_smb_mapping_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_smb_mapping" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "smb" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1054_zeek_smtp.conf b/logstash/pipelines/zeek/1054_zeek_smtp.conf new file mode 100644 index 000000000..f4587c5d5 --- /dev/null +++ b/logstash/pipelines/zeek/1054_zeek_smtp.conf 
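Review bot: The three input paths for smb_cmd leave `referenced_file` in three different shapes: `dissect_zeek_smb_cmd` writes the nested `[zeek_cols][referenced_file][ts]` form, the `ruby_zip_zeek_smb_cmd` fallback writes literal dotted keys such as `referenced_file.ts`, and the JSON branch renames only the four `referenced_file.id.*` keys, leaving `referenced_file.ts`, `referenced_file.fuid` and the rest dotted unless the JSON stage in 1001_zeek_parse.conf already expands them. The header comment says the record is merged up as its own top-level entity later, so that stage presumably normalises this, but if it handles only one shape the TSV lines that fell through to the zip fallback will silently lose their referenced file. Either extend the comment to state which of the shapes the merge step accepts, or make the fallback names nested to match dissect (e.g. `'[referenced_file][ts]'` in `@zeek_smb_cmd_field_names` with a matching `event.set` per key) so only two shapes remain.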
@@ -0,0 +1,48 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "smtp") { + ############################################################################################################################# + # smtp.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/smtp/main.zeek.html#type-SMTP::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_smtp" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][helo]} %{[zeek_cols][mailfrom]} %{[zeek_cols][rcptto]} %{[zeek_cols][date]} %{[zeek_cols][from]} %{[zeek_cols][to]} %{[zeek_cols][cc]} %{[zeek_cols][reply_to]} %{[zeek_cols][msg_id]} %{[zeek_cols][in_reply_to]} %{[zeek_cols][subject]} %{[zeek_cols][x_originating_ip]} %{[zeek_cols][first_received]} %{[zeek_cols][second_received]} %{[zeek_cols][last_reply]} %{[zeek_cols][path]} %{[zeek_cols][user_agent]} %{[zeek_cols][tls]} %{[zeek_cols][fuid]} %{[zeek_cols][is_webmail]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_smtp" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_smtp" + init => "@zeek_smtp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'helo', 'mailfrom', 'rcptto', 'date', 'from', 'to', 'cc', 'reply_to', 'msg_id', 'in_reply_to', 'subject', 'x_originating_ip', 'first_received', 'second_received', 'last_reply', 'path', 'user_agent', 'tls', 'fuid', 'is_webmail' ]" + code => "event.set('[zeek_cols]', @zeek_smtp_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_smtp_commas" + split => { "[zeek_cols][rcptto]" => "," + "[zeek_cols][to]" => "," + "[zeek_cols][cc]" => "," + "[zeek_cols][path]" => "," } } + } + + mutate { + id => 
"mutate_add_fields_zeek_smtp" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "smtp" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1055_zeek_snmp.conf b/logstash/pipelines/zeek/1055_zeek_snmp.conf new file mode 100644 index 000000000..2991ed095 --- /dev/null +++ b/logstash/pipelines/zeek/1055_zeek_snmp.conf @@ -0,0 +1,43 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "snmp") { + ############################################################################################################################# + # snmp.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/snmp/main.zeek.html#type-SNMP::Info + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_snmp" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][duration]} %{[zeek_cols][version]} %{[zeek_cols][community]} %{[zeek_cols][get_requests]} %{[zeek_cols][get_bulk_requests]} %{[zeek_cols][get_responses]} %{[zeek_cols][set_requests]} %{[zeek_cols][display_string]} %{[zeek_cols][up_since]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_snmp" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_snmp" + init => "@zeek_snmp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'duration', 'version', 'community', 'get_requests', 'get_bulk_requests', 'get_responses', 'set_requests', 'display_string', 'up_since' ]" + code => "event.set('[zeek_cols]', @zeek_snmp_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_snmp" + add_field => { + "[zeek_cols][proto]" => "udp" + "[zeek_cols][service]" => "snmp" + } + } + + } + +} # end Filter 
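Review bot: `[zeek_cols][community]` in `dissect_zeek_snmp` is the SNMPv1/v2c community string, which is the shared secret that authorises reads and, together with `set_requests`, writes on the device, and this hunk indexes it verbatim like any other column; `[zeek_cols][password]` in the socks file is the same situation. Keeping it is the right call for detection (default and reused communities are exactly what an analyst needs to see), but the sensitivity is not visible from the config. A comment above the dissect such as `# community is the SNMP authentication secret; bear this in mind when deciding who can read this index` would make that explicit for whoever configures field- or index-level access later.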
diff --git a/logstash/pipelines/zeek/1056_zeek_socks.conf b/logstash/pipelines/zeek/1056_zeek_socks.conf
new file mode 100644
index 000000000..aeec39cb0
--- /dev/null
+++ b/logstash/pipelines/zeek/1056_zeek_socks.conf
@@ -0,0 +1,40 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "socks") {
+ #############################################################################################################################
+ # socks.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/socks/main.zeek.html#type-SOCKS::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_socks"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][server_status]} %{[zeek_cols][request_host]} %{[zeek_cols][request_name]} %{[zeek_cols][request_port]} %{[zeek_cols][bound_host]} %{[zeek_cols][bound_name]} %{[zeek_cols][bound_port]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_socks"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_socks"
+ init => "@zeek_socks_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'user', 'password', 'server_status', 'request_host', 'request_name', 'request_port', 'bound_host', 'bound_name', 'bound_port' ]"
+ code => "event.set('[zeek_cols]', @zeek_socks_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_socks"
+ add_field => { "[zeek_cols][service]" => "socks" }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1057_zeek_software.conf b/logstash/pipelines/zeek/1057_zeek_software.conf
new file mode 100644
index 000000000..e6cfe36d5
--- /dev/null
+++ b/logstash/pipelines/zeek/1057_zeek_software.conf 
@@ -0,0 +1,47 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "software") {
+ #############################################################################################################################
+ # software.log
+ # https://docs.zeek.org/en/stable/scripts/base/frameworks/software/main.zeek.html#type-Software::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_software_fields"
+ rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" }
+ rename => { "[zeek_cols][host_p]" => "[zeek_cols][orig_p]" }
+ rename => { "[zeek_cols][version.major]" => "[zeek_cols][version_major]" }
+ rename => { "[zeek_cols][version.minor]" => "[zeek_cols][version_minor]" }
+ rename => { "[zeek_cols][version.minor2]" => "[zeek_cols][version_minor2]" }
+ rename => { "[zeek_cols][version.minor3]" => "[zeek_cols][version_minor3]" }
+ rename => { "[zeek_cols][version.addl]" => "[zeek_cols][version_addl]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_software"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][software_type]} %{[zeek_cols][name]} %{[zeek_cols][version_major]} %{[zeek_cols][version_minor]} %{[zeek_cols][version_minor2]} %{[zeek_cols][version_minor3]} %{[zeek_cols][version_addl]} %{[zeek_cols][unparsed_version]} %{[zeek_cols][url]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_software"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_software"
+ init => "@zeek_software_field_names = [ 'ts', 'orig_h', 'orig_p', 'software_type', 'name', 'version_major', 'version_minor', 'version_minor2', 'version_minor3', 'version_addl', 'unparsed_version', 'url' ]"
+ code => "event.set('[zeek_cols]', @zeek_software_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1058_zeek_ssh.conf b/logstash/pipelines/zeek/1058_zeek_ssh.conf new file mode 100644 index 000000000..bf1177a34 --- /dev/null +++ b/logstash/pipelines/zeek/1058_zeek_ssh.conf 
@@ -0,0 +1,87 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "ja4ssh") { + ############################################################################################################################# + # ja4ssh.log + # https://github.com/FoxIO-LLC/ja4 + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_ja4ssh" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ja4ssh]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ja4ssh" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ja4ssh" + init => "@zeek_ja4ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ja4ssh' ]" + code => "event.set('[zeek_cols]', @zeek_ja4ssh_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_ja4ssh" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "ssh" + } + } + + } else if ([log_source] == "ssh") { + ############################################################################################################################# + # ssh.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ssh_fields" + rename => { "[zeek_cols][hasshServer_Algorithms]" => "[zeek_cols][hasshServerAlgorithms]" } + } + + } else { + dissect { + id => "dissect_zeek_ssh_with_all_fields_with_hassh" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][auth_success]} %{[zeek_cols][auth_attempts]} %{[zeek_cols][direction]} 
%{[zeek_cols][client]} %{[zeek_cols][server]} %{[zeek_cols][cipher_alg]} %{[zeek_cols][mac_alg]} %{[zeek_cols][compression_alg]} %{[zeek_cols][kex_alg]} %{[zeek_cols][host_key_alg]} %{[zeek_cols][host_key]} %{[zeek_cols][remote_location_country_code]} %{[zeek_cols][remote_location_region]} %{[zeek_cols][remote_location_city]} %{[zeek_cols][remote_location_latitude]} %{[zeek_cols][remote_location_longitude]} %{[zeek_cols][hasshVersion]} %{[zeek_cols][hassh]} %{[zeek_cols][hasshServer]} %{[zeek_cols][cshka]} %{[zeek_cols][hasshAlgorithms]} %{[zeek_cols][sshka]} %{[zeek_cols][hasshServerAlgorithms]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ssh" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ssh" + init => "@zeek_ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'auth_success', 'auth_attempts', 'direction', 'client', 'server', 'cipher_alg', 'mac_alg', 'compression_alg', 'kex_alg', 'host_key_alg', 'host_key', 'remote_location_country_code', 'remote_location_region', 'remote_location_city', 'remote_location_latitude', 'remote_location_longitude', 'hasshVersion', 'hassh', 'hasshServer', 'cshka', 'hasshAlgorithms', 'sshka', 'hasshServerAlgorithms' ]" + code => "event.set('[zeek_cols]', @zeek_ssh_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_ssh_commas" + split => { "[zeek_cols][hasshAlgorithms]" => "," + "[zeek_cols][hasshServerAlgorithms]" => "," + "[zeek_cols][cshka]" => "," + "[zeek_cols][sshka]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_ssh" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "ssh" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1059_zeek_ssl.conf b/logstash/pipelines/zeek/1059_zeek_ssl.conf new file mode 100644 index 000000000..675bb103b --- /dev/null +++ b/logstash/pipelines/zeek/1059_zeek_ssl.conf 
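Review bot: `mutate_split_zeek_ssh_commas` runs only inside the `else` (non-JSON) branch, so `hasshAlgorithms`, `hasshServerAlgorithms`, `cshka` and `sshka` become arrays for TSV input but, if the hassh package logs them as string columns (the need for a comma split on the TSV side implies either a string or a vector, and only a vector would already arrive as a JSON array), stay as single comma-joined strings for JSON input. That leaves the same field with a different type depending on which Zeek output format fed the pipeline, which is what the `_jsonparsesuccess` rename just above is trying to prevent. Apply the same `split => { … => "," }` in the JSON branch as well, or after both branches if the installed mutate version handles already-array values; compare the ssl hunk, where the equivalent placement is only correct because Zeek emits `cert_chain_fps` as a vector. If the hassh fields are in fact vectors, a one-line comment saying so next to the split would make the asymmetry deliberate.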
@@ -0,0 +1,54 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "ssl") { + ############################################################################################################################# + # ssl.log + # https://docs.zeek.org/en/stable/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_ssl_fields" + rename => { "[zeek_cols][version]" => "[zeek_cols][ssl_version]" } + } + + } else { + dissect { + id => "dissect_zeek_ssl_v1_with_ja4" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ssl_version]} %{[zeek_cols][cipher]} %{[zeek_cols][curve]} %{[zeek_cols][server_name]} %{[zeek_cols][resumed]} %{[zeek_cols][last_alert]} %{[zeek_cols][next_protocol]} %{[zeek_cols][established]} %{[zeek_cols][ssl_history]} %{[zeek_cols][cert_chain_fps]} %{[zeek_cols][client_cert_chain_fps]} %{[zeek_cols][sni_matches_cert]} %{[zeek_cols][validation_status]} %{[zeek_cols][ja4]} %{[zeek_cols][ja4s]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_ssl" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_ssl" + init => "@zeek_ssl_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ssl_version', 'cipher', 'curve', 'server_name', 'resumed', 'last_alert', 'next_protocol', 'established', 'ssl_history', 'cert_chain_fps', 'client_cert_chain_fps', 'sni_matches_cert', 'validation_status', 'ja4', 'ja4s' ]" + code => "event.set('[zeek_cols]', @zeek_ssl_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_zeek_ssl_commas" + split => { "[zeek_cols][cert_chain_fuids]" => "," + "[zeek_cols][client_cert_chain_fuids]" => "," + "[zeek_cols][cert_chain_fps]" => "," 
+ "[zeek_cols][client_cert_chain_fps]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_ssl" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "tls" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1060_zeek_stun.conf b/logstash/pipelines/zeek/1060_zeek_stun.conf new file mode 100644 index 000000000..fdb291513 --- /dev/null +++ b/logstash/pipelines/zeek/1060_zeek_stun.conf 
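Review bot: `mutate_split_zeek_ssl_commas` splits `[zeek_cols][cert_chain_fuids]` and `[zeek_cols][client_cert_chain_fuids]`, but neither field is produced anywhere in this hunk — `dissect_zeek_ssl_v1_with_ja4` and the `ruby_zip_zeek_ssl` name list both carry `cert_chain_fps`/`client_cert_chain_fps` — so those two entries are dead configuration. If the `*_fuids` columns are a leftover from an older ssl.log layout, drop them; if lines in that older layout are still expected, note that they currently fail dissect and get zipped positionally against the `*_fps` names, so whatever sits in those columns is labelled as a certificate fingerprint. Either way a short comment above the mapping naming the Zeek version whose column order it encodes would help the next person who has to extend it.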
@@ -0,0 +1,96 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "stun") { + ############################################################################################################################# + # stun.log + # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_stun_fields" + rename => { "[zeek_cols][attr_types]" => "[zeek_cols][attr_type]" } + rename => { "[zeek_cols][attr_vals]" => "[zeek_cols][attr_val]" } + } + + } else { + dissect { + id => "dissect_zeek_stun" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][is_orig]} %{[zeek_cols][trans_id]} %{[zeek_cols][method]} %{[zeek_cols][class]} %{[zeek_cols][attr_type]} %{[zeek_cols][attr_val]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_stun" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_stun" + init => "@zeek_stun_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'is_orig', 'trans_id', 'method', 'class', 'attr_type', 'attr_val' ]" + code => "event.set('[zeek_cols]', @zeek_stun_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_field_zeek_stun_commas" + split => { "[zeek_cols][attr_type]" => "," + "[zeek_cols][attr_val]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_stun" + add_field => { + "[zeek_cols][service]" => "stun" + } + } + + } else if ([log_source] == "stun_nat") { + ############################################################################################################################# + # stun.log + # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek + + if 
("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_stun_nat_fields" + rename => { "[zeek_cols][wan_addrs]" => "[zeek_cols][wan_addr]" } + rename => { "[zeek_cols][wan_ports]" => "[zeek_cols][wan_port]" } + rename => { "[zeek_cols][lan_addrs]" => "[zeek_cols][lan_addr]" } + } + + } else { + dissect { + id => "dissect_zeek_stun_nat" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][is_orig]} %{[zeek_cols][wan_addr]} %{[zeek_cols][wan_port]} %{[zeek_cols][lan_addr]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_stun_nat" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_stun_nat" + init => "@zeek_stun_nat_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'is_orig', 'wan_addr', 'wan_port', 'lan_addr' ]" + code => "event.set('[zeek_cols]', @zeek_stun_nat_field_names.zip(event.get('[message]')).to_h)" + } + } + mutate { id => "mutate_split_field_zeek_stun_nat_commas" + split => { "[zeek_cols][wan_addrs]" => "," + "[zeek_cols][wan_ports]" => "," + "[zeek_cols][lan_addrs]" => "," } } + } + + mutate { + id => "mutate_add_fields_zeek_stun_nat" + add_field => { + "[zeek_cols][service]" => "stun" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1061_zeek_synchrophasor.conf b/logstash/pipelines/zeek/1061_zeek_synchrophasor.conf new file mode 100644 index 000000000..ad4795ec7 --- /dev/null +++ b/logstash/pipelines/zeek/1061_zeek_synchrophasor.conf 
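Review bot: In the `stun_nat` branch the comma split targets `[zeek_cols][wan_addrs]`, `[zeek_cols][wan_ports]` and `[zeek_cols][lan_addrs]`, but `dissect_zeek_stun_nat` and the `ruby_zip_zeek_stun_nat` name list both populate `wan_addr`, `wan_port` and `lan_addr` (the plural names only exist on the JSON side, where they are immediately renamed away), so on TSV input `mutate_split_field_zeek_stun_nat_commas` is a no-op and the multi-valued columns stay as comma-joined strings. The `stun` branch just above gets this right with `attr_type`/`attr_val`. Fix: `split => { "[zeek_cols][wan_addr]" => "," "[zeek_cols][wan_port]" => "," "[zeek_cols][lan_addr]" => "," }`. The header comment for this branch also reads `# stun.log` where `# stun_nat.log` is meant.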
@@ -0,0 +1,242 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "synchrophasor") { + ############################################################################################################################# + # synchrophasor.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_synchrophasor" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][version]} %{[zeek_cols][data_stream_id]} %{[zeek_cols][history]} %{[zeek_cols][frame_size_min]} %{[zeek_cols][frame_size_max]} %{[zeek_cols][frame_size_tot]} %{[zeek_cols][data_frame_count]} %{[zeek_cols][data_rate]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor" + init => "@zeek_synchrophasor_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'version', 'data_stream_id', 'history', 'frame_size_min', 'frame_size_max', 'frame_size_tot', 'data_frame_count', 'data_rate' ]" + code => "event.set('[zeek_cols]', @zeek_synchrophasor_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + + } else if ([log_source] == "synchrophasor_cmd") { + ############################################################################################################################# + # synchrophasor_cmd.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_synchrophasor_cmd" + mapping => 
{ + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][command]} %{[zeek_cols][extframe]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_cmd" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_cmd" + init => "@zeek_synchrophasor_cmd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'command', 'extframe' ]" + code => "event.set('[zeek_cols]', @zeek_synchrophasor_cmd_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_cmd" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "synchrophasor_cfg") { + ############################################################################################################################# + # synchrophasor_cfg.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_synchrophasor_cfg" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][cont_idx]} %{[zeek_cols][pmu_count_expected]} %{[zeek_cols][pmu_count_actual]} %{[zeek_cols][data_rate]} %{[zeek_cols][cfg_frame_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_cfg" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_cfg" + init => "@zeek_synchrophasor_cfg_field_names = [ 
'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'cont_idx', 'pmu_count_expected', 'pmu_count_actual', 'data_rate', 'cfg_frame_id' ]" + code => "event.set('[zeek_cols]', @zeek_synchrophasor_cfg_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_cfg" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "synchrophasor_cfg_detail") { + ############################################################################################################################# + # synchrophasor_cfg_detail.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_synchrophasor_cfg_detail" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][cfg_frame_id]} %{[zeek_cols][pmu_idx]} %{[zeek_cols][svc_class]} %{[zeek_cols][station_name]} %{[zeek_cols][data_source_id]} %{[zeek_cols][global_pmuid]} %{[zeek_cols][phasor_shape]} %{[zeek_cols][phasor_format]} %{[zeek_cols][analog_format]} %{[zeek_cols][freq_format]} %{[zeek_cols][phnmr]} %{[zeek_cols][annmr]} %{[zeek_cols][dgnmr]} %{[zeek_cols][phnam]} %{[zeek_cols][annam]} %{[zeek_cols][dgnam]} %{[zeek_cols][phasor_conv_phunit]} %{[zeek_cols][phasor_conv_phvalue]} %{[zeek_cols][phasor_conv_upsampled_interpolation]} %{[zeek_cols][phasor_conv_upsampled_extrapolation]} %{[zeek_cols][phasor_conv_downsampled_reselection]} %{[zeek_cols][phasor_conv_downsampled_fir_filter]} %{[zeek_cols][phasor_conv_downsampled_no_fir_filter]} %{[zeek_cols][phasor_conv_filtered_without_changing_sampling]} %{[zeek_cols][phasor_conv_calibration_mag_adj]} 
%{[zeek_cols][phasor_conv_calibration_phas_adj]} %{[zeek_cols][phasor_conv_rotation_phase_adj]} %{[zeek_cols][phasor_conv_pseudo_phasor_val]} %{[zeek_cols][phasor_conv_mod_appl]} %{[zeek_cols][phasor_conv_phasor_component]} %{[zeek_cols][phasor_conv_phasor_type]} %{[zeek_cols][phasor_conv_user_def]} %{[zeek_cols][phasor_conv_scale_factor]} %{[zeek_cols][phasor_conv_angle_adj]} %{[zeek_cols][analog_conv_analog_flags]} %{[zeek_cols][analog_conv_user_defined_scaling]} %{[zeek_cols][analog_conv_mag_scale]} %{[zeek_cols][analog_conv_offset]} %{[zeek_cols][digital_conv_normal_status_mask]} %{[zeek_cols][digital_conv_valid_inputs_mask]} %{[zeek_cols][pmu_lat]} %{[zeek_cols][pmu_lon]} %{[zeek_cols][pmu_elev]} %{[zeek_cols][window]} %{[zeek_cols][group_delay]} %{[zeek_cols][fnom]} %{[zeek_cols][cfgcnt]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_cfg_detail" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_cfg_detail" + init => "@zeek_synchrophasor_cfg_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'header_time_stamp', 'cfg_frame_id', 'pmu_idx', 'svc_class', 'station_name', 'data_source_id', 'global_pmuid', 'phasor_shape', 'phasor_format', 'analog_format', 'freq_format', 'phnmr', 'annmr', 'dgnmr', 'phnam', 'annam', 'dgnam', 'phasor_conv_phunit', 'phasor_conv_phvalue', 'phasor_conv_upsampled_interpolation', 'phasor_conv_upsampled_extrapolation', 'phasor_conv_downsampled_reselection', 'phasor_conv_downsampled_fir_filter', 'phasor_conv_downsampled_no_fir_filter', 'phasor_conv_filtered_without_changing_sampling', 'phasor_conv_calibration_mag_adj', 'phasor_conv_calibration_phas_adj', 'phasor_conv_rotation_phase_adj', 'phasor_conv_pseudo_phasor_val', 'phasor_conv_mod_appl', 'phasor_conv_phasor_component', 'phasor_conv_phasor_type', 'phasor_conv_user_def', 'phasor_conv_scale_factor', 'phasor_conv_angle_adj', 'analog_conv_analog_flags', 
'analog_conv_user_defined_scaling', 'analog_conv_mag_scale', 'analog_conv_offset', 'digital_conv_normal_status_mask', 'digital_conv_valid_inputs_mask', 'pmu_lat', 'pmu_lon', 'pmu_elev', 'window', 'group_delay', 'fnom', 'cfgcnt' ]" + code => "event.set('[zeek_cols]', @zeek_synchrophasor_cfg_detail_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_cfg_detail" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "synchrophasor_data") { + ############################################################################################################################# + # synchrophasor_data.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_synchrophasor_data" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][pmu_count_expected]} %{[zeek_cols][pmu_count_actual]} %{[zeek_cols][data_frame_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_data" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_data" + init => "@zeek_synchrophasor_data_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'pmu_count_expected', 'pmu_count_actual', 'data_frame_id' ]" + code => "event.set('[zeek_cols]', @zeek_synchrophasor_data_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_data" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == 
"synchrophasor_data_detail") { + ############################################################################################################################# + # synchrophasor_data_detail.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_synchrophasor_data_detail" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][data_frame_id]} %{[zeek_cols][pmu_idx]} %{[zeek_cols][trigger_reason]} %{[zeek_cols][unlocked_time]} %{[zeek_cols][pmu_time_quality]} %{[zeek_cols][data_modified]} %{[zeek_cols][config_change]} %{[zeek_cols][pmu_trigger_pickup]} %{[zeek_cols][data_sorting_type]} %{[zeek_cols][pmu_sync_error]} %{[zeek_cols][data_error_indicator]} %{[zeek_cols][est_rectangular_real]} %{[zeek_cols][est_rectangular_imaginary]} %{[zeek_cols][est_polar_magnitude]} %{[zeek_cols][est_polar_angle]} %{[zeek_cols][freq_dev_mhz]} %{[zeek_cols][rocof]} %{[zeek_cols][analog_data]} %{[zeek_cols][digital]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_data_detail" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_data_detail" + init => "@zeek_synchrophasor_data_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'header_time_stamp', 'data_frame_id', 'pmu_idx', 'trigger_reason', 'unlocked_time', 'pmu_time_quality', 'data_modified', 'config_change', 'pmu_trigger_pickup', 'data_sorting_type', 'pmu_sync_error', 'data_error_indicator', 'est_rectangular_real', 'est_rectangular_imaginary', 'est_polar_magnitude', 'est_polar_angle', 'freq_dev_mhz', 'rocof', 'analog_data', 'digital' ]" + code => "event.set('[zeek_cols]', 
@zeek_synchrophasor_data_detail_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_data_detail" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "synchrophasor_hdr") { + ############################################################################################################################# + # synchrophasor_hdr.log + # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_synchrophasor_hdr" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][data]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_synchrophasor_hdr" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_synchrophasor_hdr" + init => "@zeek_synchrophasor_hdr_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'data' ]" + code => "event.set('[zeek_cols]', @zeek_synchrophasor_hdr_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_synchrophasor_hdr" + add_field => { + "[zeek_cols][service]" => "synchrophasor" + } + add_tag => [ "ics" ] + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1062_zeek_syslog.conf b/logstash/pipelines/zeek/1062_zeek_syslog.conf new file mode 100644 index 000000000..efb0ed69b --- /dev/null +++ b/logstash/pipelines/zeek/1062_zeek_syslog.conf 
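Review bot: None of the seven synchrophasor branches applies a comma split after the TSV path, yet `synchrophasor_cfg_detail` and `synchrophasor_data_detail` map columns such as `phnam`, `annam`, `dgnam`, the `phasor_conv_*` group, `analog_data` and `digital` that, if they are the vector-typed columns their names suggest, are written comma-joined in TSV and as arrays in JSON. Unlike the stun and ssl hunks in this series, those fields would therefore carry a different type depending on which Zeek output format fed the pipeline. If they are vectors, add a `mutate { split => { … => "," } }` inside the non-JSON branch of both `_detail` blocks listing the vector columns; if they are scalars, a one-line comment saying so would spare the next reader a trip to the analyzer source. The `_detail` mappings are also long enough that a comment naming the icsnpp-synchrophasor version whose column order they encode would be worth having.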
@@ -0,0 +1,40 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "syslog") {
+ #############################################################################################################################
+ # syslog.log
+ # https://docs.zeek.org/en/stable/scripts/base/protocols/syslog/main.zeek.html#type-Syslog::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_syslog"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][facility]} %{[zeek_cols][severity]} %{[zeek_cols][message]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_syslog"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_syslog"
+ init => "@zeek_syslog_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'facility', 'severity', 'message' ]"
+ code => "event.set('[zeek_cols]', @zeek_syslog_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_syslog"
+ add_field => { "[zeek_cols][service]" => "syslog" }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1063_zeek_tds.conf b/logstash/pipelines/zeek/1063_zeek_tds.conf
new file mode 100644
index 000000000..23a724d0c
--- /dev/null
+++ b/logstash/pipelines/zeek/1063_zeek_tds.conf
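Review bot: The `_dissectfailure` fallback truncates the syslog payload: `mutate_split_zeek_syslog` splits `[message]` on every space and `ruby_zip_zeek_syslog` zips that array against ten names, so everything after the tenth token is dropped and `[zeek_cols][message]` keeps only the first word of the logged message, whereas the dissect path keeps the whole remainder because `%{[zeek_cols][message]}` is the trailing capture. The fallback only fires on a column-count mismatch, so the positional names may already be off, but losing the message body makes the recovered event nearly useless for triage. Rejoin the tail in the ruby block instead: `cols = event.get('[message]'); h = @zeek_syslog_field_names.zip(cols).to_h; h['message'] = cols.drop(@zeek_syslog_field_names.length - 1).join(' '); event.set('[zeek_cols]', h)`. A comment on the dissect mapping noting that the last capture is deliberately the free-text field would also document why column order matters here.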
@@ -0,0 +1,115 @@ +######################## +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. +####################### + +filter { + + + if ([log_source] == "tds") { + ############################################################################################################################# + # tds.log + # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_tds" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_tds" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_tds" + init => "@zeek_tds_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command' ]" + code => "event.set('[zeek_cols]', @zeek_tds_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_tds" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "tds" + } + } + + } else if ([log_source] == "tds_rpc") { + ############################################################################################################################# + # tds_rpc.log + # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek + + if ("_jsonparsesuccess" in [tags]) { + mutate { + id => "mutate_rename_zeek_json_tds_rpc_fields" + rename => { "[zeek_cols][parameters]" => "[zeek_cols][parameter]" } + } + + } else { + dissect { + id => "dissect_zeek_tds_rpc" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][procedure_name]} %{[zeek_cols][parameter]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_tds_rpc" + 
split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_tds_rpc" + init => "@zeek_tds_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'procedure_name', 'parameter' ]" + code => "event.set('[zeek_cols]', @zeek_tds_rpc_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_tds_rpc" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "tds" + } + } + + } else if ([log_source] == "tds_sql_batch") { + ############################################################################################################################# + # tds_sql_batch.log + # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek + + if ("_jsonparsesuccess" not in [tags]) { + dissect { + id => "dissect_zeek_tds_sql_batch" + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][header_type]} %{[zeek_cols][query]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_tds_sql_batch" + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_tds_sql_batch" + init => "@zeek_tds_sql_batch_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'header_type', 'query' ]" + code => "event.set('[zeek_cols]', @zeek_tds_sql_batch_field_names.zip(event.get('[message]')).to_h)" + } + } + } + + mutate { + id => "mutate_add_fields_zeek_tds_sql_batch" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "tds" + } + } + + } + +} # end Filter diff --git a/logstash/pipelines/zeek/1064_zeek_tftp.conf b/logstash/pipelines/zeek/1064_zeek_tftp.conf new file mode 100644 index 000000000..67cd6acef --- /dev/null +++ b/logstash/pipelines/zeek/1064_zeek_tftp.conf 
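Review bot: `tds_rpc` renames the JSON field `parameters` to `parameter` but applies no comma split on the TSV side, so if `parameters` is a vector in zeek-plugin-tds (the plural name and the rename suggest it) the TSV path yields one comma-joined string where the JSON path yields an array — the same per-format mismatch the stun hunk handles with a split mutate. Add `mutate { id => "mutate_split_zeek_tds_rpc_commas" split => { "[zeek_cols][parameter]" => "," } }` at the end of the non-JSON branch, or a comment stating the column is scalar if it is. Separately, in `tds_sql_batch` the dissect path relies on the trailing `%{[zeek_cols][query]}` to capture a multi-word SQL batch, but the `ruby_zip_zeek_tds_sql_batch` fallback splits on every space and zips against eight names, so a recovered event keeps only the first word of the query; rejoining the tail as for `message` in the syslog parser would preserve the statement analysts will want to see.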
@@ -0,0 +1,43 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "tftp") {
+ #############################################################################################################################
+ # tftp.log
+ # https://github.com/zeek/spicy-tftp
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_tftp"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][wrq]} %{[zeek_cols][fname]} %{[zeek_cols][mode]} %{[zeek_cols][uid_data]} %{[zeek_cols][size]} %{[zeek_cols][block_sent]} %{[zeek_cols][block_acked]} %{[zeek_cols][error_code]} %{[zeek_cols][error_msg]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_tftp"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_tftp"
+ init => "@zeek_tftp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'wrq', 'fname', 'mode', 'uid_data', 'size', 'block_sent', 'block_acked', 'error_code', 'error_msg' ]"
+ code => "event.set('[zeek_cols]', @zeek_tftp_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate {
+ id => "mutate_add_fields_zeek_tftp"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "tftp"
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1065_zeek_tunnel.conf b/logstash/pipelines/zeek/1065_zeek_tunnel.conf
new file mode 100644
index 000000000..6dfa8829f
--- /dev/null
+++ b/logstash/pipelines/zeek/1065_zeek_tunnel.conf
@@ -0,0 +1,48 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "tunnel") {
+ #############################################################################################################################
+ # tunnel.log
+ # https://docs.zeek.org/en/stable/scripts/base/frameworks/tunnels/main.zeek.html#type-Tunnel::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_tunnel"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][tunnel_type]} %{[zeek_cols][action]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_tunnel"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_tunnel"
+ init => "@zeek_tunnel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'tunnel_type', 'action' ]"
+ code => "event.set('[zeek_cols]', @zeek_tunnel_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_gsub_zeek_tunnel_action"
+ gsub => [ "[zeek_cols][action]", "Tunnel::", "" ] }
+
+ mutate { id => "mutate_gsub_zeek_tunnel_type"
+ gsub => [ "[zeek_cols][tunnel_type]", "Tunnel::", "" ] }
+
+ mutate {
+ id => "mutate_add_fields_zeek_tunnel"
+ add_field => { "[zeek_cols][service]" => "%{[zeek_cols][tunnel_type]}" }
+ }
+
+ mutate { id => "mutate_lowercase_zeek_tunnel_service"
+ lowercase => [ "[zeek_cols][service]" ] }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1066_zeek_weird.conf b/logstash/pipelines/zeek/1066_zeek_weird.conf
new file mode 100644
index 000000000..4c1da69e3
--- /dev/null
+++ b/logstash/pipelines/zeek/1066_zeek_weird.conf
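Review bot: `mutate_add_fields_zeek_tunnel` sets `[zeek_cols][service]` to `%{[zeek_cols][tunnel_type]}`, and when `tunnel_type` is absent — the `ruby_zip_zeek_tunnel` fallback yields nil for a short line, and a JSON record may simply not carry it — Logstash leaves the unresolved `%{…}` reference as literal text, so `service` becomes the string `%{[zeek_cols][tunnel_type]}` and is then lower-cased into the index. Guard the assignment: `if ([zeek_cols][tunnel_type]) { mutate { id => "mutate_add_fields_zeek_tunnel" add_field => { "[zeek_cols][service]" => "%{[zeek_cols][tunnel_type]}" } } }`; the following lowercase mutate can stay as is since it does nothing on a missing field. The two `gsub` mutates that strip `Tunnel::` could be merged into one, but that is cosmetic.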
@@ -0,0 +1,35 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "weird") {
+ #############################################################################################################################
+ # weird.log
+ # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_weird"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][name]} %{[zeek_cols][addl]} %{[zeek_cols][notice]} %{[zeek_cols][peer]} %{[zeek_cols][source]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_weird"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_weird"
+ init => "@zeek_weird_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'name', 'addl', 'notice', 'peer', 'source' ]"
+ code => "event.set('[zeek_cols]', @zeek_weird_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1067_zeek_wireguard.conf b/logstash/pipelines/zeek/1067_zeek_wireguard.conf
new file mode 100644
index 000000000..4a69f88d7
--- /dev/null
+++ b/logstash/pipelines/zeek/1067_zeek_wireguard.conf
@@ -0,0 +1,45 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+
+ if ([log_source] == "wireguard") {
+ #############################################################################################################################
+ # wireguard.log
+ # https://github.com/corelight/zeek-spicy-wireguard/blob/master/analyzer/main.zeek
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ dissect {
+ id => "dissect_zeek_wireguard"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][established]} %{[zeek_cols][initiations]} %{[zeek_cols][responses]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_wireguard"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_wireguard"
+ init => "@zeek_wireguard_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'established', 'initiations', 'responses' ]"
+ code => "event.set('[zeek_cols]', @zeek_wireguard_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ }
+
+ mutate { id => "mutate_gsub_zeek_wireguard_packet_type"
+ gsub => [ "[zeek_cols][packet_type]", "Wireguard::WG_", "" ] }
+
+ mutate {
+ id => "mutate_add_field_zeek_service_wireguard"
+ add_field => {
+ "[zeek_cols][proto]" => "udp"
+ "[zeek_cols][service]" => "wireguard"
+ }
+ }
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/1068_zeek_x509.conf b/logstash/pipelines/zeek/1068_zeek_x509.conf
new file mode 100644
index 000000000..9705ebd83
--- /dev/null
+++ b/logstash/pipelines/zeek/1068_zeek_x509.conf
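Review bot: `mutate_gsub_zeek_wireguard_packet_type` rewrites `[zeek_cols][packet_type]`, but that column is in neither the dissect mapping nor the `@zeek_wireguard_field_names` list of this hunk (ts, uid, orig_h, orig_p, resp_h, resp_p, established, initiations, responses), so for TSV input the gsub can never match. Either the mapping and init list are missing a `packet_type` column or the gsub is a leftover from an older log schema; if it is only meant for JSON-formatted input where the key may exist, say so with `# packet_type is only present in JSON-formatted wireguard.log`, otherwise drop the mutate.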
@@ -0,0 +1,63 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if ([log_source] == "x509") {
+ #############################################################################################################################
+ # x509.log
+ # https://docs.zeek.org/en/stable/scripts/base/files/x509/main.zeek.html#type-X509::Info
+
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_x509_fields"
+ rename => { "[zeek_cols][certificate.version]" => "[zeek_cols][certificate_version]" }
+ rename => { "[zeek_cols][certificate.serial]" => "[zeek_cols][certificate_serial]" }
+ rename => { "[zeek_cols][certificate.subject]" => "[zeek_cols][certificate_subject]" }
+ rename => { "[zeek_cols][certificate.issuer]" => "[zeek_cols][certificate_issuer]" }
+ rename => { "[zeek_cols][certificate.not_valid_before]" => "[zeek_cols][certificate_not_valid_before]" }
+ rename => { "[zeek_cols][certificate.not_valid_after]" => "[zeek_cols][certificate_not_valid_after]" }
+ rename => { "[zeek_cols][certificate.key_alg]" => "[zeek_cols][certificate_key_alg]" }
+ rename => { "[zeek_cols][certificate.sig_alg]" => "[zeek_cols][certificate_sig_alg]" }
+ rename => { "[zeek_cols][certificate.key_type]" => "[zeek_cols][certificate_key_type]" }
+ rename => { "[zeek_cols][certificate.key_length]" => "[zeek_cols][certificate_key_length]" }
+ rename => { "[zeek_cols][certificate.exponent]" => "[zeek_cols][certificate_exponent]" }
+ rename => { "[zeek_cols][certificate.curve]" => "[zeek_cols][certificate_curve]" }
+ rename => { "[zeek_cols][san.dns]" => "[zeek_cols][san_dns]" }
+ rename => { "[zeek_cols][san.uri]" => "[zeek_cols][san_uri]" }
+ rename => { "[zeek_cols][san.email]" => "[zeek_cols][san_email]" }
+ rename => { "[zeek_cols][san.ip]" => "[zeek_cols][san_ip]" }
+ rename => { "[zeek_cols][basic_constraints.ca]" => "[zeek_cols][basic_constraints_ca]" }
+ rename => { "[zeek_cols][basic_constraints.path_len]" => "[zeek_cols][basic_constraints_path_len]" }
+ }
+
+ } else {
+ dissect {
+ id => "dissect_zeek_x509_v1"
+ mapping => {
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fingerprint]} %{[zeek_cols][certificate_version]} %{[zeek_cols][certificate_serial]} %{[zeek_cols][certificate_subject]} %{[zeek_cols][certificate_issuer]} %{[zeek_cols][certificate_not_valid_before]} %{[zeek_cols][certificate_not_valid_after]} %{[zeek_cols][certificate_key_alg]} %{[zeek_cols][certificate_sig_alg]} %{[zeek_cols][certificate_key_type]} %{[zeek_cols][certificate_key_length]} %{[zeek_cols][certificate_exponent]} %{[zeek_cols][certificate_curve]} %{[zeek_cols][san_dns]} %{[zeek_cols][san_uri]} %{[zeek_cols][san_email]} %{[zeek_cols][san_ip]} %{[zeek_cols][basic_constraints_ca]} %{[zeek_cols][basic_constraints_path_len]} %{[zeek_cols][host_cert]} %{[zeek_cols][client_cert]}"
+ }
+ }
+ if ("_dissectfailure" in [tags]) {
+ mutate {
+ id => "mutate_split_zeek_x509"
+ split => { "[message]" => " " }
+ }
+ ruby {
+ id => "ruby_zip_zeek_x509"
+ init => "@zeek_x509_field_names = [ 'ts', 'fuid', 'certificate_version', 'certificate_serial', 'certificate_subject', 'certificate_issuer', 'certificate_not_valid_before', 'certificate_not_valid_after', 'certificate_key_alg', 'certificate_sig_alg', 'certificate_key_type', 'certificate_key_length', 'certificate_exponent', 'certificate_curve', 'san_dns', 'san_uri', 'san_email', 'san_ip', 'basic_constraints_ca', 'basic_constraints_path_len', 'host_cert', 'client_cert' ]"
+ code => "event.set('[zeek_cols]', @zeek_x509_field_names.zip(event.get('[message]')).to_h)"
+ }
+ }
+ mutate { id => "mutate_split_zeek_x509_san_ip"
+ split => { "[zeek_cols][san_ip]" => ","
+ "[zeek_cols][fingerprint]" => "," } }
+ }
+
+ mutate { id => "mutate_add_fields_zeek_x509"
+ add_field => { "[zeek_cols][service]" => "X.509" } }
+
+ }
+
+} # end Filter
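Review bot: The dissect mapping names the second column `fingerprint`, but the fallback list in `@zeek_x509_field_names` names the same position `fuid`, so after a `_dissectfailure` the event carries `[zeek_cols][fuid]` instead and the later `split` on `[zeek_cols][fingerprint]` finds nothing; change `'fuid'` to `'fingerprint'` in the `init` string. The fallback also inherits the generic zip behaviour of nil-ing missing columns and silently dropping extra ones, as in the other hunks of this commit. The `_v1` suffix on `dissect_zeek_x509_v1` is the only one of its kind in these files and deserves a short comment saying which log-format version it refers to, since the mapping has no second variant.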
diff --git a/logstash/pipelines/zeek/1199_zeek_unknown.conf b/logstash/pipelines/zeek/1199_zeek_unknown.conf
new file mode 100644
index 000000000..ea72245c1
--- /dev/null
+++ b/logstash/pipelines/zeek/1199_zeek_unknown.conf
@@ -0,0 +1,27 @@
+########################
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+#######################
+
+filter {
+
+ if (![zeek_cols]) {
+
+ if ("_jsonparsesuccess" not in [tags]) {
+ # some other unknown zeek log file. should start with ts at least!
+ csv {
+ id => "csv_zeek_unknown"
+ columns => ["ts"]
+ separator => " "
+ # there's no way to *disable* the csv quote char, so set it to something we'll never see
+ quote_char => " "
+
+ target => "[zeek_cols]"
+ }
+ }
+
+ mutate { id => "mutate_add_tag_zeek_unknown"
+ add_tag => [ "_unknown_log_type" ] }
+
+ }
+
+} # end Filter
diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
deleted file mode 100644
index 83daff13b..000000000
--- a/logstash/pipelines/zeek/11_zeek_parse.conf
+++ /dev/null
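Review bot: `columns => ["ts"]` names only the first column, and the csv filter auto-names everything after it `column2`, `column3`, … under `[zeek_cols]`; that is presumably the intent for an unknown log, but it is worth stating, e.g. `# only ts is named; remaining columns land as [zeek_cols][column2..N]` next to `columns =>`. Separately, `separator` and `quote_char` render identically here as `" "`, and the comment says the quote character is meant to be one that never occurs, so confirm the committed file actually uses two distinct characters (a literal tab for the separator and something else for the quote); if they were the same character the parser could not tell a field boundary from a quote.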
@@ -1,6411 +0,0 @@ -######################## -# zeek -> arkime session creation and enrichment -# -# see https://docs.zeek.org/en/stable/script-reference/log-files.html for Zeek logfile documentation -# -# see source.zeeklogs.js for the Arkime code that turns these into UI fields -# -# to profile, debug: -# - get filters sorted by execution time (where in > 0) -# $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in > 0) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")' | sort -n -t ';' -k4 -# - get filters where in != out -# $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in != .events.out) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")' -# -# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. -####################### - -filter { - - # handle JSON-formatted Zeek logs right out of the gate, we'll do the field renaming below - if ([message] =~ /^{.*}$/) { json { - id => "json_zeek_message_parse" - source => "[message]" - target => "[zeek_cols]" - add_tag => [ "_jsonparsesuccess" ] - } } - - - # in JSON, do some global renaming of common fields to make them match the names we'd - # be assigning to them if we were reading TSV - if ("_jsonparsesuccess" in [tags]) { - - # some of the ICSNPP parsers do an interesting thing to handle source and destination fields - # (see https://github.com/cisagov/icsnpp-bacnet/?tab=readme-ov-file#source-and-destination-fields) - # so check for and handle those first - ruby { - id => "ruby_zeek_json_determine_source_destination_fields" - code => " - if ![event.get('[zeek_cols][source_h]').to_s, - event.get('[zeek_cols][source_p]').to_s, - event.get('[zeek_cols][destination_h]').to_s, - event.get('[zeek_cols][destination_p]').to_s].reject{ |e| e.nil? || e.empty? 
|| (e == '0') }.empty? then - event.set('[@metadata][icsnpp_source_dest_fields]', 'true') - end - " - } - if ([@metadata][icsnpp_source_dest_fields]) { - mutate { - id => "mutate_rename_zeek_json_common_reversed_direction_fields" - rename => { "[zeek_cols][id.orig_h]" => "[zeek_cols][drop_orig_h]" } - rename => { "[zeek_cols][id.orig_p]" => "[zeek_cols][drop_orig_p]" } - rename => { "[zeek_cols][id.resp_h]" => "[zeek_cols][drop_resp_h]" } - rename => { "[zeek_cols][id.resp_p]" => "[zeek_cols][drop_resp_p]" } - rename => { "[zeek_cols][source_h]" => "[zeek_cols][orig_h]" } - rename => { "[zeek_cols][source_p]" => "[zeek_cols][orig_p]" } - rename => { "[zeek_cols][destination_h]" => "[zeek_cols][resp_h]" } - rename => { "[zeek_cols][destination_p]" => "[zeek_cols][resp_p]" } - } - - } else { - mutate { - id => "mutate_rename_zeek_json_common_fields" - rename => { "[zeek_cols][id.orig_h]" => "[zeek_cols][orig_h]" } - rename => { "[zeek_cols][id.orig_p]" => "[zeek_cols][orig_p]" } - rename => { "[zeek_cols][id.resp_h]" => "[zeek_cols][resp_h]" } - rename => { "[zeek_cols][id.resp_p]" => "[zeek_cols][resp_p]" } - } - } # icsnpp_source_dest_fields or not - } # _jsonparsesuccess in tags - - # The Dissect is WAY faster than CSV, and quite a bit faster than mutate.split. However, it - # is not as flexible when it comes to missing or extra columns - # (See https://github.com/logstash-plugins/logstash-filter-dissect/issues/62) - # - # So, if the dissect filter fails, we're going to fall back to split-then-zip solution. - # This should be a good tradeoff between performance (in the case where the Zeek logs - # match what we think they should look like) and flexibility (when they don't). - # - # The one drawback is that if you make a change to the fields in dissect, make sure - # you make the corresponding change in the ruby init code. 
- - if ([log_source] == "conn") { - ############################################################################################################################# - # conn.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_conn_with_all_fields" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]} %{[zeek_cols][duration]} %{[zeek_cols][orig_bytes]} %{[zeek_cols][resp_bytes]} %{[zeek_cols][conn_state]} %{[zeek_cols][local_orig]} %{[zeek_cols][local_resp]} %{[zeek_cols][missed_bytes]} %{[zeek_cols][history]} %{[zeek_cols][orig_pkts]} %{[zeek_cols][orig_ip_bytes]} %{[zeek_cols][resp_pkts]} %{[zeek_cols][resp_ip_bytes]} %{[zeek_cols][tunnel_parents]} %{[zeek_cols][vlan]} %{[zeek_cols][inner_vlan]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][community_id]} %{[zeek_cols][ja4l]} %{[zeek_cols][ja4ls]} %{[zeek_cols][ja4t]} %{[zeek_cols][ja4ts]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_conn" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_conn" - init => "@zeek_conn_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'service', 'duration', 'orig_bytes', 'resp_bytes', 'conn_state', 'local_orig', 'local_resp', 'missed_bytes', 'history', 'orig_pkts', 'orig_ip_bytes', 'resp_pkts', 'resp_ip_bytes', 'tunnel_parents', 'vlan', 'inner_vlan', 'orig_l2_addr', 'resp_l2_addr', 'community_id', 'ja4l', 'ja4ls', 'ja4t', 'ja4ts' ]" - code => "event.set('[zeek_cols]', @zeek_conn_field_names.zip(event.get('[message]')).to_h)" 
- } - } - } - - # normalize service string(s) - - # For some reason, even in JSON, I have service strings like: - # ...,"proto":"udp","service":"profinet,profinet_dce_rpc,spicy_profinet_io_cm,profinet",... - # so whatever reason it's not already an array. Split it here. - mutate { id => "mutate_split_zeek_conn_commas" - split => { "[zeek_cols][service]" => "," } } - - # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix - mutate { id => "mutate_gsub_field_zeek_conn_service_protocol_suffix" - gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] } - - # if it's coming from spicy, we don't care to have that in the service name - mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_prefix" - gsub => [ "[zeek_cols][service]", "spicy_", "" ] } - - mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_cipher_suffix" - gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] } - - if ([zeek_cols][orig_ip_bytes]) and ([zeek_cols][orig_ip_bytes] != '-') and ([zeek_cols][orig_ip_bytes] != '(empty)') and ([zeek_cols][orig_ip_bytes] != '') { - mutate { id => "mutate_add_field_zeek_srcBytes" - add_field => { "[source][bytes]" => "%{[zeek_cols][orig_ip_bytes]}" } } - } - if ([zeek_cols][resp_ip_bytes]) and ([zeek_cols][resp_ip_bytes] != '-') and ([zeek_cols][resp_ip_bytes] != '(empty)') and ([zeek_cols][resp_ip_bytes] != '') { - mutate { id => "mutate_add_field_zeek_dstBytes" - add_field => { "[destination][bytes]" => "%{[zeek_cols][resp_ip_bytes]}" } } - } - if ([zeek_cols][orig_pkts]) and ([zeek_cols][orig_pkts] != '-') and ([zeek_cols][orig_pkts] != '(empty)') and ([zeek_cols][orig_pkts] != '') { - mutate { id => "mutate_add_field_zeek_srcPackets" - add_field => { "[source][packets]" => "%{[zeek_cols][orig_pkts]}" } } - } - if ([zeek_cols][orig_bytes]) and ([zeek_cols][orig_bytes] != '-') and ([zeek_cols][orig_bytes] != '(empty)') and ([zeek_cols][orig_bytes] != '') { - mutate { id => 
"mutate_add_field_zeek_srcDataBytes" - add_field => { "[client][bytes]" => "%{[zeek_cols][orig_bytes]}" } } - } - if ([zeek_cols][resp_pkts]) and ([zeek_cols][resp_pkts] != '-') and ([zeek_cols][resp_pkts] != '(empty)') and ([zeek_cols][resp_pkts] != '') { - mutate { id => "mutate_add_field_zeek_dstPackets" - add_field => { "[destination][packets]" => "%{[zeek_cols][resp_pkts]}" } } - } - if ([zeek_cols][resp_bytes]) and ([zeek_cols][resp_bytes] != '-') and ([zeek_cols][resp_bytes] != '(empty)') and ([zeek_cols][resp_bytes] != '') { - mutate { id => "mutate_add_field_zeek_dstDataBytes" - add_field => { "[server][bytes]" => "%{[zeek_cols][resp_bytes]}" } } - } - if ([zeek_cols][tunnel_parents]) and ([zeek_cols][tunnel_parents] != '(empty)') and ([zeek_cols][tunnel_parents] != '-') and ([zeek_cols][tunnel_parents] != '') { - if ("_jsonparsesuccess" not in [tags]) { mutate { id => "mutate_split_zeek_tunnel_parents" - split => { "[zeek_cols][tunnel_parents]" => "," } } } - mutate { id => "mutate_add_field_zeek_conn_rootId" - add_field => { "[rootId]" => "%{[zeek_cols][tunnel_parents][0]}" } } - } - - } else if ([log_source] == "bacnet") { - ############################################################################################################################# - # bacnet.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bacnet" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][bvlc_function]} %{[zeek_cols][pdu_type]} %{[zeek_cols][pdu_service]} %{[zeek_cols][invoke_id]} %{[zeek_cols][result_code]}" - } - } - if ("_dissectfailure" in [tags]) { - 
mutate { - id => "mutate_split_zeek_bacnet" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bacnet" - init => "@zeek_bacnet_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'bvlc_function', 'pdu_type', 'pdu_service', 'invoke_id', 'result_code' ]" - code => "event.set('[zeek_cols]', @zeek_bacnet_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bacnet" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "bacnet" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "bestguess") { - ############################################################################################################################# - # bestguess.log - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bestguess" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][name]} %{[zeek_cols][category]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bestguess" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bestguess" - init => "@zeek_bestguess_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'name', 'category' ]" - code => "event.set('[zeek_cols]', @zeek_bestguess_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_ics_best_guess_log" - add_tag => [ "ics_best_guess" ] } - - } else if ([log_source] == "bsap_ip_header") { - 
############################################################################################################################# - # bsap_ip_header.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bsap_ip_header" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][num_msg]} %{[zeek_cols][type_name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bsap_ip_header" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bsap_ip_header" - init => "@zeek_bsap_ip_header_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'num_msg', 'type_name' ]" - code => "event.set('[zeek_cols]', @zeek_bsap_ip_header_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bsap_ip_header" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "bsap" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "bsap_ip_rdb") { - ############################################################################################################################# - # bsap_ip_rdb.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bsap_ip_rdb" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} 
%{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][header_size]} %{[zeek_cols][mes_seq]} %{[zeek_cols][res_seq]} %{[zeek_cols][data_len]} %{[zeek_cols][sequence]} %{[zeek_cols][app_func_code]} %{[zeek_cols][node_status]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} %{[zeek_cols][variable_value]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bsap_ip_rdb" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bsap_ip_rdb" - init => "@zeek_bsap_ip_rdb_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'header_size', 'mes_seq', 'res_seq', 'data_len', 'sequence', 'app_func_code', 'node_status', 'func_code', 'variable_count', 'variables', 'variable_value' ]" - code => "event.set('[zeek_cols]', @zeek_bsap_ip_rdb_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bsap_ip_rdb" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "bsap" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "bsap_serial_header") { - ############################################################################################################################# - # bsap_serial_header.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bsap_serial_header" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} 
%{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ser]} %{[zeek_cols][dadd]} %{[zeek_cols][sadd]} %{[zeek_cols][ctl]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][type_name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bsap_serial_header" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bsap_serial_header" - init => "@zeek_bsap_serial_header_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ser', 'dadd', 'sadd', 'ctl', 'dfun', 'seq', 'sfun', 'nsb', 'type_name' ]" - code => "event.set('[zeek_cols]', @zeek_bsap_serial_header_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bsap_serial_header" - add_field => { - "[zeek_cols][proto]" => "serial" - "[zeek_cols][service]" => "bsap" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "bsap_serial_rdb") { - ############################################################################################################################# - # bsap_serial_rdb.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bsap_serial_rdb" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][func_code]} %{[zeek_cols][variable_count]} %{[zeek_cols][variables]} 
%{[zeek_cols][variable_value]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bsap_serial_rdb" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bsap_serial_rdb" - init => "@zeek_bsap_serial_rdb_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'func_code', 'variable_count', 'variables', 'variable_value' ]" - code => "event.set('[zeek_cols]', @zeek_bsap_serial_rdb_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bsap_serial_rdb" - add_field => { - "[zeek_cols][proto]" => "serial" - "[zeek_cols][service]" => "bsap" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "bsap_serial_rdb_ext") { - ############################################################################################################################# - # bsap_serial_rdb_ext.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bsap_serial_rdb_ext" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][dfun]} %{[zeek_cols][seq]} %{[zeek_cols][sfun]} %{[zeek_cols][nsb]} %{[zeek_cols][extfun]} %{[zeek_cols][data]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bsap_serial_rdb_ext" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bsap_serial_rdb_ext" - init 
=> "@zeek_bsap_serial_rdb_ext_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'dfun', 'seq', 'sfun', 'nsb', 'extfun', 'data' ]" - code => "event.set('[zeek_cols]', @zeek_bsap_serial_rdb_ext_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_bsap_serial_rdb_ext" - add_field => { - "[zeek_cols][proto]" => "serial" - "[zeek_cols][service]" => "bsap" - } - add_tag => [ "ics" ] - } - - # for now, drop hex-encoded binary data for size - if ([zeek_cols][data]) { - mutate { id => "mutate_remove_field_zeek_bsap_serial_rdb_ext_data" - remove_field => [ "[zeek_cols][data]" ] } - } - - } else if ([log_source] == "bacnet_device_control") { - ############################################################################################################################# - # bacnet_device_control.log - # https://github.com/cisagov/ICSNPP - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_bacnet_device_control" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][time_duration]} %{[zeek_cols][device_state]} %{[zeek_cols][password]} %{[zeek_cols][result]} %{[zeek_cols][result_code]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_bacnet_device_control" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_bacnet_device_control" - init => "@zeek_bacnet_device_control_field_names = [ 
'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'invoke_id', 'pdu_service', 'time_duration', 'device_state', 'password', 'result', 'result_code' ]"
- code => "event.set('[zeek_cols]', @zeek_bacnet_device_control_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_bacnet_device_control"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "bacnet"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "bacnet_discovery") {
- #############################################################################################################################
- # bacnet_discovery.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_bacnet_discovery"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_service]} %{[zeek_cols][device_id_type]} %{[zeek_cols][device_id_number]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][vendor]} %{[zeek_cols][range]} %{[zeek_cols][object_name]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_bacnet_discovery"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_bacnet_discovery"
- init => "@zeek_bacnet_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_service', 'device_id_type', 'device_id_number', 'object_type', 'instance_number', 'vendor', 'range', 'object_name' ]"
- code => "event.set('[zeek_cols]', @zeek_bacnet_discovery_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_bacnet_discovery"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "bacnet"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "bacnet_property") {
- #############################################################################################################################
- # bacnet_property.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_bacnet_property"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][invoke_id]} %{[zeek_cols][pdu_service]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][property]} %{[zeek_cols][array_index]} %{[zeek_cols][value]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_bacnet_property"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_bacnet_property"
- init => "@zeek_bacnet_property_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'invoke_id', 'pdu_service', 'object_type', 'instance_number', 'property', 'array_index', 'value' ]"
- code => "event.set('[zeek_cols]', @zeek_bacnet_property_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_bacnet_property"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "bacnet"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "cip") {
- #############################################################################################################################
- # cip.log
- # https://github.com/cisagov/ICSNPP
- #
- # todo: class_id, instance_id is a hex integer, should it be converted to an integer?
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_cip"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][cip_sequence_count]} %{[zeek_cols][direction]} %{[zeek_cols][cip_service_code]} %{[zeek_cols][cip_service]} %{[zeek_cols][cip_status_code]} %{[zeek_cols][cip_status]} %{[zeek_cols][cip_extended_status_code]} %{[zeek_cols][cip_extended_status]} %{[zeek_cols][class_id]} %{[zeek_cols][class_name]} %{[zeek_cols][instance_id]} %{[zeek_cols][attribute_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_cip"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_cip"
- init => "@zeek_cip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'cip_sequence_count', 'direction', 'cip_service_code', 'cip_service', 'cip_status_code', 'cip_status', 'cip_extended_status_code', 'cip_extended_status', 'class_id', 'class_name', 'instance_id', 'attribute_id' ]"
- code => "event.set('[zeek_cols]', @zeek_cip_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_cip"
- add_field => { "[zeek_cols][service]" => "cip" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "cip_identity") {
- #############################################################################################################################
- # cip_identity.log
- # https://github.com/cisagov/ICSNPP
- #
- # TODO: device_status and device_state are a hex int string, convert to int?
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_cip_identity"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][encapsulation_version]} %{[zeek_cols][socket_address]} %{[zeek_cols][socket_port]} %{[zeek_cols][vendor_id]} %{[zeek_cols][vendor_name]} %{[zeek_cols][device_type_id]} %{[zeek_cols][device_type_name]} %{[zeek_cols][product_code]} %{[zeek_cols][revision]} %{[zeek_cols][device_status]} %{[zeek_cols][serial_number]} %{[zeek_cols][product_name]} %{[zeek_cols][device_state]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_cip_identity"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_cip_identity"
- init => "@zeek_cip_identity_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'encapsulation_version', 'socket_address', 'socket_port', 'vendor_id', 'vendor_name', 'device_type_id', 'device_type_name', 'product_code', 'revision', 'device_status', 'serial_number', 'product_name', 'device_state' ]"
- code => "event.set('[zeek_cols]', @zeek_cip_identity_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_cip_identity"
- add_field => { "[zeek_cols][service]" => "cip" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "cip_io") {
- #############################################################################################################################
- # cip_io.log
- # https://github.com/cisagov/ICSNPP
- #
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_cip_io"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][connection_id]} %{[zeek_cols][sequence_number]} %{[zeek_cols][data_length]} %{[zeek_cols][io_data]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_cip_io"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_cip_io"
- init => "@zeek_cip_io_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'connection_id', 'sequence_number', 'data_length', 'io_data' ]"
- code => "event.set('[zeek_cols]', @zeek_cip_io_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_cip_io"
- add_field => { "[zeek_cols][service]" => "cip" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "dce_rpc") {
- #############################################################################################################################
- # dce_rpc.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/dce-rpc/main.zeek.html#type-DCE_RPC::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_dce_rpc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rtt]} %{[zeek_cols][named_pipe]} %{[zeek_cols][endpoint]} %{[zeek_cols][operation]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_dce_rpc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_dce_rpc"
- init => "@zeek_dce_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rtt', 'named_pipe', 'endpoint', 'operation' ]"
- code => "event.set('[zeek_cols]', @zeek_dce_rpc_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_dce_rpc"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "dce_rpc"
- }
- }
-
- } else if ([log_source] == "dhcp") {
- #############################################################################################################################
- # dhcp.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/dhcp/main.zeek.html#type-DHCP::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_dhcp_fields"
- rename => { "[zeek_cols][uids]" => "[zeek_cols][uid]" }
- rename => { "[zeek_cols][client_addr]" => "[zeek_cols][orig_h]" }
- rename => { "[zeek_cols][server_addr]" => "[zeek_cols][orig_p]" }
- rename => { "[zeek_cols][mac]" => "[zeek_cols][orig_l2_addr]" }
- rename => { "[zeek_cols][requested_addr]" => "[zeek_cols][requested_ip]" }
- rename => { "[zeek_cols][assigned_addr]" => "[zeek_cols][assigned_ip]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_dhcp_with_all_fields"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][resp_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][host_name]} %{[zeek_cols][client_fqdn]} %{[zeek_cols][domain]} %{[zeek_cols][requested_ip]} %{[zeek_cols][assigned_ip]} %{[zeek_cols][lease_time]} %{[zeek_cols][client_message]} %{[zeek_cols][server_message]} %{[zeek_cols][msg_types]} %{[zeek_cols][duration]} %{[zeek_cols][client_software]} %{[zeek_cols][server_software]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_dhcp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_dhcp"
- init => "@zeek_dhcp_field_names = [ 'ts', 'uid', 'orig_h', 'resp_h', 'orig_l2_addr', 'host_name', 'client_fqdn', 'domain', 'requested_ip', 'assigned_ip', 'lease_time', 'client_message', 'server_message', 'msg_types', 'duration', 'client_software', 'server_software' ]"
- code => "event.set('[zeek_cols]', @zeek_dhcp_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_dhcp_msg_types"
- split => { "[zeek_cols][msg_types]" => "," } }
- if ([zeek_cols][uid]) and
- ([zeek_cols][uid] != '(empty)') and
- ([zeek_cols][uid] != '') {
- mutate { id => "mutate_split_zeek_dhcp_uids"
- split => { "[zeek_cols][uid]" => "," } }
- }
- }
-
- if ([zeek_cols][uid] and [zeek_cols][uid][0]) {
- mutate { id => "mutate_add_field_zeek_dhcp_uids"
- add_field => { "[rootId]" => "%{[zeek_cols][uid][0]}" } }
- }
-
- if ((![zeek_cols][orig_p]) and (![zeek_cols][resp_p])) {
- mutate {
- id => "mutate_add_field_zeek_dhcp_ports"
- add_field => {
- "[zeek_cols][orig_p]" => 68
- "[zeek_cols][resp_p]" => 67
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_dhcp"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "dhcp"
- }
- }
-
- } else if ([log_source] == "dnp3") {
- #############################################################################################################################
- # dnp3.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/dnp3/main.zeek.html#type-DNP3::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_dnp3"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fc_request]} %{[zeek_cols][fc_reply]} %{[zeek_cols][iin]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_dnp3"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_dnp3"
- init => "@zeek_dnp3_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fc_request', 'fc_reply', 'iin' ]"
- code => "event.set('[zeek_cols]', @zeek_dnp3_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_dnp3"
- add_field => { "[zeek_cols][service]" => "dnp3" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "dnp3_control") {
- #############################################################################################################################
- # dnp3_control.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_dnp3_control"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][block_type]} %{[zeek_cols][function_code]} %{[zeek_cols][index_number]} %{[zeek_cols][trip_control_code]} %{[zeek_cols][operation_type]} %{[zeek_cols][execute_count]} %{[zeek_cols][on_time]} %{[zeek_cols][off_time]} %{[zeek_cols][status_code]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_dnp3_control"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_dnp3_control"
- init => "@zeek_dnp3_control_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'block_type', 'function_code', 'index_number', 'trip_control_code', 'operation_type', 'execute_count', 'on_time', 'off_time', 'status_code' ]"
- code => "event.set('[zeek_cols]', @zeek_dnp3_control_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_dnp3_control"
- add_field => { "[zeek_cols][service]" => "dnp3" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "dnp3_objects") {
- #############################################################################################################################
- # dnp3_objects.log
- # https://github.com/cisagov/ICSNPP
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_dnp3_objects"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][function_code]} %{[zeek_cols][object_type]} %{[zeek_cols][object_count]} %{[zeek_cols][range_low]} %{[zeek_cols][range_high]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_dnp3_objects"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_dnp3_objects"
- init => "@zeek_dnp3_objects_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'function_code', 'object_type', 'object_count', 'range_low', 'range_high' ]"
- code => "event.set('[zeek_cols]', @zeek_dnp3_objects_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_dnp3_objects"
- add_field => { "[zeek_cols][service]" => "dnp3" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "dns") {
- #############################################################################################################################
- # dns.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_dns"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][trans_id]} %{[zeek_cols][rtt]} %{[zeek_cols][query]} %{[zeek_cols][qclass]} %{[zeek_cols][qclass_name]} %{[zeek_cols][qtype]} %{[zeek_cols][qtype_name]} %{[zeek_cols][rcode]} %{[zeek_cols][rcode_name]} %{[zeek_cols][AA]} %{[zeek_cols][TC]} %{[zeek_cols][RD]} %{[zeek_cols][RA]} %{[zeek_cols][Z]} %{[zeek_cols][answers]} %{[zeek_cols][TTLs]} %{[zeek_cols][rejected]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_dns"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_dns"
- init => "@zeek_dns_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'trans_id', 'rtt', 'query', 'qclass', 'qclass_name', 'qtype', 'qtype_name', 'rcode', 'rcode_name', 'AA', 'TC', 'RD', 'RA', 'Z', 'answers', 'TTLs', 'rejected' ]"
- code => "event.set('[zeek_cols]', @zeek_dns_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_dns_commas"
- split => { "[zeek_cols][TTLs]" => ","
- "[zeek_cols][answers]" => "," } }
- }
-
- # remove C_ prefix from qclass_name
- mutate { id => "mutate_gsub_field_zeek_dns_qclass_name"
- gsub => [ "[zeek_cols][qclass_name]", "^C_", "" ] }
-
- mutate {
- id => "mutate_add_fields_zeek_dns"
- add_field => { "[zeek_cols][service]" => "dns" }
- }
-
- } else if ([log_source] == "dpd") {
- #############################################################################################################################
- # dpd.log
- # https://docs.zeek.org/en/stable/scripts/base/frameworks/dpd/main.zeek.html#type-DPD::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_dpd_fields"
- rename => { "[zeek_cols][analyzer]" => "[zeek_cols][service]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_dpd"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]} %{[zeek_cols][failure_reason]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_dpd"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_dpd"
- init => "@zeek_dpd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'service', 'failure_reason' ]"
- code => "event.set('[zeek_cols]', @zeek_dpd_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_lowercase_zeek_dpd_service"
- lowercase => [ "[zeek_cols][service]" ] }
-
- # normalize service string(s)
- if ([zeek_cols][service] =~ /^spicy_/) {
- # if it's coming from spicy, we don't care to have that in the service name
- mutate { id => "mutate_gsub_field_zeek_dpd_service_spicy_prefix"
- gsub => [ "[zeek_cols][service]", "^spicy_", "" ] }
-
- # some spicy services are named like blah_udp or blah_tcp,
- # and we don't care about the _udp/_tcp suffix
- mutate { id => "mutate_gsub_field_zeek_dpd_service_spicy_suffix"
- gsub => [ "[zeek_cols][service]", "_(tcp|udp)(_hmac)?(_(sha|md)\d+)?$", "" ] }
- }
-
- } else if ([log_source] == "enip") {
- #############################################################################################################################
- # enip.log
- # https://github.com/cisagov/ICSNPP
- #
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_enip"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][packet_correlation_id]} %{[zeek_cols][enip_command_code]} %{[zeek_cols][enip_command]} %{[zeek_cols][length]} %{[zeek_cols][session_handle]} %{[zeek_cols][enip_status]} %{[zeek_cols][sender_context]} %{[zeek_cols][options]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_enip"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_enip"
- init => "@zeek_enip_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'packet_correlation_id', 'enip_command_code', 'enip_command', 'length', 'session_handle', 'enip_status', 'sender_context', 'options' ]"
- code => "event.set('[zeek_cols]', @zeek_enip_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_enip"
- add_field => { "[zeek_cols][service]" => "enip" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_registers") {
- #############################################################################################################################
- # ecat_registers.log
- # https://github.com/cisagov/icsnpp-ethercat
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_registers_fields"
- rename => { "[zeek_cols][srcmac]" => "[zeek_cols][orig_l2_addr]" }
- rename => { "[zeek_cols][dstmac]" => "[zeek_cols][resp_l2_addr]" }
- rename => { "[zeek_cols][Command]" => "[zeek_cols][command]" }
- rename => { "[zeek_cols][Slave_Addr]" => "[zeek_cols][server_addr]" }
- rename => { "[zeek_cols][Register_Type]" => "[zeek_cols][register_type]" }
- rename => { "[zeek_cols][Register_Addr]" => "[zeek_cols][register_addr]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_registers"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][command]} %{[zeek_cols][server_addr]} %{[zeek_cols][register_type]} %{[zeek_cols][register_addr]} %{[zeek_cols][data]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_registers"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_registers"
- init => "@zeek_ecat_registers_field_names = [ 'ts', 'orig_l2_addr', 'resp_l2_addr', 'command', 'server_addr', 'register_type', 'register_addr', 'data' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_registers_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_registers"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_log_address") {
- #############################################################################################################################
- # ecat_log_address.log
- # https://github.com/cisagov/icsnpp-ethercat
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_log_address_fields"
- rename => { "[zeek_cols][srcmac]" => "[zeek_cols][orig_l2_addr]" }
- rename => { "[zeek_cols][dstmac]" => "[zeek_cols][resp_l2_addr]" }
- rename => { "[zeek_cols][Log_Addr]" => "[zeek_cols][log_addr]" }
- rename => { "[zeek_cols][Length]" => "[zeek_cols][length]" }
- rename => { "[zeek_cols][Command]" => "[zeek_cols][command]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_log_address"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][log_addr]} %{[zeek_cols][length]} %{[zeek_cols][command]} %{[zeek_cols][data]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_log_address"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_log_address"
- init => "@zeek_ecat_log_address_field_names = [ 'ts', 'orig_l2_addr', 'resp_l2_addr', 'log_addr', 'length', 'command', 'data' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_log_address_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_log_address"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_dev_info") {
- #############################################################################################################################
- # ecat_dev_info.log
- # https://github.com/cisagov/icsnpp-ethercat
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_dev_info_fields"
- rename => { "[zeek_cols][slave_id]" => "[zeek_cols][server_id]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_dev_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][server_id]} %{[zeek_cols][revision]} %{[zeek_cols][dev_type]} %{[zeek_cols][build]} %{[zeek_cols][fmmucnt]} %{[zeek_cols][smcount]} %{[zeek_cols][ports]} %{[zeek_cols][dpram]} %{[zeek_cols][features]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_dev_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_dev_info"
- init => "@zeek_ecat_dev_info_field_names = [ 'ts', 'server_id', 'revision', 'dev_type', 'build', 'fmmucnt', 'smcount', 'ports', 'dpram', 'features' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_dev_info_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_dev_info"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_aoe_info") {
- #############################################################################################################################
- # ecat_aoe_info.log
- # https://github.com/cisagov/icsnpp-ethercat
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_aoe_info_fields"
- rename => { "[zeek_cols][targetid]" => "[zeek_cols][resp_l2_addr]" }
- rename => { "[zeek_cols][targetport]" => "[zeek_cols][resp_port]" }
- rename => { "[zeek_cols][senderid]" => "[zeek_cols][orig_l2_addr]" }
- rename => { "[zeek_cols][senderport]" => "[zeek_cols][orig_port]" }
- rename => { "[zeek_cols][cmd]" => "[zeek_cols][command]" }
- rename => { "[zeek_cols][stateflags]" => "[zeek_cols][state]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_aoe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][resp_port]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][orig_port]} %{[zeek_cols][command]} %{[zeek_cols][state]} %{[zeek_cols][data]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_aoe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_aoe_info"
- init => "@zeek_ecat_aoe_info_field_names = [ 'ts', 'resp_l2_addr', 'resp_port', 'orig_l2_addr', 'orig_port', 'command', 'state', 'data' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_aoe_info_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_aoe_info"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_coe_info") {
- #############################################################################################################################
- # ecat_coe_info.log
- # https://github.com/cisagov/icsnpp-ethercat
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_coe_info_fields"
- rename => { "[zeek_cols][Type]" => "[zeek_cols][type]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_coe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][number]} %{[zeek_cols][type]} %{[zeek_cols][req_resp]} %{[zeek_cols][index]} %{[zeek_cols][subindex]} %{[zeek_cols][dataoffset]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_coe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_coe_info"
- init => "@zeek_ecat_coe_info_field_names = [ 'ts', 'number', 'type', 'req_resp', 'index', 'subindex', 'dataoffset' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_coe_info_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_coe_info"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_foe_info") {
- #############################################################################################################################
- # ecat_foe_info.log
- # https://github.com/cisagov/icsnpp-ethercat
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_foe_info_fields"
- rename => { "[zeek_cols][opCode]" => "[zeek_cols][opcode]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_foe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][opcode]} %{[zeek_cols][reserved]} %{[zeek_cols][packet_num]} %{[zeek_cols][error_code]} %{[zeek_cols][filename]} %{[zeek_cols][data]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_foe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_foe_info"
- init => "@zeek_ecat_foe_info_field_names = [ 'ts', 'opcode', 'reserved', 'packet_num', 'error_code', 'filename', 'data' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_foe_info_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_foe_info"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_soe_info") {
- #############################################################################################################################
- # ecat_soe_info.log
- # https://github.com/cisagov/icsnpp-ethercat
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_soe_info_fields"
- rename => { "[zeek_cols][opCode]" => "[zeek_cols][opcode]" }
- rename => { "[zeek_cols][element_flags]" => "[zeek_cols][element]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_soe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][opcode]} %{[zeek_cols][incomplete]} %{[zeek_cols][error]} %{[zeek_cols][drive_num]} %{[zeek_cols][element]} %{[zeek_cols][index]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_soe_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_soe_info"
- init => "@zeek_ecat_soe_info_field_names = [ 'ts', 'opcode', 'incomplete', 'error', 'drive_num', 'element', 'index' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_soe_info_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_soe_info"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ecat_arp_info") {
- #############################################################################################################################
- # ecat_arp_info.log
- # https://github.com/cisagov/icsnpp-ethercat
- #
- # NOTE: I currently have this disabled via policy hook in local.zeek, as it is including ALL arps and
- not just those from ethercat traffic which can be misleading (i.e., indicating ecat traffic where there is none)
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ecat_arp_info_fields"
- rename => { "[zeek_cols][mac_src]" => "[zeek_cols][orig_l2_addr]" }
- rename => { "[zeek_cols][mac_dst]" => "[zeek_cols][resp_l2_addr]" }
- rename => { "[zeek_cols][SPA]" => "[zeek_cols][orig_proto_addr]" }
- rename => { "[zeek_cols][SHA]" => "[zeek_cols][orig_hw_addr]" }
- rename => { "[zeek_cols][TPA]" => "[zeek_cols][resp_proto_addr]" }
- rename => { "[zeek_cols][THA]" => "[zeek_cols][resp_hw_addr]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ecat_arp_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][arp_type]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][resp_l2_addr]} %{[zeek_cols][orig_proto_addr]} %{[zeek_cols][orig_hw_addr]} %{[zeek_cols][resp_proto_addr]} %{[zeek_cols][resp_hw_addr]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ecat_arp_info"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ecat_arp_info"
- init => "@zeek_ecat_arp_info_field_names = [ 'ts', 'arp_type', 'orig_l2_addr', 'resp_l2_addr', 'orig_proto_addr', 'orig_hw_addr', 'resp_proto_addr', 'resp_hw_addr' ]"
- code => "event.set('[zeek_cols]', @zeek_ecat_arp_info_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ecat_arp_info"
- add_field => {
- "[zeek_cols][service]" => "ethercat"
- }
- }
-
- # TODO: check orig_proto_addr/orig_hw_addr resp_proto_addr/resp_hw_addr and convert to ip, etc. if necessary?
-
- } else if ([log_source] == "files") {
- #############################################################################################################################
- # files.log
- # https://docs.zeek.org/en/stable/scripts/base/frameworks/files/main.zeek.html#type-Files::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_v51_files_with_all_fields"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][source]} %{[zeek_cols][depth]} %{[zeek_cols][analyzers]} %{[zeek_cols][mime_type]} %{[zeek_cols][filename]} %{[zeek_cols][duration]} %{[zeek_cols][local_orig]} %{[zeek_cols][is_orig]} %{[zeek_cols][seen_bytes]} %{[zeek_cols][total_bytes]} %{[zeek_cols][missing_bytes]} %{[zeek_cols][overflow_bytes]} %{[zeek_cols][timedout]} %{[zeek_cols][parent_fuid]} %{[zeek_cols][md5]} %{[zeek_cols][sha1]} %{[zeek_cols][sha256]} %{[zeek_cols][extracted]} %{[zeek_cols][extracted_cutoff]} %{[zeek_cols][extracted_size]} %{[zeek_cols][ftime]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_files"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_files"
- init => "@zeek_files_field_names = [ 'ts', 'fuid', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'source', 'depth', 'analyzers', 'mime_type', 'filename', 'duration', 'local_orig', 'is_orig', 
'seen_bytes', 'total_bytes', 'missing_bytes', 'overflow_bytes', 'timedout', 'parent_fuid', 'md5', 'sha1', 'sha256', 'extracted', 'extracted_cutoff', 'extracted_size', 'ftime' ]" - code => "event.set('[zeek_cols]', @zeek_files_field_names.zip(event.get('[message]')).to_h)" - } - } - if ([zeek_cols][conn_uids]) and ([zeek_cols][conn_uids] != '(empty)') and ([zeek_cols][conn_uids] != '') { - mutate { id => "mutate_split_zeek_files_conn_uids" - split => { "[zeek_cols][conn_uids]" => "," } } - } - if ([zeek_cols][tx_hosts]) and ([zeek_cols][tx_hosts] != '(empty)') and ([zeek_cols][tx_hosts] != '') { - mutate { id => "mutate_split_zeek_files_tx_hosts" - split => { "[zeek_cols][tx_hosts]" => "," } } - } - if ([zeek_cols][rx_hosts]) and ([zeek_cols][rx_hosts] != '(empty)') and ([zeek_cols][rx_hosts] != '') { - mutate { id => "mutate_split_zeek_files_rx_hosts" - split => { "[zeek_cols][rx_hosts]" => "," } } - } - mutate { id => "mutate_split_zeek_files_parent_fuid_and_analyzers" - split => { "[zeek_cols][parent_fuid]" => "," - "[zeek_cols][analyzers]" => "," } } - } - - if ([zeek_cols][conn_uids] and [zeek_cols][conn_uids][0]) { - mutate { - id => "mutate_add_field_zeek_files_conn_uids_to_uid" - add_field => { "[rootId]" => "%{[zeek_cols][conn_uids][0]}" - "[zeek_cols][uid]" => "%{[zeek_cols][conn_uids][0]}" } - } - } else if (![zeek_cols][uid]) { - mutate { - id => "mutate_add_fields_zeek_files_fuid_to_uid" - add_field => { "[zeek_cols][uid]" => "%{[zeek_cols][fuid]}" } - } - } - - if ([zeek_cols][tx_hosts] and [zeek_cols][tx_hosts][0]) { - mutate { id => "mutate_add_field_zeek_tx_hosts" - add_field => { "[source][ip]" => "%{[zeek_cols][tx_hosts][0]}" } } - } - - if ([zeek_cols][rx_hosts] and [zeek_cols][rx_hosts][0]) { - mutate { id => "mutate_add_field_zeek_rx_hosts" - add_field => { "[destination][ip]" => "%{[zeek_cols][rx_hosts][0]}" } } - } - - - } else if ([log_source] == "ftp") { - 
############################################################################################################################# - # ftp.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/ftp/info.zeek.html#type-FTP::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_ftp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][command]} %{[zeek_cols][arg]} %{[zeek_cols][mime_type]} %{[zeek_cols][file_size]} %{[zeek_cols][reply_code]} %{[zeek_cols][reply_msg]} %{[zeek_cols][data_channel][passive]} %{[zeek_cols][data_channel][orig_h]} %{[zeek_cols][data_channel][resp_h]} %{[zeek_cols][data_channel][resp_p]} %{[zeek_cols][fuid]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ftp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ftp" - init => "@zeek_ftp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'password', 'command', 'arg', 'mime_type', 'file_size', 'reply_code', 'reply_msg', 'data_channel.passive', 'data_channel.orig_h', 'data_channel.resp_h', 'data_channel.resp_p', 'fuid' ]" - code => "event.set('[zeek_cols]', @zeek_ftp_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_ftp" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "ftp" - } - } - - } else if ([log_source] == "ge_srtp") { - ############################################################################################################################# - # ge_srtp_general.log - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => 
"dissect_zeek_ge_srtp_log" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][srtp_type]} %{[zeek_cols][sequence_number_1]} %{[zeek_cols][text_length]} %{[zeek_cols][time_seconds]} %{[zeek_cols][time_minutes]} %{[zeek_cols][time_hours]} %{[zeek_cols][sequence_number_2]} %{[zeek_cols][message_type]} %{[zeek_cols][mailbox_source]} %{[zeek_cols][mailbox_destination]} %{[zeek_cols][packet_number]} %{[zeek_cols][total_packet_number]} %{[zeek_cols][service_request_code]} %{[zeek_cols][segment_selector]} %{[zeek_cols][memory_offset]} %{[zeek_cols][data_length]} %{[zeek_cols][status_code]} %{[zeek_cols][minor_status_code]} %{[zeek_cols][data_requested]} %{[zeek_cols][control_program_number]} %{[zeek_cols][current_privilege_level]} %{[zeek_cols][last_sweep_time]} %{[zeek_cols][oversweep_flag]} %{[zeek_cols][constant_sweep_mode]} %{[zeek_cols][plc_fault_entry_last_read]} %{[zeek_cols][io_fault_entry_last_read]} %{[zeek_cols][plc_fault_entry_present]} %{[zeek_cols][io_fault_entry_present]} %{[zeek_cols][programmer_attachment]} %{[zeek_cols][front_panel_enable_switch]} %{[zeek_cols][front_panel_run_switch]} %{[zeek_cols][oem_protected]} %{[zeek_cols][plc_state]}" - } - } - - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ge_srtp_log" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ge_srtp_log" - init => "$zeek_ge_srtp_log_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'srtp_type', 'sequence_number_1', 'text_length', 'time_seconds', 'time_minutes', 'time_hours', 'sequence_number_2', 'message_type', 'mailbox_source', 'mailbox_destination', 'packet_number', 'total_packet_number', 
'service_request_code', 'segment_selector', 'memory_offset', 'data_length', 'status_code', 'minor_status_code', 'data_requested', 'control_program_number', 'current_privilege_level', 'last_sweep_time', 'oversweep_flag', 'constant_sweep_mode', 'plc_fault_entry_last_read', 'io_fault_entry_last_read', 'plc_fault_entry_present', 'io_fault_entry_present', 'programmer_attachment', 'front_panel_enable_switch', 'front_panel_run_switch', 'oem_protected', 'plc_state' ]" - code => "event.set('[zeek_cols]', $zeek_ge_srtp_log_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_remove_field_ge_srtp_proto" - remove_field => [ "[zeek_cols][proto]" ] } - mutate { - id => "mutate_add_fields_zeek_ge_srtp_log" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "ge_srtp" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "genisys") { - ############################################################################################################################# - # genisys.log - # https://github.com/cisagov/icsnpp-genisys - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_genisys_fields" - rename => { "[zeek_cols][payload]" => "[zeek_cols][payload_raw]" } - } - - } else { - dissect { - id => "dissect_zeek_genisys" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][header]} %{[zeek_cols][server]} %{[zeek_cols][direction]} %{[zeek_cols][crc_transmitted]} %{[zeek_cols][crc_calculated]} %{[zeek_cols][payload_raw]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_genisys" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => 
"ruby_zip_zeek_genisys" - init => "@zeek_genisys_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'header', 'server', 'direction', 'crc_transmitted', 'crc_calculated', 'payload_raw' ]" - code => "event.set('[zeek_cols]', @zeek_genisys_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_genisys" - add_field => { - "[zeek_cols][service]" => "genisys" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "gquic") { - ############################################################################################################################# - # gquic.log - # https://github.com/salesforce/GQUIC_Protocol_Analyzer/blob/master/scripts/Salesforce/GQUIC/main.bro - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_gquic" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][server_name]} %{[zeek_cols][user_agent]} %{[zeek_cols][tag_count]} %{[zeek_cols][cyu]} %{[zeek_cols][cyutags]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_gquic" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_gquic" - init => "@zeek_gquic_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'server_name', 'user_agent', 'tag_count', 'cyu', 'cyutags' ]" - code => "event.set('[zeek_cols]', @zeek_gquic_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_gquic" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "quic" - } - } - - } else if ([log_source] == "hart_ip_common_commands") { - 
############################################################################################################################# - # hart_ip_common_commands.log - # main.zeek (https://github.com/cisagov/icsnpp-hart-ip) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_hart_ip_common_commands" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][read_device_variables_request_slot0_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot1_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot2_device_variable_code]} %{[zeek_cols][read_device_variables_request_slot3_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot0_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot0_units_code]} %{[zeek_cols][read_device_variables_response_slot0_device_variable]} %{[zeek_cols][read_device_variables_response_slot1_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot1_units_code]} %{[zeek_cols][read_device_variables_response_slot1_device_variable]} %{[zeek_cols][read_device_variables_response_slot2_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot2_units_code]} %{[zeek_cols][read_device_variables_response_slot2_device_variable]} %{[zeek_cols][read_device_variables_response_slot3_device_variable_code]} %{[zeek_cols][read_device_variables_response_slot3_units_code]} %{[zeek_cols][read_device_variables_response_slot3_device_variable]} %{[zeek_cols][write_primary_variable_damping_value_pv_damping_value]} %{[zeek_cols][write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code]} %{[zeek_cols][write_primary_variable_range_values_pv_upper_range_value]} 
%{[zeek_cols][write_primary_variable_range_values_p_v_lower_range_value]} %{[zeek_cols][eeprom_control_eeprom_control_code]} %{[zeek_cols][enter_exit_fixed_current_mode_pv_fixed_current_level]} %{[zeek_cols][write_primary_variable_units_pv_unit_codes]} %{[zeek_cols][trim_loop_current_zero_measured_pv_loop_current_level]} %{[zeek_cols][trim_loop_current_gain_measured_pv_loop_current_level]} %{[zeek_cols][write_primary_variable_transfer_function_p_v_transfer_function_code]} %{[zeek_cols][write_primary_variable_transducer_serial_number_pv_transducer_serial_number]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable]} %{[zeek_cols][read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable]} %{[zeek_cols][write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable]} %{[zeek_cols][set_device_variable_zero_device_variable_zeroed]} %{[zeek_cols][write_device_variable_units_device_variable_code]} %{[zeek_cols][write_device_variable_units_device_variable_units_code]} %{[zeek_cols][read_device_variable_information_request_device_variable_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_code]} %{[zeek_cols][read_device_variable_information_response_device_variable_transducer_serial_number]} %{[zeek_cols][read_device_variable_information_response_device_variable_limits_minimum_span_units_code]} 
%{[zeek_cols][read_device_variable_information_response_device_variable_upper_transducer_limit]} %{[zeek_cols][read_device_variable_information_response_device_variable_lower_transducer_limit]} %{[zeek_cols][read_device_variable_information_response_device_variable_damping_value]} %{[zeek_cols][read_device_variable_information_response_device_variable_minimum_span]} %{[zeek_cols][read_device_variable_information_response_device_variable_classification]} %{[zeek_cols][read_device_variable_information_response_device_variable_family]} %{[zeek_cols][read_device_variable_information_response_acquisition_period]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_is_simulated]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_undefined_bits_1_6]} %{[zeek_cols][read_device_variable_information_response_device_variable_properties_is_input]} %{[zeek_cols][write_device_variable_damping_value_device_variable_code]} %{[zeek_cols][write_device_variable_damping_value_device_variable_damping_value]} %{[zeek_cols][write_device_variable_transducer_serial_no_device_variable_code]} %{[zeek_cols][write_device_variable_transducer_serial_no_device_variable_transducer_serial_number]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_tag]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_descriptor]} %{[zeek_cols][read_unit_tag_descriptor_date_response_unit_date]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_tag]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_descriptor]} %{[zeek_cols][write_unit_tag_descriptor_date_unit_date]} %{[zeek_cols][write_number_of_response_preambles_number_of_preambles]} %{[zeek_cols][read_analog_channel_and_percent_of_range_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_units_code]} 
%{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_level]} %{[zeek_cols][read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code]} %{[zeek_cols][read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot0]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot1]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot2]} %{[zeek_cols][read_analog_channels_request_analog_channel_number_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot0]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot1]} 
%{[zeek_cols][read_analog_channels_response_analog_channel_level_slot1]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot2]} %{[zeek_cols][read_analog_channels_response_analog_channel_number_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_units_code_slot3]} %{[zeek_cols][read_analog_channels_response_analog_channel_level_slot3]} %{[zeek_cols][read_analog_channel_information_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_alarm_selection_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_transfer_function_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_upper_range_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_lower_range_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_damping_value]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_is_simulated]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6]} %{[zeek_cols][read_analog_channel_information_response_analog_channel_flags_is_input]} %{[zeek_cols][write_analog_channel_additional_damping_value_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_additional_damping_value_analog_channel_damping_value]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code]} %{[zeek_cols][write_analog_channel_range_values_analog_channel_upper_range_value]} 
%{[zeek_cols][write_analog_channel_range_values_analog_channel_lower_range_value]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_analog_channel_number_code]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_analog_channel_units_code]} %{[zeek_cols][enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_number_code]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_units_code]} %{[zeek_cols][trim_analog_channel_zero_analog_channel_level]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_number_code]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_units_code]} %{[zeek_cols][trim_analog_channel_gain_analog_channel_level]} %{[zeek_cols][write_analog_channel_transfer_function_analog_channel_number_code]} %{[zeek_cols][write_analog_channel_transfer_function_analog_channel_units_code]} %{[zeek_cols][read_analog_channel_endpoint_values_request_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_number_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value]} %{[zeek_cols][read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value]} %{[zeek_cols][lock_device_lock_code]} %{[zeek_cols][squawk_squawk_control]} %{[zeek_cols][find_device_response_254]} %{[zeek_cols][find_device_response_expanded_device_type]} %{[zeek_cols][find_device_response_minimum_preambles_master_slave]} %{[zeek_cols][find_device_response_hart_protocol_major_revision]} %{[zeek_cols][find_device_response_device_revision_level]} %{[zeek_cols][find_device_response_software_revision_level]} 
%{[zeek_cols][find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][find_device_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][find_device_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][find_device_response_flags_undefined_5]} %{[zeek_cols][find_device_response_flags_safehart_capable_field_device]} %{[zeek_cols][find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][find_device_response_flags_protocol_bridge_device]} %{[zeek_cols][find_device_response_flags_eeprom_control]} %{[zeek_cols][find_device_response_flags_mutli_sensor_field_device]} %{[zeek_cols][find_device_response_device_id]} %{[zeek_cols][find_device_response_number_preambles_slave_master]} %{[zeek_cols][find_device_response_last_device_variable_this]} %{[zeek_cols][find_device_response_configuration_change_counter]} %{[zeek_cols][find_device_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][find_device_response_extended_field_device_status_function_check]} %{[zeek_cols][find_device_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][find_device_response_extended_field_device_status_failure]} %{[zeek_cols][find_device_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][find_device_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][find_device_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][find_device_response_manufacturer_identification_code]} %{[zeek_cols][find_device_response_private_label_distributor_code]} %{[zeek_cols][find_device_response_device_profile]} %{[zeek_cols][read_io_system_capabilities_response_max_io_cards]} %{[zeek_cols][read_io_system_capabilities_response_max_channels_per_io_card]} 
%{[zeek_cols][read_io_system_capabilities_response_max_sub_devices_per_channel]} %{[zeek_cols][read_io_system_capabilities_response_number_of_devices_detected]} %{[zeek_cols][read_io_system_capabilities_response_max_delayed_responses_supported]} %{[zeek_cols][read_io_system_capabilities_response_master_mode]} %{[zeek_cols][read_io_system_capabilities_response_retry_count]} %{[zeek_cols][poll_sub_device_request_io_card]} %{[zeek_cols][poll_sub_device_request_channel]} %{[zeek_cols][poll_sub_device_request_sub_device_polling_address]} %{[zeek_cols][poll_sub_device_response_254]} %{[zeek_cols][poll_sub_device_response_expanded_device_type]} %{[zeek_cols][poll_sub_device_response_minimum_preambles_master_slave]} %{[zeek_cols][poll_sub_device_response_hart_protocol_major_revision]} %{[zeek_cols][poll_sub_device_response_device_revision_level]} %{[zeek_cols][poll_sub_device_response_software_revision_level]} %{[zeek_cols][poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][poll_sub_device_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][poll_sub_device_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][poll_sub_device_response_flags_undefined_5]} %{[zeek_cols][poll_sub_device_response_flags_safehart_capable_field_device]} %{[zeek_cols][poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][poll_sub_device_response_flags_protocol_bridge_device]} %{[zeek_cols][poll_sub_device_response_flags_eeprom_control]} %{[zeek_cols][poll_sub_device_response_flags_mutli_sensor_field_device]} %{[zeek_cols][poll_sub_device_response_device_id]} %{[zeek_cols][poll_sub_device_response_number_preambles_slave_master]} %{[zeek_cols][poll_sub_device_response_last_device_variable_this]} %{[zeek_cols][poll_sub_device_response_configuration_change_counter]} 
%{[zeek_cols][poll_sub_device_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_function_check]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_failure]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][poll_sub_device_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][poll_sub_device_response_manufacturer_identification_code]} %{[zeek_cols][poll_sub_device_response_private_label_distributor_code]} %{[zeek_cols][poll_sub_device_response_device_profile]} %{[zeek_cols][read_lock_device_state_response_lock_status_undefined_bits]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_gateway]} %{[zeek_cols][read_lock_device_state_response_lock_status_configuration_locked]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_primary]} %{[zeek_cols][read_lock_device_state_response_lock_status_lock_permanent]} %{[zeek_cols][read_lock_device_state_response_lock_status_device_locked]} %{[zeek_cols][write_device_variable_device_variable_code]} %{[zeek_cols][write_device_variable_write_device_variable_command_code]} %{[zeek_cols][write_device_variable_units_code]} %{[zeek_cols][write_device_variable_device_variable_value]} %{[zeek_cols][write_device_variable_device_variable_status_process_data_status]} %{[zeek_cols][write_device_variable_device_variable_status_limit_status]} %{[zeek_cols][write_device_variable_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][write_device_variable_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_trim_points_device_variable_code]} 
%{[zeek_cols][read_device_variable_trim_points_response_trim_points_units_code]} %{[zeek_cols][read_device_variable_trim_points_response_lower_or_single_trim_point]} %{[zeek_cols][read_device_variable_trim_points_response_upper_trim_point]} %{[zeek_cols][read_device_variable_trim_guidelines_device_variable_guidelines]} %{[zeek_cols][write_device_variable_trim_point_device_variable_to_trim]} %{[zeek_cols][write_device_variable_trim_point_trim_point]} %{[zeek_cols][write_device_variable_trim_point_trim_points_units_code]} %{[zeek_cols][write_device_variable_trim_point_trim_point_value]} %{[zeek_cols][reset_device_variable_trim_device_variable_trim_to_reset]} %{[zeek_cols][read_sub_device_identity_summary_sub_device_index]} %{[zeek_cols][read_sub_device_identity_summary_response_io_card]} %{[zeek_cols][read_sub_device_identity_summary_response_channel]} %{[zeek_cols][read_sub_device_identity_summary_response_manufacturer_identification_code]} %{[zeek_cols][read_sub_device_identity_summary_response_expanded_device_type]} %{[zeek_cols][read_sub_device_identity_summary_response_device_id]} %{[zeek_cols][read_sub_device_identity_summary_response_universal_command_revision_level]} %{[zeek_cols][read_sub_device_identity_summary_response_long_tag]} %{[zeek_cols][read_sub_device_identity_summary_response_device_revision]} %{[zeek_cols][read_sub_device_identity_summary_response_device_profile]} %{[zeek_cols][read_sub_device_identity_summary_response_private_label_distributor_code]} %{[zeek_cols][read_io_channel_statistics_io_card]} %{[zeek_cols][read_io_channel_statistics_channel]} %{[zeek_cols][read_io_channel_statistics_response_stx_count]} %{[zeek_cols][read_io_channel_statistics_response_ack_count]} %{[zeek_cols][read_io_channel_statistics_response_ostx_count]} %{[zeek_cols][read_io_channel_statistics_response_oack_count]} %{[zeek_cols][read_io_channel_statistics_response_back_count]} %{[zeek_cols][read_sub_device_statistics_sub_device_index]} 
%{[zeek_cols][read_sub_device_statistics_response_stx_count]} %{[zeek_cols][read_sub_device_statistics_response_ack_count]} %{[zeek_cols][read_sub_device_statistics_response_back_count]} %{[zeek_cols][write_io_system_master_mode_master_mode]} %{[zeek_cols][write_io_system_retry_count_retry_count]} %{[zeek_cols][set_real_time_clock_time_set_code]} %{[zeek_cols][set_real_time_clock_date]} %{[zeek_cols][set_real_time_clock_time_of_day]} %{[zeek_cols][set_real_time_clock_null_bytes]}" - } - } - - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_hart_ip_common_commands" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_hart_ip_common_commands" - init => "$zeek_hart_ip_common_commands_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'read_device_variables_request_slot0_device_variable_code', 'read_device_variables_request_slot1_device_variable_code', 'read_device_variables_request_slot2_device_variable_code', 'read_device_variables_request_slot3_device_variable_code', 'read_device_variables_response_slot0_device_variable_code', 'read_device_variables_response_slot0_units_code', 'read_device_variables_response_slot0_device_variable', 'read_device_variables_response_slot1_device_variable_code', 'read_device_variables_response_slot1_units_code', 'read_device_variables_response_slot1_device_variable', 'read_device_variables_response_slot2_device_variable_code', 'read_device_variables_response_slot2_units_code', 'read_device_variables_response_slot2_device_variable', 'read_device_variables_response_slot3_device_variable_code', 'read_device_variables_response_slot3_units_code', 'read_device_variables_response_slot3_device_variable', 'write_primary_variable_damping_value_pv_damping_value', 'write_primary_variable_range_values_pv_upper_and_lower_range_values_units_code', 
'write_primary_variable_range_values_pv_upper_range_value', 'write_primary_variable_range_values_p_v_lower_range_value', 'eeprom_control_eeprom_control_code', 'enter_exit_fixed_current_mode_pv_fixed_current_level', 'write_primary_variable_units_pv_unit_codes', 'trim_loop_current_zero_measured_pv_loop_current_level', 'trim_loop_current_gain_measured_pv_loop_current_level', 'write_primary_variable_transfer_function_p_v_transfer_function_code', 'write_primary_variable_transducer_serial_number_pv_transducer_serial_number', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_primary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_secondary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_tertiary_variable', 'read_dynamic_variable_assignments_response_device_variable_assigned_to_quaternary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_primary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_secondary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_tertiary_variable', 'write_dynamic_variable_assignments_device_variable_assigned_to_quaternary_variable', 'set_device_variable_zero_device_variable_zeroed', 'write_device_variable_units_device_variable_code', 'write_device_variable_units_device_variable_units_code', 'read_device_variable_information_request_device_variable_code', 'read_device_variable_information_response_device_variable_code', 'read_device_variable_information_response_device_variable_transducer_serial_number', 'read_device_variable_information_response_device_variable_limits_minimum_span_units_code', 'read_device_variable_information_response_device_variable_upper_transducer_limit', 'read_device_variable_information_response_device_variable_lower_transducer_limit', 'read_device_variable_information_response_device_variable_damping_value', 
'read_device_variable_information_response_device_variable_minimum_span', 'read_device_variable_information_response_device_variable_classification', 'read_device_variable_information_response_device_variable_family', 'read_device_variable_information_response_acquisition_period', 'read_device_variable_information_response_device_variable_properties_is_simulated', 'read_device_variable_information_response_device_variable_properties_undefined_bits_1_6', 'read_device_variable_information_response_device_variable_properties_is_input', 'write_device_variable_damping_value_device_variable_code', 'write_device_variable_damping_value_device_variable_damping_value', 'write_device_variable_transducer_serial_no_device_variable_code', 'write_device_variable_transducer_serial_no_device_variable_transducer_serial_number', 'read_unit_tag_descriptor_date_response_unit_tag', 'read_unit_tag_descriptor_date_response_unit_descriptor', 'read_unit_tag_descriptor_date_response_unit_date', 'write_unit_tag_descriptor_date_unit_tag', 'write_unit_tag_descriptor_date_unit_descriptor', 'write_unit_tag_descriptor_date_unit_date', 'write_number_of_response_preambles_number_of_preambles', 'read_analog_channel_and_percent_of_range_request_analog_channel_number_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_number_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_units_code', 'read_analog_channel_and_percent_of_range_response_analog_channel_level', 'read_analog_channel_and_percent_of_range_response_analog_channel_percent_of_range', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_channel_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_analog_level', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_primary_variable', 
'read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_secondary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_tertiary_variable', 'read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable_units_code', 'read_dynamic_variables_and_primary_variable_analog_channel_response_quaternary_variable', 'read_analog_channels_request_analog_channel_number_code_slot0', 'read_analog_channels_request_analog_channel_number_code_slot1', 'read_analog_channels_request_analog_channel_number_code_slot2', 'read_analog_channels_request_analog_channel_number_code_slot3', 'read_analog_channels_response_analog_channel_number_code_slot0', 'read_analog_channels_response_analog_channel_units_code_slot0', 'read_analog_channels_response_analog_channel_level_slot0', 'read_analog_channels_response_analog_channel_number_code_slot1', 'read_analog_channels_response_analog_channel_units_code_slot1', 'read_analog_channels_response_analog_channel_level_slot1', 'read_analog_channels_response_analog_channel_number_code_slot2', 'read_analog_channels_response_analog_channel_units_code_slot2', 'read_analog_channels_response_analog_channel_level_slot2', 'read_analog_channels_response_analog_channel_number_code_slot3', 'read_analog_channels_response_analog_channel_units_code_slot3', 'read_analog_channels_response_analog_channel_level_slot3', 'read_analog_channel_information_request_analog_channel_number_code', 'read_analog_channel_information_response_analog_channel_number_code', 'read_analog_channel_information_response_analog_channel_alarm_selection_code', 'read_analog_channel_information_response_analog_channel_transfer_function_code', 'read_analog_channel_information_response_analog_channel_upper_and_lower_range_values_units_code', 
'read_analog_channel_information_response_analog_channel_upper_range_value', 'read_analog_channel_information_response_analog_channel_lower_range_value', 'read_analog_channel_information_response_analog_channel_damping_value', 'read_analog_channel_information_response_analog_channel_flags_is_simulated', 'read_analog_channel_information_response_analog_channel_flags_undefined_bits_1_6', 'read_analog_channel_information_response_analog_channel_flags_is_input', 'write_analog_channel_additional_damping_value_analog_channel_number_code', 'write_analog_channel_additional_damping_value_analog_channel_damping_value', 'write_analog_channel_range_values_analog_channel_number_code', 'write_analog_channel_range_values_analog_channel_upper_and_lower_range_values_units_code', 'write_analog_channel_range_values_analog_channel_upper_range_value', 'write_analog_channel_range_values_analog_channel_lower_range_value', 'enter_exit_fixed_analog_channel_mode_analog_channel_number_code', 'enter_exit_fixed_analog_channel_mode_analog_channel_units_code', 'enter_exit_fixed_analog_channel_mode_fixed_analog_channel_level', 'trim_analog_channel_zero_analog_channel_number_code', 'trim_analog_channel_zero_analog_channel_units_code', 'trim_analog_channel_zero_analog_channel_level', 'trim_analog_channel_gain_analog_channel_number_code', 'trim_analog_channel_gain_analog_channel_units_code', 'trim_analog_channel_gain_analog_channel_level', 'write_analog_channel_transfer_function_analog_channel_number_code', 'write_analog_channel_transfer_function_analog_channel_units_code', 'read_analog_channel_endpoint_values_request_analog_channel_number_code', 'read_analog_channel_endpoint_values_response_analog_channel_number_code', 'read_analog_channel_endpoint_values_response_analog_channel_upper_and_lower_endpoint_values_units_code', 'read_analog_channel_endpoint_values_response_analog_channel_upper_endpoint_value', 'read_analog_channel_endpoint_values_response_analog_channel_lower_endpoint_value', 
'read_analog_channel_endpoint_values_response_analog_channel_upper_limit_value', 'read_analog_channel_endpoint_values_response_analog_channel_lower_limit_value', 'lock_device_lock_code', 'squawk_squawk_control', 'find_device_response_254', 'find_device_response_expanded_device_type', 'find_device_response_minimum_preambles_master_slave', 'find_device_response_hart_protocol_major_revision', 'find_device_response_device_revision_level', 'find_device_response_software_revision_level', 'find_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'find_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'find_device_response_flags_c8_psk_in_multi_drop_only', 'find_device_response_flags_c8_psk_capable_field_device', 'find_device_response_flags_undefined_5', 'find_device_response_flags_safehart_capable_field_device', 'find_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'find_device_response_flags_protocol_bridge_device', 'find_device_response_flags_eeprom_control', 'find_device_response_flags_mutli_sensor_field_device', 'find_device_response_device_id', 'find_device_response_number_preambles_slave_master', 'find_device_response_last_device_variable_this', 'find_device_response_configuration_change_counter', 'find_device_response_extended_field_device_status_undefined_bits', 'find_device_response_extended_field_device_status_function_check', 'find_device_response_extended_field_device_status_out_of_specification', 'find_device_response_extended_field_device_status_failure', 'find_device_response_extended_field_device_status_critical_power_failure', 'find_device_response_extended_field_device_status_device_variable_alert', 'find_device_response_extended_field_device_status_maintenance_required', 'find_device_response_manufacturer_identification_code', 'find_device_response_private_label_distributor_code', 'find_device_response_device_profile', 
'read_io_system_capabilities_response_max_io_cards', 'read_io_system_capabilities_response_max_channels_per_io_card', 'read_io_system_capabilities_response_max_sub_devices_per_channel', 'read_io_system_capabilities_response_number_of_devices_detected', 'read_io_system_capabilities_response_max_delayed_responses_supported', 'read_io_system_capabilities_response_master_mode', 'read_io_system_capabilities_response_retry_count', 'poll_sub_device_request_io_card', 'poll_sub_device_request_channel', 'poll_sub_device_request_sub_device_polling_address', 'poll_sub_device_response_254', 'poll_sub_device_response_expanded_device_type', 'poll_sub_device_response_minimum_preambles_master_slave', 'poll_sub_device_response_hart_protocol_major_revision', 'poll_sub_device_response_device_revision_level', 'poll_sub_device_response_software_revision_level', 'poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'poll_sub_device_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'poll_sub_device_response_flags_c8_psk_in_multi_drop_only', 'poll_sub_device_response_flags_c8_psk_capable_field_device', 'poll_sub_device_response_flags_undefined_5', 'poll_sub_device_response_flags_safehart_capable_field_device', 'poll_sub_device_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'poll_sub_device_response_flags_protocol_bridge_device', 'poll_sub_device_response_flags_eeprom_control', 'poll_sub_device_response_flags_mutli_sensor_field_device', 'poll_sub_device_response_device_id', 'poll_sub_device_response_number_preambles_slave_master', 'poll_sub_device_response_last_device_variable_this', 'poll_sub_device_response_configuration_change_counter', 'poll_sub_device_response_extended_field_device_status_undefined_bits', 'poll_sub_device_response_extended_field_device_status_function_check', 'poll_sub_device_response_extended_field_device_status_out_of_specification', 
'poll_sub_device_response_extended_field_device_status_failure', 'poll_sub_device_response_extended_field_device_status_critical_power_failure', 'poll_sub_device_response_extended_field_device_status_device_variable_alert', 'poll_sub_device_response_extended_field_device_status_maintenance_required', 'poll_sub_device_response_manufacturer_identification_code', 'poll_sub_device_response_private_label_distributor_code', 'poll_sub_device_response_device_profile', 'read_lock_device_state_response_lock_status_undefined_bits', 'read_lock_device_state_response_lock_status_lock_gateway', 'read_lock_device_state_response_lock_status_configuration_locked', 'read_lock_device_state_response_lock_status_lock_primary', 'read_lock_device_state_response_lock_status_lock_permanent', 'read_lock_device_state_response_lock_status_device_locked', 'write_device_variable_device_variable_code', 'write_device_variable_write_device_variable_command_code', 'write_device_variable_units_code', 'write_device_variable_device_variable_value', 'write_device_variable_device_variable_status_process_data_status', 'write_device_variable_device_variable_status_limit_status', 'write_device_variable_device_variable_status_more_device_variable_status_available', 'write_device_variable_device_variable_status_device_family_specific_status', 'read_device_variable_trim_points_device_variable_code', 'read_device_variable_trim_points_response_trim_points_units_code', 'read_device_variable_trim_points_response_lower_or_single_trim_point', 'read_device_variable_trim_points_response_upper_trim_point', 'read_device_variable_trim_guidelines_device_variable_guidelines', 'write_device_variable_trim_point_device_variable_to_trim', 'write_device_variable_trim_point_trim_point', 'write_device_variable_trim_point_trim_points_units_code', 'write_device_variable_trim_point_trim_point_value', 'reset_device_variable_trim_device_variable_trim_to_reset', 'read_sub_device_identity_summary_sub_device_index', 
'read_sub_device_identity_summary_response_io_card', 'read_sub_device_identity_summary_response_channel', 'read_sub_device_identity_summary_response_manufacturer_identification_code', 'read_sub_device_identity_summary_response_expanded_device_type', 'read_sub_device_identity_summary_response_device_id', 'read_sub_device_identity_summary_response_universal_command_revision_level', 'read_sub_device_identity_summary_response_long_tag', 'read_sub_device_identity_summary_response_device_revision', 'read_sub_device_identity_summary_response_device_profile', 'read_sub_device_identity_summary_response_private_label_distributor_code', 'read_io_channel_statistics_io_card', 'read_io_channel_statistics_channel', 'read_io_channel_statistics_response_stx_count', 'read_io_channel_statistics_response_ack_count', 'read_io_channel_statistics_response_ostx_count', 'read_io_channel_statistics_response_oack_count', 'read_io_channel_statistics_response_back_count', 'read_sub_device_statistics_sub_device_index', 'read_sub_device_statistics_response_stx_count', 'read_sub_device_statistics_response_ack_count', 'read_sub_device_statistics_response_back_count', 'write_io_system_master_mode_master_mode', 'write_io_system_retry_count_retry_count', 'set_real_time_clock_time_set_code', 'set_real_time_clock_date', 'set_real_time_clock_time_of_day', 'set_real_time_clock_null_bytes' ]" - code => "event.set('[zeek_cols]', $zeek_hart_ip_common_commands_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_hart_ip_common_commands" - add_field => { - "[zeek_cols][service]" => "hart_ip" - } - add_tag => [ "ics" ] - } - - # The "proto" field in these logs is useless. - # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed - # The other fields are basically just placeholders we don't want to store the raw data for. 
- mutate { id => "mutate_remove_field_zeek_hart_ip_common_commands_proto"
- remove_field => [ "[zeek_cols][proto]",
- "[zeek][hart_ip][token_passing_pdu_contents_data_data]",
- "[zeek][hart_ip][message_packet_bytes]",
- "[zeek][hart_ip][token_passing_pdu_contents_data_data]" ] }
-
-
- } else if ([log_source] == "hart_ip_direct_pdu_command") {
- #############################################################################################################################
- # hart_ip_direct_pdu_command.log
- # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_hart_ip_direct_pdu_command"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][direct_pdu_command_link_id]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][direct_pdu_command_data_data]} %{[zeek_cols][direct_pdu_command_command_number]} %{[zeek_cols][direct_pdu_command_byte_count]} %{[zeek_cols][direct_pdu_contents_response_response_code]}"
- }
- }
-
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_hart_ip_direct_pdu_command"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_hart_ip_direct_pdu_command"
- init => "$zeek_hart_ip_direct_pdu_command_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'direct_pdu_command_link_id', 'command_number_link_id', 'direct_pdu_command_data_data', 'direct_pdu_command_command_number', 'direct_pdu_command_byte_count', 'direct_pdu_contents_response_response_code' ]"
- code => "event.set('[zeek_cols]', $zeek_hart_ip_direct_pdu_command_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_hart_ip_direct_pdu_command"
- add_field => {
- "[zeek_cols][service]" => "hart_ip"
- }
- add_tag => [ "ics" ]
- }
-
- # The "proto" field in these logs is useless.
- # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
- if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_direct_pdu_command_proto"
- remove_field => [ "[zeek_cols][proto]" ] } }
-
- } else if ([log_source] == "hart_ip") {
- #############################################################################################################################
- # hart_ip.log
- # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_hart_ip"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][direct_pdu_command_link_id]} %{[zeek_cols][session_log_record_link_id]} %{[zeek_cols][message_packet_bytes]} %{[zeek_cols][header_version]} %{[zeek_cols][header_message_type_reserved]} %{[zeek_cols][header_message_type_message_type]} %{[zeek_cols][header_message_id]} %{[zeek_cols][header_status_code]} %{[zeek_cols][header_sequence_number]} %{[zeek_cols][header_length]} %{[zeek_cols][session_initiate_master_type]} %{[zeek_cols][session_initiate_inactivity_close_timer]} %{[zeek_cols][token_passing_pdu_delimiter_address_type]} %{[zeek_cols][token_passing_pdu_delimiter_expansion_bytes]} %{[zeek_cols][token_passing_pdu_delimiter_physical_layer_type]} %{[zeek_cols][token_passing_pdu_delimiter_frame_type]} %{[zeek_cols][token_passing_pdu_address_v4]} %{[zeek_cols][token_passing_pdu_address_v6]} %{[zeek_cols][token_passing_pdu_command_number]} %{[zeek_cols][token_passing_pdu_byte_count]} 
%{[zeek_cols][token_passing_pdu_check_byte]} %{[zeek_cols][token_passing_pdu_contents_data_data]} %{[zeek_cols][token_passing_pdu_contents_response_response_code]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_device_malfunction]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_configuration_changed]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_cold_start]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_more_status_available]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_loop_current_fixed]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_loop_current_saturated]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits]} %{[zeek_cols][token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_device_status_device_malfunction]} %{[zeek_cols][direct_pdu_device_status_configuration_changed]} %{[zeek_cols][direct_pdu_device_status_cold_start]} %{[zeek_cols][direct_pdu_device_status_more_status_available]} %{[zeek_cols][direct_pdu_device_status_loop_current_fixed]} %{[zeek_cols][direct_pdu_device_status_loop_current_saturated]} %{[zeek_cols][direct_pdu_device_status_non_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_device_status_primary_variable_out_of_limits]} %{[zeek_cols][direct_pdu_extended_status_undefined_bits]} %{[zeek_cols][direct_pdu_extended_status_function_check]} %{[zeek_cols][direct_pdu_extended_status_out_of_specification]} %{[zeek_cols][direct_pdu_extended_status_failure]} %{[zeek_cols][direct_pdu_extended_status_critical_power_failure]} %{[zeek_cols][direct_pdu_extended_status_device_variable_alert]} %{[zeek_cols][direct_pdu_extended_status_maintenance_required]} %{[zeek_cols][read_audit_log_start_record]} %{[zeek_cols][read_audit_log_number_of_records]} %{[zeek_cols][read_audit_log_power_up_time]} %{[zeek_cols][read_audit_log_last_security_change]} 
%{[zeek_cols][read_audit_log_server_status_undefined_bits]} %{[zeek_cols][read_audit_log_server_status_insecure_syslog_connection]} %{[zeek_cols][read_audit_log_server_status_syslog_server_located_but_connection_failed]} %{[zeek_cols][read_audit_log_server_status_unable_to_locate_syslog_server]} %{[zeek_cols][read_audit_log_session_record_size]}" - } - } - - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_hart_ip" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_hart_ip" - init => "$zeek_hart_ip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'command_number_link_id', 'direct_pdu_command_link_id', 'session_log_record_link_id', 'message_packet_bytes', 'header_version', 'header_message_type_reserved', 'header_message_type_message_type', 'header_message_id', 'header_status_code', 'header_sequence_number', 'header_length', 'session_initiate_master_type', 'session_initiate_inactivity_close_timer', 'token_passing_pdu_delimiter_address_type', 'token_passing_pdu_delimiter_expansion_bytes', 'token_passing_pdu_delimiter_physical_layer_type', 'token_passing_pdu_delimiter_frame_type', 'token_passing_pdu_address_v4', 'token_passing_pdu_address_v6', 'token_passing_pdu_command_number', 'token_passing_pdu_byte_count', 'token_passing_pdu_check_byte', 'token_passing_pdu_contents_data_data', 'token_passing_pdu_contents_response_response_code', 'token_passing_pdu_contents_response_device_status_device_malfunction', 'token_passing_pdu_contents_response_device_status_configuration_changed', 'token_passing_pdu_contents_response_device_status_cold_start', 'token_passing_pdu_contents_response_device_status_more_status_available', 'token_passing_pdu_contents_response_device_status_loop_current_fixed', 'token_passing_pdu_contents_response_device_status_loop_current_saturated', 
'token_passing_pdu_contents_response_device_status_non_primary_variable_out_of_limits', 'token_passing_pdu_contents_response_device_status_primary_variable_out_of_limits', 'direct_pdu_device_status_device_malfunction', 'direct_pdu_device_status_configuration_changed', 'direct_pdu_device_status_cold_start', 'direct_pdu_device_status_more_status_available', 'direct_pdu_device_status_loop_current_fixed', 'direct_pdu_device_status_loop_current_saturated', 'direct_pdu_device_status_non_primary_variable_out_of_limits', 'direct_pdu_device_status_primary_variable_out_of_limits', 'direct_pdu_extended_status_undefined_bits', 'direct_pdu_extended_status_function_check', 'direct_pdu_extended_status_out_of_specification', 'direct_pdu_extended_status_failure', 'direct_pdu_extended_status_critical_power_failure', 'direct_pdu_extended_status_device_variable_alert', 'direct_pdu_extended_status_maintenance_required', 'read_audit_log_start_record', 'read_audit_log_number_of_records', 'read_audit_log_power_up_time', 'read_audit_log_last_security_change', 'read_audit_log_server_status_undefined_bits', 'read_audit_log_server_status_insecure_syslog_connection', 'read_audit_log_server_status_syslog_server_located_but_connection_failed', 'read_audit_log_server_status_unable_to_locate_syslog_server', 'read_audit_log_session_record_size' ]" - code => "event.set('[zeek_cols]', $zeek_hart_ip_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_hart_ip" - add_field => { - "[zeek_cols][service]" => "hart_ip" - } - add_tag => [ "ics" ] - } - - # The "proto" field in these logs is useless. 
- # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
- if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_proto"
- remove_field => [ "[zeek_cols][proto]" ] } }
-
- } else if ([log_source] == "hart_ip_session_record") {
- #############################################################################################################################
- # hart_ip_session_record.log
- # main.zeek (https://github.com/cisagov/icsnpp-hart-ip)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_hart_ip_session_record"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][session_log_record_link_id]} %{[zeek_cols][session_log_record_client_i_pv4_address]} %{[zeek_cols][session_log_record_client_i_pv6_address]} %{[zeek_cols][session_log_record_client_port]} %{[zeek_cols][session_log_record_server_port]} %{[zeek_cols][session_log_record_connect_time]} %{[zeek_cols][session_log_record_disconnect_time]} %{[zeek_cols][session_log_record_session_status_summary_undefined_bits]} %{[zeek_cols][session_log_record_session_status_summary_insecure_session]} %{[zeek_cols][session_log_record_session_status_summary_session_timeout]} %{[zeek_cols][session_log_record_session_status_summary_aborted_session]} %{[zeek_cols][session_log_record_session_status_summary_bad_session_initialization]} %{[zeek_cols][session_log_record_session_status_summary_writes_occured]} %{[zeek_cols][session_log_record_start_configuration_change_count]} %{[zeek_cols][session_log_record_end_configuration_change_count]} %{[zeek_cols][session_log_record_num_publish_pdu]} %{[zeek_cols][session_log_record_num_request_pdu]} %{[zeek_cols][session_log_record_num_response_pdu]}"
- }
- }
-
- if ("_dissectfailure" in 
[tags]) {
- mutate {
- id => "mutate_split_zeek_hart_ip_session_record"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_hart_ip_session_record"
- init => "$zeek_hart_ip_session_record_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'session_log_record_link_id', 'session_log_record_client_i_pv4_address', 'session_log_record_client_i_pv6_address', 'session_log_record_client_port', 'session_log_record_server_port', 'session_log_record_connect_time', 'session_log_record_disconnect_time', 'session_log_record_session_status_summary_undefined_bits', 'session_log_record_session_status_summary_insecure_session', 'session_log_record_session_status_summary_session_timeout', 'session_log_record_session_status_summary_aborted_session', 'session_log_record_session_status_summary_bad_session_initialization', 'session_log_record_session_status_summary_writes_occured', 'session_log_record_start_configuration_change_count', 'session_log_record_end_configuration_change_count', 'session_log_record_num_publish_pdu', 'session_log_record_num_request_pdu', 'session_log_record_num_response_pdu' ]"
- code => "event.set('[zeek_cols]', $zeek_hart_ip_session_record_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_hart_ip_session_record"
- add_field => {
- "[zeek_cols][service]" => "hart_ip"
- }
- add_tag => [ "ics" ]
- }
-
- # The "proto" field in these logs is useless. 
- # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed - if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_session_proto" - remove_field => [ "[zeek_cols][proto]" ] } } - - } else if ([log_source] == "hart_ip_universal_commands") { - ############################################################################################################################# - # hart_ip_universal_commands.log - # main.zeek (https://github.com/cisagov/icsnpp-hart-ip) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_hart_ip_universal_commands" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][command_number_link_id]} %{[zeek_cols][read_unique_identifier_response_254]} %{[zeek_cols][read_unique_identifier_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_response_flags_safehart_capable_field_device]} 
%{[zeek_cols][read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_response_device_id]} %{[zeek_cols][read_unique_identifier_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_response_device_profile]} %{[zeek_cols][read_primary_variable_response_primary_variable_units]} %{[zeek_cols][read_primary_variable_response_primary_variable]} %{[zeek_cols][read_loop_current_response_primary_variable_loop_current]} %{[zeek_cols][read_loop_current_response_primary_variable_percent_range]} %{[zeek_cols][read_dynamic_variable_response_primary_variable_loop_current]} %{[zeek_cols][read_dynamic_variable_response_primary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_primary_variable]} 
%{[zeek_cols][read_dynamic_variable_response_secondary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_secondary_variable]} %{[zeek_cols][read_dynamic_variable_response_tertiary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_tertiary_variable]} %{[zeek_cols][read_dynamic_variable_response_quaternary_variable_units]} %{[zeek_cols][read_dynamic_variable_response_quaternary_variable]} %{[zeek_cols][write_polling_address_polling_address_device]} %{[zeek_cols][write_polling_address_loop_current_mode]} %{[zeek_cols][read_loop_configuration_response_polling_address_device]} %{[zeek_cols][read_loop_configuration_response_loop_current_mode]} %{[zeek_cols][read_dynamic_variable_classifications_response_primary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_secondary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_tertiary_variable_classification]} %{[zeek_cols][read_dynamic_variable_classifications_response_quaternary_variable_classification]} %{[zeek_cols][read_device_variable_request_slot0_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot1_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot2_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot3_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot4_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot5_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot6_device_variable_code]} %{[zeek_cols][read_device_variable_request_slot7_device_variable_code]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_function_check]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_failure]} 
%{[zeek_cols][read_device_variable_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_device_variable_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot0_units_code]} %{[zeek_cols][read_device_variable_response_slot0_device_variable]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot0_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot1_units_code]} %{[zeek_cols][read_device_variable_response_slot1_device_variable]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot1_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot2_units_code]} %{[zeek_cols][read_device_variable_response_slot2_device_variable]} 
%{[zeek_cols][read_device_variable_response_slot2_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot2_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot3_units_code]} %{[zeek_cols][read_device_variable_response_slot3_device_variable]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot3_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot4_units_code]} %{[zeek_cols][read_device_variable_response_slot4_device_variable]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot4_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot5_units_code]} 
%{[zeek_cols][read_device_variable_response_slot5_device_variable]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot5_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot6_units_code]} %{[zeek_cols][read_device_variable_response_slot6_device_variable]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot6_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_code]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_class]} %{[zeek_cols][read_device_variable_response_slot7_units_code]} %{[zeek_cols][read_device_variable_response_slot7_device_variable]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_process_data_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_limit_status]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available]} %{[zeek_cols][read_device_variable_response_slot7_device_variable_status_device_family_specific_status]} %{[zeek_cols][read_device_variable_response_slot0_time]} %{[zeek_cols][read_unique_identifier_tag_request_tag]} %{[zeek_cols][read_unique_identifier_tag_response_254]} 
%{[zeek_cols][read_unique_identifier_tag_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_tag_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_tag_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_tag_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_tag_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_tag_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_tag_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_tag_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_tag_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_tag_response_device_id]} %{[zeek_cols][read_unique_identifier_tag_response_number_preambles_slave_master]} %{[zeek_cols][read_unique_identifier_tag_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_tag_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_failure]} 
%{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_tag_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_tag_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_tag_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_tag_response_device_profile]} %{[zeek_cols][read_message_response_message]} %{[zeek_cols][read_tag_response_tag]} %{[zeek_cols][read_tag_response_descriptor]} %{[zeek_cols][read_tag_response_date_code]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_transducer_serial_number]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_transducer_limits_units]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_upper_transducer_limit]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_lower_transducer_limit]} %{[zeek_cols][read_primary_variable_transducer_information_response_p_v_minimum_span]} %{[zeek_cols][read_device_information_response_p_v_alarm_selection_code]} %{[zeek_cols][read_device_information_response_p_v_transfer_function_code]} %{[zeek_cols][read_device_information_response_p_v_upper_lower_range]} %{[zeek_cols][read_device_information_response_p_v_upper_range_value]} %{[zeek_cols][read_device_information_response_p_v_lower_range_value]} %{[zeek_cols][read_device_information_response_p_v_damping_value]} %{[zeek_cols][read_device_information_response_write_protect_code]} %{[zeek_cols][read_device_information_response_250]} %{[zeek_cols][read_device_information_response_p_v_analog_channel_flags_undefined_bits]} %{[zeek_cols][read_device_information_response_p_v_analog_channel_flags_analog_channel]} %{[zeek_cols][read_final_assembly_number_response_final_assembly_number]} 
%{[zeek_cols][write_message_message_string]} %{[zeek_cols][write_tag_descriptor_date_tag]} %{[zeek_cols][write_tag_descriptor_date_record_keeping_descriptor]} %{[zeek_cols][write_tag_descriptor_date_date_code]} %{[zeek_cols][write_final_assembly_number_final_assembly_number]} %{[zeek_cols][read_long_tag_response_long_tag]} %{[zeek_cols][read_unique_identifier_long_tag_request_long_tag]} %{[zeek_cols][read_unique_identifier_long_tag_response_254]} %{[zeek_cols][read_unique_identifier_long_tag_response_expanded_device_type]} %{[zeek_cols][read_unique_identifier_long_tag_response_minimum_preambles_master_slave]} %{[zeek_cols][read_unique_identifier_long_tag_response_hart_protocol_major_revision]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_software_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level]} %{[zeek_cols][read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_undefined_5]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_safehart_capable_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_protocol_bridge_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_eeprom_control]} %{[zeek_cols][read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_id]} %{[zeek_cols][read_unique_identifier_long_tag_response_number_preambles_slave_master]} 
%{[zeek_cols][read_unique_identifier_long_tag_response_last_device_variable_this]} %{[zeek_cols][read_unique_identifier_long_tag_response_configuration_change_counter]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_function_check]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_failure]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert]} %{[zeek_cols][read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_unique_identifier_long_tag_response_manufacturer_identification_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_private_label_distributor_code]} %{[zeek_cols][read_unique_identifier_long_tag_response_device_profile]} %{[zeek_cols][write_long_tag_long_tag]} %{[zeek_cols][reset_configuration_changed_flag_configuration_change_counter]} %{[zeek_cols][read_additional_device_status_contents_device_specific_status_0]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_function_check]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_out_of_specification]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_failure]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_critical_power_failure]} %{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_device_variable_alert]} 
%{[zeek_cols][read_additional_device_status_contents_extended_field_device_status_maintenance_required]} %{[zeek_cols][read_additional_device_status_contents_device_operating_mode]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_device_configuration_lock]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_electronic_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_watchdog_reset_executed]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_volatile_memory_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect]} %{[zeek_cols][read_additional_device_status_contents_standardized_status0_device_variable_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_reserved]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_event_notification_overflow]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_standardized_status1_status_simulation_active]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_quinary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_quaternary_analog]} 
%{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_tertiary_analog]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_saturated_secondary_analog]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_stale_data_notice]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_mismatch]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_duplicate_master_detected]} %{[zeek_cols][read_additional_device_status_contents_standardized_status2_sub_device_list_changed]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_radio_failure]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_block_transfer_pending]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_resereved]} %{[zeek_cols][read_additional_device_status_contents_standardized_status3_capacity_denied]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_undefined_bits]} %{[zeek_cols][read_additional_device_status_contents_analog_channel_analog_channel]} %{[zeek_cols][read_additional_device_status_contents_device_specific_status_1]}"
- }
- }
-
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_hart_ip_universal_commands"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_hart_ip_universal_commands"
- init => "$zeek_hart_ip_universal_commands_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 
'resp_p', 'proto', 'command_number_link_id', 'read_unique_identifier_response_254', 'read_unique_identifier_response_expanded_device_type', 'read_unique_identifier_response_minimum_preambles_master_slave', 'read_unique_identifier_response_hart_protocol_major_revision', 'read_unique_identifier_response_device_revision_level', 'read_unique_identifier_response_software_revision_level', 'read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_response_flags_undefined_5', 'read_unique_identifier_response_flags_safehart_capable_field_device', 'read_unique_identifier_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_response_flags_protocol_bridge_device', 'read_unique_identifier_response_flags_eeprom_control', 'read_unique_identifier_response_flags_mutli_sensor_field_device', 'read_unique_identifier_response_device_id', 'read_unique_identifier_response_number_preambles_slave_master', 'read_unique_identifier_response_last_device_variable_this', 'read_unique_identifier_response_configuration_change_counter', 'read_unique_identifier_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_response_extended_field_device_status_function_check', 'read_unique_identifier_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_response_extended_field_device_status_failure', 'read_unique_identifier_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_response_extended_field_device_status_maintenance_required', 
'read_unique_identifier_response_manufacturer_identification_code', 'read_unique_identifier_response_private_label_distributor_code', 'read_unique_identifier_response_device_profile', 'read_primary_variable_response_primary_variable_units', 'read_primary_variable_response_primary_variable', 'read_loop_current_response_primary_variable_loop_current', 'read_loop_current_response_primary_variable_percent_range', 'read_dynamic_variable_response_primary_variable_loop_current', 'read_dynamic_variable_response_primary_variable_units', 'read_dynamic_variable_response_primary_variable', 'read_dynamic_variable_response_secondary_variable_units', 'read_dynamic_variable_response_secondary_variable', 'read_dynamic_variable_response_tertiary_variable_units', 'read_dynamic_variable_response_tertiary_variable', 'read_dynamic_variable_response_quaternary_variable_units', 'read_dynamic_variable_response_quaternary_variable', 'write_polling_address_polling_address_device', 'write_polling_address_loop_current_mode', 'read_loop_configuration_response_polling_address_device', 'read_loop_configuration_response_loop_current_mode', 'read_dynamic_variable_classifications_response_primary_variable_classification', 'read_dynamic_variable_classifications_response_secondary_variable_classification', 'read_dynamic_variable_classifications_response_tertiary_variable_classification', 'read_dynamic_variable_classifications_response_quaternary_variable_classification', 'read_device_variable_request_slot0_device_variable_code', 'read_device_variable_request_slot1_device_variable_code', 'read_device_variable_request_slot2_device_variable_code', 'read_device_variable_request_slot3_device_variable_code', 'read_device_variable_request_slot4_device_variable_code', 'read_device_variable_request_slot5_device_variable_code', 'read_device_variable_request_slot6_device_variable_code', 'read_device_variable_request_slot7_device_variable_code', 
'read_device_variable_response_extended_field_device_status_undefined_bits', 'read_device_variable_response_extended_field_device_status_function_check', 'read_device_variable_response_extended_field_device_status_out_of_specification', 'read_device_variable_response_extended_field_device_status_failure', 'read_device_variable_response_extended_field_device_status_critical_power_failure', 'read_device_variable_response_extended_field_device_status_device_variable_alert', 'read_device_variable_response_extended_field_device_status_maintenance_required', 'read_device_variable_response_slot0_device_variable_code', 'read_device_variable_response_slot0_device_variable_class', 'read_device_variable_response_slot0_units_code', 'read_device_variable_response_slot0_device_variable', 'read_device_variable_response_slot0_device_variable_status_process_data_status', 'read_device_variable_response_slot0_device_variable_status_limit_status', 'read_device_variable_response_slot0_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot0_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot1_device_variable_code', 'read_device_variable_response_slot1_device_variable_class', 'read_device_variable_response_slot1_units_code', 'read_device_variable_response_slot1_device_variable', 'read_device_variable_response_slot1_device_variable_status_process_data_status', 'read_device_variable_response_slot1_device_variable_status_limit_status', 'read_device_variable_response_slot1_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot1_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot2_device_variable_code', 'read_device_variable_response_slot2_device_variable_class', 'read_device_variable_response_slot2_units_code', 'read_device_variable_response_slot2_device_variable', 
'read_device_variable_response_slot2_device_variable_status_process_data_status', 'read_device_variable_response_slot2_device_variable_status_limit_status', 'read_device_variable_response_slot2_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot2_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot3_device_variable_code', 'read_device_variable_response_slot3_device_variable_class', 'read_device_variable_response_slot3_units_code', 'read_device_variable_response_slot3_device_variable', 'read_device_variable_response_slot3_device_variable_status_process_data_status', 'read_device_variable_response_slot3_device_variable_status_limit_status', 'read_device_variable_response_slot3_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot3_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot4_device_variable_code', 'read_device_variable_response_slot4_device_variable_class', 'read_device_variable_response_slot4_units_code', 'read_device_variable_response_slot4_device_variable', 'read_device_variable_response_slot4_device_variable_status_process_data_status', 'read_device_variable_response_slot4_device_variable_status_limit_status', 'read_device_variable_response_slot4_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot4_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot5_device_variable_code', 'read_device_variable_response_slot5_device_variable_class', 'read_device_variable_response_slot5_units_code', 'read_device_variable_response_slot5_device_variable', 'read_device_variable_response_slot5_device_variable_status_process_data_status', 'read_device_variable_response_slot5_device_variable_status_limit_status', 'read_device_variable_response_slot5_device_variable_status_more_device_variable_status_available', 
'read_device_variable_response_slot5_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot6_device_variable_code', 'read_device_variable_response_slot6_device_variable_class', 'read_device_variable_response_slot6_units_code', 'read_device_variable_response_slot6_device_variable', 'read_device_variable_response_slot6_device_variable_status_process_data_status', 'read_device_variable_response_slot6_device_variable_status_limit_status', 'read_device_variable_response_slot6_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot6_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot7_device_variable_code', 'read_device_variable_response_slot7_device_variable_class', 'read_device_variable_response_slot7_units_code', 'read_device_variable_response_slot7_device_variable', 'read_device_variable_response_slot7_device_variable_status_process_data_status', 'read_device_variable_response_slot7_device_variable_status_limit_status', 'read_device_variable_response_slot7_device_variable_status_more_device_variable_status_available', 'read_device_variable_response_slot7_device_variable_status_device_family_specific_status', 'read_device_variable_response_slot0_time', 'read_unique_identifier_tag_request_tag', 'read_unique_identifier_tag_response_254', 'read_unique_identifier_tag_response_expanded_device_type', 'read_unique_identifier_tag_response_minimum_preambles_master_slave', 'read_unique_identifier_tag_response_hart_protocol_major_revision', 'read_unique_identifier_tag_response_device_revision_level', 'read_unique_identifier_tag_response_software_revision_level', 'read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_tag_response_flags_c8_psk_in_multi_drop_only', 
'read_unique_identifier_tag_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_tag_response_flags_undefined_5', 'read_unique_identifier_tag_response_flags_safehart_capable_field_device', 'read_unique_identifier_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_tag_response_flags_protocol_bridge_device', 'read_unique_identifier_tag_response_flags_eeprom_control', 'read_unique_identifier_tag_response_flags_mutli_sensor_field_device', 'read_unique_identifier_tag_response_device_id', 'read_unique_identifier_tag_response_number_preambles_slave_master', 'read_unique_identifier_tag_response_last_device_variable_this', 'read_unique_identifier_tag_response_configuration_change_counter', 'read_unique_identifier_tag_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_tag_response_extended_field_device_status_function_check', 'read_unique_identifier_tag_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_tag_response_extended_field_device_status_failure', 'read_unique_identifier_tag_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_tag_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_tag_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_tag_response_manufacturer_identification_code', 'read_unique_identifier_tag_response_private_label_distributor_code', 'read_unique_identifier_tag_response_device_profile', 'read_message_response_message', 'read_tag_response_tag', 'read_tag_response_descriptor', 'read_tag_response_date_code', 'read_primary_variable_transducer_information_response_p_v_transducer_serial_number', 'read_primary_variable_transducer_information_response_p_v_transducer_limits_units', 'read_primary_variable_transducer_information_response_p_v_upper_transducer_limit', 'read_primary_variable_transducer_information_response_p_v_lower_transducer_limit', 
'read_primary_variable_transducer_information_response_p_v_minimum_span', 'read_device_information_response_p_v_alarm_selection_code', 'read_device_information_response_p_v_transfer_function_code', 'read_device_information_response_p_v_upper_lower_range', 'read_device_information_response_p_v_upper_range_value', 'read_device_information_response_p_v_lower_range_value', 'read_device_information_response_p_v_damping_value', 'read_device_information_response_write_protect_code', 'read_device_information_response_250', 'read_device_information_response_p_v_analog_channel_flags_undefined_bits', 'read_device_information_response_p_v_analog_channel_flags_analog_channel', 'read_final_assembly_number_response_final_assembly_number', 'write_message_message_string', 'write_tag_descriptor_date_tag', 'write_tag_descriptor_date_record_keeping_descriptor', 'write_tag_descriptor_date_date_code', 'write_final_assembly_number_final_assembly_number', 'read_long_tag_response_long_tag', 'read_unique_identifier_long_tag_request_long_tag', 'read_unique_identifier_long_tag_response_254', 'read_unique_identifier_long_tag_response_expanded_device_type', 'read_unique_identifier_long_tag_response_minimum_preambles_master_slave', 'read_unique_identifier_long_tag_response_hart_protocol_major_revision', 'read_unique_identifier_long_tag_response_device_revision_level', 'read_unique_identifier_long_tag_response_software_revision_level', 'read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_hardware_revision_level', 'read_unique_identifier_long_tag_response_hardware_revision_level_and_physical_signaling_codes_physical_signaling_code', 'read_unique_identifier_long_tag_response_flags_c8_psk_in_multi_drop_only', 'read_unique_identifier_long_tag_response_flags_c8_psk_capable_field_device', 'read_unique_identifier_long_tag_response_flags_undefined_5', 'read_unique_identifier_long_tag_response_flags_safehart_capable_field_device', 
'read_unique_identifier_long_tag_response_flags_ieee_802_15_4_dsss_o_qpsk_modulation', 'read_unique_identifier_long_tag_response_flags_protocol_bridge_device', 'read_unique_identifier_long_tag_response_flags_eeprom_control', 'read_unique_identifier_long_tag_response_flags_mutli_sensor_field_device', 'read_unique_identifier_long_tag_response_device_id', 'read_unique_identifier_long_tag_response_number_preambles_slave_master', 'read_unique_identifier_long_tag_response_last_device_variable_this', 'read_unique_identifier_long_tag_response_configuration_change_counter', 'read_unique_identifier_long_tag_response_extended_field_device_status_undefined_bits', 'read_unique_identifier_long_tag_response_extended_field_device_status_function_check', 'read_unique_identifier_long_tag_response_extended_field_device_status_out_of_specification', 'read_unique_identifier_long_tag_response_extended_field_device_status_failure', 'read_unique_identifier_long_tag_response_extended_field_device_status_critical_power_failure', 'read_unique_identifier_long_tag_response_extended_field_device_status_device_variable_alert', 'read_unique_identifier_long_tag_response_extended_field_device_status_maintenance_required', 'read_unique_identifier_long_tag_response_manufacturer_identification_code', 'read_unique_identifier_long_tag_response_private_label_distributor_code', 'read_unique_identifier_long_tag_response_device_profile', 'write_long_tag_long_tag', 'reset_configuration_changed_flag_configuration_change_counter', 'read_additional_device_status_contents_device_specific_status_0', 'read_additional_device_status_contents_extended_field_device_status_undefined_bits', 'read_additional_device_status_contents_extended_field_device_status_function_check', 'read_additional_device_status_contents_extended_field_device_status_out_of_specification', 'read_additional_device_status_contents_extended_field_device_status_failure', 
'read_additional_device_status_contents_extended_field_device_status_critical_power_failure', 'read_additional_device_status_contents_extended_field_device_status_device_variable_alert', 'read_additional_device_status_contents_extended_field_device_status_maintenance_required', 'read_additional_device_status_contents_device_operating_mode', 'read_additional_device_status_contents_standardized_status0_device_configuration_lock', 'read_additional_device_status_contents_standardized_status0_electronic_defect', 'read_additional_device_status_contents_standardized_status0_environmental_conditions_out_of_range', 'read_additional_device_status_contents_standardized_status0_power_supply_conditions_out_of_range', 'read_additional_device_status_contents_standardized_status0_watchdog_reset_executed', 'read_additional_device_status_contents_standardized_status0_volatile_memory_defect', 'read_additional_device_status_contents_standardized_status0_non_volatile_memory_defect', 'read_additional_device_status_contents_standardized_status0_device_variable_simulation_active', 'read_additional_device_status_contents_standardized_status1_undefined_bits', 'read_additional_device_status_contents_standardized_status1_reserved', 'read_additional_device_status_contents_standardized_status1_battery_or_power_supply_needs_maintenance', 'read_additional_device_status_contents_standardized_status1_event_notification_overflow', 'read_additional_device_status_contents_standardized_status1_discrete_variable_simulation_active', 'read_additional_device_status_contents_standardized_status1_status_simulation_active', 'read_additional_device_status_contents_analog_channel_saturated_undefined_bits', 'read_additional_device_status_contents_analog_channel_saturated_quinary_analog', 'read_additional_device_status_contents_analog_channel_saturated_quaternary_analog', 'read_additional_device_status_contents_analog_channel_saturated_tertiary_analog', 
'read_additional_device_status_contents_analog_channel_saturated_secondary_analog', 'read_additional_device_status_contents_standardized_status2_undefined_bits', 'read_additional_device_status_contents_standardized_status2_stale_data_notice', 'read_additional_device_status_contents_standardized_status2_sub_device_with_duplicate_id', 'read_additional_device_status_contents_standardized_status2_sub_device_mismatch', 'read_additional_device_status_contents_standardized_status2_duplicate_master_detected', 'read_additional_device_status_contents_standardized_status2_sub_device_list_changed', 'read_additional_device_status_contents_standardized_status3_undefined_bits', 'read_additional_device_status_contents_standardized_status3_radio_failure', 'read_additional_device_status_contents_standardized_status3_block_transfer_pending', 'read_additional_device_status_contents_standardized_status3_bandwith_allocation_pending', 'read_additional_device_status_contents_standardized_status3_resereved', 'read_additional_device_status_contents_standardized_status3_capacity_denied', 'read_additional_device_status_contents_analog_channel_undefined_bits', 'read_additional_device_status_contents_analog_channel_analog_channel', 'read_additional_device_status_contents_device_specific_status_1' ]"
- code => "event.set('[zeek_cols]', $zeek_hart_ip_universal_commands_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_hart_ip_universal_commands"
- add_field => {
- "[zeek_cols][service]" => "hart_ip"
- }
- add_tag => [ "ics" ]
- }
-
- # The "proto" field in these logs is useless.
- # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
- if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_universal_commands_proto"
- remove_field => [ "[zeek_cols][proto]" ] } }
-
- } else if ([log_source] == "http") {
- #############################################################################################################################
- # http.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_http_fields"
- rename => { "[zeek_cols][username]" => "[zeek_cols][user]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_http_with_all_fields"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} %{[zeek_cols][user_agent]} %{[zeek_cols][origin]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]} %{[zeek_cols][client_header_names]} %{[zeek_cols][server_header_names]} %{[zeek_cols][ja4h]} %{[zeek_cols][post_username]} %{[zeek_cols][post_password_plain]} %{[zeek_cols][post_password_md5]} %{[zeek_cols][post_password_sha1]} %{[zeek_cols][post_password_sha256]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_http"
- # 
zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_http"
- init => "@zeek_http_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'host', 'uri', 'referrer', 'version', 'user_agent', 'origin', 'request_body_len', 'response_body_len', 'status_code', 'status_msg', 'info_code', 'info_msg', 'tags', 'user', 'password', 'proxied', 'orig_fuids', 'orig_filenames', 'orig_mime_types', 'resp_fuids', 'resp_filenames', 'resp_mime_types', 'client_header_names', 'server_header_names', 'ja4h', 'post_username', 'post_password_plain', 'post_password_md5', 'post_password_sha1', 'post_password_sha256' ]"
- code => "event.set('[zeek_cols]', @zeek_http_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_http_commas"
- split => { "[zeek_cols][client_header_names]" => ","
- "[zeek_cols][orig_filenames]" => ","
- "[zeek_cols][orig_fuids]" => ","
- "[zeek_cols][orig_mime_types]" => ","
- "[zeek_cols][proxied]" => ","
- "[zeek_cols][resp_filenames]" => ","
- "[zeek_cols][resp_fuids]" => ","
- "[zeek_cols][resp_mime_types]" => ","
- "[zeek_cols][server_header_names]" => ","
- "[zeek_cols][tags]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_http"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "http"
- }
- }
-
- } else if ([log_source] == "intel") {
- #############################################################################################################################
- # intel.log
- # https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_intel_fields"
- rename => { "[zeek_cols][cif.firstseen]" => "[zeek_cols][cif_firstseen]" }
- rename => { "[zeek_cols][cif.lastseen]" => "[zeek_cols][cif_lastseen]" }
- rename => { "[zeek_cols][cif.tags]" 
=> "[zeek_cols][cif_tags]" }
- rename => { "[zeek_cols][seen.indicator]" => "[zeek_cols][seen_indicator]" }
- rename => { "[zeek_cols][seen.indicator_type]" => "[zeek_cols][seen_indicator_type]" }
- rename => { "[zeek_cols][seen.node]" => "[zeek_cols][seen_node]" }
- rename => { "[zeek_cols][seen.where]" => "[zeek_cols][seen_where]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_intel"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][seen_indicator]} %{[zeek_cols][seen_indicator_type]} %{[zeek_cols][seen_where]} %{[zeek_cols][seen_node]} %{[zeek_cols][matched]} %{[zeek_cols][sources]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]} %{[zeek_cols][file_desc]} %{[zeek_cols][cif_tags]} %{[zeek_cols][cif_confidence]} %{[zeek_cols][cif_source]} %{[zeek_cols][cif_description]} %{[zeek_cols][cif_firstseen]} %{[zeek_cols][cif_lastseen]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_intel"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_intel"
- init => "@zeek_intel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'seen_indicator', 'seen_indicator_type', 'seen_where', 'seen_node', 'matched', 'sources', 'fuid', 'file_mime_type', 'file_desc', 'cif_tags', 'cif_confidence', 'cif_source', 'cif_description', 'cif_firstseen', 'cif_lastseen' ]"
- code => "event.set('[zeek_cols]', @zeek_intel_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_intel_commas"
- split => { "[zeek_cols][sources]" => ","
- "[zeek_cols][matched]" => "," } }
- }
-
- # For some reason, even in JSON, I have cif_tags strings like:
- # Network 
activity,osint:source-type=\"block-or-filter-list\"
- # so whatever reason it's not already an array. Split it here.
- mutate { id => "mutate_split_zeek_intel_cif_tags"
- split => { "[zeek_cols][cif_tags]" => "," } }
-
- } else if ([log_source] == "ipsec") {
- #############################################################################################################################
- # ipsec.log
- # https://github.com/corelight/zeek-spicy-ipsec/blob/master/analyzer/main.zeek
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_ipsec"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][initiator_spi]} %{[zeek_cols][responder_spi]} %{[zeek_cols][maj_ver]} %{[zeek_cols][min_ver]} %{[zeek_cols][exchange_type]} %{[zeek_cols][flag_e]} %{[zeek_cols][flag_c]} %{[zeek_cols][flag_a]} %{[zeek_cols][flag_i]} %{[zeek_cols][flag_v]} %{[zeek_cols][flag_r]} %{[zeek_cols][message_id]} %{[zeek_cols][vendor_ids]} %{[zeek_cols][notify_messages]} %{[zeek_cols][transforms]} %{[zeek_cols][ke_dh_groups]} %{[zeek_cols][proposals]} %{[zeek_cols][protocol_id]} %{[zeek_cols][certificates]} %{[zeek_cols][transform_attributes]} %{[zeek_cols][length]} %{[zeek_cols][hash]} %{[zeek_cols][doi]} %{[zeek_cols][situation]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ipsec"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ipsec"
- init => "@zeek_ipsec_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'initiator_spi', 'responder_spi', 'maj_ver', 'min_ver', 'exchange_type', 'flag_e', 'flag_c', 'flag_a', 'flag_i', 'flag_v', 'flag_r', 'message_id', 'vendor_ids', 
'notify_messages', 'transforms', 'ke_dh_groups', 'proposals', 'protocol_id', 'certificates', 'transform_attributes', 'length', 'hash', 'doi', 'situation' ]"
- code => "event.set('[zeek_cols]', @zeek_ipsec_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_ipsec_commas"
- split => { "[zeek_cols][vendor_ids]" => ","
- "[zeek_cols][notify_messages]" => ","
- "[zeek_cols][transforms]" => ","
- "[zeek_cols][ke_dh_groups]" => ","
- "[zeek_cols][proposals]" => ","
- "[zeek_cols][certificates]" => ","
- "[zeek_cols][transform_attributes]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ipsec"
- add_field => {
- "[zeek_cols][service]" => "ipsec"
- }
- }
-
- } else if ([log_source] == "irc") {
- #############################################################################################################################
- # irc.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/irc/main.zeek.html#type-IRC::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_irc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][nick]} %{[zeek_cols][user]} %{[zeek_cols][command]} %{[zeek_cols][value]} %{[zeek_cols][addl]} %{[zeek_cols][dcc_file_name]} %{[zeek_cols][dcc_file_size]} %{[zeek_cols][dcc_mime_type]} %{[zeek_cols][fuid]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_irc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_irc"
- init => "@zeek_irc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'nick', 'user', 'command', 'value', 'addl', 'dcc_file_name', 'dcc_file_size', 'dcc_mime_type', 'fuid' ]"
- code => 
"event.set('[zeek_cols]', @zeek_irc_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_irc"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "irc"
- }
- }
-
- } else if ([log_source] == "cotp") {
- #############################################################################################################################
- # cotp.log
- # https://github.com/cisagov/icsnpp-s7comm
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_cotp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_code]} %{[zeek_cols][pdu_name]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_cotp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_cotp"
- init => "@zeek_cotp_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_code', 'pdu_name' ]"
- code => "event.set('[zeek_cols]', @zeek_cotp_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_cotp"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "cotp"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "ja4ssh") {
- #############################################################################################################################
- # ja4ssh.log
- # https://github.com/FoxIO-LLC/ja4
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => 
"dissect_zeek_ja4ssh"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ja4ssh]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ja4ssh"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ja4ssh"
- init => "@zeek_ja4ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ja4ssh' ]"
- code => "event.set('[zeek_cols]', @zeek_ja4ssh_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ja4ssh"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "ssh"
- }
- }
-
- } else if ([log_source] == "kerberos") {
- #############################################################################################################################
- # kerberos.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/krb/main.zeek.html#type-KRB::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_kerberos_fields"
- rename => { "[zeek_cols][client]" => "[zeek_cols][cname]" }
- rename => { "[zeek_cols][service]" => "[zeek_cols][sname]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_kerberos"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][request_type]} %{[zeek_cols][cname]} %{[zeek_cols][sname]} %{[zeek_cols][success]} %{[zeek_cols][error_msg]} %{[zeek_cols][from]} %{[zeek_cols][till]} %{[zeek_cols][cipher]} %{[zeek_cols][forwardable]} %{[zeek_cols][renewable]} 
%{[zeek_cols][client_cert_subject]} %{[zeek_cols][client_cert_fuid]} %{[zeek_cols][server_cert_subject]} %{[zeek_cols][server_cert_fuid]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_kerberos"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_kerberos"
- init => "@zeek_kerberos_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'request_type', 'cname', 'sname', 'success', 'error_msg', 'from', 'till', 'cipher', 'forwardable', 'renewable', 'client_cert_subject', 'client_cert_fuid', 'server_cert_subject', 'server_cert_fuid' ]"
- code => "event.set('[zeek_cols]', @zeek_kerberos_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_kerberos_commas"
- split => { "[zeek_cols][client_cert_fuid]" => ","
- "[zeek_cols][server_cert_fuid]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_krb5"
- add_field => { "[zeek_cols][service]" => "krb" }
- }
-
- } else if ([log_source] == "known_certs") {
- #############################################################################################################################
- # known_certs.log
- # https://docs.zeek.org/en/stable/scripts/policy/protocols/ssl/known-certs.zeek.html#type-Known::CertsInfo
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_known_certs_fields"
- rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" }
- rename => { "[zeek_cols][port_num]" => "[zeek_cols][orig_p]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_known_certs"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][subject]} %{[zeek_cols][issuer_subject]} %{[zeek_cols][serial]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => 
"mutate_split_zeek_known_certs"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_known_certs"
- init => "@zeek_known_certs_field_names = [ 'ts', 'orig_h', 'orig_p', 'subject', 'resp_h', 'issuer_subject', 'serial' ]"
- code => "event.set('[zeek_cols]', @zeek_known_certs_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_known_certs"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "tls"
- }
- }
-
- } else if ([log_source] == "known_hosts") {
- #############################################################################################################################
- # known_hosts.log
- # https://docs.zeek.org/en/stable/scripts/policy/protocols/conn/known-hosts.zeek.html#type-Known::HostsInfo
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_known_hosts_fields"
- rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_known_hosts"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_known_hosts"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_known_hosts"
- init => "@zeek_known_hosts_field_names = [ 'ts', 'orig_h' ]"
- code => "event.set('[zeek_cols]', @zeek_known_hosts_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- } else if ([log_source] == "known_modbus") {
- #############################################################################################################################
- # known_modbus.log
- # 
https://docs.zeek.org/en/stable/scripts/policy/protocols/modbus/known-masters-slaves.zeek.html#type-Known::ModbusInfo
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_known_modbus_fields"
- rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_known_modbus"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][device_type]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_known_modbus"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_known_modbus"
- init => "@zeek_known_modbus_field_names = [ 'ts', 'orig_h', 'device_type' ]"
- code => "event.set('[zeek_cols]', @zeek_known_modbus_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_gsub_zeek_known_modbus_device_type"
- gsub => [ "[zeek_cols][device_type]", "Known::", "" ] }
-
- mutate { id => "mutate_gsub_zeek_known_modbus_master"
- gsub => [ "[zeek_cols][device_type]", "MASTER", "CLIENT" ] }
-
- mutate { id => "mutate_gsub_zeek_known_modbus_slave"
- gsub => [ "[zeek_cols][device_type]", "SLAVE", "SERVER" ] }
-
- mutate { id => "mutate_add_tag_ics_known_modbus_log"
- add_tag => [ "ics" ] }
-
- } else if ([log_source] == "known_routers") {
- #############################################################################################################################
- # known_routers.log
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_known_routers"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_l2_addr]} %{[zeek_cols][ttl]} %{[zeek_cols][hlim]}"
- }
- }
- if 
("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_known_routers"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_known_routers"
- init => "@zeek_known_routers_field_names = [ 'ts', 'orig_h', 'orig_l2_addr', 'ttl', 'hlim' ]"
- code => "event.set('[zeek_cols]', @zeek_known_routers_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- } else if ([log_source] == "known_services") {
- #############################################################################################################################
- # known_services.log
- # https://docs.zeek.org/en/stable/scripts/policy/protocols/conn/known-services.zeek.html#type-Known::ServicesInfo
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_known_services_fields"
- rename => { "[zeek_cols][host]" => "[zeek_cols][resp_h]" }
- rename => { "[zeek_cols][port_num]" => "[zeek_cols][resp_p]" }
- rename => { "[zeek_cols][port_proto]" => "[zeek_cols][proto]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_known_services"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][service]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_known_services"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_known_services"
- init => "@zeek_known_services_field_names = [ 'ts', 'resp_h', 'resp_p', 'proto', 'service' ]"
- code => "event.set('[zeek_cols]', @zeek_known_services_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_lowercase_zeek_known_services_service"
- lowercase => [ "[zeek_cols][service]" ] }
-
- # 
normalize service string(s)
-
- # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix
- mutate { id => "mutate_gsub_field_zeek_known_services_protocol_suffix"
- gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] }
-
- if ([zeek_cols][service] =~ /^spicy_/) {
- # if it's coming from spicy, we don't care to have that in the service name
- mutate { id => "mutate_gsub_field_zeek_known_service_spicy_prefix"
- gsub => [ "[zeek_cols][service]", "^spicy_", "" ] }
-
- # some spicy services are named like blah_udp or blah_tcp,
- # and we don't care about the _udp/_tcp suffix
- mutate { id => "mutate_gsub_field_zeek_known_service_spicy_suffix"
- gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] }
-
- }
-
- } else if ([log_source] == "ldap") {
- #############################################################################################################################
- # ldap.log
- # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/ldap/main.zeek.html)
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ldap_fields"
- rename => { "[zeek_cols][arguments]" => "[zeek_cols][argument]" }
- rename => { "[zeek_cols][opcode]" => "[zeek_cols][operation]" }
- rename => { "[zeek_cols][opcodes]" => "[zeek_cols][operation]" }
- rename => { "[zeek_cols][result]" => "[zeek_cols][result_code]" }
- rename => { "[zeek_cols][results]" => "[zeek_cols][result_code]" }
- rename => { "[zeek_cols][diagnostic_message]" => "[zeek_cols][result_message]" }
- rename => { "[zeek_cols][diagnostic_messages]" => "[zeek_cols][result_message]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ldap"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][message_id]} 
%{[zeek_cols][version]} %{[zeek_cols][operation]} %{[zeek_cols][result_code]} %{[zeek_cols][result_message]} %{[zeek_cols][object]} %{[zeek_cols][argument]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ldap"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ldap"
- init => "@zeek_ldap_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'version', 'operation', 'result_code', 'result_message', 'object', 'argument' ]"
- code => "event.set('[zeek_cols]', @zeek_ldap_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ldap"
- add_field => {
- "[zeek_cols][service]" => "ldap"
- }
-
- }
-
- } else if ([log_source] == "ldap_search") {
- #############################################################################################################################
- # ldap_search.log
- # main.zeek (https://docs.zeek.org/en/master/scripts/base/protocols/ldap/main.zeek.html)
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ldap_search_fields"
- rename => { "[zeek_cols][base_objects]" => "[zeek_cols][base_object]" }
- rename => { "[zeek_cols][deref_aliases]" => "[zeek_cols][deref]" }
- rename => { "[zeek_cols][derefs]" => "[zeek_cols][deref]" }
- rename => { "[zeek_cols][diagnostic_message]" => "[zeek_cols][result_message]" }
- rename => { "[zeek_cols][result]" => "[zeek_cols][result_code]" }
- rename => { "[zeek_cols][results]" => "[zeek_cols][result_code]" }
- rename => { "[zeek_cols][scopes]" => "[zeek_cols][scope]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ldap_search"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} 
%{[zeek_cols][resp_p]} %{[zeek_cols][message_id]} %{[zeek_cols][scope]} %{[zeek_cols][deref]} %{[zeek_cols][base_object]} %{[zeek_cols][result_count]} %{[zeek_cols][result_code]} %{[zeek_cols][result_message]} %{[zeek_cols][filter]} %{[zeek_cols][attributes]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ldap_search"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ldap_search"
- init => "@zeek_ldap_search_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'message_id', 'scope', 'deref', 'base_object', 'result_count', 'result_code', 'result_message', 'filter', 'attributes' ]"
- code => "event.set('[zeek_cols]', @zeek_ldap_search_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ldap_search"
- add_field => {
- "[zeek_cols][service]" => "ldap"
- }
-
- }
-
- } else if ([log_source] == "login") {
- #############################################################################################################################
- # login.log
- # custom login.log module (rudimentary, telnet/rlogin/rsh analyzers are old and not the greatest)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_login"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][service]} %{[zeek_cols][success]} %{[zeek_cols][confused]} %{[zeek_cols][user]} %{[zeek_cols][client_user]} %{[zeek_cols][password]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_login"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => 
"ruby_zip_zeek_login"
- init => "@zeek_login_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'service', 'success', 'confused', 'user', 'client_user', 'password' ]"
- code => "event.set('[zeek_cols]', @zeek_login_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- } else if ([log_source] == "modbus") {
- #############################################################################################################################
- # modbus.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/modbus/main.zeek.html#type-Modbus::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_modbus"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][exception]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_modbus"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_modbus"
- init => "@zeek_modbus_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'exception' ]"
- code => "event.set('[zeek_cols]', @zeek_modbus_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_modbus"
- add_field => { "[zeek_cols][service]" => "modbus" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "modbus_detailed") {
- #############################################################################################################################
- # modbus_detailed.log
- # main.zeek (https://github.com/cisagov/icsnpp-modbus)
-
- if ("_jsonparsesuccess" in 
[tags]) {
- mutate {
- id => "mutate_rename_zeek_json_modbus_detailed_fields"
- rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" }
- rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" }
- rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_modbus_detailed"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][quantity]} %{[zeek_cols][values]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_modbus_detailed"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_modbus_detailed"
- init => "@zeek_modbus_detailed_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'quantity', 'values' ]"
- code => "event.set('[zeek_cols]', @zeek_modbus_detailed_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_modbus_detailed_values"
- split => { "[zeek_cols][values]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_modbus_detailed"
- add_field => {
- "[zeek_cols][service]" => "modbus"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "modbus_mask_write_register") {
-
#############################################################################################################################
- # modbus_mask_write_register.log
- # main.zeek (https://github.com/cisagov/icsnpp-modbus)
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_modbus_mask_write_register_fields"
- rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" }
- rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" }
- rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_modbus_mask_write_register"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][address]} %{[zeek_cols][and_mask]} %{[zeek_cols][or_mask]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_modbus_mask_write_register"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_modbus_mask_write_register"
- init => "@zeek_modbus_mask_write_register_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'address', 'and_mask', 'or_mask' ]"
- code => "event.set('[zeek_cols]', @zeek_modbus_mask_write_register_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_modbus_mask_write_register"
- add_field => {
-
"[zeek_cols][service]" => "modbus" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "modbus_read_device_identification") { - ############################################################################################################################# - # modbus_read_device_identification.log - # main.zeek (https://github.com/cisagov/icsnpp-modbus) - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_modbus_read_device_identification_fields" - rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" } - rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" } - rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" } - } - - } else { - dissect { - id => "dissect_zeek_modbus_read_device_identification" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][mei_type]} %{[zeek_cols][conformity_level_code]} %{[zeek_cols][conformity_level]} %{[zeek_cols][device_id_code]} %{[zeek_cols][object_id_code]} %{[zeek_cols][object_id]} %{[zeek_cols][object_value]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_modbus_read_device_identification" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_modbus_read_device_identification" - init => "@zeek_modbus_read_device_identification_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 
'trans_id', 'unit_id', 'func', 'network_direction', 'mei_type', 'conformity_level_code', 'conformity_level', 'device_id_code', 'object_id_code', 'object_id', 'object_value' ]"
- code => "event.set('[zeek_cols]', @zeek_modbus_read_device_identification_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_modbus_read_device_identification"
- add_field => {
- "[zeek_cols][service]" => "modbus"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "modbus_read_write_multiple_registers") {
- #############################################################################################################################
- # modbus_read_write_multiple_registers.log
- # main.zeek (https://github.com/cisagov/icsnpp-modbus)
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_modbus_read_write_multiple_registers_fields"
- rename => { "[zeek_cols][tid]" => "[zeek_cols][trans_id]" }
- rename => { "[zeek_cols][unit]" => "[zeek_cols][unit_id]" }
- rename => { "[zeek_cols][request_response]" => "[zeek_cols][network_direction]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_modbus_read_write_multiple_registers"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_id]} %{[zeek_cols][unit_id]} %{[zeek_cols][func]} %{[zeek_cols][network_direction]} %{[zeek_cols][write_start_address]} %{[zeek_cols][write_registers]} %{[zeek_cols][read_start_address]} %{[zeek_cols][read_quantity]} %{[zeek_cols][read_registers]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_modbus_read_write_multiple_registers"
- # zeek's
default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_modbus_read_write_multiple_registers"
- init => "@zeek_modbus_read_write_multiple_registers_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'write_start_address', 'write_registers', 'read_start_address', 'read_quantity', 'read_registers' ]"
- code => "event.set('[zeek_cols]', @zeek_modbus_read_write_multiple_registers_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_modbus_read_write_multiple_registers_read_commas"
- split => { "[zeek_cols][read_registers]" => ","
- "[zeek_cols][write_registers]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_modbus_read_write_multiple_registers"
- add_field => {
- "[zeek_cols][service]" => "modbus"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "mqtt_connect") {
- #############################################################################################################################
- # mqtt_connect.log
- # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::ConnectInfo
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_mqtt_connect"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto_name]} %{[zeek_cols][proto_version]} %{[zeek_cols][client_id]} %{[zeek_cols][connect_status]} %{[zeek_cols][will_topic]} %{[zeek_cols][will_payload]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_mqtt_connect"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR
EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_mqtt_connect"
- init => "@zeek_mqtt_connect_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto_name', 'proto_version', 'client_id', 'connect_status', 'will_topic', 'will_payload' ]"
- code => "event.set('[zeek_cols]', @zeek_mqtt_connect_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_mqtt_connect"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "mqtt"
- }
- }
-
- } else if ([log_source] == "mqtt_publish") {
- #############################################################################################################################
- # mqtt_publish.log
- # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::PublishInfo
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_mqtt_publish"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][from_client]} %{[zeek_cols][retain]} %{[zeek_cols][qos]} %{[zeek_cols][status]} %{[zeek_cols][topic]} %{[zeek_cols][payload]} %{[zeek_cols][payload_len]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_mqtt_publish"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_mqtt_publish"
- init => "@zeek_mqtt_publish_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'from_client', 'retain', 'qos', 'status', 'topic', 'payload', 'payload_len' ]"
- code => "event.set('[zeek_cols]', @zeek_mqtt_publish_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id =>
"mutate_add_fields_zeek_mqtt_publish" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "mqtt" - } - } - - } else if ([log_source] == "mqtt_subscribe") { - ############################################################################################################################# - # mqtt_subscribe.log - # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::SubscribeInfo - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_mqtt_subscribe" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][action]} %{[zeek_cols][topics]} %{[zeek_cols][qos_levels]} %{[zeek_cols][granted_qos_level]} %{[zeek_cols][ack]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_mqtt_subscribe" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_mqtt_subscribe" - init => "@zeek_mqtt_subscribe_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'action', 'topics', 'qos_levels', 'granted_qos_level', 'ack' ]" - code => "event.set('[zeek_cols]', @zeek_mqtt_subscribe_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_mqtt_subscribe_commas" - split => { "[zeek_cols][topics]" => "," - "[zeek_cols][qos_levels]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_mqtt_subscribe" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "mqtt" - } - } - - mutate { id => "mutate_gsub_zeek_mqtt_subscribe_action" - gsub => [ "[zeek_cols][action]", "MQTT::", "" ] } - - } else if ([log_source] == "mysql") { - 
#############################################################################################################################
- # mysql.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/mysql/main.zeek.html#type-MySQL::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_mysql"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cmd]} %{[zeek_cols][arg]} %{[zeek_cols][success]} %{[zeek_cols][rows]} %{[zeek_cols][response]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_mysql"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_mysql"
- init => "@zeek_mysql_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cmd', 'arg', 'success', 'rows', 'response' ]"
- code => "event.set('[zeek_cols]', @zeek_mysql_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_mysql"
- add_field => { "[zeek_cols][service]" => "mysql" }
- }
-
- } else if ([log_source] == "notice") {
- #############################################################################################################################
- # notice.log
- # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/main.zeek.html#type-Notice::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_notice_with_all_fields"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fuid]} %{[zeek_cols][file_mime_type]}
%{[zeek_cols][file_desc]} %{[zeek_cols][proto]} %{[zeek_cols][note]} %{[zeek_cols][msg]} %{[zeek_cols][sub]} %{[zeek_cols][src]} %{[zeek_cols][dst]} %{[zeek_cols][p]} %{[zeek_cols][n]} %{[zeek_cols][peer_descr]} %{[zeek_cols][actions]} %{[zeek_cols][email_dest]} %{[zeek_cols][suppress_for]} %{[zeek_cols][remote_location_country_code]} %{[zeek_cols][remote_location_region]} %{[zeek_cols][remote_location_city]} %{[zeek_cols][remote_location_latitude]} %{[zeek_cols][remote_location_longitude]} %{[zeek_cols][community_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_notice"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_notice"
- init => "@zeek_notice_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fuid', 'file_mime_type', 'file_desc', 'proto', 'note', 'msg', 'sub', 'src', 'dst', 'p', 'n', 'peer_descr', 'actions', 'email_dest', 'suppress_for', 'remote_location_country_code', 'remote_location_region', 'remote_location_city', 'remote_location_latitude', 'remote_location_longitude', 'community_id' ]"
- code => "event.set('[zeek_cols]', @zeek_notice_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_notice_actions"
- split => { "[zeek_cols][actions]" => "," } }
- }
-
- if ([zeek_cols][src]) and ((![zeek_cols][orig_h]) or ([zeek_cols][orig_h] == '(empty)') or
- ([zeek_cols][orig_h] == '-') or ([zeek_cols][orig_h] == '')) {
- mutate { id => "mutate_replace_zeek_notice_orig_h"
- replace => { "[zeek_cols][orig_h]" => "%{[zeek_cols][src]}" } }
- }
- if ([zeek_cols][dst]) and ((![zeek_cols][resp_h]) or ([zeek_cols][resp_h] == '(empty)') or
- ([zeek_cols][resp_h] == '-') or ([zeek_cols][resp_h] == '')) {
- mutate { id => "mutate_replace_zeek_notice_resp_h"
- replace => { "[zeek_cols][resp_h]" => "%{[zeek_cols][dst]}" } }
- }
- if [zeek_cols][p] and
((![zeek_cols][resp_p]) or ([zeek_cols][resp_p] == '(empty)') or
- ([zeek_cols][resp_p] == '-') or ([zeek_cols][resp_p] == '')) {
- mutate { id => "mutate_replace_zeek_resp_p"
- replace => { "[zeek_cols][resp_p]" => "%{[zeek_cols][p]}" } }
- }
-
- } else if ([log_source] == "ntlm") {
- #############################################################################################################################
- # ntlm.log
- # https://docs.zeek.org/en/stable/scripts/base/protocols/ntlm/main.zeek.html#type-NTLM::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ntlm_fields"
- rename => { "[zeek_cols][hostname]" => "[zeek_cols][host]" }
- rename => { "[zeek_cols][domainname]" => "[zeek_cols][domain]" }
- rename => { "[zeek_cols][server_nb_computer_name]" => "[zeek_cols][server_nb_computer]" }
- rename => { "[zeek_cols][server_dns_computer_name]" => "[zeek_cols][server_dns_computer]" }
- rename => { "[zeek_cols][server_tree_name]" => "[zeek_cols][server_tree]" }
- rename => { "[zeek_cols][username]" => "[zeek_cols][user]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ntlm_with_all_fields"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][host]} %{[zeek_cols][domain]} %{[zeek_cols][server_nb_computer]} %{[zeek_cols][server_dns_computer]} %{[zeek_cols][server_tree]} %{[zeek_cols][success]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ntlm"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ntlm"
- init => "@zeek_ntlm_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'host', 'domain', 'server_nb_computer',
'server_dns_computer', 'server_tree', 'success' ]"
- code => "event.set('[zeek_cols]', @zeek_ntlm_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ntlm"
- add_field => { "[zeek_cols][service]" => "ntlm" }
- }
-
- } else if ([log_source] == "ntp") {
- #############################################################################################################################
- # ntp.log
- # https://docs.zeek.org/en/latest/scripts/base/protocols/ntp/main.zeek.html#type-NTP::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_ntp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][mode]} %{[zeek_cols][stratum]} %{[zeek_cols][poll]} %{[zeek_cols][precision]} %{[zeek_cols][root_delay]} %{[zeek_cols][root_disp]} %{[zeek_cols][ref_id]} %{[zeek_cols][ref_time]} %{[zeek_cols][org_time]} %{[zeek_cols][rec_time]} %{[zeek_cols][xmt_time]} %{[zeek_cols][num_exts]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ntp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_ntp"
- init => "@zeek_ntp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'mode', 'stratum', 'poll', 'precision', 'root_delay', 'root_disp', 'ref_id', 'ref_time', 'org_time', 'rec_time', 'xmt_time', 'num_exts' ]"
- code => "event.set('[zeek_cols]', @zeek_ntp_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ntp"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "ntp"
- }
- }
-
- } else if ([log_source] == "ocsp") {
-
#############################################################################################################################
- # ocsp.log
- # https://docs.zeek.org/en/stable/scripts/policy/files/x509/log-ocsp.zeek.html#type-OCSP::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_ocsp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][hashAlgorithm]} %{[zeek_cols][issuerNameHash]} %{[zeek_cols][issuerKeyHash]} %{[zeek_cols][serialNumber]} %{[zeek_cols][certStatus]} %{[zeek_cols][revoketime]} %{[zeek_cols][revokereason]} %{[zeek_cols][thisUpdate]} %{[zeek_cols][nextUpdate]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ocsp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
-
- ruby {
- id => "ruby_zip_zeek_ocsp"
- init => "@zeek_ocsp_field_names = [ 'ts', 'fuid', 'hashAlgorithm', 'issuerNameHash', 'issuerKeyHash', 'serialNumber', 'certStatus', 'revoketime', 'revokereason', 'thisUpdate', 'nextUpdate' ]"
- code => "event.set('[zeek_cols]', @zeek_ocsp_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_add_fields_zeek_service_ocsp"
- add_field => { "[zeek_cols][service]" => "X.509" } }
-
- } else if ([log_source] == "ospf") {
- #############################################################################################################################
- # ospf.log
- # https://github.com/corelight/zeek-spicy-ospf
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_ospf_fields"
- rename => { "[zeek_cols][ip_dst]" => "[zeek_cols][orig_h]" }
- rename => { "[zeek_cols][ip_src]" => "[zeek_cols][resp_h]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_ospf"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T
SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][resp_h]} %{[zeek_cols][ospf_type]} %{[zeek_cols][version]} %{[zeek_cols][router_id]} %{[zeek_cols][area_id]} %{[zeek_cols][interface_id]} %{[zeek_cols][netmask]} %{[zeek_cols][desig_router]} %{[zeek_cols][backup_router]} %{[zeek_cols][neighbors]} %{[zeek_cols][lsa_type]} %{[zeek_cols][link_state_id]} %{[zeek_cols][advert_router]} %{[zeek_cols][routers]} %{[zeek_cols][link_id]} %{[zeek_cols][link_data]} %{[zeek_cols][link_type]} %{[zeek_cols][neighbor_router_id]} %{[zeek_cols][metrics]} %{[zeek_cols][fwd_addrs]} %{[zeek_cols][route_tags]} %{[zeek_cols][neighbor_interface_id]} %{[zeek_cols][prefix]} %{[zeek_cols][metric]} %{[zeek_cols][dest_router_id]} %{[zeek_cols][link_prefixes]} %{[zeek_cols][intra_prefixes]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_ospf"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
-
- ruby {
- id => "ruby_zip_zeek_ospf"
- init => "@zeek_ospf_field_names = [ 'ts', 'orig_h', 'resp_h', 'ospf_type', 'version', 'router_id', 'area_id', 'interface_id', 'netmask', 'desig_router', 'backup_router', 'neighbors', 'lsa_type', 'link_state_id', 'advert_router', 'routers', 'link_id', 'link_data', 'link_type', 'neighbor_router_id', 'metrics', 'fwd_addrs', 'route_tags', 'neighbor_interface_id', 'prefix', 'metric', 'dest_router_id', 'link_prefixes', 'intra_prefixes' ]"
- code => "event.set('[zeek_cols]', @zeek_ospf_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_ospf_commas"
- split => { "[zeek_cols][neighbors]" => ","
- "[zeek_cols][routers]" => ","
- "[zeek_cols][metrics]" => ","
- "[zeek_cols][fwd_addrs]" => ","
- "[zeek_cols][route_tags]" => ","
- "[zeek_cols][link_prefixes]" => ","
- "[zeek_cols][intra_prefixes]" => "," } }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_ospf"
- add_field => {
- "[zeek_cols][proto]" => "ospf" - "[zeek_cols][service]" => "ospf" - } - } - - } else if ([log_source] == "pe") { - ############################################################################################################################# - # pe.log - # https://docs.zeek.org/en/stable/scripts/base/files/pe/main.zeek.html#type-PE::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_pe_fields" - rename => { "[zeek_cols][id]" => "[zeek_cols][fuid]" } - } - - } else { - dissect { - id => "dissect_zeek_pe" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fuid]} %{[zeek_cols][machine]} %{[zeek_cols][compile_ts]} %{[zeek_cols][os]} %{[zeek_cols][subsystem]} %{[zeek_cols][is_exe]} %{[zeek_cols][is_64bit]} %{[zeek_cols][uses_aslr]} %{[zeek_cols][uses_dep]} %{[zeek_cols][uses_code_integrity]} %{[zeek_cols][uses_seh]} %{[zeek_cols][has_import_table]} %{[zeek_cols][has_export_table]} %{[zeek_cols][has_cert_table]} %{[zeek_cols][has_debug_data]} %{[zeek_cols][section_names]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_pe" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_pe" - init => "@zeek_pe_field_names = [ 'ts', 'fuid', 'machine', 'compile_ts', 'os', 'subsystem', 'is_exe', 'is_64bit', 'uses_aslr', 'uses_dep', 'uses_code_integrity', 'uses_seh', 'has_import_table', 'has_export_table', 'has_cert_table', 'has_debug_data', 'section_names' ]" - code => "event.set('[zeek_cols]', @zeek_pe_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_pe_section_names" - split => { "[zeek_cols][section_names]" => "," } } - } - - } else if ([log_source] == "profinet") { - 
#############################################################################################################################
- # profinet.log
- # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_profinet"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][operation_type]} %{[zeek_cols][block_version]} %{[zeek_cols][slot_number]} %{[zeek_cols][subslot_number]} %{[zeek_cols][index]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_profinet"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_profinet"
- init => "@zeek_profinet_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'operation_type', 'block_version', 'slot_number', 'subslot_number', 'index' ]"
- code => "event.set('[zeek_cols]', @zeek_profinet_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_profinet"
- add_field => { "[zeek_cols][service]" => "profinet" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "profinet_dce_rpc") {
- #############################################################################################################################
- # profinet_dce_rpc.log
- # https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_profinet_dce_rpc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]}
%{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][packet_type]} %{[zeek_cols][object_uuid]} %{[zeek_cols][interface_uuid]} %{[zeek_cols][activity_uuid]} %{[zeek_cols][server_boot_time]} %{[zeek_cols][operation]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_profinet_dce_rpc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_profinet_dce_rpc"
- init => "@zeek_profinet_dce_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'packet_type', 'object_uuid', 'interface_uuid', 'activity_uuid', 'server_boot_time', 'operation' ]"
- code => "event.set('[zeek_cols]', @zeek_profinet_dce_rpc_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_profinet_dce_rpc"
- add_field => { "[zeek_cols][service]" => "profinet_dce_rpc" }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "profinet_io_cm") {
- #############################################################################################################################
- # profinet_io_cm.log
- # https://github.com/cisagov/icsnpp-profinet-io-cm
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_profinet_io_cm_fields"
- rename => { "[zeek_cols][array_of_sel_ack]" => "[zeek_cols][sel_ack]" }
- rename => { "[zeek_cols][operation_num]" => "[zeek_cols][operation]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_profinet_io_cm"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]}
%{[zeek_cols][rpc_version]} %{[zeek_cols][packet_type]} %{[zeek_cols][reserved_for_impl_1]} %{[zeek_cols][last_fragment]} %{[zeek_cols][fragment]} %{[zeek_cols][no_fragment_requested]} %{[zeek_cols][maybe]} %{[zeek_cols][idempotent]} %{[zeek_cols][broadcast]} %{[zeek_cols][reserved_for_impl_2]} %{[zeek_cols][cancel_was_pending_at_call_end]} %{[zeek_cols][integer_encoding]} %{[zeek_cols][character_encoding]} %{[zeek_cols][floating_point_encoding]} %{[zeek_cols][serial_high]} %{[zeek_cols][object_uuid]} %{[zeek_cols][interface_uuid]} %{[zeek_cols][activity_uuid]} %{[zeek_cols][server_boot_time]} %{[zeek_cols][interface_vers_major]} %{[zeek_cols][interface_vers_minor]} %{[zeek_cols][sequence_num]} %{[zeek_cols][operation]} %{[zeek_cols][interface_hint]} %{[zeek_cols][activity_hint]} %{[zeek_cols][len_of_body]} %{[zeek_cols][fragment_num]} %{[zeek_cols][auth_protocol]} %{[zeek_cols][serial_low]} %{[zeek_cols][vers_fack]} %{[zeek_cols][window_size]} %{[zeek_cols][max_tsdu]} %{[zeek_cols][max_frag_size]} %{[zeek_cols][serial_number]} %{[zeek_cols][sel_ack_len]} %{[zeek_cols][sel_ack]}" - } - } - - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_profinet_io_cm" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_profinet_io_cm" - init => "$zeek_profinet_io_cm_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'rpc_version', 'packet_type', 'reserved_for_impl_1', 'last_fragment', 'fragment', 'no_fragment_requested', 'maybe', 'idempotent', 'broadcast', 'reserved_for_impl_2', 'cancel_was_pending_at_call_end', 'integer_encoding', 'character_encoding', 'floating_point_encoding', 'serial_high', 'object_uuid', 'interface_uuid', 'activity_uuid', 'server_boot_time', 'interface_vers_major', 'interface_vers_minor', 'sequence_num', 'operation', 'interface_hint', 
'activity_hint', 'len_of_body', 'fragment_num', 'auth_protocol', 'serial_low', 'vers_fack', 'window_size', 'max_tsdu', 'max_frag_size', 'serial_number', 'sel_ack_len', 'sel_ack' ]" - code => "event.set('[zeek_cols]', $zeek_profinet_io_cm_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_profinet_io_cm_commas" - split => { "[zeek_cols][sel_ack]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_profinet_io_cm" - add_field => { - "[zeek_cols][proto]" => "udp" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "radius") { - ############################################################################################################################# - # radius.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_radius_fields" - rename => { "[zeek_cols][username]" => "[zeek_cols][user]" } - } - - } else { - dissect { - id => "dissect_zeek_radius" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user]} %{[zeek_cols][mac]} %{[zeek_cols][framed_addr]} %{[zeek_cols][tunnel_client]} %{[zeek_cols][connect_info]} %{[zeek_cols][reply_msg]} %{[zeek_cols][result]} %{[zeek_cols][ttl]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_radius" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_radius" - init => "@zeek_radius_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user', 'mac', 'framed_addr', 'tunnel_client', 'connect_info', 'reply_msg', 'result', 'ttl' ]" - code => "event.set('[zeek_cols]', 
@zeek_radius_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_radius" - add_field => { "[zeek_cols][service]" => "radius" } - } - - } else if ([log_source] == "rdp") { - ############################################################################################################################# - # rdp.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_rdp_with_all_fields" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cookie]} %{[zeek_cols][result]} %{[zeek_cols][security_protocol]} %{[zeek_cols][client_channels]} %{[zeek_cols][keyboard_layout]} %{[zeek_cols][client_build]} %{[zeek_cols][client_name]} %{[zeek_cols][client_dig_product_id]} %{[zeek_cols][desktop_width]} %{[zeek_cols][desktop_height]} %{[zeek_cols][requested_color_depth]} %{[zeek_cols][cert_type]} %{[zeek_cols][cert_count]} %{[zeek_cols][cert_permanent]} %{[zeek_cols][encryption_level]} %{[zeek_cols][encryption_method]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_rdp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_rdp" - init => "@zeek_rdp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cookie', 'result', 'security_protocol', 'client_channels', 'keyboard_layout', 'client_build', 'client_name', 'client_dig_product_id', 'desktop_width', 'desktop_height', 'requested_color_depth', 'cert_type', 'cert_count', 'cert_permanent', 'encryption_level', 'encryption_method' ]" - code => "event.set('[zeek_cols]', 
@zeek_rdp_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_rdp_client_channels" - split => { "[zeek_cols][client_channels]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_rdp" - add_field => { "[zeek_cols][service]" => "rdp" } - } - - # remove RDP prefix from client_build (version) - mutate { id => "mutate_gsub_field_zeek_rdp_client_build" - gsub => [ "[zeek_cols][client_build]", "^RDP ", "" ] } - - } else if ([log_source] == "rfb") { - ############################################################################################################################# - # rfb.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_rfb" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_major_version]} %{[zeek_cols][client_minor_version]} %{[zeek_cols][server_major_version]} %{[zeek_cols][server_minor_version]} %{[zeek_cols][authentication_method]} %{[zeek_cols][auth]} %{[zeek_cols][share_flag]} %{[zeek_cols][desktop_name]} %{[zeek_cols][width]} %{[zeek_cols][height]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_rfb" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_rfb" - init => "@zeek_rfb_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'client_major_version', 'client_minor_version', 'server_major_version', 'server_minor_version', 'authentication_method', 'auth', 'share_flag', 'desktop_name', 'width', 'height' ]" - code => "event.set('[zeek_cols]', @zeek_rfb_field_names.zip(event.get('[message]')).to_h)" - } - } - } 
- - mutate { - id => "mutate_add_fields_zeek_rfb" - add_field => { "[zeek_cols][service]" => "rfb" } - } - - } else if ([log_source] == "s7comm") { - ############################################################################################################################# - # s7comm.log - # https://github.com/cisagov/icsnpp-s7comm - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_s7comm" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_code]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]} %{[zeek_cols][subfunction_code]} %{[zeek_cols][subfunction_name]} %{[zeek_cols][error_class]} %{[zeek_cols][error_code]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_s7comm" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_s7comm" - init => "@zeek_s7comm_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_code', 'rosctr_name', 'pdu_reference', 'function_code', 'function_name', 'subfunction_code', 'subfunction_name', 'error_class', 'error_code' ]" - code => "event.set('[zeek_cols]', @zeek_s7comm_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_s7comm" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "s7comm" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "s7comm_plus") { - 
############################################################################################################################# - # s7comm_plus.log - # https://github.com/cisagov/icsnpp-s7comm - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_s7comm_plus" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][opcode]} %{[zeek_cols][opcode_name]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_s7comm_plus" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_s7comm_plus" - init => "@zeek_s7comm_plus_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'opcode', 'opcode_name', 'function_code', 'function_name' ]" - code => "event.set('[zeek_cols]', @zeek_s7comm_plus_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_s7comm_plus" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "s7comm_plus" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "s7comm_read_szl") { - ############################################################################################################################# - # s7comm_read_szl.log - # https://github.com/cisagov/icsnpp-s7comm - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_s7comm_read_szl" - # zeek's default delimiter is a literal 
tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][method]} %{[zeek_cols][szl_id]} %{[zeek_cols][szl_id_name]} %{[zeek_cols][szl_index]} %{[zeek_cols][return_code]} %{[zeek_cols][return_code_name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_s7comm_read_szl" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_s7comm_read_szl" - init => "@zeek_s7comm_read_szl_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_reference', 'method', 'szl_id', 'szl_id_name', 'szl_index', 'return_code', 'return_code_name' ]" - code => "event.set('[zeek_cols]', @zeek_s7comm_read_szl_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_s7comm_read_szl" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "s7comm" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "s7comm_upload_download") { - ############################################################################################################################# - # s7comm_upload_download.log - # https://github.com/cisagov/icsnpp-s7comm - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_s7comm_upload_download_fields" - rename => { "[zeek_cols][rosctr]" => "[zeek_cols][rosctr_name]" } - } - - } else { - dissect { - id => "dissect_zeek_s7comm_upload_download" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - 
mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_name]} %{[zeek_cols][function_status]} %{[zeek_cols][session_id]} %{[zeek_cols][blocklength]} %{[zeek_cols][filename]} %{[zeek_cols][block_type]} %{[zeek_cols][block_number]} %{[zeek_cols][destination_filesystem]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_s7comm_upload_download" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_s7comm_upload_download" - init => "@zeek_s7comm_upload_download_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_name', 'pdu_reference', 'function_name', 'function_status', 'session_id', 'blocklength', 'filename', 'block_type', 'block_number', 'destination_filesystem' ]" - code => "event.set('[zeek_cols]', @zeek_s7comm_upload_download_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_s7comm_upload_download" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "s7comm" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "signatures") { - ############################################################################################################################# - # signatures.log - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_signatures" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} 
%{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][note]} %{[zeek_cols][signature_id]} %{[zeek_cols][event_message]} %{[zeek_cols][sub_message]} %{[zeek_cols][signature_count]} %{[zeek_cols][host_count]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_signatures" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_signatures" - init => "@zeek_signatures_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'note', 'signature_id', 'event_message', 'sub_message', 'signature_count', 'host_count' ]" - code => "event.set('[zeek_cols]', @zeek_signatures_field_names.zip(event.get('[message]')).to_h)" - } - } - if ("_carved" in [tags]) { - # Malcolm does some "special" stuff in zeek_carve_logger.py for file carving, sort of hijacking signatures.log for it: - # - _carved signature logs' sub_message contains fuid(s) comma-separated - mutate { id => "mutate_split_zeek_signatures_sub_message" - split => { "[zeek_cols][sub_message]" => "," } } - } - } - - } else if ([log_source] == "sip") { - ############################################################################################################################# - # sip.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/sip/main.zeek.html#type-SIP::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_sip" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][uri]} %{[zeek_cols][date]} %{[zeek_cols][request_from]} %{[zeek_cols][request_to]} %{[zeek_cols][response_from]} %{[zeek_cols][response_to]} 
%{[zeek_cols][reply_to]} %{[zeek_cols][call_id]} %{[zeek_cols][seq]} %{[zeek_cols][subject]} %{[zeek_cols][request_path]} %{[zeek_cols][response_path]} %{[zeek_cols][user_agent]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][warning]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][content_type]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_sip" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_sip" - init => "@zeek_sip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'uri', 'date', 'request_from', 'request_to', 'response_from', 'response_to', 'reply_to', 'call_id', 'seq', 'subject', 'request_path', 'response_path', 'user_agent', 'status_code', 'status_msg', 'warning', 'request_body_len', 'response_body_len', 'content_type' ]" - code => "event.set('[zeek_cols]', @zeek_sip_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_sip_commas" - split => { "[zeek_cols][request_path]" => "," - "[zeek_cols][response_path]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_sip" - add_field => { "[zeek_cols][service]" => "sip" } - } - - } else if ([log_source] == "smb_cmd") { - ############################################################################################################################# - # smb_cmd.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::CmdInfo - # - # note that smb_cmd.referenced_file is exactly the same structure as the log line for smb_files. 
later on it will be - # merged up as its own top-level entity so I don't have to duplicate the parsing effort below - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_smb_cmd_referenced_file_fields" - rename => { "[zeek_cols][referenced_file.id.orig_h]" => "[zeek_cols][referenced_file][orig_h]" } - rename => { "[zeek_cols][referenced_file.id.orig_p]" => "[zeek_cols][referenced_file][orig_p]" } - rename => { "[zeek_cols][referenced_file.id.resp_h]" => "[zeek_cols][referenced_file][resp_h]" } - rename => { "[zeek_cols][referenced_file.id.resp_p]" => "[zeek_cols][referenced_file][resp_p]" } - } - - } else { - dissect { - id => "dissect_zeek_smb_cmd" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]} %{[zeek_cols][sub_command]} %{[zeek_cols][argument]} %{[zeek_cols][status]} %{[zeek_cols][rtt]} %{[zeek_cols][version]} %{[zeek_cols][user]} %{[zeek_cols][tree]} %{[zeek_cols][tree_service]} %{[zeek_cols][referenced_file][ts]} %{[zeek_cols][referenced_file][uid]} %{[zeek_cols][referenced_file][orig_h]} %{[zeek_cols][referenced_file][orig_p]} %{[zeek_cols][referenced_file][resp_h]} %{[zeek_cols][referenced_file][resp_p]} %{[zeek_cols][referenced_file][fuid]} %{[zeek_cols][referenced_file][action]} %{[zeek_cols][referenced_file][path]} %{[zeek_cols][referenced_file][name]} %{[zeek_cols][referenced_file][size]} %{[zeek_cols][referenced_file][prev_name]} %{[zeek_cols][referenced_file][times_modified]} %{[zeek_cols][referenced_file][times_accessed]} %{[zeek_cols][referenced_file][times_created]} %{[zeek_cols][referenced_file][times_changed]} %{[zeek_cols][referenced_file][data_offset_req]} %{[zeek_cols][referenced_file][data_len_req]} %{[zeek_cols][referenced_file][data_len_rsp]}" - } - } - if ("_dissectfailure" in [tags]) 
{ - mutate { - id => "mutate_split_zeek_smb_cmd" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_smb_cmd" - init => "@zeek_smb_cmd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command', 'sub_command', 'argument', 'status', 'rtt', 'version', 'user', 'tree', 'tree_service', 'referenced_file.ts', 'referenced_file.uid', 'referenced_file.orig_h', 'referenced_file.orig_p', 'referenced_file.resp_h', 'referenced_file.resp_p', 'referenced_file.fuid', 'referenced_file.action', 'referenced_file.path', 'referenced_file.name', 'referenced_file.size', 'referenced_file.prev_name', 'referenced_file.times_modified', 'referenced_file.times_accessed', 'referenced_file.times_created', 'referenced_file.times_changed', 'referenced_file.data_offset_req', 'referenced_file.data_len_req', 'referenced_file.data_len_rsp' ]" - code => "event.set('[zeek_cols]', @zeek_smb_cmd_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_smb_cmd" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "smb" - } - } - - # remove SMB prefix from version - mutate { id => "mutate_gsub_field_zeek_smb_cmd_version" - gsub => [ "[zeek_cols][version]", "^SMB", "" ] } - - mutate { id => "mutate_gsub_zeek_smb_cmd_command" - gsub => [ "[zeek_cols][command]", "^SMB::", "" ] } - - } else if ([log_source] == "smb_files") { - ############################################################################################################################# - # smb_files.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::FileInfo - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_smb_files_with_all_fields" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} 
%{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][fuid]} %{[zeek_cols][action]} %{[zeek_cols][path]} %{[zeek_cols][name]} %{[zeek_cols][size]} %{[zeek_cols][prev_name]} %{[zeek_cols][times_modified]} %{[zeek_cols][times_accessed]} %{[zeek_cols][times_created]} %{[zeek_cols][times_changed]} %{[zeek_cols][data_offset_req]} %{[zeek_cols][data_len_req]} %{[zeek_cols][data_len_rsp]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_smb_files" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_smb_files" - init => "@zeek_smb_files_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'fuid', 'action', 'path', 'name', 'size', 'prev_name', 'times_modified', 'times_accessed', 'times_created', 'times_changed', 'data_offset_req', 'data_len_req', 'data_len_rsp' ]" - code => "event.set('[zeek_cols]', @zeek_smb_files_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_smb_files" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "smb" - } - } - - mutate { id => "mutate_gsub_zeek_smb_files_action" - gsub => [ "[zeek_cols][action]", "^SMB::", "" ] } - - } else if ([log_source] == "smb_mapping") { - ############################################################################################################################# - # smb_mapping.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/smb/main.zeek.html#type-SMB::TreeInfo - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_smb_mapping" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} 
%{[zeek_cols][path]} %{[zeek_cols][resource_type]} %{[zeek_cols][native_file_system]} %{[zeek_cols][share_type]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_smb_mapping" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_smb_mapping" - init => "@zeek_smb_mapping_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'path', 'resource_type', 'native_file_system', 'share_type' ]" - code => "event.set('[zeek_cols]', @zeek_smb_mapping_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_smb_mapping" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "smb" - } - } - - } else if ([log_source] == "smtp") { - ############################################################################################################################# - # smtp.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/smtp/main.zeek.html#type-SMTP::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_smtp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][helo]} %{[zeek_cols][mailfrom]} %{[zeek_cols][rcptto]} %{[zeek_cols][date]} %{[zeek_cols][from]} %{[zeek_cols][to]} %{[zeek_cols][cc]} %{[zeek_cols][reply_to]} %{[zeek_cols][msg_id]} %{[zeek_cols][in_reply_to]} %{[zeek_cols][subject]} %{[zeek_cols][x_originating_ip]} %{[zeek_cols][first_received]} %{[zeek_cols][second_received]} %{[zeek_cols][last_reply]} %{[zeek_cols][path]} %{[zeek_cols][user_agent]} %{[zeek_cols][tls]} %{[zeek_cols][fuid]} %{[zeek_cols][is_webmail]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id 
=> "mutate_split_zeek_smtp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_smtp" - init => "@zeek_smtp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'helo', 'mailfrom', 'rcptto', 'date', 'from', 'to', 'cc', 'reply_to', 'msg_id', 'in_reply_to', 'subject', 'x_originating_ip', 'first_received', 'second_received', 'last_reply', 'path', 'user_agent', 'tls', 'fuid', 'is_webmail' ]" - code => "event.set('[zeek_cols]', @zeek_smtp_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_smtp_commas" - split => { "[zeek_cols][rcptto]" => "," - "[zeek_cols][to]" => "," - "[zeek_cols][cc]" => "," - "[zeek_cols][path]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_smtp" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "smtp" - } - } - - } else if ([log_source] == "snmp") { - ############################################################################################################################# - # snmp.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/snmp/main.zeek.html#type-SNMP::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_snmp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][duration]} %{[zeek_cols][version]} %{[zeek_cols][community]} %{[zeek_cols][get_requests]} %{[zeek_cols][get_bulk_requests]} %{[zeek_cols][get_responses]} %{[zeek_cols][set_requests]} %{[zeek_cols][display_string]} %{[zeek_cols][up_since]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_snmp" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT 
UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_snmp" - init => "@zeek_snmp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'duration', 'version', 'community', 'get_requests', 'get_bulk_requests', 'get_responses', 'set_requests', 'display_string', 'up_since' ]" - code => "event.set('[zeek_cols]', @zeek_snmp_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_snmp" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "snmp" - } - } - - } else if ([log_source] == "socks") { - ############################################################################################################################# - # socks.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/socks/main.zeek.html#type-SOCKS::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_socks" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][server_status]} %{[zeek_cols][request_host]} %{[zeek_cols][request_name]} %{[zeek_cols][request_port]} %{[zeek_cols][bound_host]} %{[zeek_cols][bound_name]} %{[zeek_cols][bound_port]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_socks" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_socks" - init => "@zeek_socks_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'user', 'password', 'server_status', 'request_host', 'request_name', 'request_port', 'bound_host', 'bound_name', 'bound_port' ]" - code => "event.set('[zeek_cols]', 
@zeek_socks_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_socks" - add_field => { "[zeek_cols][service]" => "socks" } - } - - } else if ([log_source] == "software") { - ############################################################################################################################# - # software.log - # https://docs.zeek.org/en/stable/scripts/base/frameworks/software/main.zeek.html#type-Software::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_software_fields" - rename => { "[zeek_cols][host]" => "[zeek_cols][orig_h]" } - rename => { "[zeek_cols][host_p]" => "[zeek_cols][orig_p]" } - rename => { "[zeek_cols][version.major]" => "[zeek_cols][version_major]" } - rename => { "[zeek_cols][version.minor]" => "[zeek_cols][version_minor]" } - rename => { "[zeek_cols][version.minor2]" => "[zeek_cols][version_minor2]" } - rename => { "[zeek_cols][version.minor3]" => "[zeek_cols][version_minor3]" } - rename => { "[zeek_cols][version.addl]" => "[zeek_cols][version_addl]" } - } - - } else { - dissect { - id => "dissect_zeek_software" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][software_type]} %{[zeek_cols][name]} %{[zeek_cols][version_major]} %{[zeek_cols][version_minor]} %{[zeek_cols][version_minor2]} %{[zeek_cols][version_minor3]} %{[zeek_cols][version_addl]} %{[zeek_cols][unparsed_version]} %{[zeek_cols][url]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_software" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_software" - init => "@zeek_software_field_names = [ 'ts', 'orig_h', 'orig_p', 'software_type', 'name', 'version_major', 'version_minor', 'version_minor2', 
'version_minor3', 'version_addl', 'unparsed_version', 'url' ]" - code => "event.set('[zeek_cols]', @zeek_software_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - } else if ([log_source] == "wireguard") { - ############################################################################################################################# - # wireguard.log - # https://github.com/corelight/zeek-spicy-wireguard/blob/master/analyzer/main.zeek - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_wireguard" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][established]} %{[zeek_cols][initiations]} %{[zeek_cols][responses]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_wireguard" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_wireguard" - init => "@zeek_wireguard_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'established', 'initiations', 'responses' ]" - code => "event.set('[zeek_cols]', @zeek_wireguard_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_gsub_zeek_wireguard_packet_type" - gsub => [ "[zeek_cols][packet_type]", "Wireguard::WG_", "" ] } - - mutate { - id => "mutate_add_field_zeek_service_wireguard" - add_field => { - "[zeek_cols][proto]" => "udp" - "[zeek_cols][service]" => "wireguard" - } - } - - } else if ([log_source] == "ssh") { - ############################################################################################################################# - # ssh.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate 
{ - id => "mutate_rename_zeek_json_ssh_fields" - rename => { "[zeek_cols][hasshServer_Algorithms]" => "[zeek_cols][hasshServerAlgorithms]" } - } - - } else { - dissect { - id => "dissect_zeek_ssh_with_all_fields_with_hassh" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][version]} %{[zeek_cols][auth_success]} %{[zeek_cols][auth_attempts]} %{[zeek_cols][direction]} %{[zeek_cols][client]} %{[zeek_cols][server]} %{[zeek_cols][cipher_alg]} %{[zeek_cols][mac_alg]} %{[zeek_cols][compression_alg]} %{[zeek_cols][kex_alg]} %{[zeek_cols][host_key_alg]} %{[zeek_cols][host_key]} %{[zeek_cols][remote_location_country_code]} %{[zeek_cols][remote_location_region]} %{[zeek_cols][remote_location_city]} %{[zeek_cols][remote_location_latitude]} %{[zeek_cols][remote_location_longitude]} %{[zeek_cols][hasshVersion]} %{[zeek_cols][hassh]} %{[zeek_cols][hasshServer]} %{[zeek_cols][cshka]} %{[zeek_cols][hasshAlgorithms]} %{[zeek_cols][sshka]} %{[zeek_cols][hasshServerAlgorithms]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ssh" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ssh" - init => "@zeek_ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'version', 'auth_success', 'auth_attempts', 'direction', 'client', 'server', 'cipher_alg', 'mac_alg', 'compression_alg', 'kex_alg', 'host_key_alg', 'host_key', 'remote_location_country_code', 'remote_location_region', 'remote_location_city', 'remote_location_latitude', 'remote_location_longitude', 'hasshVersion', 'hassh', 'hasshServer', 'cshka', 'hasshAlgorithms', 'sshka', 'hasshServerAlgorithms' ]" - code => "event.set('[zeek_cols]', 
@zeek_ssh_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_ssh_commas" - split => { "[zeek_cols][hasshAlgorithms]" => "," - "[zeek_cols][hasshServerAlgorithms]" => "," - "[zeek_cols][cshka]" => "," - "[zeek_cols][sshka]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_ssh" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "ssh" - } - } - - } else if ([log_source] == "ssl") { - ############################################################################################################################# - # ssl.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_ssl_fields" - rename => { "[zeek_cols][version]" => "[zeek_cols][ssl_version]" } - } - - } else { - dissect { - id => "dissect_zeek_ssl_v1_with_ja4" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ssl_version]} %{[zeek_cols][cipher]} %{[zeek_cols][curve]} %{[zeek_cols][server_name]} %{[zeek_cols][resumed]} %{[zeek_cols][last_alert]} %{[zeek_cols][next_protocol]} %{[zeek_cols][established]} %{[zeek_cols][ssl_history]} %{[zeek_cols][cert_chain_fps]} %{[zeek_cols][client_cert_chain_fps]} %{[zeek_cols][sni_matches_cert]} %{[zeek_cols][validation_status]} %{[zeek_cols][ja4]} %{[zeek_cols][ja4s]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_ssl" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_ssl" - init => "@zeek_ssl_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ssl_version', 'cipher', 'curve', 'server_name', 'resumed', 
'last_alert', 'next_protocol', 'established', 'ssl_history', 'cert_chain_fps', 'client_cert_chain_fps', 'sni_matches_cert', 'validation_status', 'ja4', 'ja4s' ]" - code => "event.set('[zeek_cols]', @zeek_ssl_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_zeek_ssl_commas" - split => { "[zeek_cols][cert_chain_fuids]" => "," - "[zeek_cols][client_cert_chain_fuids]" => "," - "[zeek_cols][cert_chain_fps]" => "," - "[zeek_cols][client_cert_chain_fps]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_ssl" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "tls" - } - } - - } else if ([log_source] == "stun") { - ############################################################################################################################# - # stun.log - # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_stun_fields" - rename => { "[zeek_cols][attr_types]" => "[zeek_cols][attr_type]" } - rename => { "[zeek_cols][attr_vals]" => "[zeek_cols][attr_val]" } - } - - } else { - dissect { - id => "dissect_zeek_stun" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][is_orig]} %{[zeek_cols][trans_id]} %{[zeek_cols][method]} %{[zeek_cols][class]} %{[zeek_cols][attr_type]} %{[zeek_cols][attr_val]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_stun" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_stun" - init => "@zeek_stun_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'is_orig', 'trans_id', 
'method', 'class', 'attr_type', 'attr_val' ]" - code => "event.set('[zeek_cols]', @zeek_stun_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_field_zeek_stun_commas" - split => { "[zeek_cols][attr_type]" => "," - "[zeek_cols][attr_val]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_stun" - add_field => { - "[zeek_cols][service]" => "stun" - } - } - - } else if ([log_source] == "stun_nat") { - ############################################################################################################################# - # stun.log - # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_stun_nat_fields" - rename => { "[zeek_cols][wan_addrs]" => "[zeek_cols][wan_addr]" } - rename => { "[zeek_cols][wan_ports]" => "[zeek_cols][wan_port]" } - rename => { "[zeek_cols][lan_addrs]" => "[zeek_cols][lan_addr]" } - } - - } else { - dissect { - id => "dissect_zeek_stun_nat" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][is_orig]} %{[zeek_cols][wan_addr]} %{[zeek_cols][wan_port]} %{[zeek_cols][lan_addr]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_stun_nat" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_stun_nat" - init => "@zeek_stun_nat_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'is_orig', 'wan_addr', 'wan_port', 'lan_addr' ]" - code => "event.set('[zeek_cols]', @zeek_stun_nat_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "mutate_split_field_zeek_stun_nat_commas" - split => 
{ "[zeek_cols][wan_addrs]" => "," - "[zeek_cols][wan_ports]" => "," - "[zeek_cols][lan_addrs]" => "," } } - } - - mutate { - id => "mutate_add_fields_zeek_stun_nat" - add_field => { - "[zeek_cols][service]" => "stun" - } - } - - } else if ([log_source] == "synchrophasor") { - ############################################################################################################################# - # synchrophasor.log - # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_synchrophasor" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][version]} %{[zeek_cols][data_stream_id]} %{[zeek_cols][history]} %{[zeek_cols][frame_size_min]} %{[zeek_cols][frame_size_max]} %{[zeek_cols][frame_size_tot]} %{[zeek_cols][data_frame_count]} %{[zeek_cols][data_rate]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_synchrophasor" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_synchrophasor" - init => "@zeek_synchrophasor_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'version', 'data_stream_id', 'history', 'frame_size_min', 'frame_size_max', 'frame_size_tot', 'data_frame_count', 'data_rate' ]" - code => "event.set('[zeek_cols]', @zeek_synchrophasor_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_synchrophasor" - add_field => { - "[zeek_cols][service]" => "synchrophasor" - } - add_tag => [ "ics" ] - } - - - } else if ([log_source] == "synchrophasor_cmd") { - 
############################################################################################################################# - # synchrophasor_cmd.log - # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_synchrophasor_cmd" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][command]} %{[zeek_cols][extframe]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_synchrophasor_cmd" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_synchrophasor_cmd" - init => "@zeek_synchrophasor_cmd_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'command', 'extframe' ]" - code => "event.set('[zeek_cols]', @zeek_synchrophasor_cmd_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_synchrophasor_cmd" - add_field => { - "[zeek_cols][service]" => "synchrophasor" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "synchrophasor_cfg") { - ############################################################################################################################# - # synchrophasor_cfg.log - # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_synchrophasor_cfg" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} 
%{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][cont_idx]} %{[zeek_cols][pmu_count_expected]} %{[zeek_cols][pmu_count_actual]} %{[zeek_cols][data_rate]} %{[zeek_cols][cfg_frame_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_synchrophasor_cfg" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_synchrophasor_cfg" - init => "@zeek_synchrophasor_cfg_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'cont_idx', 'pmu_count_expected', 'pmu_count_actual', 'data_rate', 'cfg_frame_id' ]" - code => "event.set('[zeek_cols]', @zeek_synchrophasor_cfg_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_synchrophasor_cfg" - add_field => { - "[zeek_cols][service]" => "synchrophasor" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "synchrophasor_cfg_detail") { - ############################################################################################################################# - # synchrophasor_cfg_detail.log - # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_synchrophasor_cfg_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][cfg_frame_id]} %{[zeek_cols][pmu_idx]} %{[zeek_cols][svc_class]} %{[zeek_cols][station_name]} 
%{[zeek_cols][data_source_id]} %{[zeek_cols][global_pmuid]} %{[zeek_cols][phasor_shape]} %{[zeek_cols][phasor_format]} %{[zeek_cols][analog_format]} %{[zeek_cols][freq_format]} %{[zeek_cols][phnmr]} %{[zeek_cols][annmr]} %{[zeek_cols][dgnmr]} %{[zeek_cols][phnam]} %{[zeek_cols][annam]} %{[zeek_cols][dgnam]} %{[zeek_cols][phasor_conv_phunit]} %{[zeek_cols][phasor_conv_phvalue]} %{[zeek_cols][phasor_conv_upsampled_interpolation]} %{[zeek_cols][phasor_conv_upsampled_extrapolation]} %{[zeek_cols][phasor_conv_downsampled_reselection]} %{[zeek_cols][phasor_conv_downsampled_fir_filter]} %{[zeek_cols][phasor_conv_downsampled_no_fir_filter]} %{[zeek_cols][phasor_conv_filtered_without_changing_sampling]} %{[zeek_cols][phasor_conv_calibration_mag_adj]} %{[zeek_cols][phasor_conv_calibration_phas_adj]} %{[zeek_cols][phasor_conv_rotation_phase_adj]} %{[zeek_cols][phasor_conv_pseudo_phasor_val]} %{[zeek_cols][phasor_conv_mod_appl]} %{[zeek_cols][phasor_conv_phasor_component]} %{[zeek_cols][phasor_conv_phasor_type]} %{[zeek_cols][phasor_conv_user_def]} %{[zeek_cols][phasor_conv_scale_factor]} %{[zeek_cols][phasor_conv_angle_adj]} %{[zeek_cols][analog_conv_analog_flags]} %{[zeek_cols][analog_conv_user_defined_scaling]} %{[zeek_cols][analog_conv_mag_scale]} %{[zeek_cols][analog_conv_offset]} %{[zeek_cols][digital_conv_normal_status_mask]} %{[zeek_cols][digital_conv_valid_inputs_mask]} %{[zeek_cols][pmu_lat]} %{[zeek_cols][pmu_lon]} %{[zeek_cols][pmu_elev]} %{[zeek_cols][window]} %{[zeek_cols][group_delay]} %{[zeek_cols][fnom]} %{[zeek_cols][cfgcnt]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_synchrophasor_cfg_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_synchrophasor_cfg_detail" - init => "@zeek_synchrophasor_cfg_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 
'header_time_stamp', 'cfg_frame_id', 'pmu_idx', 'svc_class', 'station_name', 'data_source_id', 'global_pmuid', 'phasor_shape', 'phasor_format', 'analog_format', 'freq_format', 'phnmr', 'annmr', 'dgnmr', 'phnam', 'annam', 'dgnam', 'phasor_conv_phunit', 'phasor_conv_phvalue', 'phasor_conv_upsampled_interpolation', 'phasor_conv_upsampled_extrapolation', 'phasor_conv_downsampled_reselection', 'phasor_conv_downsampled_fir_filter', 'phasor_conv_downsampled_no_fir_filter', 'phasor_conv_filtered_without_changing_sampling', 'phasor_conv_calibration_mag_adj', 'phasor_conv_calibration_phas_adj', 'phasor_conv_rotation_phase_adj', 'phasor_conv_pseudo_phasor_val', 'phasor_conv_mod_appl', 'phasor_conv_phasor_component', 'phasor_conv_phasor_type', 'phasor_conv_user_def', 'phasor_conv_scale_factor', 'phasor_conv_angle_adj', 'analog_conv_analog_flags', 'analog_conv_user_defined_scaling', 'analog_conv_mag_scale', 'analog_conv_offset', 'digital_conv_normal_status_mask', 'digital_conv_valid_inputs_mask', 'pmu_lat', 'pmu_lon', 'pmu_elev', 'window', 'group_delay', 'fnom', 'cfgcnt' ]" - code => "event.set('[zeek_cols]', @zeek_synchrophasor_cfg_detail_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_synchrophasor_cfg_detail" - add_field => { - "[zeek_cols][service]" => "synchrophasor" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "synchrophasor_data") { - ############################################################################################################################# - # synchrophasor_data.log - # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_synchrophasor_data" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} 
%{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][pmu_count_expected]} %{[zeek_cols][pmu_count_actual]} %{[zeek_cols][data_frame_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_synchrophasor_data" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_synchrophasor_data" - init => "@zeek_synchrophasor_data_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'pmu_count_expected', 'pmu_count_actual', 'data_frame_id' ]" - code => "event.set('[zeek_cols]', @zeek_synchrophasor_data_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_synchrophasor_data" - add_field => { - "[zeek_cols][service]" => "synchrophasor" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "synchrophasor_data_detail") { - ############################################################################################################################# - # synchrophasor_data_detail.log - # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_synchrophasor_data_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][data_frame_id]} %{[zeek_cols][pmu_idx]} %{[zeek_cols][trigger_reason]} %{[zeek_cols][unlocked_time]} %{[zeek_cols][pmu_time_quality]} %{[zeek_cols][data_modified]} %{[zeek_cols][config_change]} %{[zeek_cols][pmu_trigger_pickup]} %{[zeek_cols][data_sorting_type]} 
%{[zeek_cols][pmu_sync_error]} %{[zeek_cols][data_error_indicator]} %{[zeek_cols][est_rectangular_real]} %{[zeek_cols][est_rectangular_imaginary]} %{[zeek_cols][est_polar_magnitude]} %{[zeek_cols][est_polar_angle]} %{[zeek_cols][freq_dev_mhz]} %{[zeek_cols][rocof]} %{[zeek_cols][analog_data]} %{[zeek_cols][digital]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_synchrophasor_data_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_synchrophasor_data_detail" - init => "@zeek_synchrophasor_data_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'header_time_stamp', 'data_frame_id', 'pmu_idx', 'trigger_reason', 'unlocked_time', 'pmu_time_quality', 'data_modified', 'config_change', 'pmu_trigger_pickup', 'data_sorting_type', 'pmu_sync_error', 'data_error_indicator', 'est_rectangular_real', 'est_rectangular_imaginary', 'est_polar_magnitude', 'est_polar_angle', 'freq_dev_mhz', 'rocof', 'analog_data', 'digital' ]" - code => "event.set('[zeek_cols]', @zeek_synchrophasor_data_detail_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_synchrophasor_data_detail" - add_field => { - "[zeek_cols][service]" => "synchrophasor" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "synchrophasor_hdr") { - ############################################################################################################################# - # synchrophasor_hdr.log - # main.zeek (https://github.com/cisagov/icsnpp-synchrophasor) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_synchrophasor_hdr" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} 
%{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][frame_type]} %{[zeek_cols][frame_size]} %{[zeek_cols][header_time_stamp]} %{[zeek_cols][data]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_synchrophasor_hdr" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_synchrophasor_hdr" - init => "@zeek_synchrophasor_hdr_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'frame_type', 'frame_size', 'header_time_stamp', 'data' ]" - code => "event.set('[zeek_cols]', @zeek_synchrophasor_hdr_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_synchrophasor_hdr" - add_field => { - "[zeek_cols][service]" => "synchrophasor" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "syslog") { - ############################################################################################################################# - # syslog.log - # https://docs.zeek.org/en/stable/scripts/base/protocols/syslog/main.zeek.html#type-Syslog::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_syslog" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][proto]} %{[zeek_cols][facility]} %{[zeek_cols][severity]} %{[zeek_cols][message]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_syslog" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_syslog" - init => "@zeek_syslog_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'proto', 'facility', 
'severity', 'message' ]" - code => "event.set('[zeek_cols]', @zeek_syslog_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_syslog" - add_field => { "[zeek_cols][service]" => "syslog" } - } - - } else if ([log_source] == "tds") { - ############################################################################################################################# - # tds.log - # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_tds" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][command]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_tds" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_tds" - init => "@zeek_tds_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'command' ]" - code => "event.set('[zeek_cols]', @zeek_tds_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_tds" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "tds" - } - } - - } else if ([log_source] == "tds_rpc") { - ############################################################################################################################# - # tds_rpc.log - # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_tds_rpc_fields" - rename => { "[zeek_cols][parameters]" => "[zeek_cols][parameter]" } - } - - } else { - dissect { - id => "dissect_zeek_tds_rpc" - # zeek's default delimiter is a literal 
tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][procedure_name]} %{[zeek_cols][parameter]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_tds_rpc"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_tds_rpc"
- init => "@zeek_tds_rpc_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'procedure_name', 'parameter' ]"
- code => "event.set('[zeek_cols]', @zeek_tds_rpc_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_tds_rpc"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "tds"
- }
- }
-
- } else if ([log_source] == "tds_sql_batch") {
- #############################################################################################################################
- # tds_sql_batch.log
- # https://github.com/amzn/zeek-plugin-tds/blob/master/scripts/main.zeek
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_tds_sql_batch"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][header_type]} %{[zeek_cols][query]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_tds_sql_batch"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_tds_sql_batch"
- init => "@zeek_tds_sql_batch_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'header_type', 'query' ]"
- code => "event.set('[zeek_cols]', @zeek_tds_sql_batch_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_tds_sql_batch"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "tds"
- }
- }
-
- } else if ([log_source] == "tftp") {
- #############################################################################################################################
- # tftp.log
- # https://github.com/zeek/spicy-tftp
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_tftp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][wrq]} %{[zeek_cols][fname]} %{[zeek_cols][mode]} %{[zeek_cols][uid_data]} %{[zeek_cols][size]} %{[zeek_cols][block_sent]} %{[zeek_cols][block_acked]} %{[zeek_cols][error_code]} %{[zeek_cols][error_msg]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_tftp"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_tftp"
- init => "@zeek_tftp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'wrq', 'fname', 'mode', 'uid_data', 'size', 'block_sent', 'block_acked', 'error_code', 'error_msg' ]"
- code => "event.set('[zeek_cols]', @zeek_tftp_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_tftp"
- add_field => {
- "[zeek_cols][proto]" => "udp"
- "[zeek_cols][service]" => "tftp"
- }
- }
-
- } else if ([log_source] == "tunnel") {
- #############################################################################################################################
- # tunnel.log
- # https://docs.zeek.org/en/stable/scripts/base/frameworks/tunnels/main.zeek.html#type-Tunnel::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_tunnel"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][tunnel_type]} %{[zeek_cols][action]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_tunnel"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_tunnel"
- init => "@zeek_tunnel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'tunnel_type', 'action' ]"
- code => "event.set('[zeek_cols]', @zeek_tunnel_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate { id => "mutate_gsub_zeek_tunnel_action"
- gsub => [ "[zeek_cols][action]", "Tunnel::", "" ] }
-
- mutate { id => "mutate_gsub_zeek_tunnel_type"
- gsub => [ "[zeek_cols][tunnel_type]", "Tunnel::", "" ] }
-
- mutate {
- id => "mutate_add_fields_zeek_tunnel"
- add_field => { "[zeek_cols][service]" => "%{[zeek_cols][tunnel_type]}" }
- }
-
- mutate { id => "mutate_lowercase_zeek_tunnel_service"
- lowercase => [ "[zeek_cols][service]" ] }
-
- } else if ([log_source] == "weird") {
- #############################################################################################################################
- # weird.log
- # https://docs.zeek.org/en/stable/scripts/base/frameworks/notice/weird.zeek.html#type-Weird::Info
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_weird"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][name]} %{[zeek_cols][addl]} %{[zeek_cols][notice]} %{[zeek_cols][peer]} %{[zeek_cols][source]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_weird"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_weird"
- init => "@zeek_weird_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'name', 'addl', 'notice', 'peer', 'source' ]"
- code => "event.set('[zeek_cols]', @zeek_weird_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- } else if ([log_source] == "x509") {
- #############################################################################################################################
- # x509.log
- # https://docs.zeek.org/en/stable/scripts/base/files/x509/main.zeek.html#type-X509::Info
-
- if ("_jsonparsesuccess" in [tags]) {
- mutate {
- id => "mutate_rename_zeek_json_x509_fields"
- rename => { "[zeek_cols][certificate.version]" => "[zeek_cols][certificate_version]" }
- rename => { "[zeek_cols][certificate.serial]" => "[zeek_cols][certificate_serial]" }
- rename => { "[zeek_cols][certificate.subject]" => "[zeek_cols][certificate_subject]" }
- rename => { "[zeek_cols][certificate.issuer]" => "[zeek_cols][certificate_issuer]" }
- rename => { "[zeek_cols][certificate.not_valid_before]" => "[zeek_cols][certificate_not_valid_before]" }
- rename => { "[zeek_cols][certificate.not_valid_after]" => "[zeek_cols][certificate_not_valid_after]" }
- rename => { "[zeek_cols][certificate.key_alg]" => "[zeek_cols][certificate_key_alg]" }
- rename => { "[zeek_cols][certificate.sig_alg]" => "[zeek_cols][certificate_sig_alg]" }
- rename => { "[zeek_cols][certificate.key_type]" => "[zeek_cols][certificate_key_type]" }
- rename => { "[zeek_cols][certificate.key_length]" => "[zeek_cols][certificate_key_length]" }
- rename => { "[zeek_cols][certificate.exponent]" => "[zeek_cols][certificate_exponent]" }
- rename => { "[zeek_cols][certificate.curve]" => "[zeek_cols][certificate_curve]" }
- rename => { "[zeek_cols][san.dns]" => "[zeek_cols][san_dns]" }
- rename => { "[zeek_cols][san.uri]" => "[zeek_cols][san_uri]" }
- rename => { "[zeek_cols][san.email]" => "[zeek_cols][san_email]" }
- rename => { "[zeek_cols][san.ip]" => "[zeek_cols][san_ip]" }
- rename => { "[zeek_cols][basic_constraints.ca]" => "[zeek_cols][basic_constraints_ca]" }
- rename => { "[zeek_cols][basic_constraints.path_len]" => "[zeek_cols][basic_constraints_path_len]" }
- }
-
- } else {
- dissect {
- id => "dissect_zeek_x509_v1"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][fingerprint]} %{[zeek_cols][certificate_version]} %{[zeek_cols][certificate_serial]} %{[zeek_cols][certificate_subject]} %{[zeek_cols][certificate_issuer]} %{[zeek_cols][certificate_not_valid_before]} %{[zeek_cols][certificate_not_valid_after]} %{[zeek_cols][certificate_key_alg]} %{[zeek_cols][certificate_sig_alg]} %{[zeek_cols][certificate_key_type]} %{[zeek_cols][certificate_key_length]} %{[zeek_cols][certificate_exponent]} %{[zeek_cols][certificate_curve]} %{[zeek_cols][san_dns]} %{[zeek_cols][san_uri]} %{[zeek_cols][san_email]} %{[zeek_cols][san_ip]} %{[zeek_cols][basic_constraints_ca]} %{[zeek_cols][basic_constraints_path_len]} %{[zeek_cols][host_cert]} %{[zeek_cols][client_cert]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_x509"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_x509"
- init => "@zeek_x509_field_names = [ 'ts', 'fuid', 'certificate_version', 'certificate_serial', 'certificate_subject', 'certificate_issuer', 'certificate_not_valid_before', 'certificate_not_valid_after', 'certificate_key_alg', 'certificate_sig_alg', 'certificate_key_type', 'certificate_key_length', 'certificate_exponent', 'certificate_curve', 'san_dns', 'san_uri', 'san_email', 'san_ip', 'basic_constraints_ca', 'basic_constraints_path_len', 'host_cert', 'client_cert' ]"
- code => "event.set('[zeek_cols]', @zeek_x509_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- mutate { id => "mutate_split_zeek_x509_san_ip"
- split => { "[zeek_cols][san_ip]" => ","
- "[zeek_cols][fingerprint]" => "," } }
- }
-
- mutate { id => "mutate_add_fields_zeek_x509"
- add_field => { "[zeek_cols][service]" => "X.509" } }
-
- } else if ([log_source] =~ /^opcua_binary/) {
-
- if ([log_source] == "opcua_binary") {
- #############################################################################################################################
- # opcua_binary.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][msg_type]} %{[zeek_cols][is_final]} %{[zeek_cols][msg_size]} %{[zeek_cols][error]} %{[zeek_cols][reason]} %{[zeek_cols][version]} %{[zeek_cols][rcv_buf_size]} %{[zeek_cols][snd_buf_size]} %{[zeek_cols][max_msg_size]} %{[zeek_cols][max_chunk_cnt]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][sec_channel_id]} %{[zeek_cols][sec_policy_uri_len]} %{[zeek_cols][sec_policy_uri]} %{[zeek_cols][snd_cert_len]} %{[zeek_cols][snd_cert]} %{[zeek_cols][rcv_cert_len]} %{[zeek_cols][rcv_cert]} %{[zeek_cols][seq_number]} %{[zeek_cols][request_id]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][namespace_idx]} %{[zeek_cols][identifier]} %{[zeek_cols][identifier_str]} %{[zeek_cols][req_hdr_node_id_type]} %{[zeek_cols][req_hdr_node_id_namespace_idx]} %{[zeek_cols][req_hdr_node_id_numeric]} %{[zeek_cols][req_hdr_node_id_string]} %{[zeek_cols][req_hdr_node_id_guid]} %{[zeek_cols][req_hdr_node_id_opaque]} %{[zeek_cols][req_hdr_timestamp]} %{[zeek_cols][req_hdr_request_handle]} %{[zeek_cols][req_hdr_return_diag]} %{[zeek_cols][req_hdr_audit_entry_id]} %{[zeek_cols][req_hdr_timeout_hint]} %{[zeek_cols][req_hdr_add_hdr_type_id]} %{[zeek_cols][req_hdr_add_hdr_enc_mask]} %{[zeek_cols][res_hdr_timestamp]} %{[zeek_cols][res_hdr_request_handle]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][res_hdr_service_diag_encoding]} %{[zeek_cols][res_hdr_add_hdr_type_id]} %{[zeek_cols][res_hdr_add_hdr_enc_mask]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary"
- init => "@zeek_opcua_binary_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'msg_type', 'is_final', 'msg_size', 'error', 'reason', 'version', 'rcv_buf_size', 'snd_buf_size', 'max_msg_size', 'max_chunk_cnt', 'endpoint_url', 'sec_channel_id', 'sec_policy_uri_len', 'sec_policy_uri', 'snd_cert_len', 'snd_cert', 'rcv_cert_len', 'rcv_cert', 'seq_number', 'request_id', 'encoding_mask', 'namespace_idx', 'identifier', 'identifier_str', 'req_hdr_node_id_type', 'req_hdr_node_id_namespace_idx', 'req_hdr_node_id_numeric', 'req_hdr_node_id_string', 'req_hdr_node_id_guid', 'req_hdr_node_id_opaque', 'req_hdr_timestamp', 'req_hdr_request_handle', 'req_hdr_return_diag', 'req_hdr_audit_entry_id', 'req_hdr_timeout_hint', 'req_hdr_add_hdr_type_id', 'req_hdr_add_hdr_enc_mask', 'res_hdr_timestamp', 'res_hdr_request_handle', 'status_code_link_id', 'res_hdr_service_diag_encoding', 'res_hdr_add_hdr_type_id', 'res_hdr_add_hdr_enc_mask' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_activate_session") {
- #############################################################################################################################
- # opcua_binary_activate_session.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_activate_session"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][client_algorithm]} %{[zeek_cols][client_signature]} %{[zeek_cols][client_software_cert_link_id]} %{[zeek_cols][opcua_locale_link_id]} %{[zeek_cols][ext_obj_type_id_encoding_mask]} %{[zeek_cols][ext_obj_type_id_namespace_idx]} %{[zeek_cols][ext_obj_type_id_numeric]} %{[zeek_cols][ext_obj_type_id_string]} %{[zeek_cols][ext_obj_type_id_guid]} %{[zeek_cols][ext_obj_type_id_opaque]} %{[zeek_cols][ext_obj_type_id_str]} %{[zeek_cols][ext_obj_encoding]} %{[zeek_cols][ext_obj_policy_id]} %{[zeek_cols][ext_obj_user_name]} %{[zeek_cols][ext_obj_password]} %{[zeek_cols][ext_obj_encryption_algorithom]} %{[zeek_cols][ext_obj_certificate_data]} %{[zeek_cols][ext_obj_token_data]} %{[zeek_cols][user_token_algorithm]} %{[zeek_cols][user_token_signature]} %{[zeek_cols][server_nonce]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][activate_session_diag_info_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_activate_session"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_activate_session"
- init => "@zeek_opcua_binary_activate_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'client_algorithm', 'client_signature', 'client_software_cert_link_id', 'opcua_locale_link_id', 'ext_obj_type_id_encoding_mask', 'ext_obj_type_id_namespace_idx', 'ext_obj_type_id_numeric', 'ext_obj_type_id_string', 'ext_obj_type_id_guid', 'ext_obj_type_id_opaque', 'ext_obj_type_id_str', 'ext_obj_encoding', 'ext_obj_policy_id', 'ext_obj_user_name', 'ext_obj_password', 'ext_obj_encryption_algorithom', 'ext_obj_certificate_data', 'ext_obj_token_data', 'user_token_algorithm', 'user_token_signature', 'server_nonce', 'status_code_link_id', 'activate_session_diag_info_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_activate_session"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_activate_session_client_software_cert") {
- #############################################################################################################################
- # opcua_binary_activate_session_client_software_cert.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_activate_session_client_software_cert"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_software_cert_link_id]} %{[zeek_cols][cert_data]} %{[zeek_cols][cert_signature]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_activate_session_client_software_cert"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_activate_session_client_software_cert"
- init => "@zeek_opcua_binary_activate_session_client_software_cert_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'client_software_cert_link_id', 'cert_data', 'cert_signature' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_client_software_cert_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_activate_session_client_software_cert"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_activate_session_locale_id") {
- #############################################################################################################################
- # opcua_binary_activate_session_locale_id.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_activate_session_locale_id"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_locale_link_id]} %{[zeek_cols][local_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_activate_session_locale_id"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_activate_session_locale_id"
- init => "@zeek_opcua_binary_activate_session_locale_id_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_locale_link_id', 'local_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_activate_session_locale_id_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_activate_session_locale_id"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_aggregate_filter") {
- #############################################################################################################################
- # opcua_binary_aggregate_filter.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_aggregate_filter"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][start_time]} %{[zeek_cols][start_time_str]} %{[zeek_cols][aggregate_type_encoding_mask]} %{[zeek_cols][aggregate_type_namespace_idx]} %{[zeek_cols][aggregate_type_numeric]} %{[zeek_cols][aggregate_type_string]} %{[zeek_cols][aggregate_type_guid]} %{[zeek_cols][aggregate_type_opaque]} %{[zeek_cols][processing_interval]} %{[zeek_cols][use_server_capabilities_default]} %{[zeek_cols][treat_uncertain_as_bad]} %{[zeek_cols][percent_data_good]} %{[zeek_cols][percent_data_bad]} %{[zeek_cols][use_slopped_extrapolation]} %{[zeek_cols][revised_start_time]} %{[zeek_cols][revised_start_time_str]} %{[zeek_cols][revised_processing_interval]} %{[zeek_cols][revised_use_server_capabilities_default]} %{[zeek_cols][revised_treat_uncertain_as_bad]} %{[zeek_cols][revised_percent_data_good]} %{[zeek_cols][revised_percent_data_bad]} %{[zeek_cols][revised_use_slopped_extrapolation]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_aggregate_filter"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_aggregate_filter"
- init => "@zeek_opcua_binary_aggregate_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'start_time', 'start_time_str', 'aggregate_type_encoding_mask', 'aggregate_type_namespace_idx', 'aggregate_type_numeric', 'aggregate_type_string', 'aggregate_type_guid', 'aggregate_type_opaque', 'processing_interval', 'use_server_capabilities_default', 'treat_uncertain_as_bad', 'percent_data_good', 'percent_data_bad', 'use_slopped_extrapolation', 'revised_start_time', 'revised_start_time_str', 'revised_processing_interval', 'revised_use_server_capabilities_default', 'revised_treat_uncertain_as_bad', 'revised_percent_data_good', 'revised_percent_data_bad', 'revised_use_slopped_extrapolation' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_aggregate_filter_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_aggregate_filter"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_event_filter_attribute_operand") {
- #############################################################################################################################
- # opcua_binary_event_filter_attribute_operand.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_event_filter_attribute_operand"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][node_id_encoding_mask]} %{[zeek_cols][node_id_namespace_idx]} %{[zeek_cols][node_id_numeric]} %{[zeek_cols][node_id_string]} %{[zeek_cols][node_id_guid]} %{[zeek_cols][node_id_opaque]} %{[zeek_cols][alias]} %{[zeek_cols][browse_path_element_link_id]} %{[zeek_cols][attribute]} %{[zeek_cols][index_range]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_event_filter_attribute_operand"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_event_filter_attribute_operand"
- init => "@zeek_opcua_binary_event_filter_attribute_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'node_id_encoding_mask', 'node_id_namespace_idx', 'node_id_numeric', 'node_id_string', 'node_id_guid', 'node_id_opaque', 'alias', 'browse_path_element_link_id', 'attribute', 'index_range' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_attribute_operand_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_event_filter_attribute_operand"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_event_filter_attribute_operand_browse_paths") {
- #############################################################################################################################
- # opcua_binary_event_filter_attribute_operand_browse_paths.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_event_filter_attribute_operand_browse_paths"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_path_element_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][is_inverse]} %{[zeek_cols][include_subtypes]} %{[zeek_cols][target_name_namespace_idx]} %{[zeek_cols][target_name]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_event_filter_attribute_operand_browse_paths"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_event_filter_attribute_operand_browse_paths"
- init => "@zeek_opcua_binary_event_filter_attribute_operand_browse_paths_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_path_element_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'is_inverse', 'include_subtypes', 'target_name_namespace_idx', 'target_name' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_attribute_operand_browse_paths_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_event_filter_attribute_operand_browse_paths"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_browse") {
- #############################################################################################################################
- # opcua_binary_browse.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_browse"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][browse_service_type]} %{[zeek_cols][browse_view_id_encoding_mask]} %{[zeek_cols][browse_view_id_namespace_idx]} %{[zeek_cols][browse_view_id_numeric]} %{[zeek_cols][browse_view_id_string]} %{[zeek_cols][browse_view_id_guid]} %{[zeek_cols][browse_view_id_opaque]} %{[zeek_cols][browse_view_description_timestamp]} %{[zeek_cols][browse_view_description_view_version]} %{[zeek_cols][req_max_ref_nodes]} %{[zeek_cols][browse_description_link_id]} %{[zeek_cols][browse_next_release_continuation_point]} %{[zeek_cols][browse_next_link_id]} %{[zeek_cols][browse_response_link_id]} %{[zeek_cols][browse_diag_info_link_id]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_browse"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_browse"
- init => "@zeek_opcua_binary_browse_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'browse_service_type', 'browse_view_id_encoding_mask', 'browse_view_id_namespace_idx', 'browse_view_id_numeric', 'browse_view_id_string', 'browse_view_id_guid', 'browse_view_id_opaque', 'browse_view_description_timestamp', 'browse_view_description_view_version', 'req_max_ref_nodes', 'browse_description_link_id', 'browse_next_release_continuation_point', 'browse_next_link_id', 'browse_response_link_id', 'browse_diag_info_link_id' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_browse"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_browse_description") {
- #############################################################################################################################
- # opcua_binary_browse_description.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_browse_description"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_description_link_id]} %{[zeek_cols][browse_description_encoding_mask]} %{[zeek_cols][browse_description_namespace_idx]} %{[zeek_cols][browse_description_numeric]} %{[zeek_cols][browse_description_string]} %{[zeek_cols][browse_description_guid]} %{[zeek_cols][browse_description_opaque]} %{[zeek_cols][browse_direction]} %{[zeek_cols][browse_description_ref_encoding_mask]} %{[zeek_cols][browse_description_ref_namespace_idx]} %{[zeek_cols][browse_description_ref_numeric]} %{[zeek_cols][browse_description_ref_string]} %{[zeek_cols][browse_description_ref_guid]} %{[zeek_cols][browse_description_ref_opaque]} %{[zeek_cols][browse_description_include_subtypes]} %{[zeek_cols][browse_node_class_mask]} %{[zeek_cols][browse_result_mask]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_browse_description"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_browse_description"
- init => "@zeek_opcua_binary_browse_description_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_description_link_id', 'browse_description_encoding_mask', 'browse_description_namespace_idx', 'browse_description_numeric', 'browse_description_string', 'browse_description_guid', 'browse_description_opaque', 'browse_direction', 'browse_description_ref_encoding_mask', 'browse_description_ref_namespace_idx', 'browse_description_ref_numeric', 'browse_description_ref_string', 'browse_description_ref_guid', 'browse_description_ref_opaque', 'browse_description_include_subtypes', 'browse_node_class_mask', 'browse_result_mask' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_description_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_browse_description"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_browse_response_references") {
- #############################################################################################################################
- # opcua_binary_browse_response_references.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_browse_response_references"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_reference_link_id]} %{[zeek_cols][browse_response_ref_encoding_mask]} %{[zeek_cols][browse_response_ref_namespace_idx]} %{[zeek_cols][browse_response_ref_numeric]} %{[zeek_cols][browse_response_ref_string]} %{[zeek_cols][browse_response_ref_guid]} %{[zeek_cols][browse_response_ref_opaque]} %{[zeek_cols][browse_response_is_forward]} %{[zeek_cols][browse_response_ref_type_encoding_mask]} %{[zeek_cols][browse_response_ref_type_namespace_idx]} %{[zeek_cols][browse_response_ref_type_numeric]} %{[zeek_cols][browse_response_ref_type_string]} %{[zeek_cols][browse_response_ref_type_guid]} %{[zeek_cols][browse_response_ref_type_opaque]} %{[zeek_cols][browse_response_ref_type_namespace_uri]} %{[zeek_cols][browse_response_ref_type_server_idx]} %{[zeek_cols][browse_response_ref_name_idx]} %{[zeek_cols][browse_response_ref_name]} %{[zeek_cols][browse_response_display_name_mask]} %{[zeek_cols][browse_response_display_name_locale]} %{[zeek_cols][browse_response_display_name_text]} %{[zeek_cols][browse_response_node_class]} %{[zeek_cols][browse_response_type_def_encoding_mask]} %{[zeek_cols][browse_response_type_def_namespace_idx]} %{[zeek_cols][browse_response_type_def_numeric]} %{[zeek_cols][browse_response_type_def_string]} %{[zeek_cols][browse_response_type_def_guid]} %{[zeek_cols][browse_response_type_def_opaque]} %{[zeek_cols][browse_response_type_def_namespace_uri]} %{[zeek_cols][browse_response_type_def_server_idx]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_browse_response_references"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_browse_response_references"
- init => "@zeek_opcua_binary_browse_response_references_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_reference_link_id', 'browse_response_ref_encoding_mask', 'browse_response_ref_namespace_idx', 'browse_response_ref_numeric', 'browse_response_ref_string', 'browse_response_ref_guid', 'browse_response_ref_opaque', 'browse_response_is_forward', 'browse_response_ref_type_encoding_mask', 'browse_response_ref_type_namespace_idx', 'browse_response_ref_type_numeric', 'browse_response_ref_type_string', 'browse_response_ref_type_guid', 'browse_response_ref_type_opaque', 'browse_response_ref_type_namespace_uri', 'browse_response_ref_type_server_idx', 'browse_response_ref_name_idx', 'browse_response_ref_name', 'browse_response_display_name_mask', 'browse_response_display_name_locale', 'browse_response_display_name_text', 'browse_response_node_class', 'browse_response_type_def_encoding_mask', 'browse_response_type_def_namespace_idx', 'browse_response_type_def_numeric', 'browse_response_type_def_string', 'browse_response_type_def_guid', 'browse_response_type_def_opaque', 'browse_response_type_def_namespace_uri', 'browse_response_type_def_server_idx' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_response_references_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_browse_response_references"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_browse_request_continuation_point") {
- #############################################################################################################################
- # opcua_binary_browse_request_continuation_point.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_browse_request_continuation_point"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_next_link_id]} %{[zeek_cols][continuation_point]}"
- }
- }
- if ("_dissectfailure" in [tags]) {
- mutate {
- id => "mutate_split_zeek_opcua_binary_browse_request_continuation_point"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- split => { "[message]" => " " }
- }
- ruby {
- id => "ruby_zip_zeek_opcua_binary_browse_request_continuation_point"
- init => "@zeek_opcua_binary_browse_request_continuation_point_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_next_link_id', 'continuation_point' ]"
- code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_request_continuation_point_field_names.zip(event.get('[message]')).to_h)"
- }
- }
- }
-
- mutate {
- id => "mutate_add_fields_zeek_opcua_binary_browse_request_continuation_point"
- add_field => {
- "[zeek_cols][proto]" => "tcp"
- "[zeek_cols][service]" => "opcua-binary"
- }
- add_tag => [ "ics" ]
- }
-
- } else if ([log_source] == "opcua_binary_browse_result") {
- #############################################################################################################################
- # opcua_binary_browse_result.log
- # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
-
- if ("_jsonparsesuccess" not in [tags]) {
- dissect {
- id => "dissect_zeek_opcua_binary_browse_result"
- # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
- mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_response_link_id]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][browse_result_continuation_point]} %{[zeek_cols][browse_reference_link_id]}"
- } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_browse_result" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_browse_result" - init => "@zeek_opcua_binary_browse_result_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'browse_response_link_id', 'status_code_link_id', 'browse_result_continuation_point', 'browse_reference_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_browse_result_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_browse_result" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_close_session") { - ############################################################################################################################# - # opcua_binary_close_session.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_close_session" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][del_subscriptions]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_close_session" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => 
" " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_close_session" - init => "@zeek_opcua_binary_close_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'del_subscriptions' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_close_session_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_close_session" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_where_clause") { - ############################################################################################################################# - # opcua_binary_event_filter_where_clause.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_where_clause" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][where_clause_link_id]} %{[zeek_cols][content_filter_element_link_id]} %{[zeek_cols][content_filter_status_code_link_id]} %{[zeek_cols][content_filter_diag_info_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_where_clause" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_where_clause" - init => 
"@zeek_opcua_binary_event_filter_where_clause_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'where_clause_link_id', 'content_filter_element_link_id', 'content_filter_status_code_link_id', 'content_filter_diag_info_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_where_clause_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_where_clause" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_where_clause_elements") { - ############################################################################################################################# - # opcua_binary_event_filter_where_clause_elements.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_where_clause_elements" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_element_link_id]} %{[zeek_cols][filter_operator]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_encoding_mask]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_namespace_idx]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_numeric]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_string]} %{[zeek_cols][content_filter_filter_operand_type_id_node_id_guid]} 
%{[zeek_cols][content_filter_filter_operand_type_id_node_id_opaque]} %{[zeek_cols][content_filter_filter_operand_type_id_string]} %{[zeek_cols][content_filter_filter_operand_type_id_encoding]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][content_filter_operand_status_code_link_id]} %{[zeek_cols][content_filter_operand_diag_info_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_where_clause_elements" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_where_clause_elements" - init => "@zeek_opcua_binary_event_filter_where_clause_elements_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_element_link_id', 'filter_operator', 'content_filter_filter_operand_type_id_node_id_encoding_mask', 'content_filter_filter_operand_type_id_node_id_namespace_idx', 'content_filter_filter_operand_type_id_node_id_numeric', 'content_filter_filter_operand_type_id_node_id_string', 'content_filter_filter_operand_type_id_node_id_guid', 'content_filter_filter_operand_type_id_node_id_opaque', 'content_filter_filter_operand_type_id_string', 'content_filter_filter_operand_type_id_encoding', 'content_filter_filter_operand_link_id', 'content_filter_operand_status_code_link_id', 'content_filter_operand_diag_info_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_where_clause_elements_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_where_clause_elements" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_create_monitored_items") { - 
############################################################################################################################# - # opcua_binary_create_monitored_items.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_create_monitored_items" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][subscription_id]} %{[zeek_cols][timestamps_to_return]} %{[zeek_cols][timestamps_to_return_str]} %{[zeek_cols][create_item_link_id]} %{[zeek_cols][create_monitored_items_diag_info_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_create_monitored_items" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_create_monitored_items" - init => "@zeek_opcua_binary_create_monitored_items_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'subscription_id', 'timestamps_to_return', 'timestamps_to_return_str', 'create_item_link_id', 'create_monitored_items_diag_info_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_monitored_items_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_create_monitored_items" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if 
([log_source] == "opcua_binary_create_monitored_items_create_item") { - ############################################################################################################################# - # opcua_binary_create_monitored_items_create_item.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_create_monitored_items_create_item" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][create_item_link_id]} %{[zeek_cols][item_to_monitor_node_id_encoding_mask]} %{[zeek_cols][item_to_monitor_node_id_namespace_idx]} %{[zeek_cols][item_to_monitor_node_id_numeric]} %{[zeek_cols][item_to_monitor_node_id_string]} %{[zeek_cols][item_to_monitor_node_id_guid]} %{[zeek_cols][item_to_monitor_node_id_opaque]} %{[zeek_cols][item_to_monitor_attribute_id]} %{[zeek_cols][item_to_monitor_index_range]} %{[zeek_cols][item_to_monitor_namespace_idx]} %{[zeek_cols][item_to_monitor_name]} %{[zeek_cols][monitoring_mode]} %{[zeek_cols][monitoring_parameters_client_handle]} %{[zeek_cols][monitoring_parameters_sampling_interval]} %{[zeek_cols][monitoring_parameters_queue_size]} %{[zeek_cols][monitoring_parameters_discard_oldest]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_encoding_mask]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_namespace_idx]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_numeric]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_string]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_guid]} 
%{[zeek_cols][monitoring_parameters_filter_info_type_id_node_id_opaque]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_string]} %{[zeek_cols][monitoring_parameters_filter_info_type_id_encoding]} %{[zeek_cols][filter_info_details_link_id]} %{[zeek_cols][monitoring_parameters_status_code_link_id]} %{[zeek_cols][monitored_item_index_id]} %{[zeek_cols][monitoring_parameters_revised_sampling_interval]} %{[zeek_cols][monitoring_parameters_revised_queue_size]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_create_monitored_items_create_item" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_create_monitored_items_create_item" - init => "@zeek_opcua_binary_create_monitored_items_create_item_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'create_item_link_id', 'item_to_monitor_node_id_encoding_mask', 'item_to_monitor_node_id_namespace_idx', 'item_to_monitor_node_id_numeric', 'item_to_monitor_node_id_string', 'item_to_monitor_node_id_guid', 'item_to_monitor_node_id_opaque', 'item_to_monitor_attribute_id', 'item_to_monitor_index_range', 'item_to_monitor_namespace_idx', 'item_to_monitor_name', 'monitoring_mode', 'monitoring_parameters_client_handle', 'monitoring_parameters_sampling_interval', 'monitoring_parameters_queue_size', 'monitoring_parameters_discard_oldest', 'monitoring_parameters_filter_info_type_id_node_id_encoding_mask', 'monitoring_parameters_filter_info_type_id_node_id_namespace_idx', 'monitoring_parameters_filter_info_type_id_node_id_numeric', 'monitoring_parameters_filter_info_type_id_node_id_string', 'monitoring_parameters_filter_info_type_id_node_id_guid', 'monitoring_parameters_filter_info_type_id_node_id_opaque', 'monitoring_parameters_filter_info_type_id_string', 
'monitoring_parameters_filter_info_type_id_encoding', 'filter_info_details_link_id', 'monitoring_parameters_status_code_link_id', 'monitored_item_index_id', 'monitoring_parameters_revised_sampling_interval', 'monitoring_parameters_revised_queue_size' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_monitored_items_create_item_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_create_monitored_items_create_item" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_create_session") { - ############################################################################################################################# - # opcua_binary_create_session.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_create_session" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][server_uri]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][session_name]} %{[zeek_cols][client_nonce]} %{[zeek_cols][client_cert_size]} %{[zeek_cols][client_cert]} %{[zeek_cols][req_session_timeout]} %{[zeek_cols][max_res_msg_size]} 
%{[zeek_cols][session_id_encoding_mask]} %{[zeek_cols][session_id_namespace_idx]} %{[zeek_cols][session_id_numeric]} %{[zeek_cols][session_id_string]} %{[zeek_cols][session_id_guid]} %{[zeek_cols][session_id_opaque]} %{[zeek_cols][auth_token_encoding_mask]} %{[zeek_cols][auth_token_namespace_idx]} %{[zeek_cols][auth_token_numeric]} %{[zeek_cols][auth_token_string]} %{[zeek_cols][auth_token_guid]} %{[zeek_cols][auth_token_opaque]} %{[zeek_cols][revised_session_timeout]} %{[zeek_cols][server_nonce]} %{[zeek_cols][server_cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][endpoint_link_id]} %{[zeek_cols][algorithm]} %{[zeek_cols][signature]} %{[zeek_cols][max_req_msg_size]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_create_session" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_create_session" - init => "@zeek_opcua_binary_create_session_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'server_uri', 'endpoint_url', 'session_name', 'client_nonce', 'client_cert_size', 'client_cert', 'req_session_timeout', 'max_res_msg_size', 'session_id_encoding_mask', 'session_id_namespace_idx', 'session_id_numeric', 'session_id_string', 'session_id_guid', 'session_id_opaque', 'auth_token_encoding_mask', 'auth_token_namespace_idx', 'auth_token_numeric', 'auth_token_string', 'auth_token_guid', 'auth_token_opaque', 'revised_session_timeout', 'server_nonce', 'server_cert_size', 'server_cert', 'endpoint_link_id', 'algorithm', 'signature', 'max_req_msg_size' ]" - code => "event.set('[zeek_cols]', 
@zeek_opcua_binary_create_session_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_create_session" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_create_session_discovery") { - ############################################################################################################################# - # opcua_binary_create_session_discovery.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_create_session_discovery" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_url]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_create_session_discovery" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_create_session_discovery" - init => "@zeek_opcua_binary_create_session_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'discovery_profile_link_id', 'discovery_profile_uri', 'discovery_profile_url' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_discovery_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => 
"mutate_add_fields_zeek_opcua_binary_create_session_discovery" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_create_session_endpoints") { - ############################################################################################################################# - # opcua_binary_create_session_endpoints.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_create_session_endpoints" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][endpoint_link_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_create_session_endpoints" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_create_session_endpoints" - init => "@zeek_opcua_binary_create_session_endpoints_field_names = [ 'ts', 'uid', 
'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'endpoint_link_id', 'endpoint_url', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_link_id', 'transport_profile_uri', 'security_level' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_endpoints_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_create_session_endpoints" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_create_session_user_token") { - ############################################################################################################################# - # opcua_binary_create_session_user_token.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_create_session_user_token" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_create_session_user_token" - # zeek's default delimiter 
is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_create_session_user_token" - init => "@zeek_opcua_binary_create_session_user_token_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'user_token_link_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_session_user_token_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_create_session_user_token" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_create_subscription") { - ############################################################################################################################# - # opcua_binary_create_subscription.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_create_subscription" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][requested_publishing_interval]} %{[zeek_cols][requested_lifetime_count]} %{[zeek_cols][requested_max_keep_alive_count]} %{[zeek_cols][max_notifications_per_publish]} %{[zeek_cols][publishing_enabled]} %{[zeek_cols][priority]} %{[zeek_cols][subscription_id]} 
%{[zeek_cols][revised_publishing_interval]} %{[zeek_cols][revised_lifetime_count]} %{[zeek_cols][revised_max_keep_alive_count]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_create_subscription" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_create_subscription" - init => "@zeek_opcua_binary_create_subscription_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'requested_publishing_interval', 'requested_lifetime_count', 'requested_max_keep_alive_count', 'max_notifications_per_publish', 'publishing_enabled', 'priority', 'subscription_id', 'revised_publishing_interval', 'revised_lifetime_count', 'revised_max_keep_alive_count' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_create_subscription_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_create_subscription" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_data_change_filter") { - ############################################################################################################################# - # opcua_binary_data_change_filter.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_data_change_filter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} 
%{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][trigger]} %{[zeek_cols][deadband_type]} %{[zeek_cols][deadband_value]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_data_change_filter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_data_change_filter" - init => "@zeek_opcua_binary_data_change_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'trigger', 'deadband_type', 'deadband_value' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_data_change_filter_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_data_change_filter" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_diag_info_detail") { - ############################################################################################################################# - # opcua_binary_diag_info_detail.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_diag_info_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][diag_info_link_id]} %{[zeek_cols][root_object_id]} %{[zeek_cols][source]} 
%{[zeek_cols][source_str]} %{[zeek_cols][inner_diag_level]} %{[zeek_cols][has_symbolic_id]} %{[zeek_cols][symbolic_id]} %{[zeek_cols][symbolic_id_str]} %{[zeek_cols][has_namespace_uri]} %{[zeek_cols][namespace_uri]} %{[zeek_cols][namespace_uri_str]} %{[zeek_cols][has_locale]} %{[zeek_cols][locale]} %{[zeek_cols][locale_str]} %{[zeek_cols][has_locale_txt]} %{[zeek_cols][locale_txt]} %{[zeek_cols][locale_txt_str]} %{[zeek_cols][has_addl_info]} %{[zeek_cols][addl_info]} %{[zeek_cols][has_inner_stat_code]} %{[zeek_cols][inner_stat_code]} %{[zeek_cols][has_inner_diag_info]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_diag_info_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_diag_info_detail" - init => "@zeek_opcua_binary_diag_info_detail_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'diag_info_link_id', 'root_object_id', 'source', 'source_str', 'inner_diag_level', 'has_symbolic_id', 'symbolic_id', 'symbolic_id_str', 'has_namespace_uri', 'namespace_uri', 'namespace_uri_str', 'has_locale', 'locale', 'locale_str', 'has_locale_txt', 'locale_txt', 'locale_txt_str', 'has_addl_info', 'addl_info', 'has_inner_stat_code', 'inner_stat_code', 'has_inner_diag_info' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_diag_info_detail_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_diag_info_detail" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_element_operand") { - ############################################################################################################################# - # 
opcua_binary_event_filter_element_operand.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_element_operand" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][element_index]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_element_operand" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_element_operand" - init => "@zeek_opcua_binary_event_filter_element_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'element_index' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_element_operand_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_element_operand" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter") { - ############################################################################################################################# - # opcua_binary_event_filter.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - 
id => "dissect_zeek_opcua_binary_event_filter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][monitored_parameters_link_id]} %{[zeek_cols][select_clause_link_id]} %{[zeek_cols][where_clause_content_filter_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter" - init => "@zeek_opcua_binary_event_filter_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'monitored_parameters_link_id', 'select_clause_link_id', 'where_clause_content_filter_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_get_endpoints") { - ############################################################################################################################# - # opcua_binary_get_endpoints.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_get_endpoints" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => 
"%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][profile_uri_link_id]} %{[zeek_cols][endpoint_description_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_get_endpoints" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_get_endpoints" - init => "@zeek_opcua_binary_get_endpoints_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'endpoint_url', 'locale_link_id', 'profile_uri_link_id', 'endpoint_description_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_get_endpoints" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_get_endpoints_description") { - ############################################################################################################################# - # opcua_binary_get_endpoints_description.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_get_endpoints_description" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} 
%{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][endpoint_description_link_id]} %{[zeek_cols][endpoint_uri]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_get_endpoints_description" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_get_endpoints_description" - init => "@zeek_opcua_binary_get_endpoints_description_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'endpoint_description_link_id', 'endpoint_uri', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_link_id', 'transport_profile_uri', 'security_level' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_description_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_description" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - 
} - - } else if ([log_source] == "opcua_binary_get_endpoints_discovery") { - ############################################################################################################################# - # opcua_binary_get_endpoints_discovery.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_get_endpoints_discovery" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][discovery_profile_url]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_get_endpoints_discovery" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_get_endpoints_discovery" - init => "@zeek_opcua_binary_get_endpoints_discovery_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'discovery_profile_link_id', 'discovery_profile_url' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_discovery_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_discovery" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_get_endpoints_locale_id") { - 
############################################################################################################################# - # opcua_binary_get_endpoints_locale_id.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_get_endpoints_locale_id" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][locale_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_get_endpoints_locale_id" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_get_endpoints_locale_id" - init => "@zeek_opcua_binary_get_endpoints_locale_id_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'locale_link_id', 'locale_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_locale_id_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_locale_id" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_get_endpoints_profile_uri") { - ############################################################################################################################# - # opcua_binary_get_endpoints_profile_uri.log - # variant-types.zeek 
(https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_get_endpoints_profile_uri" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][profile_uri_link_id]} %{[zeek_cols][profile_uri]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_get_endpoints_profile_uri" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_get_endpoints_profile_uri" - init => "@zeek_opcua_binary_get_endpoints_profile_uri_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'profile_uri_link_id', 'profile_uri' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_profile_uri_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_profile_uri" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_get_endpoints_user_token") { - ############################################################################################################################# - # opcua_binary_get_endpoints_user_token.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_get_endpoints_user_token" - # zeek's default delimiter is a literal 
tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_get_endpoints_user_token" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_get_endpoints_user_token" - init => "@zeek_opcua_binary_get_endpoints_user_token_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'user_token_link_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_get_endpoints_user_token_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_get_endpoints_user_token" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_literal_operand") { - ############################################################################################################################# - # opcua_binary_event_filter_literal_operand.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => 
"dissect_zeek_opcua_binary_event_filter_literal_operand" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][literal_operand_variant_link]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_literal_operand" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_literal_operand" - init => "@zeek_opcua_binary_event_filter_literal_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'literal_operand_variant_link' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_literal_operand_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_literal_operand" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_opensecure_channel") { - ############################################################################################################################# - # opcua_binary_opensecure_channel.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_opensecure_channel" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT 
UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][client_proto_ver]} %{[zeek_cols][sec_token_request_type]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][client_nonce]} %{[zeek_cols][req_lifetime]} %{[zeek_cols][server_proto_ver]} %{[zeek_cols][sec_token_sec_channel_id]} %{[zeek_cols][sec_token_id]} %{[zeek_cols][sec_token_created_at]} %{[zeek_cols][sec_token_revised_time]} %{[zeek_cols][server_nonce]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_opensecure_channel" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_opensecure_channel" - init => "@zeek_opcua_binary_opensecure_channel_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'client_proto_ver', 'sec_token_request_type', 'message_security_mode', 'client_nonce', 'req_lifetime', 'server_proto_ver', 'sec_token_sec_channel_id', 'sec_token_id', 'sec_token_created_at', 'sec_token_revised_time', 'server_nonce' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_opensecure_channel_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_opensecure_channel" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_read") { - ############################################################################################################################# - # opcua_binary_read.log - # 
variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_read" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][max_age]} %{[zeek_cols][timestamps_to_return]} %{[zeek_cols][timestamps_to_return_str]} %{[zeek_cols][nodes_to_read_link_id]} %{[zeek_cols][read_results_link_id]} %{[zeek_cols][diag_info_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_read" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_read" - init => "@zeek_opcua_binary_read_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'max_age', 'timestamps_to_return', 'timestamps_to_return_str', 'nodes_to_read_link_id', 'read_results_link_id', 'diag_info_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_read" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_read_nodes_to_read") { - ############################################################################################################################# - # opcua_binary_read_nodes_to_read.log - # variant-types.zeek 
(https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_read_nodes_to_read" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][nodes_to_read_link_id]} %{[zeek_cols][node_id_encoding_mask]} %{[zeek_cols][node_id_namespace_idx]} %{[zeek_cols][node_id_numeric]} %{[zeek_cols][node_id_string]} %{[zeek_cols][node_id_guid]} %{[zeek_cols][node_id_opaque]} %{[zeek_cols][attribute_id]} %{[zeek_cols][attribute_id_str]} %{[zeek_cols][index_range]} %{[zeek_cols][data_encoding_name_idx]} %{[zeek_cols][data_encoding_name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_read_nodes_to_read" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_read_nodes_to_read" - init => "@zeek_opcua_binary_read_nodes_to_read_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'nodes_to_read_link_id', 'node_id_encoding_mask', 'node_id_namespace_idx', 'node_id_numeric', 'node_id_string', 'node_id_guid', 'node_id_opaque', 'attribute_id', 'attribute_id_str', 'index_range', 'data_encoding_name_idx', 'data_encoding_name' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_nodes_to_read_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_read_nodes_to_read" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - 
add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_read_results") { - ############################################################################################################################# - # opcua_binary_read_results.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_read_results" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][results_link_id]} %{[zeek_cols][level]} %{[zeek_cols][data_value_encoding_mask]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source_timestamp]} %{[zeek_cols][source_pico_sec]} %{[zeek_cols][server_timestamp]} %{[zeek_cols][server_pico_sec]} %{[zeek_cols][read_results_variant_metadata_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_read_results" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_read_results" - init => "@zeek_opcua_binary_read_results_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'results_link_id', 'level', 'data_value_encoding_mask', 'status_code_link_id', 'source_timestamp', 'source_pico_sec', 'server_timestamp', 'server_pico_sec', 'read_results_variant_metadata_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_read_results_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_read_results" 
- add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_select_clause") { - ############################################################################################################################# - # opcua_binary_event_filter_select_clause.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_select_clause" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][select_clause_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][attribute_id]} %{[zeek_cols][index_range]} %{[zeek_cols][select_clause_status_code_link_id]} %{[zeek_cols][select_clause_diagnostic_info_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_select_clause" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_select_clause" - init => "@zeek_opcua_binary_event_filter_select_clause_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'select_clause_link_id', 'type_id_encoding_mask', 
'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'simple_attribute_operand_browse_path_link_id', 'attribute_id', 'index_range', 'select_clause_status_code_link_id', 'select_clause_diagnostic_info_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_select_clause_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_select_clause" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_simple_attribute_operand") { - ############################################################################################################################# - # opcua_binary_event_filter_simple_attribute_operand.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_simple_attribute_operand" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][content_filter_filter_operand_link_id]} %{[zeek_cols][type_id_encoding_mask]} %{[zeek_cols][type_id_namespace_idx]} %{[zeek_cols][type_id_numeric]} %{[zeek_cols][type_id_string]} %{[zeek_cols][type_id_guid]} %{[zeek_cols][type_id_opaque]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} %{[zeek_cols][attribute_id]} %{[zeek_cols][index_range]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_simple_attribute_operand" - # zeek's default 
delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_simple_attribute_operand" - init => "@zeek_opcua_binary_event_filter_simple_attribute_operand_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'content_filter_filter_operand_link_id', 'type_id_encoding_mask', 'type_id_namespace_idx', 'type_id_numeric', 'type_id_string', 'type_id_guid', 'type_id_opaque', 'simple_attribute_operand_browse_path_link_id', 'attribute_id', 'index_range' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_simple_attribute_operand_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_simple_attribute_operand" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_event_filter_simple_attribute_operand_browse_paths") { - ############################################################################################################################# - # opcua_binary_event_filter_simple_attribute_operand_browse_paths.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][simple_attribute_operand_browse_path_link_id]} 
%{[zeek_cols][browse_path_src]} %{[zeek_cols][namespace_index]} %{[zeek_cols][name]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" - init => "@zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'simple_attribute_operand_browse_path_link_id', 'browse_path_src', 'namespace_index', 'name' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_event_filter_simple_attribute_operand_browse_paths" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_status_code_detail") { - ############################################################################################################################# - # opcua_binary_status_code_detail.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_status_code_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} 
%{[zeek_cols][status_code_link_id]} %{[zeek_cols][source]} %{[zeek_cols][source_str]} %{[zeek_cols][source_level]} %{[zeek_cols][status_code]} %{[zeek_cols][severity]} %{[zeek_cols][severity_str]} %{[zeek_cols][sub_code]} %{[zeek_cols][sub_code_str]} %{[zeek_cols][structure_changed]} %{[zeek_cols][semantics_changed]} %{[zeek_cols][info_type]} %{[zeek_cols][info_type_str]} %{[zeek_cols][limit_bits]} %{[zeek_cols][limit_bits_str]} %{[zeek_cols][overflow]} %{[zeek_cols][historian_bits]} %{[zeek_cols][historian_bits_str]} %{[zeek_cols][historianpartial]} %{[zeek_cols][historianextradata]} %{[zeek_cols][historianmultivalue]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_status_code_detail" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_status_code_detail" - init => "@zeek_opcua_binary_status_code_detail_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'status_code_link_id', 'source', 'source_str', 'source_level', 'status_code', 'severity', 'severity_str', 'sub_code', 'sub_code_str', 'structure_changed', 'semantics_changed', 'info_type', 'info_type_str', 'limit_bits', 'limit_bits_str', 'overflow', 'historian_bits', 'historian_bits_str', 'historianpartial', 'historianextradata', 'historianmultivalue' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_status_code_detail_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_status_code_detail" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_variant_array_dims") { - 
############################################################################################################################# - # opcua_binary_variant_array_dims.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_variant_array_dims" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][array_dim_link_id]} %{[zeek_cols][dimension]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_variant_array_dims" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_variant_array_dims" - init => "@zeek_opcua_binary_variant_array_dims_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'array_dim_link_id', 'dimension' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_array_dims_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_variant_array_dims" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_variant_data") { - ############################################################################################################################# - # opcua_binary_variant_data.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - 
dissect { - id => "dissect_zeek_opcua_binary_variant_data" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_data_link_id]} %{[zeek_cols][variant_data_value_signed_numeric]} %{[zeek_cols][variant_data_value_unsigned_numeric]} %{[zeek_cols][variant_data_value_string]} %{[zeek_cols][variant_data_node_id_encoding_mask]} %{[zeek_cols][variant_data_node_id_namespace_idx]} %{[zeek_cols][variant_data_node_id_numeric]} %{[zeek_cols][variant_data_node_id_string]} %{[zeek_cols][variant_data_node_id_guid]} %{[zeek_cols][variant_data_node_id_opaque]} %{[zeek_cols][variant_data_node_id_namespace_uri]} %{[zeek_cols][variant_data_node_id_server_idx]} %{[zeek_cols][variant_data_value_time]} %{[zeek_cols][variant_data_encoding_name_idx]} %{[zeek_cols][variant_data_encoding_name]} %{[zeek_cols][variant_data_mask]} %{[zeek_cols][variant_data_locale]} %{[zeek_cols][variant_data_text]} %{[zeek_cols][variant_data_value_decimal]} %{[zeek_cols][variant_data_status_code_link_id]} %{[zeek_cols][variant_data_diag_info_link_id]} %{[zeek_cols][variant_data_ext_obj_link_id]} %{[zeek_cols][variant_metadata_data_link_id]} %{[zeek_cols][variant_data_value_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_variant_data" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_variant_data" - init => "@zeek_opcua_binary_variant_data_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 
'variant_data_link_id', 'variant_data_value_signed_numeric', 'variant_data_value_unsigned_numeric', 'variant_data_value_string', 'variant_data_node_id_encoding_mask', 'variant_data_node_id_namespace_idx', 'variant_data_node_id_numeric', 'variant_data_node_id_string', 'variant_data_node_id_guid', 'variant_data_node_id_opaque', 'variant_data_node_id_namespace_uri', 'variant_data_node_id_server_idx', 'variant_data_value_time', 'variant_data_encoding_name_idx', 'variant_data_encoding_name', 'variant_data_mask', 'variant_data_locale', 'variant_data_text', 'variant_data_value_decimal', 'variant_data_status_code_link_id', 'variant_data_diag_info_link_id', 'variant_data_ext_obj_link_id', 'variant_metadata_data_link_id', 'variant_data_value_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_data_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_variant_data" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_variant_data_value") { - ############################################################################################################################# - # opcua_binary_variant_data_value.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_variant_data_value" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_data_value_source_link]} %{[zeek_cols][data_value_encoding_mask]} 
%{[zeek_cols][status_code_link_id]} %{[zeek_cols][source_timestamp]} %{[zeek_cols][source_pico_sec]} %{[zeek_cols][server_timestamp]} %{[zeek_cols][server_pico_sec]} %{[zeek_cols][variant_metadata_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_variant_data_value" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_variant_data_value" - init => "@zeek_opcua_binary_variant_data_value_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_data_value_source_link', 'data_value_encoding_mask', 'status_code_link_id', 'source_timestamp', 'source_pico_sec', 'server_timestamp', 'server_pico_sec', 'variant_metadata_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_data_value_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_variant_data_value" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_variant_extension_object") { - ############################################################################################################################# - # opcua_binary_variant_extension_object.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_variant_extension_object" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} 
%{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ext_obj_link_id]} %{[zeek_cols][ext_obj_node_id_encoding_mask]} %{[zeek_cols][ext_obj_node_id_namespace_idx]} %{[zeek_cols][ext_obj_node_id_numeric]} %{[zeek_cols][ext_obj_node_id_string]} %{[zeek_cols][ext_obj_node_id_guid]} %{[zeek_cols][ext_obj_node_id_opaque]} %{[zeek_cols][ext_obj_type_id_str]} %{[zeek_cols][ext_obj_encoding]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_variant_extension_object" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_variant_extension_object" - init => "@zeek_opcua_binary_variant_extension_object_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'ext_obj_link_id', 'ext_obj_node_id_encoding_mask', 'ext_obj_node_id_namespace_idx', 'ext_obj_node_id_numeric', 'ext_obj_node_id_string', 'ext_obj_node_id_guid', 'ext_obj_node_id_opaque', 'ext_obj_type_id_str', 'ext_obj_encoding' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_extension_object_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_variant_extension_object" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else if ([log_source] == "opcua_binary_variant_metadata") { - ############################################################################################################################# - # opcua_binary_variant_metadata.log - # variant-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary) - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_opcua_binary_variant_metadata" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW 
IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][variant_source_data_link_id]} %{[zeek_cols][variant_data_source]} %{[zeek_cols][variant_data_source_str]} %{[zeek_cols][dara_variant_encoding_mask]} %{[zeek_cols][data_variant_data_type]} %{[zeek_cols][data_variant_data_type_str]} %{[zeek_cols][built_in_data_type]} %{[zeek_cols][built_in_data_type_str]} %{[zeek_cols][variant_data_link_id]} %{[zeek_cols][variant_data_array_dim]} %{[zeek_cols][variant_data_array_multi_dim_link_id]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_opcua_binary_variant_metadata" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_opcua_binary_variant_metadata" - init => "@zeek_opcua_binary_variant_metadata_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'variant_source_data_link_id', 'variant_data_source', 'variant_data_source_str', 'dara_variant_encoding_mask', 'data_variant_data_type', 'data_variant_data_type_str', 'built_in_data_type', 'built_in_data_type_str', 'variant_data_link_id', 'variant_data_array_dim', 'variant_data_array_multi_dim_link_id' ]" - code => "event.set('[zeek_cols]', @zeek_opcua_binary_variant_metadata_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { - id => "mutate_add_fields_zeek_opcua_binary_variant_metadata" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "ics" ] - } - - } else { - # some other unknown zeek opcua- log file. should start with ts at least! 
- - if ("_jsonparsesuccess" not in [tags]) { - csv { - id => "csv_zeek_unknown_opcua" - columns => ["ts"] - - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - separator => " " - # there's no way to *disable* the csv quote char, so set it to something we'll never see - quote_char => " " - - target => "[zeek_cols]" - } - } - - mutate { id => "mutate_add_tag_zeek_unknown_opcua" - add_field => { - "[zeek_cols][proto]" => "tcp" - "[zeek_cols][service]" => "opcua-binary" - } - add_tag => [ "_unknown_log_type" ] - } - - } # if / else if for opcua log types - - } else if ([log_source] == "analyzer") { - ############################################################################################################################# - # analyzer.log - # Zeek Logging analyzer confirmations and violations into analyzer.log - # https://docs.zeek.org/en/master/scripts/base/frameworks/analyzer/logging.zeek.html - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_diagnostic_analyzer" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][cause]} %{[zeek_cols][analyzer_kind]} %{[zeek_cols][analyzer_name]} %{[zeek_cols][uid]} %{[zeek_cols][fuid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][failure_reason]} %{[zeek_cols][failure_data]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_analyzer" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_analyzer" - init => "@zeek_diagnostic_analyzer_field_names = [ 'ts', 'cause', 'analyzer_kind', 'analyzer_name', 'uid', 'fuid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'failure_reason', 'failure_data' ]" - code => "event.set('[zeek_cols]', 
@zeek_diagnostic_analyzer_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - # we are *not* adding the _zeekdiagnostic even though it could arguably be classified as such, the reason being that - # the UID/FUID and IP/ports make it suitable to be searched with the network data - - } else if ([log_source] == "broker") { - ############################################################################################################################# - # broker.log - # https://docs.zeek.org/en/master/scripts/base/frameworks/broker/log.zeek.html - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_broker_fields" - rename => { "[zeek_cols][ty]" => "[zeek_cols][event_type]" } - rename => { "[zeek_cols][ev]" => "[zeek_cols][event_action]" } - rename => { "[zeek_cols][peer.address]" => "[zeek_cols][peer_ip]" } - rename => { "[zeek_cols][peer.bound_port]" => "[zeek_cols][peer_port]" } - rename => { "[zeek_cols][message]" => "[zeek_cols][peer_message]" } - } - - } else { - dissect { - id => "dissect_zeek_diagnostic_broker" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][event_type]} %{[zeek_cols][event_action]} %{[zeek_cols][peer_ip]} %{[zeek_cols][peer_port]} %{[zeek_cols][peer_message]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_broker" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_broker" - init => "@zeek_diagnostic_broker_field_names = [ 'ts', 'event_type', 'event_action', 'peer_ip', 'peer_port', 'peer_message' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_broker_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_broker" - add_tag => [ "_zeekdiagnostic" ] } - - } else if ([log_source] 
== "capture_loss") { - ############################################################################################################################# - # capture_loss.log - # Reports analysis of missing traffic. Zeek bases its conclusions on analysis of TCP sequence numbers. - # https://docs.zeek.org/en/master/logs/capture-loss-and-reporter.html - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_diagnostic_capture_loss" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][ts_delta]} %{[zeek_cols][peer]} %{[zeek_cols][gaps]} %{[zeek_cols][acks]} %{[zeek_cols][percent_lost]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_capture_loss" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_capture_loss" - init => "@zeek_diagnostic_capture_loss_field_names = [ 'ts', 'ts_delta', 'peer', 'gaps', 'acks', 'percent_lost' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_capture_loss_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_capture_loss" - add_tag => [ "_zeekdiagnostic" ] } - - } else if ([log_source] == "cluster") { - ############################################################################################################################# - # cluster.log - # Logging for establishing and controlling a cluster of Zeek instances - # https://docs.zeek.org/en/master/scripts/base/frameworks/cluster/main.zeek.html#type-Cluster::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_cluster_fields" - rename => { "[zeek_cols][message]" => "[zeek_cols][node_message]" } - } - - } else { - dissect { - id => "dissect_zeek_diagnostic_cluster" - # zeek's default delimiter is a literal tab, 
MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][node]} %{[zeek_cols][node_message]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_cluster" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_cluster" - init => "@zeek_diagnostic_cluster_field_names = [ 'ts', 'node', 'node_message' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_cluster_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_cluster" - add_tag => [ "_zeekdiagnostic" ] } - - } else if ([log_source] == "config") { - ############################################################################################################################# - # config.log - # Logging for Zeek configuration changes - # https://docs.zeek.org/en/master/scripts/base/frameworks/config/main.zeek.html#type-Config::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_diagnostic_config" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][value_name]} %{[zeek_cols][value_old]} %{[zeek_cols][value_new]} %{[zeek_cols][location]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_config" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_config" - init => "@zeek_diagnostic_config_field_names = [ 'ts', 'value_name', 'value_old', 'value_new', 'location' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_config_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_config" - add_tag => [ 
"_zeekdiagnostic" ] } - - } else if ([log_source] == "packet_filter") { - ############################################################################################################################# - # packet_filter.log - # https://docs.zeek.org/en/master/scripts/base/frameworks/packet-filter/main.zeek.html#type-PacketFilter::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_diagnostic_packet_filter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][node]} %{[zeek_cols][filter]} %{[zeek_cols][init]} %{[zeek_cols][success]} %{[zeek_cols][failure_reason]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_packet_filter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_packet_filter" - init => "@zeek_diagnostic_packet_filter_field_names = [ 'ts', 'node', 'filter', 'init', 'success', 'failure_reason' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_packet_filter_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_packet_filter" - add_tag => [ "_zeekdiagnostic" ] } - - } else if ([log_source] == "print") { - ############################################################################################################################# - # print.log - # https://docs.zeek.org/en/master/scripts/base/frameworks/logging/main.zeek.html#type-Log::PrintLogInfo - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_diagnostic_print" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][vals]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_print" - 
# zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_print" - init => "@zeek_diagnostic_print_field_names = [ 'ts', 'vals' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_print_field_names.zip(event.get('[message]')).to_h)" - } - } - mutate { id => "split_zeek_diagnostic_print_vals" - split => { "[zeek_cols][vals]" => "," } } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_print" - add_tag => [ "_zeekdiagnostic" ] } - - - } else if ([log_source] == "reporter") { - ############################################################################################################################# - # reporter.log - # https://docs.zeek.org/en/master/scripts/base/frameworks/reporter/main.zeek.html#type-Reporter::Info - - if ("_jsonparsesuccess" in [tags]) { - mutate { - id => "mutate_rename_zeek_json_reporter_fields" - rename => { "[zeek_cols][message]" => "[zeek_cols][msg]" } - } - - } else { - dissect { - id => "dissect_zeek_diagnostic_reporter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][level]} %{[zeek_cols][msg]} %{[zeek_cols][location]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_reporter" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_reporter" - init => "@zeek_diagnostic_reporter_field_names = [ 'ts', 'level', 'msg', 'location' ]" - code => "event.set('[zeek_cols]', @zeek_diagnostic_reporter_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_reporter" - add_tag => [ "_zeekdiagnostic" ] } - - } else if ([log_source] == "stats") { - 
############################################################################################################################# - # stats.log - # https://docs.zeek.org/en/master/scripts/policy/misc/stats.zeek.html#type-Stats::Info - - if ("_jsonparsesuccess" not in [tags]) { - dissect { - id => "dissect_zeek_diagnostic_stats" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][peer]} %{[zeek_cols][mem]} %{[zeek_cols][pkts_proc]} %{[zeek_cols][bytes_recv]} %{[zeek_cols][pkts_dropped]} %{[zeek_cols][pkts_link]} %{[zeek_cols][pkt_lag]} %{[zeek_cols][pkts_filtered]} %{[zeek_cols][events_proc]} %{[zeek_cols][events_queued]} %{[zeek_cols][active_tcp_conns]} %{[zeek_cols][active_udp_conns]} %{[zeek_cols][active_icmp_conns]} %{[zeek_cols][tcp_conns]} %{[zeek_cols][udp_conns]} %{[zeek_cols][icmp_conns]} %{[zeek_cols][timers]} %{[zeek_cols][active_timers]} %{[zeek_cols][files]} %{[zeek_cols][active_files]} %{[zeek_cols][dns_requests]} %{[zeek_cols][active_dns_requests]} %{[zeek_cols][reassem_tcp_size]} %{[zeek_cols][reassem_file_size]} %{[zeek_cols][reassem_frag_size]} %{[zeek_cols][reassem_unknown_size]}" - } - } - if ("_dissectfailure" in [tags]) { - mutate { - id => "mutate_split_zeek_diagnostic_stats" - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } - } - ruby { - id => "ruby_zip_zeek_diagnostic_stats" - init => "@zeek_diagnostic_stats_field_names = [ 'ts', 'peer', 'mem', 'pkts_proc', 'bytes_recv', 'pkts_dropped', 'pkts_link', 'pkt_lag', 'pkts_filtered', 'events_proc', 'events_queued', 'active_tcp_conns', 'active_udp_conns', 'active_icmp_conns', 'tcp_conns', 'udp_conns', 'icmp_conns', 'timers', 'active_timers', 'files', 'active_files', 'dns_requests', 'active_dns_requests', 'reassem_tcp_size', 'reassem_file_size', 'reassem_frag_size', 'reassem_unknown_size' ]" - code => "event.set('[zeek_cols]', 
@zeek_diagnostic_stats_field_names.zip(event.get('[message]')).to_h)" - } - } - } - - mutate { id => "mutate_add_tag_zeek_diagnostic_stats" - add_tag => [ "_zeekdiagnostic" ] } - - } else { - - if ("_jsonparsesuccess" not in [tags]) { - # some other unknown zeek log file. should start with ts at least! - csv { - id => "csv_zeek_unknown" - columns => ["ts"] - - # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - separator => " " - # there's no way to *disable* the csv quote char, so set it to something we'll never see - quote_char => " " - - target => "[zeek_cols]" - } - } - - mutate { id => "mutate_add_tag_zeek_unknown" - add_tag => [ "_unknown_log_type" ] } - - } # if / else if for source type (conn.log, dns.log, etc.) - -} # end Filter diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/1200_zeek_mutate.conf similarity index 99% rename from logstash/pipelines/zeek/12_zeek_mutate.conf rename to logstash/pipelines/zeek/1200_zeek_mutate.conf index 182adb633..434e62eae 100644 --- a/logstash/pipelines/zeek/12_zeek_mutate.conf +++ b/logstash/pipelines/zeek/1200_zeek_mutate.conf @@ -1937,7 +1937,7 @@ filter { } } - # collect referenced file UIDs(s)/FUID(s) at parent level (here rather than in 13_zeek_normalize.conf because + # collect referenced file UIDs(s)/FUID(s) at parent level (here rather than in 1300_zeek_normalize.conf because # this would have already been done as a root-level fuid array in the main "rename" above if we # had not had to move it up a level just now) if ([zeek][smb_files][uid]) { diff --git a/logstash/pipelines/zeek/13_zeek_normalize.conf b/logstash/pipelines/zeek/1300_zeek_normalize.conf similarity index 99% rename from logstash/pipelines/zeek/13_zeek_normalize.conf rename to logstash/pipelines/zeek/1300_zeek_normalize.conf index 9774603f8..c4b77e920 100644 --- a/logstash/pipelines/zeek/13_zeek_normalize.conf +++ b/logstash/pipelines/zeek/1300_zeek_normalize.conf 
@@ -1262,7 +1262,7 @@ filter { # FUIDs ############################################################################################################# # collect all other FUIDs under parent [zeek][fuid] array (some were already done at the root level in - # the "rename" in 12_zeek_mutate.conf) + # the "rename" in 1200_zeek_mutate.conf) if ([zeek][files][parent_fuid]) { mutate { id => "mutate_merge_normalize_zeek_files_parent_fuid" merge => { "[zeek][fuid]" => "[zeek][files][parent_fuid]" } } } diff --git a/logstash/pipelines/zeek/14_zeek_convert.conf b/logstash/pipelines/zeek/1400_zeek_convert.conf similarity index 100% rename from logstash/pipelines/zeek/14_zeek_convert.conf rename to logstash/pipelines/zeek/1400_zeek_convert.conf diff --git a/logstash/pipelines/zeek/19_severity.conf b/logstash/pipelines/zeek/1900_severity.conf similarity index 100% rename from logstash/pipelines/zeek/19_severity.conf rename to logstash/pipelines/zeek/1900_severity.conf diff --git a/logstash/pipelines/zeek/99_zeek_forward.conf b/logstash/pipelines/zeek/9900_zeek_forward.conf similarity index 100% rename from logstash/pipelines/zeek/99_zeek_forward.conf rename to logstash/pipelines/zeek/9900_zeek_forward.conf diff --git a/logstash/scripts/logstash-start.sh b/logstash/scripts/logstash-start.sh index 35df19c66..d752f5fc3 100755 --- a/logstash/scripts/logstash-start.sh +++ b/logstash/scripts/logstash-start.sh 
@@ -123,6 +123,11 @@ find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_O find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_PRIMARY_DATASTORE_TYPE_/${OPENSEARCH_PRIMARY_TYPE}/g" "{}" \; 2>/dev/null find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_SECONDARY_DATASTORE_TYPE_/${OPENSEARCH_SECONDARY_TYPE}/g" "{}" \; 2>/dev/null +# make sure that the delimiter for zeek TSV parsing is set correctly in that pipeline (i.e., spaces to tabs) +if [[ -d "$PIPELINES_DIR"/zeek ]]; then + sed -i -E 's/(split\s*=>\s*\{\s*"\[message\]"\s*=>\s*"\s*)\s+("\s*\})/\1\t\2/g' "$PIPELINES_DIR"/zeek/*.conf + sed -i -E 's/\s\s*(%\{\[zeek_cols\]\[)/\t\1/g' "$PIPELINES_DIR"/zeek/*.conf +fi # import trusted CA certificates if necessary /usr/local/bin/jdk-cacerts-auto-import.sh || true diff --git a/scripts/zeek_script_to_malcolm_boilerplate.py b/scripts/zeek_script_to_malcolm_boilerplate.py index d93323d77..4f6a9f5a5 100755 --- a/scripts/zeek_script_to_malcolm_boilerplate.py +++ b/scripts/zeek_script_to_malcolm_boilerplate.py 
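Review bot: The first `sed` in the new `if [[ -d "$PIPELINES_DIR"/zeek ]]` block leaves stray spaces behind when the split delimiter has been expanded to more than one space, which is exactly the case the block exists to repair: the `\s*` at the end of capture group 1 greedily keeps all but one whitespace character, so only the last one is rewritten and `"    "` becomes `"   <tab>"`, a delimiter Logstash will never match. Dropping that inner `\s*` makes the whole run collapse to a single tab: `sed -i -E 's/(split\s*=>\s*\{\s*"\[message\]"\s*=>\s*")\s+("\s*\})/\1\t\2/g' "$PIPELINES_DIR"/zeek/*.conf`. The second `sed` inserts a tab before any `%{[zeek_cols][` that follows whitespace, including occurrences in comments; that is harmless for parsing but worth a comment such as `# note: also rewrites matches inside comments` since both edits are applied in place on every container start. Whether a failing in-place `sed` (e.g. a read-only pipelines directory) aborts startup depends on the shell options set earlier in the script, outside this hunk.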
@@ -10,13 +10,12 @@ # The scripts are parsed into their constitutent records and &log fields. # # Each record is then printed out in the formats used by Malcolm for parsing and defining Zeek logs: -# - Logstash (https://idaholab.github.io/Malcolm/docs/contributing-logstash.html#LogstashZeek), for ./logstash/pipelines/zeek/11_zeek_parse.conf +# - Logstash (https://idaholab.github.io/Malcolm/docs/contributing-logstash.html#LogstashZeek), for ./logstash/pipelines/zeek/1001_zeek_parse.conf # - Arkime (https://idaholab.github.io/Malcolm/docs/contributing-new-log-fields.html#NewFields), for ./arkime/etc/config.ini # - OpenSearch tndex templates (https://idaholab.github.io/Malcolm/docs/contributing-new-log-fields.html#NewFields), for ./dashboards/templates/composable/component/zeek*.json # -# For Logstash boilerplate, pay close attention to the comment in the logstash filter: -# # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP -# If you are copy/pasting, ensure your editor doesn't lose the TAB characters. +# The logstash/scripts/logstash-start.sh container startup script should automatically fix any issues +# with parsing the Zeek tab delimiter (e.g., converting spaces in the `dissect` and `split` filters to tabs) # import argparse @@ -490,7 +489,6 @@ def main(): f' if ("_jsonparsesuccess" not in [tags]) {{', f' dissect {{', f' id => "dissect_zeek_{rName}"', - f" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP", f' mapping => {{', f' "[message]" => "{rFieldsDissect}"', f' }}', @@ -499,7 +497,6 @@ def main(): f' if ("_dissectfailure" in [tags]) {{', f' mutate {{', f' id => "mutate_split_zeek_{rName}"', - f" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP", f' split => {{ "[message]" => "{ZEEK_DELIMITER_CHAR}" }}', f' }}', f' ruby {{', diff --git a/shared/bin/zeek_carve_logger.py b/shared/bin/zeek_carve_logger.py index 2ab20dadd..8eeb9b69f 100755 
--- a/shared/bin/zeek_carve_logger.py +++ b/shared/bin/zeek_carve_logger.py @@ -155,7 +155,7 @@ def main(): broSigLogSpec = args.broSigLogSpec if broSigLogSpec is not None: if os.path.isdir(broSigLogSpec): - # _carved tag will be recognized by 12_zeek_mutate.conf in logstash + # _carved tag will be recognized by 1200_zeek_mutate.conf in logstash broSigLogSpec = os.path.join(broSigLogSpec, "signatures(_carved).log") else: # make sure path to write to zeek signatures log file exists before we start writing @@ -265,9 +265,9 @@ def main(): note=ZEEK_SIGNATURE_NOTICE, signature_id=scanResult[FILE_SCAN_RESULT_MESSAGE], event_message=scanResult[FILE_SCAN_RESULT_DESCRIPTION], - sub_message=fileSpecFields.fid - if fileSpecFields.fid is not None - else os.path.basename(fileName), + sub_message=( + fileSpecFields.fid if fileSpecFields.fid is not None else os.path.basename(fileName) + ), signature_count=scanResult[FILE_SCAN_RESULT_HITS], host_count=scanResult[FILE_SCAN_RESULT_ENGINES], ) @@ -321,7 +321,9 @@ def main(): else: # delete the file os.remove(fileName) - logging.debug(f"{scriptName}:\t🚫\t{fileName} ({fileScanCount}/{len(scanners)})") + logging.debug( + f"{scriptName}:\t🚫\t{fileName} ({fileScanCount}/{len(scanners)})" + ) # graceful shutdown logging.info(f"{scriptName}: shutting down...")