diff --git a/dynamite_nsm/confs/elasticsearch/elasticsearch.yml b/dynamite_nsm/confs/elasticsearch/elasticsearch.yml
new file mode 100644
index 00000000..4761d0a4
--- /dev/null
+++ b/dynamite_nsm/confs/elasticsearch/elasticsearch.yml
@@ -0,0 +1,101 @@
+# ======================== Elasticsearch Configuration =========================
+#
+# NOTE: Elasticsearch comes with reasonable defaults for most settings.
+# Before you set out to tweak and tune the configuration, make sure you
+# understand what are you trying to accomplish and the consequences.
+#
+# The primary way of configuring a node is via this file. This template lists
+# the most important settings you may want to configure for a production cluster.
+#
+# Please consult the documentation for further information on configuration options:
+# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
+#
+# ---------------------------------- Cluster -----------------------------------
+#
+# Use a descriptive name for your cluster:
+#
+cluster.name: dynamite-nsm-cluster
+#
+# ------------------------------------ Node ------------------------------------
+#
+# Use a descriptive name for the node:
+#
+node.name: dynamite-es-node
+#
+# Add custom attributes to the node:
+#
+#node.attr.rack: r1
+#
+# ----------------------------------- Paths ------------------------------------
+#
+# Path to directory where to store the data (separate multiple locations by comma):
+#
+path.data: /opt/dynamite/elasticsearch/data/
+#
+# Path to log files:
+#
+path.logs: /var/log/dynamite/elasticsearch/
+#
+# ----------------------------------- Memory -----------------------------------
+#
+# Lock the memory on startup:
+#
+#bootstrap.memory_lock: true
+#
+# Make sure that the heap size is set to about half the memory available
+# on the system and that the owner of the process is allowed to use this
+# limit.
+#
+# Elasticsearch performs poorly when the system is swapping the memory.
+#
+# ---------------------------------- Network -----------------------------------
+#
+# Set the bind address to a specific IP (IPv4 or IPv6):
+#
+network.host: 0.0.0.0
+#
+# Set a custom port for HTTP:
+#
+http.port: 9200
+#
+# For more information, consult the network module documentation.
+#
+# --------------------------------- Discovery ----------------------------------
+#
+# Pass an initial list of hosts to perform discovery when this node is started:
+# The default list of hosts is ["127.0.0.1", "[::1]"]
+#
+discovery.seed_hosts: ["localhost"]
+#
+# Bootstrap the cluster using an initial set of master-eligible nodes:
+#
+cluster.initial_master_nodes: ["dynamite-node"]
+#
+# For more information, consult the discovery and cluster formation module documentation.
+#
+# ---------------------------------- Gateway -----------------------------------
+#
+# Block initial recovery after a full cluster restart until N nodes are started:
+#
+#gateway.recover_after_nodes: 3
+#
+# For more information, consult the gateway module documentation.
+#
+# ---------------------------------- Various -----------------------------------
+#
+# Require explicit names when deleting indices:
+search.max_buckets: 10000
+opendistro_security.disabled: false
+opendistro_security.ssl.transport.enabled: true
+opendistro_security.ssl.http.enabled: true
+
+opendistro_security.ssl.http.pemcert_filepath: security/auth/admin.pem
+opendistro_security.ssl.http.pemkey_filepath: security/auth/admin-key.pem
+opendistro_security.ssl.http.pemtrustedcas_filepath: security/auth/root-ca.pem
+opendistro_security.ssl.transport.pemcert_filepath: security/auth/admin.pem
+opendistro_security.ssl.transport.pemkey_filepath: security/auth/admin-key.pem
+opendistro_security.ssl.transport.pemtrustedcas_filepath: security/auth/root-ca.pem
+
+opendistro_security.authcz.admin_dn:
+- C=US,ST=GA,L=Atlanta,O=Dynamite,OU=R&D,CN=dynamite.ai
+- CN=dynamite.ai,OU=R&D,O=Dynamite,L=Atlanta,ST=GA,C=US
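Review bot: `cluster.initial_master_nodes: ["dynamite-node"]` names a node that does not exist in this file — the node is `node.name: dynamite-es-node` earlier in the hunk — so cluster bootstrap will presumably wait for a master-eligible node that never appears; the two values need to agree, e.g. `cluster.initial_master_nodes: ["dynamite-es-node"]`. The same `security/auth/admin.pem` is used as both the HTTP and the transport node certificate while its subject is also listed under `opendistro_security.authcz.admin_dn`, which means any peer presenting the node certificate holds super-admin rights over the security index; an admin DN is normally a separate client certificate, and `opendistro_security.nodes_dn` is not set here at all. `network.host: 0.0.0.0` exposes port 9200 on every interface, so it should either be narrowed to the management address or be paired with the host firewalling the installer applies. The comment `# Require explicit names when deleting indices:` no longer describes the line beneath it (`search.max_buckets: 10000`); replace it with `# Maximum number of aggregation buckets a single request may return:`.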
diff --git a/dynamite_nsm/confs/elasticsearch/jvm.options b/dynamite_nsm/confs/elasticsearch/jvm.options
new file mode 100644
index 00000000..a927e413
--- /dev/null
+++ b/dynamite_nsm/confs/elasticsearch/jvm.options
@@ -0,0 +1,20 @@
+-Xms4g
+-Xmx4g
+8-13:-XX:+UseConcMarkSweepGC
+8-13:-XX:CMSInitiatingOccupancyFraction=75
+8-13:-XX:+UseCMSInitiatingOccupancyOnly
+14-:-XX:+UseG1GC
+14-:-XX:G1ReservePercent=25
+14-:-XX:InitiatingHeapOccupancyPercent=30
+-Djava.io.tmpdir=${ES_TMPDIR}
+-XX:+HeapDumpOnOutOfMemoryError
+-XX:HeapDumpPath=data
+-XX:ErrorFile=logs/hs_err_pid%p.log
+8:-XX:+PrintGCDetails
+8:-XX:+PrintGCDateStamps
+8:-XX:+PrintTenuringDistribution
+8:-XX:+PrintGCApplicationStoppedTime
+8:-Xloggc:logs/gc.log
+8:-XX:+UseGCLogFileRotation
+8:-XX:NumberOfGCLogFiles=32
+8:-XX:GCLogFileSize=64m
diff --git a/dynamite_nsm/confs/elasticsearch/security/action_groups.yml b/dynamite_nsm/confs/elasticsearch/security/action_groups.yml
new file mode 100644
index 00000000..aac69ab8
--- /dev/null
+++ b/dynamite_nsm/confs/elasticsearch/security/action_groups.yml
@@ -0,0 +1,3 @@
+_meta:
+ type: "actiongroups"
+ config_version: 2
\ No newline at end of file
diff --git a/dynamite_nsm/confs/elasticsearch/security/audit.yml b/dynamite_nsm/confs/elasticsearch/security/audit.yml
new file mode 100644
index 00000000..dcfbad8d
--- /dev/null
+++ b/dynamite_nsm/confs/elasticsearch/security/audit.yml
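Review bot: `-XX:HeapDumpPath=data` writes out-of-memory heap dumps to a path relative to the working directory, and a heap dump holds whatever was in the JVM heap at the time, which for this node may include indexed events and security-plugin secrets; point it at a dedicated directory with restrictive permissions, e.g. `-XX:HeapDumpPath=/var/log/dynamite/elasticsearch/` alongside the `-XX:ErrorFile` location, or add a comment stating that the data directory is intended. `-Xms4g` / `-Xmx4g` are fixed values here; if the installer rewrites them per host, a comment saying so would help, otherwise a host with less RAM than that will fail to start the JVM.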
@@ -0,0 +1,85 @@ +_meta: + type: "audit" + config_version: 2 + +config: + # enable/disable audit logging + enabled: true + + audit: + # Enable/disable REST API auditing + enable_rest: true + + # Categories to exclude from REST API auditing + disabled_rest_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + + # Enable/disable Transport API auditing + enable_transport: true + + # Categories to exclude from Transport API auditing + disabled_transport_categories: + - AUTHENTICATED + - GRANTED_PRIVILEGES + + # Users to be excluded from auditing. Wildcard patterns are supported. Eg: + # ignore_users: ["test-user", "employee-*"] + ignore_users: + - kibanaserver + + # Requests to be excluded from auditing. Wildcard patterns are supported. Eg: + # ignore_requests: ["indices:data/read/*", "SearchRequest"] + ignore_requests: [] + + # Log individual operations in a bulk request + resolve_bulk_requests: false + + # Include the body of the request (if available) for both REST and the transport layer + log_request_body: true + + # Logs all indices affected by a request. Resolves aliases and wildcards/date patterns + resolve_indices: true + + # Exclude sensitive headers from being included in the logs. Eg: Authorization + exclude_sensitive_headers: true + + compliance: + # enable/disable compliance + enabled: true + + # Log updates to internal security changes + internal_config: true + + # Log external config files for the node + external_config: false + + # Log only metadata of the document for read events + read_metadata_only: true + + # Map of indexes and fields to monitor for read events. Wildcard patterns are supported for both index names and fields. Eg: + # read_watched_fields: { + # "twitter": ["message"] + # "logs-*": ["id", "attr*"] + # } + read_watched_fields: {} + + # List of users to ignore for read events. Wildcard patterns are supported. 
Eg: + # read_ignore_users: ["test-user", "employee-*"] + read_ignore_users: + - kibanaserver + + # Log only metadata of the document for write events + write_metadata_only: true + + # Log only diffs for document updates + write_log_diffs: false + + # List of indices to watch for write events. Wildcard patterns are supported + # write_watched_indices: ["twitter", "logs-*"] + write_watched_indices: [] + + # List of users to ignore for write events. Wildcard patterns are supported. Eg: + # write_ignore_users: ["test-user", "employee-*"] + write_ignore_users: + - kibanaserver diff --git a/dynamite_nsm/confs/elasticsearch/security/config.yml b/dynamite_nsm/confs/elasticsearch/security/config.yml new file mode 100644 index 00000000..251b13ae --- /dev/null +++ b/dynamite_nsm/confs/elasticsearch/security/config.yml 
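Review bot: `log_request_body: true` stores the full body of every audited REST and transport request in the audit log, and with `compliance.internal_config: true` that would presumably include the security REST API calls that create or update internal users, so password material can end up in the audit index; either set `log_request_body: false` or make sure the audit index is readable only by an admin role. `exclude_sensitive_headers: true` covers headers only, not bodies, so it does not mitigate this. `ignore_users: - kibanaserver` removes the Kibana service account from both REST and transport auditing entirely, which also hides misuse of that account's credentials; consider keeping it audited and trimming noise through `disabled_rest_categories` instead.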
@@ -0,0 +1,247 @@ +--- + +# This is the main Open Distro Security configuration file where authentication +# and authorization is defined. +# +# You need to configure at least one authentication domain in the authc of this file. +# An authentication domain is responsible for extracting the user credentials from +# the request and for validating them against an authentication backend like Active Directory for example. +# +# If more than one authentication domain is configured the first one which succeeds wins. +# If all authentication domains fail then the request is unauthenticated. +# In this case an exception is thrown and/or the HTTP status is set to 401. +# +# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect +# the roles from a given backend for the authenticated user. +# +# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both. +# http_enabled: true +# transport_enabled: true +# +# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to +# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated. +# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "anonymous" +# and one role named "anonymous_backendrole". +# If you enable anonymous authentication all HTTP authenticators will not challenge. +# +# +# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert" +# first and the challenging one last. +# Because it's not possible to challenge a client with two different authentication methods (for example +# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation +# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request. 
+# +# Default value of the challenge flag is true. +# +# +# HTTP +# basic (challenging) +# proxy (not challenging, needs xff) +# kerberos (challenging) +# clientcert (not challenging, needs https) +# jwt (not challenging) +# host (not challenging) #DEPRECATED, will be removed in a future version. +# host based authentication is configurable in roles_mapping + +# Authc +# internal +# noop +# ldap + +# Authz +# ldap +# noop + + + +_meta: + type: "config" + config_version: 2 + +config: + dynamic: + # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index + # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default) + # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently + #filtered_alias_mode: warn + #do_not_fail_on_forbidden: false + #kibana: + # Kibana multitenancy + #multitenancy_enabled: true + #server_username: kibanaserver + #index: '.kibana' + http: + anonymous_auth_enabled: false + xff: + enabled: false + internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern + #internalProxies: '.*' # trust all internal proxies, regex pattern + #remoteIpHeader: 'x-forwarded-for' + ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help + ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For + ###### and here https://tools.ietf.org/html/rfc7239 + ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve + authc: + kerberos_auth_domain: + http_enabled: false + transport_enabled: false + order: 6 + http_authenticator: + type: kerberos + challenge: true + config: + # If true a lot of kerberos/security related debugging output will be logged to standard out + krb_debug: false + # If true then the realm will be stripped from the user name + strip_realm_from_principal: true + authentication_backend: + type: noop + basic_internal_auth_domain: + 
description: "Authenticate via HTTP Basic against internal users database" + http_enabled: true + transport_enabled: true + order: 4 + http_authenticator: + type: basic + challenge: true + authentication_backend: + type: intern + proxy_auth_domain: + description: "Authenticate via proxy" + http_enabled: false + transport_enabled: false + order: 3 + http_authenticator: + type: proxy + challenge: false + config: + user_header: "x-proxy-user" + roles_header: "x-proxy-roles" + authentication_backend: + type: noop + jwt_auth_domain: + description: "Authenticate via Json Web Token" + http_enabled: false + transport_enabled: false + order: 0 + http_authenticator: + type: jwt + challenge: false + config: + signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key" + jwt_header: "Authorization" + jwt_url_parameter: null + roles_key: null + subject_key: null + authentication_backend: + type: noop + clientcert_auth_domain: + description: "Authenticate via SSL client certificates" + http_enabled: false + transport_enabled: false + order: 2 + http_authenticator: + type: clientcert + config: + username_attribute: cn #optional, if omitted DN becomes username + challenge: false + authentication_backend: + type: noop + ldap: + description: "Authenticate via LDAP or Active Directory" + http_enabled: false + transport_enabled: false + order: 5 + http_authenticator: + type: basic + challenge: false + authentication_backend: + # LDAP authentication backend (authenticate users against a LDAP or Active Directory) + type: ldap + config: + # enable ldaps + enable_ssl: false + # enable start tls, enable_ssl should be false + enable_start_tls: false + # send client certificate + enable_ssl_client_auth: false + # verify ldap hostname + verify_hostnames: true + hosts: + - localhost:8389 + bind_dn: null + password: null + userbase: 'ou=people,dc=example,dc=com' + # Filter to search for users (currently in the whole subtree beneath userbase) + # {0} is substituted with the username + 
usersearch: '(sAMAccountName={0})' + # Use this attribute from the user as username (if not set then DN is used) + username_attribute: null + authz: + roles_from_myldap: + description: "Authorize via LDAP or Active Directory" + http_enabled: false + transport_enabled: false + authorization_backend: + # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too) + type: ldap + config: + # enable ldaps + enable_ssl: false + # enable start tls, enable_ssl should be false + enable_start_tls: false + # send client certificate + enable_ssl_client_auth: false + # verify ldap hostname + verify_hostnames: true + hosts: + - localhost:8389 + bind_dn: null + password: null + rolebase: 'ou=groups,dc=example,dc=com' + # Filter to search for roles (currently in the whole subtree beneath rolebase) + # {0} is substituted with the DN of the user + # {1} is substituted with the username + # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute + rolesearch: '(member={0})' + # Specify the name of the attribute which value should be substituted with {2} above + userroleattribute: null + # Roles as an attribute of the user entry + userrolename: disabled + #userrolename: memberOf + # The attribute in a role entry containing the name of that role, Default is "name". + # Can also be "dn" to use the full DN as rolename. + rolename: cn + # Resolve nested roles transitive (roles which are members of other roles and so on ...) 
+ resolve_nested_roles: true + userbase: 'ou=people,dc=example,dc=com' + # Filter to search for users (currently in the whole subtree beneath userbase) + # {0} is substituted with the username + usersearch: '(uid={0})' + # Skip users matching a user name, a wildcard or a regex pattern + #skip_users: + # - 'cn=Michael Jackson,ou*people,o=TEST' + # - '/\S*/' + roles_from_another_ldap: + description: "Authorize via another Active Directory" + http_enabled: false + transport_enabled: false + authorization_backend: + type: ldap + #config goes here ... + # auth_failure_listeners: + # ip_rate_limiting: + # type: ip + # allowed_tries: 10 + # time_window_seconds: 3600 + # block_expiry_seconds: 600 + # max_blocked_clients: 100000 + # max_tracked_clients: 100000 + # internal_authentication_backend_limiting: + # type: username + # authentication_backend: intern + # allowed_tries: 10 + # time_window_seconds: 3600 + # block_expiry_seconds: 600 + # max_blocked_clients: 100000 + # max_tracked_clients: 100000 \ No newline at end of file diff --git a/dynamite_nsm/confs/elasticsearch/security/elasticsearch.yml.example b/dynamite_nsm/confs/elasticsearch/security/elasticsearch.yml.example new file mode 100644 index 00000000..e16d2b34 --- /dev/null +++ b/dynamite_nsm/confs/elasticsearch/security/elasticsearch.yml.example 
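Review bot: The `auth_failure_listeners` block at the end of the hunk is left commented out, so the only enabled domain, `basic_internal_auth_domain` (HTTP Basic against the internal users database, `order: 4`), has no throttling of failed logins and the internal user hashes shipped in this commit can be brute-forced without any lockout. Enable at least the IP-based limiter by uncommenting `auth_failure_listeners:` / `ip_rate_limiting:` / `type: ip` together with the `allowed_tries`, `time_window_seconds` and `block_expiry_seconds` lines beneath them, placed under `config.dynamic`. `jwt_auth_domain.config.signing_key` still holds the upstream placeholder text; that domain is disabled, but a comment such as `# must be replaced with a real key before enabling this domain` would prevent a surprise later. The `ldap` sections point at `localhost:8389` and `dc=example,dc=com`, which is fine only as long as they are understood to be templates.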
@@ -0,0 +1,236 @@ +############## Open Distro Security configuration ############### + +########################################################### +# Add the following settings to your standard elasticsearch.yml +# alongside with the Open Distro Security TLS settings. +# Settings must always be the same on all nodes in the cluster. + +############## Common configuration settings ############## + +# Enable or disable the Open Distro Security advanced modules +# By default advanced modules are enabled, you can switch +# all advanced features off by setting the following key to false +opendistro_security.advanced_modules_enabled: true + +# Specify a list of DNs which denote the other nodes in the cluster. +# This settings support wildcards and regular expressions +# The list of DNs are also read from security index **in addition** to the yml configuration if +# opendistro_security.nodes_dn_dynamic_config_enabled is true. +# NOTE: This setting only has effect if 'opendistro_security.cert.intercluster_request_evaluator_class' is not set. +opendistro_security.nodes_dn: + - "CN=*.example.com, OU=SSL, O=Test, L=Test, C=DE" + - "CN=node.other.com, OU=SSL, O=Test, L=Test, C=DE" + +# The nodes_dn_dynamic_config_enabled settings is geared towards cross_cluster usecases where there is a need to +# manage the whitelisted nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured +# Setting nodes_dn_dynamic_config_enabled to true enables **super-admin callable** /_opendistro/_security/api/nodesdn APIs +# which provide means to update/retrieve nodesdn dynamically. +# +# NOTE: The overall whitelisted nodes_dn evaluated comes from both the opendistro_security.nodes_dn and the ones stored +# in security index. +# (default: false) +# NOTE2: This setting only has effect if 'opendistro_security.cert.intercluster_request_evaluator_class' is not set. 
+opendistro_security.nodes_dn_dynamic_config_enabled: false + +# Defines the DNs (distinguished names) of certificates +# to which admin privileges should be assigned (mandatory) +opendistro_security.authcz.admin_dn: + - "CN=kirk,OU=client,O=client,l=tEst, C=De" + +# Define how backend roles should be mapped to Open Distro Security roles +# MAPPING_ONLY - mappings must be configured explicitely in roles_mapping.yml (default) +# BACKENDROLES_ONLY - backend roles are mapped to Open Distro Security rules directly. Settings in roles_mapping.yml have no effect. +# BOTH - backend roles are mapped to Open Distro Security roles mapped directly and via roles_mapping.yml in addition +opendistro_security.roles_mapping_resolution: MAPPING_ONLY + +############## REST Management API configuration settings ############## +# Enable or disable role based access to the REST management API +# Default is that no role is allowed to access the REST management API. +#opendistro_security.restapi.roles_enabled: ["all_access","xyz_role"] + +# Disable particular endpoints and their HTTP methods for roles. +# By default all endpoints/methods are allowed. 
+#opendistro_security.restapi.endpoints_disabled..: +# Example: +#opendistro_security.restapi.endpoints_disabled.all_access.ACTIONGROUPS: ["PUT","POST","DELETE"] +#opendistro_security.restapi.endpoints_disabled.xyz_role.LICENSE: ["DELETE"] + +# The following endpoints exist: +# ACTIONGROUPS +# CACHE +# CONFIG +# ROLES +# ROLESMAPPING +# INTERNALUSERS +# SYSTEMINFO +# PERMISSIONSINFO + +############## Auditlog configuration settings ############## +# General settings + +# Enable/disable rest request logging (default: true) +#opendistro_security.audit.enable_rest: true +# Enable/disable transport request logging (default: false) +#opendistro_security.audit.enable_transport: false +# Enable/disable bulk request logging (default: false) +# If enabled all subrequests in bulk requests will be logged too +#opendistro_security.audit.resolve_bulk_requests: false +# Disable some categories +#opendistro_security.audit.config.disabled_categories: ["AUTHENTICATED","GRANTED_PRIVILEGES"] +# Disable some requests (wildcard or regex of actions or rest request paths) +#opendistro_security.audit.ignore_requests: ["indices:data/read/*","*_bulk"] +# Tune threadpool size, default is 10 +#opendistro_security.audit.threadpool.size: 10 +# Tune threadpool max size queue length, default is 100000 +#opendistro_security.audit.threadpool.max_queue_len: 100000 + +# Ignore users, e.g. 
do not log audit requests from that users (default: no ignored users) +#opendistro_security.audit.ignore_users: ['kibanaserver','some*user','/also.*regex possible/']" + +# Destination of the auditlog events +opendistro_security.audit.type: internal_elasticsearch +#opendistro_security.audit.type: external_elasticsearch +#opendistro_security.audit.type: debug +#opendistro_security.audit.type: webhook + +# external_elasticsearch settings +#opendistro_security.audit.config.http_endpoints: ['localhost:9200','localhost:9201','localhost:9202']" +# Auditlog index can be a static one or one with a date pattern (default is 'auditlog6') +#opendistro_security.audit.config.index: auditlog6 # make sure you secure this index properly +#opendistro_security.audit.config.index: "'auditlog6-'YYYY.MM.dd" #rotates index daily - make sure you secure this index properly +#opendistro_security.audit.config.type: auditlog +#opendistro_security.audit.config.username: auditloguser +#opendistro_security.audit.config.password: auditlogpassword +#opendistro_security.audit.config.enable_ssl: false +#opendistro_security.audit.config.verify_hostnames: false +#opendistro_security.audit.config.enable_ssl_client_auth: false +#opendistro_security.audit.config.cert_alias: mycert +#opendistro_security.audit.config.pemkey_filepath: key.pem +#opendistro_security.audit.config.pemkey_content: <...pem base 64 content> +#opendistro_security.audit.config.pemkey_password: secret +#opendistro_security.audit.config.pemcert_filepath: cert.pem +#opendistro_security.audit.config.pemcert_content: <...pem base 64 content> +#opendistro_security.audit.config.pemtrustedcas_filepath: ca.pem +#opendistro_security.audit.config.pemtrustedcas_content: <...pem base 64 content> + +# webhook settings +#opendistro_security.audit.config.webhook.url: "http://mywebhook/endpoint" +# One of URL_PARAMETER_GET,URL_PARAMETER_POST,TEXT,JSON,SLACK +#opendistro_security.audit.config.webhook.format: JSON 
+#opendistro_security.audit.config.webhook.ssl.verify: false +#opendistro_security.audit.config.webhook.ssl.pemtrustedcas_filepath: ca.pem +#opendistro_security.audit.config.webhook.ssl.pemtrustedcas_content: <...pem base 64 content> + +# log4j settings +#opendistro_security.audit.config.log4j.logger_name: auditlogger +#opendistro_security.audit.config.log4j.level: INFO + +############## Kerberos configuration settings ############## +# If Kerberos authentication should be used you have to configure: + +# The Path to the krb5.conf file +# Can be absolute or relative to the Elasticsearch config directory +#opendistro_security.kerberos.krb5_filepath: '/etc/krb5.conf' + +# The Path to the keytab where the acceptor_principal credentials are stored. +# Must be relative to the Elasticsearch config directory +#opendistro_security.kerberos.acceptor_keytab_filepath: 'eskeytab.tab' + +# Acceptor (Server) Principal name, must be present in acceptor_keytab_path file +#opendistro_security.kerberos.acceptor_principal: 'HTTP/localhost' + +############## Advanced configuration settings ############## +# Enable transport layer impersonation +# Allow DNs (distinguished names) to impersonate as other users +#opendistro_security.authcz.impersonation_dn: +# "CN=spock,OU=client,O=client,L=Test,C=DE": +# - worf +# "cn=webuser,ou=IT,ou=IT,dc=company,dc=com": +# - user2 +# - user1 + +# Enable rest layer impersonation +# Allow users to impersonate as other users +#opendistro_security.authcz.rest_impersonation_user: +# "picard": +# - worf +# "john": +# - steve +# - martin + +# If this is set to true Open Distro Security will automatically initialize the configuration index +# with the files in the config directory if the index does not exist. +# WARNING: This will use well-known default passwords. +# Use only in a private network/environment. +#opendistro_security.allow_default_init_securityindex: false + +# If this is set to true then allow to startup with demo certificates. 
+# These are certificates issued by floragunn GmbH for demo purposes. +# WARNING: This certificates are well known and therefore unsafe +# Use only in a private network/environment. +#opendistro_security.allow_unsafe_democertificates: false + + + +# Password strength rules for password complexity. +# If you want to set up password strength rules for internal users, you can use the below settings for it. +# Password validation rules can be configured through regex. In the below regex example, a user must need +# a password with minimum 8 characters length and must include minimum one uppercase, one lower case, one digit, and one special character.  +# And a custom error message can be configured, in case if a password is not created according to the password strength rule.    +# opendistro_security.restapi.password_validation_regex: '(?=.*[A-Z])(?=.*[^a-zA-Z\d])(?=.*[0-9])(?=.*[a-z]).{8,}' +# opendistro_security.restapi.password_validation_error_message: "A password must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one digit, and one special character." + + +############## Expert settings ############## +# WARNING: Expert settings, do only use if you know what you are doing +# If you set wrong values here this this could be a security risk +# or make Open Distro Security stop working + +# Name of the index where .opendistro_security stores its configuration. + +#opendistro_security.config_index_name: .opendistro_security + +# This defines the OID of server node certificates +#opendistro_security.cert.oid: '1.2.3.4.5.5' + +# This specifies the implementation of com.amazon.opendistroforelasticsearch.security.transport.InterClusterRequestEvaluator +# that is used to determine inter-cluster request. 
+# Instances of com.amazon.opendistroforelasticsearch.security.transport.InterClusterRequestEvaluator must implement a single argument +# constructor that takes an org.elasticsearch.common.settings.Settings +#opendistro_security.cert.intercluster_request_evaluator_class: com.amazon.opendistroforelasticsearch.security.transport.DefaultInterClusterRequestEvaluator + +# Allow snapshot restore for normal users +# By default only requests signed by an admin TLS certificate can do this +# To enable snapshot restore for normal users set 'opendistro_security.enable_snapshot_restore_privilege: true' +# The user who wants to restore a snapshot must have the 'cluster:admin/snapshot/restore' privilege and must also have +# "indices:admin/create" and "indices:data/write/index" for the indices to be restores. +# A snapshot can only be restored when it does not contain global state and does not restore the '.opendistro_security' index +# If 'opendistro_security.check_snapshot_restore_write_privileges: false' is set then the additional indices checks are omitted. + +# This makes it less secure. +#opendistro_security.enable_snapshot_restore_privilege: true +#opendistro_security.check_snapshot_restore_write_privileges: false + +# Authentication cache timeout in minutes (A value of 0 disables caching, default is 60) +#opendistro_security.cache.ttl_minutes: 60 + +# Disable Open Distro Security +# WARNING: This can expose your configuration (including passwords) to the public. +#opendistro_security.disabled: false + + +# Protected indices are even more secure than normal indices. These indices require a role to access like any other index, but they require an additional role +# to be visible, listed in the opendistro_security.protected_indices.roles setting. +# Enable protected indices +# opendistro_security.protected_indices.enabled: true +# Specify a list of roles a user must be member of to touch any protected index. 
+# opendistro_security.protected_indices.roles: ['all_access'] +# Specify a list of indices to mark as protected. These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role. +# opendistro_security.protected_indices.indices: ['.opendistro-alerting-config', '.opendistro-ism-*'] + +# System indices are similar to security index, except the contents are not encrypted. +# Indices configured as system indices can be accessed by only super-admin and no role will provide access to these indices. +# Enable system indices +# opendistro_security.system_indices.enabled: true +# Specify a list of indices to mark as system. These indices will only be visible / mutable by members of the above setting, in addition to needing permission to the index via a normal role. +# opendistro_security.system_indices.indices: ['.opendistro-alerting-config', '.opendistro-ism-*', '.opendistro-reports-*', '.opendistro-notifications-*', '.opendistro-notebooks', '.opendistro-asynchronous-search-response*'] diff --git a/dynamite_nsm/confs/elasticsearch/security/internal_users.yml b/dynamite_nsm/confs/elasticsearch/security/internal_users.yml new file mode 100644 index 00000000..52069500 --- /dev/null +++ b/dynamite_nsm/confs/elasticsearch/security/internal_users.yml 
@@ -0,0 +1,56 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+ type: "internalusers"
+ config_version: 2
+
+# Define your internal users here
+
+## Demo users
+
+admin:
+ hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
+ reserved: true
+ backend_roles:
+ - "admin"
+ description: "Demo admin user"
+
+kibanaserver:
+ hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
+ reserved: true
+ description: "Demo kibanaserver user"
+
+kibanaro:
+ hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
+ reserved: false
+ backend_roles:
+ - "kibanauser"
+ - "readall"
+ attributes:
+ attribute1: "value1"
+ attribute2: "value2"
+ attribute3: "value3"
+ description: "Demo kibanaro user"
+
+logstash:
+ hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
+ reserved: false
+ backend_roles:
+ - "logstash"
+ description: "Demo logstash user"
+
+readall:
+ hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
+ reserved: false
+ backend_roles:
+ - "readall"
+ description: "Demo readall user"
+
+snapshotrestore:
+ hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
+ reserved: false
+ backend_roles:
+ - "snapshotrestore"
+ description: "Demo snapshotrestore user"
\ No newline at end of file
diff --git a/dynamite_nsm/confs/elasticsearch/security/nodes_dn.yml b/dynamite_nsm/confs/elasticsearch/security/nodes_dn.yml
new file mode 100644
index 00000000..7f8304cf
--- /dev/null
+++ b/dynamite_nsm/confs/elasticsearch/security/nodes_dn.yml
@@ -0,0 +1,8 @@
+_meta:
+ type: "nodesdn"
+ config_version: 2
+
+# Define nodesdn mapping name and corresponding values
+# cluster1:
+# nodes_dn:
+# - CN=*.example.com
diff --git a/dynamite_nsm/confs/elasticsearch/security/roles.yml b/dynamite_nsm/confs/elasticsearch/security/roles.yml
new file mode 100644
index 00000000..f4da9171
--- /dev/null
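Review bot: The `## Demo users` block ships fixed bcrypt hashes for `admin`, `kibanaserver`, `kibanaro`, `logstash`, `readall` and `snapshotrestore`; these look like the stock Open Distro demo entries, whose passwords are publicly documented, so a deployment that keeps this file unchanged is reachable with known credentials, and `admin` is mapped to `all_access` in the roles_mapping added by the same commit. The installer should regenerate at least the `admin` and `kibanaserver` hashes with `plugin/tools/hash.sh` from a randomly generated secret before the cluster first starts, and the accounts this diff gives no use for (`kibanaro`, `logstash`, `readall`, `snapshotrestore`) could be dropped rather than shipped as spare credentials. If `reserved: true` has its usual meaning here, the `admin` and `kibanaserver` entries cannot be rotated through the security REST API afterwards, so the replacement has to happen in this file before it is loaded. A header comment would make the expectation explicit: `# WARNING: demo hashes - dynamite-nsm must replace every hash below before first start`.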
+++ b/dynamite_nsm/confs/elasticsearch/security/roles.yml 
@@ -0,0 +1,130 @@ +_meta: + type: "roles" + config_version: 2 + +# Restrict users so they can only view visualization and dashboard on kibana +kibana_read_only: + reserved: true + +# The security REST API access role is used to assign specific users access to change the security settings through the REST API. +security_rest_api_access: + reserved: true + +# Allows users to view monitors, destinations and alerts +alerting_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/alerts/get' + - 'cluster:admin/opendistro/alerting/destination/get' + - 'cluster:admin/opendistro/alerting/monitor/get' + - 'cluster:admin/opendistro/alerting/monitor/search' + +# Allows users to view and acknowledge alerts +alerting_ack_alerts: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/alerts/*' + +# Allows users to use all alerting functionality +alerting_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opendistro/alerting/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/get' + +# Allow users to read Anomaly Detection detectors and results +anomaly_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/ad/detector/info' + - 'cluster:admin/opendistro/ad/detector/search' + - 'cluster:admin/opendistro/ad/detectors/get' + - 'cluster:admin/opendistro/ad/result/search' + - 'cluster:admin/opendistro/ad/tasks/search' + +# Allows users to use all Anomaly Detection functionality +anomaly_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opendistro/ad/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/get' + +# Allows users to read Notebooks +notebooks_read_access: + reserved: true + cluster_permissions: + - 
'cluster:admin/opendistro/notebooks/list' + - 'cluster:admin/opendistro/notebooks/get' + +# Allows users to all Notebooks functionality +notebooks_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/notebooks/create' + - 'cluster:admin/opendistro/notebooks/update' + - 'cluster:admin/opendistro/notebooks/delete' + - 'cluster:admin/opendistro/notebooks/get' + - 'cluster:admin/opendistro/notebooks/list' + +# Allows users to read and download Reports +reports_instances_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + +# Allows users to read and download Reports and Report-definitions +reports_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/definition/get' + - 'cluster:admin/opendistro/reports/definition/list' + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + +# Allows users to all Reports functionality +reports_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/definition/create' + - 'cluster:admin/opendistro/reports/definition/update' + - 'cluster:admin/opendistro/reports/definition/on_demand' + - 'cluster:admin/opendistro/reports/definition/delete' + - 'cluster:admin/opendistro/reports/definition/get' + - 'cluster:admin/opendistro/reports/definition/list' + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + +# Allows users to use all asynchronous-search functionality +asynchronous_search_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/asynchronous_search/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 
'indices:data/read/search*' + +# Allows users to read stored asynchronous-search results +asynchronous_search_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/asynchronous_search/get' \ No newline at end of file diff --git a/dynamite_nsm/confs/elasticsearch/security/roles_mapping.yml b/dynamite_nsm/confs/elasticsearch/security/roles_mapping.yml new file mode 100644 index 00000000..d5acdedc --- /dev/null +++ b/dynamite_nsm/confs/elasticsearch/security/roles_mapping.yml @@ -0,0 +1,49 @@ +--- +# In this file users, backendroles and hosts can be mapped to Open Distro Security roles. +# Permissions for Opendistro roles are configured in roles.yml + +_meta: + type: "rolesmapping" + config_version: 2 + +# Define your roles mapping here + +## Demo roles mapping + +all_access: + reserved: false + backend_roles: + - "admin" + description: "Maps admin to all_access" + +own_index: + reserved: false + users: + - "*" + description: "Allow full access to an index named like the username" + +logstash: + reserved: false + backend_roles: + - "logstash" + +kibana_user: + reserved: false + backend_roles: + - "kibanauser" + description: "Maps kibanauser to kibana_user" + +readall: + reserved: false + backend_roles: + - "readall" + +manage_snapshots: + reserved: false + backend_roles: + - "snapshotrestore" + +kibana_server: + reserved: true + users: + - "kibanaserver" diff --git a/dynamite_nsm/confs/elasticsearch/security/tenants.yml b/dynamite_nsm/confs/elasticsearch/security/tenants.yml new file mode 100644 index 00000000..04104dce --- /dev/null +++ b/dynamite_nsm/confs/elasticsearch/security/tenants.yml @@ -0,0 +1,11 @@ +--- +_meta: + type: "tenants" + config_version: 2 + +# Define your tenants here + +## Demo tenants +admin_tenant: + reserved: false + description: "Demo tenant for admin user" 
diff --git a/dynamite_nsm/confs/elasticsearch/security/whitelist.yml b/dynamite_nsm/confs/elasticsearch/security/whitelist.yml new file mode 100644 index 00000000..53f9970f --- /dev/null +++ b/dynamite_nsm/confs/elasticsearch/security/whitelist.yml 
@@ -0,0 +1,69 @@ +--- +_meta: + type: "whitelist" + config_version: 2 + +# Description: +# enabled - feature flag. +# if enabled is false, the whitelisting feature is removed. +# This is like removing the check that checks if an API is whitelisted. +# This is equivalent to continuing with the usual access control checks, and removing all the code that implements whitelisting. +# if enabled is true, then all users except SuperAdmin can access only the APIs in requests +# SuperAdmin can access all APIs. +# SuperAdmin is defined by the SuperAdmin certificate, which is configured in the elasticsearch.yml setting: opendistro_security.authcz.admin_dn: +# Refer to the example setting in elasticsearch.yml.example, and the opendistro documentation to know more about configuring SuperAdmin. +# +# requests - map of whitelisted endpoints, and the whitelisted HTTP requests for those endpoints + +# Examples showing how to configure this yml file (make sure the _meta data from above is also there): +# Example 1: +# To enable whitelisting and whitelist GET /_cluster/settings +# +#config: +# enabled: true +# requests: +# /_cluster/settings: +# - GET +# +# Example 2: +# If you want to whitelist multiple request methods for /_cluster/settings (GET,PUT): +# +#config: +# enabled: true +# requests: +# /_cluster/settings: +# - GET +# - PUT +# +# Example 3: +# If you want to whitelist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards: +# +#config: +# enabled: true +# requests: +# /_cluster/settings: +# - GET +# - PUT +# /_cat/nodes: +# - GET +# /_cat/shards: +# - GET +# +# Example 4: +# If you want to disable the whitelisting feature, set enabled to false. +# enabled: false +# requests: +# /_cluster/settings: +# - GET +# +#At this point, all APIs become whitelisted because the feature to whitelist is off, so requests is irrelevant. + + +#this name must be config +config: + enabled: false + requests: + /_cluster/settings: + - GET + /_cat/nodes: + - GET 
diff --git a/dynamite_nsm/confs/filebeat/filebeat.yml b/dynamite_nsm/confs/filebeat/filebeat.yml
new file mode 100644
index 00000000..e22b9b89
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/filebeat.yml
@@ -0,0 +1,53 @@
+filebeat.config.modules:
+ path: ${path.config}/modules.d/*.yml
+ reload.enabled: false
+filebeat.inputs:
+- enabled: false
+ paths:
+ - /opt/dynamite/zeek/logs/current/*.log
+ - /opt/dynamite/suricata/logs/eve.json
+ type: log
+output.elasticsearch:
+ enabled: true
+ hosts:
+ - https://localhost:9200
+ password: admin
+ ssl:
+ certificate_authorities: []
+ verification_mode: none
+ username: admin
+output.kafka:
+ enabled: false
+ hosts:
+ - localhost:9092
+ ssl:
+ certificate_authorities: []
+ topic: dynamite_events
+output.logstash:
+ bulk_max_size: 2048
+ enabled: false
+ hosts:
+ - localhost:5044
+ loadbalance: false
+ pipelining: 2
+ ssl:
+ certificate_authorities: []
+output.redis:
+ bulk_max_size: 2048
+ db: 0
+ enabled: false
+ hosts:
+ - localhost:9092
+ loadbalance: false
+ ssl:
+ certificate_authorities: []
+ worker: 1
+processors:
+- add_fields:
+ fields:
+ originating_agent_tag: dynamite_nsm_agent
+setup.kibana:
+ enabled: false
+setup.template:
+ enabled: true
+ overwrite: true
diff --git a/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/suricata_alert.json b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/suricata_alert.json
new file mode 100644
index 00000000..f8eb7acd
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/suricata_alert.json
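Review bot: `output.elasticsearch` pairs `verification_mode: none` with an empty `certificate_authorities: []`, so the `https://localhost:9200` connection accepts any certificate and the TLS layer only encrypts without authenticating the peer, while the same block carries `username: admin` / `password: admin` in plaintext - the demo superuser whose backend role maps to `all_access` elsewhere in this commit. Prefer `verification_mode: full` with `certificate_authorities: ["<path to the cluster root CA>"]`, and a dedicated least-privilege writer account whose secret is read from the Filebeat keystore, e.g. `password: ${ES_PASSWORD}`. Separately, `output.redis.hosts` reuses `localhost:9092`, the exact value of the Kafka entry above it, which looks like a copy-paste (Redis conventionally listens on 6379); the block is disabled today, but the wrong default will surface for whoever flips `enabled: true`. If the installer rewrites these values at deploy time, a one-line comment saying so would stop the next reader from assuming the shipped defaults are safe to run.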
@@ -0,0 +1,125 @@ +{ + "@timestamp": "2021-01-02T06:44:09.398Z", + "agent": { + "hostname": "sensor-dev", + "name": "sensor-dev", + "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e", + "type": "filebeat", + "ephemeral_id": "d25ef98c-b717-47de-b61e-71da4df4a2df", + "version": "7.9.2" + }, + "destination": { + "address": "172.16.23.255", + "port": 57621, + "bytes": 0, + "ip": "172.16.23.255", + "packets": 0 + }, + "ecs": { + "version": "1.5.0" + }, + "event": { + "severity": 3, + "original": "{\"timestamp\":\"2021-01-02T01:44:09.398482-0500\",\"flow_id\":918014348514287,\"in_iface\":\"ens37\",\"event_type\":\"alert\",\"src_ip\":\"172.16.23.1\",\"src_port\":57621,\"dest_ip\":\"172.16.23.255\",\"dest_port\":57621,\"proto\":\"UDP\",\"community_id\":\"1:MAZK8VOhlED0IWtc4eWEUm\\/Gb8A=\",\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2027397,\"rev\":1,\"signature\":\"ET POLICY Spotify P2P Client\",\"category\":\"Not Suspicious Traffic\",\"severity\":3,\"metadata\":{\"updated_at\":[\"2019_05_30\"],\"signature_severity\":[\"Minor\"],\"performance_impact\":[\"Low\"],\"deployment\":[\"Internal\"],\"created_at\":[\"2019_05_30\"],\"attack_target\":[\"Client_Endpoint\"],\"affected_product\":[\"Windows_Client_Apps\"]}},\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":471,\"pkts_toclient\":0,\"bytes_toserver\":40506,\"bytes_toclient\":0,\"start\":\"2021-01-01T21:49:08.152559-0500\"}}", + "created": "2021-01-15T03:34:20.671Z", + "kind": "alert", + "module": "suricata", + "start": "2021-01-02T02:49:08.152Z", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "allowed" + ], + "dataset": "suricata.eve" + }, + "fields": { + "originating_agent_tag": "sensordev_agt" + }, + "fileset": { + "name": "eve" + }, + "host": { + "name": "sensor-dev" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/opt/dynamite/suricata/logs/eve.json" + }, + "offset": 14848090 + }, + "message": "Not Suspicious Traffic", + "network": { + "community_id": 
"1:MAZK8VOhlED0IWtc4eWEUm/Gb8A=", + "bytes": 40506, + "transport": "udp", + "packets": 471 + }, + "related": { + "ip": [ + "172.16.23.1", + "172.16.23.255" + ] + }, + "rule": { + "name": "ET POLICY Spotify P2P Client", + "id": "2027397", + "category": "Not Suspicious Traffic" + }, + "service": { + "type": "suricata" + }, + "source": { + "address": "172.16.23.1", + "port": 57621, + "bytes": 40506, + "ip": "172.16.23.1", + "packets": 471 + }, + "suricata": { + "eve": { + "in_iface": "ens37", + "community_id": "1:MAZK8VOhlED0IWtc4eWEUm/Gb8A=", + "event_type": "alert", + "alert": { + "metadata": { + "performance_impact": [ + "Low" + ], + "affected_product": [ + "Windows_Client_Apps" + ], + "updated_at": [ + "2019_05_30" + ], + "attack_target": [ + "Client_Endpoint" + ], + "created_at": [ + "2019_05_30" + ], + "signature_severity": [ + "Minor" + ], + "deployment": [ + "Internal" + ] + }, + "signature_id": 2027397, + "rev": 1, + "gid": 1, + "signature": "ET POLICY Spotify P2P Client", + "category": "Not Suspicious Traffic" + }, + "flow_id": 918014348514287, + "flow": {} + } + }, + "tags": [ + "suricata" + ] +} \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_conn.json b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_conn.json new file mode 100644 index 00000000..94ebb267 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_conn.json 
@@ -0,0 +1,98 @@ +{ + "@timestamp": "2021-01-15T03:09:58.604Z", + "agent": { + "hostname": "sensor-dev", + "name": "sensor-dev", + "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e", + "ephemeral_id": "401fd4f5-0c05-4bbe-967c-89e7ba50a218", + "type": "filebeat", + "version": "7.9.2" + }, + "destination": { + "address": "224.0.0.251", + "port": 5353, + "bytes": 0, + "ip": "224.0.0.251", + "packets": 0, + "mac": "01:00:5e:00:00:fb" + }, + "ecs": { + "version": "1.5.0" + }, + "event": { + "kind": "event", + "created": "2021-01-15T03:10:11.676987153Z", + "module": "zeek", + "id": "Cheuyi0axMSZadhHg", + "category": [ + "network", + "network" + ], + "type": [ + "connection", + "start" + ], + "dataset": "zeek.connection" + }, + "fields": { + "originating_agent_tag": "sensordev_agt" + }, + "fileset": { + "name": "connection" + }, + "host": { + "name": "sensor-dev" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/opt/dynamite/zeek/logs/current/conn.log" + }, + "offset": 474 + }, + "network": { + "protocol": "dns", + "community_id": "1:L7sPAjk4l04Uq1b+1PF2pGezp/c=", + "bytes": 73, + "transport": "udp", + "packets": 1, + "direction": "outbound" + }, + "related": { + "ip": [ + "172.16.23.1", + "224.0.0.251" + ] + }, + "service": { + "type": "zeek" + }, + "source": { + "address": "172.16.23.1", + "port": 5353, + "bytes": 73, + "ip": "172.16.23.1", + "packets": 1, + "mac": "00:50:56:c0:00:01" + }, + "tags": [ + "zeek.connection", + "local_orig" + ], + "zeek": { + "session_id": "Cheuyi0axMSZadhHg", + "connection": { + "local_resp": false, + "community_id": "1:L7sPAjk4l04Uq1b+1PF2pGezp/c=", + "orientation": "multicast", + "local_orig": true, + "missed_bytes": 0, + "history": "D", + "state": "S0", + "state_message": "Connection attempt seen, no reply.", + "pcr": 1 + } + } +} \ No newline at end of file 
diff --git a/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_dhcp.json b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_dhcp.json new file mode 100644 index 00000000..75bbc73b --- /dev/null +++ b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_dhcp.json 
@@ -0,0 +1,108 @@ +{ + "@timestamp": "2021-01-12T20:08:18.367Z", + "agent": { + "hostname": "sensor-dev", + "name": "sensor-dev", + "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e", + "type": "filebeat", + "ephemeral_id": "437ed064-9295-43af-9e84-e5bb38665cd8", + "version": "7.9.2" + }, + "client": { + "address": "172.16.23.128" + }, + "destination": { + "address": "172.16.23.254", + "port": 67, + "ip": "172.16.23.254" + }, + "ecs": { + "version": "1.5.0" + }, + "event": { + "kind": "event", + "created": "2021-01-12T20:15:26.551936060Z", + "module": "zeek", + "id": "{0=CcO3R42oSYdJMEIeS5}", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol", + "info" + ], + "dataset": "zeek.dhcp" + }, + "fields": { + "originating_agent_tag": "sensordev_agt" + }, + "fileset": { + "name": "dhcp" + }, + "host": { + "name": "sensor-dev" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/opt/dynamite/zeek/logs/current/dhcp.log" + }, + "offset": 0 + }, + "network": { + "community_id": "1:fwVMujs9487i/LsEdet5jezcpFc=", + "protocol": "dhcp", + "name": "localdomain", + "transport": "udp" + }, + "related": { + "ip": [ + "172.16.23.128", + "172.16.23.254" + ] + }, + "server": { + "address": "172.16.23.254" + }, + "service": { + "type": "zeek" + }, + "source": { + "address": "172.16.23.128", + "port": 68, + "ip": "172.16.23.128" + }, + "tags": [ + "zeek.dhcp" + ], + "zeek": { + "session_id": [ + "CcO3R42oSYdJMEIeS5" + ], + "dhcp": { + "msg": { + "types": [ + "REQUEST", + "ACK" + ], + "origin": [ + "172.16.23.128", + "172.16.23.254" + ] + }, + "duration": 0, + "hostname": "sensor-dev", + "address": { + "server": "172.16.23.254", + "client": "172.16.23.128", + "assigned": "172.16.23.128", + "mac": "00:0c:29:c6:7e:2c" + }, + "lease_time": 1800, + "domain": "localdomain" + } + } +} \ No newline at end of file 
diff --git a/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_dns.json b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_dns.json new file mode 100644 index 00000000..191f7459 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_dns.json 
@@ -0,0 +1,102 @@ +{ + "@timestamp": "2021-01-12T19:59:52.595Z", + "agent": { + "hostname": "sensor-dev", + "name": "sensor-dev", + "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e", + "type": "filebeat", + "ephemeral_id": "437ed064-9295-43af-9e84-e5bb38665cd8", + "version": "7.9.2" + }, + "destination": { + "address": "224.0.0.251", + "port": 5353, + "ip": "224.0.0.251" + }, + "dns": { + "question": { + "registered_domain": "_tcp.local", + "top_level_domain": "local", + "name": "_spotify-connect._tcp.local", + "type": "PTR", + "class": "IN" + }, + "id": 0, + "type": "query" + }, + "ecs": { + "version": "1.5.0" + }, + "event": { + "original": "{\"ts\":1610481592.595331,\"uid\":\"CqfE721wPELl1yUjt7\",\"id.orig_h\":\"172.16.23.1\",\"id.orig_p\":5353,\"id.resp_h\":\"224.0.0.251\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_spotify-connect._tcp.local\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":12,\"qtype_name\":\"PTR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"rejected\":false,\"community_id\":\"1:L7sPAjk4l04Uq1b+1PF2pGezp/c=\"}", + "created": "2021-01-12T20:15:19.225Z", + "kind": "event", + "module": "zeek", + "id": "CqfE721wPELl1yUjt7", + "type": [ + "connection", + "info", + "protocol" + ], + "category": [ + "network" + ], + "dataset": "zeek.dns" + }, + "fields": { + "originating_agent_tag": "sensordev_agt" + }, + "fileset": { + "name": "dns" + }, + "host": { + "name": "sensor-dev" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/opt/dynamite/zeek/logs/current/dns.log" + }, + "offset": 0 + }, + "network": { + "community_id": "1:L7sPAjk4l04Uq1b+1PF2pGezp/c=", + "transport": "udp" + }, + "related": { + "ip": [ + "172.16.23.1", + "224.0.0.251" + ] + }, + "service": { + "type": "zeek" + }, + "source": { + "address": "172.16.23.1", + "port": 5353, + "ip": "172.16.23.1" + }, + "tags": [ + "zeek.dns" + ], + "zeek": { + "dns": { + "AA": false, + "qclass_name": "C_INTERNET", + "RD": false, + 
"community_id": "1:L7sPAjk4l04Uq1b+1PF2pGezp/c=", + "qtype_name": "PTR", + "qtype": 12, + "rejected": false, + "query": "_spotify-connect._tcp.local", + "trans_id": 0, + "qclass": 1, + "TC": false, + "RA": false + }, + "session_id": "CqfE721wPELl1yUjt7" + } +} \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_files.json b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_files.json new file mode 100644 index 00000000..e73fa9af --- /dev/null +++ b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_files.json 
@@ -0,0 +1,102 @@ +{ + "@timestamp": "2021-01-18T19:58:25.728Z", + "agent": { + "hostname": "sensor-dev", + "name": "sensor-dev", + "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e", + "ephemeral_id": "9b5aa2d4-1b54-4c25-bd2d-61cd592d34f4", + "type": "filebeat", + "version": "7.9.2" + }, + "client": { + "ip": "192.168.194.128" + }, + "ecs": { + "version": "1.5.0" + }, + "event": { + "kind": "event", + "created": "2021-01-18T19:58:34.279540379Z", + "module": "zeek", + "id": "C4AHgq1UaIgSiE12C4", + "category": [ + "file" + ], + "type": [ + "info" + ], + "dataset": "zeek.files" + }, + "fields": { + "originating_agent_tag": "sensordev_agt" + }, + "file": { + "mime_type": "application/x-x509-user-cert", + "hash": { + "sha1": "6d3c6aa45f46eb8bb6fb8f0844020161a025c3c8", + "md5": "329956dbb75e522e0931d34576914a1d" + } + }, + "fileset": { + "name": "files" + }, + "host": { + "name": "sensor-dev" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/opt/dynamite/zeek/logs/current/files.log" + }, + "offset": 1077 + }, + "related": { + "ip": [ + "44.227.11.155", + "192.168.194.128" + ], + "hash": [ + "329956dbb75e522e0931d34576914a1d", + "6d3c6aa45f46eb8bb6fb8f0844020161a025c3c8" + ] + }, + "server": { + "ip": "44.227.11.155" + }, + "service": { + "type": "zeek" + }, + "tags": [ + "zeek.files" + ], + "zeek": { + "files": { + "session_ids": [ + "C4AHgq1UaIgSiE12C4" + ], + "timedout": false, + "local_orig": false, + "tx_host": "44.227.11.155", + "source": "SSL", + "is_orig": false, + "overflow_bytes": 0, + "duration": 0, + "sha1": "6d3c6aa45f46eb8bb6fb8f0844020161a025c3c8", + "depth": 0, + "analyzers": [ + "SHA1", + "X509", + "MD5" + ], + "mime_type": "application/x-x509-user-cert", + "rx_host": "192.168.194.128", + "fuid": "F8TQ9LErOrU0jX7i3", + "seen_bytes": 1766, + "missing_bytes": 0, + "md5": "329956dbb75e522e0931d34576914a1d" + }, + "session_id": "C4AHgq1UaIgSiE12C4" + } +} \ No newline at end of file 
diff --git a/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_http.json b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_http.json new file mode 100644 index 00000000..7b0bfda9 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_http.json 
@@ -0,0 +1,156 @@ +{ + "@timestamp": "2021-01-18T19:58:25.832Z", + "agent": { + "hostname": "sensor-dev", + "name": "sensor-dev", + "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e", + "ephemeral_id": "9b5aa2d4-1b54-4c25-bd2d-61cd592d34f4", + "type": "filebeat", + "version": "7.9.2" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + } + }, + "as": { + "number": 15133, + "organization": { + "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + } + }, + "address": "72.21.91.29", + "port": 80, + "ip": "72.21.91.29" + }, + "ecs": { + "version": "1.5.0" + }, + "event": { + "kind": "event", + "created": "2021-01-18T19:58:34.280666497Z", + "module": "zeek", + "action": "post", + "id": "CMcIc31sqwZSUKQP5j", + "category": [ + "network", + "web" + ], + "type": [ + "connection", + "info", + "protocol" + ], + "dataset": "zeek.http", + "outcome": "success" + }, + "fields": { + "originating_agent_tag": "sensordev_agt" + }, + "fileset": { + "name": "http" + }, + "host": { + "name": "sensor-dev" + }, + "http": { + "request": { + "method": "POST", + "body": { + "bytes": 83 + } + }, + "response": { + "status_code": 200, + "body": { + "bytes": 471 + } + }, + "version": "1.1" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/opt/dynamite/zeek/logs/current/http.log" + }, + "offset": 2984 + }, + "network": { + "community_id": "1:V7YJnKQL1/XSRE6bx4UxmzX5NnA=", + "transport": "tcp" + }, + "related": { + "ip": [ + "192.168.194.128", + "72.21.91.29" + ] + }, + "service": { + "type": "zeek" + }, + "source": { + "address": "192.168.194.128", + "port": 34942, + "ip": "192.168.194.128" + }, + "tags": [ + "zeek.http" + ], + "url": { + "original": "/", + "port": 80, + "domain": "ocsp.digicert.com" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0", + "os": { + 
"name": "Ubuntu" + }, + "name": "Firefox", + "device": { + "name": "Other" + }, + "version": "84.0." + }, + "zeek": { + "http": { + "uri_vars": [ + "/" + ], + "resp_mime_types": [ + "application/ocsp-response" + ], + "client_header_names": [ + "HOST", + "USER-AGENT", + "ACCEPT", + "ACCEPT-LANGUAGE", + "ACCEPT-ENCODING", + "CONTENT-TYPE", + "CONTENT-LENGTH", + "CONNECTION" + ], + "community_id": "1:V7YJnKQL1/XSRE6bx4UxmzX5NnA=", + "trans_depth": 1, + "orig_fuids": [ + "FHbW6v2ACWtzPXSmn2" + ], + "status_msg": "OK", + "orig_mime_types": [ + "application/ocsp-request" + ], + "tags": [], + "resp_fuids": [ + "F8IRy32mB5ft7uqVx" + ] + }, + "session_id": "CMcIc31sqwZSUKQP5j" + } +} \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_pe.json b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_pe.json new file mode 100644 index 00000000..c25f50a8 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_pe.json 
@@ -0,0 +1,75 @@ +{ + "@timestamp": "2021-01-18T20:33:50.188Z", + "agent": { + "hostname": "sensor-dev", + "name": "sensor-dev", + "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e", + "type": "filebeat", + "ephemeral_id": "9b5aa2d4-1b54-4c25-bd2d-61cd592d34f4", + "version": "7.9.2" + }, + "ecs": { + "version": "1.5.0" + }, + "event": { + "kind": "event", + "created": "2021-01-18T20:33:55.433112556Z", + "module": "zeek", + "type": [ + "info" + ], + "category": [ + "file" + ], + "dataset": "zeek.pe" + }, + "fields": { + "originating_agent_tag": "sensordev_agt" + }, + "fileset": { + "name": "pe" + }, + "host": { + "name": "sensor-dev" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/opt/dynamite/zeek/logs/current/pe.log" + }, + "offset": 0 + }, + "service": { + "type": "zeek" + }, + "tags": [ + "zeek.pe" + ], + "zeek": { + "pe": { + "compile_time": "2006-04-29T09:56:31.000Z", + "uses_aslr": false, + "os": "Windows 95 or NT 4.0", + "subsystem": "WINDOWS_GUI", + "section_names": [ + ".text", + ".rdata", + ".data", + ".rsrc" + ], + "has_export_table": false, + "uses_dep": false, + "is_64bit": false, + "has_cert_table": true, + "has_debug_data": false, + "has_import_table": true, + "uses_seh": true, + "is_exe": true, + "machine": "I386", + "id": "FnhRQ63qMsSOfIGoWl", + "uses_code_integrity": false + } + } +} \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_ssh.json b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_ssh.json new file mode 100644 index 00000000..1801b974 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_ssh.json 
@@ -0,0 +1,95 @@ +{ + "@timestamp": "2021-01-18T20:25:14.252Z", + "agent": { + "hostname": "sensor-dev", + "name": "sensor-dev", + "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e", + "type": "filebeat", + "ephemeral_id": "9b5aa2d4-1b54-4c25-bd2d-61cd592d34f4", + "version": "7.9.2" + }, + "destination": { + "address": "192.168.194.128", + "port": 22, + "ip": "192.168.194.128" + }, + "ecs": { + "version": "1.5.0" + }, + "event": { + "kind": "event", + "created": "2021-01-18T20:25:23.314784943Z", + "module": "zeek", + "id": "CTmQup3tXKmgr92ECk", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "zeek.ssh", + "outcome": "success" + }, + "fields": { + "originating_agent_tag": "sensordev_agt" + }, + "fileset": { + "name": "ssh" + }, + "host": { + "name": "sensor-dev" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/opt/dynamite/zeek/logs/current/ssh.log" + }, + "offset": 0 + }, + "network": { + "protocol": "ssh", + "community_id": "1:9u7Q4Aw1yFu7z67axSzldRRGJJ4=", + "transport": "tcp" + }, + "related": { + "ip": [ + "192.168.194.1", + "192.168.194.128" + ] + }, + "service": { + "type": "zeek" + }, + "source": { + "address": "192.168.194.1", + "port": 49760, + "ip": "192.168.194.1" + }, + "tags": [ + "zeek.ssh" + ], + "zeek": { + "ssh": { + "server": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1", + "host_key": "24:c3:65:22:da:ed:29:48:80:ae:df:de:74:25:cb:b6", + "community_id": "1:9u7Q4Aw1yFu7z67axSzldRRGJJ4=", + "auth": { + "success": true, + "attempts": 1 + }, + "client": "SSH-2.0-OpenSSH_8.1", + "version": 2, + "algorithm": { + "cipher": "chacha20-poly1305@openssh.com", + "host_key": "ecdsa-sha2-nistp256", + "compression": "none", + "key_exchange": "curve25519-sha256", + "mac": "umac-64-etm@openssh.com" + } + }, + "session_id": "CTmQup3tXKmgr92ECk" + } +} \ No newline at end of file 
diff --git a/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_ssl.json b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_ssl.json new file mode 100644 index 00000000..f8c9d2d9 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_ssl.json 
@@ -0,0 +1,96 @@
+{
+ "@timestamp": "2021-01-18T19:19:19.760Z",
+ "agent": {
+ "hostname": "sensor-dev",
+ "name": "sensor-dev",
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e",
+ "ephemeral_id": "9b5aa2d4-1b54-4c25-bd2d-61cd592d34f4",
+ "type": "filebeat",
+ "version": "7.9.2"
+ },
+ "client": {
+ "address": "127.0.0.1"
+ },
+ "destination": {
+ "address": "127.0.0.1",
+ "port": 47763,
+ "ip": "127.0.0.1"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "event": {
+ "kind": [
+ "connection",
+ "protocol"
+ ],
+ "created": "2021-01-18T19:35:11.917623174Z",
+ "module": "zeek",
+ "id": "CgJFJV0S7TpYJkc1e",
+ "category": [
+ "network"
+ ],
+ "dataset": "zeek.ssl"
+ },
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "fileset": {
+ "name": "ssl"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "file": {
+ "path": "/opt/dynamite/zeek/logs/current/ssl.log"
+ },
+ "offset": 0
+ },
+ "network": {
+ "community_id": "1:MIn0vYshYL45/ZjBgofGuA/a4fY=",
+ "transport": "tcp"
+ },
+ "related": {
+ "ip": [
+ "127.0.0.1",
+ "127.0.0.1"
+ ]
+ },
+ "server": {
+ "address": "127.0.0.1"
+ },
+ "service": {
+ "type": "zeek"
+ },
+ "source": {
+ "address": "127.0.0.1",
+ "port": 60872,
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "zeek.ssl"
+ ],
+ "tls": {
+ "cipher": "TLS_ECDH_ANON_WITH_AES_256_CBC_SHA",
+ "established": false,
+ "curve": "secp384r1",
+ "resumed": false,
+ "version": "1.2",
+ "version_protocol": "tls"
+ },
+ "zeek": {
+ "session_id": "CgJFJV0S7TpYJkc1e",
+ "ssl": {
+ "cipher": "TLS_ECDH_ANON_WITH_AES_256_CBC_SHA",
+ "established": false,
+ "community_id": "1:MIn0vYshYL45/ZjBgofGuA/a4fY=",
+ "curve": "secp384r1",
+ "resumed": false,
+ "version": "TLSv12"
+ }
+ }
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_weird.json b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_weird.json
new file mode 100644
index 00000000..480c710a
--- /dev/null
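Review bot: `event.kind` in this zeek_ssl sample is the array `["connection", "protocol"]`, which is the value the zeek_ssh sample in the preceding hunk carries under `event.type` while its `event.kind` is the single keyword `"event"`. In ECS (the document declares `ecs.version` 1.5.0) `event.kind` is one keyword from a fixed set, so a pipeline step or detection rule that filters on `event.kind: event` will not see this record, and a strictly mapped index may reject it. If the sample is meant to show the expected ECS-normalised output it should read `"kind": "event"` with `"type": ["connection", "protocol"]` next to `"category": ["network"]`; if it was captured verbatim from the running pipeline, the pipeline is emitting the wrong field and that is what needs fixing.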
+++ b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_weird.json
@@ -0,0 +1,78 @@
+{
+ "@timestamp": "2021-01-13T17:02:32.864Z",
+ "agent": {
+ "hostname": "sensor-dev",
+ "name": "sensor-dev",
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e",
+ "ephemeral_id": "c6462bb8-8609-4620-bd3d-4f8a0cd4f025",
+ "type": "filebeat",
+ "version": "7.9.2"
+ },
+ "destination": {
+ "address": "224.0.0.251",
+ "port": 5353,
+ "ip": "224.0.0.251"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "event": {
+ "kind": "alert",
+ "created": "2021-01-13T17:02:35.501488569Z",
+ "module": "zeek",
+ "id": "CjSsHj4wXCoOPjhHll",
+ "category": [
+ "network"
+ ],
+ "type": [
+ "info"
+ ],
+ "dataset": "zeek.weird"
+ },
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "fileset": {
+ "name": "weird"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "file": {
+ "path": "/opt/dynamite/zeek/logs/current/weird.log"
+ },
+ "offset": 0
+ },
+ "related": {
+ "ip": [
+ "172.16.23.1",
+ "224.0.0.251"
+ ]
+ },
+ "rule": {
+ "name": "DNS_Conn_count_too_large"
+ },
+ "service": {
+ "type": "zeek"
+ },
+ "source": {
+ "address": "172.16.23.1",
+ "port": 5353,
+ "ip": "172.16.23.1"
+ },
+ "tags": [
+ "zeek.weird"
+ ],
+ "zeek": {
+ "weird": {
+ "peer": "dynamite-worker-ens37-7",
+ "name": "DNS_Conn_count_too_large",
+ "notice": false
+ },
+ "session_id": "CjSsHj4wXCoOPjhHll"
+ }
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_x509.json b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_x509.json
new file mode 100644
index 00000000..f555b91e
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/log_samples/elastic_ecs/zeek_x509.json
@@ -0,0 +1,90 @@
+{
+ "@timestamp": "2021-01-18T19:58:25.728Z",
+ "agent": {
+ "hostname": "sensor-dev",
+ "name": "sensor-dev",
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e",
+ "type": "filebeat",
+ "ephemeral_id": "9b5aa2d4-1b54-4c25-bd2d-61cd592d34f4",
+ "version": "7.9.2"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "event": {
+ "kind": "event",
+ "created": "2021-01-18T19:58:33.189116150Z",
+ "module": "zeek",
+ "id": "F8TQ9LErOrU0jX7i3",
+ "type": [
+ "info"
+ ],
+ "dataset": "zeek.x509"
+ },
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "fileset": {
+ "name": "x509"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "file": {
+ "path": "/opt/dynamite/zeek/logs/current/x509.log"
+ },
+ "offset": 0
+ },
+ "service": {
+ "type": "zeek"
+ },
+ "tags": [
+ "zeek.x509"
+ ],
+ "zeek": {
+ "x509": {
+ "san": {
+ "dns": [
+ "*.telemetry.mozilla.org",
+ "telemetry.mozilla.org"
+ ]
+ },
+ "certificate": {
+ "valid": {
+ "from": "2020-08-24T04:00:00.000Z",
+ "until": "2022-10-28T16:00:00.000Z"
+ },
+ "serial": "0CE6B5FD8FB1B07CD4D54CAEFE4DBF57",
+ "subject": {
+ "country": "US",
+ "organization": "Mozilla Corporation",
+ "locality": "Mountain View",
+ "state": "California",
+ "common_name": "*.telemetry.mozilla.org",
+ "organizational_unit": "Cloud Services"
+ },
+ "signature_algorithm": "sha256WithRSAEncryption",
+ "version": 3,
+ "key": {
+ "length": 2048,
+ "type": "rsa",
+ "algorithm": "rsaEncryption"
+ },
+ "issuer": {
+ "country": "US",
+ "organization": "DigiCert Inc",
+ "common_name": "DigiCert SHA2 Secure Server CA"
+ },
+ "exponent": "65537"
+ },
+ "basic_constraints": {
+ "certificate_authority": false
+ }
+ },
+ "session_id": "F8TQ9LErOrU0jX7i3"
+ }
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/log_samples/plain/suricata_alert.json b/dynamite_nsm/confs/filebeat/log_samples/plain/suricata_alert.json
new file mode 100644
index 00000000..55a8c3a6
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/log_samples/plain/suricata_alert.json
@@ -0,0 +1,30 @@
+{
+ "@timestamp": "2021-01-18T21:20:26.989Z",
+ "agent": {
+ "ephemeral_id": "d6350ebc-834c-446e-bdae-f37e1337c765",
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e",
+ "name": "sensor-dev",
+ "type": "filebeat",
+ "version": "7.9.2",
+ "hostname": "sensor-dev"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "offset": 112989789,
+ "file": {
+ "path": "/opt/dynamite/suricata/logs/eve.json"
+ }
+ },
+ "message": "{\"timestamp\":\"2021-01-18T16:20:24.899299-0500\",\"flow_id\":424175191242979,\"in_iface\":\"ens37\",\"event_type\":\"alert\",\"src_ip\":\"172.16.23.1\",\"src_port\":57621,\"dest_ip\":\"172.16.23.255\",\"dest_port\":57621,\"proto\":\"UDP\",\"community_id\":\"1:MAZK8VOhlED0IWtc4eWEUm\\/Gb8A=\",\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2027397,\"rev\":1,\"signature\":\"ET POLICY Spotify P2P Client\",\"category\":\"Not Suspicious Traffic\",\"severity\":3,\"metadata\":{\"updated_at\":[\"2019_05_30\"],\"signature_severity\":[\"Minor\"],\"performance_impact\":[\"Low\"],\"deployment\":[\"Internal\"],\"created_at\":[\"2019_05_30\"],\"attack_target\":[\"Client_Endpoint\"],\"affected_product\":[\"Windows_Client_Apps\"]}},\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":86,\"bytes_toclient\":0,\"start\":\"2021-01-18T16:20:24.899299-0500\"}}"
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_conn.json b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_conn.json
new file mode 100644
index 00000000..924b50d1
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_conn.json
@@ -0,0 +1,30 @@
+{
+ "@timestamp": "2021-01-18T20:51:29.900Z",
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "log": {
+ "offset": 44154,
+ "file": {
+ "path": "/opt/dynamite/zeek/logs/current/conn.log"
+ }
+ },
+ "message": "{\"ts\":1611002934.576912,\"uid\":\"CqTRYF2nRmEAo2YPcj\",\"id.orig_h\":\"192.168.194.1\",\"id.orig_p\":50152,\"id.resp_h\":\"192.168.194.128\",\"id.resp_p\":5000,\"proto\":\"tcp\",\"service\":\"http\",\"duration\":0.18938612937927246,\"orig_bytes\":871,\"resp_bytes\":161,\"conn_state\":\"SF\",\"local_orig\":true,\"local_resp\":true,\"missed_bytes\":0,\"history\":\"ShADadfF\",\"orig_pkts\":7,\"orig_ip_bytes\":1247,\"resp_pkts\":6,\"resp_ip_bytes\":481,\"orig_l2_addr\":\"00:50:56:c0:00:08\",\"resp_l2_addr\":\"00:0c:29:c6:7e:22\",\"community_id\":\"1:WvUW+MlQ1TFt1RX7ZBQgBvDqdF4=\",\"orientation\":\"internal\",\"pcr\":0.687984496124031}",
+ "input": {
+ "type": "log"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "agent": {
+ "version": "7.9.2",
+ "hostname": "sensor-dev",
+ "ephemeral_id": "d6350ebc-834c-446e-bdae-f37e1337c765",
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e",
+ "name": "sensor-dev",
+ "type": "filebeat"
+ }
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_dhcp.json b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_dhcp.json
new file mode 100644
index 00000000..037cbfbf
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_dhcp.json
@@ -0,0 +1,30 @@
+{
+ "@timestamp": "2021-01-18T20:59:59.928Z",
+ "agent": {
+ "ephemeral_id": "d6350ebc-834c-446e-bdae-f37e1337c765",
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e",
+ "name": "sensor-dev",
+ "type": "filebeat",
+ "version": "7.9.2",
+ "hostname": "sensor-dev"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "offset": 340,
+ "file": {
+ "path": "/opt/dynamite/zeek/logs/current/dhcp.log"
+ }
+ },
+ "message": "{\"ts\":1611003582.932836,\"uids\":[\"CLnwnD4N4WvFZX7Pmg\"],\"client_addr\":\"192.168.194.128\",\"server_addr\":\"192.168.194.254\",\"mac\":\"00:0c:29:c6:7e:22\",\"host_name\":\"sensor-dev\",\"domain\":\"localdomain\",\"assigned_addr\":\"192.168.194.128\",\"lease_time\":1800.0,\"msg_types\":[\"REQUEST\",\"ACK\"],\"duration\":0.0,\"msg_orig\":[\"192.168.194.128\",\"192.168.194.254\"]}"
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_dns.json b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_dns.json
new file mode 100644
index 00000000..e159f9ec
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_dns.json
@@ -0,0 +1,30 @@
+{
+ "@timestamp": "2021-01-18T20:51:29.899Z",
+ "agent": {
+ "version": "7.9.2",
+ "hostname": "sensor-dev",
+ "ephemeral_id": "d6350ebc-834c-446e-bdae-f37e1337c765",
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e",
+ "name": "sensor-dev",
+ "type": "filebeat"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "offset": 25324,
+ "file": {
+ "path": "/opt/dynamite/zeek/logs/current/dns.log"
+ }
+ },
+ "message": "{\"ts\":1611002938.817571,\"uid\":\"CBcBl62nZ1ilbz9b75\",\"id.orig_h\":\"192.168.194.128\",\"id.orig_p\":34779,\"id.resp_h\":\"192.168.194.2\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":57080,\"query\":\"ec2-54-152-182-23.compute-1.amazonaws.com\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":28,\"qtype_name\":\"AAAA\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":false,\"Z\":0,\"rejected\":false,\"auth\":[\"dns-external-master.amazon.com\"],\"community_id\":\"1:2XhDk1Fa9j4UKQjQU/I6LR0+TlY=\"}"
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_files.json b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_files.json
new file mode 100644
index 00000000..b51a93b1
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_files.json
@@ -0,0 +1,30 @@
+{
+ "@timestamp": "2021-01-18T20:51:29.901Z",
+ "agent": {
+ "ephemeral_id": "d6350ebc-834c-446e-bdae-f37e1337c765",
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e",
+ "name": "sensor-dev",
+ "type": "filebeat",
+ "version": "7.9.2",
+ "hostname": "sensor-dev"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "offset": 91259,
+ "file": {
+ "path": "/opt/dynamite/zeek/logs/current/files.log"
+ }
+ },
+ "message": "{\"ts\":1611002935.072792,\"fuid\":\"F6kpKK1wmgLSVbWbCf\",\"tx_hosts\":[\"192.168.194.128\"],\"rx_hosts\":[\"54.152.182.23\"],\"conn_uids\":[\"CeNJiK1MYVTfTEy7t3\"],\"source\":\"HTTP\",\"depth\":0,\"analyzers\":[\"SHA1\",\"MD5\"],\"mime_type\":\"text/json\",\"duration\":0.0,\"local_orig\":true,\"is_orig\":true,\"seen_bytes\":3261,\"total_bytes\":3261,\"missing_bytes\":0,\"overflow_bytes\":0,\"timedout\":false,\"md5\":\"f42b9e0526362db67615fa54130bd109\",\"sha1\":\"74b9434bcfcc86945fa9f65ebecd21eead6f4ca9\"}"
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_http.json b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_http.json
new file mode 100644
index 00000000..dfd34d16
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_http.json
@@ -0,0 +1,30 @@
+{
+ "@timestamp": "2021-01-18T20:51:29.900Z",
+ "agent": {
+ "name": "sensor-dev",
+ "type": "filebeat",
+ "version": "7.9.2",
+ "hostname": "sensor-dev",
+ "ephemeral_id": "d6350ebc-834c-446e-bdae-f37e1337c765",
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "file": {
+ "path": "/opt/dynamite/zeek/logs/current/http.log"
+ },
+ "offset": 75736
+ },
+ "message": "{\"ts\":1611002935.072792,\"uid\":\"CeNJiK1MYVTfTEy7t3\",\"id.orig_h\":\"192.168.194.128\",\"id.orig_p\":45828,\"id.resp_h\":\"54.152.182.23\",\"id.resp_p\":9200,\"trans_depth\":93,\"method\":\"POST\",\"host\":\"ec2-54-152-182-23.compute-1.amazonaws.com\",\"uri\":\"/_bulk\",\"version\":\"1.1\",\"user_agent\":\"Go-http-client/1.1\",\"request_body_len\":3261,\"response_body_len\":719,\"status_code\":200,\"status_msg\":\"OK\",\"tags\":[],\"orig_fuids\":[\"F6kpKK1wmgLSVbWbCf\"],\"orig_mime_types\":[\"text/json\"],\"resp_fuids\":[\"FVvRx71StXNI4tOtc6\"],\"resp_mime_types\":[\"text/json\"],\"client_header_names\":[\"HOST\",\"USER-AGENT\",\"CONTENT-LENGTH\",\"ACCEPT\",\"CONTENT-TYPE\",\"ACCEPT-ENCODING\"],\"uri_vars\":[\"/_bulk\"],\"community_id\":\"1:SwYW/rkejKmk+NZzBdNDAhxFye4=\"}"
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_ntp.json b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_ntp.json
new file mode 100644
index 00000000..1a5e9787
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_ntp.json
@@ -0,0 +1,30 @@
+{
+ "@timestamp": "2021-01-18T21:01:49.937Z",
+ "agent": {
+ "name": "sensor-dev",
+ "type": "filebeat",
+ "version": "7.9.2",
+ "hostname": "sensor-dev",
+ "ephemeral_id": "d6350ebc-834c-446e-bdae-f37e1337c765",
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "offset": 0,
+ "file": {
+ "path": "/opt/dynamite/zeek/logs/current/ntp.log"
+ }
+ },
+ "message": "{\"ts\":1611003705.600744,\"uid\":\"C5QtcE2VsQw479vLRg\",\"id.orig_h\":\"192.168.194.128\",\"id.orig_p\":37655,\"id.resp_h\":\"91.189.89.199\",\"id.resp_p\":123,\"version\":4,\"mode\":3,\"stratum\":0,\"poll\":1.0,\"precision\":1.0,\"root_delay\":0.0,\"root_disp\":0.0,\"ref_id\":\"\\\\x00\\\\x00\\\\x00\\\\x00\",\"ref_time\":0.0,\"org_time\":0.0,\"rec_time\":0.0,\"xmt_time\":1611003705.1389756,\"num_exts\":0,\"community_id\":\"1:f4nLNmBtwKBk/wkHaCtTZKMXj4I=\"}"
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_pe.json b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_pe.json
new file mode 100644
index 00000000..23e92981
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_pe.json
@@ -0,0 +1,30 @@
+{
+ "@timestamp": "2021-01-18T21:15:39.976Z",
+ "agent": {
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e",
+ "name": "sensor-dev",
+ "type": "filebeat",
+ "version": "7.9.2",
+ "hostname": "sensor-dev",
+ "ephemeral_id": "d6350ebc-834c-446e-bdae-f37e1337c765"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "offset": 0,
+ "file": {
+ "path": "/opt/dynamite/zeek/logs/current/pe.log"
+ }
+ },
+ "message": "{\"ts\":1611004537.196761,\"id\":\"FrwH7FGDquiAD3A05\",\"machine\":\"I386\",\"compile_ts\":1146304591.0,\"os\":\"Windows 95 or NT 4.0\",\"subsystem\":\"WINDOWS_GUI\",\"is_exe\":true,\"is_64bit\":false,\"uses_aslr\":false,\"uses_dep\":false,\"uses_code_integrity\":false,\"uses_seh\":true,\"has_import_table\":true,\"has_export_table\":false,\"has_cert_table\":true,\"has_debug_data\":false,\"section_names\":[\".text\",\".rdata\",\".data\",\".rsrc\"]}"
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_ssh.json b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_ssh.json
new file mode 100644
index 00000000..88ab0088
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_ssh.json
@@ -0,0 +1,30 @@
+{
+ "@timestamp": "2021-01-18T21:17:19.980Z",
+ "agent": {
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e",
+ "name": "sensor-dev",
+ "type": "filebeat",
+ "version": "7.9.2",
+ "hostname": "sensor-dev",
+ "ephemeral_id": "d6350ebc-834c-446e-bdae-f37e1337c765"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "offset": 0,
+ "file": {
+ "path": "/opt/dynamite/zeek/logs/current/ssh.log"
+ }
+ },
+ "message": "{\"ts\":1611004627.916861,\"uid\":\"CAMmwh4vfkG9rDxWcd\",\"id.orig_h\":\"192.168.194.1\",\"id.orig_p\":50448,\"id.resp_h\":\"192.168.194.128\",\"id.resp_p\":22,\"version\":2,\"auth_success\":true,\"auth_attempts\":1,\"client\":\"SSH-2.0-OpenSSH_8.1\",\"server\":\"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1\",\"cipher_alg\":\"chacha20-poly1305@openssh.com\",\"mac_alg\":\"umac-64-etm@openssh.com\",\"compression_alg\":\"none\",\"kex_alg\":\"curve25519-sha256\",\"host_key_alg\":\"ecdsa-sha2-nistp256\",\"host_key\":\"24:c3:65:22:da:ed:29:48:80:ae:df:de:74:25:cb:b6\",\"community_id\":\"1:ulqgDBoUWpI/RdAIXa6SjKc7/NM=\"}"
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_ssl.json b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_ssl.json
new file mode 100644
index 00000000..ce1a0dd2
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_ssl.json
@@ -0,0 +1,30 @@
+{
+ "@timestamp": "2021-01-18T20:54:59.913Z",
+ "agent": {
+ "type": "filebeat",
+ "version": "7.9.2",
+ "hostname": "sensor-dev",
+ "ephemeral_id": "d6350ebc-834c-446e-bdae-f37e1337c765",
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e",
+ "name": "sensor-dev"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "file": {
+ "path": "/opt/dynamite/zeek/logs/current/ssl.log"
+ },
+ "offset": 4525
+ },
+ "message": "{\"ts\":1611003289.640754,\"uid\":\"Cziisy4kt9npgmH5r5\",\"id.orig_h\":\"192.168.194.128\",\"id.orig_p\":57808,\"id.resp_h\":\"34.120.5.221\",\"id.resp_p\":443,\"version\":\"TLSv13\",\"cipher\":\"TLS_AES_128_GCM_SHA256\",\"curve\":\"x25519\",\"server_name\":\"getpocket.cdn.mozilla.net\",\"resumed\":true,\"established\":true,\"community_id\":\"1:2/GpHokLxGI4DX8P8yzhwENJS6U=\"}"
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_weird.json b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_weird.json
new file mode 100644
index 00000000..0c43237d
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_weird.json
@@ -0,0 +1,30 @@
+{
+ "@timestamp": "2021-01-18T20:51:39.901Z",
+ "agent": {
+ "ephemeral_id": "d6350ebc-834c-446e-bdae-f37e1337c765",
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e",
+ "name": "sensor-dev",
+ "type": "filebeat",
+ "version": "7.9.2",
+ "hostname": "sensor-dev"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "offset": 1115,
+ "file": {
+ "path": "/opt/dynamite/zeek/logs/current/weird.log"
+ }
+ },
+ "message": "{\"ts\":1611003091.593869,\"uid\":\"CTPN1o1UqvlukX3oVa\",\"id.orig_h\":\"192.168.194.1\",\"id.orig_p\":50193,\"id.resp_h\":\"192.168.194.128\",\"id.resp_p\":5000,\"name\":\"truncated_tcp_payload\",\"notice\":false,\"peer\":\"dynamite-worker-ens33-1\"}"
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_x509.json b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_x509.json
new file mode 100644
index 00000000..6f1c906c
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/log_samples/plain/zeek_x509.json
@@ -0,0 +1,30 @@
+{
+ "@timestamp": "2021-01-18T20:54:59.913Z",
+ "agent": {
+ "ephemeral_id": "d6350ebc-834c-446e-bdae-f37e1337c765",
+ "id": "6bf5192e-e2f1-49bb-ab7a-c04c26381e7e",
+ "name": "sensor-dev",
+ "type": "filebeat",
+ "version": "7.9.2",
+ "hostname": "sensor-dev"
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "fields": {
+ "originating_agent_tag": "sensordev_agt"
+ },
+ "host": {
+ "name": "sensor-dev"
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "offset": 6672,
+ "file": {
+ "path": "/opt/dynamite/zeek/logs/current/x509.log"
+ }
+ },
+ "message": "{\"ts\":1611003289.640754,\"id\":\"Fdh1rT3APObnkWG9P2\",\"certificate.version\":3,\"certificate.serial\":\"0E251F25CB1732E1835E0C4CF0EA7D4A\",\"certificate.subject\":\"CN=spocs.getpocket.com\",\"certificate.issuer\":\"CN=Amazon,OU=Server CA 1B,O=Amazon,C=US\",\"certificate.not_valid_before\":1590811200.0,\"certificate.not_valid_after\":1625068800.0,\"certificate.key_alg\":\"rsaEncryption\",\"certificate.sig_alg\":\"sha256WithRSAEncryption\",\"certificate.key_type\":\"rsa\",\"certificate.key_length\":2048,\"certificate.exponent\":\"65537\",\"san.dns\":[\"spocs.getpocket.com\"],\"basic_constraints.ca\":false}"
+}
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/suricata/README.md b/dynamite_nsm/confs/filebeat/module/suricata/README.md
new file mode 100644
index 00000000..402f37f4
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/suricata/README.md
@@ -0,0 +1,43 @@
+# Suricata module
+
+## Caveats
+
+* Original Suricata event shoved as is `suricata.eve.`
+
+## How to try the module from source
+
+Build Filebeat
+
+```
+cd x-pack/filebeat
+make mage
+mage build update
+./filebeat setup --modules=suricata -e -d "*" -c filebeat.yml -E 'setup.dashboards.directory=build/kibana'
+```
+
+Install Suricata (for MacOS with Brew)
+
+```
+brew install suricata --with-jansson
+```
+
+Configure it to generate the EVE JSON log. Edit `/usr/local/etc/suricata/suricata.yaml` and set
+
+```
+- eve-log:
+ enabled: yes
+```
+
+Start Suricata
+
+```
+sudo suricata -i en0 # optionally more -i en1 -i en2...
+```
+
+Start the Suricata Filebeat module
+
+```
+./filebeat --modules=suricata -e -d "*" -c filebeat.yml
+```
+
+You can look for the Suricata saved searches and dashboards in Kibana.
diff --git a/dynamite_nsm/confs/filebeat/module/suricata/_meta/config.yml b/dynamite_nsm/confs/filebeat/module/suricata/_meta/config.yml
new file mode 100644
index 00000000..1556d5d0
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/suricata/_meta/config.yml
@@ -0,0 +1,8 @@
+- module: suricata
+ # All logs
+ eve:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/dynamite_nsm/confs/filebeat/module/suricata/_meta/docs.asciidoc b/dynamite_nsm/confs/filebeat/module/suricata/_meta/docs.asciidoc
new file mode 100644
index 00000000..08d5feb6
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/suricata/_meta/docs.asciidoc
@@ -0,0 +1,65 @@
+[role="xpack"]
+
+:modulename: suricata
+:has-dashboards: true
+
+== Suricata module
+
+This is a module to the Suricata IDS/IPS/NSM log. It parses logs that are in the
+https://suricata.readthedocs.io/en/latest/output/eve/eve-json-format.html[
+Suricata Eve JSON format].
+
+include::../include/what-happens.asciidoc[]
+
+include::../include/gs-link.asciidoc[]
+
+[float]
+=== Compatibility
+
+This module has been developed against Suricata v4.0.4, but is expected to work
+with other versions of Suricata.
+
+include::../include/configuring-intro.asciidoc[]
+
+This is an example of how to overwrite the default log file path.
+
+[source,yaml]
+----
+- module: suricata
+ eve:
+ enabled: true
+ var.paths: ["/my/path/suricata.json"]
+----
+
+:fileset_ex: eve
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `eve` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+[float]
+=== Example dashboard
+
+This module comes with sample dashboards. For example:
+
+[role="screenshot"]
+image::./images/filebeat-suricata-events.png[]
+
+[role="screenshot"]
+image::./images/filebeat-suricata-alerts.png[]
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
diff --git a/dynamite_nsm/confs/filebeat/module/suricata/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/suricata/_meta/fields.yml
new file mode 100644
index 00000000..59cd3817
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/suricata/_meta/fields.yml
@@ -0,0 +1,10 @@
+- key: suricata
+ title: Suricata
+ description: >
+ Module for handling the EVE JSON logs produced by Suricata.
+ fields:
+ - name: suricata
+ type: group
+ description: >
+ Fields from the Suricata EVE log file.
+ fields:
diff --git a/dynamite_nsm/confs/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-alert-overview.json b/dynamite_nsm/confs/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-alert-overview.json
new file mode 100644
index 00000000..bf71ad88
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-alert-overview.json
@@ -0,0 +1,983 @@ +{ + "objects": [ + { + "attributes": { + "description": "Overview of the Suricata Alerts dashboard.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "1", + "w": 23, + "x": 0, + "y": 4 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 26, + "i": "2", + "w": 25, + "x": 23, + "y": 0 + }, + "panelIndex": "2", + "panelRefName": "panel_1", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "3", + "w": 48, + "x": 0, + "y": 41 + }, + "panelIndex": "3", + "panelRefName": "panel_2", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "mapCenter": [ + 38.548165423046584, + -6.328125000000001 + ], + "mapZoom": 2 + }, + "gridData": { + "h": 15, + "i": "4", + "w": 23, + "x": 0, + "y": 26 + }, + "panelIndex": "4", + "panelRefName": "panel_3", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "mapCenter": [ + 41.77131167976407, + 1.9335937500000002 + ], + "mapZoom": 2 + }, + "gridData": { + "h": 15, + "i": "5", + "w": 25, + "x": 23, + "y": 26 + }, + "panelIndex": "5", + "panelRefName": "panel_4", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "7", + "w": 12, + "x": 11, + "y": 14 + }, + "panelIndex": "7", + "panelRefName": "panel_5", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "8", + "w": 11, + "x": 0, + "y": 14 + }, + "panelIndex": "8", + "panelRefName": "panel_6", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": 
"e86b7f30-96da-4f52-9ff0-cefcaadcc914", + "w": 23, + "x": 0, + "y": 0 + }, + "panelIndex": "e86b7f30-96da-4f52-9ff0-cefcaadcc914", + "panelRefName": "panel_7", + "version": "7.9.0-SNAPSHOT" + } + ], + "timeRestore": false, + "title": "[Filebeat Suricata] Alert Overview", + "version": 1 + }, + "id": "05268ee0-86d1-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "494fa290-86d2-11e8-b59d-21efb914e65c-ecs", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "16033310-86d3-11e8-b59d-21efb914e65c-ecs", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "panel_2", + "type": "search" + }, + { + "id": "85fed080-86d7-11e8-b59d-21efb914e65c-ecs", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "a09ca070-86d7-11e8-b59d-21efb914e65c-ecs", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "2ccdc1a0-86d8-11e8-b59d-21efb914e65c-ecs", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "c7b8b8f0-86d8-11e8-b59d-21efb914e65c-ecs", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "908e8c90-d296-11ea-90e3-8767fe7ccf14", + "name": "panel_7", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-07-30T19:13:51.743Z", + "version": "WzEwMTUsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Top Alerting Hosts [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 
1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-6y", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "host.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Top Alerting Hosts [Filebeat Suricata]", + "type": "histogram" + } + }, + "id": "494fa290-86d2-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } 
+ ], + "type": "visualization", + "updated_at": "2020-07-30T19:09:55.677Z", + "version": "WzkwNCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Top Alert Signatures [Filebeat Suricata]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Alert Signature", + "field": "rule.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 15 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Alert Category", + "field": "rule.category", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Top Alert Signatures [Filebeat Suricata]", + "type": "table" + } + }, + "id": "16033310-86d3-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-07-30T19:11:35.746Z", + "version": "Wzk0MywxXQ==" + }, + { + "attributes": { + 
"columns": [ + "host.name", + "suricata.eve.flow_id", + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "source.geo.country_iso_code", + "destination.geo.country_iso_code" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.kind", + "negate": false, + "params": { + "query": "alert" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "alert" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "suricata" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.module": { + "query": "suricata", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Alerts [Filebeat Suricata]", + "version": 1 + }, + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-07-30T18:46:18.887Z", + "version": "WzYyNiwxXQ==" + }, + { + "attributes": { + "description": 
"", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Alert - Source Location [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "field": "source.geo.location", + "isFilteredByCollar": true, + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "params": { + "addTooltip": true, + "colorSchema": "Yellow to Red", + "heatClusterSize": 1.5, + "isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Scaled Circle Markers", + "mapZoom": 2, + "wms": { + "baseLayersAreLoaded": {}, + "enabled": false, + "options": { + "format": "image/png", + "transparent": true + }, + "selectedTmsLayer": { + "attribution": "\u003cp\u003e\u0026#169; \u003ca href=\"http://www.openstreetmap.org/copyright\"\u003eOpenStreetMap\u003c/a\u003e contributors | \u003ca href=\"https://www.elastic.co/elastic-maps-service\"\u003eElastic Maps Service\u003c/a\u003e\u003c/p\u003e\u0026#10;", + "id": "road_map", + "maxZoom": 18, + "minZoom": 0, + "subdomains": [], + "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree\u0026my_app_name=kibana\u0026my_app_version=6.3.0\u0026license=fc9de2c1-5f06-4080-8dd0-8a334171d89a" + }, + "tmsLayers": [ + { + "attribution": "\u003cp\u003e\u0026#169; \u003ca href=\"http://www.openstreetmap.org/copyright\"\u003eOpenStreetMap\u003c/a\u003e contributors | \u003ca href=\"https://www.elastic.co/elastic-maps-service\"\u003eElastic Maps Service\u003c/a\u003e\u003c/p\u003e\u0026#10;", + "id": "road_map", + "maxZoom": 18, + "minZoom": 0, + "subdomains": [], + "url": 
"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree\u0026my_app_name=kibana\u0026my_app_version=6.3.0\u0026license=fc9de2c1-5f06-4080-8dd0-8a334171d89a" + } + ] + } + }, + "title": "Alert - Source Location [Filebeat Suricata]", + "type": "tile_map" + } + }, + "id": "85fed080-86d7-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-07-30T19:13:13.311Z", + "version": "Wzk5MCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Alert - Destination Location [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "field": "destination.geo.location", + "isFilteredByCollar": true, + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "params": { + "addTooltip": true, + "colorSchema": "Yellow to Red", + "heatClusterSize": 1.5, + "isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Scaled Circle Markers", + "mapZoom": 2, + "wms": { + "baseLayersAreLoaded": {}, + "enabled": false, + "options": { + "format": "image/png", + "transparent": true + }, + "selectedTmsLayer": { + "attribution": "\u003cp\u003e\u0026#169; \u003ca href=\"http://www.openstreetmap.org/copyright\"\u003eOpenStreetMap\u003c/a\u003e contributors | \u003ca href=\"https://www.elastic.co/elastic-maps-service\"\u003eElastic Maps 
Service\u003c/a\u003e\u003c/p\u003e\u0026#10;", + "id": "road_map", + "maxZoom": 18, + "minZoom": 0, + "subdomains": [], + "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree\u0026my_app_name=kibana\u0026my_app_version=6.3.0\u0026license=fc9de2c1-5f06-4080-8dd0-8a334171d89a" + }, + "tmsLayers": [ + { + "attribution": "\u003cp\u003e\u0026#169; \u003ca href=\"http://www.openstreetmap.org/copyright\"\u003eOpenStreetMap\u003c/a\u003e contributors | \u003ca href=\"https://www.elastic.co/elastic-maps-service\"\u003eElastic Maps Service\u003c/a\u003e\u003c/p\u003e\u0026#10;", + "id": "road_map", + "maxZoom": 18, + "minZoom": 0, + "subdomains": [], + "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree\u0026my_app_name=kibana\u0026my_app_version=6.3.0\u0026license=fc9de2c1-5f06-4080-8dd0-8a334171d89a" + } + ] + } + }, + "title": "Alert - Destination Location [Filebeat Suricata]", + "type": "tile_map" + } + }, + "id": "a09ca070-86d7-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-07-30T19:13:34.582Z", + "version": "WzEwMDQsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Alerts - Top Destination Countries [Filebeat Suricata]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Source Country", + 
"field": "destination.geo.country_iso_code", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 5, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Alerts - Top Destination Countries [Filebeat Suricata]", + "type": "table" + } + }, + "id": "2ccdc1a0-86d8-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-07-30T19:12:34.381Z", + "version": "Wzk2OSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Alerts - Top Source Countries [Filebeat Suricata]", + "uiStateJSON": { + "vis": { + "params": { + "sort": { + "columnIndex": null, + "direction": null + } + } + } + }, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Source Country", + "field": "source.geo.country_iso_code", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 5, + "percentageCol": "", + "showMetricsAtAllLevels": false, + "showPartialRows": false, + "showTotal": false, + "sort": { + 
"columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "Alerts - Top Source Countries [Filebeat Suricata]", + "type": "table" + } + }, + "id": "c7b8b8f0-86d8-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "1c2bcec0-86d1-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-07-30T19:12:12.735Z", + "version": "Wzk1NCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Navigation [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 18, + "markdown": "![Hello World](data:image/png;base64,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) [Events](/app/dashboards#/view/78289c40-86da-11e8-b59d-21efb914e65c-ecs) | [Alerts](/app/dashboards#/view/05268ee0-86d1-11e8-b59d-21efb914e65c-ecs)", + "openLinksInNewTab": false + }, + "title": "Navigation [Filebeat Suricata]", + "type": "markdown" + } + }, + "id": "908e8c90-d296-11ea-90e3-8767fe7ccf14", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-07-30T18:57:50.040Z", + "version": "Wzc1MywxXQ==" + } + ], + "version": "7.9.0-SNAPSHOT" +} \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-event-overview.json b/dynamite_nsm/confs/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-event-overview.json new file mode 100644 index 00000000..908f9839 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/suricata/_meta/kibana/7/dashboard/filebeat-suricata-event-overview.json 
@@ -0,0 +1,1293 @@ +{ + "objects": [ + { + "attributes": { + "description": "Overview of the Surcata events dashboard.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "1", + "w": 48, + "x": 0, + "y": 4 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "2", + "w": 9, + "x": 0, + "y": 24 + }, + "panelIndex": "2", + "panelRefName": "panel_1", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "3", + "w": 11, + "x": 19, + "y": 24 + }, + "panelIndex": "3", + "panelRefName": "panel_2", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 10, + "i": "4", + "w": 48, + "x": 0, + "y": 14 + }, + "panelIndex": "4", + "panelRefName": "panel_3", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 19, + "i": "5", + "w": 48, + "x": 0, + "y": 38 + }, + "panelIndex": "5", + "panelRefName": "panel_4", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "6", + "w": 9, + "x": 30, + "y": 24 + }, + "panelIndex": "6", + "panelRefName": "panel_5", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "7", + "w": 9, + "x": 39, + "y": 24 + }, + "panelIndex": "7", + "panelRefName": "panel_6", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 14, + "i": "8", + "w": 10, + "x": 9, + "y": 24 + }, + "panelIndex": "8", + "panelRefName": "panel_7", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + 
"i": "9", + "w": 48, + "x": 0, + "y": 57 + }, + "panelIndex": "9", + "panelRefName": "panel_8", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": { + "title": "" + }, + "gridData": { + "h": 4, + "i": "78f64fb8-a6ed-4960-a73b-a8c42c40f799", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "78f64fb8-a6ed-4960-a73b-a8c42c40f799", + "panelRefName": "panel_9", + "version": "7.9.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 4, + "i": "63e14057-b48b-48fe-b3e2-84f7690d60e8", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "63e14057-b48b-48fe-b3e2-84f7690d60e8", + "panelRefName": "panel_10", + "version": "7.9.0-SNAPSHOT" + } + ], + "timeRestore": false, + "title": "[Filebeat Suricata] Events Overview", + "version": 1 + }, + "id": "78289c40-86da-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "c7d46c60-86da-11e8-b59d-21efb914e65c-ecs", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "0a0aa630-86db-11e8-b59d-21efb914e65c-ecs", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "728f64c0-86db-11e8-b59d-21efb914e65c-ecs", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "9d5b5b50-86db-11e8-b59d-21efb914e65c-ecs", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "panel_4", + "type": "search" + }, + { + "id": "5f99eb50-86dc-11e8-b59d-21efb914e65c-ecs", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "8e7f88d0-86dc-11e8-b59d-21efb914e65c-ecs", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "0a363820-86dd-11e8-b59d-21efb914e65c-ecs", + "name": "panel_7", + "type": "visualization" + }, + { + "id": "d57a2db0-86ca-11e8-b59d-21efb914e65c-ecs", + "name": "panel_8", + "type": "search" + }, + { + "id": "908e8c90-d296-11ea-90e3-8767fe7ccf14", + "name": "panel_9", + "type": "visualization" + }, + { + "id": 
"169c0600-d297-11ea-90e3-8767fe7ccf14", + "name": "panel_10", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2020-07-30T19:08:06.676Z", + "version": "Wzg3MiwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Activity Types over Time [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-6y", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "suricata.eve.event_type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": 
{ + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Activity Types over Time [Filebeat Suricata]", + "type": "histogram" + } + }, + "id": "c7d46c60-86da-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-07-30T18:59:25.617Z", + "version": "Wzc2OCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Event Types [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "ECS Event Type", + "field": "event.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Suricata Event Type", + "field": "suricata.eve.event_type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + 
"type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "bottom", + "type": "pie" + }, + "title": "Event Types [Filebeat Suricata]", + "type": "pie" + } + }, + "id": "0a0aa630-86db-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-07-30T19:06:59.207Z", + "version": "Wzg1OCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Top Network Protocols [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "network.protocol", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "bottom", + "type": "pie" + }, + "title": "Top Network Protocols [Filebeat Suricata]", + "type": "pie" + } + }, + "id": "728f64c0-86db-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": 
"visualization", + "updated_at": "2020-07-30T18:49:07.711Z", + "version": "WzY3NSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Top Hosts Generating Events [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-6y", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "host.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "labels": { + "show": false + }, + "legendPosition": "right", + "seriesParams": [ + { + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + 
"type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "Top Hosts Generating Events [Filebeat Suricata]", + "type": "histogram" + } + }, + "id": "9d5b5b50-86db-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-07-30T18:59:45.518Z", + "version": "Wzc4MCwxXQ==" + }, + { + "attributes": { + "columns": [ + "host.name", + "suricata.eve.flow_id", + "network.transport", + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "destination.geo.region_name", + "destination.geo.country_iso_code" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.kind", + "negate": false, + "params": { + "query": "event" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "event" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "suricata" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.module": { + "query": "suricata", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Events [Filebeat Suricata]", + "version": 1 + }, + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-07-30T18:45:13.363Z", + "version": "WzYyMCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Top Connection Source Countries [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Top Connection Source Countries", + "field": "source.geo.country_iso_code", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Top Connection Source Countries [Filebeat Suricata]", + "type": "tagcloud" + } + }, + "id": "5f99eb50-86dc-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": 
"7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-07-30T18:49:36.842Z", + "version": "WzY4OCwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Top Connection Destination Countries [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Top Connection Destination Countries", + "field": "destination.geo.country_iso_code", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "scale": "linear", + "showLabel": false + }, + "title": "Top Connection Destination Countries [Filebeat Suricata]", + "type": "tagcloud" + } + }, + "id": "8e7f88d0-86dc-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-07-30T18:50:04.448Z", + "version": "WzcwNSwxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Top Transport Protocols [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 
1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "network.transport", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "bottom", + "type": "pie" + }, + "title": "Top Transport Protocols [Filebeat Suricata]", + "type": "pie" + } + }, + "id": "0a363820-86dd-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-07-30T18:48:19.957Z", + "version": "WzY0NiwxXQ==" + }, + { + "attributes": { + "columns": [ + "host.name", + "suricata.eve.stats.detect.alert", + "suricata.eve.stats.app_layer.flow.dns_udp", + "suricata.eve.stats.app_layer.flow.tls", + "suricata.eve.stats.app_layer.flow.http", + "suricata.eve.stats.app_layer.flow.ssh", + "suricata.eve.stats.tcp.sessions" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.kind", + "negate": false, + "params": { + "query": "metric" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.kind": "metric" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "suricata" + }, + "type": "phrase" + }, + "query": { + "match": { + "event.module": { + "query": "suricata", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Host Stats [Filebeat Suricata]", + "version": 1 + }, + "id": "d57a2db0-86ca-11e8-b59d-21efb914e65c-ecs", + "migrationVersion": { + "search": "7.4.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-07-30T18:45:50.678Z", + "version": "WzYyMywxXQ==" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Navigation [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 18, + "markdown": "![Hello 
World](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADwAAAAyCAYAAAAA9rgCAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAACXBIWXMAAJ17AACdewE8n3fEAAABWWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNS40LjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczp0aWZmPSJodHRwOi8vbnMuYWRvYmUuY29tL3RpZmYvMS4wLyI+CiAgICAgICAgIDx0aWZmOk9yaWVudGF0aW9uPjE8L3RpZmY6T3JpZW50YXRpb24+CiAgICAgIDwvcmRmOkRlc2NyaXB0aW9uPgogICA8L3JkZjpSREY+CjwveDp4bXBtZXRhPgpMwidZAAAN5UlEQVRoBe1ZeXCU5Rn/7b25s9nEHJAQAhggCIKCThFpFRXFa+yhTtVSndaZUvWPVjqt1bGHY6cdrVNq66C21UpbT7wwxqMjAh4oBCGQC8KRY7Ob3WQ3e9/9Pe/uh2ukrePM7h/oM2S/73ve87l+z/O+6NIkfIFI/wWSVYn6pcAnu8W/tPCXFj7JNPClS59kBv2UOF84Cxs/pYJ8M1jYHS/udIBOV1idF1ZgqWJ1Ov6jpFlKp1PqrVCCF07grLDJeBT+oX5Ex52wVk9DxYy5muwFeRbGn7LCphIx9G26A933noZ0KoFEyAvHe1uUAgoiLRcpiMCMWiVPYGQAvg/vg7lhFpLRIGL+cQxsuBTO95/PyCuKyTMVxqVFDoZtPBSAjivqjJUY/OfXYWlciXl370bVnMUZMXNiO19yF0bg7O6jXicgGJWKw1y3CG3rNsNcZlOonQtk+RJW5i2MwFnLBYcOQGeSZVNIx4eRSiblo6CU/xhmXIr1ktEwQke2Qm+lfPoixMcnEHQMZIQtQOxqWs27wBoMxYKTFHILLdwMmhdSb4RdR7V9FOyZd4G1EsNosUJfvATppI+opVe4HXFnBS4AWGkazbvAUlkJGYvLYKlZhnR0AqnIXpS2fgeRsV5Ibs4AluYL2tby88y/wLJvFcd6GIpsMNpWwFx9BUzl05Dw9SPgOCI9WIicRAJrohiLK5COuVA0/UyEht7m8xwMvvIA3TxBLxfdaz2VDvLyUxALazk2HvAQuHqRDPtgrVvKdBxFMngMrn3blXCFsHLeBdaOglGfB6HDj9Gl52Dyo9+w2rLSsnEYy5sI2uG8WPNEk+ZdYIlfId+RLlrXRUHLVS6OjOyEscSORGBUAdeJNpcPXt4F1tzZ270NejNFSEUodDOSoR7+uVExbw0q5yxVsun0WhLLh6iZOfNbWop1mZbiLDqCBzczD5cTjUMEqDLEJ/ahePpizLhwbVY68YT8C/yxhbk5FW/KBXPQUr4VL7sveUzlad/aM4u2WvwGRg4h5tpNC7dwbIzDo6qmrllykZo0LTW1WiZnXW05bU55apTLy33PRflP8LWB2cODXLPIFcsn9SsLkHOiKmgqb+o3R2pXN7KUt/f9zMlbXecYlFvrLWQZ+E7SaU/1NeXnBHOfcE9Thv23PkaxlgibjEV4IJ+guxlgKa/iJtjE/Jhg0S+KM1gs0BvNPOEk1EEgw2O5aDQhEQnRVeXkIwqiFq3Fak55jwUmMLFnIwxl4s5+SmmhkfthqroUxqJStU0ZG/W61VhzuZ2K+DjSZLzK0+SZSyvVGmo98YocZYiCDSYzDGY5nfDsHfRlqjjKY+I
47c7MKIPGmAeH23/BnPgRuxphbbgM827agAg30f3HFUiFBzDz+u2oXrAcQecg+jZeSOw5iJa178M+dxkOv/QgvJ3rmWJWUVEmVlGNsC26HA1nr4G3fw9io50w10odPcn5TUhFAWv9UqWYycE+HHvpXsTcO5Dw96P+4ifQeN63Zc9UZBDdD11LdO+AseIctN3yCkwsUQeevx/+nk1E+wbOGYLeVMGqrQN1qzdj+ooraZQ4+p74McJHH2Ho6NB2mwPWqlraNg3jeH8nDm5YAWM1PU2MGaN2PBtZFNxHA+mQCg2wUCBfWZC74KBU6KDicWa1sVQ8osamjHsRG3MhVsw09MFGRFx/gKmsCpVn3QH/gXuoDHpK0VJ6ElC14DzlUT33t2bPyPSGY0B0YkjNKT/RSQ9jvwP60oWcdzuiPrcSOObpReRgDywto9yhAQkWMuEuKmjFuBobD/gQGWmHztKGhGc/wuOjSmDZu9657XEY6CmG4jPQdM0WzPkhrbbilxxIPxYPpXfJX677yLVBLk/cX7qbbOdg5k2voXjO92CZ1gxn+62I+VwoaVyI6CCFXPoAXXkB21pR3XY2jr3+VxlGS1Wj9sLHMfv2DpQ2LVKblp+IxyFZjBasQoqGCHtGVFv9+bei5dZ2mCrPZbsHRTO+jzl3vQ7b/OWqXYqcpH+YIFmlvsNj1GSWjOGRfyurVi66EfVnXaLY9nnL1DPq92a6qatj2VqW5FX701hxbsxcjrozL0B583wc+P3DKu+aK+pQVNOE4tb5mH7+Dej7++1ovbkDcl3r2/eg0mPF6T9F06rrtdmVNwmWhJxHxCikpOgeYX6DYWWfm8nbnt3PMgwYHjWzUHfGKumoSBTDWyTukR5Irwo5+hVfagK9zlCiXCrqOaKY6RSvX/iX+eBqstJnIfaTvaUScRTZ6mCpv0G5vfq216Fs/ncJfPR1HhJKamcg5B5h3A1AlrK1natWkL5CGsCEHb1KaWkpVli0hB09ql1iMckwkpCSMElnxwmgCoVGD8mRW5HcsEQcexXwiXb1pXOuUA3+fb/D0LZnM6eWjFozIz7LL/vLEJV3Oam6lqUPEtRpnBjMFXakQ2N0MzeqWldi4MUN8O7fCpHfWsI/IrOQCg1RG+eQg0XEsRu6IqC0hZ7Hu7Dw6B6VNcRSmlKUlvktpNdL7KU5rluFXMms1cSM0xB1PosYUVv1qT/namqK2GxbhqGnvgF31ztcmGr7H5QRLmNRNQlLQhPXMhv1KqUEHUcQHP4Xgoy7dHE1TEVl0M2+EFtumw437Kg5cw2cww70HAQOyUWmiVJlSdO1hFPE+QIsZSsYmyupnFlITbyMOO+yFYmC+SJ/x4lyy1VwxLlTeURl6woYSlpY1QWY9sZUN31pXTMar25HzLGTqeMsDPxtOfzDh1RjbvFwfFK+GKkPMzWulb7BaApDo0D3oXG8tflpPPbzW9D+KvDiw0DJnAweHOjqw9NPAE/+6GKUNbQg0bwczz8J7PigHrHkx3GjVWeOESee+y2wzzUNxpoWDPtnQK7Agh5qSBFTDDeg7SHLVMge92wnCC9ESf1MClyrMkh4bEh14eVSGvXLVqPuskeYjt4nYhpw+On1qlFHF5HMIx6T9RqlUV+AwjGcvJGMfrtGUtjyFLCt413846pv4dieHaD3Yu32t1FT36DmMpkMqOBb1YIraRa6VCwMG79LSnj4133CTqr/6NAgBGpitlNha5iB/lgrHtsE9PQdUe1yQTIeSCPGsFd3B4orSO5AglhrqlqisMJinymYRwA8rHrotaWaV9+EiiU/Y3AnEex7Dp7eXZCLNzOtGScWRDN4ggDd9KVngI4tnCTLE2WIU1a3tGLWNZfAoPOjYv4CnHr64uw2KCMVy3WRYEUn2rOWlCjlxdxjiEdZiQixj3a6Gh3oRzlZRVYTxp0jKCu1giGP4f4+6cmxOuw8mMLmjQwLlyYFFeQ6DBO9z2gtZ/5lGuNaggPh0W41Si8
LaOjWdPE6ImkdzKxzIyO9iCWS2NcLvPAg4A5lJqVtYCDyMXUf/48puZ6h0VF/+nKsXrcekT2A640uHOraS26GpIgRUk9OVV5lFxxCiGYM+DKAkqSyZT/JRAJDXZ2wzwC6Nj+MXzdMw+G3noN9NgXu2qXaDQY9TPoUaEx4gh8L/FHnfjhCnHfoTfTePw2B/RtgtFcRyHYwvv3QS5xqtWtxdT30lSvRd4BaGw0hntLhg210HU6qXb9I6kgMkEEyWTN1q7xLFoiFgphJy1ZfuVJZ78C726XpOMm2JL+mGCf22jqUssYQBR7a26n6GMU0pMCkF67OdmJKDWLOYzA20gBDR2GqaYTrvWeoIK86eIiCZIQhGxLRcAi7dnyIN7cCr7yyH4QNTHqHacAapCd3IsKCRD/42qMY+7ADvtFB7Hj5eXS078BLr1GAyjrYaIVTzlgCKfG7dmxFJBhAV1YIK0OjsvoU2R+tolf/ZxPx+5Tl5p5/ubJnz6tPwj+RQVVRrNhYHTbicY6twcyLboGFgb3tT3eic9tbGDjQhd49uzHpGYfvPaIqq4obn9qJOzvduH7TVsRdgwjQMydYvoqvyJyiRA3oJicmEOp9DUbixyW/fRNr/uxGw9pd2NWdwAR5MQ+rr/Ej+/Didatx36omPHnZVXBsH0IjXantjKUqPS3+5s3KbXpefBS/+moN3nnobgS5yPwb1qOGriakeYiG6nPP+ooSzt2xG0f7iG6kFFFGvEBnJBBmC5vzrrsJXnqznNQ2XfM1/KTtNHS9s42bc4FeifJZ52LmvDaU2eyY2bYQRU3zIKXF2MgwfzOKljm1VDbucsK/n3m9zYbZCxbCZrejed4CONKL8PRfBPCOQj9WvgQ7Gac+7otpFPVrVuEHHd2wnVKrJr3g2htw/j13wfvuILwfRjDx7hAWrluLq25dr9rlJ84jJCs8SNEuq89onYcK4pXwOt9oly6q0pFIjU44lUcIb/Zpi7DurTeQjmRypHhSma0KQ33d8PC9vKEJJgEUkrWoCOWNpyrlD3bzpECSI6Ccv+S4KDR8sA9i+7KmxbAWC8Qx7Jg/G2Y1q3773mGNQXdIe6lRn9tNdzOirpGLEJ01N9FQc+hQP/xeL4qIro2zT4WBfaWPtIuLRUMhVlZm2OvqFc8z6kA8FmM/Az1hOibHPQj6/URQE6rYR0+g08b7vRNwO0a4OTNOmd6I4OQkIsQDa3EJbDWZsJHNjztHEY1EYCmykl8LWSPBNSwUTvp5ifhhhp2Z2GKvrZchioQv8xl4yFECaw3aU2rpzMV4Jj40obV2eWqbzeV9nvfctT7PeG3MZ92PElg6U4LMWMlb/JtK6lBBpmqZ0uf4+Bz+VN7U79z5j7cJU1tb9pMznzQd75fl/79vGSOU2+8/QDU5FFmyNvEAAAAASUVORK5CYII=) [Events](/app/dashboards#/view/78289c40-86da-11e8-b59d-21efb914e65c-ecs) | [Alerts](/app/dashboards#/view/05268ee0-86d1-11e8-b59d-21efb914e65c-ecs)", + "openLinksInNewTab": false + }, + "title": "Navigation [Filebeat Suricata]", + "type": "markdown" + } + }, + "id": "908e8c90-d296-11ea-90e3-8767fe7ccf14", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [], + "type": "visualization", + "updated_at": "2020-07-30T18:57:50.040Z", + "version": "Wzc1MywxXQ==" + }, + { + "attributes": { + "description": "", 
+ "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "Event Count [Filebeat Suricata]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Events" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 30, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "Event Count [Filebeat Suricata]", + "type": "metric" + } + }, + "id": "169c0600-d297-11ea-90e3-8767fe7ccf14", + "migrationVersion": { + "visualization": "7.8.0" + }, + "namespaces": [ + "default" + ], + "references": [ + { + "id": "13dd22f0-86cc-11e8-b59d-21efb914e65c-ecs", + "name": "search_0", + "type": "search" + } + ], + "type": "visualization", + "updated_at": "2020-07-30T19:02:39.133Z", + "version": "WzgyNCwxXQ==" + } + ], + "version": "7.9.0-SNAPSHOT" +} \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/suricata/eve/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/suricata/eve/_meta/fields.yml new file mode 100644 index 00000000..4cb834de --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/suricata/eve/_meta/fields.yml 
@@ -0,0 +1,751 @@ +- name: eve + type: group + description: > + Fields exported by the EVE JSON logs + fields: + - name: event_type + type: keyword + + - name: app_proto_orig + type: keyword + + - name: tcp + type: group + fields: + - name: tcp_flags + type: keyword + + - name: psh + type: boolean + + - name: tcp_flags_tc + type: keyword + + - name: ack + type: boolean + + - name: syn + type: boolean + + - name: state + type: keyword + + - name: tcp_flags_ts + type: keyword + + - name: rst + type: boolean + + - name: fin + type: boolean + + - name: fileinfo + type: group + fields: + - name: sha1 + type: keyword + + - name: filename + type: alias + path: file.path + + - name: tx_id + type: long + + - name: state + type: keyword + + - name: stored + type: boolean + + - name: gaps + type: boolean + + - name: sha256 + type: keyword + + - name: md5 + type: keyword + + - name: size + type: alias + path: file.size + + - name: icmp_type + type: long + + - name: dest_port + type: alias + path: destination.port + + - name: src_port + type: alias + path: source.port + + - name: proto + type: alias + path: network.transport + + - name: pcap_cnt + type: long + + - name: src_ip + type: alias + path: source.ip + + - name: dns + type: group + fields: + - name: type + type: keyword + + - name: rrtype + type: keyword + + - name: rrname + type: keyword + + - name: rdata + type: keyword + + - name: tx_id + type: long + + - name: ttl + type: long + + - name: rcode + type: keyword + + - name: id + type: long + + - name: flow_id + type: keyword + + - name: email + type: group + fields: + - name: status + type: keyword + + - name: dest_ip + type: alias + path: destination.ip + + - name: icmp_code + type: long + + - name: http + type: group + fields: + - name: status + type: alias + path: http.response.status_code + + - name: redirect + type: keyword + + - name: http_user_agent + type: alias + path: user_agent.original + + - name: protocol + type: keyword + + - name: http_refer + type: 
alias + path: http.request.referrer + + - name: url + type: alias + path: url.original + + - name: hostname + type: alias + path: url.domain + + - name: length + type: alias + path: http.response.body.bytes + + - name: http_method + type: alias + path: http.request.method + + - name: http_content_type + type: keyword + + - name: in_iface + type: keyword + + - name: alert + type: group + fields: + - name: metadata + type: flattened + description: Metadata about the alert. + + - name: category + type: keyword + + - name: severity + type: alias + path: event.severity + + - name: rev + type: long + + - name: gid + type: long + + - name: signature + type: keyword + + - name: action + type: alias + path: event.outcome + + - name: signature_id + type: long + + - name: ssh + type: group + fields: + - name: client + type: group + fields: + - name: proto_version + type: keyword + + - name: software_version + type: keyword + + - name: server + type: group + fields: + - name: proto_version + type: keyword + + - name: software_version + type: keyword + + - name: stats + type: group + fields: + - name: capture + type: group + fields: + - name: kernel_packets + type: long + + - name: kernel_drops + type: long + + - name: kernel_ifdrops + type: long + + - name: uptime + type: long + + - name: detect + type: group + fields: + - name: alert + type: long + + - name: http + type: group + fields: + - name: memcap + type: long + + - name: memuse + type: long + + - name: file_store + type: group + fields: + - name: open_files + type: long + + - name: defrag + type: group + fields: + - name: max_frag_hits + type: long + + - name: ipv4 + type: group + fields: + - name: timeouts + type: long + + - name: fragments + type: long + + - name: reassembled + type: long + + - name: ipv6 + type: group + fields: + - name: timeouts + type: long + + - name: fragments + type: long + + - name: reassembled + type: long + + - name: flow + type: group + fields: + - name: tcp_reuse + type: long + + - name: 
udp + type: long + + - name: memcap + type: long + + - name: emerg_mode_entered + type: long + + - name: emerg_mode_over + type: long + + - name: tcp + type: long + + - name: icmpv6 + type: long + + - name: icmpv4 + type: long + + - name: spare + type: long + + - name: memuse + type: long + + - name: tcp + type: group + fields: + - name: pseudo_failed + type: long + + - name: ssn_memcap_drop + type: long + + - name: insert_data_overlap_fail + type: long + + - name: sessions + type: long + + - name: pseudo + type: long + + - name: synack + type: long + + - name: insert_data_normal_fail + type: long + + - name: syn + type: long + + - name: memuse + type: long + + - name: invalid_checksum + type: long + + - name: segment_memcap_drop + type: long + + - name: overlap + type: long + + - name: insert_list_fail + type: long + + - name: rst + type: long + + - name: stream_depth_reached + type: long + + - name: reassembly_memuse + type: long + + - name: reassembly_gap + type: long + + - name: overlap_diff_data + type: long + + - name: no_flow + type: long + + - name: decoder + type: group + fields: + - name: avg_pkt_size + type: long + + - name: bytes + type: long + + - name: tcp + type: long + + - name: raw + type: long + + - name: ppp + type: long + + - name: vlan_qinq + type: long + + - name: 'null' + type: long + + - name: ltnull + type: group + fields: + - name: unsupported_type + type: long + + - name: pkt_too_small + type: long + + - name: invalid + type: long + + - name: gre + type: long + + - name: ipv4 + type: long + + - name: ipv6 + type: long + + - name: pkts + type: long + + - name: ipv6_in_ipv6 + type: long + + - name: ipraw + type: group + fields: + - name: invalid_ip_version + type: long + + - name: pppoe + type: long + + - name: udp + type: long + + - name: dce + type: group + fields: + - name: pkt_too_small + type: long + + - name: vlan + type: long + + - name: sctp + type: long + + - name: max_pkt_size + type: long + + - name: teredo + type: long + + - 
name: mpls + type: long + + - name: sll + type: long + + - name: icmpv6 + type: long + + - name: icmpv4 + type: long + + - name: erspan + type: long + + - name: ethernet + type: long + + - name: ipv4_in_ipv6 + type: long + + - name: ieee8021ah + type: long + + - name: dns + type: group + fields: + - name: memcap_global + type: long + + - name: memcap_state + type: long + + - name: memuse + type: long + + - name: flow_mgr + type: group + fields: + - name: rows_busy + type: long + + - name: flows_timeout + type: long + + - name: flows_notimeout + type: long + + - name: rows_skipped + type: long + + - name: closed_pruned + type: long + + - name: new_pruned + type: long + + - name: flows_removed + type: long + + - name: bypassed_pruned + type: long + + - name: est_pruned + type: long + + - name: flows_timeout_inuse + type: long + + - name: flows_checked + type: long + + - name: rows_maxlen + type: long + + - name: rows_checked + type: long + + - name: rows_empty + type: long + + - name: app_layer + type: group + fields: + - name: flow + type: group + fields: + - name: tls + type: long + + - name: ftp + type: long + + - name: http + type: long + + - name: failed_udp + type: long + + - name: dns_udp + type: long + + - name: dns_tcp + type: long + + - name: smtp + type: long + + - name: failed_tcp + type: long + + - name: msn + type: long + + - name: ssh + type: long + + - name: imap + type: long + + - name: dcerpc_udp + type: long + + - name: dcerpc_tcp + type: long + + - name: smb + type: long + + - name: tx + type: group + fields: + - name: tls + type: long + + - name: ftp + type: long + + - name: http + type: long + + - name: dns_udp + type: long + + - name: dns_tcp + type: long + + - name: smtp + type: long + + - name: ssh + type: long + + - name: dcerpc_udp + type: long + + - name: dcerpc_tcp + type: long + + - name: smb + type: long + + - name: tls + type: group + fields: + - name: notbefore + type: date + + - name: issuerdn + type: keyword + + - name: sni + type: 
keyword + + - name: version + type: keyword + + - name: session_resumed + type: boolean + + - name: fingerprint + type: keyword + + - name: serial + type: keyword + + - name: notafter + type: date + + - name: subject + type: keyword + + - name: ja3s + type: group + default_field: false + fields: + - name: string + type: keyword + - name: hash + type: keyword + + - name: ja3 + type: group + default_field: false + fields: + - name: string + type: keyword + - name: hash + type: keyword + + - name: app_proto_ts + type: keyword + + - name: flow + type: group + fields: + - name: bytes_toclient + type: alias + path: destination.bytes + + - name: start + type: alias + path: event.start + + - name: pkts_toclient + type: alias + path: destination.packets + + - name: age + type: long + + - name: state + type: keyword + + - name: bytes_toserver + type: alias + path: source.bytes + + - name: reason + type: keyword + + - name: pkts_toserver + type: alias + path: source.packets + + - name: alerted + type: boolean + + - name: app_proto + type: alias + path: network.protocol + + - name: tx_id + type: long + + - name: app_proto_tc + type: keyword + + - name: smtp + type: group + fields: + - name: rcpt_to + type: keyword + + - name: mail_from + type: keyword + + - name: helo + type: keyword + + - name: app_proto_expected + type: keyword + + - name: flags + type: group + fields: diff --git a/dynamite_nsm/confs/filebeat/module/suricata/eve/config/eve.yml b/dynamite_nsm/confs/filebeat/module/suricata/eve/config/eve.yml new file mode 100644 index 00000000..441eea8d --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/suricata/eve/config/eve.yml 
@@ -0,0 +1,66 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - drop_event:
+ when:
+ contains:
+ message: "stats"
+ - rename:
+ fields:
+ - {from: message, to: event.original}
+ - decode_json_fields:
+ fields: [event.original]
+ target: suricata.eve
+ - convert:
+ ignore_missing: true
+ fail_on_error: false
+ mode: rename
+ fields:
+ - {from: suricata.eve.src_ip, to: source.address}
+ - {from: suricata.eve.src_port, to: source.port, type: long}
+ - {from: suricata.eve.dest_ip, to: destination.address}
+ - {from: suricata.eve.dest_port, to: destination.port, type: long}
+ - {from: suricata.eve.proto, to: network.transport}
+ - {from: suricata.eve.flow_id, type: string}
+ - convert:
+ ignore_missing: true
+ fail_on_error: false
+ mode: copy
+ fields:
+ - {from: source.address, to: source.ip, type: ip}
+ - {from: destination.address, to: destination.ip, type: ip}
+ - {from: '@timestamp', to: event.created}
+ - timestamp:
+ field: suricata.eve.timestamp
+ layouts:
+ - '2006-01-02T15:04:05.999999999Z0700' # ISO8601
+ - drop_fields:
+ fields:
+ - event.original
+ - suricata.eve.timestamp
+{{ if .community_id }}
+ - community_id:
+{{ end }}
+ - registered_domain:
+ when:
+ or:
+ - equals.suricata.eve.dns.type: query
+ # V2 events always include the query data.
+ - equals.suricata.eve.dns.version: 2
+ ignore_missing: true
+ ignore_failure: true
+ field: suricata.eve.dns.rrname
+ target_field: dns.question.registered_domain
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/dns-answer-v1.yml b/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/dns-answer-v1.yml
new file mode 100644
index 00000000..b44d3ce8
--- /dev/null
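Review bot: The `drop_event` processor at the head of `processors:` matches `contains: message: "stats"` against the raw EVE line before `decode_json_fields` runs, so any event whose JSON merely contains the substring "stats" (a DNS name or HTTP URL with that text, for instance) is silently discarded, not only Suricata's `event_type: stats` records, which is a detection blind spot for an NSM feed. It also contradicts the rest of this commit: `pipeline.yml` maps `stats` to `event.kind: metric`, and the `Host Stats [Filebeat Suricata]` saved search earlier in the diff (columns `suricata.eve.stats.*`, filter `event.kind: metric`) visualises exactly the events dropped here. If stats are meant to be excluded, drop on the decoded field instead, placing `- drop_event: {when: {equals: {suricata.eve.event_type: stats}}}` after `decode_json_fields`; otherwise remove the processor so the dashboard has data.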
+++ b/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/dns-answer-v1.yml
@@ -0,0 +1,43 @@
+---
+description: Pipeline for Suricata DNS answers v1
+
+# Suricata DNS v1 events contain a single answer. Multiple events are created
+to represent all of the answers.
+processors:
+ - script:
+ lang: painless
+ tag: suricata_dns_answer_v1
+ source: |
+ def name = ctx?.suricata?.eve?.dns?.rrname;
+ def data = ctx?.suricata?.eve?.dns?.rdata;
+ def type = ctx?.suricata?.eve?.dns?.rrtype;
+ def ttl = ctx?.suricata?.eve?.dns?.ttl;
+
+ def answer = [:];
+ if (name != null) {
+ answer["name"] = name;
+ }
+ if (data != null) {
+ answer["data"] = data;
+ }
+ if (type != null) {
+ answer["type"] = type;
+ }
+ if (ttl != null) {
+ answer["ttl"] = ttl;
+ }
+ if (!answer.isEmpty()) {
+ ctx.dns.answers = [answer];
+ }
+
+ if (type == "A" || type == "AAAA") {
+ ctx.dns.resolved_ip = [data];
+ }
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in DNS v1 pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
diff --git a/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/dns-answer-v2.yml b/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/dns-answer-v2.yml
new file mode 100644
index 00000000..189798e1
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/dns-answer-v2.yml
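Review bot: `ctx.dns.resolved_ip = [data];` in the `suricata_dns_answer_v1` script is not protected by the `data != null` check that guards the answer map, so an A/AAAA record whose `rdata` is absent produces `dns.resolved_ip: [null]`, which the `foreach` in `dns.yml` then copies into `related.ip`. Guard it with `if (data != null && (type == "A" || type == "AAAA")) {`. The v2 script in `dns-answer-v2.yml` has the same gap at `resolvedIps.add(data);`. Separately, the second header comment appears here as `to represent all of the answers.` with no leading `#`; if that is how the file really reads rather than a page artifact, it is a bare scalar inside a top-level mapping and the YAML will not parse.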
@@ -0,0 +1,46 @@
+---
+description: Pipeline for Suricata DNS answers v2
+
+# Suricata DNS v2 events contain all answers in a single event.
+processors:
+ - rename:
+ field: suricata.eve.dns.answers
+ target_field: dns.answers
+ ignore_missing: true
+ - script:
+ if: ctx?.dns?.answers != null
+ lang: painless
+ tag: suricata_dns_answers_v2
+ source: |
+ def resolvedIps = new ArrayList();
+ for (def answer : ctx?.dns?.answers) {
+ // Normalize field names to match ECS.
+ def name = answer.remove("rrname");
+ if (name != null) {
+ answer["name"] = name;
+ }
+ def type = answer.remove("rrtype");
+ if (type != null) {
+ answer["type"] = type;
+ }
+ def data = answer.remove("rdata");
+ if (data != null) {
+ answer["data"] = data;
+ }
+
+ if (type == "A" || type == "AAAA") {
+ resolvedIps.add(data);
+ }
+ }
+
+ if (resolvedIps.size() > 0) {
+ ctx.dns.resolved_ip = resolvedIps;
+ }
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in DNS v2 pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
diff --git a/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/dns.yml b/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/dns.yml
new file mode 100644
index 00000000..edd15c1d
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/dns.yml
@@ -0,0 +1,97 @@
+---
+description: Pipeline for Suricata DNS Events
+
+processors:
+ - set:
+ field: dns.id
+ value: '{{suricata.eve.dns.id}}'
+ ignore_empty_value: true
+ - set:
+ field: dns.response_code
+ value: '{{suricata.eve.dns.rcode}}'
+ ignore_empty_value: true
+ - set:
+ field: dns.type
+ value: '{{suricata.eve.dns.type}}'
+ ignore_empty_value: true
+ - set:
+ # V2 events always include the query data.
+ if: >-
+ ctx?.dns?.type == "query" ||
+ ctx?.suricata?.eve?.dns?.version == 2
+ field: dns.question.name
+ value: '{{suricata.eve.dns.rrname}}'
+ ignore_empty_value: true
+ - set:
+ # V2 events always include the query data.
+ if: >-
+ ctx?.dns?.type == "query" ||
+ ctx?.suricata?.eve?.dns?.version == 2
+ field: dns.question.type
+ value: '{{suricata.eve.dns.rrtype}}'
+ ignore_empty_value: true
+ - pipeline:
+ if: >-
+ ctx?.dns?.type == "answer" &&
+ ctx?.suricata?.eve?.dns?.version == null
+ name: '{< IngestPipeline "dns-answer-v1" >}'
+ - pipeline:
+ if: >-
+ ctx?.dns?.type == "answer" &&
+ ctx?.suricata?.eve?.dns?.version == 2
+ name: '{< IngestPipeline "dns-answer-v2" >}'
+ - foreach:
+ field: dns.resolved_ip
+ ignore_missing: true
+ processor:
+ append:
+ field: related.ip
+ value:
+ - '{{_ingest._value}}'
+ allow_duplicates: false
+ - script:
+ if: ctx?.dns?.question?.registered_domain != null
+ tag: suricata_dns_top_level_domain
+ lang: painless
+ source: |
+ def rd = ctx.dns.question.registered_domain;
+ def firstDot = rd.indexOf(".");
+ if (firstDot == -1) {
+ return;
+ }
+ ctx.dns.question.top_level_domain = rd.substring(firstDot + 1);
+ - append:
+ if: ctx?.suricata?.eve?.dns?.aa == true
+ field: dns.header_flags
+ value: AA
+ - append:
+ if: ctx?.suricata?.eve?.dns?.tc == true
+ field: dns.header_flags
+ value: TC
+ - append:
+ if: ctx?.suricata?.eve?.dns?.rd == true
+ field: dns.header_flags
+ value: RD
+ - append:
+ if: ctx?.suricata?.eve?.dns?.ra == true
+ field: dns.header_flags
+ value: RA
+ - remove:
+ field:
+ - suricata.eve.dns.aa
+ - suricata.eve.dns.tc
+ - suricata.eve.dns.rd
+ - suricata.eve.dns.ra
+ - suricata.eve.dns.qr
+ - suricata.eve.dns.version
+ - suricata.eve.dns.flags
+ - suricata.eve.dns.grouped
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in DNS pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
diff --git a/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/pipeline.yml
new file mode 100644
index 00000000..a24a5df3
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/pipeline.yml
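Review bot: The `suricata_dns_top_level_domain` script overwrites `dns.question.top_level_domain` unconditionally, even though `eve.yml`'s `registered_domain` processor already fills that field through `target_etld_field` and is, from what is visible, the only producer of the `dns.question.registered_domain` the script keys on; the two values coincide for a well-formed registered domain, so this is a point of style rather than a bug. Making the script a true fallback keeps the processor's value authoritative: `if: ctx?.dns?.question?.registered_domain != null && ctx?.dns?.question?.top_level_domain == null`. A one-line comment above the script such as `# Fallback: derive the eTLD only when the Filebeat registered_domain processor did not set it` would record the intent for the next reader.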
@@ -0,0 +1,445 @@ +--- +description: Pipeline for parsing Suricata EVE logs + +processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + + - rename: + field: suricata.eve.ether.dest_mac + target_field: destination.mac + ignore_missing: true + - rename: + field: suricata.eve.ether.src_mac + target_field: source.mac + ignore_missing: true + + # Handle the different Suricata event types. + - lowercase: + field: suricata.eve.event_type + ignore_missing: true + - script: + tag: suricata_ecs_categorize + lang: painless + ignore_failure: true + params: + alert: + kind: alert + category: + - network + - intrusion_detection + dns: + type: + - protocol + network_protocol: dns + flow: + type: + - connection + ftp: + type: + - protocol + network_protocol: ftp + ftp_data: + type: + - protocol + network_protocol: ftp + http: + category: + - network + - web + type: + - access + - protocol + network_protocol: http + http2: + category: + - network + - web + type: + - access + - protocol + network_protocol: http + mqtt: + type: + - protocol + network_protocol: mqtt + smb: + type: + - protocol + network_protocol: smb + ssh: + type: + - protocol + network_protocol: ssh + stats: + kind: metric + tftp: + type: + - protocol + network_protocol: tftp + tls: + type: + - protocol + network_protocol: tls + rdp: + type: + - protocol + network_protocol: rdp + rfb: # RFB (Remote Framebuffer Protocol) + type: + - protocol + network_protocol: rdp + + source: | + ctx.event.kind = 'event'; + ctx.event.category = ['network']; + def type_params = params.get(ctx?.suricata?.eve?.event_type); + if (type_params == null) { + return; + } + type_params.forEach((k, v) -> { + if ('network_protocol' == k) { + if (ctx.network == null) { + ctx.network = ['protocol': v]; + } else { + ctx.network.protocol = v; + } + } else if (v instanceof List) { + ctx.event[k] = new ArrayList(v); + } else { + ctx.event[k] = v; + } + }); + + ## Anomaly and Alert + - lowercase: + field: suricata.eve.app_proto 
+ ignore_missing: true + - set: + if: ctx?.suricata?.eve?.app_proto == "ftp-data" + field: network.protocol + value: ftp + - set: + if: >- + ctx?.suricata?.eve?.app_proto != "failed" && + ctx?.suricata?.eve?.app_proto != "template" && + ctx?.suricata?.eve?.app_proto != "template-rust" + field: network.protocol + value: '{{suricata.eve.app_proto}}' + ignore_empty_value: true + ## HTTP + - set: + if: >- + ctx?.suricata?.eve?.event_type == "http" && + ctx?.suricata?.eve?.http?.status != null && + ctx?.suricata?.eve?.http?.status < 400 + field: event.outcome + value: success + - set: + if: >- + ctx?.suricata?.eve?.event_type == "http" && + ctx?.suricata?.eve?.http?.status != null && + ctx?.suricata?.eve?.http?.status >= 400 + field: event.outcome + value: failure + ## DNS + - pipeline: + if: >- + ctx?.network?.protocol == "dns" + name: '{< IngestPipeline "dns" >}' + ## TLS + - pipeline: + if: ctx?.network?.protocol == "tls" + name: '{< IngestPipeline "tls" >}' + ## Flow + - append: + if: ctx?.suricata?.eve?.flow?.state == "new" + field: event.type + value: + - start + - append: + if: ctx?.suricata?.eve?.flow?.state == "closed" + field: event.type + value: + - end + + + - set: + value: "{{suricata.eve.http.http_method}}" + field: http.request.method + if: "ctx?.suricata?.eve?.http?.http_method != null" + - rename: + field: suricata.eve.http.status + target_field: http.response.status_code + ignore_missing: true + - append: + if: ctx.suricata?.eve?.http?.hostname != null + value: '{{suricata.eve.http.hostname}}' + field: destination.domain + allow_duplicates: false + - remove: + field: suricata.eve.http.hostname + ignore_failure: true + - script: + lang: painless + tag: suricata_deduplicate_dest_domain + source: > + def domain = ctx.destination?.domain; + if (domain instanceof Collection) { + domain = domain.stream().distinct().collect(Collectors.toList()); + if (domain.length == 1) { + domain = domain[0]; + } + ctx.destination.domain = domain; + } + ignore_failure: true 
+ - set: + if: ctx?.network?.protocol == 'http' + field: url.domain + value: '{{destination.domain}}' + ignore_empty_value: true + - grok: + field: suricata.eve.http.url + patterns: + - '%{PATH:url.path}(?:\?%{QUERY:url.query})?(?:#%{ANY:url.fragment})?' + ignore_missing: true + pattern_definitions: + PATH: '[^?#]*' + QUERY: '[^#]*' + ANY: '.*' + - rename: + field: suricata.eve.http.url + target_field: url.original + ignore_missing: true + - rename: + field: suricata.eve.http.http_port + target_field: url.port + ignore_missing: true + - rename: + field: suricata.eve.http.http_refer + target_field: http.request.referrer + ignore_missing: true + - rename: + field: suricata.eve.http.length + target_field: http.response.body.bytes + ignore_missing: true + - rename: + field: suricata.eve.fileinfo.filename + target_field: file.path + ignore_missing: true + - rename: + field: suricata.eve.fileinfo.size + target_field: file.size + ignore_missing: true + - lowercase: + field: network.transport + ignore_missing: true + - convert: + field: suricata.eve.alert.category + target_field: message + type: string + ignore_missing: true + - set: + field: rule.category + value: "{{suricata.eve.alert.category}}" + ignore_empty_value: true + - set: + field: rule.id + value: "{{suricata.eve.alert.signature_id}}" + ignore_empty_value: true + - set: + field: rule.name + value: "{{suricata.eve.alert.signature}}" + ignore_empty_value: true + - set: + if: ctx?.suricata?.eve?.alert?.action == 'blocked' + field: suricata.eve.alert.action + value: denied + - append: + if: ctx?.suricata?.eve?.alert?.action != null + field: event.type + value: "{{suricata.eve.alert.action}}" + - remove: + field: suricata.eve.alert.action + ignore_failure: true + - rename: + field: suricata.eve.alert.severity + target_field: event.severity + ignore_missing: true + - rename: + field: suricata.eve.flow.pkts_toclient + target_field: destination.packets + ignore_missing: true + - rename: + field: 
suricata.eve.flow.pkts_toserver + target_field: source.packets + ignore_missing: true + - rename: + field: suricata.eve.flow.bytes_toclient + target_field: destination.bytes + ignore_missing: true + - rename: + field: suricata.eve.flow.bytes_toserver + target_field: source.bytes + ignore_missing: true + - script: + tag: suricata_network_bytes_packets + lang: painless + source: > + long getOrZero(def map, def key) { + if (map!=null && map[key]!=null) { + return map[key]; + } + return 0; + } + def network=ctx['network'], source=ctx['source'], dest=ctx['destination']; + def sp=getOrZero(source,'packets'), sb=getOrZero(source,'bytes'), dp=getOrZero(dest,'packets'), db=getOrZero(dest,'bytes'); + if (sb+db+sp+dp > 0) { + if (network == null) { + network=new HashMap(); + ctx['network']=network; + } + if (sb+db > 0) { + network['bytes'] = sb+db; + } + if(sp+dp>0) { + network['packets'] = sp+dp; + } + } + - date: + field: suricata.eve.flow.start + target_field: event.start + formats: + - ISO8601 + ignore_failure: true + - date: + field: suricata.eve.flow.end + target_field: event.end + formats: + - ISO8601 + ignore_failure: true + - script: + tag: suricata_event_duration + lang: painless + source: > + Instant ins(def d) { + try { + return Instant.parse(d); + } catch(Exception e) { + return null; + } + } + def ev = ctx['event']; + if (ev != null) { + def start = ins(ev['start']); + def end = ins(ev['end']); + if (start != null && end != null && !start.isAfter(end)) { + ev['duration'] = Duration.between(start,end).toNanos(); + } + } + - lowercase: + field: suricata.eve.proto + target_field: network.transport + ignore_missing: true + - user_agent: + field: suricata.eve.http.http_user_agent + ignore_missing: true + - geoip: + if: ctx?.source?.geo == null + field: source.ip + target_field: source.geo + ignore_missing: true + - geoip: + if: ctx?.destination?.geo == null + field: destination.ip + target_field: destination.geo + ignore_missing: true + - geoip: + database_file: 
GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + if: ctx?.url?.domain != null && ctx.url.domain != '' + field: related.hosts + value: '{{url.domain}}' + allow_duplicates: false + - append: + if: ctx?.source?.ip != null + field: related.ip + value: '{{source.ip}}' + allow_duplicates: false + - append: + if: ctx?.destination?.ip != null + field: related.ip + value: '{{destination.ip}}' + allow_duplicates: false + - remove: + field: + - suricata.eve.app_proto + - suricata.eve.flow.end + - suricata.eve.flow.start + - suricata.eve.http.http_method + - suricata.eve.http.http_user_agent + ignore_missing: true +on_failure: + - append: + field: error.message + value: >- + error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} + with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} + {{ _ingest.on_failure_message }} + - remove: + field: + # Remove all alias fields to ensure indexing succeeds. 
+ - suricata.eve.alert.action + - suricata.eve.alert.severity + - suricata.eve.app_proto + - suricata.eve.dest_ip + - suricata.eve.dest_port + - suricata.eve.fileinfo.filename + - suricata.eve.fileinfo.size + - suricata.eve.flow.bytes_toclient + - suricata.eve.flow.bytes_toserver + - suricata.eve.flow.pkts_toclient + - suricata.eve.flow.pkts_toserver + - suricata.eve.flow.start + - suricata.eve.http.hostname + - suricata.eve.http.http_method + - suricata.eve.http.http_refer + - suricata.eve.http.http_user_agent + - suricata.eve.http.length + - suricata.eve.http.status + - suricata.eve.http.url + - suricata.eve.proto + - suricata.eve.src_ip + - suricata.eve.src_port + ignore_missing: true diff --git a/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/tls.yml b/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/tls.yml new file mode 100644 index 00000000..dd61fd93 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/suricata/eve/ingest/tls.yml 
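Review bot: In the `suricata_ecs_categorize` params table the `rfb` entry, commented as RFB (Remote Framebuffer Protocol), sets `network_protocol: rdp`, so VNC-style sessions are indexed with `network.protocol: rdp` and cannot be told apart from genuine RDP events by any detection rule or dashboard keyed on that field. Unless the conflation is deliberate, change the value to `network_protocol: rfb`, and if it is deliberate, say so in the comment rather than leaving a label that contradicts the value. Because the script runs with `ignore_failure: true`, an error in this table would also go unreported, which is a second reason to keep the entries exact.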
@@ -0,0 +1,196 @@ +--- +description: Pipeline for Suricata TLS Events + +processors: + - dissect: + if: ctx?.suricata?.eve?.tls?.version != "UNDETERMINED" + field: suricata.eve.tls.version + pattern: '%{tls.version_protocol} %{tls.version}' + ignore_missing: true + ignore_failure: true + - lowercase: + field: tls.version_protocol + ignore_missing: true + - script: + if: ctx?.suricata?.eve?.tls?.sni != null + tag: suricata_trim_tls_sni + lang: painless + source: | + def sni = ctx.suricata.eve.tls.sni; + if (!sni.endsWith(".")) { + return; + } + ctx.suricata.eve.tls.sni = sni.substring(0, sni.length() - 1); + # Subject + - set: + field: tls.server.subject + value: '{{suricata.eve.tls.subject}}' + ignore_empty_value: true + - gsub: + field: suricata.eve.tls.subject + pattern: \\, + replacement: "" + ignore_missing: true + - kv: + field: suricata.eve.tls.subject + field_split: ', ' + value_split: '=' + target_field: suricata.eve.tls.kv_subject + ignore_missing: true + ignore_failure: true + - rename: + field: suricata.eve.tls.kv_subject.C + target_field: tls.server.x509.subject.country + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_subject.CN + target_field: tls.server.x509.subject.common_name + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_subject.L + target_field: tls.server.x509.subject.locality + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_subject.O + target_field: tls.server.x509.subject.organization + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_subject.OU + target_field: tls.server.x509.subject.organizational_unit + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_subject.ST + target_field: tls.server.x509.subject.state_or_province + ignore_missing: true + # Issuer + - set: + field: tls.server.issuer + value: '{{suricata.eve.tls.issuerdn}}' + ignore_empty_value: true + - gsub: + field: suricata.eve.tls.issuerdn + pattern: \\, + replacement: "" + ignore_missing: true + - kv: + field: 
suricata.eve.tls.issuerdn + field_split: ', ' + value_split: '=' + target_field: suricata.eve.tls.kv_issuerdn + ignore_missing: true + ignore_failure: true + - rename: + field: suricata.eve.tls.kv_issuerdn.C + target_field: tls.server.x509.issuer.country + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_issuerdn.CN + target_field: tls.server.x509.issuer.common_name + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_issuerdn.L + target_field: tls.server.x509.issuer.locality + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_issuerdn.O + target_field: tls.server.x509.issuer.organization + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_issuerdn.OU + target_field: tls.server.x509.issuer.organizational_unit + ignore_missing: true + - rename: + field: suricata.eve.tls.kv_issuerdn.ST + target_field: tls.server.x509.issuer.state_or_province + ignore_missing: true + + - convert: + field: suricata.eve.tls.session_resumed + target_field: tls.resumed + type: boolean + ignore_missing: true + - set: + field: tls.server.hash.sha1 + value: '{{suricata.eve.tls.fingerprint}}' + ignore_empty_value: true + - uppercase: + field: tls.server.hash.sha1 + ignore_missing: true + - split: + field: tls.server.hash.sha1 + separator: ":" + ignore_missing: true + - join: + field: tls.server.hash.sha1 + separator: "" + ignore_failure: true + - append: + field: related.hash + value: "{{tls.server.hash.sha1}}" + if: "ctx?.tls?.server?.hash?.sha1 != null" + - set: + field: tls.client.server_name + value: '{{suricata.eve.tls.sni}}' + ignore_empty_value: true + - set: + field: destination.domain + value: '{{suricata.eve.tls.sni}}' + ignore_empty_value: true + - set: + field: tls.server.ja3s + value: '{{suricata.eve.tls.ja3s.hash}}' + ignore_empty_value: true + - set: + field: tls.client.ja3 + value: '{{suricata.eve.tls.ja3.hash}}' + ignore_empty_value: true + - set: + field: tls.server.certificate + value: '{{suricata.eve.tls.certificate}}' + 
ignore_empty_value: true + - set: + field: tls.server.certificate_chain + value: '{{suricata.eve.tls.chain}}' + ignore_empty_value: true + - set: + field: tls.server.x509.serial_number + value: '{{suricata.eve.tls.serial}}' + ignore_empty_value: true + - gsub: + field: tls.server.x509.serial_number + pattern: ':' + replacement: '' + ignore_missing: true + - date: + field: suricata.eve.tls.notafter + target_field: tls.server.not_after + formats: + - ISO8601 + if: ctx.suricata?.eve?.tls?.notafter != null + - date: + field: suricata.eve.tls.notbefore + target_field: tls.server.not_before + formats: + - ISO8601 + if: ctx.suricata?.eve?.tls?.notbefore != null + - set: + field: tls.server.x509.not_after + value: '{{tls.server.not_after}}' + ignore_empty_value: true + - set: + field: tls.server.x509.not_before + value: '{{tls.server.not_before}}' + ignore_empty_value: true + - remove: + field: + - suricata.eve.tls.kv_issuerdn + - suricata.eve.tls.kv_subject + ignore_missing: true +on_failure: + - append: + field: error.message + value: >- + error in TLS pipeline: + error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}} + with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}} + {{ _ingest.on_failure_message }} diff --git a/dynamite_nsm/confs/filebeat/module/suricata/eve/manifest.yml b/dynamite_nsm/confs/filebeat/module/suricata/eve/manifest.yml new file mode 100644 index 00000000..8d7f87d8 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/suricata/eve/manifest.yml 
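Review bot: `tls.server.certificate_chain` is populated through the mustache template `'{{suricata.eve.tls.chain}}'`; if Suricata emits `chain` as a list of certificates, the template renders the list's string form, so the ECS array field ends up holding one stringified value instead of the individual entries. Where the cluster's `set` processor supports it, `copy_from: suricata.eve.tls.chain` together with `ignore_empty_value: true` copies the value with its type intact; otherwise a short Painless `script` assigning `ctx.tls.server.certificate_chain = ctx.suricata.eve.tls.chain` achieves the same. Separately, the subject and issuer DN handling strips escaped commas with `gsub` before the `kv` split, which silently merges a value such as `O=Foo\, Inc` into `Foo Inc`; a comment noting that `tls.server.subject` and `tls.server.issuer` keep the unmodified DN while the `x509.*` components are lossy would save the next reader from treating them as equivalent.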
@@ -0,0 +1,28 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/suricata/eve.json
+ os.darwin:
+ - /usr/local/var/log/suricata/eve.json
+ os.windows:
+ - 'c:/program files/suricata/log/eve.json'
+ - name: tags
+ default: [suricata]
+ - name: community_id
+ default: true
+
+ingest_pipeline:
+ - ingest/pipeline.yml
+ - ingest/dns.yml
+ - ingest/dns-answer-v1.yml
+ - ingest/dns-answer-v2.yml
+ - ingest/tls.yml
+input: config/eve.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
+- name: user_agent
+ plugin: ingest-user-agent
diff --git a/dynamite_nsm/confs/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json b/dynamite_nsm/confs/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json
new file mode 100644
index 00000000..e8f77f90
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json
@@ -0,0 +1,88 @@ +[ + { + "@timestamp": "2021-01-27T00:28:11.488Z", + "destination.address": "10.31.64.240", + "destination.bytes": 876, + "destination.domain": "testmynids.org", + "destination.ip": "10.31.64.240", + "destination.mac": "00:1b:17:00:01:18", + "destination.packets": 5, + "destination.port": 47592, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"52.222.141.99\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check returned root\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2010_09_23\"],\"updated_at\":[\"2010_09_23\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}", + "event.severity": 2, + "event.start": "2021-01-22T22:28:38.673Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 39, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 0, + "message": "Potentially Bad Traffic", + "network.bytes": 1372, + "network.community_id": "1:/b5R3BDG/6TU2Pu+pRF8w6d1Z18=", + "network.packets": 11, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "testmynids.org" 
+ ], + "related.ip": [ + "52.222.141.99", + "10.31.64.240" + ], + "rule.category": "Potentially Bad Traffic", + "rule.id": "2100498", + "rule.name": "GPL ATTACK_RESPONSE id check returned root", + "service.type": "suricata", + "source.address": "52.222.141.99", + "source.bytes": 496, + "source.geo.city_name": "Seattle", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 47.6348, + "source.geo.location.lon": -122.3451, + "source.geo.region_iso_code": "US-WA", + "source.geo.region_name": "Washington", + "source.ip": "52.222.141.99", + "source.mac": "00:03:2d:3f:e5:63", + "source.packets": 6, + "source.port": 80, + "suricata.eve.alert.category": "Potentially Bad Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.metadata.created_at": [ + "2010_09_23" + ], + "suricata.eve.alert.metadata.updated_at": [ + "2010_09_23" + ], + "suricata.eve.alert.rev": 7, + "suricata.eve.alert.signature": "GPL ATTACK_RESPONSE id check returned root", + "suricata.eve.alert.signature_id": 2100498, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "1805461738637437", + "suricata.eve.http.http_content_type": "text/html", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp6s0", + "tags": [ + "suricata" + ], + "url.domain": "testmynids.org", + "url.original": "/uid/index.html", + "url.path": "/uid/index.html", + "user_agent.device.name": "Other", + "user_agent.name": "curl", + "user_agent.original": "curl/7.58.0", + "user_agent.version": "7.58.0" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/dynamite_nsm/confs/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json new file mode 100644 index 00000000..457a16da --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json 
@@ -0,0 +1,1787 @@ +[ + { + "@timestamp": "2018-10-03T14:42:44.836Z", + "destination.address": "93.184.216.34", + "destination.as.number": 15133, + "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", + "destination.bytes": 1654, + "destination.domain": "example.net", + "destination.geo.city_name": "Norwell", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.1596, + "destination.geo.location.lon": -70.8217, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "93.184.216.34", + "destination.packets": 3, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-03T14:42:44.836744+0000\",\"flow_id\":2191386088856669,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32858,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T14:42:44.613469+0000\"}}", + "event.severity": 2, + "event.start": "2018-10-03T14:42:44.613Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 1121, + 
"http.response.status_code": 200, + "input.type": "log", + "log.offset": 0, + "message": "Attempted Information Leak", + "network.bytes": 2001, + "network.community_id": "1:Tx1T2pcsxn4KDSlkBTi/5q9tZuo=", + "network.packets": 7, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "example.net" + ], + "related.ip": [ + "192.168.1.146", + "93.184.216.34" + ], + "rule.category": "Attempted Information Leak", + "rule.id": "2013028", + "rule.name": "ET POLICY curl User-Agent Outbound", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 347, + "source.ip": "192.168.1.146", + "source.packets": 4, + "source.port": 32858, + "suricata.eve.alert.category": "Attempted Information Leak", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 4, + "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", + "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "2191386088856669", + "suricata.eve.http.http_content_type": "text/html", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 0, + "tags": [ + "suricata" + ], + "url.domain": "example.net", + "url.original": "/", + "url.path": "/", + "user_agent.device.name": "Other", + "user_agent.name": "curl", + "user_agent.original": "curl/7.58.0", + "user_agent.version": "7.58.0" + }, + { + "@timestamp": "2018-10-03T16:16:26.711Z", + "destination.address": "93.184.216.34", + "destination.as.number": 15133, + "destination.as.organization.name": "MCI Communications Services, Inc. 
d/b/a Verizon Business", + "destination.bytes": 1654, + "destination.domain": "example.net", + "destination.geo.city_name": "Norwell", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.1596, + "destination.geo.location.lon": -70.8217, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "93.184.216.34", + "destination.packets": 3, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-03T16:16:26.711841+0000\",\"flow_id\":678269478904081,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32864,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:16:26.467217+0000\"}}", + "event.severity": 2, + "event.start": "2018-10-03T16:16:26.467Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 1121, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 723, + "message": "Attempted Information Leak", + "network.bytes": 2001, + "network.community_id": "1:A30Bhw0tTI2EifayU+MwAocMCZs=", + "network.packets": 7, + 
"network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "example.net" + ], + "related.ip": [ + "192.168.1.146", + "93.184.216.34" + ], + "rule.category": "Attempted Information Leak", + "rule.id": "2013028", + "rule.name": "ET POLICY curl User-Agent Outbound", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 347, + "source.ip": "192.168.1.146", + "source.packets": 4, + "source.port": 32864, + "suricata.eve.alert.category": "Attempted Information Leak", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 4, + "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", + "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "678269478904081", + "suricata.eve.http.http_content_type": "text/html", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 0, + "tags": [ + "suricata" + ], + "url.domain": "example.net", + "url.original": "/", + "url.path": "/", + "user_agent.device.name": "Other", + "user_agent.name": "curl", + "user_agent.original": "curl/7.58.0", + "user_agent.version": "7.58.0" + }, + { + "@timestamp": "2018-10-03T16:44:50.813Z", + "destination.address": "93.184.216.34", + "destination.as.number": 15133, + "destination.as.organization.name": "MCI Communications Services, Inc. 
d/b/a Verizon Business", + "destination.bytes": 1654, + "destination.domain": "example.net", + "destination.geo.city_name": "Norwell", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.1596, + "destination.geo.location.lon": -70.8217, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "93.184.216.34", + "destination.packets": 3, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-03T16:44:50.813100+0000\",\"flow_id\":1170030461115650,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32870,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.net\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:44:50.580866+0000\"}}", + "event.severity": 2, + "event.start": "2018-10-03T16:44:50.580Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 1126, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 1445, + "message": "Attempted Information Leak", + "network.bytes": 2001, + "network.community_id": "1:QI9ZBw/ltPo2cnzG5ne3IrgSdhw=", + "network.packets": 7, + 
"network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "example.net" + ], + "related.ip": [ + "192.168.1.146", + "93.184.216.34" + ], + "rule.category": "Attempted Information Leak", + "rule.id": "2013028", + "rule.name": "ET POLICY curl User-Agent Outbound", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 347, + "source.ip": "192.168.1.146", + "source.packets": 4, + "source.port": 32870, + "suricata.eve.alert.category": "Attempted Information Leak", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 4, + "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", + "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "1170030461115650", + "suricata.eve.http.http_content_type": "text/html", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 0, + "tags": [ + "suricata" + ], + "url.domain": "example.net", + "url.original": "/", + "url.path": "/", + "user_agent.device.name": "Other", + "user_agent.name": "curl", + "user_agent.original": "curl/7.58.0", + "user_agent.version": "7.58.0" + }, + { + "@timestamp": "2018-10-03T16:45:09.267Z", + "destination.address": "93.184.216.34", + "destination.as.number": 15133, + "destination.as.organization.name": "MCI Communications Services, Inc. 
d/b/a Verizon Business", + "destination.bytes": 1654, + "destination.domain": "example.org", + "destination.geo.city_name": "Norwell", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.1596, + "destination.geo.location.lon": -70.8217, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "93.184.216.34", + "destination.packets": 3, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-03T16:45:09.267308+0000\",\"flow_id\":49628113637132,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32872,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:45:09.036620+0000\"}}", + "event.severity": 2, + "event.start": "2018-10-03T16:45:09.036Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 1121, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 2168, + "message": "Attempted Information Leak", + "network.bytes": 2001, + "network.community_id": "1:kvem4ydd+kylAQHyyYnQUREfRDY=", + "network.packets": 7, + 
"network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "example.org" + ], + "related.ip": [ + "192.168.1.146", + "93.184.216.34" + ], + "rule.category": "Attempted Information Leak", + "rule.id": "2013028", + "rule.name": "ET POLICY curl User-Agent Outbound", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 347, + "source.ip": "192.168.1.146", + "source.packets": 4, + "source.port": 32872, + "suricata.eve.alert.category": "Attempted Information Leak", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 4, + "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", + "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "49628113637132", + "suricata.eve.http.http_content_type": "text/html", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 0, + "tags": [ + "suricata" + ], + "url.domain": "example.org", + "url.original": "/", + "url.path": "/", + "user_agent.device.name": "Other", + "user_agent.name": "curl", + "user_agent.original": "curl/7.58.0", + "user_agent.version": "7.58.0" + }, + { + "@timestamp": "2018-10-03T16:45:34.481Z", + "destination.address": "93.184.216.34", + "destination.as.number": 15133, + "destination.as.organization.name": "MCI Communications Services, Inc. 
d/b/a Verizon Business", + "destination.bytes": 1654, + "destination.domain": "example.org", + "destination.geo.city_name": "Norwell", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.1596, + "destination.geo.location.lon": -70.8217, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "93.184.216.34", + "destination.packets": 3, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-03T16:45:34.481113+0000\",\"flow_id\":116307482565223,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32876,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1121},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T16:45:34.252519+0000\"}}", + "event.severity": 2, + "event.start": "2018-10-03T16:45:34.252Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 1121, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 2889, + "message": "Attempted Information Leak", + "network.bytes": 2001, + "network.community_id": "1:HpBUwS4J4Fkh+ON3BdMMGV4jy8I=", + "network.packets": 7, + 
"network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "example.org" + ], + "related.ip": [ + "192.168.1.146", + "93.184.216.34" + ], + "rule.category": "Attempted Information Leak", + "rule.id": "2013028", + "rule.name": "ET POLICY curl User-Agent Outbound", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 347, + "source.ip": "192.168.1.146", + "source.packets": 4, + "source.port": 32876, + "suricata.eve.alert.category": "Attempted Information Leak", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 4, + "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", + "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "116307482565223", + "suricata.eve.http.http_content_type": "text/html", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 0, + "tags": [ + "suricata" + ], + "url.domain": "example.org", + "url.original": "/", + "url.path": "/", + "user_agent.device.name": "Other", + "user_agent.name": "curl", + "user_agent.original": "curl/7.58.0", + "user_agent.version": "7.58.0" + }, + { + "@timestamp": "2018-10-03T17:02:38.900Z", + "destination.address": "93.184.216.34", + "destination.as.number": 15133, + "destination.as.organization.name": "MCI Communications Services, Inc. 
d/b/a Verizon Business", + "destination.bytes": 1654, + "destination.domain": "example.org", + "destination.geo.city_name": "Norwell", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.1596, + "destination.geo.location.lon": -70.8217, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "93.184.216.34", + "destination.packets": 3, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-03T17:02:38.900976+0000\",\"flow_id\":1205867738178946,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":32892,\"dest_ip\":\"93.184.216.34\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013028,\"rev\":4,\"signature\":\"ET POLICY curl User-Agent Outbound\",\"category\":\"Attempted Information Leak\",\"severity\":2},\"http\":{\"hostname\":\"example.org\",\"url\":\"\\/\",\"http_user_agent\":\"curl\\/7.58.0\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1126},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":347,\"bytes_toclient\":1654,\"start\":\"2018-10-03T17:02:38.599426+0000\"}}", + "event.severity": 2, + "event.start": "2018-10-03T17:02:38.599Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 1126, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 3611, + "message": "Attempted Information Leak", + "network.bytes": 2001, + "network.community_id": "1:Bp3vB9bJiV2y/u23rxSpviRLSto=", + "network.packets": 7, + 
"network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "example.org" + ], + "related.ip": [ + "192.168.1.146", + "93.184.216.34" + ], + "rule.category": "Attempted Information Leak", + "rule.id": "2013028", + "rule.name": "ET POLICY curl User-Agent Outbound", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 347, + "source.ip": "192.168.1.146", + "source.packets": 4, + "source.port": 32892, + "suricata.eve.alert.category": "Attempted Information Leak", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 4, + "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", + "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "1205867738178946", + "suricata.eve.http.http_content_type": "text/html", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 0, + "tags": [ + "suricata" + ], + "url.domain": "example.org", + "url.original": "/", + "url.path": "/", + "user_agent.device.name": "Other", + "user_agent.name": "curl", + "user_agent.original": "curl/7.58.0", + "user_agent.version": "7.58.0" + }, + { + "@timestamp": "2018-10-04T09:34:59.009Z", + "destination.address": "91.189.88.152", + "destination.as.number": 41231, + "destination.as.organization.name": "Canonical Group Limited", + "destination.bytes": 1654, + "destination.domain": "security.ubuntu.com", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5132, + "destination.geo.location.lon": -0.0961, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "91.189.88.152", + "destination.packets": 3, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": 
"suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.009897+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1138},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":497,\"bytes_toclient\":1654,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.924Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 1138, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 4334, + "message": "Not Suspicious Traffic", + "network.bytes": 2151, + "network.community_id": "1:/kMBCIkdcM80Xtj2MYPWlkzcovg=", + "network.packets": 7, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], + "related.ip": [ + "192.168.1.146", + "91.189.88.152" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 497, + "source.ip": "192.168.1.146", + "source.packets": 4, + "source.port": 37742, + "suricata.eve.alert.category": "Not Suspicious Traffic", + 
"suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "764842923400056", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 0, + "tags": [ + "suricata" + ], + "url.domain": "security.ubuntu.com", + "url.original": "/ubuntu/dists/bionic-security/InRelease", + "url.path": "/ubuntu/dists/bionic-security/InRelease", + "user_agent.device.name": "Other", + "user_agent.name": "Debian APT-HTTP", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "user_agent.os.name": "Debian", + "user_agent.version": "1.3" + }, + { + "@timestamp": "2018-10-04T09:34:59.168Z", + "destination.address": "91.189.91.23", + "destination.as.number": 41231, + "destination.as.organization.name": "Canonical Group Limited", + "destination.bytes": 417, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.3562, + "destination.geo.location.lon": -71.0631, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 3, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2018-10-04T09:34:59.168340+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":304,\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":487,\"bytes_toclient\":417,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 0, + "http.response.status_code": 304, + "input.type": "log", + "log.offset": 5140, + "message": "Not Suspicious Traffic", + "network.bytes": 904, + "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=", + "network.packets": 7, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 487, + "source.ip": "192.168.1.146", + "source.packets": 4, + "source.port": 52340, + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.signature": "ET POLICY 
GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "112424506237238", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 0, + "tags": [ + "suricata" + ], + "url.domain": "archive.ubuntu.com", + "url.original": "/ubuntu/dists/bionic/InRelease", + "url.path": "/ubuntu/dists/bionic/InRelease", + "user_agent.device.name": "Other", + "user_agent.name": "Debian APT-HTTP", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "user_agent.os.name": "Debian", + "user_agent.version": "1.3" + }, + { + "@timestamp": "2018-10-04T09:34:59.288Z", + "destination.address": "91.189.91.23", + "destination.as.number": 41231, + "destination.as.organization.name": "Canonical Group Limited", + "destination.bytes": 3445, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.3562, + "destination.geo.location.lon": -71.0631, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 5, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.288862+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":1,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to 
package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2601},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":842,\"bytes_toclient\":3445,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 2601, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 5931, + "message": "Not Suspicious Traffic", + "network.bytes": 4287, + "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=", + "network.packets": 11, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 842, + "source.ip": "192.168.1.146", + "source.packets": 6, + "source.port": 52340, + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "112424506237238", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 1, + "tags": [ + "suricata" + ], + "url.domain": "archive.ubuntu.com", + "url.original": 
"/ubuntu/dists/bionic-updates/InRelease", + "url.path": "/ubuntu/dists/bionic-updates/InRelease", + "user_agent.device.name": "Other", + "user_agent.name": "Debian APT-HTTP", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "user_agent.os.name": "Debian", + "user_agent.version": "1.3" + }, + { + "@timestamp": "2018-10-04T09:34:59.289Z", + "destination.address": "91.189.88.152", + "destination.as.number": 41231, + "destination.as.organization.name": "Canonical Group Limited", + "destination.bytes": 90543, + "destination.domain": "security.ubuntu.com", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5132, + "destination.geo.location.lon": -0.0961, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "91.189.88.152", + "destination.packets": 62, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.289324+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":1,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/main\\/source\\/by-hash\\/SHA256\\/f5ec03d97ca76c98162d9233c8b7c578c52897e2136428277baf2e7b633a8e72\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 
(1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1241},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":64,\"pkts_toclient\":62,\"bytes_toserver\":4810,\"bytes_toclient\":90543,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.924Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 1241, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 6734, + "message": "Not Suspicious Traffic", + "network.bytes": 95353, + "network.community_id": "1:/kMBCIkdcM80Xtj2MYPWlkzcovg=", + "network.packets": 126, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], + "related.ip": [ + "192.168.1.146", + "91.189.88.152" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 4810, + "source.ip": "192.168.1.146", + "source.packets": 64, + "source.port": 37742, + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "764842923400056", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 1, + "tags": [ + "suricata" + ], + "url.domain": "security.ubuntu.com", + "url.original": "/ubuntu/dists/bionic-security/main/source/by-hash/SHA256/f5ec03d97ca76c98162d9233c8b7c578c52897e2136428277baf2e7b633a8e72", + "url.path": 
"/ubuntu/dists/bionic-security/main/source/by-hash/SHA256/f5ec03d97ca76c98162d9233c8b7c578c52897e2136428277baf2e7b633a8e72", + "user_agent.device.name": "Other", + "user_agent.name": "Debian APT-HTTP", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "user_agent.os.name": "Debian", + "user_agent.version": "1.3" + }, + { + "@timestamp": "2018-10-04T09:34:59.356Z", + "destination.address": "91.189.88.152", + "destination.as.number": 41231, + "destination.as.organization.name": "Canonical Group Limited", + "destination.bytes": 145014, + "destination.domain": "security.ubuntu.com", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5132, + "destination.geo.location.lon": -0.0961, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "91.189.88.152", + "destination.packets": 98, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.356132+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/main\\/binary-amd64\\/by-hash\\/SHA256\\/c5b8346a3221bc9a23a79ba4dc4e730a6319a77fc9d63872dfc56539a0810015\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 
(1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":87,\"pkts_toclient\":98,\"bytes_toserver\":6591,\"bytes_toclient\":145014,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.924Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 2687, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 7630, + "message": "Not Suspicious Traffic", + "network.bytes": 151605, + "network.community_id": "1:/kMBCIkdcM80Xtj2MYPWlkzcovg=", + "network.packets": 185, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], + "related.ip": [ + "192.168.1.146", + "91.189.88.152" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 6591, + "source.ip": "192.168.1.146", + "source.packets": 87, + "source.port": 37742, + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "764842923400056", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 2, + "tags": [ + "suricata" + ], + "url.domain": "security.ubuntu.com", + "url.original": "/ubuntu/dists/bionic-security/main/binary-amd64/by-hash/SHA256/c5b8346a3221bc9a23a79ba4dc4e730a6319a77fc9d63872dfc56539a0810015", + "url.path": 
"/ubuntu/dists/bionic-security/main/binary-amd64/by-hash/SHA256/c5b8346a3221bc9a23a79ba4dc4e730a6319a77fc9d63872dfc56539a0810015", + "user_agent.device.name": "Other", + "user_agent.name": "Debian APT-HTTP", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "user_agent.os.name": "Debian", + "user_agent.version": "1.3" + }, + { + "@timestamp": "2018-10-04T09:34:59.456Z", + "destination.address": "91.189.88.152", + "destination.as.number": 41231, + "destination.as.organization.name": "Canonical Group Limited", + "destination.bytes": 330525, + "destination.domain": "security.ubuntu.com", + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", + "destination.geo.location.lat": 51.5132, + "destination.geo.location.lon": -0.0961, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "91.189.88.152", + "destination.packets": 221, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.456919+0000\",\"flow_id\":764842923400056,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":37742,\"dest_ip\":\"91.189.88.152\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"security.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-security\\/universe\\/binary-amd64\\/by-hash\\/SHA256\\/e5cc957139a25a0fee47cbf2c0fac8ad5cab50346d6a74abe031748924c5b558\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 
(1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2688},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":156,\"pkts_toclient\":221,\"bytes_toserver\":11460,\"bytes_toclient\":330525,\"start\":\"2018-10-04T09:34:58.924536+0000\"}}", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.924Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 2688, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 8533, + "message": "Not Suspicious Traffic", + "network.bytes": 341985, + "network.community_id": "1:/kMBCIkdcM80Xtj2MYPWlkzcovg=", + "network.packets": 377, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], + "related.ip": [ + "192.168.1.146", + "91.189.88.152" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 11460, + "source.ip": "192.168.1.146", + "source.packets": 156, + "source.port": 37742, + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "764842923400056", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 3, + "tags": [ + "suricata" + ], + "url.domain": "security.ubuntu.com", + "url.original": "/ubuntu/dists/bionic-security/universe/binary-amd64/by-hash/SHA256/e5cc957139a25a0fee47cbf2c0fac8ad5cab50346d6a74abe031748924c5b558", + "url.path": 
"/ubuntu/dists/bionic-security/universe/binary-amd64/by-hash/SHA256/e5cc957139a25a0fee47cbf2c0fac8ad5cab50346d6a74abe031748924c5b558", + "user_agent.device.name": "Other", + "user_agent.name": "Debian APT-HTTP", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "user_agent.os.name": "Debian", + "user_agent.version": "1.3" + }, + { + "@timestamp": "2018-10-04T09:34:59.747Z", + "destination.address": "91.189.91.23", + "destination.as.number": 41231, + "destination.as.organization.name": "Canonical Group Limited", + "destination.bytes": 96554, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.3562, + "destination.geo.location.lon": -71.0631, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 67, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.747122+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":2,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-backports\\/InRelease\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 
(1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2601},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":64,\"pkts_toclient\":67,\"bytes_toserver\":4895,\"bytes_toclient\":96554,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 2601, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 9443, + "message": "Not Suspicious Traffic", + "network.bytes": 101449, + "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=", + "network.packets": 131, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 4895, + "source.ip": "192.168.1.146", + "source.packets": 64, + "source.port": 52340, + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "112424506237238", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 2, + "tags": [ + "suricata" + ], + "url.domain": "archive.ubuntu.com", + "url.original": "/ubuntu/dists/bionic-backports/InRelease", + "url.path": "/ubuntu/dists/bionic-backports/InRelease", + "user_agent.device.name": "Other", + "user_agent.name": "Debian APT-HTTP", + "user_agent.original": "Debian APT-HTTP/1.3 
(1.6.3ubuntu0.1)", + "user_agent.os.name": "Debian", + "user_agent.version": "1.3" + }, + { + "@timestamp": "2018-10-04T09:34:59.953Z", + "destination.address": "91.189.91.23", + "destination.as.number": 41231, + "destination.as.organization.name": "Canonical Group Limited", + "destination.bytes": 174843, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.3562, + "destination.geo.location.lon": -71.0631, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 119, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:34:59.953886+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":3,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/main\\/source\\/by-hash\\/SHA256\\/65f2e3a4e9d89d9d4b5e3d42e586bc96f48a24466b0ad0b4a707255e44a26b03\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":91,\"pkts_toclient\":119,\"bytes_toserver\":6932,\"bytes_toclient\":174843,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + 
"event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 2687, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 10252, + "message": "Not Suspicious Traffic", + "network.bytes": 181775, + "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=", + "network.packets": 210, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 6932, + "source.ip": "192.168.1.146", + "source.packets": 91, + "source.port": 52340, + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "112424506237238", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 3, + "tags": [ + "suricata" + ], + "url.domain": "archive.ubuntu.com", + "url.original": "/ubuntu/dists/bionic-updates/main/source/by-hash/SHA256/65f2e3a4e9d89d9d4b5e3d42e586bc96f48a24466b0ad0b4a707255e44a26b03", + "url.path": "/ubuntu/dists/bionic-updates/main/source/by-hash/SHA256/65f2e3a4e9d89d9d4b5e3d42e586bc96f48a24466b0ad0b4a707255e44a26b03", + "user_agent.device.name": "Other", + "user_agent.name": "Debian APT-HTTP", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "user_agent.os.name": "Debian", + "user_agent.version": "1.3" + }, + { + "@timestamp": 
"2018-10-04T09:35:00.250Z", + "destination.address": "91.189.91.23", + "destination.as.number": 41231, + "destination.as.organization.name": "Canonical Group Limited", + "destination.bytes": 376452, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.3562, + "destination.geo.location.lon": -71.0631, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 253, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:35:00.250560+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":4,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/source\\/by-hash\\/SHA256\\/56cfd9cc2efa61dff7428dddf921c3cd6047ab8e6484a7f1888e4c3f7252f1ef\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2688},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":159,\"pkts_toclient\":253,\"bytes_toserver\":11679,\"bytes_toclient\":376452,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], 
+ "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 2688, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 11147, + "message": "Not Suspicious Traffic", + "network.bytes": 388131, + "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=", + "network.packets": 412, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 11679, + "source.ip": "192.168.1.146", + "source.packets": 159, + "source.port": 52340, + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "112424506237238", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 4, + "tags": [ + "suricata" + ], + "url.domain": "archive.ubuntu.com", + "url.original": "/ubuntu/dists/bionic-updates/universe/source/by-hash/SHA256/56cfd9cc2efa61dff7428dddf921c3cd6047ab8e6484a7f1888e4c3f7252f1ef", + "url.path": "/ubuntu/dists/bionic-updates/universe/source/by-hash/SHA256/56cfd9cc2efa61dff7428dddf921c3cd6047ab8e6484a7f1888e4c3f7252f1ef", + "user_agent.device.name": "Other", + "user_agent.name": "Debian APT-HTTP", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "user_agent.os.name": "Debian", + "user_agent.version": "1.3" + }, + { + "@timestamp": "2018-10-04T09:35:00.401Z", + "destination.address": "91.189.91.23", + "destination.as.number": 
41231, + "destination.as.organization.name": "Canonical Group Limited", + "destination.bytes": 468170, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.3562, + "destination.geo.location.lon": -71.0631, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 314, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:35:00.401788+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":5,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/main\\/binary-amd64\\/by-hash\\/SHA256\\/4360137dc8f98b47648da1fef5472ef234fb02115bc2b29873bcaeee62637e70\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":190,\"pkts_toclient\":314,\"bytes_toserver\":13986,\"bytes_toclient\":468170,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 2687, + 
"http.response.status_code": 200, + "input.type": "log", + "log.offset": 12048, + "message": "Not Suspicious Traffic", + "network.bytes": 482156, + "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=", + "network.packets": 504, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 13986, + "source.ip": "192.168.1.146", + "source.packets": 190, + "source.port": 52340, + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "112424506237238", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 5, + "tags": [ + "suricata" + ], + "url.domain": "archive.ubuntu.com", + "url.original": "/ubuntu/dists/bionic-updates/main/binary-amd64/by-hash/SHA256/4360137dc8f98b47648da1fef5472ef234fb02115bc2b29873bcaeee62637e70", + "url.path": "/ubuntu/dists/bionic-updates/main/binary-amd64/by-hash/SHA256/4360137dc8f98b47648da1fef5472ef234fb02115bc2b29873bcaeee62637e70", + "user_agent.device.name": "Other", + "user_agent.name": "Debian APT-HTTP", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "user_agent.os.name": "Debian", + "user_agent.version": "1.3" + }, + { + "@timestamp": "2018-10-04T09:35:00.776Z", + "destination.address": "91.189.91.23", + "destination.as.number": 41231, + "destination.as.organization.name": "Canonical Group Limited", + "destination.bytes": 
880323, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.3562, + "destination.geo.location.lon": -71.0631, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 588, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:35:00.776438+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":6,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/restricted\\/binary-amd64\\/by-hash\\/SHA256\\/c93fdc7f10cad1263349fd7b5bdd6a7f7163165b96ad263b3e12022e319d0d12\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2691},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":328,\"pkts_toclient\":588,\"bytes_toserver\":23361,\"bytes_toclient\":880323,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 2691, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 12951, + 
"message": "Not Suspicious Traffic", + "network.bytes": 903684, + "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=", + "network.packets": 916, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 23361, + "source.ip": "192.168.1.146", + "source.packets": 328, + "source.port": 52340, + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "112424506237238", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 6, + "tags": [ + "suricata" + ], + "url.domain": "archive.ubuntu.com", + "url.original": "/ubuntu/dists/bionic-updates/restricted/binary-amd64/by-hash/SHA256/c93fdc7f10cad1263349fd7b5bdd6a7f7163165b96ad263b3e12022e319d0d12", + "url.path": "/ubuntu/dists/bionic-updates/restricted/binary-amd64/by-hash/SHA256/c93fdc7f10cad1263349fd7b5bdd6a7f7163165b96ad263b3e12022e319d0d12", + "user_agent.device.name": "Other", + "user_agent.name": "Debian APT-HTTP", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "user_agent.os.name": "Debian", + "user_agent.version": "1.3" + }, + { + "@timestamp": "2018-10-04T09:35:00.897Z", + "destination.address": "91.189.91.23", + "destination.as.number": 41231, + "destination.as.organization.name": "Canonical Group Limited", + "destination.bytes": 884342, + "destination.domain": "archive.ubuntu.com", + 
"destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.3562, + "destination.geo.location.lon": -71.0631, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 591, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:35:00.897009+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":7,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/binary-amd64\\/by-hash\\/SHA256\\/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":2687},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":330,\"pkts_toclient\":591,\"bytes_toserver\":23758,\"bytes_toclient\":884342,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 2687, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 13860, + "message": "Not Suspicious Traffic", + "network.bytes": 908100, 
+ "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=", + "network.packets": 921, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 23758, + "source.ip": "192.168.1.146", + "source.packets": 330, + "source.port": 52340, + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "112424506237238", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 7, + "tags": [ + "suricata" + ], + "url.domain": "archive.ubuntu.com", + "url.original": "/ubuntu/dists/bionic-updates/universe/binary-amd64/by-hash/SHA256/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc", + "url.path": "/ubuntu/dists/bionic-updates/universe/binary-amd64/by-hash/SHA256/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc", + "user_agent.device.name": "Other", + "user_agent.name": "Debian APT-HTTP", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "user_agent.os.name": "Debian", + "user_agent.version": "1.3" + }, + { + "@timestamp": "2018-10-04T09:35:01.362Z", + "destination.address": "91.189.91.23", + "destination.as.number": 41231, + "destination.as.organization.name": "Canonical Group Limited", + "destination.bytes": 1467603, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North 
America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.3562, + "destination.geo.location.lon": -71.0631, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 979, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:35:01.362208+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":8,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/universe\\/i18n\\/by-hash\\/SHA256\\/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":524,\"pkts_toclient\":979,\"bytes_toserver\":36819,\"bytes_toclient\":1467603,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 0, + "input.type": "log", + "log.offset": 14767, + "message": "Not Suspicious Traffic", + "network.bytes": 1504422, + "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=", + "network.packets": 1503, + "network.protocol": "http", + "network.transport": 
"tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 36819, + "source.ip": "192.168.1.146", + "source.packets": 524, + "source.port": 52340, + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "112424506237238", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 8, + "tags": [ + "suricata" + ], + "url.domain": "archive.ubuntu.com", + "url.original": "/ubuntu/dists/bionic-updates/universe/i18n/by-hash/SHA256/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4", + "url.path": "/ubuntu/dists/bionic-updates/universe/i18n/by-hash/SHA256/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4", + "user_agent.device.name": "Other", + "user_agent.name": "Debian APT-HTTP", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "user_agent.os.name": "Debian", + "user_agent.version": "1.3" + }, + { + "@timestamp": "2018-10-04T09:35:01.575Z", + "destination.address": "91.189.91.23", + "destination.as.number": 41231, + "destination.as.organization.name": "Canonical Group Limited", + "destination.bytes": 1618380, + "destination.domain": "archive.ubuntu.com", + "destination.geo.city_name": "Boston", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 42.3562, + 
"destination.geo.location.lon": -71.0631, + "destination.geo.region_iso_code": "US-MA", + "destination.geo.region_name": "Massachusetts", + "destination.ip": "91.189.91.23", + "destination.packets": 1079, + "destination.port": 80, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-10-04T09:35:01.575088+0000\",\"flow_id\":112424506237238,\"in_iface\":\"enp0s3\",\"event_type\":\"alert\",\"src_ip\":\"192.168.1.146\",\"src_port\":52340,\"dest_ip\":\"91.189.91.23\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":9,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2013504,\"rev\":5,\"signature\":\"ET POLICY GNU\\/Linux APT User-Agent Outbound likely related to package management\",\"category\":\"Not Suspicious Traffic\",\"severity\":3},\"http\":{\"hostname\":\"archive.ubuntu.com\",\"url\":\"\\/ubuntu\\/dists\\/bionic-updates\\/multiverse\\/binary-amd64\\/by-hash\\/SHA256\\/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16\",\"http_user_agent\":\"Debian APT-HTTP\\/1.3 (1.6.3ubuntu0.1)\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":575,\"pkts_toclient\":1079,\"bytes_toserver\":40452,\"bytes_toclient\":1618380,\"start\":\"2018-10-04T09:34:58.926006+0000\"}}", + "event.severity": 3, + "event.start": "2018-10-04T09:34:58.926Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 0, + "input.type": "log", + "log.offset": 15651, + "message": "Not Suspicious Traffic", + "network.bytes": 1658832, + "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=", + "network.packets": 1654, + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], + "related.ip": [ + "192.168.1.146", + "91.189.91.23" + ], + "rule.category": "Not 
Suspicious Traffic", + "rule.id": "2013504", + "rule.name": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "service.type": "suricata", + "source.address": "192.168.1.146", + "source.bytes": 40452, + "source.ip": "192.168.1.146", + "source.packets": 575, + "source.port": 52340, + "suricata.eve.alert.category": "Not Suspicious Traffic", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 5, + "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", + "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "112424506237238", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "enp0s3", + "suricata.eve.tx_id": 9, + "tags": [ + "suricata" + ], + "url.domain": "archive.ubuntu.com", + "url.original": "/ubuntu/dists/bionic-updates/multiverse/binary-amd64/by-hash/SHA256/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16", + "url.path": "/ubuntu/dists/bionic-updates/multiverse/binary-amd64/by-hash/SHA256/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16", + "user_agent.device.name": "Other", + "user_agent.name": "Debian APT-HTTP", + "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", + "user_agent.os.name": "Debian", + "user_agent.version": "1.3" + }, + { + "@timestamp": "2018-10-04T09:35:02.796Z", + "destination.address": "10.232.0.237", + "destination.domain": "hostname.domain.net", + "destination.ip": "10.232.0.237", + "destination.port": 9080, + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"tls\":{\"ja3s\":{\"string\":\"333,55555,66666-22\",\"hash\":\"0993626a07ad09e1ce91293be7aa5721\"},\"ja3\":{\"string\":\"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0\",\"hash\":\"d92325c876e7279f4eb8c62415e3a6b7\"},\"notafter\":\"2024-07-16T14:52:35\",\"notbefore\":\"2019-07-17T14:52:35\",\"version\":\"TLS 1.2\",\"sni\":\"hostname.domain.net\",\"fingerprint\":\"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33\",\"serial\":\"00:11:22:33:44:55:66:77:88\",\"issuerdn\":\"C=US, O=Google Inc, CN=Google Internet Authority G2\",\"subject\":\"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com\"},\"proto\":\"TCP\",\"dest_port\":9080,\"dest_ip\":\"10.232.0.237\",\"src_port\":45884,\"src_ip\":\"10.126.2.140\",\"event_type\":\"tls\",\"in_iface\":\"enp5s0\",\"flow_id\":1091813059495729,\"timestamp\":\"2018-10-04T09:35:02.796615+0000\"}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 16546, + "network.community_id": "1:qsGDjYDIWp+kHhxotTdhPbUaWSo=", + "network.protocol": "tls", + "network.transport": "tcp", + "related.hash": [ + "00112233445566778899AABBCCDDEEFF00112233" + ], + "related.ip": [ + "10.126.2.140", + "10.232.0.237" + ], + "service.type": "suricata", + "source.address": "10.126.2.140", + "source.ip": "10.126.2.140", + "source.port": 45884, + "suricata.eve.event_type": "tls", + "suricata.eve.flow_id": "1091813059495729", + "suricata.eve.in_iface": "enp5s0", + "suricata.eve.tls.fingerprint": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33", + "suricata.eve.tls.issuerdn": "C=US, O=Google Inc, CN=Google Internet Authority G2", + "suricata.eve.tls.ja3.hash": "d92325c876e7279f4eb8c62415e3a6b7", + "suricata.eve.tls.ja3.string": 
"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0", + "suricata.eve.tls.ja3s.hash": "0993626a07ad09e1ce91293be7aa5721", + "suricata.eve.tls.ja3s.string": "333,55555,66666-22", + "suricata.eve.tls.notafter": "2024-07-16T14:52:35", + "suricata.eve.tls.notbefore": "2019-07-17T14:52:35", + "suricata.eve.tls.serial": "00:11:22:33:44:55:66:77:88", + "suricata.eve.tls.sni": "hostname.domain.net", + "suricata.eve.tls.subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com", + "suricata.eve.tls.version": "TLS 1.2", + "tags": [ + "suricata" + ], + "tls.client.ja3": "d92325c876e7279f4eb8c62415e3a6b7", + "tls.client.server_name": "hostname.domain.net", + "tls.server.hash.sha1": "00112233445566778899AABBCCDDEEFF00112233", + "tls.server.issuer": "C=US, O=Google Inc, CN=Google Internet Authority G2", + "tls.server.ja3s": "0993626a07ad09e1ce91293be7aa5721", + "tls.server.not_after": "2024-07-16T14:52:35.000Z", + "tls.server.not_before": "2019-07-17T14:52:35.000Z", + "tls.server.subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com", + "tls.server.x509.issuer.common_name": "Google Internet Authority G2", + "tls.server.x509.issuer.country": "US", + "tls.server.x509.issuer.organization": "Google Inc", + "tls.server.x509.not_after": "2024-07-16T14:52:35.000Z", + "tls.server.x509.not_before": "2019-07-17T14:52:35.000Z", + "tls.server.x509.serial_number": "001122334455667788", + "tls.server.x509.subject.common_name": "*.google.com", + "tls.server.x509.subject.country": "US", + "tls.server.x509.subject.locality": "Mountain View", + "tls.server.x509.subject.organization": "Google Inc", + "tls.server.x509.subject.state_or_province": "California", + "tls.version": "1.2", + "tls.version_protocol": "tls" + }, + { + "@timestamp": 
"2020-06-26T15:00:03.342Z", + "destination.address": "10.128.2.48", + "destination.bytes": 4660, + "destination.domain": "host.domain.net", + "destination.ip": "10.128.2.48", + "destination.packets": 8, + "destination.port": 8443, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"flow\":{\"start\":\"2020-06-26T11:00:02.970011-0400\",\"bytes_toclient\":4660,\"bytes_toserver\":1074,\"pkts_toclient\":8,\"pkts_toserver\":7},\"app_proto\":\"tls\",\"tls\":{\"ja3s\":{\"string\":\"742,48172,30210-30\",\"hash\":\"391231ba5675e42807b9e1f457b2614e\"},\"ja3\":{\"string\":\"718,4682-2687-2686-41992-41911-53292-53297-41969-22905-41926-41924-94181-94711-15-23-95-12-11-205,0-33-50-53-6-61-39-23-34-85-81,93-04-52,3-9-3\",\"hash\":\"3f1ea03f5822e8021b60cc3e4b233181\"},\"notafter\":\"2026-06-25T17:36:29\",\"notbefore\":\"2016-06-27T17:36:29\",\"version\":\"TLS 1.2\",\"sni\":\"host.domain.net\",\"fingerprint\":\"36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc\",\"serial\":\"72:A9:2C:51\",\"issuerdn\":\"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown\",\"subject\":\"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown\"},\"alert\":{\"severity\":3,\"category\":\"\",\"signature\":\"SURICATA TLS on unusual port\",\"rev\":1,\"signature_id\":2610003,\"gid\":1,\"action\":\"allowed\"},\"proto\":\"TCP\",\"dest_port\":8443,\"dest_ip\":\"10.128.2.48\",\"src_port\":64389,\"src_ip\":\"10.137.3.54\",\"event_type\":\"alert\",\"in_iface\":\"enp0s31f6\",\"flow_id\":991192778198299,\"timestamp\":\"2020-06-26T11:00:03.342282-0400\"}", + "event.severity": 3, + "event.start": "2020-06-26T15:00:02.970Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 17541, + "message": "", + "network.bytes": 5734, + "network.community_id": "1:W6fjhboFUwyEchJ3ELaqSBzDEJE=", + "network.packets": 15, + 
"network.protocol": "tls", + "network.transport": "tcp", + "related.hash": [ + "363FEE2A1CFADEADBEEF4299CFA9B09101EBA9CC" + ], + "related.ip": [ + "10.137.3.54", + "10.128.2.48" + ], + "rule.id": "2610003", + "rule.name": "SURICATA TLS on unusual port", + "service.type": "suricata", + "source.address": "10.137.3.54", + "source.bytes": 1074, + "source.ip": "10.137.3.54", + "source.packets": 7, + "source.port": 64389, + "suricata.eve.alert.category": "", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 1, + "suricata.eve.alert.signature": "SURICATA TLS on unusual port", + "suricata.eve.alert.signature_id": 2610003, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "991192778198299", + "suricata.eve.in_iface": "enp0s31f6", + "suricata.eve.tls.fingerprint": "36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc", + "suricata.eve.tls.issuerdn": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", + "suricata.eve.tls.ja3.hash": "3f1ea03f5822e8021b60cc3e4b233181", + "suricata.eve.tls.ja3.string": "718,4682-2687-2686-41992-41911-53292-53297-41969-22905-41926-41924-94181-94711-15-23-95-12-11-205,0-33-50-53-6-61-39-23-34-85-81,93-04-52,3-9-3", + "suricata.eve.tls.ja3s.hash": "391231ba5675e42807b9e1f457b2614e", + "suricata.eve.tls.ja3s.string": "742,48172,30210-30", + "suricata.eve.tls.notafter": "2026-06-25T17:36:29", + "suricata.eve.tls.notbefore": "2016-06-27T17:36:29", + "suricata.eve.tls.serial": "72:A9:2C:51", + "suricata.eve.tls.sni": "host.domain.net", + "suricata.eve.tls.subject": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", + "suricata.eve.tls.version": "TLS 1.2", + "tags": [ + "suricata" + ], + "tls.client.ja3": "3f1ea03f5822e8021b60cc3e4b233181", + "tls.client.server_name": "host.domain.net", + "tls.server.hash.sha1": "363FEE2A1CFADEADBEEF4299CFA9B09101EBA9CC", + "tls.server.issuer": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", + "tls.server.ja3s": 
"391231ba5675e42807b9e1f457b2614e", + "tls.server.not_after": "2026-06-25T17:36:29.000Z", + "tls.server.not_before": "2016-06-27T17:36:29.000Z", + "tls.server.subject": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", + "tls.server.x509.issuer.common_name": "Unknown", + "tls.server.x509.issuer.country": "Unknown", + "tls.server.x509.issuer.locality": "Unknown", + "tls.server.x509.issuer.organization": "Unknown", + "tls.server.x509.issuer.organizational_unit": "Unknown", + "tls.server.x509.issuer.state_or_province": "Unknown", + "tls.server.x509.not_after": "2026-06-25T17:36:29.000Z", + "tls.server.x509.not_before": "2016-06-27T17:36:29.000Z", + "tls.server.x509.serial_number": "72A92C51", + "tls.server.x509.subject.common_name": "Unknown", + "tls.server.x509.subject.country": "Unknown", + "tls.server.x509.subject.locality": "Unknown", + "tls.server.x509.subject.organization": "Unknown", + "tls.server.x509.subject.organizational_unit": "Unknown", + "tls.server.x509.subject.state_or_province": "Unknown", + "tls.version": "1.2", + "tls.version_protocol": "tls" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json b/dynamite_nsm/confs/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json new file mode 100644 index 00000000..cdcf5703 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json 
@@ -0,0 +1,1504 @@ +[ + { + "@timestamp": "2019-08-22T23:48:27.924Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "51803", + "dns.question.name": "google.com", + "dns.question.registered_domain": "google.com", + "dns.question.top_level_domain": "com", + "dns.question.type": "A", + "dns.type": "query", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-22T23:48:27.924120+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":46686,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":51803,\"rrname\":\"google.com\",\"rrtype\":\"A\",\"tx_id\":0}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:HActqwgIaYeC8fc4sfMGrL8jjaI=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 46686, + "suricata.eve.dns.id": 51803, + "suricata.eve.dns.rrname": "google.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "885455453886936", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-22T23:48:27.924Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "39523", + "dns.question.name": "google.com", + "dns.question.registered_domain": "google.com", + "dns.question.top_level_domain": "com", + "dns.question.type": "AAAA", + "dns.type": "query", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": 
"event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-22T23:48:27.924282+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":36993,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":39523,\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 280, + "network.community_id": "1:Z5dwZB2hQ1ZuxC+6Jw04VtuJ1lw=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 36993, + "suricata.eve.dns.id": 39523, + "suricata.eve.dns.rrname": "google.com", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "1418448010418810", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-22T23:48:27.950Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 36993, + "dns.answers": [ + { + "data": "2607:f8b0:4006:0805:0000:0000:0000:200e", + "name": "google.com", + "ttl": 272, + "type": "AAAA" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "39523", + "dns.question.name": "google.com", + "dns.question.registered_domain": "google.com", + "dns.question.top_level_domain": "com", + "dns.question.type": "AAAA", + "dns.resolved_ip": [ + "2607:f8b0:4006:0805:0000:0000:0000:200e" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-22T23:48:27.950946+0000\",\"flow_id\":1418448010418810,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":36993,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":39523,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"AAAA\",\"ttl\":272,\"rdata\":\"2607:f8b0:4006:0805:0000:0000:0000:200e\"}],\"grouped\":{\"AAAA\":[\"2607:f8b0:4006:0805:0000:0000:0000:200e\"]}}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 564, + "network.community_id": "1:Z5dwZB2hQ1ZuxC+6Jw04VtuJ1lw=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "2607:f8b0:4006:0805:0000:0000:0000:200e", + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 39523, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rrname": "google.com", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "1418448010418810", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-22T23:48:27.957Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 46686, + "dns.answers": [ + { + "data": "172.217.11.46", + "name": "google.com", + "ttl": 299, + "type": "A" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "51803", + "dns.question.name": "google.com", + "dns.question.registered_domain": "google.com", + "dns.question.top_level_domain": "com", + "dns.question.type": "A", + "dns.resolved_ip": [ + "172.217.11.46" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + 
"network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-22T23:48:27.957906+0000\",\"flow_id\":885455453886936,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":46686,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":51803,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"google.com\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"172.217.11.46\"}],\"grouped\":{\"A\":[\"172.217.11.46\"]}}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 1089, + "network.community_id": "1:HActqwgIaYeC8fc4sfMGrL8jjaI=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "172.217.11.46", + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 51803, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rrname": "google.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "885455453886936", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-22T23:48:48.839Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "60273", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.subdomain": "www", + "dns.question.top_level_domain": "co", + "dns.question.type": "A", + "dns.type": "query", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-22T23:48:48.839495+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":50720,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":60273,\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"tx_id\":0}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 1552, + "network.community_id": "1:vfjW/QLkaS6+iMbv/HRuEOgqA4o=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 50720, + "suricata.eve.dns.id": 60273, + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "40074894954311", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-22T23:48:48.839Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "4210", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.subdomain": "www", + "dns.question.top_level_domain": "co", + "dns.question.type": "AAAA", + "dns.type": "query", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-22T23:48:48.839714+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":41979,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":4210,\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + 
"input.type": "log", + "log.offset": 1835, + "network.community_id": "1:SDBTqhsjpXwQyrvRX6xpeEaMsAg=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 41979, + "suricata.eve.dns.id": 4210, + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "2130691028471842", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-22T23:48:48.901Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 50720, + "dns.answers": [ + { + "data": "dualstack.r2.shared.global.fastly.net", + "name": "www.elastic.co", + "ttl": 270, + "type": "CNAME" + }, + { + "data": "151.101.130.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + }, + { + "data": "151.101.194.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + }, + { + "data": "151.101.2.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + }, + { + "data": "151.101.66.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "60273", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.subdomain": "www", + "dns.question.top_level_domain": "co", + "dns.question.type": "A", + "dns.resolved_ip": [ + "151.101.130.217", + "151.101.194.217", + "151.101.2.217", + "151.101.66.217" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-22T23:48:48.901548+0000\",\"flow_id\":40074894954311,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":50720,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":60273,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":270,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.130.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.194.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.2.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.66.217\"}],\"grouped\":{\"A\":[\"151.101.130.217\",\"151.101.194.217\",\"151.101.2.217\",\"151.101.66.217\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 2122, + "network.community_id": "1:vfjW/QLkaS6+iMbv/HRuEOgqA4o=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "151.101.130.217", + "151.101.194.217", + "151.101.2.217", + "151.101.66.217", + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 60273, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "40074894954311", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": 
"2019-08-22T23:48:48.902Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 41979, + "dns.answers": [ + { + "data": "dualstack.r2.shared.global.fastly.net", + "name": "www.elastic.co", + "ttl": 299, + "type": "CNAME" + }, + { + "data": "2a04:4e42:0600:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + }, + { + "data": "2a04:4e42:0000:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + }, + { + "data": "2a04:4e42:0200:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + }, + { + "data": "2a04:4e42:0400:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "4210", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.subdomain": "www", + "dns.question.top_level_domain": "co", + "dns.question.type": "AAAA", + "dns.resolved_ip": [ + "2a04:4e42:0600:0000:0000:0000:0000:0729", + "2a04:4e42:0000:0000:0000:0000:0000:0729", + "2a04:4e42:0200:0000:0000:0000:0000:0729", + "2a04:4e42:0400:0000:0000:0000:0000:0729" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-22T23:48:48.902685+0000\",\"flow_id\":2130691028471842,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":41979,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":4210,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":299,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0600:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0000:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"}],\"grouped\":{\"AAAA\":[\"2a04:4e42:0600:0000:0000:0000:0000:0729\",\"2a04:4e42:0000:0000:0000:0000:0000:0729\",\"2a04:4e42:0200:0000:0000:0000:0000:0729\",\"2a04:4e42:0400:0000:0000:0000:0000:0729\"],\"CNAME\":[\"dualstack.r2.shared.global.fastly.net\"]}}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 3116, + "network.community_id": "1:SDBTqhsjpXwQyrvRX6xpeEaMsAg=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "2a04:4e42:0600:0000:0000:0000:0000:0729", + "2a04:4e42:0000:0000:0000:0000:0000:0729", + "2a04:4e42:0200:0000:0000:0000:0000:0729", + "2a04:4e42:0400:0000:0000:0000:0000:0729", + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 4210, + "suricata.eve.dns.rcode": "NOERROR", 
+ "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "2130691028471842", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.812Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "28329", + "dns.question.name": "www.yahoo.com", + "dns.question.registered_domain": "yahoo.com", + "dns.question.subdomain": "www", + "dns.question.top_level_domain": "com", + "dns.question.type": "A", + "dns.type": "query", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.812655+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":44773,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":28329,\"rrname\":\"www.yahoo.com\",\"rrtype\":\"A\",\"tx_id\":0}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 4327, + "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 44773, + "suricata.eve.dns.id": 28329, + "suricata.eve.dns.rrname": "www.yahoo.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "814378410010223", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.812Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 
53, + "dns.id": "7050", + "dns.question.name": "www.yahoo.com", + "dns.question.registered_domain": "yahoo.com", + "dns.question.subdomain": "www", + "dns.question.top_level_domain": "com", + "dns.question.type": "AAAA", + "dns.type": "query", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.812828+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":55246,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":7050,\"rrname\":\"www.yahoo.com\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 4610, + "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 55246, + "suricata.eve.dns.id": 7050, + "suricata.eve.dns.rrname": "www.yahoo.com", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "1887239765714716", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.846Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 44773, + "dns.answers": [ + { + "data": "atsv2-fp-shed.wg1.b.yahoo.com", + "name": "www.yahoo.com", + "ttl": 1315, + "type": "CNAME" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "28329", + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + 
"event.original": "{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.yahoo.com\",\"rrtype\":\"CNAME\",\"ttl\":1315,\"rdata\":\"atsv2-fp-shed.wg1.b.yahoo.com\"}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 4896, + "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 28329, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrname": "www.yahoo.com", + "suricata.eve.dns.rrtype": "CNAME", + "suricata.eve.dns.ttl": 1315, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "814378410010223", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.846Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 44773, + "dns.answers": [ + { + "data": "98.138.219.232", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 15, + "type": "A" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "28329", + "dns.resolved_ip": [ + "98.138.219.232" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"98.138.219.232\"}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 5288, + "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "98.138.219.232", + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 28329, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "98.138.219.232", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.ttl": 15, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "814378410010223", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.846Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 44773, + "dns.answers": [ + { + "data": "98.138.219.231", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 15, + "type": "A" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "28329", + "dns.resolved_ip": [ + "98.138.219.231" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"98.138.219.231\"}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 5675, + "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "98.138.219.231", + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 28329, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "98.138.219.231", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.ttl": 15, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "814378410010223", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.846Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 44773, + "dns.answers": [ + { + "data": "72.30.35.10", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 15, + "type": "A" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "28329", + "dns.resolved_ip": [ + "72.30.35.10" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"72.30.35.10\"}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 6062, + "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "72.30.35.10", + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 28329, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "72.30.35.10", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.ttl": 15, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "814378410010223", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.846Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 44773, + "dns.answers": [ + { + "data": "72.30.35.9", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 15, + "type": "A" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "28329", + "dns.resolved_ip": [ + "72.30.35.9" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T01:22:31.846575+0000\",\"flow_id\":814378410010223,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":44773,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":28329,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"A\",\"ttl\":15,\"rdata\":\"72.30.35.9\"}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 6446, + "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "72.30.35.9", + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 28329, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "72.30.35.9", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.ttl": 15, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "814378410010223", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.847Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 55246, + "dns.answers": [ + { + "data": "atsv2-fp-shed.wg1.b.yahoo.com", + "name": "www.yahoo.com", + "ttl": 1268, + "type": "CNAME" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "7050", + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.yahoo.com\",\"rrtype\":\"CNAME\",\"ttl\":1268,\"rdata\":\"atsv2-fp-shed.wg1.b.yahoo.com\"}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 6829, + "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 7050, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrname": "www.yahoo.com", + "suricata.eve.dns.rrtype": "CNAME", + "suricata.eve.dns.ttl": 1268, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "1887239765714716", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.847Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 55246, + "dns.answers": [ + { + "data": "2001:4998:0058:1836:0000:0000:0000:0010", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 53, + "type": "AAAA" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "7050", + "dns.resolved_ip": [ + "2001:4998:0058:1836:0000:0000:0000:0010" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0058:1836:0000:0000:0000:0010\"}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 7221, + "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "2001:4998:0058:1836:0000:0000:0000:0010", + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 7050, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "2001:4998:0058:1836:0000:0000:0000:0010", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.ttl": 53, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "1887239765714716", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.847Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 55246, + "dns.answers": [ + { + "data": "2001:4998:0044:041d:0000:0000:0000:0003", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 53, + "type": "AAAA" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "7050", + "dns.resolved_ip": [ + "2001:4998:0044:041d:0000:0000:0000:0003" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": 
"suricata", + "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0044:041d:0000:0000:0000:0003\"}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 7636, + "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "2001:4998:0044:041d:0000:0000:0000:0003", + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 7050, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "2001:4998:0044:041d:0000:0000:0000:0003", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.ttl": 53, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "1887239765714716", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.847Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 55246, + "dns.answers": [ + { + "data": "2001:4998:0058:1836:0000:0000:0000:0011", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 53, + "type": "AAAA" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "7050", + "dns.resolved_ip": [ + "2001:4998:0058:1836:0000:0000:0000:0011" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": 
"event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0058:1836:0000:0000:0000:0011\"}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 8051, + "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "2001:4998:0058:1836:0000:0000:0000:0011", + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 7050, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "2001:4998:0058:1836:0000:0000:0000:0011", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.ttl": 53, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "1887239765714716", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T01:22:31.847Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 55246, + "dns.answers": [ + { + "data": "2001:4998:0044:041d:0000:0000:0000:0004", + "name": "atsv2-fp-shed.wg1.b.yahoo.com", + "ttl": 53, + "type": "AAAA" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "7050", + "dns.resolved_ip": [ + "2001:4998:0044:041d:0000:0000:0000:0004" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": 
"suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-23T01:22:31.847379+0000\",\"flow_id\":1887239765714716,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":55246,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":7050,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"atsv2-fp-shed.wg1.b.yahoo.com\",\"rrtype\":\"AAAA\",\"ttl\":53,\"rdata\":\"2001:4998:0044:041d:0000:0000:0000:0004\"}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 8466, + "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "2001:4998:0044:041d:0000:0000:0000:0004", + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 7050, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "2001:4998:0044:041d:0000:0000:0000:0004", + "suricata.eve.dns.rrname": "atsv2-fp-shed.wg1.b.yahoo.com", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.ttl": 53, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "1887239765714716", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T02:03:36.578Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "9104", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.subdomain": "www", + "dns.question.top_level_domain": "co", + "dns.question.type": "A", + "dns.type": "query", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T02:03:36.578089+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":48288,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":9104,\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"tx_id\":0}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 8881, + "network.community_id": "1:zh0UVYktuWGDSL+4ROPa1CTtEPE=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 48288, + "suricata.eve.dns.id": 9104, + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "2181951993205289", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T02:03:36.578Z", + "destination.address": "10.0.2.3", + "destination.ip": "10.0.2.3", + "destination.port": 53, + "dns.id": "12859", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.subdomain": "www", + "dns.question.top_level_domain": "co", + "dns.question.type": "AAAA", + "dns.type": "query", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2019-08-23T02:03:36.578262+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.15\",\"src_port\":59203,\"dest_ip\":\"10.0.2.3\",\"dest_port\":53,\"proto\":\"UDP\",\"dns\":{\"type\":\"query\",\"id\":12859,\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"tx_id\":0}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + 
"input.type": "log", + "log.offset": 9165, + "network.community_id": "1:fuLDtU46PU3PHindOSCj0JKYUaA=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "service.type": "suricata", + "source.address": "10.0.2.15", + "source.ip": "10.0.2.15", + "source.port": 59203, + "suricata.eve.dns.id": 12859, + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.tx_id": 0, + "suricata.eve.dns.type": "query", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "928596784370390", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T02:03:36.619Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 48288, + "dns.answers": [ + { + "data": "dualstack.r2.shared.global.fastly.net", + "name": "www.elastic.co", + "ttl": 150, + "type": "CNAME" + }, + { + "data": "151.101.194.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + }, + { + "data": "151.101.2.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + }, + { + "data": "151.101.66.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + }, + { + "data": "151.101.130.217", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "A" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "9104", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.subdomain": "www", + "dns.question.top_level_domain": "co", + "dns.question.type": "A", + "dns.resolved_ip": [ + "151.101.194.217", + "151.101.2.217", + "151.101.66.217", + "151.101.130.217" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T02:03:36.619381+0000\",\"flow_id\":2181951993205289,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":48288,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":9104,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"A\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":150,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.194.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.2.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.66.217\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"A\",\"ttl\":29,\"rdata\":\"151.101.130.217\"}]}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 9452, + "network.community_id": "1:zh0UVYktuWGDSL+4ROPa1CTtEPE=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "151.101.194.217", + "151.101.2.217", + "151.101.66.217", + "151.101.130.217", + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 9104, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "2181951993205289", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2019-08-23T02:03:36.626Z", + "destination.address": "10.0.2.15", + "destination.ip": "10.0.2.15", + "destination.port": 59203, + "dns.answers": [ + { + "data": 
"dualstack.r2.shared.global.fastly.net", + "name": "www.elastic.co", + "ttl": 269, + "type": "CNAME" + }, + { + "data": "2a04:4e42:0000:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + }, + { + "data": "2a04:4e42:0200:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + }, + { + "data": "2a04:4e42:0400:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + }, + { + "data": "2a04:4e42:0600:0000:0000:0000:0000:0729", + "name": "dualstack.r2.shared.global.fastly.net", + "ttl": 29, + "type": "AAAA" + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "12859", + "dns.question.name": "www.elastic.co", + "dns.question.registered_domain": "elastic.co", + "dns.question.subdomain": "www", + "dns.question.top_level_domain": "co", + "dns.question.type": "AAAA", + "dns.resolved_ip": [ + "2a04:4e42:0000:0000:0000:0000:0000:0729", + "2a04:4e42:0200:0000:0000:0000:0000:0729", + "2a04:4e42:0400:0000:0000:0000:0000:0729", + "2a04:4e42:0600:0000:0000:0000:0000:0729" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2019-08-23T02:03:36.626559+0000\",\"flow_id\":928596784370390,\"in_iface\":\"enp0s3\",\"event_type\":\"dns\",\"src_ip\":\"10.0.2.3\",\"src_port\":53,\"dest_ip\":\"10.0.2.15\",\"dest_port\":59203,\"proto\":\"UDP\",\"dns\":{\"version\":2,\"type\":\"answer\",\"id\":12859,\"flags\":\"8180\",\"qr\":true,\"rd\":true,\"ra\":true,\"rcode\":\"NOERROR\",\"rrname\":\"www.elastic.co\",\"rrtype\":\"AAAA\",\"answers\":[{\"rrname\":\"www.elastic.co\",\"rrtype\":\"CNAME\",\"ttl\":269,\"rdata\":\"dualstack.r2.shared.global.fastly.net\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0000:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0200:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0400:0000:0000:0000:0000:0729\"},{\"rrname\":\"dualstack.r2.shared.global.fastly.net\",\"rrtype\":\"AAAA\",\"ttl\":29,\"rdata\":\"2a04:4e42:0600:0000:0000:0000:0000:0729\"}]}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 10310, + "network.community_id": "1:fuLDtU46PU3PHindOSCj0JKYUaA=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "2a04:4e42:0000:0000:0000:0000:0000:0729", + "2a04:4e42:0200:0000:0000:0000:0000:0729", + "2a04:4e42:0400:0000:0000:0000:0000:0729", + "2a04:4e42:0600:0000:0000:0000:0000:0729", + "10.0.2.3", + "10.0.2.15" + ], + "service.type": "suricata", + "source.address": "10.0.2.3", + "source.ip": "10.0.2.3", + "source.port": 53, + "suricata.eve.dns.id": 12859, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rrname": "www.elastic.co", + "suricata.eve.dns.rrtype": "AAAA", + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "928596784370390", + "suricata.eve.in_iface": "enp0s3", + "tags": [ + 
"suricata"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/dynamite_nsm/confs/filebeat/module/suricata/eve/test/eve-small.log-expected.json
new file mode 100644
index 00000000..50125bc3
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/suricata/eve/test/eve-small.log-expected.json
@@ -0,0 +1,757 @@ +[ + { + "@timestamp": "2018-07-05T19:01:09.820Z", + "destination.address": "192.168.253.112", + "destination.ip": "192.168.253.112", + "destination.port": 22, + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-07-05T15:01:09.820360-0400\",\"flow_id\":298824096901438,\"in_iface\":\"en0\",\"event_type\":\"ssh\",\"src_ip\":\"192.168.86.85\",\"src_port\":55406,\"dest_ip\":\"192.168.253.112\",\"dest_port\":22,\"proto\":\"TCP\",\"ssh\":{\"client\":{\"proto_version\":\"2.0\",\"software_version\":\"OpenSSH_7.6\"},\"server\":{\"proto_version\":\"2.0\",\"software_version\":\"libssh_0.7.0\"}}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:NLm1MbaBR6humQxEQI2Ai7h/XiI=", + "network.protocol": "ssh", + "network.transport": "tcp", + "related.ip": [ + "192.168.86.85", + "192.168.253.112" + ], + "service.type": "suricata", + "source.address": "192.168.86.85", + "source.ip": "192.168.86.85", + "source.port": 55406, + "suricata.eve.event_type": "ssh", + "suricata.eve.flow_id": "298824096901438", + "suricata.eve.in_iface": "en0", + "suricata.eve.ssh.client.proto_version": "2.0", + "suricata.eve.ssh.client.software_version": "OpenSSH_7.6", + "suricata.eve.ssh.server.proto_version": "2.0", + "suricata.eve.ssh.server.software_version": "libssh_0.7.0", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2018-07-05T19:07:20.910Z", + "destination.address": "192.168.156.70", + "destination.bytes": 343, + "destination.domain": "l2.io", + "destination.ip": "192.168.156.70", + "destination.packets": 3, + "destination.port": 443, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2018-07-05T15:07:20.910626-0400\",\"flow_id\":904992230150281,\"in_iface\":\"en0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.86.85\",\"src_port\":55641,\"dest_ip\":\"192.168.156.70\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2024833,\"rev\":3,\"signature\":\"ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1},\"tls\":{\"session_resumed\":true,\"sni\":\"l2.io\",\"version\":\"TLS 1.2\"},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":793,\"bytes_toclient\":343,\"start\":\"2018-07-05T15:07:19.659593-0400\"}}", + "event.severity": 1, + "event.start": "2018-07-05T19:07:19.659Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 350, + "message": "Potential Corporate Privacy Violation", + "network.bytes": 1136, + "network.community_id": "1:BWtsS+4pk477zAwfzve3Nm+x1Ms=", + "network.packets": 7, + "network.protocol": "tls", + "network.transport": "tcp", + "related.ip": [ + "192.168.86.85", + "192.168.156.70" + ], + "rule.category": "Potential Corporate Privacy Violation", + "rule.id": "2024833", + "rule.name": "ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)", + "service.type": "suricata", + "source.address": "192.168.86.85", + "source.bytes": 793, + "source.ip": "192.168.86.85", + "source.packets": 4, + "source.port": 55641, + "suricata.eve.alert.category": "Potential Corporate Privacy Violation", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 3, + "suricata.eve.alert.signature": "ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)", + "suricata.eve.alert.signature_id": 2024833, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": "904992230150281", + "suricata.eve.in_iface": "en0", + "suricata.eve.tls.session_resumed": true, + "suricata.eve.tls.sni": "l2.io", + 
"suricata.eve.tls.version": "TLS 1.2", + "suricata.eve.tx_id": 0, + "tags": [ + "suricata" + ], + "tls.client.server_name": "l2.io", + "tls.resumed": true, + "tls.version": "1.2", + "tls.version_protocol": "tls" + }, + { + "@timestamp": "2018-07-05T19:43:47.690Z", + "destination.address": "192.168.86.28", + "destination.domain": "192.168.86.28", + "destination.ip": "192.168.86.28", + "destination.port": 63963, + "event.category": [ + "network", + "web" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-07-05T15:43:47.690014-0400\",\"flow_id\":2115002772430095,\"in_iface\":\"en0\",\"event_type\":\"http\",\"src_ip\":\"192.168.86.85\",\"src_port\":56119,\"dest_ip\":\"192.168.86.28\",\"dest_port\":63963,\"proto\":\"TCP\",\"tx_id\":0,\"http\":{\"hostname\":\"192.168.86.28\",\"url\":\"\\/dd.xml\",\"http_user_agent\":\"Mozilla\\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/67.0.3396.99 Safari\\/537.36\",\"http_content_type\":\"text\\/xml\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1155}}", + "event.outcome": "success", + "event.type": [ + "access", + "protocol" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 1155, + "http.response.status_code": 200, + "input.type": "log", + "log.offset": 985, + "network.community_id": "1:gjMiDGtS5SVvdwzjjQdAKGBrDA4=", + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "192.168.86.28" + ], + "related.ip": [ + "192.168.86.85", + "192.168.86.28" + ], + "service.type": "suricata", + "source.address": "192.168.86.85", + "source.ip": "192.168.86.85", + "source.port": 56119, + "suricata.eve.event_type": "http", + "suricata.eve.flow_id": "2115002772430095", + "suricata.eve.http.http_content_type": "text/xml", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "en0", + 
"suricata.eve.tx_id": 0, + "tags": [ + "suricata" + ], + "url.domain": "192.168.86.28", + "url.original": "/dd.xml", + "url.path": "/dd.xml", + "user_agent.device.name": "Mac", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.13.5", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.13.5", + "user_agent.version": "67.0.3396.99" + }, + { + "@timestamp": "2018-07-05T19:44:33.222Z", + "destination.address": "192.168.86.85", + "destination.domain": "192.168.86.28", + "destination.ip": "192.168.86.85", + "destination.port": 56118, + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-07-05T15:44:33.222441-0400\",\"flow_id\":2211411903323127,\"in_iface\":\"en0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.86.28\",\"src_port\":8008,\"dest_ip\":\"192.168.86.85\",\"dest_port\":56118,\"proto\":\"TCP\",\"http\":{\"hostname\":\"192.168.86.28\",\"url\":\"\\/ssdp\\/device-desc.xml\",\"http_user_agent\":\"Mozilla\\/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit\\/537.36 (KHTML, like Gecko) Chrome\\/67.0.3396.99 Safari\\/537.36\",\"http_content_type\":\"application\\/xml\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":200,\"length\":1071},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/ssdp\\/device-desc.xml\",\"gaps\":false,\"state\":\"CLOSED\",\"md5\":\"427b7337ff37eeb24d74f47d8e04cf21\",\"sha1\":\"313573490192c685e9e53abef25453ed0d5e2aee\",\"sha256\":\"f610428ebddf6f8cf9e39322e672583c45fcdcf885efad0ab48fd53a3dfc2c4b\",\"stored\":false,\"size\":1071,\"tx_id\":0}}", + "file.path": "/ssdp/device-desc.xml", + "file.size": 1071, + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 1071, + "http.response.status_code": 
200, + "input.type": "log", + "log.offset": 1507, + "network.community_id": "1:XhhAO/Twj86+bD+1fV8FnpLIEDs=", + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "192.168.86.28" + ], + "related.ip": [ + "192.168.86.28", + "192.168.86.85" + ], + "service.type": "suricata", + "source.address": "192.168.86.28", + "source.ip": "192.168.86.28", + "source.port": 8008, + "suricata.eve.event_type": "fileinfo", + "suricata.eve.fileinfo.gaps": false, + "suricata.eve.fileinfo.md5": "427b7337ff37eeb24d74f47d8e04cf21", + "suricata.eve.fileinfo.sha1": "313573490192c685e9e53abef25453ed0d5e2aee", + "suricata.eve.fileinfo.sha256": "f610428ebddf6f8cf9e39322e672583c45fcdcf885efad0ab48fd53a3dfc2c4b", + "suricata.eve.fileinfo.state": "CLOSED", + "suricata.eve.fileinfo.stored": false, + "suricata.eve.fileinfo.tx_id": 0, + "suricata.eve.flow_id": "2211411903323127", + "suricata.eve.http.http_content_type": "application/xml", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "en0", + "tags": [ + "suricata" + ], + "url.domain": "192.168.86.28", + "url.original": "/ssdp/device-desc.xml", + "url.path": "/ssdp/device-desc.xml", + "user_agent.device.name": "Mac", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.13.5", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.13.5", + "user_agent.version": "67.0.3396.99" + }, + { + "@timestamp": "2018-07-05T19:51:20.213Z", + "destination.address": "192.168.86.85", + "destination.ip": "192.168.86.85", + "destination.port": 39464, + "dns.answers": [ + { + "data": "172.217.13.110", + "name": "clients.l.google.com", + "ttl": 299, + "type": "A" + } + ], + "dns.id": "12308", + "dns.resolved_ip": [ + "172.217.13.110" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + 
"event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-07-05T15:51:20.213418-0400\",\"flow_id\":1684780223079543,\"in_iface\":\"en0\",\"event_type\":\"dns\",\"src_ip\":\"192.168.86.1\",\"src_port\":53,\"dest_ip\":\"192.168.86.85\",\"dest_port\":39464,\"proto\":\"UDP\",\"dns\":{\"type\":\"answer\",\"id\":12308,\"rcode\":\"NOERROR\",\"rrname\":\"clients.l.google.com\",\"rrtype\":\"A\",\"ttl\":299,\"rdata\":\"172.217.13.110\"}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 2347, + "network.community_id": "1:pC3b0nBNCU4LxSue53drHp4b4cs=", + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "172.217.13.110", + "192.168.86.1", + "192.168.86.85" + ], + "service.type": "suricata", + "source.address": "192.168.86.1", + "source.ip": "192.168.86.1", + "source.port": 53, + "suricata.eve.dns.id": 12308, + "suricata.eve.dns.rcode": "NOERROR", + "suricata.eve.dns.rdata": "172.217.13.110", + "suricata.eve.dns.rrname": "clients.l.google.com", + "suricata.eve.dns.rrtype": "A", + "suricata.eve.dns.ttl": 299, + "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", + "suricata.eve.flow_id": "1684780223079543", + "suricata.eve.in_iface": "en0", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2018-07-05T19:51:23.009Z", + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "metric", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2018-07-05T15:51:23.009510-0400\",\"event_type\":\"stats\",\"stats\":{\"uptime\":5400,\"capture\":{\"kernel_packets\":430313,\"kernel_drops\":0,\"kernel_ifdrops\":0},\"decoder\":{\"pkts\":430313,\"bytes\":335138381,\"invalid\":2,\"ipv4\":425873,\"ipv6\":3785,\"ethernet\":430313,\"raw\":0,\"null\":0,\"sll\":0,\"tcp\":370093,\"udp\":58337,\"sctp\":0,\"icmpv4\":186,\"icmpv6\":1019,\"ppp\":0,\"pppoe\":0,\"gre\":0,\"vlan\":0,\"vlan_qinq\":0,\"ieee8021ah\":0,\"teredo\":1,\"ipv4_in_ipv6\":0,\"ipv6_in_ipv6\":0,\"mpls\":0,\"avg_pkt_size\":778,\"max_pkt_size\":1514,\"erspan\":0,\"ipraw\":{\"invalid_ip_version\":0},\"ltnull\":{\"pkt_too_small\":0,\"unsupported_type\":0},\"dce\":{\"pkt_too_small\":0}},\"flow\":{\"memcap\":0,\"tcp\":1113,\"udp\":1881,\"icmpv4\":0,\"icmpv6\":677,\"spare\":10000,\"emerg_mode_entered\":0,\"emerg_mode_over\":0,\"tcp_reuse\":0,\"memuse\":11537312},\"defrag\":{\"ipv4\":{\"fragments\":0,\"reassembled\":0,\"timeouts\":0},\"ipv6\":{\"fragments\":0,\"reassembled\":0,\"timeouts\":0},\"max_frag_hits\":0},\"tcp\":{\"sessions\":842,\"ssn_memcap_drop\":0,\"pseudo\":0,\"pseudo_failed\":0,\"invalid_checksum\":0,\"no_flow\":0,\"syn\":1138,\"synack\":656,\"rst\":1165,\"segment_memcap_drop\":0,\"stream_depth_reached\":63,\"reassembly_gap\":0,\"overlap\":5979,\"overlap_diff_data\":0,\"insert_data_normal_fail\":0,\"insert_data_overlap_fail\":0,\"insert_list_fail\":0,\"memuse\":4587520,\"reassembly_memuse\":768000},\"detect\":{\"alert\":2},\"app_layer\":{\"flow\":{\"http\":22,\"ftp\":0,\"smtp\":0,\"tls\":560,\"ssh\":4,\"imap\":0,\"msn\":0,\"smb\":0,\"dcerpc_tcp\":0,\"dns_tcp\":0,\"failed_tcp\":2,\"dcerpc_udp\":0,\"dns_udp\":762,\"failed_udp\":1119},\"tx\":{\"http\":25,\"ftp\":0,\"smtp\":0,\"tls\":0,\"ssh\":0,\"smb\":0,\"dcerpc_tcp\":0,\"dns_tcp\":0,\"dcerpc_udp\":0,\"dns_udp\":762}},\"flow_mgr\":{\"closed_pruned\":729,\"new_pruned\":1879,\"est_pruned\":975,\"bypassed_pruned\":0,\"flows_checked\":8,\"flows_notimeout\":8,\"flows_timeout\":0,\"flows_tim
eout_inuse\":0,\"flows_removed\":0,\"rows_checked\":65536,\"rows_skipped\":65530,\"rows_empty\":0,\"rows_busy\":0,\"rows_maxlen\":2},\"file_store\":{\"open_files\":0},\"dns\":{\"memuse\":7749,\"memcap_state\":0,\"memcap_global\":0},\"http\":{\"memuse\":17861,\"memcap\":0}}}", + "fileset.name": "eve", + "input.type": "log", + "log.offset": 2687, + "service.type": "suricata", + "suricata.eve.event_type": "stats", + "suricata.eve.stats.app_layer.flow.dcerpc_tcp": 0, + "suricata.eve.stats.app_layer.flow.dcerpc_udp": 0, + "suricata.eve.stats.app_layer.flow.dns_tcp": 0, + "suricata.eve.stats.app_layer.flow.dns_udp": 762, + "suricata.eve.stats.app_layer.flow.failed_tcp": 2, + "suricata.eve.stats.app_layer.flow.failed_udp": 1119, + "suricata.eve.stats.app_layer.flow.ftp": 0, + "suricata.eve.stats.app_layer.flow.http": 22, + "suricata.eve.stats.app_layer.flow.imap": 0, + "suricata.eve.stats.app_layer.flow.msn": 0, + "suricata.eve.stats.app_layer.flow.smb": 0, + "suricata.eve.stats.app_layer.flow.smtp": 0, + "suricata.eve.stats.app_layer.flow.ssh": 4, + "suricata.eve.stats.app_layer.flow.tls": 560, + "suricata.eve.stats.app_layer.tx.dcerpc_tcp": 0, + "suricata.eve.stats.app_layer.tx.dcerpc_udp": 0, + "suricata.eve.stats.app_layer.tx.dns_tcp": 0, + "suricata.eve.stats.app_layer.tx.dns_udp": 762, + "suricata.eve.stats.app_layer.tx.ftp": 0, + "suricata.eve.stats.app_layer.tx.http": 25, + "suricata.eve.stats.app_layer.tx.smb": 0, + "suricata.eve.stats.app_layer.tx.smtp": 0, + "suricata.eve.stats.app_layer.tx.ssh": 0, + "suricata.eve.stats.app_layer.tx.tls": 0, + "suricata.eve.stats.capture.kernel_drops": 0, + "suricata.eve.stats.capture.kernel_ifdrops": 0, + "suricata.eve.stats.capture.kernel_packets": 430313, + "suricata.eve.stats.decoder.avg_pkt_size": 778, + "suricata.eve.stats.decoder.bytes": 335138381, + "suricata.eve.stats.decoder.dce.pkt_too_small": 0, + "suricata.eve.stats.decoder.erspan": 0, + "suricata.eve.stats.decoder.ethernet": 430313, + 
"suricata.eve.stats.decoder.gre": 0, + "suricata.eve.stats.decoder.icmpv4": 186, + "suricata.eve.stats.decoder.icmpv6": 1019, + "suricata.eve.stats.decoder.ieee8021ah": 0, + "suricata.eve.stats.decoder.invalid": 2, + "suricata.eve.stats.decoder.ipraw.invalid_ip_version": 0, + "suricata.eve.stats.decoder.ipv4": 425873, + "suricata.eve.stats.decoder.ipv4_in_ipv6": 0, + "suricata.eve.stats.decoder.ipv6": 3785, + "suricata.eve.stats.decoder.ipv6_in_ipv6": 0, + "suricata.eve.stats.decoder.ltnull.pkt_too_small": 0, + "suricata.eve.stats.decoder.ltnull.unsupported_type": 0, + "suricata.eve.stats.decoder.max_pkt_size": 1514, + "suricata.eve.stats.decoder.mpls": 0, + "suricata.eve.stats.decoder.null": 0, + "suricata.eve.stats.decoder.pkts": 430313, + "suricata.eve.stats.decoder.ppp": 0, + "suricata.eve.stats.decoder.pppoe": 0, + "suricata.eve.stats.decoder.raw": 0, + "suricata.eve.stats.decoder.sctp": 0, + "suricata.eve.stats.decoder.sll": 0, + "suricata.eve.stats.decoder.tcp": 370093, + "suricata.eve.stats.decoder.teredo": 1, + "suricata.eve.stats.decoder.udp": 58337, + "suricata.eve.stats.decoder.vlan": 0, + "suricata.eve.stats.decoder.vlan_qinq": 0, + "suricata.eve.stats.defrag.ipv4.fragments": 0, + "suricata.eve.stats.defrag.ipv4.reassembled": 0, + "suricata.eve.stats.defrag.ipv4.timeouts": 0, + "suricata.eve.stats.defrag.ipv6.fragments": 0, + "suricata.eve.stats.defrag.ipv6.reassembled": 0, + "suricata.eve.stats.defrag.ipv6.timeouts": 0, + "suricata.eve.stats.defrag.max_frag_hits": 0, + "suricata.eve.stats.detect.alert": 2, + "suricata.eve.stats.dns.memcap_global": 0, + "suricata.eve.stats.dns.memcap_state": 0, + "suricata.eve.stats.dns.memuse": 7749, + "suricata.eve.stats.file_store.open_files": 0, + "suricata.eve.stats.flow.emerg_mode_entered": 0, + "suricata.eve.stats.flow.emerg_mode_over": 0, + "suricata.eve.stats.flow.icmpv4": 0, + "suricata.eve.stats.flow.icmpv6": 677, + "suricata.eve.stats.flow.memcap": 0, + "suricata.eve.stats.flow.memuse": 11537312, + 
"suricata.eve.stats.flow.spare": 10000, + "suricata.eve.stats.flow.tcp": 1113, + "suricata.eve.stats.flow.tcp_reuse": 0, + "suricata.eve.stats.flow.udp": 1881, + "suricata.eve.stats.flow_mgr.bypassed_pruned": 0, + "suricata.eve.stats.flow_mgr.closed_pruned": 729, + "suricata.eve.stats.flow_mgr.est_pruned": 975, + "suricata.eve.stats.flow_mgr.flows_checked": 8, + "suricata.eve.stats.flow_mgr.flows_notimeout": 8, + "suricata.eve.stats.flow_mgr.flows_removed": 0, + "suricata.eve.stats.flow_mgr.flows_timeout": 0, + "suricata.eve.stats.flow_mgr.flows_timeout_inuse": 0, + "suricata.eve.stats.flow_mgr.new_pruned": 1879, + "suricata.eve.stats.flow_mgr.rows_busy": 0, + "suricata.eve.stats.flow_mgr.rows_checked": 65536, + "suricata.eve.stats.flow_mgr.rows_empty": 0, + "suricata.eve.stats.flow_mgr.rows_maxlen": 2, + "suricata.eve.stats.flow_mgr.rows_skipped": 65530, + "suricata.eve.stats.http.memcap": 0, + "suricata.eve.stats.http.memuse": 17861, + "suricata.eve.stats.tcp.insert_data_normal_fail": 0, + "suricata.eve.stats.tcp.insert_data_overlap_fail": 0, + "suricata.eve.stats.tcp.insert_list_fail": 0, + "suricata.eve.stats.tcp.invalid_checksum": 0, + "suricata.eve.stats.tcp.memuse": 4587520, + "suricata.eve.stats.tcp.no_flow": 0, + "suricata.eve.stats.tcp.overlap": 5979, + "suricata.eve.stats.tcp.overlap_diff_data": 0, + "suricata.eve.stats.tcp.pseudo": 0, + "suricata.eve.stats.tcp.pseudo_failed": 0, + "suricata.eve.stats.tcp.reassembly_gap": 0, + "suricata.eve.stats.tcp.reassembly_memuse": 768000, + "suricata.eve.stats.tcp.rst": 1165, + "suricata.eve.stats.tcp.segment_memcap_drop": 0, + "suricata.eve.stats.tcp.sessions": 842, + "suricata.eve.stats.tcp.ssn_memcap_drop": 0, + "suricata.eve.stats.tcp.stream_depth_reached": 63, + "suricata.eve.stats.tcp.syn": 1138, + "suricata.eve.stats.tcp.synack": 656, + "suricata.eve.stats.uptime": 5400, + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2018-07-05T19:51:50.666Z", + "destination.address": "17.142.164.13", + 
"destination.as.number": 714, + "destination.as.organization.name": "Apple Inc.", + "destination.domain": "p33-btmmdns.icloud.com", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "17.142.164.13", + "destination.port": 443, + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-07-05T15:51:50.666597-0400\",\"flow_id\":89751777876473,\"in_iface\":\"en0\",\"event_type\":\"tls\",\"src_ip\":\"192.168.86.85\",\"src_port\":56187,\"dest_ip\":\"17.142.164.13\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US\",\"issuerdn\":\"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US\",\"serial\":\"5C:9C:E1:09:78:87:F8:07\",\"fingerprint\":\"6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47\",\"sni\":\"p33-btmmdns.icloud.com.\",\"version\":\"TLS 1.2\",\"notbefore\":\"2017-02-27T17:54:31\",\"notafter\":\"2019-03-29T17:54:31\"}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 4683, + "network.community_id": "1:u67AuA4ybOaspT7mp9OZ3jWvnKw=", + "network.protocol": "tls", + "network.transport": "tcp", + "related.hash": [ + "6AFFACA65F8A05E7A98C7629B908C769ADDC7247" + ], + "related.ip": [ + "192.168.86.85", + "17.142.164.13" + ], + "service.type": "suricata", + "source.address": "192.168.86.85", + "source.ip": "192.168.86.85", + "source.port": 56187, + "suricata.eve.event_type": "tls", + "suricata.eve.flow_id": "89751777876473", + "suricata.eve.in_iface": "en0", + "suricata.eve.tls.fingerprint": "6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47", + "suricata.eve.tls.issuerdn": "CN=Apple 
IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US", + "suricata.eve.tls.notafter": "2019-03-29T17:54:31", + "suricata.eve.tls.notbefore": "2017-02-27T17:54:31", + "suricata.eve.tls.serial": "5C:9C:E1:09:78:87:F8:07", + "suricata.eve.tls.sni": "p33-btmmdns.icloud.com", + "suricata.eve.tls.subject": "CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US", + "suricata.eve.tls.version": "TLS 1.2", + "tags": [ + "suricata" + ], + "tls.client.server_name": "p33-btmmdns.icloud.com", + "tls.server.hash.sha1": "6AFFACA65F8A05E7A98C7629B908C769ADDC7247", + "tls.server.issuer": "CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US", + "tls.server.not_after": "2019-03-29T17:54:31.000Z", + "tls.server.not_before": "2017-02-27T17:54:31.000Z", + "tls.server.subject": "CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US", + "tls.server.x509.issuer.common_name": "Apple IST CA 2 - G1", + "tls.server.x509.issuer.country": "US", + "tls.server.x509.issuer.organization": "Apple Inc.", + "tls.server.x509.issuer.organizational_unit": "Certification Authority", + "tls.server.x509.not_after": "2019-03-29T17:54:31.000Z", + "tls.server.x509.not_before": "2017-02-27T17:54:31.000Z", + "tls.server.x509.serial_number": "5C9CE1097887F807", + "tls.server.x509.subject.common_name": "*.icloud.com", + "tls.server.x509.subject.country": "US", + "tls.server.x509.subject.organization": "Apple Inc.", + "tls.server.x509.subject.organizational_unit": "management:idms.group.506364", + "tls.server.x509.subject.state_or_province": "California", + "tls.version": "1.2", + "tls.version_protocol": "tls" + }, + { + "@timestamp": "2018-07-05T19:51:54.001Z", + "destination.address": "ff02:0000:0000:0000:0000:0000:0001:0002", + "destination.bytes": 0, + "destination.ip": "ff02:0000:0000:0000:0000:0000:0001:0002", + "destination.packets": 0, + "destination.port": 547, + "event.category": [ + "network" + ], + "event.dataset": 
"suricata.eve", + "event.duration": 0, + "event.end": "2018-07-05T19:51:23.453Z", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2018-07-05T15:51:54.001329-0400\",\"flow_id\":1828507008887644,\"event_type\":\"flow\",\"src_ip\":\"fe80:0000:0000:0000:fada:0cff:fedc:87f1\",\"src_port\":546,\"dest_ip\":\"ff02:0000:0000:0000:0000:0000:0001:0002\",\"dest_port\":547,\"proto\":\"UDP\",\"app_proto\":\"failed\",\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":110,\"bytes_toclient\":0,\"start\":\"2018-07-05T15:51:23.453468-0400\",\"end\":\"2018-07-05T15:51:23.453468-0400\",\"age\":0,\"state\":\"new\",\"reason\":\"timeout\",\"alerted\":false}}", + "event.start": "2018-07-05T19:51:23.453Z", + "event.type": [ + "connection", + "start" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 5308, + "network.bytes": 110, + "network.community_id": "1:fNUIKjMfx/xaM1gOO3eaVAeWLZA=", + "network.packets": 1, + "network.transport": "udp", + "related.ip": [ + "fe80:0000:0000:0000:fada:0cff:fedc:87f1", + "ff02:0000:0000:0000:0000:0000:0001:0002" + ], + "service.type": "suricata", + "source.address": "fe80:0000:0000:0000:fada:0cff:fedc:87f1", + "source.bytes": 110, + "source.ip": "fe80:0000:0000:0000:fada:0cff:fedc:87f1", + "source.packets": 1, + "source.port": 546, + "suricata.eve.event_type": "flow", + "suricata.eve.flow.age": 0, + "suricata.eve.flow.alerted": false, + "suricata.eve.flow.reason": "timeout", + "suricata.eve.flow.state": "new", + "suricata.eve.flow_id": "1828507008887644", + "tags": [ + "suricata" + ] + }, + { + "@timestamp": "2020-12-09T16:02:43.000Z", + "destination.address": "192.168.50.1", + "destination.domain": "ctldl.windowsupdate.com", + "destination.ip": "192.168.50.1", + "destination.port": 8080, + "event.category": [ + "network", + "web" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": 
"{\"timestamp\":\"2020-12-09T16:02:43.000505+0000\",\"flow_id\":913701662641234,\"in_iface\":\"eno6\",\"event_type\":\"http\",\"src_ip\":\"192.168.50.1\",\"src_port\":57134,\"dest_ip\":\"192.168.50.1\",\"dest_port\":8080,\"proto\":\"TCP\",\"tx_id\":0,\"http\":{\"hostname\":\"ctldl.windowsupdate.com\",\"url\":\"http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?111111111111\",\"http_user_agent\":\"Microsoft-CryptoAPI/10.0\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"length\":0}}", + "event.type": [ + "access", + "protocol" + ], + "fileset.name": "eve", + "http.request.method": "GET", + "http.response.body.bytes": 0, + "input.type": "log", + "log.offset": 5796, + "network.community_id": "1:Y8m38aDR9cy/emlD86XGhosniqY=", + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "ctldl.windowsupdate.com" + ], + "related.ip": [ + "192.168.50.1" + ], + "service.type": "suricata", + "source.address": "192.168.50.1", + "source.ip": "192.168.50.1", + "source.port": 57134, + "suricata.eve.event_type": "http", + "suricata.eve.flow_id": "913701662641234", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "eno6", + "suricata.eve.tx_id": 0, + "tags": [ + "suricata" + ], + "url.domain": "ctldl.windowsupdate.com", + "url.original": "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?111111111111", + "url.path": "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab", + "url.query": "111111111111", + "user_agent.device.name": "Other", + "user_agent.name": "Microsoft-CryptoAPI", + "user_agent.original": "Microsoft-CryptoAPI/10.0", + "user_agent.version": "10.0" + }, + { + "@timestamp": "2020-12-09T16:02:58.005Z", + "destination.address": "192.168.50.1", + "destination.ip": "192.168.50.1", + "destination.port": 443, + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + 
"event.module": "suricata", + "event.original": "{\"timestamp\":\"2020-12-09T16:02:58.005716+0000\",\"flow_id\":1298574590709840,\"in_iface\":\"eno6\",\"event_type\":\"tls\",\"src_ip\":\"192.168.50.1\",\"src_port\":60614,\"dest_ip\":\"192.168.50.1\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"subject\":\"C=US, ST=New York, L=New York City, O=Acme U.S.A., INC., CN=update.acme.com\",\"issuerdn\":\"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018\",\"serial\":\"0D:CE:DC:BC:AF:92:56:B4:C5:41:40:71:26:5B:1D:53\",\"fingerprint\":\"18:3c:11:45:46:e9:26:c7:87:64:0f:ed:47:86:1b:31:bf:0f:84:25\",\"version\":\"TLS 1.2\",\"notbefore\":\"2020-11-24T00:00:00\",\"notafter\":\"2021-12-25T23:59:59\",\"ja3\":{},\"ja3s\":{\"hash\":\"adc06261ef82c2e4688b3cf08c1b2f24\",\"string\":\"771,159,65281\"}}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 6267, + "network.community_id": "1:SKXuhLNyv4gfe01gqILs5v+qx40=", + "network.protocol": "tls", + "network.transport": "tcp", + "related.hash": [ + "183C114546E926C787640FED47861B31BF0F8425" + ], + "related.ip": [ + "192.168.50.1" + ], + "service.type": "suricata", + "source.address": "192.168.50.1", + "source.ip": "192.168.50.1", + "source.port": 60614, + "suricata.eve.event_type": "tls", + "suricata.eve.flow_id": "1298574590709840", + "suricata.eve.in_iface": "eno6", + "suricata.eve.tls.fingerprint": "18:3c:11:45:46:e9:26:c7:87:64:0f:ed:47:86:1b:31:bf:0f:84:25", + "suricata.eve.tls.issuerdn": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018", + "suricata.eve.tls.ja3s.hash": "adc06261ef82c2e4688b3cf08c1b2f24", + "suricata.eve.tls.ja3s.string": "771,159,65281", + "suricata.eve.tls.notafter": "2021-12-25T23:59:59", + "suricata.eve.tls.notbefore": "2020-11-24T00:00:00", + "suricata.eve.tls.serial": "0D:CE:DC:BC:AF:92:56:B4:C5:41:40:71:26:5B:1D:53", + "suricata.eve.tls.subject": "C=US, ST=New York, L=New York City, O=Acme U.S.A., INC., 
CN=update.acme.com", + "suricata.eve.tls.version": "TLS 1.2", + "tags": [ + "suricata" + ], + "tls.server.hash.sha1": "183C114546E926C787640FED47861B31BF0F8425", + "tls.server.issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018", + "tls.server.ja3s": "adc06261ef82c2e4688b3cf08c1b2f24", + "tls.server.not_after": "2021-12-25T23:59:59.000Z", + "tls.server.not_before": "2020-11-24T00:00:00.000Z", + "tls.server.subject": "C=US, ST=New York, L=New York City, O=Acme U.S.A., INC., CN=update.acme.com", + "tls.server.x509.issuer.common_name": "GeoTrust RSA CA 2018", + "tls.server.x509.issuer.country": "US", + "tls.server.x509.issuer.organization": "DigiCert Inc", + "tls.server.x509.issuer.organizational_unit": "www.digicert.com", + "tls.server.x509.not_after": "2021-12-25T23:59:59.000Z", + "tls.server.x509.not_before": "2020-11-24T00:00:00.000Z", + "tls.server.x509.serial_number": "0DCEDCBCAF9256B4C5414071265B1D53", + "tls.server.x509.subject.country": "US", + "tls.server.x509.subject.locality": "New York City", + "tls.server.x509.subject.organization": "Acme U.S.A.", + "tls.server.x509.subject.state_or_province": "New York", + "tls.version": "1.2", + "tls.version_protocol": "tls" + }, + { + "@timestamp": "2020-12-09T16:03:00.179Z", + "destination.address": "192.168.50.1", + "destination.domain": "192.168.50.1", + "destination.ip": "192.168.50.1", + "destination.port": 8081, + "event.category": [ + "network", + "web" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2020-12-09T16:03:00.179037+0000\",\"flow_id\":1097935193623328,\"in_iface\":\"eno6\",\"event_type\":\"http\",\"src_ip\":\"192.168.50.1\",\"src_port\":50898,\"dest_ip\":\"192.168.50.1\",\"dest_port\":8081,\"proto\":\"TCP\",\"tx_id\":0,\"http\":{\"hostname\":\"192.168.50.1\",\"http_port\":8081,\"url\":\"/uuid\",\"http_user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:84.0) Gecko/20100101 
Firefox/84.0\",\"http_method\":\"POST\",\"protocol\":\"HTTP/1.1\",\"length\":0}}", + "event.type": [ + "access", + "protocol" + ], + "fileset.name": "eve", + "http.request.method": "POST", + "http.response.body.bytes": 0, + "input.type": "log", + "log.offset": 6958, + "network.community_id": "1:UHWPAQmxXu8t7EWZzPx9jl6b6TM=", + "network.protocol": "http", + "network.transport": "tcp", + "related.hosts": [ + "192.168.50.1" + ], + "related.ip": [ + "192.168.50.1" + ], + "service.type": "suricata", + "source.address": "192.168.50.1", + "source.ip": "192.168.50.1", + "source.port": 50898, + "suricata.eve.event_type": "http", + "suricata.eve.flow_id": "1097935193623328", + "suricata.eve.http.protocol": "HTTP/1.1", + "suricata.eve.in_iface": "eno6", + "suricata.eve.tx_id": 0, + "tags": [ + "suricata" + ], + "url.domain": "192.168.50.1", + "url.original": "/uuid", + "url.path": "/uuid", + "url.port": 8081, + "user_agent.device.name": "Mac", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:84.0) Gecko/20100101 Firefox/84.0", + "user_agent.os.full": "Mac OS X 10.14", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.14", + "user_agent.version": "84.0." 
+ }, + { + "@timestamp": "2020-12-09T16:03:50.083Z", + "destination.address": "192.168.50.1", + "destination.domain": "www.example.com", + "destination.ip": "192.168.50.1", + "destination.port": 443, + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"timestamp\":\"2020-12-09T16:03:50.083307+0000\",\"flow_id\":289459143040794,\"in_iface\":\"eno6\",\"event_type\":\"tls\",\"src_ip\":\"192.168.50.1\",\"src_port\":12509,\"dest_ip\":\"192.168.50.1\",\"dest_port\":443,\"proto\":\"TCP\",\"tls\":{\"sni\":\"www.example.com\",\"version\":\"UNDETERMINED\",\"ja3\":{\"hash\":\"44d502d471cfdb99c59bdfb0f220e5a8\",\"string\":\"771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-41,29-23-24,0\"},\"ja3s\":{}}}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 7401, + "network.community_id": "1:0dSnqQKCiJXvy6HxZlV+50/b68k=", + "network.protocol": "tls", + "network.transport": "tcp", + "related.ip": [ + "192.168.50.1" + ], + "service.type": "suricata", + "source.address": "192.168.50.1", + "source.ip": "192.168.50.1", + "source.port": 12509, + "suricata.eve.event_type": "tls", + "suricata.eve.flow_id": "289459143040794", + "suricata.eve.in_iface": "eno6", + "suricata.eve.tls.ja3.hash": "44d502d471cfdb99c59bdfb0f220e5a8", + "suricata.eve.tls.ja3.string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-41,29-23-24,0", + "suricata.eve.tls.sni": "www.example.com", + "suricata.eve.tls.version": "UNDETERMINED", + "tags": [ + "suricata" + ], + "tls.client.ja3": "44d502d471cfdb99c59bdfb0f220e5a8", + "tls.client.server_name": "www.example.com" + } +] \ No newline at end of file 
diff --git a/dynamite_nsm/confs/filebeat/module/suricata/fields.go b/dynamite_nsm/confs/filebeat/module/suricata/fields.go
new file mode 100644
index 00000000..59317202
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/suricata/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package suricata
+
+import (
+ "github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("filebeat", "suricata", asset.ModuleFieldsPri, AssetSuricata); err != nil {
+ panic(err)
+ }
+}
+
+// AssetSuricata returns asset data.
+// This is the base64 encoded gzipped contents of module/suricata.
+func AssetSuricata() string {
+ return "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"
+}
diff --git a/dynamite_nsm/confs/filebeat/module/suricata/module.yml b/dynamite_nsm/confs/filebeat/module/suricata/module.yml
new file mode 100644
index 00000000..d3747be1
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/suricata/module.yml
@@ -0,0 +1,5 @@
+dashboards:
+- id: 78289c40-86da-11e8-b59d-21efb914e65c-ecs
+ file: filebeat-suricata-event-overview.json
+- id: 05268ee0-86d1-11e8-b59d-21efb914e65c-ecs
+ file: filebeat-suricata-alert-overview.json
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/README-developer.md b/dynamite_nsm/confs/filebeat/module/zeek/README-developer.md
new file mode 100644
index 00000000..72f516fb
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/README-developer.md
@@ -0,0 +1,66 @@
+# Zeek (Bro) module
+
+## Install and Configure Zeek/Bro
+
+### Install Zeek/Bro (for MacOS with Brew)
+
+```
+brew install bro
+```
+
+* Configure it to process network traffic and generate logs.
+* Edit `/usr/local/etc/node.cfg` to use the proper network interfaces.
+* Edit `/usr/local/etc/networks.cfg` to specify local networks accordingly.
+* Set `redef LogAscii::use_json=T;` in `/usr/local/share/bro/site/local.bro` to use JSON output.
+
+### Install Zeek/Bro (for Ubuntu Linux)
+
+```
+apt install bro
+apt install broctl
+```
+
+* Configure it to process network traffic and generate logs.
+* Edit `/etc/bro/node.cfg` to use the proper network interfaces.
+* Edit `/etc/bro/networks.cfg` to specify local networks accordingly.
+* Set `redef LogAscii::use_json=T;` in `/usr/share/bro/site/local.bro` to use JSON output.
+
+## Start Zeek/Bro
+
+```
+sudo broctl deploy
+```
+
+## How to try the module from source
+
+Clone and build Filebeat
+
+```
+git clone git@github.com:elastic/beats.git
+cd beats/x-pack/filebeat
+make mage
+mage clean update
+mage build
+```
+
+## Configure Filebeat module and run
+
+Update filebeat.yml to point to Elasticsearch and Kibana. Setup Filebeat.
+
+```
+./filebeat setup --modules zeek -e -E 'setup.dashboards.directory=build/kibana'
+```
+
+Enable the Filebeat zeek module
+
+```
+./filebeat modules enable zeek
+```
+
+Start Filebeat
+
+```
+./filebeat -e
+```
+
+Now, you should see the Zeek logs and dashboards in Kibana.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/README.md b/dynamite_nsm/confs/filebeat/module/zeek/README.md
new file mode 100644
index 00000000..4f97e7e9
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/README.md
@@ -0,0 +1,58 @@
+# Zeek (Bro) module
+
+## Install and Configure Zeek/Bro
+
+### Install Zeek/Bro (for MacOS with Brew)
+
+```
+brew install bro
+```
+
+* Configure it to process network traffic and generate logs.
+* Edit `/usr/local/etc/node.cfg` to use the proper network interfaces.
+* Edit `/usr/local/etc/networks.cfg` to specify local networks accordingly.
+* Set `redef LogAscii::use_json=T;` in `/usr/local/share/bro/site/local.bro` to use JSON output.
+
+### Install Zeek/Bro (for Ubuntu Linux)
+
+```
+apt install bro
+apt install broctl
+```
+
+* Configure it to process network traffic and generate logs.
+* Edit `/etc/bro/node.cfg` to use the proper network interfaces.
+* Edit `/etc/bro/networks.cfg` to specify local networks accordingly.
+* Set `redef LogAscii::use_json=T;` in `/usr/share/bro/site/local.bro` to use JSON output.
+
+## Start Zeek/Bro
+
+```
+sudo broctl deploy
+```
+
+## Download and install Filebeat
+
+Grab the filebeat binary from elastic.co, and install it by following the instructions.
+
+## Configure Filebeat module and run
+
+Update filebeat.yml to point to Elasticsearch and Kibana. Setup Filebeat.
+
+```
+./filebeat setup --modules zeek -e -E 'setup.dashboards.enabled=true'
+```
+
+Enable the Filebeat zeek module
+
+```
+./filebeat modules enable zeek
+```
+
+Start Filebeat
+
+```
+./filebeat -e
+```
+
+Now, you should see the Zeek logs and dashboards in Kibana.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/_meta/config.yml b/dynamite_nsm/confs/filebeat/module/zeek/_meta/config.yml
new file mode 100644
index 00000000..cc4572f6
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/_meta/config.yml
@@ -0,0 +1,81 @@
+- module: zeek
+ capture_loss:
+ enabled: true
+ connection:
+ enabled: true
+ dce_rpc:
+ enabled: true
+ dhcp:
+ enabled: true
+ dnp3:
+ enabled: true
+ dns:
+ enabled: true
+ dpd:
+ enabled: true
+ files:
+ enabled: true
+ ftp:
+ enabled: true
+ http:
+ enabled: true
+ intel:
+ enabled: true
+ irc:
+ enabled: true
+ kerberos:
+ enabled: true
+ modbus:
+ enabled: true
+ mysql:
+ enabled: true
+ notice:
+ enabled: true
+ ntlm:
+ enabled: true
+ ocsp:
+ enabled: true
+ pe:
+ enabled: true
+ radius:
+ enabled: true
+ rdp:
+ enabled: true
+ rfb:
+ enabled: true
+ signature:
+ enabled: true
+ sip:
+ enabled: true
+ smb_cmd:
+ enabled: true
+ smb_files:
+ enabled: true
+ smb_mapping:
+ enabled: true
+ smtp:
+ enabled: true
+ snmp:
+ enabled: true
+ socks:
+ enabled: true
+ ssh:
+ enabled: true
+ ssl:
+ enabled: true
+ stats:
+ enabled: true
+ syslog:
+ enabled: true
+ traceroute:
+ enabled: true
+ tunnel:
+ enabled: true
+ weird:
+ enabled: true
+ x509:
+ enabled: true
+
+ # Set custom paths for the log files. If left empty,
+ # Filebeat will choose the paths depending on your OS.
+ #var.paths:
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/_meta/docs.asciidoc b/dynamite_nsm/confs/filebeat/module/zeek/_meta/docs.asciidoc
new file mode 100644
index 00000000..aaef3f78
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/_meta/docs.asciidoc
@@ -0,0 +1,39 @@
+[role="xpack"]
+
+:modulename: zeek
+:has-dashboards: true
+
+== Zeek (Bro) Module
+
+This is a module for https://zeek.org/[Zeek], which used to be called Bro. It
+parses logs that are in the Zeek JSON format.
+
+The Zeek SSL fileset will handle fields from these scripts if they are
+installed in Zeek.
+
+- https://github.com/salesforce/ja3/tree/master/zeek[JA3/JA3S Hashes]
+- https://github.com/rocknsm/rock-scripts/blob/1abcb137c3c0cb7bc1d54248d738255d2d6eb4ba/protocols/ssl/ssl-add-cert-hash.zeek[SHA1 Certificate Hashes]
+
+include::../include/gs-link.asciidoc[]
+
+[float]
+=== Compatibility
+
+This module has been developed against Zeek 2.6.1, but is expected to work
+with newer versions of Zeek.
+
+Zeek requires a Unix-like platform, and it currently supports Linux, FreeBSD,
+and Mac OS X.
+
+[float]
+=== Example dashboard
+
+This module comes with a sample dashboard. For example:
+
+[role="screenshot"]
+image::./images/kibana-zeek.png[]
+
+:has-dashboards!:
+
+:modulename!:
+
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/_meta/fields.yml
new file mode 100644
index 00000000..66234178
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/_meta/fields.yml
@@ -0,0 +1,14 @@
+- key: zeek
+ title: Zeek
+ description: >
+ Module for handling logs produced by Zeek/Bro
+ fields:
+ - name: zeek
+ type: group
+ description: >
+ Fields from Zeek/Bro logs after normalization
+ fields:
+ - name: session_id
+ type: keyword
+ description: >
+ A unique identifier of the session
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/_meta/images/kibana-zeek.png b/dynamite_nsm/confs/filebeat/module/zeek/_meta/images/kibana-zeek.png
new file mode 100644
index 00000000..7c8458f1
Binary files /dev/null and b/dynamite_nsm/confs/filebeat/module/zeek/_meta/images/kibana-zeek.png differ
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/_meta/kibana/7/dashboard/Filebeat-Zeek-Overview.json b/dynamite_nsm/confs/filebeat/module/zeek/_meta/kibana/7/dashboard/Filebeat-Zeek-Overview.json
new file mode 100644
index 00000000..1c8e79b5
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/_meta/kibana/7/dashboard/Filebeat-Zeek-Overview.json
@@ -0,0 +1,859 @@ +{ + "objects": [ + { + "attributes": { + "description": "Overview of Zeek", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": {}, + "gridData": { + "h": 20, + "i": "1", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "1", + "panelRefName": "panel_0", + "version": "7.0.0-beta1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "2", + "w": 16, + "x": 0, + "y": 20 + }, + "panelIndex": "2", + "panelRefName": "panel_1", + "version": "7.0.0-beta1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "3", + "w": 16, + "x": 16, + "y": 20 + }, + "panelIndex": "3", + "panelRefName": "panel_2", + "version": "7.0.0-beta1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "4", + "w": 16, + "x": 32, + "y": 20 + }, + "panelIndex": "4", + "panelRefName": "panel_3", + "version": "7.0.0-beta1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "5", + "w": 16, + "x": 0, + "y": 32 + }, + "panelIndex": "5", + "panelRefName": "panel_4", + "version": "7.0.0-beta1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "6", + "w": 16, + "x": 16, + "y": 32 + }, + "panelIndex": "6", + "panelRefName": "panel_5", + "version": "7.0.0-beta1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "7", + "w": 16, + "x": 32, + "y": 32 + }, + "panelIndex": "7", + "panelRefName": "panel_6", + "version": "7.0.0-beta1" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 12, + "i": "8", + "w": 48, + "x": 0, + "y": 44 + }, + "panelIndex": "8", + "panelRefName": "panel_7", + "version": "7.0.0-beta1" + } + ], + "timeRestore": false, + "title": "[Filebeat Zeek] Overview", + "version": 1 + }, + "id": "7cbb5410-3700-11e9-aa6d-ff445a78330c", + "migrationVersion": { + 
"dashboard": "7.0.0" + }, + "references": [ + { + "id": "f469f230-370c-11e9-aa6d-ff445a78330c", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "1df7ea80-370d-11e9-aa6d-ff445a78330c", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "466e5850-370d-11e9-aa6d-ff445a78330c", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "649acd40-370d-11e9-aa6d-ff445a78330c", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "9436c270-370d-11e9-aa6d-ff445a78330c", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "bec2f0e0-370d-11e9-aa6d-ff445a78330c", + "name": "panel_5", + "type": "visualization" + }, + { + "id": "e042fda0-370d-11e9-aa6d-ff445a78330c", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "f8c40810-370d-11e9-aa6d-ff445a78330c", + "name": "panel_7", + "type": "visualization" + } + ], + "type": "dashboard", + "updated_at": "2019-02-23T05:05:18.205Z", + "version": "WzMxMTYsNF0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Destination Geo [Filebeat Zeek]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "field": "destination.geo.location", + "isFilteredByCollar": true, + "mapCenter": [ + 0, + 0 + ], + "mapZoom": 2, + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "params": { + "addTooltip": true, + "colorSchema": "Yellow to Red", + "dimensions": { + "geocentroid": null, + "geohash": null, + "metric": { + "accessor": 0, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + }, + "heatClusterSize": 1.5, + 
"isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Scaled Circle Markers", + "mapZoom": 2, + "wms": { + "enabled": false, + "options": { + "format": "image/png", + "transparent": true + } + } + }, + "title": "Destination Geo [Filebeat Zeek]", + "type": "tile_map" + } + }, + "id": "f469f230-370c-11e9-aa6d-ff445a78330c", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2019-02-26T00:06:27.634Z", + "version": "WzMyNzUsNV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Network Transport [Filebeat Zeek]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "network.transport", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "metric": { + "accessor": 0, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + }, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Network Transport [Filebeat Zeek]", + "type": "pie" + } + }, + "id": "1df7ea80-370d-11e9-aa6d-ff445a78330c", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "filebeat-*", + 
"name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2019-02-26T00:07:08.521Z", + "version": "WzMyNzgsNV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Network Application [Filebeat Zeek]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "network.application", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "metric": { + "accessor": 0, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + }, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Network Application [Filebeat Zeek]", + "type": "pie" + } + }, + "id": "466e5850-370d-11e9-aa6d-ff445a78330c", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2019-02-26T00:06:41.868Z", + "version": "WzMyNzYsNV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Network Traffic 
Direction [Filebeat Zeek]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "network.direction", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "metric": { + "accessor": 0, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + }, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Network Traffic Direction [Filebeat Zeek]", + "type": "pie" + } + }, + "id": "649acd40-370d-11e9-aa6d-ff445a78330c", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2019-02-26T00:06:55.885Z", + "version": "WzMyNzcsNV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Top DNS Domains [Filebeat Zeek]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "zeek.dns.query", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + 
"type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "metric": { + "accessor": 0, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + }, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Top DNS Domains [Filebeat Zeek]", + "type": "pie" + } + }, + "id": "9436c270-370d-11e9-aa6d-ff445a78330c", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2019-02-26T00:07:23.763Z", + "version": "WzMyNzksNV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Top URL Domains [Filebeat Zeek]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "url.domain", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "buckets": [ + { + "accessor": 0, + "aggType": "terms", + "format": { + "id": "terms", + "params": { + "id": "string", + "missingBucketLabel": "Missing", + "otherBucketLabel": "Other" + } + }, + "params": {} + } + ], + "metric": { + "accessor": 1, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + }, + "isDonut": true, + "labels": { + "last_level": true, 
+ "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Top URL Domains [Filebeat Zeek]", + "type": "pie" + } + }, + "id": "bec2f0e0-370d-11e9-aa6d-ff445a78330c", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2019-02-26T00:07:49.910Z", + "version": "WzMyODEsNV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Top SSL Servers [Filebeat Zeek]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "zeek.ssl.server.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "dimensions": { + "metric": { + "accessor": 0, + "aggType": "count", + "format": { + "id": "number" + }, + "params": {} + } + }, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Top SSL Servers [Filebeat Zeek]", + "type": "pie" + } + }, + "id": "e042fda0-370d-11e9-aa6d-ff445a78330c", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": 
"2019-02-26T00:07:36.653Z", + "version": "WzMyODAsNV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Number of Sessions Overtime [Filebeat Zeek]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "filebeat-*", + "interval": "auto", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "@timestamp", + "type": "timeseries" + }, + "title": "Number of Sessions Overtime [Filebeat Zeek]", + "type": "metrics" + } + }, + "id": "f8c40810-370d-11e9-aa6d-ff445a78330c", + "migrationVersion": { + "visualization": "7.0.0" + }, + "references": [], + "type": "visualization", + "updated_at": "2019-02-26T00:05:56.379Z", + "version": "WzMyNzQsNV0=" + } + ], + "version": "7.0.0-beta1" +} diff --git a/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/_meta/fields.yml new file mode 100644 index 00000000..de9ff078 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/_meta/fields.yml 
@@ -0,0 +1,29 @@
+- name: capture_loss
+ type: group
+ description: >
+ Fields exported by the Zeek capture_loss log
+ fields:
+ - name: ts_delta
+ type: integer
+ description: |
+ The time delay between this measurement and the last.
+
+ - name: peer
+ type: keyword
+ description: |
+ In the event that there are multiple Bro instances logging to the same host, this distinguishes each peer with its individual name.
+
+ - name: gaps
+ type: integer
+ description: |
+ Number of missed ACKs from the previous measurement interval.
+
+ - name: acks
+ type: integer
+ description: |
+ Total number of ACKs seen in the previous measurement interval.
+
+ - name: percent_lost
+ type: double
+ description: |
+ Percentage of ACKs seen where the data being ACKed wasn't seen.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/config/capture_loss.yml b/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/config/capture_loss.yml
new file mode 100644
index 00000000..66a028f3
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/config/capture_loss.yml
@@ -0,0 +1,25 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.capture_loss"
+
+ ignore_missing: true
+ fail_on_error: false
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/ingest/pipeline.yml
new file mode 100644
index 00000000..76e51785
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/ingest/pipeline.yml
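Review bot: `ts_delta` is mapped as `type: integer` in this fields.yml, but the fixture this same commit adds (capture_loss-json.log-expected.json) carries `"zeek.capture_loss.ts_delta": 32.282249`, so the value is fractional seconds and an integer mapping either truncates it (coerce on, the Elasticsearch default) or rejects the document. The Zeek field is an interval, so the mapping should follow `percent_lost` just below it: `type: double`. Worth a quick check that `gaps` and `acks` really are whole numbers in the log this project ships with; the fixture shows integers for both, so those two look fine.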
@@ -0,0 +1,24 @@
+description: Pipeline for normalizing Zeek capture_loss.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.capture_loss.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.capture_loss.ts
+- set:
+ field: event.kind
+ value: metric
+- set:
+ field: event.type
+ value: info
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/manifest.yml
new file mode 100644
index 00000000..5349b058
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/manifest.yml
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/capture_loss.log
+ os.linux:
+ - /var/log/bro/current/capture_loss.log
+ os.darwin:
+ - /usr/local/var/logs/current/capture_loss.log
+ - name: tags
+ default: [zeek.capture_loss]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/capture_loss.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/test/capture_loss-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/test/capture_loss-json.log-expected.json
new file mode 100644
index 00000000..14f20eb3
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/capture_loss/test/capture_loss-json.log-expected.json
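Review bot: The `paths` defaults in capture_loss/manifest.yml still point at `/var/log/bro/current/capture_loss.log`, the legacy Bro location inherited from the upstream module, and the same defaults appear in connection/manifest.yml later in this commit. Whether this project's Zeek actually writes there I can't tell from the diff; if it uses its own log directory, the fileset silently harvests nothing, because a `paths` glob that matches no file is not an error for the log input. Either set the default to the directory the installer configures for Zeek, or make sure the installer always overrides `var.paths` when it enables the module, and add a one-line comment above `default:` saying which of the two is relied on.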
@@ -0,0 +1,21 @@
+[
+ {
+ "@timestamp": "2019-09-10T16:19:28.465Z",
+ "event.dataset": "zeek.capture_loss",
+ "event.kind": "metric",
+ "event.module": "zeek",
+ "event.type": "info",
+ "fileset.name": "capture_loss",
+ "input.type": "log",
+ "log.offset": 0,
+ "service.type": "zeek",
+ "tags": [
+ "zeek.capture_loss"
+ ],
+ "zeek.capture_loss.acks": 206,
+ "zeek.capture_loss.gaps": 0,
+ "zeek.capture_loss.peer": "bro",
+ "zeek.capture_loss.percent_lost": 0,
+ "zeek.capture_loss.ts_delta": 32.282249
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/connection/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/connection/_meta/fields.yml
new file mode 100644
index 00000000..73cd048d
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/connection/_meta/fields.yml
@@ -0,0 +1,59 @@
+- name: connection
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek Connection log
+ fields:
+ - name: local_orig
+ type: boolean
+ description: >
+ Indicates whether the session is originated locally.
+
+ - name: local_resp
+ type: boolean
+ description: >
+ Indicates whether the session is responded locally.
+
+ - name: missed_bytes
+ type: long
+ description: >
+ Missed bytes for the session.
+
+ - name: state
+ type: keyword
+ description: >
+ Code indicating the state of the session.
+
+ - name: state_message
+ type: keyword
+ description: >
+ The state of the session.
+
+ - name: icmp
+ type: group
+ fields:
+ - name: type
+ type: integer
+ description: >
+ ICMP message type.
+
+ - name: code
+ type: integer
+ description: >
+ ICMP message code.
+
+ - name: history
+ type: keyword
+ description: >
+ Flags indicating the history of the session.
+
+ - name: vlan
+ type: integer
+ description: >
+ VLAN identifier.
+
+ - name: inner_vlan
+ type: integer
+ description: >
+ VLAN identifier.
+
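Review bot: In connection/_meta/fields.yml the description of `inner_vlan` is a verbatim copy of `vlan`'s (`VLAN identifier.`), so the generated field reference and Kibana field help give no way to tell the two apart. Suggest `Inner VLAN identifier, present when the frame carries nested (double) VLAN tags.` for `inner_vlan`, and `Outer VLAN identifier.` for `vlan`. While there, `state_message` reads `The state of the session.`, which is the same thing `state` says; `Human-readable description of the connection state code in zeek.connection.state.` matches what the ingest pipeline in this commit actually puts there.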
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/connection/config/connection.yml b/dynamite_nsm/confs/filebeat/module/zeek/connection/config/connection.yml
new file mode 100644
index 00000000..71169efd
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/connection/config/connection.yml
@@ -0,0 +1,105 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+processors:
+ - drop_fields:
+ fields: ["json.orig_bytes","json.resp_bytes","json.tunnel_parents"]
+ ignore_missing: true
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.connection"
+
+ - from: "zeek.connection.duration"
+ to: "temp.duration"
+
+ - from: "zeek.connection.id.orig_h"
+ to: "source.address"
+
+ - from: "zeek.connection.id.orig_p"
+ to: "source.port"
+
+ - from: "zeek.connection.id.resp_h"
+ to: "destination.address"
+
+ - from: "zeek.connection.id.resp_p"
+ to: "destination.port"
+
+ - from: "zeek.connection.proto"
+ to: "network.transport"
+
+ - from: "zeek.connection.service"
+ to: "network.protocol"
+
+ - from: "zeek.connection.uid"
+ to: "zeek.session_id"
+
+ - from: "zeek.connection.orig_ip_bytes"
+ to: "source.bytes"
+
+ - from: "zeek.connection.resp_ip_bytes"
+ to: "destination.bytes"
+
+ - from: "zeek.connection.orig_pkts"
+ to: "source.packets"
+
+ - from: "zeek.connection.resp_pkts"
+ to: "destination.packets"
+
+ - from: "zeek.connection.conn_state"
+ to: "zeek.connection.state"
+
+ - from: "zeek.connection.orig_l2_addr"
+ to: "source.mac"
+
+ - from: "zeek.connection.resp_l2_addr"
+ to: "destination.mac"
+
+ ignore_missing: true
+ fail_on_error: false
+
+ - rename:
+ when.equals.network.transport: icmp
+ fields:
+ - from: "source.port"
+ to: "zeek.connection.icmp.type"
+
+ - from: "destination.port"
+ to: "zeek.connection.icmp.code"
+
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "zeek.session_id", to: "event.id"}
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ ignore_missing: true
+ fail_on_error: false
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - network
+ - if:
+ equals.network.transport: icmp
+ then:
+ community_id:
+ fields:
+ icmp_type: zeek.connection.icmp.type
+ icmp_code: zeek.connection.icmp.code
+ else:
+ community_id:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/connection/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/connection/ingest/pipeline.yml
new file mode 100644
index 00000000..93245720
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/connection/ingest/pipeline.yml
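Review bot: The `drop_fields` processor at the top of connection.yml discards `json.tunnel_parents` before anything is renamed, so the uids of the encapsulating connections that Zeek records for tunnelled traffic never reach the index, and an analyst looking at an inner connection has no pivot back to the tunnel that carried it. For a network-monitoring deployment that context is worth keeping: drop the entry from the list, i.e. `fields: ["json.orig_bytes","json.resp_bytes"]`, and map it in connection/_meta/fields.yml as `- name: tunnel_parents` / `type: keyword` so it lands as `zeek.connection.tunnel_parents`. If dropping it is deliberate (it is unmapped in the fields.yml this commit adds, which may be the reason), a one-line comment above `drop_fields` saying so would stop the next reader from re-adding it.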
@@ -0,0 +1,191 @@ +description: Pipeline for normalizing Zeek conn.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.connection.ts + formats: + - UNIX +- remove: + field: zeek.connection.ts +- set: + field: event.id + value: '{{zeek.session_id}}' + if: ctx.zeek.session_id != null +- script: + source: ctx.event.duration = Math.round(ctx.temp.duration * params.scale) + params: + scale: 1000000000 + if: ctx.temp?.duration != null +- remove: + field: temp.duration + ignore_missing: true +- script: + source: if (ctx.zeek.connection.local_orig) ctx.tags.add("local_orig"); + if: ctx.zeek.connection.local_orig != null +- script: + source: if (ctx.zeek.connection.local_resp) ctx.tags.add("local_resp"); + if: ctx.zeek.connection.local_resp != null +- append: + field: related.ip + value: '{{source.ip}}' + if: ctx?.source?.ip != null +- append: + field: related.ip + value: '{{destination.ip}}' + if: ctx?.destination?.ip != null +- script: + source: ctx.network.packets = ctx.source.packets + ctx.destination.packets + ignore_failure: true +- script: + source: ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes + ignore_failure: true +- script: + source: |- + if (ctx?.zeek?.connection?.local_orig == null || + ctx?.zeek?.connection?.local_resp == null) { + return; + } + if (ctx.zeek.connection.local_orig == true && + ctx.zeek.connection.local_resp == true) { + ctx.network.direction = "internal"; + return; + } + if (ctx.zeek.connection.local_orig == true && + ctx.zeek.connection.local_resp == false) { + ctx.network.direction = "outbound"; + return; + } + if (ctx.zeek.connection.local_orig == false && + ctx.zeek.connection.local_resp == true) { + ctx.network.direction = "inbound"; + return; + } + if (ctx.zeek.connection.local_orig == false && + ctx.zeek.connection.local_resp == false) { + ctx.network.direction = "external"; + return; + } +- geoip: + field: 
destination.ip + target_field: destination.geo +- geoip: + field: source.ip + target_field: source.geo +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + params: + S0: + conn_str: "Connection attempt seen, no reply." + types: + - connection + - start + S1: + conn_str: "Connection established, not terminated." + types: + - connection + - start + SF: + conn_str: "Normal establishment and termination." + types: + - connection + - start + - end + REJ: + conn_str: "Connection attempt rejected." + types: + - connection + - start + - denied + S2: + conn_str: "Connection established and close attempt by originator seen (but no reply from responder)." + types: + - connection + - info + S3: + conn_str: "Connection established and close attempt by responder seen (but no reply from originator)." + types: + - connection + - info + RSTO: + conn_str: "Connection established, originator aborted (sent a RST)." + types: + - connection + - info + RSTR: + conn_str: "Responder sent a RST." + types: + - connection + - info + RSTOS0: + conn_str: "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder." + types: + - connection + - info + RSTRH: + conn_str: "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator." 
+ types: + - connection + - info + SH: + conn_str: "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)." + types: + - connection + - info + SHR: + conn_str: "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator." + types: + - connection + - info + OTH: + conn_str: "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)." + types: + - connection + - info + source: >- + if (ctx?.zeek?.connection?.state == null) { + return; + } + if (params.containsKey(ctx.zeek.connection.state)) { + ctx.zeek.connection.state_message = params[ctx.zeek.connection.state]["conn_str"]; + ctx.event.type = params[ctx.zeek.connection.state]["types"]; + } +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/dynamite_nsm/confs/filebeat/module/zeek/connection/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/connection/manifest.yml new file mode 100644 index 00000000..08f79bc2 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/connection/manifest.yml @@ -0,0 +1,19 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/conn.log + os.linux: + - /var/log/bro/current/conn.log + os.darwin: + - /usr/local/var/logs/current/conn.log + - name: tags + default: [zeek.connection] + +ingest_pipeline: ingest/pipeline.yml +input: config/connection.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/dynamite_nsm/confs/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/connection/test/connection-json.log-expected.json new file mode 100644 index 00000000..b7c0e0bc --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/connection/test/connection-json.log-expected.json 
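Review bot: The first two `geoip` processors in connection/ingest/pipeline.yml (`destination.geo` and `source.geo`) have no `ignore_missing: true`, unlike the two ASN lookups directly below them. `source.ip`/`destination.ip` are only populated by the `convert` step in connection.yml, which runs with `fail_on_error: false`, so a record whose `id.orig_h` or `id.resp_h` does not parse as an IP leaves those fields unset; the geoip processor then throws on the missing field, `on_failure` stamps `error.message`, and every later processor is skipped — including the `conn_state` → `state_message`/`event.type` mapping at the end of the pipeline, so exactly the odd-looking connections lose their state classification. Add `ignore_missing: true` to both geoip processors to match the ASN ones. The two `ctx.tags.add(...)` scripts near the top also assume `tags` is already an array on every document; that holds for events from this module's input config, but a `{{_ingest...}}`-style null check (`ctx.tags != null`) in their `if` would make the pipeline safe if it is ever reused for a different source.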
@@ -0,0 +1,222 @@ +[ + { + "@timestamp": "2019-01-11T06:33:35.857Z", + "destination.address": "192.168.86.1", + "destination.bytes": 206, + "destination.ip": "192.168.86.1", + "destination.packets": 1, + "destination.port": 53, + "event.category": [ + "network" + ], + "event.dataset": "zeek.connection", + "event.duration": 76967000, + "event.id": "CAcJw21BbVedgFnYH3", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "start", + "end" + ], + "fileset.name": "connection", + "input.type": "log", + "log.offset": 0, + "network.bytes": 309, + "network.community_id": "1:Z26DBGVYoBKQ1FT6qfPaAqBnJik=", + "network.direction": "internal", + "network.packets": 2, + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "192.168.86.167", + "192.168.86.1" + ], + "service.type": "zeek", + "source.address": "192.168.86.167", + "source.bytes": 103, + "source.ip": "192.168.86.167", + "source.packets": 1, + "source.port": 38339, + "tags": [ + "zeek.connection", + "local_orig", + "local_resp" + ], + "zeek.connection.history": "Dd", + "zeek.connection.local_orig": true, + "zeek.connection.local_resp": true, + "zeek.connection.missed_bytes": 0, + "zeek.connection.state": "SF", + "zeek.connection.state_message": "Normal establishment and termination.", + "zeek.session_id": "CAcJw21BbVedgFnYH3" + }, + { + "@timestamp": "2019-01-11T06:33:36.857Z", + "destination.address": "8.8.8.8", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 206, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "event.category": [ + "network" + ], + "event.dataset": "zeek.connection", + "event.duration": 76967000, + "event.id": 
"CAcJw21BbVedgFnYH4", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "start", + "end" + ], + "fileset.name": "connection", + "input.type": "log", + "log.offset": 398, + "network.bytes": 309, + "network.community_id": "1:77KJyeznYjdDxCSKdZhW89aAaBI=", + "network.direction": "outbound", + "network.packets": 2, + "network.protocol": "dns", + "network.transport": "udp", + "related.ip": [ + "192.168.86.167", + "8.8.8.8" + ], + "service.type": "zeek", + "source.address": "192.168.86.167", + "source.bytes": 103, + "source.ip": "192.168.86.167", + "source.packets": 1, + "source.port": 38340, + "tags": [ + "zeek.connection", + "local_orig" + ], + "zeek.connection.history": "Dd", + "zeek.connection.local_orig": true, + "zeek.connection.local_resp": false, + "zeek.connection.missed_bytes": 0, + "zeek.connection.state": "SF", + "zeek.connection.state_message": "Normal establishment and termination.", + "zeek.session_id": "CAcJw21BbVedgFnYH4" + }, + { + "@timestamp": "2019-01-11T06:33:37.857Z", + "destination.address": "8.8.8.8", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.bytes": 206, + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "8.8.8.8", + "destination.packets": 1, + "destination.port": 53, + "event.category": [ + "network" + ], + "event.dataset": "zeek.connection", + "event.duration": 76967000, + "event.id": "CAcJw21BbVedgFnYH5", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "start", + "end" + ], + "fileset.name": "connection", + "input.type": "log", + "log.offset": 792, + "network.bytes": 309, + "network.community_id": "1:9xAq+MIBct9Is73ErTrU/RZ+Nq0=", + "network.direction": "external", + "network.packets": 2, + "network.protocol": 
"dns", + "network.transport": "udp", + "related.ip": [ + "4.4.2.2", + "8.8.8.8" + ], + "service.type": "zeek", + "source.address": "4.4.2.2", + "source.as.number": 3356, + "source.as.organization.name": "Level 3 Parent, LLC", + "source.bytes": 103, + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "4.4.2.2", + "source.packets": 1, + "source.port": 383341, + "tags": [ + "zeek.connection" + ], + "zeek.connection.history": "Dd", + "zeek.connection.local_orig": false, + "zeek.connection.local_resp": false, + "zeek.connection.missed_bytes": 0, + "zeek.connection.state": "SF", + "zeek.connection.state_message": "Normal establishment and termination.", + "zeek.session_id": "CAcJw21BbVedgFnYH5" + }, + { + "@timestamp": "2019-03-01T00:10:00.578Z", + "destination.address": "198.51.100.249", + "destination.bytes": 0, + "destination.ip": "198.51.100.249", + "destination.packets": 0, + "event.category": [ + "network" + ], + "event.dataset": "zeek.connection", + "event.id": "Cc6NJ3GRlfjE44I3h", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "info" + ], + "fileset.name": "connection", + "input.type": "log", + "log.offset": 1181, + "network.bytes": 107, + "network.community_id": "1:gzTID87+KHoT4RFDSqb5aInTPeg=", + "network.direction": "external", + "network.packets": 1, + "network.transport": "icmp", + "related.ip": [ + "192.0.2.205", + "198.51.100.249" + ], + "service.type": "zeek", + "source.address": "192.0.2.205", + "source.bytes": 107, + "source.ip": "192.0.2.205", + "source.packets": 1, + "tags": [ + "zeek.connection" + ], + "zeek.connection.icmp.code": 3, + "zeek.connection.icmp.type": 3, + "zeek.connection.local_orig": false, + "zeek.connection.local_resp": false, + "zeek.connection.missed_bytes": 0, + "zeek.connection.state": "OTH", + 
"zeek.connection.state_message": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed).", + "zeek.session_id": "Cc6NJ3GRlfjE44I3h" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/_meta/fields.yml new file mode 100644 index 00000000..77316f81 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/_meta/fields.yml @@ -0,0 +1,25 @@ +- name: dce_rpc + type: group + default_field: false + description: > + Fields exported by the Zeek DCE_RPC log + fields: + - name: rtt + type: integer + description: | + Round trip time from the request to the response. If either the request or response wasn't seen, this will be null. + + - name: named_pipe + type: keyword + description: | + Remote pipe name. + + - name: endpoint + type: keyword + description: | + Endpoint name looked up from the uuid. + + - name: operation + type: keyword + description: | + Operation seen in the call. diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml b/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml new file mode 100644 index 00000000..b1416556 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml 
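Review bot: `rtt` under `- name: dce_rpc` is declared `type: integer`, but the dce_rpc fixture in this same commit carries a fractional value (`"zeek.dce_rpc.rtt": 0.09211`), so a mapping generated from this file would truncate or reject the round-trip time depending on coercion settings. The dhcp `duration` field in this commit is declared `type: double` for the same kind of seconds value; changing `type: integer` to `type: double` under `- name: rtt` keeps the two consistent and preserves the sub-second precision Zeek emits.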
@@ -0,0 +1,61 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true +fields: + network.transport: tcp + network.protocol: dce_rpc + +processors: + - rename: + fields: + - from: "json" + to: "zeek.dce_rpc" + + - from: "zeek.dce_rpc.id.orig_h" + to: "source.address" + + - from: "zeek.dce_rpc.id.orig_p" + to: "source.port" + + - from: "zeek.dce_rpc.id.resp_h" + to: "destination.address" + + - from: "zeek.dce_rpc.id.resp_p" + to: "destination.port" + + - from: "zeek.dce_rpc.uid" + to: "zeek.session_id" + + ignore_missing: true + fail_on_error: false + - convert: + fields: + - {from: "zeek.session_id", to: "event.id"} + - {from: "source.address", to: "source.ip", type: "ip"} + - {from: "destination.address", to: "destination.ip", type: "ip"} + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + category: + - network + type: + - connection + - protocol + - info + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml new file mode 100644 index 00000000..f0a83770 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml 
@@ -0,0 +1,68 @@ +description: Pipeline for normalizing Zeek dce_rpc.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.dce_rpc.ts + formats: + - UNIX +- remove: + field: zeek.dce_rpc.ts +- append: + field: related.ip + value: '{{source.ip}}' + if: ctx?.source?.ip != null +- geoip: + field: source.ip + target_field: source.geo +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- append: + field: related.ip + value: '{{destination.ip}}' + if: ctx?.destination?.ip != null +- geoip: + field: destination.ip + target_field: destination.geo +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- set: + field: event.action + value: '{{zeek.dce_rpc.operation}}' + if: "ctx?.zeek?.dce_rpc?.operation != null" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/manifest.yml new file mode 100644 index 00000000..01bef572 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/manifest.yml 
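Review bot: The two plain `geoip` processors on `source.ip` and `destination.ip` carry no `ignore_missing: true`, while the ASN `geoip` and every `rename` right after them do. The dce_rpc input config converts addresses with `fail_on_error: false`, so a document can reach this pipeline without one of those fields; the geoip processor then fails on the missing field, `on_failure` writes `error.message`, and the remaining processors — including the `event.action` set at the end — never run for that event. Adding `ignore_missing: true` to both geoip processors makes the failure path reserved for real errors. The dnp3 pipeline (`@@ -0,0 +1,75 @@`) and the connection pipeline earlier in this commit have the same omission.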
@@ -0,0 +1,15 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/dce_rpc.log + os.linux: + - /var/log/bro/current/dce_rpc.log + os.darwin: + - /usr/local/var/logs/current/dce_rpc.log + - name: tags + default: [zeek.dce_rpc] + +ingest_pipeline: ingest/pipeline.yml +input: config/dce_rpc.yml diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/test/dce_rpc-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/test/dce_rpc-json.log-expected.json new file mode 100644 index 00000000..6128801c --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dce_rpc/test/dce_rpc-json.log-expected.json @@ -0,0 +1,43 @@ +[ + { + "@timestamp": "2013-02-26T22:05:32.298Z", + "destination.address": "172.16.128.202", + "destination.ip": "172.16.128.202", + "destination.port": 445, + "event.action": "BrowserrQueryOtherDomains", + "event.category": [ + "network" + ], + "event.dataset": "zeek.dce_rpc", + "event.id": "CsNHVHa1lzFtvJzT8", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "protocol", + "info" + ], + "fileset.name": "dce_rpc", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:SJNAD5vtzZuhQjGtfaI8svTnyuw=", + "network.protocol": "dce_rpc", + "network.transport": "tcp", + "related.ip": [ + "172.16.133.6", + "172.16.128.202" + ], + "service.type": "zeek", + "source.address": "172.16.133.6", + "source.ip": "172.16.133.6", + "source.port": 1728, + "tags": [ + "zeek.dce_rpc" + ], + "zeek.dce_rpc.endpoint": "browser", + "zeek.dce_rpc.named_pipe": "\\PIPE\\browser", + "zeek.dce_rpc.operation": "BrowserrQueryOtherDomains", + "zeek.dce_rpc.rtt": 0.09211, + "zeek.session_id": "CsNHVHa1lzFtvJzT8" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dhcp/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/dhcp/_meta/fields.yml new file mode 100644 index 00000000..d90e6088 --- /dev/null 
+++ b/dynamite_nsm/confs/filebeat/module/zeek/dhcp/_meta/fields.yml 
@@ -0,0 +1,133 @@ +- name: dhcp + type: group + default_field: false + description: > + Fields exported by the Zeek DHCP log + fields: + - name: domain + type: keyword + description: > + Domain given by the server in option 15. + + - name: duration + type: double + description: | + Duration of the DHCP session representing the time from the first + message to the last, in seconds. + + - name: hostname + type: keyword + description: > + Name given by client in Hostname option 12. + + - name: client_fqdn + type: keyword + description: > + FQDN given by client in Client FQDN option 81. + + - name: lease_time + type: integer + description: > + IP address lease interval in seconds. + + - name: address + type: group + description: > + Addresses seen in this DHCP exchange. + fields: + - name: assigned + type: ip + description: > + IP address assigned by the server. + + - name: client + type: ip + description: | + IP address of the client. If a transaction is only a client sending + INFORM messages then there is no lease information exchanged so this + is helpful to know who sent the messages. Getting an address in this + field does require that the client sources at least one DHCP message + using a non-broadcast address. + + - name: mac + type: keyword + description: > + Client's hardware address. + + - name: requested + type: ip + description: > + IP address requested by the client. + + - name: server + type: ip + description: > + IP address of the DHCP server. + + - name: msg + type: group + fields: + - name: types + type: keyword + description: > + List of DHCP message types seen in this exchange. + + - name: origin + type: ip + description: | + (present if policy/protocols/dhcp/msg-orig.bro is loaded) + The address that originated each message from the msg.types field. + + - name: client + type: keyword + description: | + Message typically accompanied with a DHCP_DECLINE so the client can + tell the server why it rejected an address. 
+ + - name: server + type: keyword + description: | + Message typically accompanied with a DHCP_NAK to let the client know + why it rejected the request. + + - name: software + type: group + fields: + - name: client + type: keyword + description: | + (present if policy/protocols/dhcp/software.bro is loaded) + Software reported by the client in the vendor_class option. + + - name: server + type: keyword + description: | + (present if policy/protocols/dhcp/software.bro is loaded) + Software reported by the client in the vendor_class option. + + - name: id + type: group + fields: + - name: circuit + type: keyword + description: | + (present if policy/protocols/dhcp/sub-opts.bro is loaded) + Added by DHCP relay agents which terminate switched or permanent + circuits. It encodes an agent-local identifier of the circuit from + which a DHCP client-to-server packet was received. Typically it + should represent a router or switch interface number. + + - name: remote_agent + type: keyword + description: | + (present if policy/protocols/dhcp/sub-opts.bro is loaded) + A globally unique identifier added by relay agents to identify the + remote host end of the circuit. + + - name: subscriber + type: keyword + description: | + (present if policy/protocols/dhcp/sub-opts.bro is loaded) + The subscriber ID is a value independent of the physical network + configuration so that a customer's DHCP configuration can be given + to them correctly no matter where they are physically connected. diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dhcp/config/dhcp.yml b/dynamite_nsm/confs/filebeat/module/zeek/dhcp/config/dhcp.yml new file mode 100644 index 00000000..b59227d3 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dhcp/config/dhcp.yml 
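Review bot: The `software.server` description is a copy of the client one — "Software reported by the client in the vendor_class option." — which is misleading for anyone reading the mapping or a generated field reference. For the server entry it should read `Software reported by the server in the vendor_class option.`; the `(present if policy/protocols/dhcp/software.bro is loaded)` line above it is fine as is.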
@@ -0,0 +1,123 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true +fields: + network.transport: udp + network.protocol: dhcp + +processors: + - rename: + fields: + - from: "json" + to: "zeek.dhcp" + + - from: "zeek.dhcp.uids" + to: "zeek.session_id" + + - from: "zeek.dhcp.assigned_addr" + to: "zeek.dhcp.address.assigned" + + - from: "zeek.dhcp.client_addr" + to: "zeek.dhcp.address.client" + + - from: "zeek.dhcp.mac" + to: "zeek.dhcp.address.mac" + + - from: "zeek.dhcp.requested_addr" + to: "zeek.dhcp.address.requested" + + - from: "zeek.dhcp.server_addr" + to: "zeek.dhcp.address.server" + + - from: "zeek.dhcp.host_name" + to: "zeek.dhcp.hostname" + + - from: "zeek.dhcp.client_message" + to: "zeek.dhcp.msg.client" + + - from: "zeek.dhcp.server_message" + to: "zeek.dhcp.msg.server" + + - from: "zeek.dhcp.msg_types" + to: "zeek.dhcp.msg.types" + + - from: "zeek.dhcp.msg_orig" + to: "zeek.dhcp.msg.origin" + + - from: "zeek.dhcp.client_software" + to: "zeek.dhcp.software.client" + + - from: "zeek.dhcp.server_software" + to: "zeek.dhcp.software.server" + + - from: "zeek.dhcp.circuit_id" + to: "zeek.dhcp.id.circuit" + + - from: "zeek.dhcp.agent_remote_id" + to: "zeek.dhcp.id.remote_agent" + + - from: "zeek.dhcp.subscriber_id" + to: "zeek.dhcp.id.subscriber" + + - from: "zeek.dhcp.client_port" + to: "source.port" + + - from: "zeek.dhcp.server_port" + to: "destination.port" + + ignore_missing: true + fail_on_error: false + + - if: + not: + has_fields: ["source.port"] + then: + - add_fields: + target: source + fields: + port: 68 + + - if: + not: + has_fields: ["destination.port"] + then: + - add_fields: + target: destination + fields: + port: 67 + + - convert: + fields: + - {from: "zeek.dhcp.address.client", to: "source.address"} + - {from: "zeek.dhcp.address.client", to: 
"source.ip", type: "ip"} + - {from: "zeek.dhcp.address.client", to: "client.address"} + - {from: "zeek.dhcp.address.server", to: "destination.address"} + - {from: "zeek.dhcp.address.server", to: "destination.ip", type: "ip"} + - {from: "zeek.dhcp.address.server", to: "server.address"} + - {from: "zeek.dhcp.domain", to: "network.name"} + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + category: + - network + type: + - connection + - protocol + - info + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dhcp/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/dhcp/ingest/pipeline.yml new file mode 100644 index 00000000..49216c07 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dhcp/ingest/pipeline.yml @@ -0,0 +1,30 @@ +description: Pipeline for normalizing Zeek dhcp.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.dhcp.ts + formats: + - UNIX +- remove: + field: zeek.dhcp.ts +- set: + field: event.id + value: '{{zeek.session_id}}' + if: ctx.zeek.session_id != null +- append: + field: related.ip + value: '{{source.ip}}' + if: 'ctx?.source?.ip != null' +- append: + field: related.ip + value: '{{destination.ip}}' + if: 'ctx?.destination?.ip != null' +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dhcp/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/dhcp/manifest.yml new file mode 100644 index 00000000..ee4a7c24 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dhcp/manifest.yml 
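Review bot: `event.id` is set from the template `'{{zeek.session_id}}'`, but the dhcp input config renames the `uids` array to `zeek.session_id`, so the template stringifies a list; the dhcp fixture shows the result, `"event.id": "{0=CmWOt6VWaNGqXYcH6, 1=CLObLo4YHn0u23Tp8a}"`, which is neither a Zeek uid nor comparable with the `event.id` the other datasets produce, so pivoting between a DHCP exchange and its connection records by id will not work. Either keep the array form with `copy_from: zeek.session_id` on the `set` processor (where the target Elasticsearch version supports it) or join the list in a `script` processor. The condition `if: ctx.zeek.session_id != null` also drops the null-safe access used by the `append` conditions in the same file; `if: ctx?.zeek?.session_id != null` would be consistent.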
@@ -0,0 +1,15 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/dhcp.log + os.linux: + - /var/log/bro/current/dhcp.log + os.darwin: + - /usr/local/var/logs/current/dhcp.log + - name: tags + default: [zeek.dhcp] + +ingest_pipeline: ingest/pipeline.yml +input: config/dhcp.yml diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dhcp/test/dhcp-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/dhcp/test/dhcp-json.log-expected.json new file mode 100644 index 00000000..ec36a36c --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dhcp/test/dhcp-json.log-expected.json 
@@ -0,0 +1,58 @@ +[ + { + "@timestamp": "2016-10-16T08:11:38.771Z", + "client.address": "192.168.199.132", + "destination.address": "192.168.199.254", + "destination.ip": "192.168.199.254", + "destination.port": 67, + "event.category": [ + "network" + ], + "event.dataset": "zeek.dhcp", + "event.id": "{0=CmWOt6VWaNGqXYcH6, 1=CLObLo4YHn0u23Tp8a}", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "protocol", + "info" + ], + "fileset.name": "dhcp", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:HsGjbon+HsK9xnMq+1A32BR9C4Y=", + "network.name": "localdomain", + "network.protocol": "dhcp", + "network.transport": "udp", + "related.ip": [ + "192.168.199.132", + "192.168.199.254" + ], + "server.address": "192.168.199.254", + "service.type": "zeek", + "source.address": "192.168.199.132", + "source.ip": "192.168.199.132", + "source.port": 68, + "tags": [ + "zeek.dhcp" + ], + "zeek.dhcp.address.assigned": "192.168.199.132", + "zeek.dhcp.address.client": "192.168.199.132", + "zeek.dhcp.address.mac": "00:0c:29:03:df:ad", + "zeek.dhcp.address.requested": "192.168.199.132", + "zeek.dhcp.address.server": "192.168.199.254", + "zeek.dhcp.client_fqdn": "DESKTOP-2AEFM7G", + "zeek.dhcp.domain": "localdomain", + "zeek.dhcp.duration": 0.000161, + "zeek.dhcp.hostname": "DESKTOP-2AEFM7G", + "zeek.dhcp.lease_time": 1800, + "zeek.dhcp.msg.types": [ + "REQUEST", + "ACK" + ], + "zeek.session_id": [ + "CmWOt6VWaNGqXYcH6", + "CLObLo4YHn0u23Tp8a" + ] + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dnp3/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/dnp3/_meta/fields.yml new file mode 100644 index 00000000..da516765 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dnp3/_meta/fields.yml 
@@ -0,0 +1,24 @@ +- name: dnp3 + type: group + default_field: false + description: > + Fields exported by the Zeek DNP3 log + fields: + - name: function + type: group + fields: + - name: request + type: keyword + description: | + The name of the function message in the request. + + - name: reply + type: keyword + description: | + The name of the function message in the reply. + + - name: id + type: integer + description: | + The response's internal indication number. + diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dnp3/config/dnp3.yml b/dynamite_nsm/confs/filebeat/module/zeek/dnp3/config/dnp3.yml new file mode 100644 index 00000000..6cd83108 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dnp3/config/dnp3.yml 
@@ -0,0 +1,71 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true +fields: + network.transport: tcp + network.protocol: dnp3 + +processors: + - rename: + fields: + - from: "json" + to: "zeek.dnp3" + + - from: "zeek.dnp3.id.orig_h" + to: "source.address" + + - from: "zeek.dnp3.id.orig_p" + to: "source.port" + + - from: "zeek.dnp3.id.resp_h" + to: "destination.address" + + - from: "zeek.dnp3.id.resp_p" + to: "destination.port" + + - from: "zeek.dnp3.uid" + to: "event.id" + + - from: "zeek.dnp3.fc_request" + to: "zeek.dnp3.function.request" + + - from: "zeek.dnp3.fc_reply" + to: "zeek.dnp3.function.reply" + + - from: "zeek.dnp3.iin" + to: "zeek.dnp3.id" + + ignore_missing: true + fail_on_error: false + + - convert: + fields: + - {from: "zeek.session_id", to: "event.id"} + - {from: "source.address", to: "source.ip", type: "ip"} + - {from: "destination.address", to: "destination.ip", type: "ip"} + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + category: + - network + type: + - connection + - protocol + - info + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dnp3/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/dnp3/ingest/pipeline.yml new file mode 100644 index 00000000..e104312e --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dnp3/ingest/pipeline.yml 
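Review bot: `zeek.dnp3.uid` is renamed directly to `event.id` rather than to `zeek.session_id` as the dce_rpc and dhcp configs in this commit do, so the following `convert` from `zeek.session_id` to `event.id` never has a source field and `zeek.session_id` is absent from the dnp3 fixture. Changing the rename target to `to: "zeek.session_id"` gives the existing convert step something to copy and keeps the session id available for correlating dnp3 records with the connection dataset.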
@@ -0,0 +1,75 @@ +description: Pipeline for normalizing Zeek dnp3.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.dnp3.ts + formats: + - UNIX +- remove: + field: zeek.dnp3.ts +- set: + field: event.action + value: '{{zeek.dnp3.function.request}}' + if: "ctx?.zeek?.dnp3?.function?.request != null" +- set: + field: event.action + value: '{{zeek.dnp3.function.reply}}' + if: "ctx?.zeek?.dnp3?.function?.reply != null" +- lowercase: + field: event.action + ignore_missing: true +- geoip: + field: destination.ip + target_field: destination.geo +- geoip: + field: source.ip + target_field: source.geo +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- append: + field: related.ip + value: '{{source.ip}}' + if: ctx?.source?.ip != null +- append: + field: related.ip + value: '{{destination.ip}}' + if: ctx?.destination?.ip != null +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dnp3/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/dnp3/manifest.yml new file mode 100644 index 00000000..97829b3d --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dnp3/manifest.yml 
@@ -0,0 +1,15 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/dnp3.log + os.linux: + - /var/log/bro/current/dnp3.log + os.darwin: + - /usr/local/var/logs/current/dnp3.log + - name: tags + default: [zeek.dnp3] + +ingest_pipeline: ingest/pipeline.yml +input: config/dnp3.yml diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json new file mode 100644 index 00000000..c9397cc7 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json @@ -0,0 +1,39 @@ +[ + { + "@timestamp": "2008-11-26T20:05:08.705Z", + "destination.address": "127.0.0.1", + "destination.ip": "127.0.0.1", + "destination.port": 20000, + "event.action": "read", + "event.category": [ + "network" + ], + "event.dataset": "zeek.dnp3", + "event.id": "CQV6tj1w1t4WzQpHoe", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "protocol", + "info" + ], + "fileset.name": "dnp3", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:E57Z1w3RrSdR+fi6rSZblbQVhzY=", + "network.protocol": "dnp3", + "network.transport": "tcp", + "related.ip": [ + "127.0.0.1", + "127.0.0.1" + ], + "service.type": "zeek", + "source.address": "127.0.0.1", + "source.ip": "127.0.0.1", + "source.port": 42942, + "tags": [ + "zeek.dnp3" + ], + "zeek.dnp3.function.request": "READ" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dns/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/dns/_meta/fields.yml new file mode 100644 index 00000000..d3acfdd2 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dns/_meta/fields.yml 
@@ -0,0 +1,107 @@ +- name: dns + type: group + description: > + Fields exported by the Zeek DNS log + fields: + - name: trans_id + type: keyword + description: > + DNS transaction identifier. + + - name: rtt + type: double + description: > + Round trip time for the query and response. + + - name: query + type: keyword + description: > + The domain name that is the subject of the DNS query. + + - name: qclass + type: long + description: > + The QCLASS value specifying the class of the query. + + - name: qclass_name + type: keyword + description: > + A descriptive name for the class of the query. + + - name: qtype + type: long + description: > + A QTYPE value specifying the type of the query. + + - name: qtype_name + type: keyword + description: > + A descriptive name for the type of the query. + + - name: rcode + type: long + description: > + The response code value in DNS response messages. + + - name: rcode_name + type: keyword + description: > + A descriptive name for the response code value. + + - name: AA + type: boolean + description: | + The Authoritative Answer bit for response messages specifies that the responding + name server is an authority for the domain name in the question section. + + - name: TC + type: boolean + description: > + The Truncation bit specifies that the message was truncated. + + - name: RD + type: boolean + description: | + The Recursion Desired bit in a request message indicates that the client + wants recursive service for this query. + + - name: RA + type: boolean + description: | + The Recursion Available bit in a response message indicates that the name + server supports recursive queries. + + - name: answers + type: keyword + description: > + The set of resource descriptions in the query answer. + + - name: TTLs + type: double + description: > + The caching intervals of the associated RRs described by the answers field. 
+ + - name: rejected + type: boolean + description: > + Indicates whether the DNS query was rejected by the server. + + - name: total_answers + type: integer + description: > + The total number of resource records in the reply. + + - name: total_replies + type: integer + description: > + The total number of resource records in the reply message. + + - name: saw_query + type: boolean + description: > + Whether the full DNS query has been seen. + + - name: saw_reply + type: boolean + description: > + Whether the full DNS reply has been seen. diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dns/config/dns.yml b/dynamite_nsm/confs/filebeat/module/zeek/dns/config/dns.yml new file mode 100644 index 00000000..73130461 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/dns/config/dns.yml 
@@ -0,0 +1,213 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - rename:
+ fields:
+ - {from: message, to: event.original}
+ - decode_json_fields:
+ fields: [event.original]
+ target: zeek.dns
+ - registered_domain:
+ ignore_missing: true
+ ignore_failure: true
+ field: zeek.dns.query
+ target_field: dns.question.registered_domain
+ target_subdomain_field: dns.question.subdomain
+ target_etld_field: dns.question.top_level_domain
+ - script:
+ lang: javascript
+ id: zeek_dns_flags
+ source: >
+ var net = require("net");
+
+ function addDnsHeaderFlags(evt) {
+ var flag = evt.Get("zeek.dns.AA");
+ if (flag === true) {
+ evt.AppendTo("dns.header_flags", "AA");
+ }
+ flag = evt.Get("zeek.dns.TC");
+ if (flag === true) {
+ evt.AppendTo("dns.header_flags", "TC");
+ }
+ flag = evt.Get("zeek.dns.RD");
+ if (flag === true) {
+ evt.AppendTo("dns.header_flags", "RD");
+ }
+ flag = evt.Get("zeek.dns.RA");
+ if (flag === true) {
+ evt.AppendTo("dns.header_flags", "RA");
+ }
+ }
+
+ function addDnsQuestionClass(evt) {
+ var qclass = evt.Get("zeek.dns.qclass");
+ if (!qclass) {
+ return;
+ }
+ switch (qclass) {
+ case 1:
+ qclass = "IN";
+ break;
+ case 3:
+ qclass = "CH";
+ break;
+ case 4:
+ qclass = "HS";
+ break;
+ case 254:
+ qclass = "NONE";
+ break;
+ case 255:
+ qclass = "ANY";
+ break;
+ }
+ evt.Put("dns.question.class", qclass);
+ }
+
+ function addDnsAnswers(evt) {
+ var answers = evt.Get("zeek.dns.answers");
+ var ttls = evt.Get("zeek.dns.TTLs");
+ if (!answers || !ttls || answers.length != ttls.length) {
+ return;
+ }
+
+ var resolvedIps = [];
+ var answersObjs = [];
+ for (var i = 0; i < answers.length; i++) {
+ var answer = answers[i];
+ answersObjs.push({
+ data: answer,
+ ttl: ttls[i],
+ })
+ if (net.isIP(answer)) {
+ resolvedIps.push(answer);
+ }
+ }
+ evt.Put("dns.answers", answersObjs);
+ if
(resolvedIps.length > 0) {
+ evt.Put("dns.resolved_ip", resolvedIps);
+ }
+ }
+
+ function setDnsType(evt) {
+ var response_code = evt.Get("zeek.dns.rcode_name");
+ if (response_code) {
+ evt.Put("dns.type", "answer");
+ } else {
+ evt.Put("dns.type", "query");
+ }
+ }
+
+ function addEventDuration(evt) {
+ var rttSec = evt.Get("zeek.dns.rtt");
+ if (!rttSec) {
+ return;
+ }
+ evt.Put("event.duration", rttSec * 1000000000);
+ }
+
+ function addTopLevelDomain(evt) {
+ var rd = evt.Get("dns.question.registered_domain");
+ if (!rd) {
+ return;
+ }
+ var firstPeriod = rd.indexOf(".");
+ if (firstPeriod == -1) {
+ return;
+ }
+ evt.Put("dns.question.top_level_domain", rd.substr(firstPeriod + 1));
+ }
+
+ function addEventOutcome(evt) {
+ var rcode = evt.Get("zeek.dns.rcode");
+ if (rcode == null) {
+ return;
+ }
+ if (rcode == 0) {
+ evt.Put("event.outcome", "success");
+ } else {
+ evt.Put("event.outcome", "failure");
+ }
+ }
+
+ function addRelatedIP(evt) {
+ var related = [];
+ var src = evt.Get("zeek.dns.id.orig_h");
+ if (src != null) {
+ related.push(src);
+ }
+ var dst = evt.Get("zeek.dns.id.resp_h");
+ if (dst != null) {
+ related.push(dst);
+ }
+ if (related.length > 0) {
+ evt.Put("related.ip", related);
+ }
+ }
+
+ function process(evt) {
+ addDnsHeaderFlags(evt);
+ addDnsQuestionClass(evt);
+ addDnsAnswers(evt);
+ setDnsType(evt);
+ addEventDuration(evt);
+ addTopLevelDomain(evt);
+ addEventOutcome(evt);
+ addRelatedIP(evt);
+ }
+ - convert:
+ ignore_missing: true
+ fail_on_error: false
+ mode: rename
+ fields:
+ - {from: zeek.dns.id.orig_h, to: source.address}
+ - {from: zeek.dns.id.orig_p, to: source.port, type: long}
+ - {from: zeek.dns.id.resp_h, to: destination.address}
+ - {from: zeek.dns.id.resp_p, to: destination.port, type: long}
+ - {from: zeek.dns.uid, to: zeek.session_id}
+ - {from: zeek.dns.proto, to: network.transport}
+ - convert:
+ ignore_missing: true
+ fail_on_error: false
+ mode: copy
+ fields:
+ - {from: source.address, to: source.ip,
type: ip}
+ - {from: destination.address, to: destination.ip, type: ip}
+ - {from: zeek.session_id, to: event.id}
+ - {from: zeek.dns.trans_id, to: dns.id, type: string}
+ - {from: zeek.dns.query, to: dns.question.name}
+ - {from: zeek.dns.qtype_name, to: dns.question.type}
+ - {from: zeek.dns.rcode_name, to: dns.response_code}
+ - convert:
+ ignore_missing: true
+ fail_on_error: false
+ fields:
+ - {from: zeek.dns.trans_id, type: string}
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - info
+ - protocol
+ - community_id:
+ - drop_fields:
+ ignore_missing: true
+ fields:
+ - zeek.dns.Z
+ - zeek.dns.auth
+ - zeek.dns.addl
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dns/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/dns/ingest/pipeline.yml
new file mode 100644
index 00000000..6d9ed369
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/dns/ingest/pipeline.yml
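Review bot: `addDnsAnswers` returns early when `answers.length != ttls.length`, so for such a record neither `dns.answers` nor `dns.resolved_ip` is written and any detection keyed on resolved IPs misses the event with nothing in the document to show that data was dropped. A length mismatch should not come from a healthy Zeek, but a silent drop is the wrong failure mode on a sensor; I would still collect `dns.resolved_ip` from `answers` and only omit the per-answer `ttl` when `TTLs` is missing or mis-sized. Separately, `addTopLevelDomain` overwrites `dns.question.top_level_domain`, which the `registered_domain` processor already fills via `target_etld_field`; one of the two should go, otherwise the two sources can disagree on multi-label suffixes. The `drop_fields` of `zeek.dns.Z`/`auth`/`addl` deserves a one-line comment saying why those are discarded (`# Z is reserved and auth/addl are not logged by default Zeek policy` — confirm).
```javascript
function addDnsAnswers(evt) {
    var answers = evt.Get("zeek.dns.answers");
    if (!answers) {
        return;
    }
    var ttls = evt.Get("zeek.dns.TTLs");
    // Only trust TTLs when they line up one-to-one with answers.
    var haveTtls = ttls && ttls.length == answers.length;

    var resolvedIps = [];
    var answersObjs = [];
    for (var i = 0; i < answers.length; i++) {
        var answer = answers[i];
        var obj = {data: answer};
        if (haveTtls) {
            obj.ttl = ttls[i];
        }
        answersObjs.push(obj);
        if (net.isIP(answer)) {
            resolvedIps.push(answer);
        }
    }
    // … unchanged: Put dns.answers and dns.resolved_ip …
}
```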
@@ -0,0 +1,65 @@
+---
+description: Pipeline for Filebeat Zeek dns.log
+
+processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: event.created
+ value: '{{@timestamp}}'
+ - date:
+ field: zeek.dns.ts
+ formats:
+ - UNIX
+ - remove:
+ field: zeek.dns.ts
+
+ # IP Geolocation Lookup
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dns/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/dns/manifest.yml
new file mode 100644
index 00000000..4ff46df9
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/dns/manifest.yml
@@ -0,0 +1,19 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/dns.log
+ os.linux:
+ - /var/log/bro/current/dns.log
+ os.darwin:
+ - /usr/local/var/logs/current/dns.log
+ - name: tags
+ default: [zeek.dns]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/dns.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
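Review bot: The `on_failure` handler records only `error.message`, so a document whose `date` step failed (no `zeek.dns.ts`, or a non-numeric one) is indexed with the Filebeat read time as `@timestamp` and is indistinguishable from a good event unless someone queries `error.message:*`. Since the same handler is repeated in the dpd and files pipelines of this commit, it is worth getting right here: alongside the `set`, add `- append: {field: tags, value: zeek.dns.pipeline_error}` (or the ECS-style `event.kind: pipeline_error`) so parse failures show up in the module dashboards and can be alerted on. The `date` processor could also carry a comment, `# Zeek ts is a float epoch in seconds; UNIX keeps millisecond precision`, so nobody is surprised by the truncated microseconds.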
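Review bot: The default `paths` still point at the legacy Bro location `/var/log/bro/current/dns.log`, and Filebeat does not report a glob that matches nothing, so if Dynamite's Zeek writes its logs elsewhere (I cannot tell from this change) the module silently ingests no DNS records. If the installer always overrides `var.paths`, say so here with a comment, e.g. `# placeholder; dynamite overrides var.paths at install time`; otherwise the default should match the actual Zeek log directory Dynamite manages. The same default appears in the dpd and files manifests of this commit.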
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dns/test/dns-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/dns/test/dns-json.log-expected.json
new file mode 100644
index 00000000..5be6888c
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/dns/test/dns-json.log-expected.json
@@ -0,0 +1,215 @@ +[ + { + "@timestamp": "2019-01-11T06:33:35.857Z", + "destination.address": "192.168.86.1", + "destination.ip": "192.168.86.1", + "destination.port": 53, + "dns.answers": [ + { + "data": "proxy-production-us-west1.gcp.cloud.es.io", + "ttl": 119 + }, + { + "data": "proxy-production-us-west1-v1-009.gcp.cloud.es.io", + "ttl": 119 + }, + { + "data": "35.199.178.4", + "ttl": 59 + } + ], + "dns.header_flags": [ + "RD", + "RA" + ], + "dns.id": "15209", + "dns.question.class": "IN", + "dns.question.name": "dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io", + "dns.question.registered_domain": "es.io", + "dns.question.subdomain": "dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud", + "dns.question.top_level_domain": "io", + "dns.question.type": "A", + "dns.resolved_ip": [ + "35.199.178.4" + ], + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "zeek.dns", + "event.duration": 76967000, + "event.id": "CAcJw21BbVedgFnYH3", + "event.kind": "event", + "event.module": "zeek", + "event.original": "{\"ts\":1547188415.857497,\"uid\":\"CAcJw21BbVedgFnYH3\",\"id.orig_h\":\"192.168.86.167\",\"id.orig_p\":38339,\"id.resp_h\":\"192.168.86.1\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":15209,\"rtt\":0.076967,\"query\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":1,\"qtype_name\":\"A\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":true,\"Z\":0,\"answers\":[\"proxy-production-us-west1.gcp.cloud.es.io\",\"proxy-production-us-west1-v1-009.gcp.cloud.es.io\",\"35.199.178.4\"],\"TTLs\":[119.0,119.0,59.0],\"rejected\":false}", + "event.outcome": "success", + "event.type": [ + "connection", + "info", + "protocol" + ], + "fileset.name": "dns", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:Z26DBGVYoBKQ1FT6qfPaAqBnJik=", + "network.transport": "udp", + "related.ip": [ + 
"192.168.86.167", + "192.168.86.1" + ], + "service.type": "zeek", + "source.address": "192.168.86.167", + "source.ip": "192.168.86.167", + "source.port": 38339, + "tags": [ + "zeek.dns" + ], + "zeek.dns.AA": false, + "zeek.dns.RA": true, + "zeek.dns.RD": true, + "zeek.dns.TC": false, + "zeek.dns.TTLs": [ + 119, + 119, + 59 + ], + "zeek.dns.answers": [ + "proxy-production-us-west1.gcp.cloud.es.io", + "proxy-production-us-west1-v1-009.gcp.cloud.es.io", + "35.199.178.4" + ], + "zeek.dns.qclass": 1, + "zeek.dns.qclass_name": "C_INTERNET", + "zeek.dns.qtype": 1, + "zeek.dns.qtype_name": "A", + "zeek.dns.query": "dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io", + "zeek.dns.rcode": 0, + "zeek.dns.rcode_name": "NOERROR", + "zeek.dns.rejected": false, + "zeek.dns.rtt": 0.076967, + "zeek.dns.trans_id": "15209", + "zeek.session_id": "CAcJw21BbVedgFnYH3" + }, + { + "@timestamp": "2019-08-29T16:23:50.680Z", + "destination.address": "ff02::fb", + "destination.ip": "ff02::fb", + "destination.port": 5353, + "dns.id": "0", + "dns.question.class": "IN", + "dns.question.name": "_googlecast._tcp.local", + "dns.question.registered_domain": "_tcp.local", + "dns.question.subdomain": "_googlecast", + "dns.question.top_level_domain": "local", + "dns.question.type": "PTR", + "dns.type": "query", + "event.category": [ + "network" + ], + "event.dataset": "zeek.dns", + "event.id": "C19a1k4lTv46YMbeOk", + "event.kind": "event", + "event.module": "zeek", + "event.original": "{\"ts\":1567095830.680046,\"uid\":\"C19a1k4lTv46YMbeOk\",\"id.orig_h\":\"fe80::4ef:15cf:769f:ff21\",\"id.orig_p\":5353,\"id.resp_h\":\"ff02::fb\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":12,\"qtype_name\":\"PTR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"rejected\":false}", + "event.type": [ + "connection", + "info", + "protocol" + ], + "fileset.name": "dns", + "input.type": "log", + 
"log.offset": 566, + "network.community_id": "1:Jq0sRtlGSMjsvMBE1ZYybbR2tI0=", + "network.transport": "udp", + "related.ip": [ + "fe80::4ef:15cf:769f:ff21", + "ff02::fb" + ], + "service.type": "zeek", + "source.address": "fe80::4ef:15cf:769f:ff21", + "source.ip": "fe80::4ef:15cf:769f:ff21", + "source.port": 5353, + "tags": [ + "zeek.dns" + ], + "zeek.dns.AA": false, + "zeek.dns.RA": false, + "zeek.dns.RD": false, + "zeek.dns.TC": false, + "zeek.dns.qclass": 1, + "zeek.dns.qclass_name": "C_INTERNET", + "zeek.dns.qtype": 12, + "zeek.dns.qtype_name": "PTR", + "zeek.dns.query": "_googlecast._tcp.local", + "zeek.dns.rejected": false, + "zeek.dns.trans_id": "0", + "zeek.session_id": "C19a1k4lTv46YMbeOk" + }, + { + "@timestamp": "2019-08-29T16:23:50.734Z", + "destination.address": "224.0.0.251", + "destination.ip": "224.0.0.251", + "destination.port": 5353, + "dns.answers": [ + { + "data": "bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local", + "ttl": 120 + } + ], + "dns.header_flags": "AA", + "dns.id": "0", + "dns.question.name": "_googlecast._tcp.local", + "dns.question.registered_domain": "_tcp.local", + "dns.question.subdomain": "_googlecast", + "dns.question.top_level_domain": "local", + "dns.response_code": "NOERROR", + "dns.type": "answer", + "event.category": [ + "network" + ], + "event.dataset": "zeek.dns", + "event.id": "CdiVAw7jJw6gsX5H", + "event.kind": "event", + "event.module": "zeek", + "event.original": "{\"ts\":1567095830.734329,\"uid\":\"CdiVAw7jJw6gsX5H\",\"id.orig_h\":\"192.168.86.237\",\"id.orig_p\":5353,\"id.resp_h\":\"224.0.0.251\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":true,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"answers\":[\"bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local\"],\"TTLs\":[120.0],\"rejected\":false}", + "event.outcome": "success", + "event.type": [ + "connection", + "info", + "protocol" + ], + 
"fileset.name": "dns",
+ "input.type": "log",
+ "log.offset": 909,
+ "network.community_id": "1:QIR5YXlirWwWA18ZyY/RnvQoaic=",
+ "network.transport": "udp",
+ "related.ip": [
+ "192.168.86.237",
+ "224.0.0.251"
+ ],
+ "service.type": "zeek",
+ "source.address": "192.168.86.237",
+ "source.ip": "192.168.86.237",
+ "source.port": 5353,
+ "tags": [
+ "zeek.dns"
+ ],
+ "zeek.dns.AA": true,
+ "zeek.dns.RA": false,
+ "zeek.dns.RD": false,
+ "zeek.dns.TC": false,
+ "zeek.dns.TTLs": [
+ 120
+ ],
+ "zeek.dns.answers": [
+ "bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local"
+ ],
+ "zeek.dns.query": "_googlecast._tcp.local",
+ "zeek.dns.rcode": 0,
+ "zeek.dns.rcode_name": "NOERROR",
+ "zeek.dns.rejected": false,
+ "zeek.dns.trans_id": "0",
+ "zeek.session_id": "CdiVAw7jJw6gsX5H"
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dpd/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/dpd/_meta/fields.yml
new file mode 100644
index 00000000..c924c27b
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/dpd/_meta/fields.yml
@@ -0,0 +1,21 @@
+- name: dpd
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek DPD log
+ fields:
+ - name: analyzer
+ type: keyword
+ description: >
+ The analyzer that generated the violation.
+
+ - name: failure_reason
+ type: keyword
+ description: >
+ The textual reason for the analysis failure.
+
+ - name: packet_segment
+ type: keyword
+ description: |
+ (present if policy/frameworks/dpd/packet-segment-logging.bro is loaded)
+ A chunk of the payload that most likely resulted in the protocol violation.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dpd/config/dpd.yml b/dynamite_nsm/confs/filebeat/module/zeek/dpd/config/dpd.yml
new file mode 100644
index 00000000..b7a9c30e
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/dpd/config/dpd.yml
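Review bot: The fixture pins `"dns.header_flags": "AA"` as a bare string in the third event but `["RD", "RA"]` as an array in the first, so the field's shape depends on how many flags were set. The cause is in the dns config of this commit, where `evt.AppendTo` is called on a field that does not exist yet and appears to create a scalar for the first value; Elasticsearch tolerates the mix for a keyword mapping, but painless scripts and downstream consumers that index into the value will not. Rather than freezing the inconsistency in the expected output, I would have the script collect the flags in a local array and `evt.Put("dns.header_flags", flags)` once when it is non-empty, then regenerate this fixture.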
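Review bot: `packet_segment` holds raw payload bytes copied off the wire by Zeek, and its description says nothing about that; it can carry fragments of credentials or other sensitive data and, as a `keyword`, is presumably only indexed up to the default `ignore_above` limit (confirm in the generated template). I would extend the description to `A chunk of the raw payload (may contain sensitive data) that most likely resulted in the protocol violation.` The script reference `policy/frameworks/dpd/packet-segment-logging.bro` uses the pre-Zeek-3 `.bro` extension; if Dynamite ships Zeek 3.x or later the path ends in `.zeek`, and the same applies to the `.bro` references in the ftp fields added in this commit.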
@@ -0,0 +1,60 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.dpd"
+
+ - from: "zeek.dpd.id.orig_h"
+ to: "source.address"
+
+ - from: "zeek.dpd.id.orig_p"
+ to: "source.port"
+
+ - from: "zeek.dpd.id.resp_h"
+ to: "destination.address"
+
+ - from: "zeek.dpd.id.resp_p"
+ to: "destination.port"
+
+ - from: "zeek.dpd.uid"
+ to: "zeek.session_id"
+
+ - from: "zeek.dpd.proto"
+ to: "network.transport"
+
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ - {from: "zeek.session_id", to: "event.id"}
+ ignore_missing: true
+ fail_on_error: false
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - info
+ - community_id:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dpd/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/dpd/ingest/pipeline.yml
new file mode 100644
index 00000000..32d1852c
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/dpd/ingest/pipeline.yml
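Review bot: `fields_under_root: true` is set without any `fields:` block, so it does nothing here and only suggests to the next reader that extra fields are injected somewhere; drop the line or add a comment explaining what it is for. This config also parses with the `json` input option and never keeps the raw line as `event.original`, whereas the dns config in this commit renames `message` to `event.original` before decoding; for a protocol-violation log that analysts will want to inspect verbatim during an investigation, I would use the same `rename` + `decode_json_fields` pattern so the untouched record survives in the index. Whether the raw `message` is retained at all with `json.keys_under_root: false` should be checked against the Filebeat version Dynamite pins.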
@@ -0,0 +1,66 @@
+description: Pipeline for normalizing Zeek dpd.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.dpd.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.dpd.ts
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dpd/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/dpd/manifest.yml
new file mode 100644
index 00000000..854eadbf
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/dpd/manifest.yml
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/dpd.log
+ os.linux:
+ - /var/log/bro/current/dpd.log
+ os.darwin:
+ - /usr/local/var/logs/current/dpd.log
+ - name: tags
+ default: [zeek.dpd]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/dpd.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json
new file mode 100644
index 00000000..0d6173e1
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json
@@ -0,0 +1,38 @@
+[
+ {
+ "@timestamp": "2017-10-09T16:45:00.423Z",
+ "destination.address": "192.168.10.10",
+ "destination.ip": "192.168.10.10",
+ "destination.port": 445,
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "zeek.dpd",
+ "event.id": "CRrT7S1ccw9H6hzCR",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
+ "connection",
+ "info"
+ ],
+ "fileset.name": "dpd",
+ "input.type": "log",
+ "log.offset": 0,
+ "network.community_id": "1:b+Szw+ia464igf5e+MwW1WUzw9Y=",
+ "network.transport": "tcp",
+ "related.ip": [
+ "192.168.10.31",
+ "192.168.10.10"
+ ],
+ "service.type": "zeek",
+ "source.address": "192.168.10.31",
+ "source.ip": "192.168.10.31",
+ "source.port": 49285,
+ "tags": [
+ "zeek.dpd"
+ ],
+ "zeek.dpd.analyzer": "DCE_RPC",
+ "zeek.dpd.failure_reason": "Binpac exception: binpac exception: &enforce violation : DCE_RPC_Header:rpc_vers",
+ "zeek.session_id": "CRrT7S1ccw9H6hzCR"
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/fields.go b/dynamite_nsm/confs/filebeat/module/zeek/fields.go
new file mode 100644
index 00000000..d048c716
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/fields.go
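Review bot: This manifest omits the `requires.processors` declaration even though the dpd ingest pipeline added in this commit runs four `geoip` processors (two of them against `GeoLite2-ASN.mmdb`); the dns manifest in the same change declares it, so the two filesets are inconsistent and the dpd pipeline will only fail at setup time, with a less helpful error, on a cluster where the plugin is absent. Add the same block the dns manifest uses: `requires.processors:` / `- name: geoip` / `  plugin: ingest-geoip`. As with the dns manifest, the `/var/log/bro/current/` defaults should be confirmed against where Dynamite's Zeek actually writes.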
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package zeek + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "zeek", asset.ModuleFieldsPri, AssetZeek); err != nil { + panic(err) + } +} + +// AssetZeek returns asset data. +// This is the base64 encoded gzipped contents of module/zeek. +func AssetZeek() string { + return "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" +} diff --git a/dynamite_nsm/confs/filebeat/module/zeek/files/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/files/_meta/fields.yml new file mode 100644 index 00000000..7abe041c --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/files/_meta/fields.yml 
@@ -0,0 +1,138 @@
+- name: files
+ type: group
+ description: >
+ Fields exported by the Zeek Files log.
+ fields:
+ - name: fuid
+ type: keyword
+ description: >
+ A file unique identifier.
+
+ - name: tx_host
+ type: ip
+ description: >
+ The host that transferred the file.
+
+ - name: rx_host
+ type: ip
+ description: >
+ The host that received the file.
+
+ - name: session_ids
+ type: keyword
+ description: >
+ The sessions that have this file.
+
+ - name: source
+ type: keyword
+ description: |
+ An identification of the source of the file data. E.g. it may be a network protocol
+ over which it was transferred, or a local file path which was read, or some other
+ input source.
+
+ - name: depth
+ type: long
+ description: |
+ A value to represent the depth of this file in relation to its source. In SMTP, it
+ is the depth of the MIME attachment on the message. In HTTP, it is the depth of the
+ request within the TCP connection.
+
+ - name: analyzers
+ type: keyword
+ description: >
+ A set of analysis types done during the file analysis.
+
+ - name: mime_type
+ type: keyword
+ description: >
+ Mime type of the file.
+
+ - name: filename
+ type: keyword
+ description: >
+ Name of the file if available.
+
+ - name: local_orig
+ type: boolean
+ description: |
+ If the source of this file is a network connection, this field indicates if the data
+ originated from the local network or not.
+
+ - name: is_orig
+ type: boolean
+ description: |
+ If the source of this file is a network connection, this field indicates if the file is
+ being sent by the originator of the connection or the responder.
+
+ - name: duration
+ type: double
+ description: >
+ The duration the file was analyzed for. Not the duration of the session.
+
+ - name: seen_bytes
+ type: long
+ description: >
+ Number of bytes provided to the file analysis engine for the file.
+
+ - name: total_bytes
+ type: long
+ description: >
+ Total number of bytes that are supposed to comprise the full file.
+
+ - name: missing_bytes
+ type: long
+ description: |
+ The number of bytes in the file stream that were completely missed during the process
+ of analysis.
+
+ - name: overflow_bytes
+ type: long
+ description: |
+ The number of bytes in the file stream that were not delivered to stream file analyzers.
+ This could be overlapping bytes or bytes that couldn't be reassembled.
+
+ - name: timedout
+ type: boolean
+ description: >
+ Whether the file analysis timed out at least once for the file.
+
+ - name: parent_fuid
+ type: keyword
+ description: |
+ Identifier associated with a container file from which this one was extracted as part of
+ the file analysis.
+
+ - name: md5
+ type: keyword
+ description: >
+ An MD5 digest of the file contents.
+
+ - name: sha1
+ type: keyword
+ description: >
+ A SHA1 digest of the file contents.
+
+ - name: sha256
+ type: keyword
+ description: >
+ A SHA256 digest of the file contents.
+
+ - name: extracted
+ type: keyword
+ description: >
+ Local filename of extracted file.
+
+ - name: extracted_cutoff
+ type: boolean
+ description: >
+ Indicate whether the file being extracted was cut off hence not extracted completely.
+
+ - name: extracted_size
+ type: long
+ description: >
+ The number of bytes extracted to disk.
+
+ - name: entropy
+ type: double
+ description: >
+ The information density of the contents of the file.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/files/config/files.yml b/dynamite_nsm/confs/filebeat/module/zeek/files/config/files.yml
new file mode 100644
index 00000000..19dfddb9
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/files/config/files.yml
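Review bot: `tx_host` and `rx_host` are documented as "the host that transferred/received the file", but the files ingest pipeline in this commit derives each from the first element of Zeek's `tx_hosts`/`rx_hosts` sets and then deletes the sets, so any additional hosts only survive in `related.ip`. The descriptions should say so, e.g. `The first host that transferred the file (Zeek tx_hosts[0]); remaining hosts are kept only in related.ip.` The `md5`/`sha1`/`sha256` descriptions would also benefit from noting that a digest is present only when the matching analyzer ran (the test fixture in this commit lists `X509, MD5, SHA1` and carries no sha256), so detections should not assume all three exist.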
@@ -0,0 +1,45 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+processors:
+ - drop_fields:
+ fields: ["json.x509"]
+ ignore_missing: true
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.files"
+ - from: "zeek.files.conn_uids"
+ to: "zeek.files.session_ids"
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "zeek.files.mime_type", to: "file.mime_type"}
+ - {from: "zeek.files.filename", to: "file.name"}
+ - {from: "zeek.files.total_bytes", to: "file.size"}
+ - {from: "zeek.files.md5", to: "file.hash.md5"}
+ - {from: "zeek.files.sha1", to: "file.hash.sha1"}
+ - {from: "zeek.files.sha256", to: "file.hash.sha256"}
+ ignore_missing: true
+ fail_on_error: false
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - file
+ type:
+ - info
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/files/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/files/ingest/pipeline.yml
new file mode 100644
index 00000000..754720e9
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/files/ingest/pipeline.yml
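Review bot: `file.size` is copied from `zeek.files.total_bytes`, which the fields file in this commit defines as the number of bytes "supposed to comprise the full file", not the bytes Zeek actually saw; on a truncated or partially captured transfer `file.size` and `file.hash.*` therefore describe different things, which matters when a hash is matched against threat intel that also carries a size. At minimum add a comment on that line, `# declared size, not bytes observed; check zeek.files.seen_bytes / missing_bytes before trusting it`. The `drop_fields` of `json.x509` also deserves a one-line reason (presumably because the x509 fileset handles certificate details), since a reader otherwise wonders why certificate data is discarded here.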
@@ -0,0 +1,69 @@
+description: Pipeline for normalizing Zeek files.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.files.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.files.ts
+- script:
+ lang: painless
+ source: ctx.zeek.session_id = ctx.zeek.files.session_ids[0];
+ if: ctx.zeek.files.session_ids != null
+ ignore_failure: true
+- set:
+ field: event.id
+ value: '{{zeek.session_id}}'
+ if: ctx.zeek.session_id != null
+- foreach:
+ field: zeek.files.tx_hosts
+ processor:
+ append:
+ field: related.ip
+ value: "{{_ingest._value}}"
+ ignore_missing: true
+- script:
+ lang: painless
+ source: ctx.zeek.files.tx_host = ctx.zeek.files.tx_hosts[0]; ctx.zeek.files.remove('tx_hosts');
+ ignore_failure: true
+- set:
+ field: server.ip
+ value: "{{zeek.files.tx_host}}"
+ if: "ctx?.zeek?.files?.tx_host != null"
+- foreach:
+ field: zeek.files.rx_hosts
+ processor:
+ append:
+ field: related.ip
+ value: "{{_ingest._value}}"
+ ignore_missing: true
+- script:
+ lang: painless
+ source: ctx.zeek.files.rx_host = ctx.zeek.files.rx_hosts[0]; ctx.zeek.files.remove('rx_hosts');
+ ignore_failure: true
+- set:
+ field: client.ip
+ value: "{{zeek.files.rx_host}}"
+ if: "ctx?.zeek?.files?.rx_host != null"
+- append:
+ field: related.hash
+ value: "{{file.hash.md5}}"
+ if: "ctx?.file?.hash?.md5 != null"
+- append:
+ field: related.hash
+ value: "{{file.hash.sha1}}"
+ if: "ctx?.file?.hash?.sha1 != null"
+- append:
+ field: related.hash
+ value: "{{file.hash.sha256}}"
+ if: "ctx?.file?.hash?.sha256 != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/files/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/files/manifest.yml
new file mode 100644
index 00000000..bef3d721
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/files/manifest.yml
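Review bot: `server.ip` is set unconditionally from `tx_host` and `client.ip` from `rx_host`, which assumes files only flow from responder to originator; for an upload (HTTP POST, SMTP attachment) the originator is the transmitting host, so client and server come out swapped and any rule such as "file X downloaded from server Y" points at the wrong peer. The files fields added in this commit define `is_orig` as whether the file was sent by the originator, so the mapping can be decided per event, e.g. set `server.ip` from `tx_host` only `if: "ctx?.zeek?.files?.is_orig == false"` and from `rx_host` when it is `true`, with a comment explaining the direction logic. Separately, the first two `if` conditions (`ctx.zeek.files.session_ids != null`, `ctx.zeek.session_id != null`) are not null-safe unlike the later `ctx?.` ones; `ignore_failure` covers the script body but I am not certain it covers a failing condition, so `ctx?.zeek?.files?.session_ids != null` and `ctx?.zeek?.session_id != null` are the safer forms.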
@@ -0,0 +1,19 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/files.log
+ os.linux:
+ - /var/log/bro/current/files.log
+ os.darwin:
+ - /usr/local/var/logs/current/files.log
+ - name: tags
+ default: [zeek.files]
+ - name: community_id
+ default: true
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/files.yml
+
+requires.processors:
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/files/test/files-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/files/test/files-json.log-expected.json
new file mode 100644
index 00000000..6fc38a5d
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/files/test/files-json.log-expected.json
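Review bot: The `community_id` variable is declared with `default: true` but the files config in this commit never references it and has no `community_id` processor (files.log carries no 5-tuple to hash, so it could not compute one anyway), so the var is dead and misleads anyone who toggles it. `requires.processors:` is likewise left as an empty key; the files pipeline uses no `geoip`, so either remove the key or fill it deliberately. I would drop the `community_id` entry and the empty `requires.processors:` line, leaving `paths` and `tags`.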
@@ -0,0 +1,116 @@ +[ + { + "@timestamp": "2019-01-17T01:33:16.636Z", + "client.ip": "10.178.98.102", + "event.category": [ + "file" + ], + "event.dataset": "zeek.files", + "event.id": "C8I0zn3r9EPbfLgta6", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "info" + ], + "file.hash.md5": "79e4a9840d7d3a96d7c04fe2434c892e", + "file.hash.sha1": "a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436", + "file.mime_type": "application/pkix-cert", + "fileset.name": "files", + "input.type": "log", + "log.offset": 0, + "related.hash": [ + "79e4a9840d7d3a96d7c04fe2434c892e", + "a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436" + ], + "related.ip": [ + "35.199.178.4", + "10.178.98.102" + ], + "server.ip": "35.199.178.4", + "service.type": "zeek", + "tags": [ + "zeek.files" + ], + "zeek.files.analyzers": [ + "X509", + "MD5", + "SHA1" + ], + "zeek.files.depth": 0, + "zeek.files.duration": 0, + "zeek.files.fuid": "FMkioa222mEuM2RuQ9", + "zeek.files.is_orig": false, + "zeek.files.local_orig": false, + "zeek.files.md5": "79e4a9840d7d3a96d7c04fe2434c892e", + "zeek.files.mime_type": "application/pkix-cert", + "zeek.files.missing_bytes": 0, + "zeek.files.overflow_bytes": 0, + "zeek.files.rx_host": "10.178.98.102", + "zeek.files.seen_bytes": 947, + "zeek.files.session_ids": [ + "C8I0zn3r9EPbfLgta6" + ], + "zeek.files.sha1": "a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436", + "zeek.files.source": "SSL", + "zeek.files.timedout": false, + "zeek.files.tx_host": "35.199.178.4", + "zeek.session_id": "C8I0zn3r9EPbfLgta6" + }, + { + "@timestamp": "2019-01-17T01:33:21.566Z", + "client.ip": "10.178.98.102", + "event.category": [ + "file" + ], + "event.dataset": "zeek.files", + "event.id": "C6sjVo23iNApLnlAt6", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "info" + ], + "file.hash.md5": "b9742f12eb97eff531d94f7800c6706c", + "file.hash.sha1": "b88d13fe319d342e7a808ce3a0a1158111fc3c2a", + "file.mime_type": "application/pkix-cert", + "fileset.name": "files", + "input.type": 
"log",
+ "log.offset": 452,
+ "related.hash": [
+ "b9742f12eb97eff531d94f7800c6706c",
+ "b88d13fe319d342e7a808ce3a0a1158111fc3c2a"
+ ],
+ "related.ip": [
+ "17.134.127.250",
+ "10.178.98.102"
+ ],
+ "server.ip": "17.134.127.250",
+ "service.type": "zeek",
+ "tags": [
+ "zeek.files"
+ ],
+ "zeek.files.analyzers": [
+ "X509",
+ "MD5",
+ "SHA1"
+ ],
+ "zeek.files.depth": 0,
+ "zeek.files.duration": 0,
+ "zeek.files.fuid": "FShtIS1gydeSFf8M63",
+ "zeek.files.is_orig": false,
+ "zeek.files.local_orig": false,
+ "zeek.files.md5": "b9742f12eb97eff531d94f7800c6706c",
+ "zeek.files.mime_type": "application/pkix-cert",
+ "zeek.files.missing_bytes": 0,
+ "zeek.files.overflow_bytes": 0,
+ "zeek.files.rx_host": "10.178.98.102",
+ "zeek.files.seen_bytes": 2089,
+ "zeek.files.session_ids": [
+ "C6sjVo23iNApLnlAt6"
+ ],
+ "zeek.files.sha1": "b88d13fe319d342e7a808ce3a0a1158111fc3c2a",
+ "zeek.files.source": "SSL",
+ "zeek.files.timedout": false,
+ "zeek.files.tx_host": "17.134.127.250",
+ "zeek.session_id": "C6sjVo23iNApLnlAt6"
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ftp/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/ftp/_meta/fields.yml
new file mode 100644
index 00000000..3c36e53e
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/ftp/_meta/fields.yml
@@ -0,0 +1,128 @@ +- name: ftp + type: group + default_field: false + description: > + Fields exported by the Zeek FTP log + fields: + - name: user + type: keyword + description: | + User name for the current FTP session. + + - name: password + type: keyword + description: | + Password for the current FTP session if captured. + + - name: command + type: keyword + description: | + Command given by the client. + + - name: arg + type: keyword + description: | + Argument for the command if one is given. + + - name: file + type: group + fields: + - name: size + type: long + description: | + Size of the file if the command indicates a file transfer. + + - name: mime_type + type: keyword + description: | + Sniffed mime type of file. + + - name: fuid + type: keyword + description: | + (present if base/protocols/ftp/files.bro is loaded) + File unique ID. + + - name: reply + type: group + fields: + - name: code + type: integer + description: | + Reply code from the server in response to the command. + + - name: msg + type: keyword + description: | + Reply message from the server in response to the command. + + - name: data_channel + type: group + description: | + Expected FTP data channel. + fields: + - name: passive + type: boolean + description: | + Whether PASV mode is toggled for control channel. + + - name: originating_host + type: ip + description: | + The host that will be initiating the data connection. + + - name: response_host + type: ip + description: | + The host that will be accepting the data connection. + + - name: response_port + type: integer + description: | + The port at which the acceptor is listening for the data connection. + + - name: cwd + type: keyword + description: | + Current working directory that this session is in. By making the default value '.', we can indicate that unless something more concrete is discovered that the existing but unknown directory is ok to use. 
+ + - name: cmdarg + type: group + description: | + Command that is currently waiting for a response. + fields: + - name: cmd + type: keyword + description: | + Command. + + - name: arg + type: keyword + description: | + Argument for the command if one was given. + + - name: seq + type: integer + description: | + Counter to track how many commands have been executed. + + - name: pending_commands + type: integer + description: | + Queue for commands that have been sent but not yet responded to are tracked here. + + - name: passive + type: boolean + description: | + Indicates if the session is in active or passive mode. + + - name: capture_password + type: boolean + description: | + Determines if the password will be captured for this request. + + - name: last_auth_requested + type: keyword + description: | + present if base/protocols/ftp/gridftp.bro is loaded. + Last authentication/security mechanism that was used. diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ftp/config/ftp.yml b/dynamite_nsm/confs/filebeat/module/zeek/ftp/config/ftp.yml new file mode 100644 index 00000000..6acba2ed --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/ftp/config/ftp.yml 
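Review bot: The `file` group declares its file-ID subfield as `fuid`, but the ftp input config in this same change renames `zeek.ftp.fuid` to `zeek.ftp.file.uid`, so the field that actually reaches the index has no explicit mapping here and will be dynamically mapped. Changing the entry to `- name: uid` (or pointing the config's rename target at `zeek.ftp.file.fuid`) keeps mapping and data in agreement. The `password` field would also benefit from a data-handling caveat in its description, since whatever Zeek captures is indexed as a plain keyword, e.g. `Stored in cleartext when Zeek captures it; drop at ingest if credentials must not be indexed.`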
@@ -0,0 +1,89 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true +fields: + network.transport: tcp + network.protocol: ftp + +processors: + - rename: + fields: + - from: "json" + to: "zeek.ftp" + + - from: "zeek.ftp.id.orig_h" + to: "source.address" + + - from: "zeek.ftp.id.orig_p" + to: "source.port" + + - from: "zeek.ftp.id.resp_h" + to: "destination.address" + + - from: "zeek.ftp.id.resp_p" + to: "destination.port" + + - from: "zeek.ftp.uid" + to: "zeek.session_id" + + - from: "zeek.ftp.file_size" + to: "zeek.ftp.file.size" + + - from: "zeek.ftp.mime_type" + to: "zeek.ftp.file.mime_type" + + - from: "zeek.ftp.fuid" + to: "zeek.ftp.file.uid" + + - from: "zeek.ftp.reply_code" + to: "zeek.ftp.reply.code" + + - from: "zeek.ftp.reply_msg" + to: "zeek.ftp.reply.msg" + + - from: "zeek.ftp.data_channel.orig_h" + to: "zeek.ftp.data_channel.originating_host" + + - from: "zeek.ftp.data_channel.resp_h" + to: "zeek.ftp.data_channel.response_host" + + - from: "zeek.ftp.data_channel.resp_p" + to: "zeek.ftp.data_channel.response_port" + + ignore_missing: true + fail_on_error: false + - convert: + fields: + - {from: "zeek.session_id", to: "event.id"} + - {from: "source.address", to: "source.ip", type: "ip"} + - {from: "destination.address", to: "destination.ip", type: "ip"} + - {from: "zeek.ftp.user", to: "user.name"} + - {from: "zeek.ftp.command", to: "event.action"} + - {from: "zeek.ftp.mime.type", to: "file.mime_type"} + - {from: "zeek.ftp.file.size", to: "file.size"} + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + category: + - network + type: + - connection + - info + - protocol + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 
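Review bot: The convert entry `{from: "zeek.ftp.mime.type", to: "file.mime_type"}` references a field that never exists: the rename processor above moves `zeek.ftp.mime_type` to `zeek.ftp.file.mime_type`, so `file.mime_type` is never populated and `ignore_missing: true` hides the miss. It should read `- {from: "zeek.ftp.file.mime_type", to: "file.mime_type"}`. Separately, `zeek.ftp.password` passes through untouched and shows up in cleartext in this fileset's fixture (`"zeek.ftp.password": "ftp"`); if captured credentials must not reach the index, add a `drop_fields` processor for it here, or document the exposure.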
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ftp/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/ftp/ingest/pipeline.yml new file mode 100644 index 00000000..f1f7d0b4 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/ftp/ingest/pipeline.yml @@ -0,0 +1,71 @@ +description: Pipeline for normalizing Zeek ftp.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.ftp.ts + formats: + - UNIX +- remove: + field: zeek.ftp.ts +- dot_expander: + field: data_channel.passive + path: zeek.ftp +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- append: + field: related.user + value: "{{user.name}}" + if: "ctx?.user?.name != null" +- geoip: + field: destination.ip + target_field: destination.geo +- geoip: + field: source.ip + target_field: source.geo +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' 
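Review bot: The city-level `geoip` processors on `destination.ip` and `source.ip` have no `ignore_missing: true`, unlike the two ASN lookups right below them, so an event whose address could not be converted to an IP (the input config uses `fail_on_error: false`, so such events still arrive) aborts the pipeline at that step and is indexed with only `error.message`, skipping the ASN enrichment and renames. Adding `ignore_missing: true` to both processors matches the rest of this pipeline and the intel pipeline in this change.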
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ftp/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/ftp/manifest.yml new file mode 100644 index 00000000..1f37ead0 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/ftp/manifest.yml @@ -0,0 +1,15 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/ftp.log + os.linux: + - /var/log/bro/current/ftp.log + os.darwin: + - /usr/local/var/logs/current/ftp.log + - name: tags + default: [zeek.ftp] + +ingest_pipeline: ingest/pipeline.yml +input: config/ftp.yml diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ftp/test/ftp.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/ftp/test/ftp.log-expected.json new file mode 100644 index 00000000..e6a47bd3 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/ftp/test/ftp.log-expected.json 
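Review bot: The ftp manifest declares no `requires.processors`, although `ingest/pipeline.yml` for this fileset uses the `geoip` processor; the http and intel manifests in this change do declare it. Without it Filebeat skips its explicit plugin check, so a cluster missing ingest-geoip surfaces the problem as a pipeline-load error rather than a clear module requirement failure. Add `requires.processors:` / `- name: geoip` / `  plugin: ingest-geoip` at the end of the file, as in the http manifest.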
@@ -0,0 +1,148 @@ +[ + { + "@timestamp": "2007-08-17T19:31:44.955Z", + "destination.address": "192.168.1.231", + "destination.ip": "192.168.1.231", + "destination.port": 21, + "event.action": "EPSV", + "event.category": [ + "network" + ], + "event.dataset": "zeek.ftp", + "event.id": "CpQoCn3o28tke89zv9", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "info", + "protocol" + ], + "fileset.name": "ftp", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:Szmpl33Czo3dQvU2V4/SrHfmBC0=", + "network.protocol": "ftp", + "network.transport": "tcp", + "related.ip": [ + "192.168.1.182", + "192.168.1.231" + ], + "related.user": [ + "ftp" + ], + "service.type": "zeek", + "source.address": "192.168.1.182", + "source.ip": "192.168.1.182", + "source.port": 62014, + "tags": [ + "zeek.ftp" + ], + "user.name": "ftp", + "zeek.ftp.command": "EPSV", + "zeek.ftp.data_channel.originating_host": "192.168.1.182", + "zeek.ftp.data_channel.passive": true, + "zeek.ftp.data_channel.response_host": "192.168.1.231", + "zeek.ftp.data_channel.response_port": 37100, + "zeek.ftp.password": "ftp", + "zeek.ftp.reply.code": 229, + "zeek.ftp.reply.msg": "Entering Extended Passive Mode (|||37100|)", + "zeek.ftp.user": "ftp", + "zeek.session_id": "CpQoCn3o28tke89zv9" + }, + { + "@timestamp": "2007-08-17T19:31:45.019Z", + "destination.address": "192.168.1.231", + "destination.ip": "192.168.1.231", + "destination.port": 21, + "event.action": "RETR", + "event.category": [ + "network" + ], + "event.dataset": "zeek.ftp", + "event.id": "CpQoCn3o28tke89zv9", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "info", + "protocol" + ], + "file.size": 39424, + "fileset.name": "ftp", + "input.type": "log", + "log.offset": 394, + "network.community_id": "1:Szmpl33Czo3dQvU2V4/SrHfmBC0=", + "network.protocol": "ftp", + "network.transport": "tcp", + "related.ip": [ + "192.168.1.182", + "192.168.1.231" + ], + "related.user": [ + 
"ftp" + ], + "service.type": "zeek", + "source.address": "192.168.1.182", + "source.ip": "192.168.1.182", + "source.port": 62014, + "tags": [ + "zeek.ftp" + ], + "user.name": "ftp", + "zeek.ftp.arg": "ftp://192.168.1.231/resume.doc", + "zeek.ftp.command": "RETR", + "zeek.ftp.file.size": 39424, + "zeek.ftp.password": "ftp", + "zeek.ftp.reply.code": 226, + "zeek.ftp.reply.msg": "Transfer complete.", + "zeek.ftp.user": "ftp", + "zeek.session_id": "CpQoCn3o28tke89zv9" + }, + { + "@timestamp": "2007-08-17T19:31:57.579Z", + "destination.address": "192.168.1.231", + "destination.ip": "192.168.1.231", + "destination.port": 21, + "event.action": "STOR", + "event.category": [ + "network" + ], + "event.dataset": "zeek.ftp", + "event.id": "CpQoCn3o28tke89zv9", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "info", + "protocol" + ], + "fileset.name": "ftp", + "input.type": "log", + "log.offset": 688, + "network.community_id": "1:Szmpl33Czo3dQvU2V4/SrHfmBC0=", + "network.protocol": "ftp", + "network.transport": "tcp", + "related.ip": [ + "192.168.1.182", + "192.168.1.231" + ], + "related.user": [ + "ftp" + ], + "service.type": "zeek", + "source.address": "192.168.1.182", + "source.ip": "192.168.1.182", + "source.port": 62014, + "tags": [ + "zeek.ftp" + ], + "user.name": "ftp", + "zeek.ftp.arg": "ftp://192.168.1.231/uploads/README", + "zeek.ftp.command": "STOR", + "zeek.ftp.password": "ftp", + "zeek.ftp.reply.code": 226, + "zeek.ftp.reply.msg": "Transfer complete.", + "zeek.ftp.user": "ftp", + "zeek.session_id": "CpQoCn3o28tke89zv9" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/http/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/http/_meta/fields.yml new file mode 100644 index 00000000..5369d458 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/http/_meta/fields.yml 
@@ -0,0 +1,102 @@ +- name: http + type: group + description: > + Fields exported by the Zeek HTTP log + fields: + - name: trans_depth + type: integer + description: > + Represents the pipelined depth into the connection of this request/response transaction. + + - name: status_msg + type: keyword + description: > + Status message returned by the server. + + - name: info_code + type: integer + description: > + Last seen 1xx informational reply code returned by the server. + + - name: info_msg + type: keyword + description: > + Last seen 1xx informational reply message returned by the server. + + - name: tags + type: keyword + description: | + A set of indicators of various attributes discovered and related to a particular + request/response pair. + + - name: password + type: keyword + description: > + Password if basic-auth is performed for the request. + + - name: captured_password + type: boolean + description: > + Determines if the password will be captured for this request. + + - name: proxied + type: keyword + description: > + All of the headers that may indicate if the HTTP request was proxied. + + - name: range_request + type: boolean + description: > + Indicates if this request can assume 206 partial content in response. + + - name: client_header_names + type: keyword + description: | + The vector of HTTP header names sent by the client. No header values + are included here, just the header names. + + - name: server_header_names + type: keyword + description: | + The vector of HTTP header names sent by the server. No header values + are included here, just the header names. + + - name: orig_fuids + type: keyword + description: > + An ordered vector of file unique IDs from the originator. + + - name: orig_mime_types + type: keyword + description: > + An ordered vector of mime types from the originator. + + - name: orig_filenames + type: keyword + description: > + An ordered vector of filenames from the originator. 
+ + - name: resp_fuids + type: keyword + description: > + An ordered vector of file unique IDs from the responder. + + - name: resp_mime_types + type: keyword + description: > + An ordered vector of mime types from the responder. + + - name: resp_filenames + type: keyword + description: > + An ordered vector of filenames from the responder. + + - name: orig_mime_depth + type: integer + description: > + Current number of MIME entities in the HTTP request message body. + + - name: resp_mime_depth + type: integer + description: > + Current number of MIME entities in the HTTP response message body. diff --git a/dynamite_nsm/confs/filebeat/module/zeek/http/config/http.yml b/dynamite_nsm/confs/filebeat/module/zeek/http/config/http.yml new file mode 100644 index 00000000..25bdbf70 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/http/config/http.yml 
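Review bot: The `http` group is the only fileset group in this change without `default_field: false` (the ftp, intel and irc groups set it right after `type: group`), so, as far as I can tell from Filebeat's template generation, all of its keyword fields are added to `index.query.default_field`. Adding `default_field: false` keeps the template consistent across filesets and avoids pushing the index toward the default-field limit as more Zeek logs are onboarded.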
@@ -0,0 +1,97 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true +fields: + network.transport: tcp + +processors: + - rename: + fields: + - from: "json" + to: "zeek.http" + + - from: "zeek.http.id.orig_h" + to: "source.address" + + - from: "zeek.http.id.orig_p" + to: "source.port" + + - from: "zeek.http.id.resp_h" + to: "destination.address" + + - from: "zeek.http.id.resp_p" + to: "destination.port" + + - from: "zeek.http.uid" + to: "zeek.session_id" + + - from: "zeek.http.method" + to: "http.request.method" + + - from: "zeek.http.referrer" + to: "http.request.referrer" + + - from: "zeek.http.status_code" + to: "http.response.status_code" + + - from: "zeek.http.version" + to: "http.version" + + - from: "zeek.http.request_body_len" + to: "http.request.body.bytes" + + - from: "zeek.http.response_body_len" + to: "http.response.body.bytes" + + - from: "zeek.http.uri" + to: "url.original" + + - from: "zeek.http.host" + to: "url.domain" + + - from: "zeek.http.username" + to: "url.username" + + - from: "zeek.http.password" + to: "url.password" + + - from: "zeek.http.user_agent" + to: "user_agent.original" + + ignore_missing: true + fail_on_error: false + - convert: + fields: + - {from: "zeek.session_id", to: "event.id"} + - {from: "source.address", to: "source.ip", type: "ip"} + - {from: "destination.address", to: "destination.ip", type: "ip"} + - {from: "destination.port", to: "url.port"} + - {from: "http.request.method", to: "event.action"} + - {from: "url.username", to: "user.name"} + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + category: + - network + - web + type: + - connection + - info + - protocol + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 
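Review bot: The static `fields:` block sets only `network.transport: tcp`, whereas the ftp and irc configs also set `network.protocol`, and this fileset's fixture indeed carries no `network.protocol`. Adding `network.protocol: http` under `fields:` keeps the filesets consistent and queryable the same way. The rename of `zeek.http.password` to `url.password` also moves any captured Basic-auth password verbatim into an ECS field; if credentials must not be indexed, drop it here with a `drop_fields` processor on `url.password` rather than relying on Zeek's capture setting.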
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/http/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/http/ingest/pipeline.yml new file mode 100644 index 00000000..a2c4a85b --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/http/ingest/pipeline.yml 
@@ -0,0 +1,82 @@ +description: Pipeline for normalizing Zeek http.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.http.ts + formats: + - UNIX +- remove: + field: zeek.http.ts +- geoip: + field: destination.ip + target_field: destination.geo +- geoip: + field: source.ip + target_field: source.geo +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- user_agent: + field: user_agent.original + ignore_missing: true +- lowercase: + field: "event.action" + ignore_missing: true +- set: + field: event.outcome + value: success + if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400" +- set: + field: event.outcome + value: failure + if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400" +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- append: + field: related.user + value: "{{url.username}}" + if: "ctx?.url?.username != null" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' 
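Review bot: The city-level `geoip` processors for `destination.ip` and `source.ip` lack `ignore_missing: true`, while the ASN lookups directly below them have it, so an event without a parsed IP fails the pipeline at that step and never reaches `user_agent`, the `event.outcome` sets or the `related.*` appends. Add `ignore_missing: true` to both processors; that is what the intel pipeline in this change already does for the same lookups.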
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/http/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/http/manifest.yml new file mode 100644 index 00000000..acf134c2 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/http/manifest.yml @@ -0,0 +1,21 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/http.log + os.linux: + - /var/log/bro/current/http.log + os.darwin: + - /usr/local/var/logs/current/http.log + - name: tags + default: [zeek.http] + +ingest_pipeline: ingest/pipeline.yml +input: config/http.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip +- name: user_agent + plugin: ingest-user_agent diff --git a/dynamite_nsm/confs/filebeat/module/zeek/http/test/http-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/http/test/http-json.log-expected.json new file mode 100644 index 00000000..0b101cda --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/http/test/http-json.log-expected.json 
@@ -0,0 +1,144 @@ +[ + { + "@timestamp": "2019-01-17T01:05:30.172Z", + "destination.address": "17.253.5.203", + "destination.as.number": 6185, + "destination.as.organization.name": "Apple Inc.", + "destination.geo.city_name": "San Jose", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.3388, + "destination.geo.location.lon": -121.8914, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "17.253.5.203", + "destination.port": 80, + "event.action": "get", + "event.category": [ + "network", + "web" + ], + "event.dataset": "zeek.http", + "event.id": "CCNp8v1SNzY7v9d1Ih", + "event.kind": "event", + "event.module": "zeek", + "event.outcome": "success", + "event.type": [ + "connection", + "info", + "protocol" + ], + "fileset.name": "http", + "http.request.body.bytes": 0, + "http.request.method": "GET", + "http.response.body.bytes": 3735, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:dtBPRfpKEZyg1iOHss95buwv+cw=", + "network.transport": "tcp", + "related.ip": [ + "10.178.98.102", + "17.253.5.203" + ], + "related.user": [ + "user" + ], + "service.type": "zeek", + "source.address": "10.178.98.102", + "source.ip": "10.178.98.102", + "source.port": 62995, + "tags": [ + "zeek.http" + ], + "url.domain": "ocsp.apple.com", + "url.original": "/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=", + "url.port": 80, + "url.username": "user", + "user.name": "user", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "com.apple.trustd/2.0", + "zeek.http.resp_fuids": [ + "F5zuip1tSwASjNAHy7" + ], + "zeek.http.resp_mime_types": [ + "application/ocsp-response" + ], + "zeek.http.status_msg": "OK", + 
"zeek.http.tags": [], + "zeek.http.trans_depth": 1, + "zeek.session_id": "CCNp8v1SNzY7v9d1Ih" + }, + { + "@timestamp": "2019-01-17T06:36:59.757Z", + "destination.address": "34.206.130.40", + "destination.as.number": 14618, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.206.130.40", + "destination.port": 80, + "event.action": "get", + "event.category": [ + "network", + "web" + ], + "event.dataset": "zeek.http", + "event.id": "CMnIaR2V8VXyu7EPs", + "event.kind": "event", + "event.module": "zeek", + "event.outcome": "success", + "event.type": [ + "connection", + "info", + "protocol" + ], + "fileset.name": "http", + "http.request.body.bytes": 0, + "http.request.method": "GET", + "http.response.body.bytes": 32, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 574, + "network.community_id": "1:Ol0Btm49e1mxnu/BXm1GM8w5ixY=", + "network.transport": "tcp", + "related.ip": [ + "10.20.8.197", + "34.206.130.40" + ], + "service.type": "zeek", + "source.address": "10.20.8.197", + "source.ip": "10.20.8.197", + "source.port": 35684, + "tags": [ + "zeek.http" + ], + "url.domain": "httpbin.org", + "url.original": "/ip", + "url.port": 80, + "user_agent.device.name": "Other", + "user_agent.name": "curl", + "user_agent.original": "curl/7.58.0", + "user_agent.version": "7.58.0", + "zeek.http.resp_fuids": [ + "FwGPlr1GcKUWWdkXoi" + ], + "zeek.http.resp_mime_types": [ + "text/json" + ], + "zeek.http.status_msg": "OK", + "zeek.http.tags": [], + "zeek.http.trans_depth": 1, + "zeek.session_id": "CMnIaR2V8VXyu7EPs" + } +] \ No newline at end of 
file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/intel/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/intel/_meta/fields.yml new file mode 100644 index 00000000..e43f5951 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/intel/_meta/fields.yml 
@@ -0,0 +1,80 @@ +- name: intel + type: group + default_field: false + description: > + Fields exported by the Zeek Intel log. + fields: + + - name: seen + type: group + fields: + - name: indicator + type: keyword + description: > + The intelligence indicator. + + - name: indicator_type + type: keyword + description: > + The type of data the indicator represents. + + - name: host + type: keyword + description: > + If the indicator type was Intel::ADDR, then this field will be present. + + - name: conn + type: keyword + description: > + If the data was discovered within a connection, the connection record should go here to give context to the data. + + - name: where + type: keyword + description: > + Where the data was discovered. + + - name: node + type: keyword + description: > + The name of the node where the match was discovered. + + - name: uid + type: keyword + description: > + If the data was discovered within a connection, the connection uid should go here to give context to the data. If the conn field is provided, this will be automatically filled out. + + - name: f + type: object + description: > + If the data was discovered within a file, the file record should go here to provide context to the data. + + - name: fuid + type: keyword + description: > + If the data was discovered within a file, the file uid should go here to provide context to the data. If the file record f is provided, this will be automatically filled out. + + + - name: matched + type: keyword + description: > + Event to represent a match in the intelligence data from data that was seen. + + - name: sources + type: keyword + description: > + Sources which supplied data for this match. + + - name: fuid + type: keyword + description: > + If a file was associated with this intelligence hit, this is the uid for the file. + + - name: file_mime_type + type: keyword + description: > + A mime type if the intelligence hit is related to a file. 
If the $f field is provided this will be automatically filled out. + + - name: file_desc + type: keyword + description: > + Frequently files can be described to give a bit more context. If the $f field is provided this field will be automatically filled out. diff --git a/dynamite_nsm/confs/filebeat/module/zeek/intel/config/intel.yml b/dynamite_nsm/confs/filebeat/module/zeek/intel/config/intel.yml new file mode 100644 index 00000000..d48dec70 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/intel/config/intel.yml 
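Review bot: The description of `matched` ("Event to represent a match in the intelligence data from data that was seen") describes an event rather than the field; the fixture shows the value is a list of indicator types, `"zeek.intel.matched": ["Intel::ADDR"]`. A description such as `Set of indicator types (e.g. Intel::ADDR) that matched against the seen data.` would be accurate. The `seen.f` entry is typed `object`; since a Zeek file record carries many subfields, confirm that dynamic mapping of it is intended rather than dropping it or using a flattened type.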
@@ -0,0 +1,70 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +processors: + - rename: + fields: + - {from: message, to: event.original} + - decode_json_fields: + fields: [event.original] + target: zeek.intel + - convert: + ignore_missing: true + fields: + - {from: zeek.intel.id.orig_h, to: source.address} + - {from: zeek.intel.id.orig_h, to: source.ip, type: ip} + - {from: zeek.intel.id.orig_p, to: source.port, type: long} + - {from: zeek.intel.id.resp_h, to: destination.address} + - {from: zeek.intel.id.resp_h, to: destination.ip, type: ip} + - {from: zeek.intel.id.resp_p, to: destination.port, type: long} + - rename: + ignore_missing: true + fields: + - from: zeek.intel.uid + to: zeek.session_id + + # Expand field names containing dots. + - from: zeek.intel.seen.indicator + to: seen.indicator + - from: zeek.intel.seen.indicator_type + to: seen.indicator_type + - from: zeek.intel.seen.host + to: seen.host + - from: zeek.intel.seen.where + to: seen.where + - from: zeek.intel.seen.node + to: seen.node + - from: zeek.intel.seen.conn + to: seen.conn + - from: zeek.intel.seen.uid + to: seen.uid + - from: zeek.intel.seen.f + to: seen.f + - from: zeek.intel.seen.fuid + to: seen.fuid + - from: seen + to: zeek.intel.seen + - drop_fields: + ignore_missing: true + fields: + - zeek.intel.id.orig_h + - zeek.intel.id.orig_p + - zeek.intel.id.resp_h + - zeek.intel.id.resp_p + - add_fields: + target: event + fields: + kind: alert + type: + - info + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/intel/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/intel/ingest/pipeline.yml new file mode 100644 index 00000000..f7009431 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/intel/ingest/pipeline.yml 
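Review bot: The `add_fields` processor sets `event.kind: alert` and `event.type: [info]` but no `event.category`, while every other fileset config in this change sets one, and the fixture confirms the field is absent. Since these are threat-intel hits, `category: [intrusion_detection]` (an allowed value in the ECS 1.8 version pinned below) would let them be queried alongside other detection alerts; adjust if the deployment's ECS policy prefers another value. The `convert` block also omits `fail_on_error: false`, which the ftp/http/irc configs set, so a single unconvertible value undoes the whole convert step for that event instead of skipping just that field.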
@@ -0,0 +1,89 @@ +--- +description: Pipeline for normalizing Zeek intel.log. +processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + - set: + field: event.created + value: '{{@timestamp}}' + - date: + field: zeek.intel.ts + formats: + - UNIX + - remove: + field: zeek.intel.ts + # IP Geolocation Lookup + - geoip: + if: ctx.source?.geo == null + field: source.ip + target_field: source.geo + ignore_missing: true + properties: + - city_name + - continent_name + - country_iso_code + - country_name + - location + - region_iso_code + - region_name + - geoip: + if: ctx.destination?.geo == null + field: destination.ip + target_field: destination.geo + ignore_missing: true + properties: + - city_name + - continent_name + - country_iso_code + - country_name + - location + - region_iso_code + - region_name + + # IP Autonomous System (AS) Lookup + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + - append: + field: "related.ip" + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" + - append: + field: "related.ip" + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" + +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" 
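Review bot: The `related.ip` appends cover only `source.ip` and `destination.ip`; the matched indicator in `zeek.intel.seen.indicator` is not added even when `seen.indicator_type` is `Intel::ADDR`, so a `related.ip` search for an IOC address only hits when that address is also a connection endpoint (as in the fixture, where it equals `destination.ip`). A conditional append, below, covers hits where the indicator is not an endpoint; note that for the fixture it would add a duplicate entry unless `allow_duplicates: false` is available on the target Elasticsearch version, so the expected JSON may need updating.
```yaml
# … unchanged: date, geoip and ASN enrichment, existing related.ip appends …
  - append:
      field: related.ip
      value: "{{zeek.intel.seen.indicator}}"
      if: "ctx?.zeek?.intel?.seen?.indicator_type == 'Intel::ADDR'"
# … unchanged: on_failure …
```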
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/intel/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/intel/manifest.yml new file mode 100644 index 00000000..a84788f4 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/intel/manifest.yml @@ -0,0 +1,19 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/intel.log + os.linux: + - /var/log/bro/current/intel.log + os.darwin: + - /usr/local/var/logs/current/intel.log + - name: tags + default: [zeek.intel] + +ingest_pipeline: ingest/pipeline.yml +input: config/intel.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/dynamite_nsm/confs/filebeat/module/zeek/intel/test/intel-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/intel/test/intel-json.log-expected.json new file mode 100644 index 00000000..d9de4e04 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/intel/test/intel-json.log-expected.json 
@@ -0,0 +1,47 @@ +[ + { + "@timestamp": "2019-11-06T09:03:00.989Z", + "destination.address": "198.41.0.4", + "destination.as.number": 20172, + "destination.as.organization.name": "VeriSign Global Registry Services", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "198.41.0.4", + "destination.port": 53, + "event.dataset": "zeek.intel", + "event.kind": "alert", + "event.module": "zeek", + "event.original": "{\"ts\":1573030980.989353,\"uid\":\"Ctefoj1tgOPt4D0EK2\",\"id.orig_h\":\"192.168.1.1\",\"id.orig_p\":37598,\"id.resp_h\":\"198.41.0.4\",\"id.resp_p\":53,\"seen.indicator\":\"198.41.0.4\",\"seen.indicator_type\":\"Intel::ADDR\",\"seen.where\":\"Conn::IN_RESP\",\"seen.node\":\"worker-1-2\",\"matched\":[\"Intel::ADDR\"],\"sources\":[\"ETPRO Rep: AbusedTLD Score: 127\"]}", + "event.type": [ + "info" + ], + "fileset.name": "intel", + "input.type": "log", + "log.offset": 0, + "related.ip": [ + "192.168.1.1", + "198.41.0.4" + ], + "service.type": "zeek", + "source.address": "192.168.1.1", + "source.ip": "192.168.1.1", + "source.port": 37598, + "tags": [ + "zeek.intel" + ], + "zeek.intel.matched": [ + "Intel::ADDR" + ], + "zeek.intel.seen.indicator": "198.41.0.4", + "zeek.intel.seen.indicator_type": "Intel::ADDR", + "zeek.intel.seen.node": "worker-1-2", + "zeek.intel.seen.where": "Conn::IN_RESP", + "zeek.intel.sources": [ + "ETPRO Rep: AbusedTLD Score: 127" + ], + "zeek.session_id": "Ctefoj1tgOPt4D0EK2" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/irc/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/irc/_meta/fields.yml new file mode 100644 index 00000000..5981bea0 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/irc/_meta/fields.yml 
@@ -0,0 +1,60 @@ +- name: irc + type: group + default_field: false + description: > + Fields exported by the Zeek IRC log + fields: + - name: nick + type: keyword + description: | + Nickname given for the connection. + + - name: user + type: keyword + description: | + Username given for the connection. + + - name: command + type: keyword + description: | + Command given by the client. + + - name: value + type: keyword + description: | + Value for the command given by the client. + + - name: addl + type: keyword + description: | + Any additional data for the command. + + - name: dcc + type: group + fields: + - name: file + type: group + fields: + - name: name + type: keyword + description: | + Present if base/protocols/irc/dcc-send.bro is loaded. + DCC filename requested. + + - name: size + type: long + description: | + Present if base/protocols/irc/dcc-send.bro is loaded. + Size of the DCC transfer as indicated by the sender. + + - name: mime_type + type: keyword + description: | + present if base/protocols/irc/dcc-send.bro is loaded. + Sniffed mime type of the file. + + - name: fuid + type: keyword + description: | + present if base/protocols/irc/files.bro is loaded. + File unique ID. diff --git a/dynamite_nsm/confs/filebeat/module/zeek/irc/config/irc.yml b/dynamite_nsm/confs/filebeat/module/zeek/irc/config/irc.yml new file mode 100644 index 00000000..58e1d861 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/irc/config/irc.yml 
@@ -0,0 +1,75 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true +fields: + network.transport: tcp + network.protocol: irc + +processors: + - rename: + fields: + - from: "json" + to: "zeek.irc" + + - from: "zeek.irc.id.orig_h" + to: "source.address" + + - from: "zeek.irc.id.orig_p" + to: "source.port" + + - from: "zeek.irc.id.resp_h" + to: "destination.address" + + - from: "zeek.irc.id.resp_p" + to: "destination.port" + + - from: "zeek.irc.uid" + to: "zeek.session_id" + + - from: "zeek.irc.dcc_file_name" + to: "zeek.irc.dcc.file.name" + + - from: "zeek.irc.dcc_file_size" + to: "zeek.irc.dcc.file.size" + + - from: "zee.irc.dcc_mime_type" + to: "zeek.irc.dcc.mime_type" + + ignore_missing: true + fail_on_error: false + - convert: + fields: + - {from: "zeek.session_id", to: "event.id"} + - {from: "source.address", to: "source.ip", type: "ip"} + - {from: "destination.address", to: "destination.ip", type: "ip"} + - {from: "zeek.irc.user", to: "user.name"} + - {from: "zeek.irc.command", to: "event.action"} + - {from: "zeek.irc.dcc.file.name", to: "file.name"} + - {from: "zeek.irc.dcc.file.size", to: "file.size"} + - {from: "zeek.irc.dcc.mime_type", to: "file.mime_type"} + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + category: + - network + type: + - connection + - protocol + - info + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/irc/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/irc/ingest/pipeline.yml new file mode 100644 index 00000000..dd1e37a7 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/irc/ingest/pipeline.yml 
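Review bot: The rename source `zee.irc.dcc_mime_type` is a typo for `zeek.irc.dcc_mime_type`, so that entry never matches and the later convert of `zeek.irc.dcc.mime_type` to `file.mime_type` never fires either; the `ignore_missing: true` / `fail_on_error: false` settings on the processor mean this fails silently rather than surfacing in logs. The fix is one line: `- from: "zeek.irc.dcc_mime_type"`. The `dcc_file_name` and `dcc_file_size` entries just above it are spelled correctly, which suggests the intent.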
@@ -0,0 +1,68 @@ +description: Pipeline for normalizing Zeek irc.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.irc.ts + formats: + - UNIX +- remove: + field: zeek.irc.ts +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- append: + field: related.user + value: "{{user.name}}" + if: "ctx?.user?.name != null" +- geoip: + field: destination.ip + target_field: destination.geo +- geoip: + field: source.ip + target_field: source.geo +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/dynamite_nsm/confs/filebeat/module/zeek/irc/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/irc/manifest.yml new file mode 100644 index 00000000..36cf10a5 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/irc/manifest.yml 
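Review bot: The first two geoip processors (`field: destination.ip` and `field: source.ip`) lack `ignore_missing: true`, unlike the two ASN geoip processors below them and unlike the equivalent processors in the kerberos, modbus and mysql pipelines in this commit. Without it, an event that arrives without one of those fields (for example when the `convert` to type `ip` in the input config did not produce it) makes the processor throw, the pipeline-level `on_failure` sets `error.message`, and the remaining ASN enrichment and renames are skipped for that event. Adding `ignore_missing: true` to both processors keeps the pipeline behaviour consistent with the sibling modules.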
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/irc.log
+ os.linux:
+ - /var/log/bro/current/irc.log
+ os.darwin:
+ - /usr/local/var/logs/current/irc.log
+ - name: tags
+ default: [zeek.irc]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/irc.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/irc/test/irc-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/irc/test/irc-json.log-expected.json
new file mode 100644
index 00000000..06d833b6
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/irc/test/irc-json.log-expected.json
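Review bot: This manifest declares no `requires.processors`, although the irc ingest pipeline added in the same commit uses the `geoip` processor (including `database_file: GeoLite2-ASN.mmdb`); the intel manifest in this commit declares `requires.processors: - name: geoip plugin: ingest-geoip` for the same usage, and the modbus manifest (diff at L300) has the same omission. On Elasticsearch versions where geoip is bundled this is only a consistency issue, but on older nodes the declaration is what makes Filebeat fail early instead of the pipeline failing per event, so it is worth matching the intel manifest.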
@@ -0,0 +1,154 @@ +[ + { + "@timestamp": "2013-12-20T15:44:10.647Z", + "destination.address": "38.229.70.20", + "destination.as.number": 23028, + "destination.as.organization.name": "Team Cymru Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "38.229.70.20", + "destination.port": 8000, + "event.action": "USER", + "event.category": [ + "network" + ], + "event.dataset": "zeek.irc", + "event.id": "CNJBX5FQdL62VUUP1", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "protocol", + "info" + ], + "fileset.name": "irc", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:YdkGov/c+KLtmg7Cf5DLDB4+YdQ=", + "network.protocol": "irc", + "network.transport": "tcp", + "related.ip": [ + "10.180.156.249", + "38.229.70.20" + ], + "service.type": "zeek", + "source.address": "10.180.156.249", + "source.ip": "10.180.156.249", + "source.port": 45921, + "tags": [ + "zeek.irc" + ], + "zeek.irc.addl": "+iw xxxxx XxxxxxXxxx ", + "zeek.irc.command": "USER", + "zeek.irc.value": "xxxxx", + "zeek.session_id": "CNJBX5FQdL62VUUP1" + }, + { + "@timestamp": "2013-12-20T15:44:10.647Z", + "destination.address": "38.229.70.20", + "destination.as.number": 23028, + "destination.as.organization.name": "Team Cymru Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "38.229.70.20", + "destination.port": 8000, + "event.action": "NICK", + "event.category": [ + "network" + ], + "event.dataset": "zeek.irc", + "event.id": "CNJBX5FQdL62VUUP1", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "protocol", + 
"info" + ], + "fileset.name": "irc", + "input.type": "log", + "log.offset": 206, + "network.community_id": "1:YdkGov/c+KLtmg7Cf5DLDB4+YdQ=", + "network.protocol": "irc", + "network.transport": "tcp", + "related.ip": [ + "10.180.156.249", + "38.229.70.20" + ], + "related.user": [ + "xxxxx" + ], + "service.type": "zeek", + "source.address": "10.180.156.249", + "source.ip": "10.180.156.249", + "source.port": 45921, + "tags": [ + "zeek.irc" + ], + "user.name": "xxxxx", + "zeek.irc.addl": "+iw xxxxx XxxxxxXxxx ", + "zeek.irc.command": "NICK", + "zeek.irc.user": "xxxxx", + "zeek.irc.value": "molochtest", + "zeek.session_id": "CNJBX5FQdL62VUUP1" + }, + { + "@timestamp": "2013-12-20T15:44:10.706Z", + "destination.address": "38.229.70.20", + "destination.as.number": 23028, + "destination.as.organization.name": "Team Cymru Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "38.229.70.20", + "destination.port": 8000, + "event.action": "JOIN", + "event.category": [ + "network" + ], + "event.dataset": "zeek.irc", + "event.id": "CNJBX5FQdL62VUUP1", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "protocol", + "info" + ], + "fileset.name": "irc", + "input.type": "log", + "log.offset": 432, + "network.community_id": "1:YdkGov/c+KLtmg7Cf5DLDB4+YdQ=", + "network.protocol": "irc", + "network.transport": "tcp", + "related.ip": [ + "10.180.156.249", + "38.229.70.20" + ], + "related.user": [ + "xxxxx" + ], + "service.type": "zeek", + "source.address": "10.180.156.249", + "source.ip": "10.180.156.249", + "source.port": 45921, + "tags": [ + "zeek.irc" + ], + "user.name": "xxxxx", + "zeek.irc.addl": " with channel key: '-'", + "zeek.irc.command": "JOIN", + "zeek.irc.nick": "molochtest", + "zeek.irc.user": "xxxxx", + "zeek.irc.value": 
"#moloch-fpc", + "zeek.session_id": "CNJBX5FQdL62VUUP1" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/kerberos/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/kerberos/_meta/fields.yml new file mode 100644 index 00000000..6d247788 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/kerberos/_meta/fields.yml 
@@ -0,0 +1,123 @@ +- name: kerberos + type: group + default_field: false + description: > + Fields exported by the Zeek Kerberos log + fields: + - name: request_type + type: keyword + description: > + Request type - Authentication Service (AS) or Ticket Granting Service (TGS). + + - name: client + type: keyword + description: > + Client name. + + - name: service + type: keyword + description: > + Service name. + + - name: success + type: boolean + description: > + Request result. + + - name: error + type: group + fields: + - name: code + type: integer + description: > + Error code. + + - name: msg + type: keyword + description: > + Error message. + + - name: valid + type: group + fields: + - name: from + type: date + description: > + Ticket valid from. + + - name: until + type: date + description: > + Ticket valid until. + + - name: days + type: integer + description: > + Number of days the ticket is valid for. + + - name: cipher + type: keyword + description: > + Ticket encryption type. + + - name: forwardable + type: boolean + description: > + Forwardable ticket requested. + + - name: renewable + type: boolean + description: > + Renewable ticket requested. + + - name: ticket + type: group + fields: + - name: auth + type: keyword + description: > + Hash of ticket used to authorize request/transaction. + + - name: new + type: keyword + description: > + Hash of ticket returned by the KDC. + + - name: cert + type: group + fields: + - name: client + type: group + fields: + - name: value + type: keyword + description: > + Client certificate. + + - name: fuid + type: keyword + description: > + File unique ID of client cert. + + - name: subject + type: keyword + description: > + Subject of client certificate. + + - name: server + type: group + fields: + - name: value + type: keyword + description: > + Server certificate. + + - name: fuid + type: keyword + description: > + File unique ID of server certificate. 
+ + - name: subject + type: keyword + description: > + Subject of server certificate. diff --git a/dynamite_nsm/confs/filebeat/module/zeek/kerberos/config/kerberos.yml b/dynamite_nsm/confs/filebeat/module/zeek/kerberos/config/kerberos.yml new file mode 100644 index 00000000..6035aa9f --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/kerberos/config/kerberos.yml 
@@ -0,0 +1,107 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true +fields: + network.transport: tcp + network.protocol: kerberos + +processors: + - rename: + fields: + - from: "json" + to: "zeek.kerberos" + + - from: "zeek.kerberos.id.orig_h" + to: "source.address" + + - from: "zeek.kerberos.id.orig_p" + to: "source.port" + + - from: "zeek.kerberos.id.resp_h" + to: "destination.address" + + - from: "zeek.kerberos.id.resp_p" + to: "destination.port" + + - from: "zeek.kerberos.uid" + to: "zeek.session_id" + + - from: "zeek.kerberos.till" + to: "zeek.kerberos.valid.until" + + - from: "zeek.kerberos.from" + to: "zeek.kerberos.valid.from" + + - from: "zeek.kerberos.error_code" + to: "zeek.kerberos.error.code" + + - from: "zeek.kerberos.error_msg" + to: "zeek.kerberos.error.msg" + + - from: "zeek.kerberos.cert.client" + to: "zeek.kerberos.cert.client.value" + + - from: "zeek.kerberos.cert.client_subject" + to: "zeek.kerberos.cert.client.subject" + + - from: "zeek.kerberos.cert.client_fuid" + to: "zeek.kerberos.cert.client.fuid" + + - from: "zeek.kerberos.cert.server" + to: "zeek.kerberos.cert.server.value" + + - from: "zeek.kerberos.cert.server_subject" + to: "zeek.kerberos.cert.server.subject" + + - from: "zeek.kerberos.cert.server_fuid" + to: "zeek.kerberos.cert.server.fuid" + + - from: "zeek.kerberos.auth_ticket" + to: "zeek.kerberos.ticket.auth" + + - from: "zeek.kerberos.new_ticket" + to: "zeek.kerberos.ticket.new" + + ignore_missing: true + fail_on_error: false + - convert: + fields: + - {from: "zeek.session_id", to: "event.id"} + - {from: "source.address", to: "source.ip", type: "ip"} + - {from: "source.address", to: "client.address"} + - {from: "destination.address", to: "destination.ip", type: "ip"} + - {from: "destination.address", to: "server.address"} + - 
{from: "zeek.kerberos.request_type", to: "event.action"} + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + category: + - network + type: + - connection + - protocol + - authentication + - dissect: + when: + contains: + zeek.kerberos.client: "/" + tokenizer: "%{user.name}/%{user.domain}" + field: zeek.kerberos.client + target_prefix: "" + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/kerberos/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/kerberos/ingest/pipeline.yml new file mode 100644 index 00000000..e0f45f71 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/kerberos/ingest/pipeline.yml 
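Review bot: The certificate renames use sources like `zeek.kerberos.cert.client_subject` and `zeek.kerberos.cert.server_fuid`, but Zeek's own kerberos.log names these fields `client_cert_subject`, `client_cert_fuid`, `server_cert_subject` and `server_cert_fuid` as flat keys; unless the logs are already nested under a `cert` object, these renames never match, and with `ignore_missing: true` / `fail_on_error: false` the `tls.*.x509.subject.*` fields downstream would simply stay empty without any error. Worth confirming against a live Zeek kerberos.log rather than only the bundled test fixture. Separately, the static `network.transport: tcp` under `fields:` is worth a comment such as `# Kerberos is also seen over UDP/88; Zeek's kerberos.log carries no proto field to derive this from`, since the value is asserted rather than observed.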
@@ -0,0 +1,169 @@ +description: Pipeline for normalizing Zeek kerberos.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.kerberos.ts + formats: + - UNIX +- remove: + field: zeek.kerberos.ts +- script: + source: "ctx.zeek.kerberos.valid.days = Math.round( (ctx.zeek.kerberos.valid.until - ctx.zeek.kerberos.valid.from) / 86400 )" + if: "ctx.zeek.kerberos.valid?.from != null && ctx.zeek.kerberos.valid?.until != null" +- date: + field: zeek.kerberos.valid.until + target_field: zeek.kerberos.valid.until + formats: + - UNIX + if: ctx.zeek.kerberos.valid?.until != null +- date: + field: zeek.kerberos.valid.from + target_field: zeek.kerberos.valid.from + formats: + - UNIX + if: ctx.zeek.kerberos.valid?.from != null +- set: + field: event.outcome + value: success + if: "ctx?.zeek?.kerberos?.success == true" +- set: + field: event.outcome + value: failure + if: "ctx?.zeek?.kerberos?.success == false" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- append: + field: related.ip + value: "{{source.ip}}" + if: 
"ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- append: + field: related.user + value: "{{user.name}}" + if: "ctx?.user?.name != null" +- gsub: + field: zeek.kerberos.cert.client.subject + pattern: \\, + replacement: "" + ignore_missing: true +- kv: + field: zeek.kerberos.cert.client.subject + field_split: ',' + value_split: '=' + target_field: zeek.kerberos.cert.client.kv_sub + ignore_missing: true +- rename: + field: zeek.kerberos.cert.client.kv_sub.C + target_field: tls.client.x509.subject.country + ignore_missing: true +- rename: + field: zeek.kerberos.cert.client.kv_sub.CN + target_field: tls.client.x509.subject.common_name + ignore_missing: true +- rename: + field: zeek.kerberos.cert.client.kv_sub.L + target_field: tls.client.x509.subject.locality + ignore_missing: true +- rename: + field: zeek.kerberos.cert.client.kv_sub.O + target_field: tls.client.x509.subject.organization + ignore_missing: true +- rename: + field: zeek.kerberos.cert.client.kv_sub.OU + target_field: tls.client.x509.subject.organizational_unit + ignore_missing: true +- rename: + field: zeek.kerberos.cert.client.kv_sub.ST + target_field: tls.client.x509.subject.state_or_province + ignore_missing: true +- remove: + field: zeek.kerberos.cert.client.kv_sub + ignore_missing: true +- gsub: + field: zeek.kerberos.cert.server.subject + pattern: \\, + replacement: "" + ignore_missing: true +- kv: + field: zeek.kerberos.cert.server.subject + field_split: ',' + value_split: '=' + target_field: zeek.kerberos.cert.server.kv_sub + ignore_missing: true +- rename: + field: zeek.kerberos.cert.server.kv_sub.C + target_field: tls.server.x509.subject.country + ignore_missing: true +- rename: + field: zeek.kerberos.cert.server.kv_sub.CN + target_field: tls.server.x509.subject.common_name + ignore_missing: true +- rename: + field: zeek.kerberos.cert.server.kv_sub.L + target_field: tls.server.x509.subject.locality + ignore_missing: 
true +- rename: + field: zeek.kerberos.cert.server.kv_sub.O + target_field: tls.server.x509.subject.organization + ignore_missing: true +- rename: + field: zeek.kerberos.cert.server.kv_sub.OU + target_field: tls.server.x509.subject.organizational_unit + ignore_missing: true +- rename: + field: zeek.kerberos.cert.server.kv_sub.ST + target_field: tls.server.x509.subject.state_or_province + ignore_missing: true +- remove: + field: zeek.kerberos.cert.server.kv_sub + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/dynamite_nsm/confs/filebeat/module/zeek/kerberos/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/kerberos/manifest.yml new file mode 100644 index 00000000..3f527b15 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/kerberos/manifest.yml @@ -0,0 +1,18 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/kerberos.log + os.linux: + - /var/log/bro/current/kerberos.log + os.darwin: + - /usr/local/var/logs/current/kerberos.log + - name: tags + default: [zeek.kerberos] + +ingest_pipeline: ingest/pipeline.yml +input: config/kerberos.yml + +requires.processors: +- name: date diff --git a/dynamite_nsm/confs/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json new file mode 100644 index 00000000..686322c4 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json 
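Review bot: The two `kv` processors that split `zeek.kerberos.cert.client.subject` and `zeek.kerberos.cert.server.subject` on `,` and `=` have `ignore_missing: true` but no `ignore_failure`, and the subject string comes from a peer-supplied certificate; if any comma-separated component lacks an `=` (which the preceding `gsub` that deletes `\,` can also produce by merging text), the processor raises, the pipeline-level `on_failure` sets `error.message`, and every processor after it, including the server-certificate handling, is skipped for that event. Adding `ignore_failure: true` to both `kv` processors (or a per-processor `on_failure`) keeps a single malformed subject from dropping the rest of the enrichment. The `if` on the `valid.days` script also uses `ctx.zeek.kerberos.valid?.from` while the other conditions in this pipeline use the null-safe `ctx?.zeek?.kerberos?.` form; aligning them is a small consistency fix.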
@@ -0,0 +1,67 @@ +[ + { + "@timestamp": "2017-10-09T16:13:19.590Z", + "client.address": "192.168.10.31", + "destination.address": "192.168.10.10", + "destination.ip": "192.168.10.10", + "destination.port": 88, + "event.action": "TGS", + "event.category": [ + "network" + ], + "event.dataset": "zeek.kerberos", + "event.id": "C56Flhb4WQBNkfMOl", + "event.kind": "event", + "event.module": "zeek", + "event.outcome": "success", + "event.type": [ + "connection", + "protocol", + "authentication" + ], + "fileset.name": "kerberos", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:DW/lSsosl8gZ8pqO9kKMm7cZheQ=", + "network.protocol": "kerberos", + "network.transport": "tcp", + "related.ip": [ + "192.168.10.31", + "192.168.10.10" + ], + "related.user": [ + "RonHD" + ], + "server.address": "192.168.10.10", + "service.type": "zeek", + "source.address": "192.168.10.31", + "source.ip": "192.168.10.31", + "source.port": 49242, + "tags": [ + "zeek.kerberos" + ], + "tls.client.x509.subject.common_name": "*.gcp.cloud.es.io", + "tls.client.x509.subject.country": "US", + "tls.client.x509.subject.locality": "Mountain View", + "tls.client.x509.subject.organization": "Elasticsearch Inc.", + "tls.client.x509.subject.state_or_province": "California", + "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io", + "tls.server.x509.subject.country": "US", + "tls.server.x509.subject.locality": "Mountain View", + "tls.server.x509.subject.organization": "Elasticsearch Inc.", + "tls.server.x509.subject.state_or_province": "California", + "user.domain": "CONTOSO.LOCAL", + "user.name": "RonHD", + "zeek.kerberos.cert.client.subject": "CN=*.gcp.cloud.es.io,O=Elasticsearch Inc.,L=Mountain View,ST=California,C=US", + "zeek.kerberos.cert.server.subject": "CN=*.gcp.cloud.es.io,O=Elasticsearch Inc.,L=Mountain View,ST=California,C=US", + "zeek.kerberos.cipher": "aes256-cts-hmac-sha1-96", + "zeek.kerberos.client": "RonHD/CONTOSO.LOCAL", + "zeek.kerberos.forwardable": true, + 
"zeek.kerberos.renewable": true, + "zeek.kerberos.request_type": "TGS", + "zeek.kerberos.service": "HOST/admin-pc", + "zeek.kerberos.success": true, + "zeek.kerberos.valid.until": "2037-09-13T02:48:05.000Z", + "zeek.session_id": "C56Flhb4WQBNkfMOl" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/modbus/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/modbus/_meta/fields.yml new file mode 100644 index 00000000..3a8e70f8 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/modbus/_meta/fields.yml @@ -0,0 +1,21 @@ +- name: modbus + type: group + default_field: false + description: > + Fields exported by the Zeek modbus log. + fields: + - name: function + type: keyword + description: | + The name of the function message that was sent. + + - name: exception + type: keyword + description: | + The exception if the response was a failure. + + - name: track_address + type: integer + description: | + Present if policy/protocols/modbus/track-memmap.bro is loaded. + Modbus track address. diff --git a/dynamite_nsm/confs/filebeat/module/zeek/modbus/config/modbus.yml b/dynamite_nsm/confs/filebeat/module/zeek/modbus/config/modbus.yml new file mode 100644 index 00000000..759dfc78 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/modbus/config/modbus.yml 
@@ -0,0 +1,76 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true +fields: + network.transport: tcp + network.protocol: modbus + +processors: + - rename: + fields: + - from: "json" + to: "zeek.modbus" + + - from: "zeek.modbus.id.orig_h" + to: "source.address" + + - from: "zeek.modbus.id.orig_p" + to: "source.port" + + - from: "zeek.modbus.id.resp_h" + to: "destination.address" + + - from: "zeek.modbus.id.resp_p" + to: "destination.port" + + - from: "zeek.modbus.uid" + to: "zeek.session_id" + + - from: "zeek.modbus.func" + to: "zeek.modbus.function" + + ignore_missing: true + fail_on_error: false + - convert: + fields: + - {from: "zeek.session_id", to: "event.id"} + - {from: "source.address", to: "source.ip", type: "ip"} + - {from: "destination.address", to: "destination.ip", type: "ip"} + - {from: "zeek.modbus.function", to: "event.action"} + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + category: + - network + type: + - connection + - protocol + - if: + has_fields: ['zeek.modbus.exception'] + then: + - add_fields: + target: event + fields: + outcome: failure + else: + - add_fields: + target: event + fields: + outcome: success + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/modbus/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/modbus/ingest/pipeline.yml new file mode 100644 index 00000000..d918b2de --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/modbus/ingest/pipeline.yml 
@@ -0,0 +1,66 @@ +description: Pipeline for normalizing Zeek modbus.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.modbus.ts + formats: + - UNIX +- remove: + field: zeek.modbus.ts +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/dynamite_nsm/confs/filebeat/module/zeek/modbus/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/modbus/manifest.yml new file mode 100644 index 00000000..c4afd631 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/modbus/manifest.yml 
@@ -0,0 +1,15 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/modbus.log + os.linux: + - /var/log/bro/current/modbus.log + os.darwin: + - /usr/local/var/logs/current/modbus.log + - name: tags + default: [zeek.modbus] + +ingest_pipeline: ingest/pipeline.yml +input: config/modbus.yml diff --git a/dynamite_nsm/confs/filebeat/module/zeek/modbus/test/modbus-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/modbus/test/modbus-json.log-expected.json new file mode 100644 index 00000000..ba9034a3 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/modbus/test/modbus-json.log-expected.json @@ -0,0 +1,40 @@ +[ + { + "@timestamp": "2012-11-12T11:04:25.222Z", + "destination.address": "192.168.1.164", + "destination.ip": "192.168.1.164", + "destination.port": 502, + "event.action": "READ_COILS", + "event.category": [ + "network" + ], + "event.dataset": "zeek.modbus", + "event.id": "CpIIXl4DFGswmjH2bl", + "event.kind": "event", + "event.module": "zeek", + "event.outcome": "success", + "event.type": [ + "connection", + "protocol" + ], + "fileset.name": "modbus", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:jEXbR2FqHyMgLJgyYyFQN3yxbpc=", + "network.protocol": "modbus", + "network.transport": "tcp", + "related.ip": [ + "192.168.1.10", + "192.168.1.164" + ], + "service.type": "zeek", + "source.address": "192.168.1.10", + "source.ip": "192.168.1.10", + "source.port": 64342, + "tags": [ + "zeek.modbus" + ], + "zeek.modbus.function": "READ_COILS", + "zeek.session_id": "CpIIXl4DFGswmjH2bl" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/module.yml b/dynamite_nsm/confs/filebeat/module/zeek/module.yml new file mode 100644 index 00000000..4d55536c --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/module.yml @@ -0,0 +1,3 @@ +dashboards: +- id: 7cbb5410-3700-11e9-aa6d-ff445a78330c + file: Filebeat-Zeek-Overview.json 
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/mysql/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/mysql/_meta/fields.yml new file mode 100644 index 00000000..d779391f --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/mysql/_meta/fields.yml @@ -0,0 +1,30 @@ +- name: mysql + type: group + default_field: false + description: > + Fields exported by the Zeek MySQL log. + fields: + - name: cmd + type: keyword + description: | + The command that was issued. + + - name: arg + type: keyword + description: | + The argument issued to the command. + + - name: success + type: boolean + description: | + Whether the command succeeded. + + - name: rows + type: integer + description: | + The number of affected rows, if any. + + - name: response + type: keyword + description: | + Server message, if any. diff --git a/dynamite_nsm/confs/filebeat/module/zeek/mysql/config/mysql.yml b/dynamite_nsm/confs/filebeat/module/zeek/mysql/config/mysql.yml new file mode 100644 index 00000000..b3f5d82d --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/mysql/config/mysql.yml 
@@ -0,0 +1,75 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true +fields: + network.transport: tcp + network.protocol: mysql + +processors: + - rename: + fields: + - from: "json" + to: "zeek.mysql" + + - from: "zeek.mysql.id.orig_h" + to: "source.address" + + - from: "zeek.mysql.id.orig_p" + to: "source.port" + + - from: "zeek.mysql.id.resp_h" + to: "destination.address" + + - from: "zeek.mysql.id.resp_p" + to: "destination.port" + + - from: "zeek.mysql.uid" + to: "zeek.session_id" + + ignore_missing: true + fail_on_error: false + - convert: + fields: + - {from: "zeek.session_id", to: "event.id"} + - {from: "source.address", to: "source.ip", type: "ip"} + - {from: "destination.address", to: "destination.ip", type: "ip"} + - {from: "zeek.mysql.cmd", to: "event.action"} + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + category: + - database + - network + type: + - connection + - protocol + - if: + equals: + zeek.mysql.success: true + then: + - add_fields: + target: event + fields: + outcome: success + else: + - add_fields: + target: event + fields: + outcome: failure + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/mysql/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/mysql/ingest/pipeline.yml new file mode 100644 index 00000000..d5552af6 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/mysql/ingest/pipeline.yml 
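Review bot: The `if: equals: zeek.mysql.success: true` block sets `event.outcome: failure` in its `else` branch, so any record where `success` is absent (Zeek's mysql.log marks that field optional, so commands without a recorded result produce no `success` key) is labelled a failure; that inflates failure counts for anyone alerting on `event.outcome: failure` for MySQL. The modbus config in this commit guards the same decision with `has_fields`, and the same pattern here would leave `event.outcome` unset when the field is missing.
```yaml
  - if:
      has_fields: ['zeek.mysql.success']
    then:
      - if:
          equals:
            zeek.mysql.success: true
        then:
          - add_fields:
              target: event
              fields:
                outcome: success
        else:
          - add_fields:
              target: event
              fields:
                outcome: failure
  # … unchanged: community_id and ecs.version add_fields …
```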
@@ -0,0 +1,90 @@ +description: Pipeline for normalizing Zeek mysql.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.mysql.ts + formats: + - UNIX +- remove: + field: zeek.mysql.ts +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- append: + field: event.type + value: access + if: "ctx?.zeek?.mysql?.cmd != null && (ctx.zeek.mysql.cmd == 'connect' || ctx.zeek.mysql.cmd == 'connect_out')" +- append: + field: event.type + value: change + if: "ctx?.zeek?.mysql?.cmd != null && (ctx.zeek.mysql.cmd == 'init_db' || ctx.zeek.mysql.cmd == 'change_user' || ctx.zeek.mysql.cmd == 'set_option' || ctx.zeek.mysql.cmd == 'drop_db' || ctx.zeek.mysql.cmd == 'create_db' || ctx.zeek.mysql.cmd == 'process_kill' || ctx.zeek.mysql.cmd == 'delayed_insert')" +- append: + field: event.type + value: info + if: "ctx?.zeek?.mysql?.cmd != null && 
ctx.zeek.mysql.cmd != 'init_db' && ctx.zeek.mysql.cmd != 'change_user' && ctx.zeek.mysql.cmd != 'set_option' && ctx.zeek.mysql.cmd != 'drop_db' && ctx.zeek.mysql.cmd != 'create_db' && ctx.zeek.mysql.cmd != 'process_kill' && ctx.zeek.mysql.cmd != 'delayed_insert' && ctx.zeek.mysql.cmd != 'connect' && ctx.zeek.mysql.cmd != 'connect_out'" +- append: + field: event.type + value: start + if: "ctx?.zeek?.mysql?.cmd != null && ctx.zeek.mysql.cmd == 'connect'" +- append: + field: event.type + value: end + if: "ctx?.zeek?.mysql?.cmd != null && ctx.zeek.mysql.cmd == 'connect_out'" +- append: + field: event.category + value: session + if: "ctx?.zeek?.mysql?.cmd != null && (ctx.zeek.mysql.cmd == 'connect' || ctx.zeek.mysql.cmd == 'connect_out')" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/dynamite_nsm/confs/filebeat/module/zeek/mysql/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/mysql/manifest.yml new file mode 100644 index 00000000..bba253a4 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/mysql/manifest.yml @@ -0,0 +1,15 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/mysql.log + os.linux: + - /var/log/bro/current/mysql.log + os.darwin: + - /usr/local/var/logs/current/mysql.log + - name: tags + default: [zeek.mysql] + +ingest_pipeline: ingest/pipeline.yml +input: config/mysql.yml diff --git a/dynamite_nsm/confs/filebeat/module/zeek/mysql/test/mysql-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/mysql/test/mysql-json.log-expected.json new file mode 100644 index 00000000..bf68cae4 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/mysql/test/mysql-json.log-expected.json 
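Review bot: The mysql manifest declares no `requires.processors`, yet `ingest/pipeline.yml` for this fileset runs four `geoip` processors with `database_file: GeoLite2-ASN.mmdb`; the notice manifest in this same change declares `requires.processors: - name: geoip plugin: ingest-geoip` for the identical pipeline shape. Without the declaration the fileset loads against a cluster lacking the plugin and only fails at ingest time, where the `on_failure` handler turns every event into an `error.message` record. Add the same two lines to the mysql manifest; the ntlm manifest has the same gap.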
@@ -0,0 +1,45 @@ +[ + { + "@timestamp": "2008-07-17T07:51:27.437Z", + "destination.address": "192.168.0.254", + "destination.ip": "192.168.0.254", + "destination.port": 3306, + "event.action": "query", + "event.category": [ + "database", + "network" + ], + "event.dataset": "zeek.mysql", + "event.id": "C5Hol527kLMUw36hj3", + "event.kind": "event", + "event.module": "zeek", + "event.outcome": "success", + "event.type": [ + "connection", + "protocol", + "info" + ], + "fileset.name": "mysql", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:0HUQbshhYbATQXDHv/ysOs0DlZA=", + "network.protocol": "mysql", + "network.transport": "tcp", + "related.ip": [ + "192.168.0.254", + "192.168.0.254" + ], + "service.type": "zeek", + "source.address": "192.168.0.254", + "source.ip": "192.168.0.254", + "source.port": 56162, + "tags": [ + "zeek.mysql" + ], + "zeek.mysql.arg": "select count(*) from foo", + "zeek.mysql.cmd": "query", + "zeek.mysql.rows": 1, + "zeek.mysql.success": true, + "zeek.session_id": "C5Hol527kLMUw36hj3" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/notice/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/notice/_meta/fields.yml new file mode 100644 index 00000000..8a9fc977 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/notice/_meta/fields.yml 
@@ -0,0 +1,133 @@ +- name: notice + type: group + description: > + Fields exported by the Zeek Notice log. + fields: + - name: connection_id + type: keyword + description: > + Identifier of the related connection session. + + - name: icmp_id + type: keyword + description: > + Identifier of the related ICMP session. + + - name: file.id + type: keyword + description: > + An identifier associated with a single file that is related to this notice. + + - name: file.parent_id + type: keyword + description: > + Identifier associated with a container file from which this one was extracted. + + - name: file.source + type: keyword + description: | + An identification of the source of the file data. E.g. it may be a network protocol + over which it was transferred, or a local file path which was read, or some other + input source. + + - name: file.mime_type + type: keyword + description: > + A mime type if the notice is related to a file. + + - name: file.is_orig + type: boolean + description: | + If the source of this file is a network connection, this field indicates if the file is + being sent by the originator of the connection or the responder. + + - name: file.seen_bytes + type: long + description: > + Number of bytes provided to the file analysis engine for the file. + + - name: ffile.total_bytes + type: long + description: > + Total number of bytes that are supposed to comprise the full file. + + - name: file.missing_bytes + type: long + description: | + The number of bytes in the file stream that were completely missed during the process + of analysis. + + - name: file.overflow_bytes + type: long + description: | + The number of bytes in the file stream that were not delivered to stream file analyzers. + This could be overlapping bytes or bytes that couldn't be reassembled. + + - name: fuid + type: keyword + description: > + A file unique ID if this notice is related to a file. + + - name: note + type: keyword + description: > + The type of the notice. 
+ + - name: msg + type: keyword + description: > + The human readable message for the notice. + + - name: sub + type: keyword + description: > + The human readable sub-message. + + - name: n + type: long + description: > + Associated count, or a status code. + + - name: peer_name + type: keyword + description: > + Name of remote peer that raised this notice. + + - name: peer_descr + type: text + description: > + Textual description for the peer that raised this notice. + + - name: actions + type: keyword + description: > + The actions which have been applied to this notice. + + - name: email_body_sections + type: text + description: | + By adding chunks of text into this element, other scripts can expand on notices + that are being emailed. + + - name: email_delay_tokens + type: keyword + description: | + Adding a string token to this set will cause the built-in emailing functionality + to delay sending the email either the token has been removed or the email + has been delayed for the specified time duration. + + - name: identifier + type: keyword + description: > + This field is provided when a notice is generated for the purpose of deduplicating notices. + + - name: suppress_for + type: double + description: > + This field indicates the length of time that this unique notice should be suppressed. + + - name: dropped + type: boolean + description: > + Indicate if the source IP address was dropped and denied network access. + diff --git a/dynamite_nsm/confs/filebeat/module/zeek/notice/config/notice.yml b/dynamite_nsm/confs/filebeat/module/zeek/notice/config/notice.yml new file mode 100644 index 00000000..4b09b7bc --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/notice/config/notice.yml 
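Review bot: The field named `ffile.total_bytes` in this fields definition is a typo; every sibling is under `file.` and the config processor renames `zeek.notice.f.total_bytes` to `zeek.notice.file.total_bytes`, so the mapping for that field will never match the document key and it will be dynamically mapped instead. Change it to `- name: file.total_bytes`. The `email_delay_tokens` description also reads "delay sending the email either the token has been removed", which is presumably missing "until".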
@@ -0,0 +1,107 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +processors: + - drop_fields: + fields: ["json.actions"] + ignore_missing: true + - rename: + fields: + - from: "json" + to: "zeek.notice" + + - from: "zeek.notice.src" + to: "source.address" + + - from: "zeek.notice.dst" + to: "destination.address" + + - from: "zeek.notice.uid" + to: "zeek.session_id" + + - from: "zeek.notice.p" + to: "destination.port" + + - from: "zeek.notice.conn" + to: "zeek.notice.connnection_id" + + - from: "zeek.notice.iconn" + to: "zeek.notice.icmp_id" + + - from: "zeek.notice.id.orig_h" + to: "source.address" + + - from: "zeek.notice.id.orig_p" + to: "source.port" + + - from: "zeek.notice.id.resp_h" + to: "destination.address" + + - from: "zeek.notice.id.resp_p" + to: "destination.port" + + - from: "zeek.notice.proto" + to: "network.transport" + + - from: "zeek.notice.id.orig_p" + to: "source.port" + + - from: "zeek.notice.f.id" + to: "zeek.notice.file.id" + + - from: "zeek.notice.f.parent_id" + to: "zeek.notice.file.parent_id" + + - from: "zeek.notice.f.source" + to: "zeek.notice.file.source" + + - from: "zeek.notice.f.is_orig" + to: "zeek.notice.file.is_orig" + + - from: "zeek.notice.f.seen_bytes" + to: "zeek.notice.file.seen_bytes" + + - from: "zeek.notice.f.total_bytes" + to: "zeek.notice.file.total_bytes" + + - from: "zeek.notice.file_mime_type" + to: "zeek.notice.file.mime_type" + + ignore_missing: true + fail_on_error: false + + - drop_fields: + fields: ["zeek.notice.remote_location", "zeek.notice.f"] + ignore_missing: true + - convert: + fields: + - {from: "zeek.session_id", to: "event.id"} + - {from: "source.address", to: "source.ip", type: "ip"} + - {from: "destination.address", to: "destination.ip", type: "ip"} + - {from: "zeek.notice.file.total_bytes", to: "file.size"} + - {from: 
"zeek.notice.file.mime_type", to: "file.mime_type"} + - {from: "zeek.notice.note", to: "rule.name"} + - {from: "zeek.notice.msg", to: "rule.description"} + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: alert + category: + - intrusion_detection + type: + - info + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/notice/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/notice/ingest/pipeline.yml new file mode 100644 index 00000000..c741d355 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/notice/ingest/pipeline.yml 
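Review bot: The rename target `zeek.notice.connnection_id` (three n's) does not match the `connection_id` field declared in `_meta/fields.yml`, so the connection identifier lands in an unmapped key; change it to `to: "zeek.notice.connection_id"`. The rename list also contains `- from: "zeek.notice.id.orig_p" to: "source.port"` twice; the second entry is harmless under `ignore_missing: true` but should be dropped. Note that `json.actions` is dropped up front even though `fields.yml` declares `actions` as a keyword field, which may be intentional but leaves a mapped field that is never populated.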
@@ -0,0 +1,74 @@ +description: Pipeline for normalizing Zeek notice.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.notice.ts + formats: + - UNIX +- remove: + field: zeek.notice.ts +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- append: + field: event.type + value: allowed + if: "ctx?.zeek?.notice?.dropped == false" +- append: + field: event.type + value: denied + if: "ctx?.zeek?.notice?.dropped == true" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/dynamite_nsm/confs/filebeat/module/zeek/notice/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/notice/manifest.yml new file mode 100644 index 00000000..e14f7222 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/notice/manifest.yml 
@@ -0,0 +1,19 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/notice.log + os.linux: + - /var/log/bro/current/notice.log + os.darwin: + - /usr/local/var/logs/current/notice.log + - name: tags + default: [zeek.notice] + +ingest_pipeline: ingest/pipeline.yml +input: config/notice.yml + +requires.processors: +- name: geoip + plugin: ingest-geoip diff --git a/dynamite_nsm/confs/filebeat/module/zeek/notice/test/notice-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/notice/test/notice-json.log-expected.json new file mode 100644 index 00000000..90bb5e31 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/notice/test/notice-json.log-expected.json 
@@ -0,0 +1,91 @@ +[ + { + "@timestamp": "2011-11-04T19:44:35.879Z", + "event.category": [ + "intrusion_detection" + ], + "event.dataset": "zeek.notice", + "event.kind": "alert", + "event.module": "zeek", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "notice", + "input.type": "log", + "log.offset": 0, + "related.ip": [ + "172.16.238.1" + ], + "rule.description": "172.16.238.1 appears to be guessing SSH passwords (seen in 30 connections).", + "rule.name": "SSH::Password_Guessing", + "service.type": "zeek", + "source.address": "172.16.238.1", + "source.ip": "172.16.238.1", + "tags": [ + "zeek.notice" + ], + "zeek.notice.dropped": false, + "zeek.notice.msg": "172.16.238.1 appears to be guessing SSH passwords (seen in 30 connections).", + "zeek.notice.note": "SSH::Password_Guessing", + "zeek.notice.peer_descr": "bro", + "zeek.notice.sub": "Sampled servers: 172.16.238.136, 172.16.238.136, 172.16.238.136, 172.16.238.136, 172.16.238.136", + "zeek.notice.suppress_for": 3600 + }, + { + "@timestamp": "2019-02-28T22:36:28.426Z", + "destination.address": "207.154.238.205", + "destination.as.number": 14061, + "destination.as.organization.name": "DigitalOcean, LLC", + "destination.geo.city_name": "Frankfurt am Main", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", + "destination.geo.location.lat": 50.1188, + "destination.geo.location.lon": 8.6843, + "destination.geo.region_iso_code": "DE-HE", + "destination.geo.region_name": "Hesse", + "destination.ip": "207.154.238.205", + "event.category": [ + "intrusion_detection" + ], + "event.dataset": "zeek.notice", + "event.kind": "alert", + "event.module": "zeek", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "notice", + "input.type": "log", + "log.offset": 357, + "related.ip": [ + "8.42.77.171", + "207.154.238.205" + ], + "rule.description": "8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 
0m0s", + "rule.name": "Scan::Port_Scan", + "service.type": "zeek", + "source.address": "8.42.77.171", + "source.as.number": 393552, + "source.as.organization.name": "Longmont Power & Communications", + "source.geo.city_name": "Longmont", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 40.1559, + "source.geo.location.lon": -105.1624, + "source.geo.region_iso_code": "US-CO", + "source.geo.region_name": "Colorado", + "source.ip": "8.42.77.171", + "tags": [ + "zeek.notice" + ], + "zeek.notice.dropped": false, + "zeek.notice.msg": "8.42.77.171 scanned at least 15 unique ports of host 207.154.238.205 in 0m0s", + "zeek.notice.note": "Scan::Port_Scan", + "zeek.notice.peer_descr": "bro", + "zeek.notice.sub": "remote", + "zeek.notice.suppress_for": 3600 + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ntlm/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/ntlm/_meta/fields.yml new file mode 100644 index 00000000..35b383c2 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/ntlm/_meta/fields.yml 
@@ -0,0 +1,46 @@ +- name: ntlm + type: group + default_field: false + description: > + Fields exported by the Zeek NTLM log. + fields: + - name: domain + type: keyword + description: > + Domain name given by the client. + + - name: hostname + type: keyword + description: > + Hostname given by the client. + + - name: success + type: boolean + description: > + Indicate whether or not the authentication was successful. + + - name: username + type: keyword + description: > + Username given by the client. + + - name: server + type: group + fields: + - name: name + type: group + fields: + - name: dns + type: keyword + description: > + DNS name given by the server in a CHALLENGE. + + - name: netbios + type: keyword + description: > + NetBIOS name given by the server in a CHALLENGE. + + - name: tree + type: keyword + description: > + Tree name given by the server in a CHALLENGE. diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ntlm/config/ntlm.yml b/dynamite_nsm/confs/filebeat/module/zeek/ntlm/config/ntlm.yml new file mode 100644 index 00000000..bcdf04d8 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/ntlm/config/ntlm.yml 
@@ -0,0 +1,89 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true +fields: + network.transport: tcp + network.protocol: ntlm + +processors: + - rename: + fields: + - from: "json" + to: "zeek.ntlm" + + - from: "zeek.ntlm.id.orig_h" + to: "source.address" + + - from: "zeek.ntlm.id.orig_p" + to: "source.port" + + - from: "zeek.ntlm.id.resp_h" + to: "destination.address" + + - from: "zeek.ntlm.id.resp_p" + to: "destination.port" + + - from: "zeek.ntlm.uid" + to: "zeek.session_id" + + - from: "zeek.ntlm.domainname" + to: "zeek.ntlm.domain" + + - from: "zeek.ntlm.server_dns_computer_name" + to: "zeek.ntlm.server.name.dns" + + - from: "zeek.ntlm.server_nb_computer_name" + to: "zeek.ntlm.server.name.netbios" + + - from: "zeek.ntlm.server_tree_name" + to: "zeek.ntlm.server.name.tree" + + ignore_missing: true + fail_on_error: false + - convert: + fields: + - {from: "zeek.session_id", to: "event.id"} + - {from: "source.address", to: "source.ip", type: "ip"} + - {from: "destination.address", to: "destination.ip", type: "ip"} + - {from: "zeek.ntlm.username", to: "user.name"} + - {from: "zeek.ntlm.domain", to: "user.domain"} + - add_fields: + target: event + fields: + kind: event + category: + - authentication + - network + type: + - info + - connection + - if: + equals: + zeek.ntlm.success: true + then: + - add_fields: + target: event + fields: + outcome: success + - if: + equals: + zeek.ntlm.success: false + then: + - add_fields: + target: event + fields: + outcome: failure + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ntlm/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/ntlm/ingest/pipeline.yml new file mode 100644 index 00000000..690fd54a --- /dev/null 
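Review bot: The `convert` processor here has no `ignore_missing: true` / `fail_on_error: false`, unlike the mysql and notice configs in this same change; since `zeek.ntlm.username` and `zeek.ntlm.domain` are not present on every NTLM record (the rename step already needs `ignore_missing` for them), the convert step will error on those events and the `event.id` / `source.ip` conversions listed ahead of them may not be applied. Add the two lines after the field list: `ignore_missing: true` and `fail_on_error: false`.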
+++ b/dynamite_nsm/confs/filebeat/module/zeek/ntlm/ingest/pipeline.yml @@ -0,0 +1,70 @@ +description: Pipeline for normalizing Zeek ntlm.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.ntlm.ts + formats: + - UNIX +- remove: + field: zeek.ntlm.ts +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- append: + field: related.user + value: "{{user.name}}" + if: "ctx?.user?.name != null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ntlm/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/ntlm/manifest.yml new file mode 100644 index 00000000..e16e6ec8 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/ntlm/manifest.yml 
@@ -0,0 +1,15 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/ntlm.log + os.linux: + - /var/log/bro/current/ntlm.log + os.darwin: + - /usr/local/var/logs/current/ntlm.log + - name: tags + default: [zeek.ntlm] + +ingest_pipeline: ingest/pipeline.yml +input: config/ntlm.yml diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ntlm/test/ntlm-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/ntlm/test/ntlm-json.log-expected.json new file mode 100644 index 00000000..c85d3127 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/ntlm/test/ntlm-json.log-expected.json @@ -0,0 +1,49 @@ +[ + { + "@timestamp": "2017-10-25T19:18:37.814Z", + "destination.address": "192.168.10.31", + "destination.ip": "192.168.10.31", + "destination.port": 445, + "event.category": [ + "authentication", + "network" + ], + "event.dataset": "zeek.ntlm", + "event.id": "CHphiNUKDC20fsy09", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "info", + "connection" + ], + "fileset.name": "ntlm", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:zxnXAE/Cme5fQhh6sJLs7GItc08=", + "network.protocol": "ntlm", + "network.transport": "tcp", + "related.ip": [ + "192.168.10.50", + "192.168.10.31" + ], + "related.user": [ + "JeffV" + ], + "service.type": "zeek", + "source.address": "192.168.10.50", + "source.ip": "192.168.10.50", + "source.port": 46785, + "tags": [ + "zeek.ntlm" + ], + "user.domain": "contoso.local", + "user.name": "JeffV", + "zeek.ntlm.domain": "contoso.local", + "zeek.ntlm.hostname": "ybaARon55QykXrgu", + "zeek.ntlm.server.name.dns": "Victim-PC.contoso.local", + "zeek.ntlm.server.name.netbios": "VICTIM-PC", + "zeek.ntlm.server.name.tree": "contoso.local", + "zeek.ntlm.username": "JeffV", + "zeek.session_id": "CHphiNUKDC20fsy09" + } +] \ No newline at end of file 
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ocsp/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/ocsp/_meta/fields.yml new file mode 100644 index 00000000..4e98f4c6 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/ocsp/_meta/fields.yml @@ -0,0 +1,68 @@ +- name: ocsp + type: group + default_field: false + description: | + Fields exported by the Zeek OCSP log + Online Certificate Status Protocol (OCSP). Only created if policy script is loaded. + fields: + - name: file_id + type: keyword + description: | + File id of the OCSP reply. + - name: hash + type: group + fields: + - name: algorithm + type: keyword + description: | + Hash algorithm used to generate issuerNameHash and issuerKeyHash. + + - name: issuer + type: group + fields: + - name: name + type: keyword + description: | + Hash of the issuer's distingueshed name. + + - name: key + type: keyword + description: | + Hash of the issuer's public key. + + - name: serial_number + type: keyword + description: | + Serial number of the affected certificate. + + - name: status + type: keyword + description: | + Status of the affected certificate. + + - name: revoke + type: group + fields: + - name: time + type: date + description: | + Time at which the certificate was revoked. + + - name: reason + type: keyword + description: | + Reason for which the certificate was revoked. + + - name: update + type: group + fields: + - name: this + type: date + description: | + The time at which the status being shows is known to have been correct. + + - name: next + type: date + description: | + The latest time at which new information about the status of the certificate will be available. + diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ocsp/config/ocsp.yml b/dynamite_nsm/confs/filebeat/module/zeek/ocsp/config/ocsp.yml new file mode 100644 index 00000000..d929f706 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/ocsp/config/ocsp.yml 
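Review bot: The `revoke` group declares a `time` field, but the ocsp config renames `zeek.ocsp.revoketime` to `zeek.ocsp.revoke.date` and the ingest pipeline parses `zeek.ocsp.revoke.date`, so the declared `date` mapping is never used and the real field is mapped dynamically as a string. Rename the declaration to `- name: date` (or change the rename target and pipeline to `revoke.time`, consistently). Two typos in the descriptions: "distingueshed" and "the status being shows".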
@@ -0,0 +1,67 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true +fields: + network.transport: tcp + +processors: + - rename: + fields: + - from: "json" + to: "zeek.ocsp" + + - from: "zeek.ocsp.id" + to: "zeek.ocsp.file_id" + + - from: "zeek.ocsp.hashAlgorithm" + to: "zeek.ocsp.hash.algorithm" + + - from: "zeek.ocsp.issuerNameHash" + to: "zeek.ocsp.hash.issuer.name" + + - from: "zeek.ocsp.issuerKeyHash" + to: "zeek.ocsp.hash.issuer.key" + + - from: "zeek.ocsp.serialNumber" + to: "zeek.ocsp.serial_number" + + - from: "zeek.ocsp.serialNumber" + to: "zeek.ocsp.serial_number" + + - from: "zeek.ocsp.certStatus" + to: "zeek.ocsp.status" + + - from: "zeek.ocsp.certStatus" + to: "zeek.ocsp.status" + + - from: "zeek.ocsp.revoketime" + to: "zeek.ocsp.revoke.date" + + - from: "zeek.ocsp.revokereason" + to: "zeek.ocsp.revoke.reason" + + - from: "zeek.ocsp.thisUpdate" + to: "zeek.ocsp.update.this" + + - from: "zeek.ocsp.nextUpdate" + to: "zeek.ocsp.update.next" + + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ocsp/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/ocsp/ingest/pipeline.yml new file mode 100644 index 00000000..462c1f36 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/ocsp/ingest/pipeline.yml 
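Review bot: The rename list contains the `serialNumber` → `serial_number` and `certStatus` → `status` entries twice each; the duplicates are no-ops under `ignore_missing: true` but read as a copy-paste slip and should be removed. Also, unlike the other connection-oriented configs in this change, no `id.orig_h`/`id.resp_h` renames or `community_id` appear here, which is presumably deliberate since the OCSP log is file-keyed rather than connection-keyed; a one-line comment saying so would stop the next reader from "fixing" it.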
@@ -0,0 +1,44 @@ +description: Pipeline for normalizing Zeek ocsp.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.ocsp.ts + formats: + - UNIX +- remove: + field: zeek.ocsp.ts +- date: + field: zeek.ocsp.revoke.date + target_field: zeek.ocsp.revoke.date + formats: + - UNIX + if: ctx.zeek.ocsp.revoke?.date != null +- date: + field: zeek.ocsp.update.this + target_field: zeek.ocsp.update.this + formats: + - UNIX + if: ctx.zeek.ocsp.update?.this != null +- date: + field: zeek.ocsp.update.next + target_field: zeek.ocsp.update.next + formats: + - UNIX + if: ctx.zeek.ocsp.update?.next != null +- append: + field: related.hash + value: "{{zeek.ocsp.issuerNameHash}}" + if: "ctx?.zeek?.ocsp?.issuerNameHash != null" +- append: + field: related.hash + value: "{{zeek.ocsp.issuerKeyHash}}" + if: "ctx?.zeek?.ocsp?.issuerKeyHash != null" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ocsp/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/ocsp/manifest.yml new file mode 100644 index 00000000..35bcfccd --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/ocsp/manifest.yml @@ -0,0 +1,15 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/ocsp.log + os.linux: + - /var/log/bro/current/ocsp.log + os.darwin: + - /usr/local/var/logs/current/ocsp.log + - name: tags + default: [zeek.ocsp] + +ingest_pipeline: ingest/pipeline.yml +input: config/ocsp.yml diff --git a/dynamite_nsm/confs/filebeat/module/zeek/pe/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/pe/_meta/fields.yml new file mode 100644 index 00000000..b862b77c --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/pe/_meta/fields.yml 
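Review bot: The two `append` processors for `related.hash` read `zeek.ocsp.issuerNameHash` and `zeek.ocsp.issuerKeyHash`, but the ocsp config renames those keys to `zeek.ocsp.hash.issuer.name` and `zeek.ocsp.hash.issuer.key` before the event reaches this pipeline, so the `if` guards are never true and `related.hash` is never populated. Change them to `value: "{{zeek.ocsp.hash.issuer.name}}"` / `if: "ctx?.zeek?.ocsp?.hash?.issuer?.name != null"` and the matching `key` pair. The `date` processors use `ctx.zeek.ocsp.revoke?.date` without a null-safe access on `ctx.zeek.ocsp`, which is fine only as long as the config's `json` → `zeek.ocsp` rename always runs.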
@@ -0,0 +1,91 @@ +- name: pe + type: group + default_field: false + description: > + Fields exported by the Zeek pe log. + fields: + - name: client + type: keyword + description: > + The client's version string. + + - name: id + type: keyword + description: > + File id of this portable executable file. + + - name: machine + type: keyword + description: > + The target machine that the file was compiled for. + + - name: compile_time + type: date + description: > + The time that the file was created at. + + - name: os + type: keyword + description: > + The required operating system. + + - name: subsystem + type: keyword + description: > + The subsystem that is required to run this file. + + - name: is_exe + type: boolean + description: > + Is the file an executable, or just an object file? + + - name: is_64bit + type: boolean + description: > + Is the file a 64-bit executable? + + - name: uses_aslr + type: boolean + description: > + Does the file support Address Space Layout Randomization? + + - name: uses_dep + type: boolean + description: > + Does the file support Data Execution Prevention? + + - name: uses_code_integrity + type: boolean + description: > + Does the file enforce code integrity checks? + + - name: uses_seh + type: boolean + description: > + Does the file use structured exception handing? + + - name: has_import_table + type: boolean + description: > + Does the file have an import table? + + - name: has_export_table + type: boolean + description: > + Does the file have an export table? + + - name: has_cert_table + type: boolean + description: > + Does the file have an attribute certificate table? + + - name: has_debug_data + type: boolean + description: > + Does the file have a debug table? + + - name: section_names + type: keyword + description: > + The names of the sections, in order. + 
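Review bot: The `uses_seh` description says "structured exception handing"; it should read "structured exception handling". The first field, `client` ("The client's version string"), does not correspond to anything the config or pipeline for this fileset produces and looks carried over from another log's definition — worth confirming against the Zeek pe.log schema and dropping if it is not emitted.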
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/pe/config/pe.yml b/dynamite_nsm/confs/filebeat/module/zeek/pe/config/pe.yml new file mode 100644 index 00000000..34b81b46 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/pe/config/pe.yml @@ -0,0 +1,36 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true + +processors: + - rename: + fields: + - from: "json" + to: "zeek.pe" + + - from: "zeek.pe.compile_ts" + to: "zeek.pe.compile_time" + + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + category: + - file + type: + - info + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/pe/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/pe/ingest/pipeline.yml new file mode 100644 index 00000000..6e1272a8 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/pe/ingest/pipeline.yml @@ -0,0 +1,24 @@ +description: Pipeline for normalizing Zeek pe.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.pe.ts + formats: + - UNIX +- remove: + field: zeek.pe.ts +- date: + field: zeek.pe.compile_time + target_field: zeek.pe.compile_time + formats: + - UNIX + if: ctx.zeek.pe.compile_time != null +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/dynamite_nsm/confs/filebeat/module/zeek/pe/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/pe/manifest.yml new file mode 100644 index 00000000..16dfe2e4 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/pe/manifest.yml 
@@ -0,0 +1,17 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/pe.log
+ os.linux:
+ - /var/log/bro/current/pe.log
+ os.darwin:
+ - /usr/local/var/logs/current/pe.log
+ - name: tags
+ default: [zeek.pe]
+ - name: community_id
+ default: true
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/pe.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/pe/test/pe-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/pe/test/pe-json.log-expected.json
new file mode 100644
index 00000000..3356f0ef
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/pe/test/pe-json.log-expected.json
@@ -0,0 +1,43 @@
+[
+ {
+ "@timestamp": "2017-10-09T16:13:19.578Z",
+ "event.category": [
+ "file"
+ ],
+ "event.dataset": "zeek.pe",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "pe",
+ "input.type": "log",
+ "log.offset": 0,
+ "service.type": "zeek",
+ "tags": [
+ "zeek.pe"
+ ],
+ "zeek.pe.compile_time": "2016-06-28T18:41:54.000Z",
+ "zeek.pe.has_cert_table": true,
+ "zeek.pe.has_debug_data": false,
+ "zeek.pe.has_export_table": false,
+ "zeek.pe.has_import_table": true,
+ "zeek.pe.id": "FtIFnm3ZqI1s96P74l",
+ "zeek.pe.is_64bit": false,
+ "zeek.pe.is_exe": true,
+ "zeek.pe.machine": "I386",
+ "zeek.pe.os": "Windows XP",
+ "zeek.pe.section_names": [
+ ".text",
+ ".rdata",
+ ".data",
+ ".rsrc",
+ ".reloc"
+ ],
+ "zeek.pe.subsystem": "WINDOWS_CUI",
+ "zeek.pe.uses_aslr": true,
+ "zeek.pe.uses_code_integrity": false,
+ "zeek.pe.uses_dep": true,
+ "zeek.pe.uses_seh": true
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/radius/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/radius/_meta/fields.yml
new file mode 100644
index 00000000..a71dd2f0
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/radius/_meta/fields.yml
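Review bot: pe/manifest.yml declares a `community_id` variable defaulting to `true`, but config/pe.yml (previous hunk) contains no `community_id` processor and nothing else on this page reads the variable, so it is dead configuration that suggests a capability the fileset does not have. The pe log also carries no connection tuple that a community ID could be computed from, so the right fix is to drop the `- name: community_id` / `default: true` entry rather than to add the processor.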
@@ -0,0 +1,50 @@
+- name: radius
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek Radius log.
+ fields:
+ - name: username
+ type: keyword
+ description: |
+ The username, if present.
+
+ - name: mac
+ type: keyword
+ description: |
+ MAC address, if present.
+
+ - name: framed_addr
+ type: ip
+ description: |
+ The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.
+
+ - name: remote_ip
+ type: ip
+ description: |
+ Remote IP address, if present. This is collected from the Tunnel-Client-Endpoint attribute.
+
+ - name: connect_info
+ type: keyword
+ description: |
+ Connect info, if present.
+
+ - name: reply_msg
+ type: keyword
+ description: |
+ Reply message from the server challenge. This is frequently shown to the user authenticating.
+
+ - name: result
+ type: keyword
+ description: |
+ Successful or failed authentication.
+
+ - name: ttl
+ type: integer
+ description: |
+ The duration between the first request and either the "Access-Accept" message or an error. If the field is empty, it means that either the request or response was not seen.
+
+ - name: logged
+ type: boolean
+ description: |
+ Whether this has already been logged and can be ignored.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/radius/config/radius.yml b/dynamite_nsm/confs/filebeat/module/zeek/radius/config/radius.yml
new file mode 100644
index 00000000..0779807c
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/radius/config/radius.yml
@@ -0,0 +1,61 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+fields:
+ network.transport: udp
+ network.protocol: radius
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.radius"
+
+ - from: "zeek.radius.id.orig_h"
+ to: "source.address"
+
+ - from: "zeek.radius.id.orig_p"
+ to: "source.port"
+
+ - from: "zeek.radius.id.resp_h"
+ to: "destination.address"
+
+ - from: "zeek.radius.id.resp_p"
+ to: "destination.port"
+
+ - from: "zeek.radius.uid"
+ to: "zeek.session_id"
+
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "zeek.session_id", to: "event.id"}
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ - {from: "zeek.radius.username", to: "user.name"}
+ - {from: "zeek.radius.result", to: "event.outcome"}
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - authentication
+ - network
+ type:
+ - info
+ - connection
+ - community_id:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/radius/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/radius/ingest/pipeline.yml
new file mode 100644
index 00000000..acc7fad2
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/radius/ingest/pipeline.yml
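Review bot: `- {from: "zeek.radius.result", to: "event.outcome"}` copies the raw Zeek result string into an ECS field with a closed vocabulary (`success`, `failure`, `unknown`), and the expected output on L327 only exercises the `success` case. To my knowledge Zeek's radius log spells the other value `failed`, which any dashboard or detection rule keyed on ECS outcomes would not match; this is worth confirming against a failed-authentication sample. If that is the case, normalise it in the radius ingest pipeline (next hunk, L326) with a `set` processor guarded by `if: ctx.event?.outcome == 'failed'` that writes `failure`, or document in a comment here that event.outcome carries Zeek's raw values.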
@@ -0,0 +1,70 @@
+description: Pipeline for normalizing Zeek radius.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.radius.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.radius.ts
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- append:
+ field: related.user
+ value: "{{user.name}}"
+ if: "ctx?.user?.name != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/radius/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/radius/manifest.yml
new file mode 100644
index 00000000..d3bdee06
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/radius/manifest.yml
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/radius.log
+ os.linux:
+ - /var/log/bro/current/radius.log
+ os.darwin:
+ - /usr/local/var/logs/current/radius.log
+ - name: tags
+ default: [zeek.radius]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/radius.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/radius/test/radius-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/radius/test/radius-json.log-expected.json
new file mode 100644
index 00000000..894b85f4
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/radius/test/radius-json.log-expected.json
@@ -0,0 +1,46 @@
+[
+ {
+ "@timestamp": "2008-08-01T22:52:17.916Z",
+ "destination.address": "10.0.0.100",
+ "destination.ip": "10.0.0.100",
+ "destination.port": 1812,
+ "event.category": [
+ "authentication",
+ "network"
+ ],
+ "event.dataset": "zeek.radius",
+ "event.id": "CRe9VD3flCDWbPmpIh",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.outcome": "success",
+ "event.type": [
+ "info",
+ "connection"
+ ],
+ "fileset.name": "radius",
+ "input.type": "log",
+ "log.offset": 0,
+ "network.community_id": "1:3SdDgWXPnheV2oGfVmxQjfwtr8E=",
+ "network.protocol": "radius",
+ "network.transport": "udp",
+ "related.ip": [
+ "10.0.0.1",
+ "10.0.0.100"
+ ],
+ "related.user": [
+ "John.McGuirk"
+ ],
+ "service.type": "zeek",
+ "source.address": "10.0.0.1",
+ "source.ip": "10.0.0.1",
+ "source.port": 1645,
+ "tags": [
+ "zeek.radius"
+ ],
+ "user.name": "John.McGuirk",
+ "zeek.radius.mac": "00:14:22:e9:54:5e",
+ "zeek.radius.result": "success",
+ "zeek.radius.username": "John.McGuirk",
+ "zeek.session_id": "CRe9VD3flCDWbPmpIh"
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/rdp/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/rdp/_meta/fields.yml
new file mode 100644
index 00000000..fc7566a3
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/rdp/_meta/fields.yml
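Review bot: radius/manifest.yml declares no `requires.processors`, although the radius ingest pipeline on L326 uses the `geoip` processor four times; the signature manifest on L340 declares `requires.processors: - name: geoip` / `plugin: ingest-geoip` for exactly this situation, and as far as I can tell that declaration is what lets Filebeat's setup step verify the processor is available before it loads the pipeline. The rdp (L332) and rfb (L336) manifests have the same omission and should get the same two lines so all four filesets fail early, and identically, on a cluster without GeoIP support.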
@@ -0,0 +1,103 @@
+- name: rdp
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek RDP log.
+ fields:
+ - name: cookie
+ type: keyword
+ description: |
+ Cookie value used by the client machine. This is typically a username.
+
+ - name: result
+ type: keyword
+ description: |
+ Status result for the connection. It's a mix between RDP negotation failure messages and GCC server create response messages.
+
+ - name: security_protocol
+ type: keyword
+ description: |
+ Security protocol chosen by the server.
+
+ - name: keyboard_layout
+ type: keyword
+ description: |
+ Keyboard layout (language) of the client machine.
+
+ - name: client
+ type: group
+ fields:
+ - name: build
+ type: keyword
+ description: |
+ RDP client version used by the client machine.
+
+ - name: client_name
+ type: keyword
+ description: |
+ Name of the client machine.
+
+ - name: product_id
+ type: keyword
+ description: |
+ Product ID of the client machine.
+
+ - name: desktop
+ type: group
+ fields:
+ - name: width
+ type: integer
+ description: |
+ Desktop width of the client machine.
+
+ - name: height
+ type: integer
+ description: |
+ Desktop height of the client machine.
+
+ - name: color_depth
+ type: keyword
+ description: |
+ The color depth requested by the client in the high_color_depth field.
+
+ - name: cert
+ type: group
+ fields:
+ - name: type
+ type: keyword
+ description: |
+ If the connection is being encrypted with native RDP encryption, this is the type of cert being used.
+
+ - name: count
+ type: integer
+ description: |
+ The number of certs seen. X.509 can transfer an entire certificate chain.
+
+ - name: permanent
+ type: boolean
+ description: |
+ Indicates if the provided certificate or certificate chain is permanent or temporary.
+
+ - name: encryption
+ type: group
+ fields:
+ - name: level
+ type: keyword
+ description: |
+ Encryption level of the connection.
+
+ - name: method
+ type: keyword
+ description: |
+ Encryption method of the connection.
+
+ - name: done
+ type: boolean
+ description: |
+ Track status of logging RDP connections.
+
+ - name: ssl
+ type: boolean
+ description: |
+ (present if policy/protocols/rdp/indicate_ssl.bro is loaded)
+ Flag the connection if it was seen over SSL.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/rdp/config/rdp.yml b/dynamite_nsm/confs/filebeat/module/zeek/rdp/config/rdp.yml
new file mode 100644
index 00000000..f29a099d
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/rdp/config/rdp.yml
@@ -0,0 +1,91 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+fields:
+ network.transport: tcp
+ network.protocol: rdp
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.rdp"
+
+ - from: "zeek.rdp.id.orig_h"
+ to: "source.address"
+
+ - from: "zeek.rdp.id.orig_p"
+ to: "source.port"
+
+ - from: "zeek.rdp.id.resp_h"
+ to: "destination.address"
+
+ - from: "zeek.rdp.id.resp_p"
+ to: "destination.port"
+
+ - from: "zeek.rdp.uid"
+ to: "zeek.session_id"
+
+ - from: "zeek.rdp.client_build"
+ to: "zeek.rdp.client.build"
+
+ - from: "zeek.rdp.client_name"
+ to: "zeek.rdp.client.name"
+
+ - from: "zeek.rdp.client_dig_product_id"
+ to: "zeek.rdp.client.product_id"
+
+ - from: "zeek.rdp.desktop_width"
+ to: "zeek.rdp.desktop.width"
+
+ - from: "zeek.rdp.desktop_height"
+ to: "zeek.rdp.desktop.height"
+
+ - from: "zeek.rdp.requested_color_depth"
+ to: "zeek.rdp.desktop.color_depth"
+
+ - from: "zeek.rdp.cert_type"
+ to: "zeek.rdp.cert.type"
+
+ - from: "zeek.rdp.cert_count"
+ to: "zeek.rdp.cert.count"
+
+ - from: "zeek.rdp.cert_permanent"
+ to: "zeek.rdp.cert.permanent"
+
+ - from: "zeek.rdp.encryption_level"
+ to: "zeek.rdp.encryption.level"
+
+ - from: "zeek.rdp.encryption_method"
+ to: "zeek.rdp.encryption.method"
+
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "zeek.session_id", to: "event.id"}
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - network
+ type:
+ - protocol
+ - info
+ - community_id:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
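Review bot: The rename `- from: "zeek.rdp.client_name"` / `to: "zeek.rdp.client.name"` does not agree with rdp/_meta/fields.yml (L328), where the `client` group declares `build`, `client_name` and `product_id` but no `name`; the renamed value therefore lands in a field the template never mapped and is left to dynamic mapping, which is both a silent schema drift and a search-time surprise. Either change the target here to `zeek.rdp.client.client_name` or rename the fields.yml entry to `name`; the latter reads better alongside `client.build` and `client.product_id`. While touching fields.yml, the `result` description spells `negotation`; `negotiation` is meant.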
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/rdp/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/rdp/ingest/pipeline.yml
new file mode 100644
index 00000000..bbe4abce
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/rdp/ingest/pipeline.yml
@@ -0,0 +1,71 @@
+description: Pipeline for normalizing Zeek rdp.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.rdp.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.rdp.ts
+- convert:
+ field: zeek.rdp.ssl
+ target_field: tls.established
+ type: boolean
+ ignore_missing: true
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/rdp/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/rdp/manifest.yml
new file mode 100644
index 00000000..0a2bc7b7
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/rdp/manifest.yml
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/rdp.log
+ os.linux:
+ - /var/log/bro/current/rdp.log
+ os.darwin:
+ - /usr/local/var/logs/current/rdp.log
+ - name: tags
+ default: [zeek.rdp]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/rdp.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json
new file mode 100644
index 00000000..878eb3e2
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json
@@ -0,0 +1,42 @@
+[
+ {
+ "@timestamp": "2019-09-10T16:18:59.668Z",
+ "destination.address": "192.168.131.131",
+ "destination.ip": "192.168.131.131",
+ "destination.port": 3389,
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "zeek.rdp",
+ "event.id": "C2PcYV7D3ntaHm056",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
+ "protocol",
+ "info"
+ ],
+ "fileset.name": "rdp",
+ "input.type": "log",
+ "log.offset": 0,
+ "network.community_id": "1:PsQu6lSZioPVi0A5K7UaeGsVqS0=",
+ "network.protocol": "rdp",
+ "network.transport": "tcp",
+ "related.ip": [
+ "192.168.131.1",
+ "192.168.131.131"
+ ],
+ "service.type": "zeek",
+ "source.address": "192.168.131.1",
+ "source.ip": "192.168.131.1",
+ "source.port": 33872,
+ "tags": [
+ "zeek.rdp"
+ ],
+ "tls.established": true,
+ "zeek.rdp.cert.count": 0,
+ "zeek.rdp.result": "encrypted",
+ "zeek.rdp.security_protocol": "HYBRID",
+ "zeek.rdp.ssl": true,
+ "zeek.session_id": "C2PcYV7D3ntaHm056"
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/rfb/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/rfb/_meta/fields.yml
new file mode 100644
index 00000000..16e11029
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/rfb/_meta/fields.yml
@@ -0,0 +1,67 @@
+- name: rfb
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek RFB log.
+ fields:
+ - name: version
+ type: group
+ fields:
+ - name: client
+ type: group
+ fields:
+ - name: major
+ type: keyword
+ description: |
+ Major version of the client.
+
+ - name: minor
+ type: keyword
+ description: |
+ Minor version of the client.
+
+ - name: server
+ type: group
+ fields:
+ - name: major
+ type: keyword
+ description: |
+ Major version of the server.
+
+ - name: minor
+ type: keyword
+ description: |
+ Minor version of the server.
+
+ - name: auth
+ type: group
+ fields:
+ - name: success
+ type: boolean
+ description: |
+ Whether or not authentication was successful.
+
+ - name: method
+ type: keyword
+ description: |
+ Identifier of authentication method used.
+
+ - name: share_flag
+ type: boolean
+ description: |
+ Whether the client has an exclusive or a shared session.
+
+ - name: desktop_name
+ type: keyword
+ description: |
+ Name of the screen that is being shared.
+
+ - name: width
+ type: integer
+ description: |
+ Width of the screen that is being shared.
+
+ - name: height
+ type: integer
+ description: |
+ Height of the screen that is being shared.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/rfb/config/rfb.yml b/dynamite_nsm/confs/filebeat/module/zeek/rfb/config/rfb.yml
new file mode 100644
index 00000000..0f974ac0
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/rfb/config/rfb.yml
@@ -0,0 +1,76 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+fields:
+ network.transport: tcp
+ network.protocol: rfb
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.rfb"
+
+ - from: "zeek.rfb.id.orig_h"
+ to: "source.address"
+
+ - from: "zeek.rfb.id.orig_p"
+ to: "source.port"
+
+ - from: "zeek.rfb.id.resp_h"
+ to: "destination.address"
+
+ - from: "zeek.rfb.id.resp_p"
+ to: "destination.port"
+
+ - from: "zeek.rfb.uid"
+ to: "zeek.session_id"
+
+ - from: "zeek.rfb.client_major_version"
+ to: "zeek.rfb.version.client.major"
+
+ - from: "zeek.rfb.client_minor_version"
+ to: "zeek.rfb.version.client.minor"
+
+ - from: "zeek.rfb.server_major_version"
+ to: "zeek.rfb.version.server.major"
+
+ - from: "zeek.rfb.server_minor_version"
+ to: "zeek.rfb.version.server.minor"
+
+ - from: "zeek.rfb.auth"
+ to: "zeek.rfb.auth.success"
+
+ - from: "zeek.rfb.authentication_method"
+ to: "zeek.rfb.auth.method"
+
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "zeek.session_id", to: "event.id"}
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - info
+ - community_id:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/rfb/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/rfb/ingest/pipeline.yml
new file mode 100644
index 00000000..2ce5fda4
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/rfb/ingest/pipeline.yml
@@ -0,0 +1,66 @@
+description: Pipeline for normalizing Zeek rfb.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.rfb.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.rfb.ts
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/rfb/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/rfb/manifest.yml
new file mode 100644
index 00000000..4bba4f4f
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/rfb/manifest.yml
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/rfb.log
+ os.linux:
+ - /var/log/bro/current/rfb.log
+ os.darwin:
+ - /usr/local/var/logs/current/rfb.log
+ - name: tags
+ default: [zeek.rfb]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/rfb.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/rfb/test/rfb-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/rfb/test/rfb-json.log-expected.json
new file mode 100644
index 00000000..83b5544b
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/rfb/test/rfb-json.log-expected.json
@@ -0,0 +1,47 @@
+[
+ {
+ "@timestamp": "2012-02-07T16:35:34.517Z",
+ "destination.address": "192.168.1.10",
+ "destination.ip": "192.168.1.10",
+ "destination.port": 5900,
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "zeek.rfb",
+ "event.id": "CXoIzM3wH3fUwXtKN1",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
+ "connection",
+ "info"
+ ],
+ "fileset.name": "rfb",
+ "input.type": "log",
+ "log.offset": 0,
+ "network.community_id": "1:AtPVA5phuztnwqMfO/2142WXVdY=",
+ "network.protocol": "rfb",
+ "network.transport": "tcp",
+ "related.ip": [
+ "192.168.1.123",
+ "192.168.1.10"
+ ],
+ "service.type": "zeek",
+ "source.address": "192.168.1.123",
+ "source.ip": "192.168.1.123",
+ "source.port": 58102,
+ "tags": [
+ "zeek.rfb"
+ ],
+ "zeek.rfb.auth.method": "VNC",
+ "zeek.rfb.auth.success": true,
+ "zeek.rfb.desktop_name": "\u00a0",
+ "zeek.rfb.height": 600,
+ "zeek.rfb.share_flag": false,
+ "zeek.rfb.version.client.major": "003",
+ "zeek.rfb.version.client.minor": "008",
+ "zeek.rfb.version.server.major": "003",
+ "zeek.rfb.version.server.minor": "008",
+ "zeek.rfb.width": 800,
+ "zeek.session_id": "CXoIzM3wH3fUwXtKN1"
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/signature/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/signature/_meta/fields.yml
new file mode 100644
index 00000000..7637ddd5
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/signature/_meta/fields.yml
@@ -0,0 +1,35 @@
+- name: signature
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek Signature log.
+ fields:
+ - name: note
+ type: keyword
+ description: >
+ Notice associated with signature event.
+
+ - name: sig_id
+ type: keyword
+ description: >
+ The name of the signature that matched.
+
+ - name: event_msg
+ type: keyword
+ description: >
+ A more descriptive message of the signature-matching event.
+
+ - name: sub_msg
+ type: keyword
+ description: >
+ Extracted payload data or extra message.
+
+ - name: sig_count
+ type: integer
+ description: >
+ Number of sigs, usually from summary count.
+
+ - name: host_count
+ type: integer
+ description: >
+ Number of hosts, from a summary count.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/signature/config/signature.yml b/dynamite_nsm/confs/filebeat/module/zeek/signature/config/signature.yml
new file mode 100644
index 00000000..e6bef4d1
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/signature/config/signature.yml
@@ -0,0 +1,50 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - rename:
+ fields:
+ - {from: message, to: event.original}
+ - decode_json_fields:
+ fields: [event.original]
+ target: zeek.signature
+ - convert:
+ ignore_missing: true
+ fields:
+ - {from: zeek.signature.src_addr, to: source.address}
+ - {from: zeek.signature.src_addr, to: source.ip, type: ip}
+ - {from: zeek.signature.src_port, to: source.port, type: long}
+ - {from: zeek.signature.dst_addr, to: destination.address}
+ - {from: zeek.signature.dst_addr, to: destination.ip, type: ip}
+ - {from: zeek.signature.dst_port, to: destination.port, type: long}
+ - rename:
+ ignore_missing: true
+ fields:
+ - from: zeek.signature.uid
+ to: zeek.session_id
+ - from: zeek.signature.sig_id
+ to: rule.id
+ - from: zeek.signature.event_msg
+ to: rule.description
+ - drop_fields:
+ ignore_missing: true
+ fields:
+ - zeek.signature.src_addr
+ - zeek.signature.src_port
+ - zeek.signature.dst_addr
+ - zeek.signature.dst_port
+ - add_fields:
+ target: event
+ fields:
+ kind: alert
+ - community_id:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.7.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/signature/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/signature/ingest/pipeline.yml
new file mode 100644
index 00000000..539ea5d7
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/signature/ingest/pipeline.yml
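Review bot: The `- community_id:` processor in signature.yml appears to be a no-op: unlike radius.yml, rdp.yml, rfb.yml and sip.yml on this page, this config sets no `fields: network.transport`, and the community ID processor needs a transport (or IANA protocol number) alongside the address/port tuple to hash; consistent with that, the expected output at L341 contains no `network.community_id` while every other fileset's fixture does. Either drop the processor, or keep it and add a comment such as `# community_id only fires when a later processor supplies network.transport` so nobody relies on the field in detections. Separately, `ecs.version: 1.7.0` disagrees with the `1.8.0` that every other config in this change stamps; unify unless the difference is deliberate.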
@@ -0,0 +1,89 @@
+---
+description: Pipeline for normalizing Zeek signature.log.
+processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: event.created
+ value: '{{@timestamp}}'
+ - date:
+ field: zeek.signature.ts
+ formats:
+ - UNIX
+ - remove:
+ field: zeek.signature.ts
+ # IP Geolocation Lookup
+ - geoip:
+ if: ctx.source?.geo == null
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ properties:
+ - city_name
+ - continent_name
+ - country_iso_code
+ - country_name
+ - location
+ - region_iso_code
+ - region_name
+ - geoip:
+ if: ctx.destination?.geo == null
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ properties:
+ - city_name
+ - continent_name
+ - country_iso_code
+ - country_name
+ - location
+ - region_iso_code
+ - region_name
+
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: "related.ip"
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+ - append:
+ field: "related.ip"
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+
+on_failure:
+ - set:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/signature/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/signature/manifest.yml
new file mode 100644
index 00000000..e0d00562
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/signature/manifest.yml
@@ -0,0 +1,19 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/signatures.log
+ os.linux:
+ - /var/log/bro/current/signatures.log
+ os.darwin:
+ - /usr/local/var/logs/current/signatures.log
+ - name: tags
+ default: [zeek.signature]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/signature.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/signature/test/signature-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/signature/test/signature-json.log-expected.json
new file mode 100644
index 00000000..d06eb256
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/signature/test/signature-json.log-expected.json
@@ -0,0 +1,48 @@
+[
+ {
+ "@timestamp": "2021-01-28T16:53:29.869Z",
+ "destination.address": "160.218.27.63",
+ "destination.as.number": 5610,
+ "destination.as.organization.name": "O2 Czech Republic, a.s.",
+ "destination.geo.continent_name": "Europe",
+ "destination.geo.country_iso_code": "CZ",
+ "destination.geo.country_name": "Czechia",
+ "destination.geo.location.lat": 50.0848,
+ "destination.geo.location.lon": 14.4112,
+ "destination.ip": "160.218.27.63",
+ "destination.port": 445,
+ "event.dataset": "zeek.signature",
+ "event.kind": "alert",
+ "event.module": "zeek",
+ "event.original": "{\"ts\": 1611852809.869245,\"uid\": \"CbjAXE4CBxJ8W7VoJg\",\"src_addr\": \"124.51.137.154\",\"src_port\": 51617,\"dst_addr\": \"160.218.27.63\",\"dst_port\": 445,\"note\": \"Signatures::Sensitive_Signature\",\"sig_id\": \"my-second-sig\",\"event_msg\": \"124.51.137.154: TCP traffic\",\"sub_msg\": \"\"}",
+ "fileset.name": "signature",
+ "input.type": "log",
+ "log.offset": 0,
+ "related.ip": [
+ "124.51.137.154",
+ "160.218.27.63"
+ ],
+ "rule.description": "124.51.137.154: TCP traffic",
+ "rule.id": "my-second-sig",
+ "service.type": "zeek",
+ "source.address": "124.51.137.154",
+ "source.as.number": 17858,
+ "source.as.organization.name": "LG POWERCOMM",
+ "source.geo.city_name": "Busan",
+ "source.geo.continent_name": "Asia",
+ "source.geo.country_iso_code": "KR",
+ "source.geo.country_name": "South Korea",
+ "source.geo.location.lat": 35.1003,
+ "source.geo.location.lon": 129.0442,
+ "source.geo.region_iso_code": "KR-26",
+ "source.geo.region_name": "Busan",
+ "source.ip": "124.51.137.154",
+ "source.port": 51617,
+ "tags": [
+ "zeek.signature"
+ ],
+ "zeek.session_id": "CbjAXE4CBxJ8W7VoJg",
+ "zeek.signature.note": "Signatures::Sensitive_Signature",
+ "zeek.signature.sub_msg": ""
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/sip/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/sip/_meta/fields.yml
new file mode 100644
index 00000000..09e40c63
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/sip/_meta/fields.yml
@@ -0,0 +1,122 @@
+- name: sip
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek SIP log.
+ fields:
+ - name: transaction_depth
+ type: integer
+ description: >
+ Represents the pipelined depth into the connection of this request/response transaction.
+
+ - name: sequence
+ type: group
+ fields:
+ - name: method
+ type: keyword
+ description: >
+ Verb used in the SIP request (INVITE, REGISTER etc.).
+
+ - name: number
+ type: keyword
+ description: >
+ Contents of the CSeq: header from the client.
+
+ - name: uri
+ type: keyword
+ description: >
+ URI used in the request.
+
+ - name: date
+ type: keyword
+ description: >
+ Contents of the Date: header from the client.
+
+ - name: request
+ type: group
+ fields:
+ - name: from
+ type: keyword
+ description: >
+ Contents of the request From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged.
+
+ - name: to
+ type: keyword
+ description: >
+ Contents of the To: header.
+
+ - name: path
+ type: keyword
+ description: >
+ The client message transmission path, as extracted from the headers.
+
+ - name: body_length
+ type: long
+ description: >
+ Contents of the Content-Length: header from the client.
+
+ - name: response
+ type: group
+ fields:
+ - name: from
+ type: keyword
+ description: >
+ Contents of the response From: header Note: The tag= value that's usually appended to the sender is stripped off and not logged.
+
+ - name: to
+ type: keyword
+ description: >
+ Contents of the response To: header.
+
+ - name: path
+ type: keyword
+ description: >
+ The server message transmission path, as extracted from the headers.
+
+ - name: body_length
+ type: long
+ description: >
+ Contents of the Content-Length: header from the server.
+
+ - name: reply_to
+ type: keyword
+ description: >
+ Contents of the Reply-To: header.
+
+ - name: call_id
+ type: keyword
+ description: >
+ Contents of the Call-ID: header from the client.
+
+ - name: subject
+ type: keyword
+ description: >
+ Contents of the Subject: header from the client.
+
+ - name: user_agent
+ type: keyword
+ description: >
+ Contents of the User-Agent: header from the client.
+
+ - name: status
+ type: group
+ fields:
+ - name: code
+ type: integer
+ description: >
+ Status code returned by the server.
+
+ - name: msg
+ type: keyword
+ description: >
+ Status message returned by the server.
+
+ - name: warning
+ type: keyword
+ description: >
+ Contents of the Warning: header.
+
+ - name: content_type
+ type: keyword
+ description: >
+ Contents of the Content-Type: header from the server.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/sip/config/sip.yml b/dynamite_nsm/confs/filebeat/module/zeek/sip/config/sip.yml
new file mode 100644
index 00000000..3530b53c
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/sip/config/sip.yml
@@ -0,0 +1,98 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true +fields: + network.transport: udp + network.protocol: sip + +processors: + - rename: + fields: + - from: "json" + to: "zeek.sip" + + - from: "zeek.sip.id.orig_h" + to: "source.address" + + - from: "zeek.sip.id.orig_p" + to: "source.port" + + - from: "zeek.sip.id.resp_h" + to: "destination.address" + + - from: "zeek.sip.id.resp_p" + to: "destination.port" + + - from: "zeek.sip.uid" + to: "zeek.session_id" + + - from: "zeek.sip.trans_depth" + to: "zeek.sip.transaction_depth" + + - from: "zeek.sip.method" + to: "zeek.sip.sequence.method" + + - from: "zeek.sip.request_from" + to: "zeek.sip.request.from" + + - from: "zeek.sip.request_to" + to: "zeek.sip.request.to" + + - from: "zeek.sip.request_path" + to: "zeek.sip.request.path" + + - from: "zeek.sip.request_body_len" + to: "zeek.sip.request.body_length" + + - from: "zeek.sip.response_from" + to: "zeek.sip.response.from" + + - from: "zeek.sip.response_to" + to: "zeek.sip.response.to" + + - from: "zeek.sip.response_path" + to: "zeek.sip.response.path" + + - from: "zeek.sip.response_body_len" + to: "zeek.sip.response.body_length" + + - from: "zeek.sip.status_code" + to: "zeek.sip.status.code" + + - from: "zeek.sip.status_msg" + to: "zeek.sip.status.msg" + + ignore_missing: true + fail_on_error: false + - convert: + fields: + - {from: "zeek.session_id", to: "event.id"} + - {from: "source.address", to: "source.ip", type: "ip"} + - {from: "destination.address", to: "destination.ip", type: "ip"} + - {from: "zeek.sip.sequence.method", to: "event.action"} + - {from: "zeek.sip.uri", to: "url.full"} + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + category: + - network + type: + - connection + - protocol + - 
community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/sip/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/sip/ingest/pipeline.yml new file mode 100644 index 00000000..d8408c51 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/sip/ingest/pipeline.yml 
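Review bot: `zeek.sip.user_agent` is left only under the zeek namespace, while the other client-supplied identifiers in this hunk (`uri`, `method`) are also copied to ECS (`url.full`, `event.action`); SIP scanners and registration brute-forcers are most easily spotted by their User-Agent, and analysts querying `user_agent.original` across HTTP and SIP will miss them. One more entry in the `convert` list covers it: `- {from: "zeek.sip.user_agent", to: "user_agent.original"}`. Judging by the fixture in this commit keeping both `zeek.sip.uri` and `url.full`, `convert` copies rather than moves the value, so the zeek-namespaced field is unaffected. `network.transport: udp` is hard-coded here; that is only accurate if the sip.log never carries TCP transactions, which this diff does not let me confirm.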
@@ -0,0 +1,86 @@ +description: Pipeline for normalizing Zeek sip.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.sip.ts + formats: + - UNIX +- remove: + field: zeek.sip.ts +- grok: + field: zeek.sip.seq + patterns: + - '%{NUMBER:zeek.sip.sequence.number}' + ignore_missing: true +- remove: + field: zeek.sip.seq + ignore_missing: true +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- append: + field: event.type + value: error + if: "ctx?.zeek?.sip?.status?.code != null && ctx.zeek.sip.status.code >= 400" +- set: + field: event.outcome + value: failure + if: "ctx?.zeek?.sip?.status?.code != null && ctx.zeek.sip.status.code >= 400" +- set: + field: event.outcome + value: success + if: "ctx?.zeek?.sip?.status?.code != null && ctx.zeek.sip.status.code < 400" +on_failure: +- set: + field: error.message + value: '{{ 
_ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/sip/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/sip/manifest.yml
new file mode 100644
index 00000000..2186e6b0
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/sip/manifest.yml
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/sip.log
+ os.linux:
+ - /var/log/bro/current/sip.log
+ os.darwin:
+ - /usr/local/var/logs/current/sip.log
+ - name: tags
+ default: [zeek.sip]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/sip.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/sip/test/sip-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/sip/test/sip-json.log-expected.json
new file mode 100644
index 00000000..71061cd2
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/sip/test/sip-json.log-expected.json
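Review bot: The `event.outcome` / `event.type: error` processors at the end of this hunk key on `status.code` alone, so every SIP digest-auth exchange, which by design opens with a 401 challenge to the first REGISTER, is recorded as a failure (the first fixture entry in this commit, REGISTER → 401 Unauthorized at transaction depth 0, shows exactly that), and every provisional 1xx such as 180 Ringing is recorded as success. Failed-registration or brute-force detections built on `event.outcome` will therefore fire on normal phone registrations unless they count repeated 401s per source and `call_id`, and call-setup dashboards will count rings as completed calls. I would keep the >= 400 error/failure branch but restrict `success` to final 2xx/3xx responses, set `unknown` for 1xx, and leave a comment that a 401 can be either a challenge or a rejection; the second fixture entry (180) would then expect `unknown` instead of `success`.
```yaml
# … unchanged: event.ingested/created, ts date, seq grok, geoip/as renames, related.ip, event.type error …
- set:
    field: event.outcome
    value: failure
    # NOTE: 401 is also the normal digest challenge to an unauthenticated REGISTER/INVITE;
    # a single 401 is not evidence of bad credentials, a repeat for the same source/call_id is.
    if: "ctx?.zeek?.sip?.status?.code != null && ctx.zeek.sip.status.code >= 400"
- set:
    field: event.outcome
    value: success
    if: "ctx?.zeek?.sip?.status?.code != null && ctx.zeek.sip.status.code >= 200 && ctx.zeek.sip.status.code < 400"
- set:
    field: event.outcome
    value: unknown
    # 1xx responses are provisional; the final outcome arrives in a later transaction.
    if: "ctx?.zeek?.sip?.status?.code != null && ctx.zeek.sip.status.code < 200"
```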
@@ -0,0 +1,227 @@ +[ + { + "@timestamp": "2013-02-26T22:02:39.055Z", + "destination.address": "74.63.41.218", + "destination.as.number": 29791, + "destination.as.organization.name": "Internap Corporation", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "74.63.41.218", + "destination.port": 5060, + "event.action": "REGISTER", + "event.category": [ + "network" + ], + "event.dataset": "zeek.sip", + "event.id": "CPRLCB4eWHdjP852Bk", + "event.kind": "event", + "event.module": "zeek", + "event.outcome": "failure", + "event.type": [ + "connection", + "protocol", + "error" + ], + "fileset.name": "sip", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:t8Jl0amIXPHemzxKgsLjtkB+ewo=", + "network.protocol": "sip", + "network.transport": "udp", + "related.ip": [ + "172.16.133.19", + "74.63.41.218" + ], + "service.type": "zeek", + "source.address": "172.16.133.19", + "source.ip": "172.16.133.19", + "source.port": 5060, + "tags": [ + "zeek.sip" + ], + "url.full": "sip:newyork.voip.ms:5060", + "zeek.session_id": "CPRLCB4eWHdjP852Bk", + "zeek.sip.call_id": "8694cd7e-976e4fc3-d76f6e38@172.16.133.19", + "zeek.sip.request.body_length": 0, + "zeek.sip.request.from": "\"AppNeta\" ", + "zeek.sip.request.path": [ + "SIP/2.0/UDP 172.16.133.19:5060" + ], + "zeek.sip.request.to": "", + "zeek.sip.response.body_length": 0, + "zeek.sip.response.from": "\"AppNeta\" ", + "zeek.sip.response.path": [ + "SIP/2.0/UDP 172.16.133.19:5060" + ], + "zeek.sip.response.to": ";tag=as023f66a5", + "zeek.sip.sequence.method": "REGISTER", + "zeek.sip.sequence.number": "4127", + "zeek.sip.status.code": 401, + "zeek.sip.status.msg": "Unauthorized", + "zeek.sip.transaction_depth": 0, + "zeek.sip.uri": "sip:newyork.voip.ms:5060", + "zeek.sip.user_agent": 
"PolycomSoundStationIP-SSIP_5000-UA/3.2.4.0267" + }, + { + "@timestamp": "2005-01-14T17:58:02.965Z", + "destination.address": "200.57.7.195", + "destination.as.number": 18734, + "destination.as.organization.name": "Operbes, S.A. de C.V.", + "destination.geo.city_name": "Mexico City", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "MX", + "destination.geo.country_name": "Mexico", + "destination.geo.location.lat": 19.4357, + "destination.geo.location.lon": -99.1438, + "destination.geo.region_iso_code": "MX-CMX", + "destination.geo.region_name": "Mexico City", + "destination.ip": "200.57.7.195", + "destination.port": 5060, + "event.action": "INVITE", + "event.category": [ + "network" + ], + "event.dataset": "zeek.sip", + "event.id": "ComJz236lSOcuOmix3", + "event.kind": "event", + "event.module": "zeek", + "event.outcome": "success", + "event.type": [ + "connection", + "protocol" + ], + "fileset.name": "sip", + "input.type": "log", + "log.offset": 805, + "network.community_id": "1:U/Makwsc8lm6pVKLfRMzoNTI++0=", + "network.protocol": "sip", + "network.transport": "udp", + "related.ip": [ + "200.57.7.204", + "200.57.7.195" + ], + "service.type": "zeek", + "source.address": "200.57.7.204", + "source.as.number": 18734, + "source.as.organization.name": "Operbes, S.A. 
de C.V.", + "source.geo.city_name": "Mexico City", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "MX", + "source.geo.country_name": "Mexico", + "source.geo.location.lat": 19.4357, + "source.geo.location.lon": -99.1438, + "source.geo.region_iso_code": "MX-CMX", + "source.geo.region_name": "Mexico City", + "source.ip": "200.57.7.204", + "source.port": 5061, + "tags": [ + "zeek.sip" + ], + "url.full": "sip:francisco@bestel.com:55060", + "zeek.session_id": "ComJz236lSOcuOmix3", + "zeek.sip.call_id": "12013223@200.57.7.195", + "zeek.sip.request.body_length": 229, + "zeek.sip.request.from": "", + "zeek.sip.request.path": [ + "SIP/2.0/UDP 200.57.7.195", + "SIP/2.0/UDP 200.57.7.195:55061" + ], + "zeek.sip.request.to": "\"francisco@bestel.com\" ", + "zeek.sip.response.body_length": 0, + "zeek.sip.response.from": "", + "zeek.sip.response.path": [ + "SIP/2.0/UDP 200.57.7.195", + "SIP/2.0/UDP 200.57.7.195:55061", + "SIP/2.0/UDP 200.57.7.195", + "SIP/2.0/UDP 200.57.7.195:55061" + ], + "zeek.sip.response.to": "\"francisco@bestel.com\" ;tag=298852044", + "zeek.sip.sequence.method": "INVITE", + "zeek.sip.sequence.number": "1", + "zeek.sip.status.code": 180, + "zeek.sip.status.msg": "Ringing", + "zeek.sip.transaction_depth": 0, + "zeek.sip.uri": "sip:francisco@bestel.com:55060" + }, + { + "@timestamp": "2005-01-14T17:58:07.022Z", + "destination.address": "200.57.7.195", + "destination.as.number": 18734, + "destination.as.organization.name": "Operbes, S.A. 
de C.V.", + "destination.geo.city_name": "Mexico City", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "MX", + "destination.geo.country_name": "Mexico", + "destination.geo.location.lat": 19.4357, + "destination.geo.location.lon": -99.1438, + "destination.geo.region_iso_code": "MX-CMX", + "destination.geo.region_name": "Mexico City", + "destination.ip": "200.57.7.195", + "destination.port": 5060, + "event.action": "REGISTER", + "event.category": [ + "network" + ], + "event.dataset": "zeek.sip", + "event.id": "CJZDWgixtwqXctWEg", + "event.kind": "event", + "event.module": "zeek", + "event.outcome": "success", + "event.type": [ + "connection", + "protocol" + ], + "fileset.name": "sip", + "input.type": "log", + "log.offset": 1654, + "network.community_id": "1:0hvHF/bh5wFKg7nfRXxsno4F198=", + "network.protocol": "sip", + "network.transport": "udp", + "related.ip": [ + "200.57.7.205", + "200.57.7.195" + ], + "service.type": "zeek", + "source.address": "200.57.7.205", + "source.as.number": 18734, + "source.as.organization.name": "Operbes, S.A. 
de C.V.", + "source.geo.city_name": "Mexico City", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "MX", + "source.geo.country_name": "Mexico", + "source.geo.location.lat": 19.4357, + "source.geo.location.lon": -99.1438, + "source.geo.region_iso_code": "MX-CMX", + "source.geo.region_name": "Mexico City", + "source.ip": "200.57.7.205", + "source.port": 5061, + "tags": [ + "zeek.sip" + ], + "url.full": "sip:Verso.com", + "zeek.session_id": "CJZDWgixtwqXctWEg", + "zeek.sip.call_id": "46E1C3CB36304F84A020CF6DD3F96461@Verso.com", + "zeek.sip.request.body_length": 0, + "zeek.sip.request.from": "Ivan ", + "zeek.sip.request.path": [ + "SIP/2.0/UDP 200.57.7.205:5061;rport" + ], + "zeek.sip.request.to": "Ivan ", + "zeek.sip.response.body_length": 0, + "zeek.sip.response.from": "\"Ivan\" ", + "zeek.sip.response.path": [ + "SIP/2.0/UDP 200.57.7.205:5061;received=200.57.7.205;rport=5061" + ], + "zeek.sip.response.to": "\"Ivan\" ", + "zeek.sip.sequence.method": "REGISTER", + "zeek.sip.sequence.number": "37764", + "zeek.sip.status.code": 200, + "zeek.sip.status.msg": "OK", + "zeek.sip.transaction_depth": 0, + "zeek.sip.uri": "sip:Verso.com", + "zeek.sip.user_agent": "Verso Softphone release 1104w" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/_meta/fields.yml new file mode 100644 index 00000000..820ca0e6 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/_meta/fields.yml 
@@ -0,0 +1,95 @@ +- name: smb_cmd + type: group + default_field: false + description: > + Fields exported by the Zeek smb_cmd log. + fields: + - name: command + type: keyword + description: | + The command sent by the client. + + - name: sub_command + type: keyword + description: | + The subcommand sent by the client, if present. + + - name: argument + type: keyword + description: | + Command argument sent by the client, if any. + + - name: status + type: keyword + description: | + Server reply to the client's command. + + - name: rtt + type: double + description: | + Round trip time from the request to the response. + + - name: version + type: keyword + description: | + Version of SMB for the command. + + - name: username + type: keyword + description: | + Authenticated username, if available. + + - name: tree + type: keyword + description: | + If this is related to a tree, this is the tree that was used for the current command. + + - name: tree_service + type: keyword + description: | + The type of tree (disk share, printer share, named pipe, etc.). + + - name: file + type: group + description: | + If the command referenced a file, store it here. + fields: + - name: name + type: keyword + description: | + Filename if one was seen. + + - name: action + type: keyword + description: | + Action this log record represents. + + - name: uid + type: keyword + description: | + UID of the referenced file. + + - name: host + type: group + fields: + - name: tx + type: ip + description: | + Address of the transmitting host. + + - name: rx + type: ip + description: | + Address of the receiving host. + + - name: smb1_offered_dialects + type: keyword + description: | + Present if base/protocols/smb/smb1-main.bro is loaded. + Dialects offered by the client. + + - name: smb2_offered_dialects + type: integer + description: | + Present if base/protocols/smb/smb2-main.bro is loaded. + Dialects offered by the client. 
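Review bot: The `file` group declares `name`, `action`, `uid` and `host.*`, but the companion `config/smb_cmd.yml` in this commit renames `referenced_file.path` to `zeek.smb_cmd.file.path`, so that field reaches the index with no declared mapping; with `default_field: false` on the group it is excluded from default search fields and its type is whatever the template's dynamic rules produce. Add a sibling entry under `file`: `- name: path`, `type: keyword`, `description: | Path pulled from the tree this file was transferred to or from.` (the smb_files fields file in this commit uses that wording). Separately, the `smb1_offered_dialects`/`smb2_offered_dialects` descriptions reference `base/protocols/smb/smb1-main.bro`; if the deployment targets Zeek 3 or later the script suffix is `.zeek`, worth adjusting so the docs match the shipped scripts.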
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml b/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml new file mode 100644 index 00000000..7b0ba2dd --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml 
@@ -0,0 +1,104 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true +fields: + network.transport: tcp + network.protocol: smb + +processors: + - rename: + fields: + - from: "json" + to: "zeek.smb_cmd" + + - drop_fields: + fields: + - "zeek.smb_cmd.referenced_file.ts" + - "zeek.smb_cmd.referenced_file.id.orig_p" + - "zeek.smb_cmd.referenced_file.id.resp_p" + - "zeek.smb_cmd.referenced_file.size" + - "zeek.smb_cmd.referenced_file.times.modified" + - "zeek.smb_cmd.referenced_file.times.accessed" + - "zeek.smb_cmd.referenced_file.times.created" + - "zeek.smb_cmd.referenced_file.times.changed" + ignore_missing: true + + - drop_fields: + when: + not: + has_fields: ["zeek.smb_cmd.referenced_file.action"] + fields: + - "zeek.smb_cmd.referenced_file.uid" + - "zeek.smb_cmd.referenced_file.id.orig_h" + - "zeek.smb_cmd.referenced_file.id.resp_h" + ignore_missing: true + + - rename: + fields: + - from: "zeek.smb_cmd.id.orig_h" + to: "source.address" + + - from: "zeek.smb_cmd.id.orig_p" + to: "source.port" + + - from: "zeek.smb_cmd.id.resp_h" + to: "destination.address" + + - from: "zeek.smb_cmd.id.resp_p" + to: "destination.port" + + - from: "zeek.smb_cmd.uid" + to: "zeek.session_id" + + - from: "zeek.smb_cmd.referenced_file.uid" + to: "zeek.smb_cmd.file.uid" + + - from: "zeek.smb_cmd.referenced_file.id.orig_h" + to: "zeek.smb_cmd.file.host.tx" + + - from: "zeek.smb_cmd.referenced_file.id.resp_h" + to: "zeek.smb_cmd.file.host.rx" + + - from: "zeek.smb_cmd.referenced_file.name" + to: "zeek.smb_cmd.file.name" + + - from: "zeek.smb_cmd.referenced_file.path" + to: "zeek.smb_cmd.file.path" + + - from: "zeek.smb_cmd.referenced_file.action" + to: "zeek.smb_cmd.file.action" + + ignore_missing: true + fail_on_error: false + - convert: + fields: + - {from: "zeek.session_id", to: "event.id"} 
+ - {from: "source.address", to: "source.ip", type: "ip"} + - {from: "destination.address", to: "destination.ip", type: "ip"} + - {from: "zeek.smb_cmd.command", to: "event.action"} + - {from: "zeek.smb_cmd.username", to: "user.name"} + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + category: + - network + type: + - connection + - protocol + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml new file mode 100644 index 00000000..0a853104 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml 
@@ -0,0 +1,85 @@ +description: Pipeline for normalizing Zeek smb_cmd.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.smb_cmd.ts + formats: + - UNIX +- remove: + field: zeek.smb_cmd.ts +- remove: + field: zeek.smb_cmd.referenced_file + ignore_missing: true +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- append: + field: related.user + value: "{{user.name}}" + if: "ctx?.user?.name != null" +- append: + field: event.type + value: error + if: "ctx?.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.toLowerCase() != 'success'" +- set: + field: event.outcome + value: success + if: "ctx?.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.toLowerCase() == 'success'" +- set: + field: event.outcome + value: failure + if: "ctx?.zeek?.smb_cmd?.status != null && ctx.zeek.smb_cmd.status.toLowerCase() != 
'success'"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/manifest.yml
new file mode 100644
index 00000000..331cafae
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/manifest.yml
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/smb_cmd.log
+ os.linux:
+ - /var/log/bro/current/smb_cmd.log
+ os.darwin:
+ - /usr/local/var/logs/current/smb_cmd.log
+ - name: tags
+ default: [zeek.smb_cmd]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/smb_cmd.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/test/smb_cmd-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/test/smb_cmd-json.log-expected.json
new file mode 100644
index 00000000..e18caef3
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_cmd/test/smb_cmd-json.log-expected.json
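Review bot: The `event.type: error` / `event.outcome: failure` conditions at the end of this hunk treat every status other than `success` as a failure. Zeek's SMB status strings include replies that are part of a normal exchange, if memory serves `MORE_PROCESSING_REQUIRED` (the middle leg of every NTLMSSP SESSION_SETUP) and `PENDING` (asynchronous SMB2 operations), so each authenticated SMB session would emit at least one `failure` event and any detection counting SMB failures per host would be dominated by them. Consider a small allow-list in the condition, e.g. `!['success', 'more_processing_required', 'pending'].contains(ctx.zeek.smb_cmd.status.toLowerCase())` for the two error/failure processors and the mirrored `.contains(...)` test for the success one, after checking the exact strings Zeek emits for your version. Whatever the list ends up being, a one-line comment above these processors naming the statuses deliberately treated as non-errors will save the next reader the same investigation.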
@@ -0,0 +1,51 @@ +[ + { + "@timestamp": "2013-02-26T22:05:32.020Z", + "destination.address": "172.16.128.202", + "destination.ip": "172.16.128.202", + "destination.port": 445, + "event.action": "NT_CREATE_ANDX", + "event.category": [ + "network" + ], + "event.dataset": "zeek.smb_cmd", + "event.id": "CbT8mpAXseu6Pt4R7", + "event.kind": "event", + "event.module": "zeek", + "event.outcome": "success", + "event.type": [ + "connection", + "protocol" + ], + "fileset.name": "smb_cmd", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:SJNAD5vtzZuhQjGtfaI8svTnyuw=", + "network.protocol": "smb", + "network.transport": "tcp", + "related.ip": [ + "172.16.133.6", + "172.16.128.202" + ], + "service.type": "zeek", + "source.address": "172.16.133.6", + "source.ip": "172.16.133.6", + "source.port": 1728, + "tags": [ + "zeek.smb_cmd" + ], + "zeek.session_id": "CbT8mpAXseu6Pt4R7", + "zeek.smb_cmd.argument": "\\browser", + "zeek.smb_cmd.command": "NT_CREATE_ANDX", + "zeek.smb_cmd.file.action": "SMB::FILE_OPEN", + "zeek.smb_cmd.file.host.rx": "172.16.128.202", + "zeek.smb_cmd.file.host.tx": "172.16.133.6", + "zeek.smb_cmd.file.name": "\\browser", + "zeek.smb_cmd.file.uid": "CbT8mpAXseu6Pt4R7", + "zeek.smb_cmd.rtt": 0.091141, + "zeek.smb_cmd.status": "SUCCESS", + "zeek.smb_cmd.tree": "\\\\JSRVR20\\IPC$", + "zeek.smb_cmd.tree_service": "IPC", + "zeek.smb_cmd.version": "SMB1" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_files/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/smb_files/_meta/fields.yml new file mode 100644 index 00000000..c41211ed --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_files/_meta/fields.yml 
@@ -0,0 +1,65 @@ +- name: smb_files + type: group + default_field: false + description: > + Fields exported by the Zeek SMB Files log. + fields: + - name: action + type: keyword + description: > + Action this log record represents. + + - name: fid + type: integer + description: > + ID referencing this file. + + - name: name + type: keyword + description: > + Filename if one was seen. + + - name: path + type: keyword + description: > + Path pulled from the tree this file was transferred to or from. + + - name: previous_name + type: keyword + description: > + If the rename action was seen, this will be the file's previous name. + + - name: size + type: long + description: > + Byte size of the file. + + - name: times + type: group + description: > + Timestamps of the file. + fields: + - name: accessed + type: date + description: > + The file's access time. + + - name: changed + type: date + description: > + The file's change time. + + - name: created + type: date + description: > + The file's create time. + + - name: modified + type: date + description: > + The file's modify time. + + - name: uuid + type: keyword + description: > + UUID referencing this file if DCE/RPC. diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_files/config/smb_files.yml b/dynamite_nsm/confs/filebeat/module/zeek/smb_files/config/smb_files.yml new file mode 100644 index 00000000..aa530a6f --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_files/config/smb_files.yml 
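Review bot: `fid` is declared `type: integer`, a signed 32-bit field in Elasticsearch. Zeek's smb_files `fid` is a `count`; if I recall the SMB2 analyzer correctly it is derived from the 64-bit persistent/volatile file id, so values above 2^31-1 are plausible, and a document carrying one is rejected at index time with a mapping error rather than stored with a truncated id. `type: long` costs nothing here and removes that failure mode; worth confirming against a smb_files.log captured from an SMB2 session before merging.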
@@ -0,0 +1,64 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true +fields: + network.transport: tcp + network.protocol: smb + +processors: + - rename: + fields: + - from: "json" + to: "zeek.smb_files" + + - from: "zeek.smb_files.id.orig_h" + to: "source.address" + + - from: "zeek.smb_files.id.orig_p" + to: "source.port" + + - from: "zeek.smb_files.id.resp_h" + to: "destination.address" + + - from: "zeek.smb_files.id.resp_p" + to: "destination.port" + + - from: "zeek.smb_files.uid" + to: "zeek.session_id" + + ignore_missing: true + fail_on_error: false + - convert: + fields: + - {from: "zeek.session_id", to: "event.id"} + - {from: "source.address", to: "source.ip", type: "ip"} + - {from: "destination.address", to: "destination.ip", type: "ip"} + - {from: "zeek.smb_files.action", to: "event.action"} + - {from: "zeek.smb_files.name", to: "file.name"} + - {from: "zeek.smb_files.size", to: "file.size"} + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + category: + - network + - file + type: + - connection + - protocol + - community_id: + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_files/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/smb_files/ingest/pipeline.yml new file mode 100644 index 00000000..b1c0d3a6 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_files/ingest/pipeline.yml 
@@ -0,0 +1,138 @@ +description: Pipeline for normalizing Zeek smb_files.log +processors: +- set: + field: event.ingested + value: '{{_ingest.timestamp}}' +- set: + field: event.created + value: '{{@timestamp}}' +- date: + field: zeek.smb_files.ts + formats: + - UNIX +- remove: + field: zeek.smb_files.ts +- dot_expander: + field: times.accessed + path: zeek.smb_files +- dot_expander: + field: times.changed + path: zeek.smb_files +- dot_expander: + field: times.created + path: zeek.smb_files +- dot_expander: + field: times.modified + path: zeek.smb_files +- date: + field: zeek.smb_files.times.accessed + target_field: zeek.smb_files.times.accessed + formats: + - UNIX + if: ctx.zeek.smb_files.times?.accessed != null +- set: + field: file.accessed + value: "{{zeek.smb_files.times.accessed}}" + if: "ctx?.zeek?.smb_files?.times?.accessed != null" +- date: + field: zeek.smb_files.times.changed + target_field: zeek.smb_files.times.changed + formats: + - UNIX + if: ctx.zeek.smb_files.times?.accessed != null +- set: + field: file.ctime + value: "{{zeek.smb_files.times.changed}}" + if: "ctx?.zeek?.smb_files?.times?.changed != null" +- date: + field: zeek.smb_files.times.created + target_field: zeek.smb_files.times.created + formats: + - UNIX + if: ctx.zeek.smb_files.times?.accessed != null +- set: + field: file.created + value: "{{zeek.smb_files.times.created}}" + if: "ctx?.zeek?.smb_files?.times?.created != null" +- date: + field: zeek.smb_files.times.modified + target_field: zeek.smb_files.times.modified + formats: + - UNIX + if: ctx.zeek.smb_files.times?.accessed != null +- set: + field: file.mtime + value: "{{zeek.smb_files.times.modified}}" + if: "ctx?.zeek?.smb_files?.times?.modified != null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - 
organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- append: + field: related.user + value: "{{user.name}}" + if: "ctx?.user?.name != null" +- set: + field: file.path + value: "{{zeek.smb_files.path}}\\{{zeek.smb_files.name}}" + if: "ctx?.zeek?.smb_files?.path != null && ctx?.zeek?.smb_files?.name != null" +- append: + field: event.type + value: deletion + if: "ctx?.zeek?.smb_files?.action == 'SMB::FILE_DELETE'" +- append: + field: event.type + value: change + if: "ctx?.zeek?.smb_files?.action == 'SMB::FILE_RENAME' || ctx?.zeek?.smb_files?.action == 'SMB::FILE_SET_ATTRIBUTE'" +- append: + field: event.type + value: info + if: "ctx?.zeek?.smb_files?.action != null && ctx.zeek.smb_files != 'SMB::FILE_DELETE' && ctx.zeek.smb_files != 'SMB::FILE_RENAME' && ctx.zeek.smb_files != 'SMB::FILE_SET_ATTRIBUTE'" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_files/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/smb_files/manifest.yml new file mode 100644 index 00000000..bdbf0324 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_files/manifest.yml 
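Review bot: Three of the four `times.*` date processors in this hunk carry a copy-pasted condition: the `changed`, `created` and `modified` processors all test `times?.accessed != null` instead of their own field (`if: ctx.zeek.smb_files.times?.changed != null`, `...?.created != null`, `...?.modified != null`), so a record with an access time but no change/create/modify time raises a missing-field error, the pipeline stops at `on_failure`, and geoip, `related.ip`, `file.path` and `event.type` are never set for that document. The final `append` of `info` compares the whole `ctx.zeek.smb_files` map to the action strings (`ctx.zeek.smb_files != 'SMB::FILE_DELETE'`), which is always true, so deletes and renames get `info` alongside `deletion`/`change`. The `file.path` template also appears to escape the backslashes of `zeek.smb_files.path`: the fixture in this commit expects `\\\\admin-pc\\ADMIN$\PSEXESVC.exe` for a path of `\\admin-pc\ADMIN$`, which a rule matching `\\*\ADMIN$\PSEXESVC.exe` would not catch; building the path in a script processor avoids the templating, and the fixture's `file.path` value should change to the single-backslash form accordingly.
```yaml
# … unchanged: event.ingested/created, ts date, dot_expander, the four date/set pairs (with the corrected conditions above), geoip/as renames, related.* …
- script:
    lang: painless
    if: "ctx?.zeek?.smb_files?.path != null && ctx?.zeek?.smb_files?.name != null"
    # Concatenate in Painless rather than a mustache template so the UNC backslashes are not escaped.
    source: 'if (ctx.file == null) { ctx.file = new HashMap(); } ctx.file.path = ctx.zeek.smb_files.path + "\\" + ctx.zeek.smb_files.name;'
# … unchanged: event.type deletion / change …
- append:
    field: event.type
    value: info
    if: "ctx?.zeek?.smb_files?.action != null && ctx.zeek.smb_files.action != 'SMB::FILE_DELETE' && ctx.zeek.smb_files.action != 'SMB::FILE_RENAME' && ctx.zeek.smb_files.action != 'SMB::FILE_SET_ATTRIBUTE'"
```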
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/smb_files.log
+ os.linux:
+ - /var/log/bro/current/smb_files.log
+ os.darwin:
+ - /usr/local/var/logs/current/smb_files.log
+ - name: tags
+ default: [zeek.smb_files]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/smb_files.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_files/test/smb_files-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/smb_files/test/smb_files-json.log-expected.json
new file mode 100644
index 00000000..c7d5ab98
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_files/test/smb_files-json.log-expected.json
@@ -0,0 +1,55 @@ +[ + { + "@timestamp": "2017-10-09T16:13:19.576Z", + "destination.address": "192.168.10.30", + "destination.ip": "192.168.10.30", + "destination.port": 445, + "event.action": "SMB::FILE_OPEN", + "event.category": [ + "network", + "file" + ], + "event.dataset": "zeek.smb_files", + "event.id": "C9YAaEzWLL62yWMn5", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "protocol", + "info" + ], + "file.accessed": "2017-10-09T16:13:19.607Z", + "file.created": "2017-10-09T16:13:19.607Z", + "file.ctime": "2017-10-09T16:13:19.607Z", + "file.mtime": "2017-10-09T16:13:19.607Z", + "file.name": "PSEXESVC.exe", + "file.path": "\\\\\\\\admin-pc\\\\ADMIN$\\PSEXESVC.exe", + "file.size": 0, + "fileset.name": "smb_files", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:k308wDxRMx/FIEzeh+YwD86zgoA=", + "network.protocol": "smb", + "network.transport": "tcp", + "related.ip": [ + "192.168.10.31", + "192.168.10.30" + ], + "service.type": "zeek", + "source.address": "192.168.10.31", + "source.ip": "192.168.10.31", + "source.port": 49239, + "tags": [ + "zeek.smb_files" + ], + "zeek.session_id": "C9YAaEzWLL62yWMn5", + "zeek.smb_files.action": "SMB::FILE_OPEN", + "zeek.smb_files.name": "PSEXESVC.exe", + "zeek.smb_files.path": "\\\\admin-pc\\ADMIN$", + "zeek.smb_files.size": 0, + "zeek.smb_files.times.accessed": "2017-10-09T16:13:19.607Z", + "zeek.smb_files.times.changed": "2017-10-09T16:13:19.607Z", + "zeek.smb_files.times.created": "2017-10-09T16:13:19.607Z", + "zeek.smb_files.times.modified": "2017-10-09T16:13:19.607Z" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/_meta/fields.yml new file mode 100644 index 00000000..64ffaadb --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/_meta/fields.yml 
@@ -0,0 +1,26 @@
+- name: smb_mapping
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek SMB_Mapping log.
+ fields:
+ - name: path
+ type: keyword
+ description: >
+ Name of the tree path.
+
+ - name: service
+ type: keyword
+ description: >
+ The type of resource of the tree (disk share, printer share, named pipe, etc.).
+
+ - name: native_file_system
+ type: keyword
+ description: >
+ File system of the tree.
+
+ - name: share_type
+ type: keyword
+ description: |
+ If this is SMB2, a share type will be included. For SMB1, the type of share
+ will be deduced and included as well.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml b/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml
new file mode 100644
index 00000000..414432e3
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml
@@ -0,0 +1,60 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+fields:
+ network.transport: tcp
+ network.protocol: smb
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.smb_mapping"
+
+ - from: "zeek.smb_mapping.id.orig_h"
+ to: "source.address"
+
+ - from: "zeek.smb_mapping.id.orig_p"
+ to: "source.port"
+
+ - from: "zeek.smb_mapping.id.resp_h"
+ to: "destination.address"
+
+ - from: "zeek.smb_mapping.id.resp_p"
+ to: "destination.port"
+
+ - from: "zeek.smb_mapping.uid"
+ to: "zeek.session_id"
+
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "zeek.session_id", to: "event.id"}
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ ignore_missing: true
+ fail_on_error: false
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ - community_id:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml
new file mode 100644
index 00000000..e116e1bf
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml
@@ -0,0 +1,66 @@
+description: Pipeline for normalizing Zeek smb_mapping.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.smb_mapping.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.smb_mapping.ts
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/manifest.yml
new file mode 100644
index 00000000..f4afd881
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/manifest.yml
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/smb_mapping.log
+ os.linux:
+ - /var/log/bro/current/smb_mapping.log
+ os.darwin:
+ - /usr/local/var/logs/current/smb_mapping.log
+ - name: tags
+ default: [zeek.smb_mapping]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/smb_mapping.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/test/smb_mapping-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/test/smb_mapping-json.log-expected.json
new file mode 100644
index 00000000..71efd1e5
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/smb_mapping/test/smb_mapping-json.log-expected.json
@@ -0,0 +1,39 @@
+[
+ {
+ "@timestamp": "2017-10-09T16:13:19.576Z",
+ "destination.address": "192.168.10.30",
+ "destination.ip": "192.168.10.30",
+ "destination.port": 445,
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "zeek.smb_mapping",
+ "event.id": "C9YAaEzWLL62yWMn5",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
+ "connection",
+ "protocol"
+ ],
+ "fileset.name": "smb_mapping",
+ "input.type": "log",
+ "log.offset": 0,
+ "network.community_id": "1:k308wDxRMx/FIEzeh+YwD86zgoA=",
+ "network.protocol": "smb",
+ "network.transport": "tcp",
+ "related.ip": [
+ "192.168.10.31",
+ "192.168.10.30"
+ ],
+ "service.type": "zeek",
+ "source.address": "192.168.10.31",
+ "source.ip": "192.168.10.31",
+ "source.port": 49239,
+ "tags": [
+ "zeek.smb_mapping"
+ ],
+ "zeek.session_id": "C9YAaEzWLL62yWMn5",
+ "zeek.smb_mapping.path": "\\\\admin-pc\\ADMIN$",
+ "zeek.smb_mapping.share_type": "DISK"
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smtp/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/smtp/_meta/fields.yml
new file mode 100644
index 00000000..48894bf0
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/smtp/_meta/fields.yml
@@ -0,0 +1,121 @@
+- name: smtp
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek SMTP log.
+ fields:
+ - name: transaction_depth
+ type: integer
+ description: >
+ A count to represent the depth of this message transaction in a single connection where multiple messages were transferred.
+
+ - name: helo
+ type: keyword
+ description: >
+ Contents of the Helo header.
+
+ - name: mail_from
+ type: keyword
+ description: >
+ Email addresses found in the MAIL FROM header.
+
+ - name: rcpt_to
+ type: keyword
+ description: >
+ Email addresses found in the RCPT TO header.
+
+ - name: date
+ type: date
+ description: >
+ Contents of the Date header.
+
+ - name: from
+ type: keyword
+ description: >
+ Contents of the From header.
+
+ - name: to
+ type: keyword
+ description: >
+ Contents of the To header.
+
+ - name: cc
+ type: keyword
+ description: >
+ Contents of the CC header.
+
+ - name: reply_to
+ type: keyword
+ description: >
+ Contents of the ReplyTo header.
+
+ - name: msg_id
+ type: keyword
+ description: >
+ Contents of the MsgID header.
+
+ - name: in_reply_to
+ type: keyword
+ description: >
+ Contents of the In-Reply-To header.
+
+ - name: subject
+ type: keyword
+ description: >
+ Contents of the Subject header.
+
+ - name: x_originating_ip
+ type: keyword
+ description: >
+ Contents of the X-Originating-IP header.
+
+ - name: first_received
+ type: keyword
+ description: |
+ Contents of the first Received header.
+
+ - name: second_received
+ type: keyword
+ description: |
+ Contents of the second Received header.
+
+ - name: last_reply
+ type: keyword
+ description: |
+ The last message that the server sent to the client.
+
+ - name: path
+ type: ip
+ description: |
+ The message transmission path, as extracted from the headers.
+
+ - name: user_agent
+ type: keyword
+ description: |
+ Value of the User-Agent header from the client.
+
+ - name: tls
+ type: boolean
+ description: |
+ Indicates that the connection has switched to using TLS.
+
+ - name: process_received_from
+ type: boolean
+ description: |
+ Indicates if the "Received: from" headers should still be processed.
+
+ - name: has_client_activity
+ type: boolean
+ description: |
+ Indicates if client activity has been seen, but not yet logged.
+
+ - name: fuids
+ type: keyword
+ description: |
+ (present if base/protocols/smtp/files.bro is loaded)
+ An ordered vector of file unique IDs seen attached to the message.
+
+ - name: is_webmail
+ type: boolean
+ description: |
+ Indicates if the message was sent through a webmail interface.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smtp/config/smtp.yml b/dynamite_nsm/confs/filebeat/module/zeek/smtp/config/smtp.yml
new file mode 100644
index 00000000..cf31baf7
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/smtp/config/smtp.yml
@@ -0,0 +1,70 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+fields:
+ network.transport: tcp
+ network.protocol: smtp
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.smtp"
+
+ - from: "zeek.smtp.id.orig_h"
+ to: "source.address"
+
+ - from: "zeek.smtp.id.orig_p"
+ to: "source.port"
+
+ - from: "zeek.smtp.id.resp_h"
+ to: "destination.address"
+
+ - from: "zeek.smtp.id.resp_p"
+ to: "destination.port"
+
+ - from: "zeek.smtp.uid"
+ to: "zeek.session_id"
+
+ - from: "zeek.smtp.trans_depth"
+ to: "zeek.smtp.transaction_depth"
+
+ - from: "zeek.smtp.mailfrom"
+ to: "zeek.smtp.mail_from"
+
+ - from: "zeek.smtp.rcptto"
+ to: "zeek.smtp.rcpt_to"
+
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "zeek.session_id", to: "event.id"}
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ - {from: "zeek.smtp.tls", to: "tls.established", type: boolean}
+ ignore_missing: true
+ fail_on_error: false
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ - community_id:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smtp/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/smtp/ingest/pipeline.yml
new file mode 100644
index 00000000..03e2ffb6
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/smtp/ingest/pipeline.yml
@@ -0,0 +1,72 @@
+description: Pipeline for normalizing Zeek smtp.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.smtp.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.smtp.ts
+- date:
+ field: zeek.smtp.date
+ target_field: zeek.smtp.date
+ formats:
+ - EEE, d MMM yyyy HH:mm:ss Z
+ if: ctx.zeek.smtp.date != null
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smtp/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/smtp/manifest.yml
new file mode 100644
index 00000000..bc0d1802
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/smtp/manifest.yml
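Review bot: The `date` processor for `zeek.smtp.date` has a single format and no `ignore_failure`, so a Date header that does not match `EEE, d MMM yyyy HH:mm:ss Z` (the value is written by the sending MTA and non-conforming ones are common in real mail) fails the processor; the pipeline-level `on_failure` then writes `error.message` and the geoip, AS and `related.ip` processors that follow are skipped for that event. Adding `ignore_failure: true` to that processor keeps the enrichment on malformed dates, with the date field left unparsed in that case. The condition also uses non-null-safe access, `if: ctx.zeek.smtp.date != null`, where the appends further down use the `ctx?.` form; `if: ctx?.zeek?.smtp?.date != null` is consistent with them.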
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/smtp.log
+ os.linux:
+ - /var/log/bro/current/smtp.log
+ os.darwin:
+ - /usr/local/var/logs/current/smtp.log
+ - name: tags
+ default: [zeek.smtp]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/smtp.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/smtp/test/smtp-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/smtp/test/smtp-json.log-expected.json
new file mode 100644
index 00000000..61e1be27
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/smtp/test/smtp-json.log-expected.json
@@ -0,0 +1,47 @@
+[
+ {
+ "@timestamp": "2018-12-03T22:59:47.381Z",
+ "destination.address": "192.168.1.9",
+ "destination.ip": "192.168.1.9",
+ "destination.port": 25,
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "zeek.smtp",
+ "event.id": "CWWzPB3RjqhFf528c",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
+ "connection",
+ "protocol"
+ ],
+ "fileset.name": "smtp",
+ "input.type": "log",
+ "log.offset": 0,
+ "network.community_id": "1:38H0puTqOoHT/5r2bKFUVSXifQw=",
+ "network.protocol": "smtp",
+ "network.transport": "tcp",
+ "related.ip": [
+ "192.168.1.10",
+ "192.168.1.9"
+ ],
+ "service.type": "zeek",
+ "source.address": "192.168.1.10",
+ "source.ip": "192.168.1.10",
+ "source.port": 33782,
+ "tags": [
+ "zeek.smtp"
+ ],
+ "tls.established": true,
+ "zeek.session_id": "CWWzPB3RjqhFf528c",
+ "zeek.smtp.fuids": [],
+ "zeek.smtp.helo": "EXAMPLE.COM",
+ "zeek.smtp.is_webmail": false,
+ "zeek.smtp.last_reply": "220 2.0.0 SMTP server ready",
+ "zeek.smtp.path": [
+ "192.168.1.9"
+ ],
+ "zeek.smtp.tls": true,
+ "zeek.smtp.transaction_depth": 1
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/snmp/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/snmp/_meta/fields.yml
new file mode 100644
index 00000000..0ec5b677
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/snmp/_meta/fields.yml
@@ -0,0 +1,56 @@
+- name: snmp
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek SNMP log.
+ fields:
+ - name: duration
+ type: double
+ description: >
+ The amount of time between the first packet beloning to the SNMP session and the latest one seen.
+
+ - name: version
+ type: keyword
+ description: >
+ The version of SNMP being used.
+
+ - name: community
+ type: keyword
+ description: >
+ The community string of the first SNMP packet associated with the session. This is used as part of SNMP's (v1 and v2c) administrative/security framework. See RFC 1157 or RFC 1901.
+
+ - name: get
+ type: group
+ fields:
+ - name: requests
+ type: integer
+ description: >
+ The number of variable bindings in GetRequest/GetNextRequest PDUs seen for the session.
+
+ - name: bulk_requests
+ type: integer
+ description: >
+ The number of variable bindings in GetBulkRequest PDUs seen for the session.
+
+ - name: responses
+ type: integer
+ description: >
+ The number of variable bindings in GetResponse/Response PDUs seen for the session.
+
+ - name: set
+ type: group
+ fields:
+ - name: requests
+ type: integer
+ description: >
+ The number of variable bindings in SetRequest PDUs seen for the session.
+
+ - name: display_string
+ type: keyword
+ description: >
+ A system description of the SNMP responder endpoint.
+
+ - name: up_since
+ type: date
+ description: >
+ The time at which the SNMP responder endpoint claims it's been up since.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/snmp/config/snmp.yml b/dynamite_nsm/confs/filebeat/module/zeek/snmp/config/snmp.yml
new file mode 100644
index 00000000..b508ee87
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/snmp/config/snmp.yml
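Review bot: Two field descriptions carry typos that end up in the generated field reference: `beloning` in the `duration` description of this file should read `belonging`, and `attemps` in the `auth.attempts` description of `ssh/_meta/fields.yml` should read `attempts`. The proposed text for the first is `The amount of time between the first packet belonging to the SNMP session and the latest one seen.` and for the second `The number of authentication attempts we observed.`.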
@@ -0,0 +1,72 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+fields:
+ network.transport: udp
+ network.protocol: snmp
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.snmp"
+
+ - from: "zeek.snmp.id.orig_h"
+ to: "source.address"
+
+ - from: "zeek.snmp.id.orig_p"
+ to: "source.port"
+
+ - from: "zeek.snmp.id.resp_h"
+ to: "destination.address"
+
+ - from: "zeek.snmp.id.resp_p"
+ to: "destination.port"
+
+ - from: "zeek.snmp.uid"
+ to: "event.id"
+
+ - from: "zeek.snmp.get_requests"
+ to: "zeek.snmp.get.requests"
+
+ - from: "zeek.snmp.get_bulk_requests"
+ to: "zeek.snmp.get.bulk_requests"
+
+ - from: "zeek.snmp.get_responses"
+ to: "zeek.snmp.get.responses"
+
+ - from: "zeek.snmp.set_requests"
+ to: "zeek.snmp.set.requests"
+
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "zeek.session_id", to: "event.id"}
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ ignore_missing: true
+ fail_on_error: false
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ - community_id:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/snmp/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/snmp/ingest/pipeline.yml
new file mode 100644
index 00000000..1aefc539
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/snmp/ingest/pipeline.yml
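Review bot: `zeek.snmp.uid` is renamed straight to `event.id`, while the sibling filesets (smb_mapping, smtp, socks, ssh) rename `uid` to `zeek.session_id` and rely on the `convert` entry `{from: "zeek.session_id", to: "event.id"}` to copy it. As written, that convert entry in this file never finds its source and SNMP events carry no `zeek.session_id` — the snmp expected-output fixture has `event.id` but no `zeek.session_id` — so pivoting on the Zeek session id across log types does not work for SNMP. Changing the target to `to: "zeek.session_id"` makes the config consistent and lets the existing convert populate `event.id`.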
@@ -0,0 +1,72 @@
+description: Pipeline for normalizing Zeek snmp.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.snmp.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.snmp.ts
+- date:
+ field: zeek.snmp.up_since
+ target_field: zeek.snmp.up_since
+ formats:
+ - UNIX
+ if: ctx.zeek.snmp.up_since != null
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/snmp/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/snmp/manifest.yml
new file mode 100644
index 00000000..e25fb364
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/snmp/manifest.yml
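Review bot: `zeek.snmp.community` is an SNMPv1/v2c authentication credential (the fields file describes it as part of SNMP's administrative/security framework) and this pipeline indexes it as a cleartext keyword, which the snmp fixture shows as `"public"`; the socks pipeline does the same for `zeek.socks.password`. Keeping such values is defensible for an NSM, since detecting default or weak community strings needs them, but the choice should be visible rather than implicit. Either add a `remove` processor with `ignore_missing: true` for the field, or record the decision next to the processors with a comment such as `# zeek.snmp.community is a cleartext SNMPv1/v2c credential; retained on purpose — confirm, and restrict read access to this index accordingly`, and flag the sensitivity in the field's `description` in `_meta/fields.yml`.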
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/snmp.log
+ os.linux:
+ - /var/log/bro/current/snmp.log
+ os.darwin:
+ - /usr/local/var/logs/current/snmp.log
+ - name: tags
+ default: [zeek.snmp]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/snmp.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/snmp/test/snmp-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/snmp/test/snmp-json.log-expected.json
new file mode 100644
index 00000000..65345db7
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/snmp/test/snmp-json.log-expected.json
@@ -0,0 +1,44 @@
+[
+ {
+ "@timestamp": "2018-12-03T22:59:08.916Z",
+ "destination.address": "192.168.1.1",
+ "destination.ip": "192.168.1.1",
+ "destination.port": 161,
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "zeek.snmp",
+ "event.id": "CnKW1B4w9fpRa6Nkf2",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
+ "connection",
+ "protocol"
+ ],
+ "fileset.name": "snmp",
+ "input.type": "log",
+ "log.offset": 0,
+ "network.community_id": "1:X15ey/8/tEH+tlelK6P+GfgwBPc=",
+ "network.protocol": "snmp",
+ "network.transport": "udp",
+ "related.ip": [
+ "192.168.1.2",
+ "192.168.1.1"
+ ],
+ "service.type": "zeek",
+ "source.address": "192.168.1.2",
+ "source.ip": "192.168.1.2",
+ "source.port": 59696,
+ "tags": [
+ "zeek.snmp"
+ ],
+ "zeek.snmp.community": "public",
+ "zeek.snmp.duration": 7.849924,
+ "zeek.snmp.get.bulk_requests": 0,
+ "zeek.snmp.get.requests": 0,
+ "zeek.snmp.get.responses": 8,
+ "zeek.snmp.set.requests": 0,
+ "zeek.snmp.up_since": "2018-12-01T02:26:44.766Z",
+ "zeek.snmp.version": "2c"
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/socks/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/socks/_meta/fields.yml
new file mode 100644
index 00000000..31e80f49
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/socks/_meta/fields.yml
@@ -0,0 +1,56 @@
+- name: socks
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek SOCKS log.
+ fields:
+ - name: version
+ type: integer
+ description: |
+ Protocol version of SOCKS.
+
+ - name: user
+ type: keyword
+ description: |
+ Username used to request a login to the proxy.
+
+ - name: password
+ type: keyword
+ description: |
+ Password used to request a login to the proxy.
+
+ - name: status
+ type: keyword
+ description: |
+ Server status for the attempt at using the proxy.
+
+ - name: request
+ type: group
+ fields:
+ - name: host
+ type: keyword
+ description: |
+ Client requested SOCKS address. Could be an address, a name or both.
+
+ - name: port
+ type: integer
+ description: |
+ Client requested port.
+
+ - name: bound
+ type: group
+ fields:
+ - name: host
+ type: keyword
+ description: |
+ Server bound address. Could be an address, a name or both.
+
+ - name: port
+ type: integer
+ description: |
+ Server bound port.
+
+ - name: capture_password
+ type: boolean
+ description: |
+ Determines if the password will be captured for this request.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/socks/config/socks.yml b/dynamite_nsm/confs/filebeat/module/zeek/socks/config/socks.yml
new file mode 100644
index 00000000..cc486a60
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/socks/config/socks.yml
@@ -0,0 +1,70 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+fields:
+ network.transport: tcp
+ network.protocol: socks
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.socks"
+
+ - from: "zeek.socks.id.orig_h"
+ to: "source.address"
+
+ - from: "zeek.socks.id.orig_p"
+ to: "source.port"
+
+ - from: "zeek.socks.id.resp_h"
+ to: "destination.address"
+
+ - from: "zeek.socks.id.resp_p"
+ to: "destination.port"
+
+ - from: "zeek.socks.uid"
+ to: "zeek.session_id"
+
+ - from: "zeek.socks.request.name"
+ to: "zeek.socks.request.host"
+
+ - from: "zeek.socks.request_p"
+ to: "zeek.socks.request.port"
+
+ - from: "zeek.socks.bound_p"
+ to: "zeek.socks.bound.port"
+
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "zeek.session_id", to: "event.id"}
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ - {from: "zeek.socks.user", to: "user.name"}
+ ignore_missing: true
+ fail_on_error: false
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ - community_id:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/socks/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/socks/ingest/pipeline.yml
new file mode 100644
index 00000000..e64c5ec9
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/socks/ingest/pipeline.yml
@@ -0,0 +1,85 @@
+description: Pipeline for normalizing Zeek socks.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.socks.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.socks.ts
+- dot_expander:
+ field: bound.host
+ path: zeek.socks
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+- append:
+ field: related.user
+ value: "{{user.name}}"
+ if: "ctx?.user?.name != null"
+- append:
+ field: event.type
+ value: error
+ if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status != 'succeeded'"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status == 'succeeded'"
+- set:
+ field: event.outcome
+ value: failure
+ if: "ctx?.zeek?.socks?.status != null && ctx.zeek.socks.status != 'succeeded'"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/socks/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/socks/manifest.yml
new file mode 100644
index 00000000..55c4a387
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/socks/manifest.yml
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/socks.log
+ os.linux:
+ - /var/log/bro/current/socks.log
+ os.darwin:
+ - /usr/local/var/logs/current/socks.log
+ - name: tags
+ default: [zeek.socks]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/socks.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/socks/test/socks-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/socks/test/socks-json.log-expected.json
new file mode 100644
index 00000000..0a45d16a
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/socks/test/socks-json.log-expected.json
@@ -0,0 +1,44 @@
+[
+ {
+ "@timestamp": "2019-08-22T21:08:13.094Z",
+ "destination.address": "127.0.0.1",
+ "destination.ip": "127.0.0.1",
+ "destination.port": 8080,
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "zeek.socks",
+ "event.id": "Cmz4Cb4qCw1hGqYw1c",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.outcome": "success",
+ "event.type": [
+ "connection",
+ "protocol"
+ ],
+ "fileset.name": "socks",
+ "input.type": "log",
+ "log.offset": 0,
+ "network.community_id": "1:1Hp/o0hOC62lAwrV+a0ZKDE3rrs=",
+ "network.protocol": "socks",
+ "network.transport": "tcp",
+ "related.ip": [
+ "127.0.0.1",
+ "127.0.0.1"
+ ],
+ "service.type": "zeek",
+ "source.address": "127.0.0.1",
+ "source.ip": "127.0.0.1",
+ "source.port": 35368,
+ "tags": [
+ "zeek.socks"
+ ],
+ "zeek.session_id": "Cmz4Cb4qCw1hGqYw1c",
+ "zeek.socks.bound.host": "0.0.0.0",
+ "zeek.socks.bound.port": 0,
+ "zeek.socks.request.host": "www.google.com",
+ "zeek.socks.request.port": 443,
+ "zeek.socks.status": "succeeded",
+ "zeek.socks.version": 5
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ssh/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/ssh/_meta/fields.yml
new file mode 100644
index 00000000..5097e876
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/ssh/_meta/fields.yml
@@ -0,0 +1,78 @@
+- name: ssh
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek SSH log.
+ fields:
+ - name: client
+ type: keyword
+ description: >
+ The client's version string.
+
+ - name: direction
+ type: keyword
+ description: |
+ Direction of the connection. If the client was a local host logging into
+ an external host, this would be OUTBOUND. INBOUND would be set for the
+ opposite situation.
+
+ - name: host_key
+ type: keyword
+ description: >
+ The server's key thumbprint.
+
+ - name: server
+ type: keyword
+ description: >
+ The server's version string.
+
+ - name: version
+ type: integer
+ description: >
+ SSH major version (1 or 2).
+
+ - name: algorithm
+ type: group
+ description: >
+ Cipher algorithms used in this session.
+ fields:
+ - name: cipher
+ type: keyword
+ description: >
+ The encryption algorithm in use.
+
+ - name: compression
+ type: keyword
+ description: >
+ The compression algorithm in use.
+
+ - name: host_key
+ type: keyword
+ description: >
+ The server host key's algorithm.
+
+ - name: key_exchange
+ type: keyword
+ description: >
+ The key exchange algorithm in use.
+
+ - name: mac
+ type: keyword
+ description: >
+ The signing (MAC) algorithm in use.
+
+ - name: auth
+ type: group
+ fields:
+ - name: attempts
+ type: integer
+ description: |
+ The number of authentication attemps we observed. There's always at
+ least one, since some servers might support no authentication at all.
+ It's important to note that not all of these are failures, since some
+ servers require two-factor auth (e.g. password AND pubkey).
+
+ - name: success
+ type: boolean
+ description: >
+ Authentication result.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ssh/config/ssh.yml b/dynamite_nsm/confs/filebeat/module/zeek/ssh/config/ssh.yml
new file mode 100644
index 00000000..14e673c3
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/ssh/config/ssh.yml
@@ -0,0 +1,79 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+fields:
+ network.transport: tcp
+ network.protocol: ssh
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.ssh"
+
+ - from: "zeek.ssh.id.orig_h"
+ to: "source.address"
+
+ - from: "zeek.ssh.id.orig_p"
+ to: "source.port"
+
+ - from: "zeek.ssh.id.resp_h"
+ to: "destination.address"
+
+ - from: "zeek.ssh.id.resp_p"
+ to: "destination.port"
+
+ - from: "zeek.ssh.uid"
+ to: "zeek.session_id"
+
+ - from: "zeek.ssh.auth_attempts"
+ to: "zeek.ssh.auth.attempts"
+
+ - from: "zeek.ssh.auth_success"
+ to: "zeek.ssh.auth.success"
+
+ - from: "zeek.ssh.cipher_alg"
+ to: "zeek.ssh.algorithm.cipher"
+
+ - from: "zeek.ssh.mac_alg"
+ to: "zeek.ssh.algorithm.mac"
+
+ - from: "zeek.ssh.compression_alg"
+ to: "zeek.ssh.algorithm.compression"
+
+ - from: "zeek.ssh.kex_alg"
+ to: "zeek.ssh.algorithm.key_exchange"
+
+ - from: "zeek.ssh.host_key_alg"
+ to: "zeek.ssh.algorithm.host_key"
+
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "zeek.session_id", to: "event.id"}
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ - community_id:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ssh/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/ssh/ingest/pipeline.yml
new file mode 100644
index 00000000..26980d26
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/ssh/ingest/pipeline.yml
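Review bot: The `convert` processor in this file has no `ignore_missing: true` / `fail_on_error: false`, unlike the same processor in the smb_mapping, smtp, snmp and socks configs. With filebeat's documented defaults (`ignore_missing` false, `fail_on_error` true) a record in which one of the listed source fields is absent presumably makes the processor stop and skip the remaining conversions, so `event.id`, `source.ip` or `destination.ip` can be left unset for that event and downstream `related.ip` and geoip enrichment silently degrades. Adding `ignore_missing: true` and `fail_on_error: false` after the `fields` list brings it in line with the sibling configs.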
@@ -0,0 +1,74 @@
+description: Pipeline for normalizing Zeek ssh.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.ssh.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.ssh.ts
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+- set:
+ field: event.outcome
+ value: failure
+ if: "ctx?.zeek?.ssh?.auth?.success != null && ctx.zeek.ssh.auth.success == false"
+- set:
+ field: event.outcome
+ value: success
+ if: "ctx?.zeek?.ssh?.auth?.success != null && ctx.zeek.ssh.auth.success == true"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ssh/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/ssh/manifest.yml
new file mode 100644
index 00000000..9d2f3921
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/ssh/manifest.yml
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/ssh.log
+ os.linux:
+ - /var/log/bro/current/ssh.log
+ os.darwin:
+ - /usr/local/var/logs/current/ssh.log
+ - name: tags
+ default: [zeek.ssh]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/ssh.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ssh/test/ssh-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/ssh/test/ssh-json.log-expected.json
new file mode 100644
index 00000000..343aa739
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/ssh/test/ssh-json.log-expected.json
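Review bot: This manifest declares no `requires.processors`, although the ssh ingest pipeline in the previous hunk uses the `geoip` processor four times; the ssl manifest later in this diff does declare `requires.processors: - name: geoip plugin: ingest-geoip` for the same pattern. Adding the same block here keeps the two filesets consistent and, if I remember Filebeat's module loader correctly, turns a missing geoip processor into a clear load-time message instead of a pipeline failure at ingest time. The default `paths` still point at the legacy `/var/log/bro/current/` location; worth confirming that this matches where the project actually writes Zeek logs, since a wrong default makes the module harvest nothing without an error.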
@@ -0,0 +1,49 @@ +[ + { + "@timestamp": "2019-07-07T19:25:32.904Z", + "destination.address": "192.168.1.1", + "destination.ip": "192.168.1.1", + "destination.port": 22, + "event.category": [ + "network" + ], + "event.dataset": "zeek.ssh", + "event.id": "CajWfz1b3qnnWT0BU9", + "event.kind": "event", + "event.module": "zeek", + "event.outcome": "failure", + "event.type": [ + "connection", + "protocol" + ], + "fileset.name": "ssh", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:42tg9bemt74qgrdvJOy2n5Veg4A=", + "network.protocol": "ssh", + "network.transport": "tcp", + "related.ip": [ + "192.168.1.2", + "192.168.1.1" + ], + "service.type": "zeek", + "source.address": "192.168.1.2", + "source.ip": "192.168.1.2", + "source.port": 48380, + "tags": [ + "zeek.ssh" + ], + "zeek.session_id": "CajWfz1b3qnnWT0BU9", + "zeek.ssh.algorithm.cipher": "chacha20-poly1305@openssh.com", + "zeek.ssh.algorithm.compression": "none", + "zeek.ssh.algorithm.host_key": "ecdsa-sha2-nistp256", + "zeek.ssh.algorithm.key_exchange": "curve25519-sha256@libssh.org", + "zeek.ssh.algorithm.mac": "umac-64-etm@openssh.com", + "zeek.ssh.auth.attempts": 2, + "zeek.ssh.auth.success": false, + "zeek.ssh.client": "SSH-2.0-OpenSSH_7.9p1 Ubuntu-10", + "zeek.ssh.host_key": "86:71:ac:9c:35:1c:28:29:05:81:48:ec:66:67:de:bd", + "zeek.ssh.server": "SSH-2.0-OpenSSH_6.6.1p1 Debian-4~bpo70+1", + "zeek.ssh.version": 2 + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ssl/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/ssl/_meta/fields.yml new file mode 100644 index 00000000..604c9ab6 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/ssl/_meta/fields.yml 
@@ -0,0 +1,226 @@
+- name: ssl
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek SSL log.
+ fields:
+ - name: version
+ type: keyword
+ description: >
+ SSL/TLS version that was logged.
+
+ - name: cipher
+ type: keyword
+ description: >
+ SSL/TLS cipher suite that was logged.
+
+ - name: curve
+ type: keyword
+ description: >
+ Elliptic curve that was logged when using ECDH/ECDHE.
+
+ - name: resumed
+ type: boolean
+ description: |
+ Flag to indicate if the session was resumed reusing the key material exchanged in an
+ earlier connection.
+
+ - name: next_protocol
+ type: keyword
+ description: >
+ Next protocol the server chose using the application layer next protocol extension.
+
+ - name: established
+ type: boolean
+ description: >
+ Flag to indicate if this ssl session has been established successfully.
+
+ - name: validation
+ type: group
+ fields:
+ - name: status
+ type: keyword
+ description: >
+ Result of certificate validation for this connection.
+
+ - name: code
+ type: keyword
+ description: >
+ Result of certificate validation for this connection, given as OpenSSL validation code.
+
+ - name: last_alert
+ type: keyword
+ description: >
+ Last alert that was seen during the connection.
+
+ - name: server
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: |
+ Value of the Server Name Indicator SSL/TLS extension. It indicates the server name
+ that the client was requesting.
+
+ - name: cert_chain
+ type: keyword
+ description: >
+ Chain of certificates offered by the server to validate its complete signing chain.
+
+ - name: cert_chain_fuids
+ type: keyword
+ description: >
+ An ordered vector of certificate file identifiers for the certificates offered by the server.
+
+ - name: issuer
+ type: group
+ description: >
+ Subject of the signer of the X.509 certificate offered by the server.
+ fields:
+ - name: common_name
+ type: keyword
+ description: >
+ Common name of the signer of the X.509 certificate offered by the server.
+
+ - name: country
+ type: keyword
+ description: >
+ Country code of the signer of the X.509 certificate offered by the server.
+
+ - name: locality
+ type: keyword
+ description: >
+ Locality of the signer of the X.509 certificate offered by the server.
+
+ - name: organization
+ type: keyword
+ description: >
+ Organization of the signer of the X.509 certificate offered by the server.
+
+ - name: organizational_unit
+ type: keyword
+ description: >
+ Organizational unit of the signer of the X.509 certificate offered by the server.
+
+ - name: state
+ type: keyword
+ description: >
+ State or province name of the signer of the X.509 certificate offered by the server.
+
+ - name: subject
+ type: group
+ description: >
+ Subject of the X.509 certificate offered by the server.
+ fields:
+ - name: common_name
+ type: keyword
+ description: >
+ Common name of the X.509 certificate offered by the server.
+
+ - name: country
+ type: keyword
+ description: >
+ Country code of the X.509 certificate offered by the server.
+
+ - name: locality
+ type: keyword
+ description: >
+ Locality of the X.509 certificate offered by the server.
+
+ - name: organization
+ type: keyword
+ description: >
+ Organization of the X.509 certificate offered by the server.
+
+ - name: organizational_unit
+ type: keyword
+ description: >
+ Organizational unit of the X.509 certificate offered by the server.
+
+ - name: state
+ type: keyword
+ description: >
+ State or province name of the X.509 certificate offered by the server.
+
+ - name: client
+ type: group
+ fields:
+ - name: cert_chain
+ type: keyword
+ description: >
+ Chain of certificates offered by the client to validate its complete signing chain.
+
+ - name: cert_chain_fuids
+ type: keyword
+ description: >
+ An ordered vector of certificate file identifiers for the certificates offered by the client.
+
+ - name: issuer
+ type: group
+ description: >
+ Subject of the signer of the X.509 certificate offered by the client.
+ fields:
+ - name: common_name
+ type: keyword
+ description: >
+ Common name of the signer of the X.509 certificate offered by the client.
+
+ - name: country
+ type: keyword
+ description: >
+ Country code of the signer of the X.509 certificate offered by the client.
+
+ - name: locality
+ type: keyword
+ description: >
+ Locality of the signer of the X.509 certificate offered by the client.
+
+ - name: organization
+ type: keyword
+ description: >
+ Organization of the signer of the X.509 certificate offered by the client.
+
+ - name: organizational_unit
+ type: keyword
+ description: >
+ Organizational unit of the signer of the X.509 certificate offered by the client.
+
+ - name: state
+ type: keyword
+ description: >
+ State or province name of the signer of the X.509 certificate offered by the client.
+
+ - name: subject
+ type: group
+ description: >
+ Subject of the X.509 certificate offered by the client.
+ fields:
+ - name: common_name
+ type: keyword
+ description: >
+ Common name of the X.509 certificate offered by the client.
+
+ - name: country
+ type: keyword
+ description: >
+ Country code of the X.509 certificate offered by the client.
+
+ - name: locality
+ type: keyword
+ description: >
+ Locality of the X.509 certificate offered by the client.
+
+ - name: organization
+ type: keyword
+ description: >
+ Organization of the X.509 certificate offered by the client.
+
+ - name: organizational_unit
+ type: keyword
+ description: >
+ Organizational unit of the X.509 certificate offered by the client.
+
+ - name: state
+ type: keyword
+ description: >
+ State or province name of the X.509 certificate offered by the client.
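Review bot: The `server.name` description earlier in this hunk reads `Value of the Server Name Indicator SSL/TLS extension`; the extension is Server Name Indication (SNI, RFC 6066), so `Value of the Server Name Indication (SNI) SSL/TLS extension. It indicates the server name` is the accurate wording, and it is the term analysts will search the field help for. The `issuer` and `subject` groups under `server` and `client` duplicate values that the ssl ingest pipeline later in this diff also copies into `tls.server.x509.*` / `tls.client.x509.*`; a one-line note on each group saying it mirrors the ECS `x509` fields would make the duplication read as intentional rather than as a leftover.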
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ssl/config/ssl.yml b/dynamite_nsm/confs/filebeat/module/zeek/ssl/config/ssl.yml
new file mode 100644
index 00000000..cf3281a5
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/ssl/config/ssl.yml
@@ -0,0 +1,97 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+fields:
+ network.transport: tcp
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.ssl"
+
+ - from: "zeek.ssl.id.orig_h"
+ to: "source.address"
+
+ - from: "zeek.ssl.id.orig_p"
+ to: "source.port"
+
+ - from: "zeek.ssl.id.resp_h"
+ to: "destination.address"
+
+ - from: "zeek.ssl.id.resp_p"
+ to: "destination.port"
+
+ - from: "zeek.ssl.uid"
+ to: "zeek.session_id"
+
+ - from: "zeek.ssl.server_name"
+ to: "zeek.ssl.server.name"
+
+ - from: "zeek.ssl.cert_chain"
+ to: "zeek.ssl.server.cert_chain"
+
+ - from: "zeek.ssl.cert_chain_fuids"
+ to: "zeek.ssl.server.cert_chain_fuids"
+
+ - from: "zeek.ssl.client_cert_chain"
+ to: "zeek.ssl.client.cert_chain"
+
+ - from: "zeek.ssl.client_cert_chain_fuids"
+ to: "zeek.ssl.client.cert_chain_fuids"
+
+ - from: "zeek.ssl.validation_status"
+ to: "zeek.ssl.validation.status"
+
+ - from: "zeek.ssl.validation_code"
+ to: "zeek.ssl.validation.code"
+
+ # These JA3 fields are available when using the zeek/salesforce/ja3 package.
+ - from: zeek.ssl.ja3
+ to: tls.client.ja3
+ - from: zeek.ssl.ja3s
+ to: tls.server.ja3s
+
+ - from: zeek.ssl.not_valid_before
+ to: tls.server.not_before
+ - from: zeek.ssl.not_valid_after
+ to: tls.server.not_after
+
+ - from: zeek.ssl.orig_certificate_sha1
+ to: tls.client.hash.sha1
+ - from: zeek.ssl.resp_certificate_sha1
+ to: tls.server.hash.sha1
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "zeek.session_id", to: "event.id"}
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "source.address", to: "client.address"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ - {from: "destination.address", to: "server.address"}
+ ignore_missing: true
+ fail_on_error: false
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ - community_id:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ssl/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/ssl/ingest/pipeline.yml
new file mode 100644
index 00000000..4a980be9
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/ssl/ingest/pipeline.yml
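Review bot: The comment `# These JA3 fields are available when using the zeek/salesforce/ja3 package.` covers only the `ja3`/`ja3s` renames, but the `not_valid_before`/`not_valid_after` and `orig_certificate_sha1`/`resp_certificate_sha1` renames that follow are not base ssl.log fields either (the fixture later in this diff is named `ssl-with-ja3-and-custom-fields`), so a reader will expect `tls.server.not_before` and `tls.*.hash.sha1` to be populated by default. A comment above those two groups such as `# not_valid_* and *_certificate_sha1 are only present when a custom Zeek script adds them to ssl.log` would set expectations for anyone writing detections on certificate validity or hashes. Separately, this config sets only `network.transport: tcp` while ssh.yml in this diff also sets `network.protocol: ssh`; if leaving out `network.protocol: tls` is deliberate (the ssl expected-output fixture has no such field), a short comment saying so would stop it from being "fixed" later and breaking the fixture.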
@@ -0,0 +1,366 @@
+---
+description: Pipeline for normalizing Zeek ssl.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.ssl.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.ssl.ts
+- date:
+ if: ctx.tls?.server?.not_before != null
+ field: tls.server.not_before
+ target_field: tls.server.not_before
+ formats:
+ - UNIX
+- date:
+ if: ctx.tls?.server?.not_after != null
+ field: tls.server.not_after
+ target_field: tls.server.not_after
+ formats:
+ - UNIX
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- remove:
+ field: zeek.ssl.client.cert_chain_fuids
+ if: ctx.zeek.ssl.client?.cert_chain_fuids?.length == 0
+ ignore_missing: true
+- gsub:
+ field: zeek.ssl.issuer
+ pattern: \\,
+ replacement: ""
+ ignore_missing: true
+- kv:
+ field: zeek.ssl.issuer
+ field_split: ','
+ value_split: '='
+ target_field: zeek.ssl.server.issuer
+ ignore_missing: true
+- rename:
+ field: zeek.ssl.issuer
+ target_field: tls.server.issuer
+ ignore_missing: true
+- rename:
+ field: zeek.ssl.server.issuer.C
+ target_field: zeek.ssl.server.issuer.country
+ ignore_missing: true
+- set:
+ field: tls.server.x509.issuer.country
+ value: '{{zeek.ssl.server.issuer.country}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.server.issuer.CN
+ target_field: zeek.ssl.server.issuer.common_name
+ ignore_missing: true
+- set:
+ field: tls.server.x509.issuer.common_name
+ value: '{{zeek.ssl.server.issuer.common_name}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.server.issuer.L
+ target_field: zeek.ssl.server.issuer.locality
+ ignore_missing: true
+- set:
+ field: tls.server.x509.issuer.locality
+ value: '{{zeek.ssl.server.issuer.locality}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.server.issuer.O
+ target_field: zeek.ssl.server.issuer.organization
+ ignore_missing: true
+- set:
+ field: tls.server.x509.issuer.organization
+ value: '{{zeek.ssl.server.issuer.organization}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.server.issuer.OU
+ target_field: zeek.ssl.server.issuer.organizational_unit
+ ignore_missing: true
+- set:
+ field: tls.server.x509.issuer.organizational_unit
+ value: '{{zeek.ssl.server.issuer.organizational_unit}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.server.issuer.ST
+ target_field: zeek.ssl.server.issuer.state
+ ignore_missing: true
+- set:
+ field: tls.server.x509.issuer.state_or_province
+ value: '{{zeek.ssl.server.issuer.state}}'
+ ignore_empty_value: true
+- gsub:
+ field: zeek.ssl.subject
+ pattern: \\,
+ replacement: ""
+ ignore_missing: true
+- kv:
+ field: zeek.ssl.subject
+ field_split: ','
+ value_split: '='
+ target_field: zeek.ssl.server.subject
+ ignore_missing: true
+- rename:
+ field: zeek.ssl.subject
+ target_field: tls.server.subject
+ ignore_missing: true
+- rename:
+ field: zeek.ssl.server.subject.C
+ target_field: zeek.ssl.server.subject.country
+ ignore_missing: true
+- set:
+ field: tls.server.x509.subject.country
+ value: '{{zeek.ssl.server.subject.country}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.server.subject.CN
+ target_field: zeek.ssl.server.subject.common_name
+ ignore_missing: true
+- set:
+ field: tls.server.x509.subject.common_name
+ value: '{{zeek.ssl.server.subject.common_name}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.server.subject.L
+ target_field: zeek.ssl.server.subject.locality
+ ignore_missing: true
+- set:
+ field: tls.server.x509.subject.locality
+ value: '{{zeek.ssl.server.subject.locality}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.server.subject.O
+ target_field: zeek.ssl.server.subject.organization
+ ignore_missing: true
+- set:
+ field: tls.server.x509.subject.organization
+ value: '{{zeek.ssl.server.subject.organization}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.server.subject.OU
+ target_field: zeek.ssl.server.subject.organizational_unit
+ ignore_missing: true
+- set:
+ field: tls.server.x509.subject.organizational_unit
+ value: '{{zeek.ssl.server.subject.organizational_unit}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.server.subject.ST
+ target_field: zeek.ssl.server.subject.state
+ ignore_missing: true
+- set:
+ field: tls.server.x509.subject.state_or_province
+ value: '{{zeek.ssl.server.subject.state}}'
+ ignore_empty_value: true
+- gsub:
+ field: zeek.ssl.client_issuer
+ pattern: \\,
+ replacement: ""
+ ignore_missing: true
+- kv:
+ field: zeek.ssl.client_issuer
+ field_split: ','
+ value_split: '='
+ target_field: zeek.ssl.client.issuer
+ ignore_missing: true
+- rename:
+ field: zeek.ssl.client_issuer
+ target_field: tls.client.issuer
+ ignore_missing: true
+- rename:
+ field: zeek.ssl.client.issuer.C
+ target_field: zeek.ssl.client.issuer.country
+ ignore_missing: true
+- set:
+ field: tls.client.x509.issuer.country
+ value: '{{zeek.ssl.client.issuer.country}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.client.issuer.CN
+ target_field: zeek.ssl.client.issuer.common_name
+ ignore_missing: true
+- set:
+ field: tls.client.x509.issuer.common_name
+ value: '{{zeek.ssl.client.issuer.common_name}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.client.issuer.L
+ target_field: zeek.ssl.client.issuer.locality
+ ignore_missing: true
+- set:
+ field: tls.client.x509.issuer.locality
+ value: '{{zeek.ssl.client.issuer.locality}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.client.issuer.O
+ target_field: zeek.ssl.client.issuer.organization
+ ignore_missing: true
+- set:
+ field: tls.client.x509.issuer.organization
+ value: '{{zeek.ssl.client.issuer.organization}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.client.issuer.OU
+ target_field: zeek.ssl.client.issuer.organizational_unit
+ ignore_missing: true
+- set:
+ field: tls.client.x509.issuer.organizational_unit
+ value: '{{zeek.ssl.client.issuer.organizational_unit}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.client.issuer.ST
+ target_field: zeek.ssl.client.issuer.state
+ ignore_missing: true
+- set:
+ field: tls.client.x509.issuer.state_or_province
+ value: '{{zeek.ssl.client.issuer.state}}'
+ ignore_empty_value: true
+- gsub:
+ field: zeek.ssl.client_subject
+ pattern: \\,
+ replacement: ""
+ ignore_missing: true
+- kv:
+ field: zeek.ssl.client_subject
+ field_split: ','
+ value_split: '='
+ target_field: zeek.ssl.client.subject
+ ignore_missing: true
+- remove:
+ field: zeek.ssl.client_subject
+ ignore_missing: true
+- rename:
+ field: zeek.ssl.client.subject.C
+ target_field: zeek.ssl.client.subject.country
+ ignore_missing: true
+- set:
+ field: tls.client.x509.subject.country
+ value: '{{zeek.ssl.client.subject.country}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.client.subject.CN
+ target_field: zeek.ssl.client.subject.common_name
+ ignore_missing: true
+- set:
+ field: tls.client.x509.subject.common_name
+ value: '{{zeek.ssl.client.subject.common_name}}'
+ ignore_empty_value: true
+- rename:
+ field: zeek.ssl.client.subject.L
+ target_field: 
zeek.ssl.client.subject.locality + ignore_missing: true +- set: + field: tls.client.x509.subject.locality + value: '{{zeek.ssl.client.subject.locality}}' + ignore_empty_value: true +- rename: + field: zeek.ssl.client.subject.O + target_field: zeek.ssl.client.subject.organization + ignore_missing: true +- set: + field: tls.client.x509.subject.organization + value: '{{zeek.ssl.client.subject.organization}}' + ignore_empty_value: true +- rename: + field: zeek.ssl.client.subject.OU + target_field: zeek.ssl.client.subject.organizational_unit + ignore_missing: true +- set: + field: tls.client.x509.subject.organizational_unit + value: '{{zeek.ssl.client.subject.organizational_unit}}' + ignore_empty_value: true +- rename: + field: zeek.ssl.client.subject.ST + target_field: zeek.ssl.client.subject.state + ignore_missing: true +- set: + field: tls.client.x509.subject.state_or_province + value: '{{zeek.ssl.client.subject.state}}' + ignore_empty_value: true +- set: + field: tls.cipher + value: '{{zeek.ssl.cipher}}' + if: ctx.zeek?.ssl?.cipher != null +- set: + field: tls.curve + value: '{{zeek.ssl.curve}}' + if: ctx.zeek?.ssl?.curve != null +- convert: + target_field: tls.established + field: zeek.ssl.established + type: boolean + ignore_missing: true +- convert: + target_field: tls.resumed + field: zeek.ssl.resumed + type: boolean + ignore_missing: true +- script: + lang: painless + if: ctx.zeek?.ssl?.version != null + source: >- + def parts = ctx.zeek.ssl.version.splitOnToken("v"); + if (parts.length != 2) { + return; + } + if (parts[0] == "SSL") { + ctx.tls.version = parts[1] + ".0"; + } else { + ctx.tls.version = parts[1].substring(0,1) + "." 
+ parts[1].substring(1);
+ }
+ ctx.tls.version_protocol = parts[0].toLowerCase();
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ssl/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/ssl/manifest.yml
new file mode 100644
index 00000000..49e474df
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/ssl/manifest.yml
@@ -0,0 +1,19 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/ssl.log
+ os.linux:
+ - /var/log/bro/current/ssl.log
+ os.darwin:
+ - /usr/local/var/logs/current/ssl.log
+ - name: tags
+ default: [zeek.ssl]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/ssl.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json
new file mode 100644
index 00000000..72ac1dc8
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json
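Review bot: The four `kv` processors earlier in this hunk that split `zeek.ssl.issuer`, `zeek.ssl.subject`, `zeek.ssl.client_issuer` and `zeek.ssl.client_subject` write every `key=value` pair of the DN under `zeek.ssl.server.issuer`, `zeek.ssl.server.subject`, `zeek.ssl.client.issuer` and `zeek.ssl.client.subject`, yet the pipeline only ever renames the `C`, `CN`, `L`, `O`, `OU` and `ST` keys. The DN comes from whatever certificate the remote peer presents, so any other RDN type (emailAddress, serialNumber, raw OIDs, and I believe dotted keys are treated as nested paths) becomes an ad hoc field; if `zeek.ssl.*` is dynamically mapped this grows the mapping without bound and can yield `mapper_parsing_exception` rejections at index time. Adding `include_keys: [C, CN, L, O, OU, ST]` to each of the four `kv` processors keeps the document shape fixed to the keys the pipeline actually handles. Separately, `zeek.ssl.client_subject` is dropped with a `remove` after its kv split, while the other three DNs are preserved as `tls.server.issuer`, `tls.server.subject` and `tls.client.issuer`; the symmetric choice is a `rename` of `zeek.ssl.client_subject` to the ECS field `tls.client.subject` with `ignore_missing: true`.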
@@ -0,0 +1,166 @@ +[ + { + "@timestamp": "2019-01-17T01:32:16.805Z", + "client.address": "10.178.98.102", + "destination.address": "35.199.178.4", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "35.199.178.4", + "destination.port": 9243, + "event.category": [ + "network" + ], + "event.dataset": "zeek.ssl", + "event.id": "CAOvs1BMFCX2Eh0Y3", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "protocol" + ], + "fileset.name": "ssl", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:1PMhYqOKBIyRAQeMbg/pWiJ198g=", + "network.transport": "tcp", + "related.ip": [ + "10.178.98.102", + "35.199.178.4" + ], + "server.address": "35.199.178.4", + "service.type": "zeek", + "source.address": "10.178.98.102", + "source.ip": "10.178.98.102", + "source.port": 63199, + "tags": [ + "zeek.ssl" + ], + "tls.cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "tls.curve": "secp256r1", + "tls.established": true, + "tls.resumed": false, + "tls.server.issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", + "tls.server.subject": "CN=*.gcp.cloud.es.io,O=Elasticsearch Inc.,L=Mountain View,ST=California,C=US", + "tls.server.x509.issuer.common_name": "DigiCert SHA2 Secure Server CA", + "tls.server.x509.issuer.country": "US", + "tls.server.x509.issuer.organization": "DigiCert Inc", + "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io", + "tls.server.x509.subject.country": "US", + "tls.server.x509.subject.locality": "Mountain View", + "tls.server.x509.subject.organization": "Elasticsearch Inc.", 
+ "tls.server.x509.subject.state_or_province": "California", + "tls.version": "1.2", + "tls.version_protocol": "tls", + "zeek.session_id": "CAOvs1BMFCX2Eh0Y3", + "zeek.ssl.cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "zeek.ssl.curve": "secp256r1", + "zeek.ssl.established": true, + "zeek.ssl.resumed": false, + "zeek.ssl.server.cert_chain_fuids": [ + "FebkbHWVCV8rEEEne", + "F4BDY41MGUBT6URZMd", + "FWlfEfiHVkv8evDL3" + ], + "zeek.ssl.server.issuer.common_name": "DigiCert SHA2 Secure Server CA", + "zeek.ssl.server.issuer.country": "US", + "zeek.ssl.server.issuer.organization": "DigiCert Inc", + "zeek.ssl.server.name": "dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io", + "zeek.ssl.server.subject.common_name": "*.gcp.cloud.es.io", + "zeek.ssl.server.subject.country": "US", + "zeek.ssl.server.subject.locality": "Mountain View", + "zeek.ssl.server.subject.organization": "Elasticsearch Inc.", + "zeek.ssl.server.subject.state": "California", + "zeek.ssl.validation.status": "ok", + "zeek.ssl.version": "TLSv12" + }, + { + "@timestamp": "2019-01-17T01:32:16.805Z", + "client.address": "10.178.98.102", + "destination.address": "35.199.178.4", + "destination.as.number": 15169, + "destination.as.organization.name": "Google LLC", + "destination.geo.city_name": "Mountain View", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.4043, + "destination.geo.location.lon": -122.0748, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "35.199.178.4", + "destination.port": 9243, + "event.category": [ + "network" + ], + "event.dataset": "zeek.ssl", + "event.id": "C3mki91FnnNtm0u1ok", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "connection", + "protocol" + ], + "fileset.name": "ssl", + "input.type": "log", + "log.offset": 635, + "network.community_id": 
"1:zYbLmqRN6PLPB067HNAiAQISqvI=", + "network.transport": "tcp", + "related.ip": [ + "10.178.98.102", + "35.199.178.4" + ], + "server.address": "35.199.178.4", + "service.type": "zeek", + "source.address": "10.178.98.102", + "source.ip": "10.178.98.102", + "source.port": 63198, + "tags": [ + "zeek.ssl" + ], + "tls.cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "tls.curve": "secp256r1", + "tls.established": true, + "tls.resumed": false, + "tls.server.issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", + "tls.server.subject": "CN=*.gcp.cloud.es.io,O=Elasticsearch Inc.,L=Mountain View,ST=California,C=US", + "tls.server.x509.issuer.common_name": "DigiCert SHA2 Secure Server CA", + "tls.server.x509.issuer.country": "US", + "tls.server.x509.issuer.organization": "DigiCert Inc", + "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io", + "tls.server.x509.subject.country": "US", + "tls.server.x509.subject.locality": "Mountain View", + "tls.server.x509.subject.organization": "Elasticsearch Inc.", + "tls.server.x509.subject.state_or_province": "California", + "tls.version": "1.2", + "tls.version_protocol": "tls", + "zeek.session_id": "C3mki91FnnNtm0u1ok", + "zeek.ssl.cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "zeek.ssl.curve": "secp256r1", + "zeek.ssl.established": true, + "zeek.ssl.resumed": false, + "zeek.ssl.server.cert_chain_fuids": [ + "Fue9H32OmuitQk2zR", + "FpbiBP215tk2xftxM6", + "FEdROj1vUzTGw3BIUa" + ], + "zeek.ssl.server.issuer.common_name": "DigiCert SHA2 Secure Server CA", + "zeek.ssl.server.issuer.country": "US", + "zeek.ssl.server.issuer.organization": "DigiCert Inc", + "zeek.ssl.server.name": "dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io", + "zeek.ssl.server.subject.common_name": "*.gcp.cloud.es.io", + "zeek.ssl.server.subject.country": "US", + "zeek.ssl.server.subject.locality": "Mountain View", + "zeek.ssl.server.subject.organization": "Elasticsearch Inc.", + "zeek.ssl.server.subject.state": "California", + 
"zeek.ssl.validation.status": "ok", + "zeek.ssl.version": "TLSv12" + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/module/zeek/ssl/test/ssl-with-ja3-and-custom-fields-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/ssl/test/ssl-with-ja3-and-custom-fields-json.log-expected.json new file mode 100644 index 00000000..c4b3cb7a --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/ssl/test/ssl-with-ja3-and-custom-fields-json.log-expected.json 
@@ -0,0 +1,78 @@
+[
+ {
+ "@timestamp": "2020-10-08T17:50:57.352Z",
+ "client.address": "10.0.0.1",
+ "destination.address": "192.168.50.1",
+ "destination.ip": "192.168.50.1",
+ "destination.port": 443,
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "zeek.ssl",
+ "event.id": "CK17Dl2SB8bZOVonSl",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
+ "connection",
+ "protocol"
+ ],
+ "fileset.name": "ssl",
+ "input.type": "log",
+ "log.offset": 0,
+ "network.community_id": "1:qNHgoGHFvyhhK2jU7LlS3537ODc=",
+ "network.transport": "tcp",
+ "related.ip": [
+ "10.0.0.1",
+ "192.168.50.1"
+ ],
+ "server.address": "192.168.50.1",
+ "service.type": "zeek",
+ "source.address": "10.0.0.1",
+ "source.ip": "10.0.0.1",
+ "source.port": 49228,
+ "tags": [
+ "zeek.ssl"
+ ],
+ "tls.cipher": "TLS_RSA_WITH_AES_128_CBC_SHA256",
+ "tls.client.ja3": "74927e242d6c3febf8cb9cab10a7f889",
+ "tls.established": true,
+ "tls.resumed": false,
+ "tls.server.hash.sha1": "5dad8b55621b6b9c30679d9d61248dd132a83c94",
+ "tls.server.issuer": "CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI",
+ "tls.server.ja3s": "80b3a14bccc8598a1f3bbe83e71f735f",
+ "tls.server.not_after": "2019-12-30T23:23:44.000Z",
+ "tls.server.not_before": "2019-07-01T23:07:01.000Z",
+ "tls.server.subject": "CN=foo,OU=foo@bar,O=org,L=locality,C=LO",
+ "tls.server.x509.issuer.common_name": "CA",
+ "tls.server.x509.issuer.country": "HI",
+ "tls.server.x509.issuer.locality": "foo",
+ "tls.server.x509.issuer.organization": "Example Corp",
+ "tls.server.x509.issuer.organizational_unit": "CA@example.com",
+ "tls.server.x509.subject.common_name": "foo",
+ "tls.server.x509.subject.country": "LO",
+ "tls.server.x509.subject.locality": "locality",
+ "tls.server.x509.subject.organization": "org",
+ "tls.server.x509.subject.organizational_unit": "foo@bar",
+ "tls.version": "1.2",
+ "tls.version_protocol": "tls",
+ "zeek.session_id": "CK17Dl2SB8bZOVonSl",
+ "zeek.ssl.cipher": "TLS_RSA_WITH_AES_128_CBC_SHA256",
+
"zeek.ssl.established": true,
+ "zeek.ssl.resumed": false,
+ "zeek.ssl.server.cert_chain_fuids": [
+ "FOLwYQ6rs70bIMSf9"
+ ],
+ "zeek.ssl.server.issuer.common_name": "CA",
+ "zeek.ssl.server.issuer.country": "HI",
+ "zeek.ssl.server.issuer.locality": "foo",
+ "zeek.ssl.server.issuer.organization": "Example Corp",
+ "zeek.ssl.server.issuer.organizational_unit": "CA@example.com",
+ "zeek.ssl.server.subject.common_name": "foo",
+ "zeek.ssl.server.subject.country": "LO",
+ "zeek.ssl.server.subject.locality": "locality",
+ "zeek.ssl.server.subject.organization": "org",
+ "zeek.ssl.server.subject.organizational_unit": "foo@bar",
+ "zeek.ssl.validation.status": "self signed certificate",
+ "zeek.ssl.version": "TLSv12"
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/stats/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/stats/_meta/fields.yml
new file mode 100644
index 00000000..c043adcc
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/stats/_meta/fields.yml
@@ -0,0 +1,163 @@
+- name: stats
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek stats log.
+ fields:
+ - name: peer
+ type: keyword
+ description: |
+ Peer that generated this log. Mostly for clusters.
+
+ - name: memory
+ type: integer
+ description: |
+ Amount of memory currently in use in MB.
+
+ - name: packets
+ type: group
+ fields:
+ - name: processed
+ type: long
+ description: |
+ Number of packets processed since the last stats interval.
+
+ - name: dropped
+ type: long
+ description: |
+ Number of packets dropped since the last stats interval if reading live traffic.
+
+ - name: received
+ type: long
+ description: |
+ Number of packets seen on the link since the last stats interval if reading live traffic.
+
+ - name: bytes
+ type: group
+ fields:
+ - name: received
+ type: long
+ description: |
+ Number of bytes received since the last stats interval if reading live traffic.
+
+ - name: connections
+ type: group
+ fields:
+ - name: tcp
+ type: group
+ fields:
+ - name: active
+ type: integer
+ description: |
+ TCP connections currently in memory.
+
+ - name: count
+ type: integer
+ description: |
+ TCP connections seen since last stats interval.
+
+ - name: udp
+ type: group
+ fields:
+ - name: active
+ type: integer
+ description: |
+ UDP connections currently in memory.
+
+ - name: count
+ type: integer
+ description: |
+ UDP connections seen since last stats interval.
+
+ - name: icmp
+ type: group
+ fields:
+ - name: active
+ type: integer
+ description: |
+ ICMP connections currently in memory.
+
+ - name: count
+ type: integer
+ description: |
+ ICMP connections seen since last stats interval.
+
+ - name: events
+ type: group
+ fields:
+ - name: processed
+ type: integer
+ description: |
+ Number of events processed since the last stats interval.
+
+ - name: queued
+ type: integer
+ description: |
+ Number of events that have been queued since the last stats interval.
+
+ - name: timers
+ type: group
+ fields:
+ - name: count
+ type: integer
+ description: |
+ Number of timers scheduled since last stats interval.
+
+ - name: active
+ type: integer
+ description: |
+ Current number of scheduled timers.
+
+ - name: files
+ type: group
+ fields:
+ - name: count
+ type: integer
+ description: |
+ Number of files seen since last stats interval.
+
+ - name: active
+ type: integer
+ description: |
+ Current number of files actively being seen.
+
+ - name: dns_requests
+ type: group
+ fields:
+ - name: count
+ type: integer
+ description: |
+ Number of DNS requests seen since last stats interval.
+
+ - name: active
+ type: integer
+ description: |
+ Current number of DNS requests awaiting a reply.
+
+ - name: reassembly_size
+ type: group
+ fields:
+ - name: tcp
+ type: integer
+ description: |
+ Current size of TCP data in reassembly.
+
+ - name: file
+ type: integer
+ description: |
+ Current size of File data in reassembly.
+
+ - name: frag
+ type: integer
+ description: |
+ Current size of packet fragment data in reassembly.
+
+ - name: unknown
+ type: integer
+ description: |
+ Current size of unknown data in reassembly (this is only PIA buffer right now).
+
+ - name: timestamp_lag
+ type: integer
+ description: |
+ Lag between the wall clock and packet timestamps if reading live traffic.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/stats/config/stats.yml b/dynamite_nsm/confs/filebeat/module/zeek/stats/config/stats.yml
new file mode 100644
index 00000000..a8fcb0ce
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/stats/config/stats.yml
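Review bot: `timestamp_lag` is declared `type: integer` at the end of this hunk, which truncates fractional values; if the source `pkt_lag` column is a Zeek `interval` (seconds as a float, as I believe it is), any lag under one second indexes as 0 and the metric loses most of its signal. Consider `type: float` (or `double`) for this field, and state the unit in the description, e.g. `Lag between the wall clock and packet timestamps, in seconds, if reading live traffic.` The `stats` group this field belongs to starts on the previous line.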
@@ -0,0 +1,100 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.stats"
+
+ - from: "zeek.stats.mem"
+ to: "zeek.stats.memory"
+
+ - from: "zeek.stats.pkts_proc"
+ to: "zeek.stats.packets.processed"
+
+ - from: "zeek.stats.pkts_dropped"
+ to: "zeek.stats.packets.dropped"
+
+ - from: "zeek.stats.pkts_link"
+ to: "zeek.stats.packets.received"
+
+ - from: "zeek.stats.pkts_link"
+ to: "zeek.stats.packets.received"
+
+ - from: "zeek.stats.bytes_recv"
+ to: "zeek.stats.bytes.received"
+
+ - from: "zeek.stats.tcp_conns"
+ to: "zeek.stats.connections.tcp.count"
+
+ - from: "zeek.stats.active_tcp_conns"
+ to: "zeek.stats.connections.tcp.active"
+
+ - from: "zeek.stats.udp_conns"
+ to: "zeek.stats.connections.udp.count"
+
+ - from: "zeek.stats.active_udp_conns"
+ to: "zeek.stats.connections.udp.active"
+
+ - from: "zeek.stats.icmp_conns"
+ to: "zeek.stats.connections.icmp.count"
+
+ - from: "zeek.stats.active_icmp_conns"
+ to: "zeek.stats.connections.icmp.active"
+
+ - from: "zeek.stats.events_proc"
+ to: "zeek.stats.events.processed"
+
+ - from: "zeek.stats.events_queued"
+ to: "zeek.stats.events.queued"
+
+ - from: "zeek.stats.timers"
+ to: "zeek.stats.timers.count"
+
+ - from: "zeek.stats.active_timers"
+ to: "zeek.stats.timers.active"
+
+ - from: "zeek.stats.files"
+ to: "zeek.stats.files.count"
+
+ - from: "zeek.stats.active_files"
+ to: "zeek.stats.files.active"
+
+ - from: "zeek.stats.dns_requests"
+ to: "zeek.stats.dns_requests.count"
+
+ - from: "zeek.stats.active_dns_requests"
+ to: "zeek.stats.dns_requests.active"
+
+ - from: "zeek.stats.reassem_tcp_size"
+ to: "zeek.stats.reassembly_size.tcp"
+
+ - from: "zeek.stats.reassem_file_size"
+ to: "zeek.stats.reassembly_size.file"
+
+ - from:
"zeek.stats.reassem_frag_size"
+ to: "zeek.stats.reassembly_size.frag"
+
+ - from: "zeek.stats.reassem_unknown_size"
+ to: "zeek.stats.reassembly_size.unknown"
+
+ - from: "zeek.stats.pkt_lag"
+ to: "zeek.stats.timestamp_lag"
+
+ ignore_missing: true
+ fail_on_error: false
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/stats/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/stats/ingest/pipeline.yml
new file mode 100644
index 00000000..04e851e1
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/stats/ingest/pipeline.yml
@@ -0,0 +1,21 @@
+description: Pipeline for normalizing Zeek stats.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.stats.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.stats.ts
+- set:
+ field: event.kind
+ value: metric
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/stats/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/stats/manifest.yml
new file mode 100644
index 00000000..f63ad40b
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/stats/manifest.yml
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/stats.log
+ os.linux:
+ - /var/log/bro/current/stats.log
+ os.darwin:
+ - /usr/local/var/logs/current/stats.log
+ - name: tags
+ default: [zeek.stats]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/stats.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/stats/test/stats-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/stats/test/stats-json.log-expected.json
new file mode 100644
index 00000000..bcb5f24f
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/stats/test/stats-json.log-expected.json
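Review bot: The rename list in stats.yml carries the `zeek.stats.pkts_link` → `zeek.stats.packets.received` pair twice, back to back (in the hunk on the previous line). With `ignore_missing: true` the second copy is a no-op, but it reads as though two different source columns were intended and will mislead the next edit of this list; drop the duplicate `- from: "zeek.stats.pkts_link"` / `to: "zeek.stats.packets.received"` block. The rename processor starts on the previous line and its `ignore_missing`/`fail_on_error` options close it on this one.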
@@ -0,0 +1,37 @@
+[
+ {
+ "@timestamp": "2016-10-16T08:17:58.714Z",
+ "event.dataset": "zeek.stats",
+ "event.kind": "metric",
+ "event.module": "zeek",
+ "fileset.name": "stats",
+ "input.type": "log",
+ "log.offset": 0,
+ "service.type": "zeek",
+ "tags": [
+ "zeek.stats"
+ ],
+ "zeek.stats.bytes.received": 39674,
+ "zeek.stats.connections.icmp.active": 0,
+ "zeek.stats.connections.icmp.count": 2,
+ "zeek.stats.connections.tcp.active": 1,
+ "zeek.stats.connections.tcp.count": 6,
+ "zeek.stats.connections.udp.active": 3,
+ "zeek.stats.connections.udp.count": 36,
+ "zeek.stats.dns_requests.active": 0,
+ "zeek.stats.dns_requests.count": 0,
+ "zeek.stats.events.processed": 723,
+ "zeek.stats.events.queued": 728,
+ "zeek.stats.files.active": 0,
+ "zeek.stats.files.count": 0,
+ "zeek.stats.memory": 94,
+ "zeek.stats.packets.processed": 296,
+ "zeek.stats.peer": "bro",
+ "zeek.stats.reassembly_size.file": 0,
+ "zeek.stats.reassembly_size.frag": 0,
+ "zeek.stats.reassembly_size.tcp": 0,
+ "zeek.stats.reassembly_size.unknown": 0,
+ "zeek.stats.timers.active": 38,
+ "zeek.stats.timers.count": 797
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/syslog/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/syslog/_meta/fields.yml
new file mode 100644
index 00000000..8f5f9f0e
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/syslog/_meta/fields.yml
@@ -0,0 +1,20 @@
+- name: syslog
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek syslog log.
+ fields:
+ - name: facility
+ type: keyword
+ description: >
+ Syslog facility for the message.
+
+ - name: severity
+ type: keyword
+ description: >
+ Syslog severity for the message.
+
+ - name: message
+ type: keyword
+ description: >
+ The plain text message.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/syslog/config/syslog.yml b/dynamite_nsm/confs/filebeat/module/zeek/syslog/config/syslog.yml
new file mode 100644
index 00000000..167e7ea9
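Review bot: The syslog fields file declares `zeek.syslog.message`, but the syslog config hunk on the next line renames `zeek.syslog.message` to `zeek.syslog.msg`, and the syslog ingest pipeline hunk after that does not map it back, so the declared field never receives data and `zeek.syslog.msg` is left to dynamic mapping (or dropped, depending on the index template's `dynamic` setting). Either declare `- name: msg` here or retarget the rename to keep `zeek.syslog.message`; whichever is intended, the two files should agree on one name.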
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/syslog/config/syslog.yml
@@ -0,0 +1,60 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+fields:
+ network.protocol: syslog
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.syslog"
+
+ - from: "zeek.syslog.id.orig_h"
+ to: "source.address"
+
+ - from: "zeek.syslog.id.orig_p"
+ to: "source.port"
+
+ - from: "zeek.syslog.id.resp_h"
+ to: "destination.address"
+
+ - from: "zeek.syslog.id.resp_p"
+ to: "destination.port"
+
+ - from: "zeek.syslog.uid"
+ to: "zeek.session_id"
+
+ - from: "zeek.syslog.proto"
+ to: "network.transport"
+
+ - from: "zeek.syslog.message"
+ to: "zeek.syslog.msg"
+
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "zeek.session_id", to: "event.id"}
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ - {from: "zeek.syslog.facility", to: "log.syslog.facility.name"}
+ - {from: "zeek.syslog.severity", to: "log.syslog.severity.name"}
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ - community_id:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/syslog/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/syslog/ingest/pipeline.yml
new file mode 100644
index 00000000..5f3432ec
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/syslog/ingest/pipeline.yml
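Review bot: The `convert` processor in syslog.yml has no `ignore_missing: true` / `fail_on_error: false`, unlike the traceroute, tunnel and weird configs later in this diff, so a record missing `source.address` or carrying a non-IP value makes the processor error out instead of skipping that field. Add `ignore_missing: true` and `fail_on_error: false` after the `log.syslog.severity.name` entry, matching the sibling modules. The `add_fields` block here also sets only `kind: event`, where the sibling modules populate `category` and `type` as well; if that omission is deliberate, a one-line comment saying so would save the next reader the comparison.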
@@ -0,0 +1,66 @@
+description: Pipeline for normalizing Zeek syslog.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.syslog.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.syslog.ts
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/syslog/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/syslog/manifest.yml
new file mode 100644
index 00000000..03a80586
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/syslog/manifest.yml
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/syslog.log
+ os.linux:
+ - /var/log/bro/current/syslog.log
+ os.darwin:
+ - /usr/local/var/logs/current/syslog.log
+ - name: tags
+ default: [zeek.syslog]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/syslog.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/traceroute/config/traceroute.yml b/dynamite_nsm/confs/filebeat/module/zeek/traceroute/config/traceroute.yml
new file mode 100644
index 00000000..35671bd1
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/traceroute/config/traceroute.yml
@@ -0,0 +1,48 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.traceroute"
+
+ - from: "zeek.traceroute.src"
+ to: "source.address"
+
+ - from: "zeek.traceroute.dst"
+ to: "destination.address"
+
+ - from: "zeek.traceroute.proto"
+ to: "network.transport"
+
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ ignore_missing: true
+ fail_on_error: false
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - network
+ type:
+ - info
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/traceroute/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/traceroute/ingest/pipeline.yml
new file mode 100644
index 00000000..f4744c54
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/traceroute/ingest/pipeline.yml
@@ -0,0 +1,66 @@
+description: Pipeline for normalizing Zeek traceroute.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.traceroute.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.traceroute.ts
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/traceroute/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/traceroute/manifest.yml
new file mode 100644
index 00000000..0761e9b3
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/traceroute/manifest.yml
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/traceroute.log
+ os.linux:
+ - /var/log/bro/current/traceroute.log
+ os.darwin:
+ - /usr/local/var/logs/current/traceroute.log
+ - name: tags
+ default: [zeek.traceroute]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/traceroute.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json
new file mode 100644
index 00000000..34d60017
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json
@@ -0,0 +1,37 @@
+[
+ {
+ "@timestamp": "2013-02-26T22:02:38.650Z",
+ "destination.address": "8.8.8.8",
+ "destination.as.number": 15169,
+ "destination.as.organization.name": "Google LLC",
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.country_name": "United States",
+ "destination.geo.location.lat": 37.751,
+ "destination.geo.location.lon": -97.822,
+ "destination.ip": "8.8.8.8",
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "zeek.traceroute",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
+ "info"
+ ],
+ "fileset.name": "traceroute",
+ "input.type": "log",
+ "log.offset": 0,
+ "network.transport": "udp",
+ "related.ip": [
+ "192.168.1.1",
+ "8.8.8.8"
+ ],
+ "service.type": "zeek",
+ "source.address": "192.168.1.1",
+ "source.ip": "192.168.1.1",
+ "tags": [
+ "zeek.traceroute"
+ ]
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/tunnel/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/tunnel/_meta/fields.yml
new file mode 100644
index 00000000..bef9c6e9
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/tunnel/_meta/fields.yml
@@ -0,0 +1,15 @@
+- name: tunnel
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek SSH log.
+ fields:
+ - name: type
+ type: keyword
+ description: >
+ The type of tunnel.
+
+ - name: action
+ type: keyword
+ description: >
+ The type of activity that occurred.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/tunnel/config/tunnel.yml b/dynamite_nsm/confs/filebeat/module/zeek/tunnel/config/tunnel.yml
new file mode 100644
index 00000000..8bf2bd3e
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/tunnel/config/tunnel.yml
@@ -0,0 +1,59 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.tunnel"
+
+ - from: "zeek.tunnel.id.orig_h"
+ to: "source.address"
+
+ - from: "zeek.tunnel.id.orig_p"
+ to: "source.port"
+
+ - from: "zeek.tunnel.id.resp_h"
+ to: "destination.address"
+
+ - from: "zeek.tunnel.id.resp_p"
+ to: "destination.port"
+
+ - from: "zeek.tunnel.uid"
+ to: "zeek.session_id"
+
+ - from: "zeek.tunnel.tunnel_type"
+ to: "zeek.tunnel.type"
+
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "zeek.session_id", to: "event.id"}
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ - {from: "zeek.tunnel.action", to: "event.action"}
+ ignore_missing: true
+ fail_on_error: false
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/tunnel/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/tunnel/ingest/pipeline.yml
new file mode 100644
index 00000000..9ca83da3
--- /dev/null
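Review bot: The group description in the tunnel fields file reads `Fields exported by the Zeek SSH log.` although this is the tunnel fileset; it looks copied from the ssh module. Change it to `Fields exported by the Zeek tunnel log.` so the generated field reference describes the right log.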
+++ b/dynamite_nsm/confs/filebeat/module/zeek/tunnel/ingest/pipeline.yml
@@ -0,0 +1,66 @@
+description: Pipeline for normalizing Zeek tunnel.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.tunnel.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.tunnel.ts
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/tunnel/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/tunnel/manifest.yml
new file mode 100644
index 00000000..a0618a12
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/tunnel/manifest.yml
@@ -0,0 +1,15 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/tunnel.log
+ os.linux:
+ - /var/log/bro/current/tunnel.log
+ os.darwin:
+ - /usr/local/var/logs/current/tunnel.log
+ - name: tags
+ default: [zeek.tunnel]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/tunnel.yml
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json
new file mode 100644
index 00000000..3ef70950
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json
@@ -0,0 +1,48 @@
+[
+ {
+ "@timestamp": "2018-12-10T01:34:26.743Z",
+ "destination.address": "132.16.110.133",
+ "destination.as.number": 427,
+ "destination.as.organization.name": "Air Force Systems Networking",
+ "destination.geo.continent_name": "North America",
+ "destination.geo.country_iso_code": "US",
+ "destination.geo.country_name": "United States",
+ "destination.geo.location.lat": 37.751,
+ "destination.geo.location.lon": -97.822,
+ "destination.ip": "132.16.110.133",
+ "destination.port": 8080,
+ "event.action": "Tunnel::DISCOVER",
+ "event.category": [
+ "network"
+ ],
+ "event.dataset": "zeek.tunnel",
+ "event.kind": "event",
+ "event.module": "zeek",
+ "event.type": [
+ "connection"
+ ],
+ "fileset.name": "tunnel",
+ "input.type": "log",
+ "log.offset": 0,
+ "related.ip": [
+ "132.16.146.79",
+ "132.16.110.133"
+ ],
+ "service.type": "zeek",
+ "source.address": "132.16.146.79",
+ "source.as.number": 427,
+ "source.as.organization.name": "Air Force Systems Networking",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.country_name": "United States",
+ "source.geo.location.lat": 37.751,
+ "source.geo.location.lon": -97.822,
+ "source.ip": "132.16.146.79",
+ "source.port": 0,
+ "tags": [
+ "zeek.tunnel"
+ ],
+ "zeek.tunnel.action": "Tunnel::DISCOVER",
+ "zeek.tunnel.type": "Tunnel::HTTP"
+ }
+]
\ No newline at end of file
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/weird/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/weird/_meta/fields.yml
new file mode 100644
index 00000000..72a0791a
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/weird/_meta/fields.yml
@@ -0,0 +1,30 @@
+- name: weird
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek Weird log.
+ fields:
+ - name: name
+ type: keyword
+ description: |
+ The name of the weird that occurred.
+
+ - name: additional_info
+ type: keyword
+ description: |
+ Additional information accompanying the weird if any.
+
+ - name: notice
+ type: boolean
+ description: |
+ Indicate if this weird was also turned into a notice.
+
+ - name: peer
+ type: keyword
+ description: |
+ The peer that originated this weird. This is helpful in cluster deployments if a particular cluster node is having trouble to help identify which node is having trouble.
+
+ - name: identifier
+ type: keyword
+ description: |
+ This field is to be provided when a weird is generated for the purpose of deduplicating weirds. The identifier string should be unique for a single instance of the weird. This field is used to define when a weird is conceptually a duplicate of a previous weird.
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/weird/config/weird.yml b/dynamite_nsm/confs/filebeat/module/zeek/weird/config/weird.yml
new file mode 100644
index 00000000..317001ec
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/weird/config/weird.yml
@@ -0,0 +1,59 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+json.keys_under_root: false
+
+fields_under_root: true
+
+processors:
+ - rename:
+ fields:
+ - from: "json"
+ to: "zeek.weird"
+
+ - from: "zeek.weird.id.orig_h"
+ to: "source.address"
+
+ - from: "zeek.weird.id.orig_p"
+ to: "source.port"
+
+ - from: "zeek.weird.id.resp_h"
+ to: "destination.address"
+
+ - from: "zeek.weird.id.resp_p"
+ to: "destination.port"
+
+ - from: "zeek.weird.uid"
+ to: "zeek.session_id"
+
+ - from: "zeek.weird.addl"
+ to: "zeek.weird.additional_info"
+
+ ignore_missing: true
+ fail_on_error: false
+ - convert:
+ fields:
+ - {from: "zeek.session_id", to: "event.id"}
+ - {from: "source.address", to: "source.ip", type: "ip"}
+ - {from: "destination.address", to: "destination.ip", type: "ip"}
+ - {from: "zeek.weird.name", to: "rule.name"}
+ ignore_missing: true
+ fail_on_error: false
+ - add_fields:
+ target: event
+ fields:
+ kind: alert
+ category:
+ - network
+ type:
+ - info
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/weird/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/weird/ingest/pipeline.yml
new file mode 100644
index 00000000..d791eb77
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/weird/ingest/pipeline.yml
@@ -0,0 +1,66 @@
+description: Pipeline for normalizing Zeek weird.log
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: event.created
+ value: '{{@timestamp}}'
+- date:
+ field: zeek.weird.ts
+ formats:
+ - UNIX
+- remove:
+ field: zeek.weird.ts
+- geoip:
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+- rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+- append:
+ field: related.ip
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+- append:
+ field: related.ip
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/weird/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/weird/manifest.yml
new file mode 100644
index 00000000..3e91c91c
--- /dev/null
+++ b/dynamite_nsm/confs/filebeat/module/zeek/weird/manifest.yml
@@ -0,0 +1,15 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/weird.log + os.linux: + - /var/log/bro/current/weird.log + os.darwin: + - /usr/local/var/logs/current/weird.log + - name: tags + default: [zeek.weird] + +ingest_pipeline: ingest/pipeline.yml +input: config/weird.yml diff --git a/dynamite_nsm/confs/filebeat/module/zeek/weird/test/weird-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/weird/test/weird-json.log-expected.json new file mode 100644 index 00000000..cc9f7f49 --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/weird/test/weird-json.log-expected.json @@ -0,0 +1,60 @@ +[ + { + "@timestamp": "2018-12-03T22:59:59.993Z", + "destination.address": "192.168.1.2", + "destination.ip": "192.168.1.2", + "destination.port": 53, + "event.category": [ + "network" + ], + "event.dataset": "zeek.weird", + "event.id": "C1ralPp062bkwWt4e", + "event.kind": "alert", + "event.module": "zeek", + "event.type": [ + "info" + ], + "fileset.name": "weird", + "input.type": "log", + "log.offset": 0, + "related.ip": [ + "192.168.1.1", + "192.168.1.2" + ], + "rule.name": "dns_unmatched_reply", + "service.type": "zeek", + "source.address": "192.168.1.1", + "source.ip": "192.168.1.1", + "source.port": 64521, + "tags": [ + "zeek.weird" + ], + "zeek.session_id": "C1ralPp062bkwWt4e", + "zeek.weird.name": "dns_unmatched_reply", + "zeek.weird.notice": false, + "zeek.weird.peer": "worker-6" + }, + { + "@timestamp": "2020-01-28T16:00:59.342Z", + "event.category": [ + "network" + ], + "event.dataset": "zeek.weird", + "event.kind": "alert", + "event.module": "zeek", + "event.type": [ + "info" + ], + "fileset.name": "weird", + "input.type": "log", + "log.offset": 197, + "rule.name": "non_ip_packet_in_ethernet", + "service.type": "zeek", + "tags": [ + "zeek.weird" + ], + "zeek.weird.name": "non_ip_packet_in_ethernet", + "zeek.weird.notice": false, + "zeek.weird.peer": "ens3f1-4" + } +] \ No newline at end of file 
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/x509/_meta/fields.yml b/dynamite_nsm/confs/filebeat/module/zeek/x509/_meta/fields.yml new file mode 100644 index 00000000..bc08ad5c --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/x509/_meta/fields.yml 
@@ -0,0 +1,199 @@ +- name: x509 + type: group + default_field: false + description: > + Fields exported by the Zeek x509 log. + fields: + - name: id + type: keyword + description: > + File id of this certificate. + + - name: certificate + type: group + description: > + Basic information about the certificate. + fields: + - name: version + type: integer + description: > + Version number. + + - name: serial + type: keyword + description: > + Serial number. + + - name: subject + type: group + description: > + Subject. + fields: + - name: country + type: keyword + description: > + Country provided in the certificate subject. + + - name: common_name + type: keyword + description: > + Common name provided in the certificate subject. + + - name: locality + type: keyword + description: > + Locality provided in the certificate subject. + + - name: organization + type: keyword + description: > + Organization provided in the certificate subject. + + - name: organizational_unit + type: keyword + description: > + Organizational unit provided in the certificate subject. + + - name: state + type: keyword + description: > + State or province provided in the certificate subject. + + - name: issuer + type: group + description: > + Issuer. + fields: + - name: country + type: keyword + description: > + Country provided in the certificate issuer field. + + - name: common_name + type: keyword + description: > + Common name provided in the certificate issuer field. + + - name: locality + type: keyword + description: > + Locality provided in the certificate issuer field. + + - name: organization + type: keyword + description: > + Organization provided in the certificate issuer field. + + - name: organizational_unit + type: keyword + description: > + Organizational unit provided in the certificate issuer field. + + - name: state + type: keyword + description: > + State or province provided in the certificate issuer field. 
+ + - name: common_name + type: keyword + description: > + Last (most specific) common name. + + - name: valid + type: group + description: > + Certificate validity timestamps + fields: + - name: from + type: date + description: > + Timestamp before when certificate is not valid. + + - name: until + type: date + description: > + Timestamp after when certificate is not valid. + + - name: key + type: group + fields: + - name: algorithm + type: keyword + description: > + Name of the key algorithm. + + - name: type + type: keyword + description: > + Key type, if key parseable by openssl (either rsa, dsa or ec). + + - name: length + type: integer + description: > + Key length in bits. + + - name: signature_algorithm + type: keyword + description: > + Name of the signature algorithm. + + - name: exponent + type: keyword + description: > + Exponent, if RSA-certificate. + + - name: curve + type: keyword + description: > + Curve, if EC-certificate. + + - name: san + type: group + description: > + Subject alternative name extension of the certificate. + fields: + - name: dns + type: keyword + description: > + List of DNS entries in SAN. + + - name: uri + type: keyword + description: > + List of URI entries in SAN. + + - name: email + type: keyword + description: > + List of email entries in SAN. + + - name: ip + type: ip + description: > + List of IP entries in SAN. + + - name: other_fields + type: boolean + description: > + True if the certificate contained other, not recognized or parsed name fields. + + - name: basic_constraints + type: group + description: > + Basic constraints extension of the certificate. + fields: + - name: certificate_authority + type: boolean + description: > + CA flag set or not. + + - name: path_length + type: integer + description: > + Maximum path length. + + - name: log_cert + type: boolean + description: | + Present if policy/protocols/ssl/log-hostcerts-only.bro is loaded + Logging of certificate is suppressed if set to F. 
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/x509/config/x509.yml b/dynamite_nsm/confs/filebeat/module/zeek/x509/config/x509.yml new file mode 100644 index 00000000..0f9b418e --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/x509/config/x509.yml @@ -0,0 +1,70 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + +json.keys_under_root: false + +fields_under_root: true + +processors: + - rename: + fields: + - from: "json" + to: "zeek.x509" + + - from: "zeek.x509.id" + to: "zeek.session_id" + + - from: "zeek.x509.certificate.not_valid_before" + to: "zeek.x509.certificate.valid.from" + + - from: "zeek.x509.certificate.not_valid_after" + to: "zeek.x509.certificate.valid.until" + + - from: "zeek.x509.basic_constraints.ca" + to: "zeek.x509.basic_constraints.certificate_authority" + + - from: "zeek.x509.basic_constraints.path_len" + to: "zeek.x509.basic_constraints.path_length" + + - from: "zeek.x509.certificate.cn" + to: "zeek.x509.certificate.common_name" + + - from: "zeek.x509.certificate.issuer" + to: "zeek.x509.certificate.iss" + + - from: "zeek.x509.certificate.subject" + to: "zeek.x509.certificate.sub" + + - from: "zeek.x509.certificate.key_alg" + to: "zeek.x509.certificate.key.algorithm" + + - from: "zeek.x509.certificate.key_length" + to: "zeek.x509.certificate.key.length" + + - from: "zeek.x509.certificate.key_type" + to: "zeek.x509.certificate.key.type" + + - from: "zeek.x509.certificate.sig_alg" + to: "zeek.x509.certificate.signature_algorithm" + + - from: "zeek.x509.logcert" + to: "zeek.x509.log_cert" + + ignore_missing: true + fail_on_error: false + - add_fields: + target: event + fields: + kind: event + type: + - info + - add_fields: + target: '' + fields: + ecs.version: 1.8.0 
diff --git a/dynamite_nsm/confs/filebeat/module/zeek/x509/ingest/pipeline.yml b/dynamite_nsm/confs/filebeat/module/zeek/x509/ingest/pipeline.yml new file mode 100644 index 00000000..db9317cc --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/x509/ingest/pipeline.yml 
@@ -0,0 +1,274 @@ +--- +description: Pipeline for normalizing Zeek x509.log +processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + - set: + field: event.created + value: '{{@timestamp}}' + - date: + field: zeek.x509.ts + formats: + - UNIX + - remove: + field: zeek.x509.ts + - set: + field: event.id + value: '{{zeek.session_id}}' + if: ctx.zeek.session_id != null + - set: + field: file.x509.signature_algorithm + value: '{{zeek.x509.certificate.signature_algorithm}}' + ignore_empty_value: true + - script: + lang: painless + params: + "md2WithRSAEncryption": MD2-RSA + "md5WithRSAEncryption": MD5-RSA + "sha-1WithRSAEncryption": SHA1-RSA + "sha256WithRSAEncryption": SHA256-RSA + "sha384WithRSAEncryption": SHA384-RSA + "sha512WithRSAEncryption": SHA512-RSA + "dsaWithSha1": DSA-SHA1 + "dsaWithSha256": DSA-SHA256 + "ecdsa-with-SHA1": ECDSA-SHA1 + "ecdsa-with-SHA256": ECDSA-SHA256 + "ecdsa-with-SHA384": ECDSA-SHA384 + "ecdsa-with-SHA512": ECDSA-SHA512 + "id-Ed25519": Ed25519 + source: | + String algo = params.get(ctx.file.x509.signature_algorithm); + if (algo != null) { + ctx.file.x509.signature_algorithm = algo; + } + if: ctx?.file?.x509?.signature_algorithm != null + - set: + field: file.x509.public_key_algorithm + value: '{{zeek.x509.certificate.key.algorithm}}' + ignore_empty_value: true + - convert: + field: zeek.x509.certificate.key.length + target_field: file.x509.public_key_size + type: long + ignore_missing: true + - dot_expander: + field: certificate.exponent + path: zeek.x509 + - convert: + field: zeek.x509.certificate.exponent + target_field: file.x509.public_key_exponent + type: long + ignore_missing: true + - dot_expander: + field: certificate.serial + path: zeek.x509 + - set: + field: file.x509.serial_number + value: '{{zeek.x509.certificate.serial}}' + ignore_empty_value: true + - dot_expander: + field: certificate.version + path: zeek.x509 + - set: + field: file.x509.version_number + value: '{{zeek.x509.certificate.version}}' + 
ignore_empty_value: true + - dot_expander: + field: san.dns + path: zeek.x509 + - foreach: + field: zeek.x509.san.dns + ignore_missing: true + processor: + append: + field: file.x509.alternative_names + value: '{{_ingest._value}}' + - dot_expander: + field: san.uri + path: zeek.x509 + - foreach: + field: zeek.x509.san.uri + ignore_missing: true + processor: + append: + field: file.x509.alternative_names + value: '{{_ingest._value}}' + - dot_expander: + field: san.email + path: zeek.x509 + - foreach: + field: zeek.x509.san.email + ignore_missing: true + processor: + append: + field: file.x509.alternative_names + value: '{{_ingest._value}}' + - dot_expander: + field: san.ip + path: zeek.x509 + - foreach: + field: zeek.x509.san.ip + ignore_missing: true + processor: + append: + field: file.x509.alternative_names + value: '{{_ingest._value}}' + - dot_expander: + field: san.other_fields + path: zeek.x509 + - foreach: + field: zeek.x509.san.other_fields + ignore_missing: true + processor: + append: + field: file.x509.alternative_names + value: '{{_ingest._value}}' + - date: + field: zeek.x509.certificate.valid.from + target_field: zeek.x509.certificate.valid.from + formats: + - UNIX + if: ctx.zeek.x509.certificate?.valid?.from != null + - set: + field: file.x509.not_before + value: '{{zeek.x509.certificate.valid.from}}' + ignore_empty_value: true + - date: + field: zeek.x509.certificate.valid.until + target_field: zeek.x509.certificate.valid.until + formats: + - UNIX + if: ctx.zeek.x509.certificate?.valid?.until != null + - set: + field: file.x509.not_after + value: '{{zeek.x509.certificate.valid.until}}' + ignore_empty_value: true + - gsub: + field: zeek.x509.certificate.iss + pattern: \\, + replacement: "" + ignore_missing: true + - kv: + field: zeek.x509.certificate.iss + field_split: ',' + value_split: '=' + target_field: zeek.x509.certificate.issuer + ignore_missing: true + - remove: + field: zeek.x509.certificate.iss + ignore_missing: true + - rename: + field: 
zeek.x509.certificate.issuer.C + target_field: zeek.x509.certificate.issuer.country + ignore_missing: true + - set: + field: file.x509.issuer.country + value: '{{zeek.x509.certificate.issuer.country}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.issuer.CN + target_field: zeek.x509.certificate.issuer.common_name + ignore_missing: true + - set: + field: file.x509.issuer.common_name + value: '{{zeek.x509.certificate.issuer.common_name}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.issuer.L + target_field: zeek.x509.certificate.issuer.locality + ignore_missing: true + - set: + field: file.x509.issuer.locality + value: '{{zeek.x509.certificate.issuer.locality}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.issuer.O + target_field: zeek.x509.certificate.issuer.organization + ignore_missing: true + - set: + field: file.x509.issuer.organization + value: '{{zeek.x509.certificate.issuer.organization}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.issuer.OU + target_field: zeek.x509.certificate.issuer.organizational_unit + ignore_missing: true + - set: + field: file.x509.issuer.organizational_unit + value: '{{zeek.x509.certificate.issuer.organizational_unit}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.issuer.ST + target_field: zeek.x509.certificate.issuer.state + ignore_missing: true + - set: + field: file.x509.issuer.state_or_province + value: '{{zeek.x509.certificate.issuer.state}}' + ignore_empty_value: true + - gsub: + field: zeek.x509.certificate.sub + pattern: \\, + replacement: "" + ignore_missing: true + - kv: + field: zeek.x509.certificate.sub + field_split: ',' + value_split: '=' + target_field: zeek.x509.certificate.subject + ignore_missing: true + - remove: + field: zeek.x509.certificate.sub + ignore_missing: true + - rename: + field: zeek.x509.certificate.subject.C + target_field: zeek.x509.certificate.subject.country + ignore_missing: 
true + - set: + field: file.x509.subject.country + value: '{{zeek.x509.certificate.subject.country}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.subject.CN + target_field: zeek.x509.certificate.subject.common_name + ignore_missing: true + - set: + field: file.x509.subject.common_name + value: '{{zeek.x509.certificate.subject.common_name}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.subject.L + target_field: zeek.x509.certificate.subject.locality + ignore_missing: true + - set: + field: file.x509.subject.locality + value: '{{zeek.x509.certificate.subject.locality}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.subject.O + target_field: zeek.x509.certificate.subject.organization + ignore_missing: true + - set: + field: file.x509.subject.organization + value: '{{zeek.x509.certificate.subject.organization}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.subject.OU + target_field: zeek.x509.certificate.subject.organizational_unit + ignore_missing: true + - set: + field: file.x509.subject.organizational_unit + value: '{{zeek.x509.certificate.subject.organizational_unit}}' + ignore_empty_value: true + - rename: + field: zeek.x509.certificate.subject.ST + target_field: zeek.x509.certificate.subject.state + ignore_missing: true + - set: + field: file.x509.subject.state_or_province + value: '{{zeek.x509.certificate.subject.state}}' + ignore_empty_value: true +on_failure: + - set: + field: error.message + value: '{{_ingest.on_failure_message}}' diff --git a/dynamite_nsm/confs/filebeat/module/zeek/x509/manifest.yml b/dynamite_nsm/confs/filebeat/module/zeek/x509/manifest.yml new file mode 100644 index 00000000..a183f7db --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/x509/manifest.yml 
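Review bot: `if: ctx.zeek.session_id != null` on the `event.id` set processor, and the `ctx.zeek.x509.certificate?.valid?.from` / `...valid?.until` conditions on the two date processors, dereference `ctx.zeek` and `ctx.zeek.x509` without the null-safe operator, so a document that reaches this pipeline without that object would raise inside Painless and the whole document would fall through to `on_failure` with only `error.message` set. The pipeline's own script condition already uses the null-safe form (`ctx?.file?.x509?.signature_algorithm != null`), so the fix is to match it: `if: ctx?.zeek?.session_id != null`, `if: ctx?.zeek?.x509?.certificate?.valid?.from != null` and `if: ctx?.zeek?.x509?.certificate?.valid?.until != null`. Whether such documents occur depends on the Filebeat input's `rename` of `json` to `zeek.x509` succeeding for every line, which this diff does not guarantee.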
@@ -0,0 +1,15 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /var/log/bro/current/x509.log + os.linux: + - /var/log/bro/current/x509.log + os.darwin: + - /usr/local/var/logs/current/x509.log + - name: tags + default: [zeek.x509] + +ingest_pipeline: ingest/pipeline.yml +input: config/x509.yml diff --git a/dynamite_nsm/confs/filebeat/module/zeek/x509/test/x509-json.log-expected.json b/dynamite_nsm/confs/filebeat/module/zeek/x509/test/x509-json.log-expected.json new file mode 100644 index 00000000..603a125e --- /dev/null +++ b/dynamite_nsm/confs/filebeat/module/zeek/x509/test/x509-json.log-expected.json 
@@ -0,0 +1,199 @@ +[ + { + "@timestamp": "2018-12-03T20:00:00.143Z", + "event.dataset": "zeek.x509", + "event.id": "FxZ6gZ3YR6vFlIocq3", + "event.kind": "event", + "event.module": "zeek", + "event.type": [ + "info" + ], + "file.x509.alternative_names": [ + "www.bing.com", + "dict.bing.com.cn", + "*.platform.bing.com", + "*.bing.com", + "bing.com", + "ieonline.microsoft.com", + "*.windowssearch.com", + "cn.ieonline.microsoft.com", + "*.origin.bing.com", + "*.mm.bing.net", + "*.api.bing.com", + "ecn.dev.virtualearth.net", + "*.cn.bing.net", + "*.cn.bing.com", + "ssl-api.bing.com", + "ssl-api.bing.net", + "*.api.bing.net", + "*.bingapis.com", + "bingsandbox.com", + "feedback.microsoft.com", + "insertmedia.bing.office.net", + "r.bat.bing.com", + "*.r.bat.bing.com", + "*.dict.bing.com.cn", + "*.dict.bing.com", + "*.ssl.bing.com", + "*.appex.bing.com", + "*.platform.cn.bing.com", + "wp.m.bing.com", + "*.m.bing.com", + "global.bing.com", + "windowssearch.com", + "search.msn.com", + "*.bingsandbox.com", + "*.api.tiles.ditu.live.com", + "*.ditu.live.com", + "*.t0.tiles.ditu.live.com", + "*.t1.tiles.ditu.live.com", + "*.t2.tiles.ditu.live.com", + "*.t3.tiles.ditu.live.com", + "*.tiles.ditu.live.com", + "3d.live.com", + "api.search.live.com", + "beta.search.live.com", + "cnweb.search.live.com", + "dev.live.com", + "ditu.live.com", + "farecast.live.com", + "image.live.com", + "images.live.com", + "local.live.com.au", + "localsearch.live.com", + "ls4d.search.live.com", + "mail.live.com", + "mapindia.live.com", + "local.live.com", + "maps.live.com", + "maps.live.com.au", + "mindia.live.com", + "news.live.com", + "origin.cnweb.search.live.com", + "preview.local.live.com", + "search.live.com", + "test.maps.live.com", + "video.live.com", + "videos.live.com", + "virtualearth.live.com", + "wap.live.com", + "webmaster.live.com", + "webmasters.live.com", + "www.local.live.com.au", + "www.maps.live.com.au" + ], + "file.x509.issuer.common_name": "Microsoft IT TLS CA 5", + 
"file.x509.issuer.country": "US", + "file.x509.issuer.locality": "Redmond", + "file.x509.issuer.organization": "Microsoft Corporation", + "file.x509.issuer.organizational_unit": "Microsoft IT", + "file.x509.issuer.state_or_province": "Washington", + "file.x509.not_after": "2019-07-10T17:47:08.000Z", + "file.x509.not_before": "2017-07-20T17:47:08.000Z", + "file.x509.public_key_algorithm": "rsaEncryption", + "file.x509.public_key_exponent": 65537, + "file.x509.public_key_size": 2048, + "file.x509.serial_number": "2D00003299D7071DB7D1708A42000000003299", + "file.x509.signature_algorithm": "SHA256-RSA", + "file.x509.subject.common_name": "www.bing.com", + "file.x509.version_number": "3", + "fileset.name": "x509", + "input.type": "log", + "log.offset": 0, + "service.type": "zeek", + "tags": [ + "zeek.x509" + ], + "zeek.session_id": "FxZ6gZ3YR6vFlIocq3", + "zeek.x509.certificate.exponent": "65537", + "zeek.x509.certificate.issuer.common_name": "Microsoft IT TLS CA 5", + "zeek.x509.certificate.issuer.country": "US", + "zeek.x509.certificate.issuer.locality": "Redmond", + "zeek.x509.certificate.issuer.organization": "Microsoft Corporation", + "zeek.x509.certificate.issuer.organizational_unit": "Microsoft IT", + "zeek.x509.certificate.issuer.state": "Washington", + "zeek.x509.certificate.key.algorithm": "rsaEncryption", + "zeek.x509.certificate.key.length": 2048, + "zeek.x509.certificate.key.type": "rsa", + "zeek.x509.certificate.serial": "2D00003299D7071DB7D1708A42000000003299", + "zeek.x509.certificate.signature_algorithm": "sha256WithRSAEncryption", + "zeek.x509.certificate.subject.common_name": "www.bing.com", + "zeek.x509.certificate.valid.from": "2017-07-20T17:47:08.000Z", + "zeek.x509.certificate.valid.until": "2019-07-10T17:47:08.000Z", + "zeek.x509.certificate.version": 3, + "zeek.x509.san.dns": [ + "www.bing.com", + "dict.bing.com.cn", + "*.platform.bing.com", + "*.bing.com", + "bing.com", + "ieonline.microsoft.com", + "*.windowssearch.com", + 
"cn.ieonline.microsoft.com", + "*.origin.bing.com", + "*.mm.bing.net", + "*.api.bing.com", + "ecn.dev.virtualearth.net", + "*.cn.bing.net", + "*.cn.bing.com", + "ssl-api.bing.com", + "ssl-api.bing.net", + "*.api.bing.net", + "*.bingapis.com", + "bingsandbox.com", + "feedback.microsoft.com", + "insertmedia.bing.office.net", + "r.bat.bing.com", + "*.r.bat.bing.com", + "*.dict.bing.com.cn", + "*.dict.bing.com", + "*.ssl.bing.com", + "*.appex.bing.com", + "*.platform.cn.bing.com", + "wp.m.bing.com", + "*.m.bing.com", + "global.bing.com", + "windowssearch.com", + "search.msn.com", + "*.bingsandbox.com", + "*.api.tiles.ditu.live.com", + "*.ditu.live.com", + "*.t0.tiles.ditu.live.com", + "*.t1.tiles.ditu.live.com", + "*.t2.tiles.ditu.live.com", + "*.t3.tiles.ditu.live.com", + "*.tiles.ditu.live.com", + "3d.live.com", + "api.search.live.com", + "beta.search.live.com", + "cnweb.search.live.com", + "dev.live.com", + "ditu.live.com", + "farecast.live.com", + "image.live.com", + "images.live.com", + "local.live.com.au", + "localsearch.live.com", + "ls4d.search.live.com", + "mail.live.com", + "mapindia.live.com", + "local.live.com", + "maps.live.com", + "maps.live.com.au", + "mindia.live.com", + "news.live.com", + "origin.cnweb.search.live.com", + "preview.local.live.com", + "search.live.com", + "test.maps.live.com", + "video.live.com", + "videos.live.com", + "virtualearth.live.com", + "wap.live.com", + "webmaster.live.com", + "webmasters.live.com", + "www.local.live.com.au", + "www.maps.live.com.au" + ] + } +] \ No newline at end of file diff --git a/dynamite_nsm/confs/filebeat/modules.d/suricata.yml.disabled b/dynamite_nsm/confs/filebeat/modules.d/suricata.yml.disabled new file mode 100644 index 00000000..8d66878c --- /dev/null +++ b/dynamite_nsm/confs/filebeat/modules.d/suricata.yml.disabled @@ -0,0 +1,4 @@ +- module: suricata + # All logs + eve: + enabled: true \ No newline at end of file 
diff --git a/dynamite_nsm/confs/filebeat/modules.d/zeek.yml.disabled b/dynamite_nsm/confs/filebeat/modules.d/zeek.yml.disabled new file mode 100644 index 00000000..fabe64ff --- /dev/null +++ b/dynamite_nsm/confs/filebeat/modules.d/zeek.yml.disabled @@ -0,0 +1,77 @@ +- module: zeek + capture_loss: + enabled: true + connection: + enabled: true + dce_rpc: + enabled: true + dhcp: + enabled: true + dnp3: + enabled: true + dns: + enabled: true + dpd: + enabled: true + files: + enabled: true + ftp: + enabled: true + http: + enabled: true + intel: + enabled: true + irc: + enabled: true + kerberos: + enabled: true + modbus: + enabled: true + mysql: + enabled: true + notice: + enabled: true + ntlm: + enabled: true + ocsp: + enabled: true + pe: + enabled: true + radius: + enabled: true + rdp: + enabled: true + rfb: + enabled: true + signature: + enabled: true + sip: + enabled: true + smb_cmd: + enabled: true + smb_files: + enabled: true + smb_mapping: + enabled: true + smtp: + enabled: true + snmp: + enabled: true + socks: + enabled: true + ssh: + enabled: true + ssl: + enabled: true + stats: + enabled: true + syslog: + enabled: true + traceroute: + enabled: true + tunnel: + enabled: true + weird: + enabled: true + x509: + enabled: true \ No newline at end of file diff --git a/dynamite_nsm/confs/kibana/kibana.yml b/dynamite_nsm/confs/kibana/kibana.yml new file mode 100644 index 00000000..64ecb6c9 --- /dev/null +++ b/dynamite_nsm/confs/kibana/kibana.yml 
@@ -0,0 +1,35 @@
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# or in the "license" file accompanying this file. This file is distributed
+# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+# express or implied. See the License for the specific language governing
+# permissions and limitations under the License.
+
+# Description:
+# Default Kibana configuration for Open Distro.
+
+elasticsearch.hosts: https://localhost:9200
+elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+elasticsearch.ssl.verificationMode: none
+
+opendistro_security.multitenancy.enabled: true
+opendistro_security.multitenancy.tenants.enable_private: false
+opendistro_security.multitenancy.tenants.preferred: ["Global"]
+opendistro_security.readonly_mode.roles: ["kibana_read_only"]
+
+# Use this setting if you are running kibana without https
+opendistro_security.cookie.secure: false
+
+newsfeed.enabled: false
+telemetry.optIn: false
+telemetry.enabled: false
+security.showInsecureClusterWarning: false
+elasticsearch.username: kibanaserver
+elasticsearch.password: kibanaserver
+
diff --git a/dynamite_nsm/confs/kibana/node.options b/dynamite_nsm/confs/kibana/node.options
new file mode 100644
index 00000000..2927d1b5
--- /dev/null
+++ b/dynamite_nsm/confs/kibana/node.options
@@ -0,0 +1,6 @@
+## Node command line options
+## See `node --help` and `node --v8-options` for available options
+## Please note you should specify one option per line
+
+## max size of old space in megabytes
+#--max-old-space-size=4096
diff --git a/dynamite_nsm/confs/logstash/jvm.options b/dynamite_nsm/confs/logstash/jvm.options
new file mode 100644
index 00000000..c9fbca30
--- /dev/null
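Review bot: The Elasticsearch service login is shipped in clear text in this file (`elasticsearch.username: kibanaserver` / `elasticsearch.password: kibanaserver`, the stock Open Distro demo values), and `elasticsearch.ssl.verificationMode: none` disables certificate checking on the Kibana-to-Elasticsearch connection, so the `https://localhost:9200` URL gives transport encryption but no peer authentication. Unless the installer rewrites these at deploy time (not visible in this diff), every installation ends up with the same well-known credentials; the password belongs in the Kibana keystore (`bin/kibana-keystore add elasticsearch.password`) with a deployment-specific value rather than in a committed file. Prefer `elasticsearch.ssl.verificationMode: certificate` together with `elasticsearch.ssl.certificateAuthorities: [<PATH_TO_ROOT_CA_PEM>]` (placeholder) pointing at the CA that issues the cluster's HTTP certificate. `opendistro_security.cookie.secure: false` is explained by the comment above it as the no-HTTPS case; if the default deployment serves Kibana over HTTPS it should be `true`, and a comment recording that decision would help the next reader, e.g. `# Set to true once Kibana is served over HTTPS; otherwise session cookies travel in clear.`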
+++ b/dynamite_nsm/confs/logstash/jvm.options
@@ -0,0 +1,13 @@
+-Xms1g
+-Xmx1g
+-XX:+UseConcMarkSweepGC
+-XX:CMSInitiatingOccupancyFraction=75
+-XX:+UseCMSInitiatingOccupancyOnly
+-Djava.awt.headless=true
+-Dfile.encoding=UTF-8
+-Djruby.compile.invokedynamic=true
+-Djruby.jit.threshold=0
+-Djruby.regexp.interruptible=true
+-XX:+HeapDumpOnOutOfMemoryError
+-Djava.security.egd=file:/dev/urandom
+-Dlog4j2.isThreadContextMapInheritable=true
diff --git a/dynamite_nsm/confs/logstash/logstash.yml b/dynamite_nsm/confs/logstash/logstash.yml
new file mode 100644
index 00000000..27bc0a38
--- /dev/null
+++ b/dynamite_nsm/confs/logstash/logstash.yml
@@ -0,0 +1,208 @@ +# Settings file in YAML +# +# Settings can be specified either in hierarchical form, e.g.: +# +# pipeline: +# batch: +# size: 125 +# delay: 5 +# +# Or as flat keys: +# +# pipeline.batch.size: 125 +# pipeline.batch.delay: 5 +# +# ------------ Node identity ------------ +# +# Use a descriptive name for the node: +# +node.name: dynamite-ls-node +# +# If omitted the node name will default to the machine's host name +# +# ------------ Data path ------------------ +# +# Which directory should be used by logstash and its plugins +# for any persistent needs. Defaults to LOGSTASH_HOME/data +# +path.data: /opt/dynamite/logstash/data/ +# +# ------------ Pipeline Settings -------------- +# +# The ID of the pipeline. +# +# pipeline.id: main +# +# Set the number of workers that will, in parallel, execute the filters+outputs +# stage of the pipeline. +# +# This defaults to the number of the host's CPU cores. +# +# pipeline.workers: 2 +# +# How many events to retrieve from inputs before sending to filters+workers +# +pipeline.batch.size: 125 +# +# How long to wait in milliseconds while polling for the next event +# before dispatching an undersized batch to filters+outputs +# +pipeline.batch.delay: 50 +# +# Force Logstash to exit during shutdown even if there are still inflight +# events in memory. By default, logstash will refuse to quit until all +# received events have been pushed to the outputs. 
+# +# WARNING: enabling this can lead to data loss during shutdown +# +# pipeline.unsafe_shutdown: false +# +# ------------ Pipeline Configuration Settings -------------- +# +# Where to fetch the pipeline configuration for the main pipeline +# +# path.config: +# +# Pipeline configuration string for the main pipeline +# +# config.string: +# +# At startup, test if the configuration is valid and exit (dry run) +# +# config.test_and_exit: false +# +# Periodically check if the configuration has changed and reload the pipeline +# This can also be triggered manually through the SIGHUP signal +# +# config.reload.automatic: false +# +# How often to check if the pipeline configuration has changed (in seconds) +# +# config.reload.interval: 3s +# +# Show fully compiled configuration as debug log message +# NOTE: --log.level must be 'debug' +# +# config.debug: false +# +# When enabled, process escaped characters such as \n and \" in strings in the +# pipeline configuration files. +# +# config.support_escapes: false +# +# ------------ Module Settings --------------- +# Define modules here. Modules definitions must be defined as an array. +# The simple way to see this is to prepend each `name` with a `-`, and keep +# all associated variables under the `name` they are associated with, and +# above the next, like this: +# +# modules: +# - name: MODULE_NAME +# var.PLUGINTYPE1.PLUGINNAME1.KEY1: VALUE +# var.PLUGINTYPE1.PLUGINNAME1.KEY2: VALUE +# var.PLUGINTYPE2.PLUGINNAME1.KEY1: VALUE +# var.PLUGINTYPE3.PLUGINNAME3.KEY1: VALUE +# +# Module variable names must be in the format of +# +# var.PLUGIN_TYPE.PLUGIN_NAME.KEY +# +# modules: +# +# ------------ Cloud Settings --------------- +# Define Elastic Cloud settings here. +# Format of cloud.id is a base64 value e.g. dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRub3RhcmVhbCRpZGVudGlmaWVy +# and it may have an label prefix e.g. staging:dXMtZ... 
+# This will overwrite 'var.elasticsearch.hosts' and 'var.kibana.host' +# cloud.id: +# +# Format of cloud.auth is: : +# This is optional +# If supplied this will overwrite 'var.elasticsearch.username' and 'var.elasticsearch.password' +# If supplied this will overwrite 'var.kibana.username' and 'var.kibana.password' +# cloud.auth: elastic: +# +# ------------ Queuing Settings -------------- +# +# Internal queuing model, "memory" for legacy in-memory based queuing and +# "persisted" for disk-based acked queueing. Defaults is memory +# +# queue.type: memory +# +# If using queue.type: persisted, the directory path where the data files will be stored. +# Default is path.data/queue +# +# path.queue: +# +# If using queue.type: persisted, the page data files size. The queue data consists of +# append-only data files separated into pages. Default is 64mb +# +# queue.page_capacity: 64mb +# +# If using queue.type: persisted, the maximum number of unread events in the queue. +# Default is 0 (unlimited) +# +# queue.max_events: 0 +# +# If using queue.type: persisted, the total capacity of the queue in number of bytes. +# If you would like more unacked events to be buffered in Logstash, you can increase the +# capacity using this setting. Please make sure your disk drive has capacity greater than +# the size specified here. 
If both max_bytes and max_events are specified, Logstash will pick +# whichever criteria is reached first +# Default is 1024mb or 1gb +# +# queue.max_bytes: 1024mb +# +# If using queue.type: persisted, the maximum number of acked events before forcing a checkpoint +# Default is 1024, 0 for unlimited +# +# queue.checkpoint.acks: 1024 +# +# If using queue.type: persisted, the maximum number of written events before forcing a checkpoint +# Default is 1024, 0 for unlimited +# +# queue.checkpoint.writes: 1024 +# +# If using queue.type: persisted, the interval in milliseconds when a checkpoint is forced on the head page +# Default is 1000, 0 for no periodic checkpoint. +# +# queue.checkpoint.interval: 1000 +# +# ------------ Dead-Letter Queue Settings -------------- +# Flag to turn on dead-letter queue. +# +# dead_letter_queue.enable: false + +# If using dead_letter_queue.enable: true, the maximum size of each dead letter queue. Entries +# will be dropped if they would increase the size of the dead letter queue beyond this setting. +# Default is 1024mb +# dead_letter_queue.max_bytes: 1024mb + +# If using dead_letter_queue.enable: true, the directory path where the data files will be stored. +# Default is path.data/dead_letter_queue +# +# path.dead_letter_queue: +# +# ------------ Metrics Settings -------------- +# +# Bind address for the metrics REST endpoint +# +# http.host: "127.0.0.1" +# +# Bind port for the metrics REST endpoint, this option also accept a range +# (9600-9700) and logstash will pick up the first available ports. +# +# http.port: 9600-9700 +# +# ------------ Debugging Settings -------------- +# +# Options for log.level: +# * fatal +# * error +# * warn +# * info (default) +# * debug +# * trace +# +# log.level: info +path.logs: /var/log/dynamite/logstash/ \ No newline at end of file diff --git a/dynamite_nsm/confs/mirrors/dynamited b/dynamite_nsm/confs/mirrors/dynamited new file mode 100644 index 00000000..ddef5371 --- /dev/null 
+++ b/dynamite_nsm/confs/mirrors/dynamited
@@ -0,0 +1 @@
+https://dynamite-tools.s3-us-west-2.amazonaws.com/dynamited-0.1.0.tar.gz, dynamited-0.1.0.tar.gz, dynamited-0.1.0
\ No newline at end of file
diff --git a/dynamite_nsm/confs/mirrors/elasticsearch b/dynamite_nsm/confs/mirrors/elasticsearch
new file mode 100644
index 00000000..9ecd9a7a
--- /dev/null
+++ b/dynamite_nsm/confs/mirrors/elasticsearch
@@ -0,0 +1 @@
+https://d3g5vo6xdbdb9a.cloudfront.net/tarball/opendistro-elasticsearch/opendistroforelasticsearch-1.13.0-linux-x64.tar.gz, opendistroforelasticsearch-1.13.0-linux-x64.tar.gz, opendistroforelasticsearch-1.13.0
\ No newline at end of file
diff --git a/dynamite_nsm/confs/mirrors/filebeat b/dynamite_nsm/confs/mirrors/filebeat
new file mode 100644
index 00000000..75bd018a
--- /dev/null
+++ b/dynamite_nsm/confs/mirrors/filebeat
@@ -0,0 +1 @@
+https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.11.1-linux-x86_64.tar.gz, filebeat-oss-7.11.1-linux-x86_64.tar.gz, filebeat-7.11.1-linux-x86_64
\ No newline at end of file
diff --git a/dynamite_nsm/confs/mirrors/java b/dynamite_nsm/confs/mirrors/java
new file mode 100644
index 00000000..ab8cd051
--- /dev/null
+++ b/dynamite_nsm/confs/mirrors/java
@@ -0,0 +1 @@
+https://download.java.net/java/GA/jdk13.0.1/cec27d702aa74d5a8630c65ae61e4305/9/GPL/openjdk-13.0.1_linux-x64_bin.tar.gz, openjdk-13.0.1_linux-x64_bin.tar.gz, jdk-13.0.1
\ No newline at end of file
diff --git a/dynamite_nsm/confs/mirrors/kibana b/dynamite_nsm/confs/mirrors/kibana
new file mode 100644
index 00000000..6715eb90
--- /dev/null
+++ b/dynamite_nsm/confs/mirrors/kibana
@@ -0,0 +1 @@
+https://d3g5vo6xdbdb9a.cloudfront.net/tarball/opendistroforelasticsearch-kibana/opendistroforelasticsearch-kibana-1.13.0-linux-x64.tar.gz, opendistroforelasticsearch-kibana-1.13.0-linux-x64.tar.gz, opendistroforelasticsearch-kibana
\ No newline at end of file
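Review bot: Each mirror line records a download URL, an archive name and an extracted directory name but no expected digest, so whatever consumes these files has nothing to verify the fetched tarball against before it is unpacked; this applies to the dynamited, elasticsearch, filebeat, java and kibana mirrors here and equally to logstash, oinkmaster_nightly, suricata and zeek in the next line. The suricata and zeek files additionally list a second S3 mirror for the same archive, and without a pinned digest there is no way to confirm that both sources serve identical bytes. A fourth comma-separated field holding a SHA-256 of the archive, e.g. `https://dynamite-tools.s3-us-west-2.amazonaws.com/dynamited-0.1.0.tar.gz, dynamited-0.1.0.tar.gz, dynamited-0.1.0, <SHA256 of archive>`, would let the downloader fail closed on a tampered, substituted or truncated download. The parser that reads this format is not in this diff, so the number of columns it accepts should be confirmed before the field is added.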
diff --git a/dynamite_nsm/confs/mirrors/logstash b/dynamite_nsm/confs/mirrors/logstash
new file mode 100644
index 00000000..dd780789
--- /dev/null
+++ b/dynamite_nsm/confs/mirrors/logstash
@@ -0,0 +1 @@
+https://artifacts.elastic.co/downloads/logstash/logstash-oss-7.11.1-linux-x86_64.tar.gz, logstash-oss-7.11.1-linux-x86_64.tar.gz, logstash-7.11.1
\ No newline at end of file
diff --git a/dynamite_nsm/confs/mirrors/oinkmaster_nightly b/dynamite_nsm/confs/mirrors/oinkmaster_nightly
new file mode 100644
index 00000000..0a46a3a4
--- /dev/null
+++ b/dynamite_nsm/confs/mirrors/oinkmaster_nightly
@@ -0,0 +1 @@
+http://oinkmaster.sourceforge.net/oinkmaster-snapshot.tar.gz, oinkmaster-snapshot.tar.gz, oinkmaster
\ No newline at end of file
diff --git a/dynamite_nsm/confs/mirrors/suricata b/dynamite_nsm/confs/mirrors/suricata
new file mode 100644
index 00000000..19b509cf
--- /dev/null
+++ b/dynamite_nsm/confs/mirrors/suricata
@@ -0,0 +1,2 @@
+https://www.openinfosecfoundation.org/download/suricata-4.1.8.tar.gz, suricata-4.1.8.tar.gz, suricata-4.1.8
+https://dynamite-tools.s3-us-west-2.amazonaws.com/suricata-4.1.8.tar.gz, suricata-4.1.8.tar.gz, suricata-4.1.8
diff --git a/dynamite_nsm/confs/mirrors/zeek b/dynamite_nsm/confs/mirrors/zeek
new file mode 100644
index 00000000..cc89efd5
--- /dev/null
+++ b/dynamite_nsm/confs/mirrors/zeek
@@ -0,0 +1,2 @@
+https://github.com/zeek/zeek/releases/download/v4.0.3/zeek-4.0.3.tar.gz, zeek-4.0.3.tar.gz, zeek-4.0.3
+https://dynamite-tools.s3-us-west-2.amazonaws.com/zeek-4.0.3.tar.gz, zeek-4.0.3.tar.gz, zeek-4.0.3
\ No newline at end of file
diff --git a/dynamite_nsm/confs/suricata/suricata.yaml b/dynamite_nsm/confs/suricata/suricata.yaml
new file mode 100644
index 00000000..0dcc379a
--- /dev/null
+++ b/dynamite_nsm/confs/suricata/suricata.yaml
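Review bot: The oinkmaster_nightly mirror is the only entry fetched over plain `http://`, and it points at an unversioned snapshot rather than a tagged release, so the download has neither transport integrity nor a stable artifact identity that a later check could be tied to. Every other mirror in this diff uses `https://`, and the tooling that installs these archives presumably runs as a privileged user, which makes this the weakest link in the set. If the host serves the same path over TLS, the fix is a one-character scheme change, `https://oinkmaster.sourceforge.net/oinkmaster-snapshot.tar.gz, oinkmaster-snapshot.tar.gz, oinkmaster`; otherwise the downloader should refuse non-https URLs unless the line also carries a pinned digest. Whether the downloader enforces the scheme cannot be seen from this diff.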
@@ -0,0 +1,1491 @@ +%YAML 1.1 +--- + +# Suricata configuration file. In addition to the comments describing all +# options in this file, full documentation can be found at: +# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html + +## +## Step 1: inform Suricata about your network +## + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + + EXTERNAL_NET: "!$HOME_NET" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + +## +## Step 2: select outputs to enable +## + +# The default logging directory. Any log or output file will be +# placed here if its not specified with a full path name. This can be +# overridden with the -l command line parameter. +default-log-dir: /opt/dynamite/suricata/logs/ + +# global stats configuration +stats: + enabled: yes + # The interval field (in seconds) controls at what interval + # the loggers are invoked. + interval: 8 + # Add decode events as stats. + #decoder-events: true + # Decoder event prefix in stats. Has been 'decoder' before, but that leads + # to missing events in the eve.stats records. See issue #2225. + decoder-events-prefix: "decoder.event" + # Add stream events as stats. + #stream-events: false + +# Configure the type of alert (and other) logging you would like. 
+outputs: + + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + # include the name of the input pcap file in pcap file processing mode + pcap-file: false + + # Community Flow ID + # Adds a 'community_id' field to EVE records. These are meant to give + # a records a predictable flow id that can be used to match records to + # output of other tools such as Bro. + # + # Takes a 'seed' that needs to be same across sensors and tools + # to make the id less predictable. + + # enable/disable the community id feature. + community-id: true + # Seed value for the ID output. Valid values are 0-65535. 
+ community-id-seed: 0 + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + enabled: yes + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + enabled: no + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # Use version 2 logging with the new format: + # dns answers will be logged in one single event + # rather than an event for each of the answers. 
+ # Without setting a version the version + # will fallback to 1 for backwards compatibility. + enabled: no + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #answer-format: [detailed, grouped] + + # Answer types to log. + # Default: all + #answer-types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + enabled: no + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + enabled: no + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. 
+ - smtp: + enabled: no + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + # NFS logging. Requires Rust. + - nfs: + enabled: no + # IKEv2 logging. Requires Rust. + - ikev2: + enabled: no + - ssh: + enabled: no + - stats: + enabled: no + totals: no # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + - dhcp: + # DHCP logging requires Rust. + enabled: no + # When extended mode is on, all DHCP messages are logged + # with full detail. When extended mode is off (the + # default), just enough information to map a MAC address + # to an IP address is logged. + extended: no + + # alert output for use with Barnyard2 + - unified2-alert: + enabled: no + filename: unified2.alert + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + #limit: 32mb + + # By default unified2 log files have the file creation time (in + # unix epoch format) appended to the filename. Set this to yes to + # disable this behaviour. + #nostamp: no + + # Sensor ID field of unified2 alerts. + #sensor-id: 0 + + # Include payload of packets related to alerts. Defaults to true, set to + # false if payload is not required. + #payload: yes + + # HTTP X-Forwarded-For support by adding the unified2 extra header or + # overwriting the source or destination IP address (depending on flow + # direction) with the one reported in the X-Forwarded-For HTTP header. 
+ # This is helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". Note + # that in the "overwrite" mode, if the reported IP address in the HTTP + # X-Forwarded-For header is of a different version of the packet + # received, it will fall-back to "extra-data" mode. + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + # a line based log of HTTP requests (no alerts) + - http-log: + enabled: no + filename: http.log + append: yes + #extended: yes # enable this for extended logging information + #custom: yes # enabled the custom logging format (defined by customformat) + #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # a line based log of TLS handshake parameters (no alerts) + - tls-log: + enabled: no # Log TLS connections. + filename: tls.log # File to store TLS logs. 
+ append: yes + #extended: yes # Log extended information like fingerprint + #custom: yes # enabled the custom logging format (defined by customformat) + #customformat: "%{%D-%H:%M:%S}t.%z %a:%p -> %A:%P %v %n %d %D" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + + # output module to store certificates chain to disk + - tls-store: + enabled: no + #certs-log-dir: certs # directory to store the certificates files + + # a line based log of DNS requests and/or replies (no alerts) + # Note: not available when Rust is enabled (--enable-rust). + - dns-log: + enabled: no + filename: dns.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Packet log... log packets in pcap format. 3 modes of operation: "normal" + # "multi" and "sguil". + # + # In normal mode a pcap file "filename" is created in the default-log-dir, + # or are as specified by "dir". + # In multi mode, a file is created per thread. This will perform much + # better, but will create multiple files where 'normal' would create one. + # In multi mode the filename takes a few special variables: + # - %n -- thread number + # - %i -- thread id + # - %t -- timestamp (secs or secs.usecs based on 'ts-format' + # E.g. filename: pcap.%n.%t + # + # Note that it's possible to use directories, but the directories are not + # created by Suricata. E.g. filename: pcaps/%n/log.%s will log into the + # per thread directory. + # + # Also note that the limit and max-files settings are enforced per thread. + # So the size limit when using 8 threads with 1000mb files and 2000 files + # is: 8*1000*2000 ~ 16TiB. + # + # In Sguil mode "dir" indicates the base directory. In this base dir the + # pcaps are created in th directory structure Sguil expects: + # + # $sguil-base-dir/YYYY-MM-DD/$filename. 
+ # + # By default all packets are logged except: + # - TCP streams beyond stream.reassembly.depth + # - encrypted streams after the key exchange + # + - pcap-log: + enabled: no + filename: log.pcap + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + limit: 1000mb + + # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" + max-files: 2000 + + # Compression algorithm for pcap files. Possible values: none, lz4. + # Enabling compression is incompatible with the sguil mode. Note also + # that on Windows, enabling compression will *increase* disk I/O. + compression: none + + # Further options for lz4 compression. The compression level can be set + # to a value between 0 and 16, where higher values result in higher + # compression. + #lz4-checksum: no + #lz4-level: 0 + + mode: normal # normal, multi or sguil. + + # Directory to place pcap files. If not provided the default log + # directory will be used. Required for "sguil" mode. + #dir: /nsm_data/ + + #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec + use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets + honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stopped being logged. + + # a full alerts log containing much information for signature writers + # or for investigating suspected false positives. + - alert-debug: + enabled: no + filename: alert-debug.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # alert output to prelude (https://www.prelude-siem.org/) only + # available if Suricata has been compiled with --enable-prelude + - alert-prelude: + enabled: no + profile: suricata + log-packet-content: no + log-packet-header: yes + + # Stats.log contains data from various counters of the Suricata engine. 
+ - stats: + enabled: yes + filename: stats.log + append: yes # append to file (yes) or overwrite it (no) + totals: yes # stats for all threads merged together + threads: no # per thread stats + #null-values: yes # print counters that have value 0 + + # a line based alerts log similar to fast.log into syslog + - syslog: + enabled: no + # reported identity to syslog. If ommited the program name (usually + # suricata) will be used. + #identity: "suricata" + facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + + # a line based information for dropped packets in IPS mode + - drop: + enabled: no + filename: drop.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Output module for storing files on disk. Files are stored in a + # directory names consisting of the first 2 characters of the + # SHA256 of the file. Each file is given its SHA256 as a filename. + # + # When a duplicate file is found, the existing file is touched to + # have its timestamps updated. + # + # Unlike the older filestore, metadata is not written out by default + # as each file should already have a "fileinfo" record in the + # eve.log. If write-fileinfo is set to yes, the each file will have + # one more associated .json files that consists of the fileinfo + # record. A fileinfo file will be written for each occurrence of the + # file seen using a filename suffix to ensure uniqueness. + # + # To prune the filestore directory see the "suricatactl filestore + # prune" command which can delete files over a certain age. + - file-store: + version: 2 + enabled: no + + # Set the directory for the filestore. If the path is not + # absolute will be be relative to the default-log-dir. + #dir: filestore + + # Write out a fileinfo record for each occurrence of a + # file. Disabled by default as each occurrence is already logged + # as a fileinfo record to the main eve-log. 
+ #write-fileinfo: yes + + # Force storing of all files. Default: no. + #force-filestore: yes + + # Override the global stream-depth for sessions in which we want + # to perform file extraction. Set to 0 for unlimited. + #stream-depth: 0 + + # Uncomment the following variable to define how many files can + # remain open for filestore by Suricata. Default value is 0 which + # means files get closed after each write + #max-open-files: 1000 + + # Force logging of checksums, available hash functions are md5, + # sha1 and sha256. Note that SHA256 is automatically forced by + # the use of this output module as it uses the SHA256 as the + # file naming scheme. + #force-hash: [sha1, md5] + # NOTE: X-Forwarded configuration is ignored if write-fileinfo is disabled + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + # output module to store extracted files to disk (old style, deprecated) + # + # The files are stored to the log-dir in a format "file." where is + # an incrementing number starting at 1. For each file "file." a meta + # file "file..meta" is created. Before they are finalized, they will + # have a ".tmp" suffix to indicate that they are still being processed. 
+ # + # If include-pid is yes, then the files are instead "file..", with + # meta files named as "file...meta" + # + # File extraction depends on a lot of things to be fully done: + # - file-store stream-depth. For optimal results, set this to 0 (unlimited) + # - http request / response body sizes. Again set to 0 for optimal results. + # - rules that contain the "filestore" keyword. + - file-store: + enabled: no # set to yes to enable + log-dir: files # directory to store the files + force-magic: no # force logging magic on all stored files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + force-filestore: no # force storing of all files + # override global stream-depth for sessions in which we want to + # perform file extraction. Set to 0 for unlimited. + #stream-depth: 0 + #waldo: file.waldo # waldo file to store the file_id across runs + # uncomment to disable meta file writing + #write-meta: no + # uncomment the following variable to define how many files can + # remain open for filestore by Suricata. Default value is 0 which + # means files get closed after each write + #max-open-files: 1000 + include-pid: no # set to yes to include pid in file names + + # output module to log files tracked in a easily parsable JSON format + - file-log: + enabled: no + filename: files-json.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + + # Log TCP data after stream normalization + # 2 types: file or dir. File logs into a single logfile. Dir creates + # 2 files per TCP session and stores the raw TCP data into them. + # Using 'both' will enable both file and dir modes. 
+ # + # Note: limited by stream.depth + - tcp-data: + enabled: no + type: file + filename: tcp-data.log + + # Log HTTP body data after normalization, dechunking and unzipping. + # 2 types: file or dir. File logs into a single logfile. Dir creates + # 2 files per HTTP session and stores the normalized data into them. + # Using 'both' will enable both file and dir modes. + # + # Note: limited by the body limit settings + - http-body-data: + enabled: no + type: file + filename: http-data.log + + # Lua Output Support - execute lua script to generate alert and event + # output. + # Documented at: + # https://suricata.readthedocs.io/en/latest/output/lua-output.html + - lua: + enabled: no + #scripts-dir: /etc/suricata/lua-output/ + scripts: + # - script1.lua + +# Logging configuration. This is not about logging IDS alerts/events, but +# output about what Suricata is doing, like startup messages, errors, etc. +logging: + # The default log level, can be overridden in an output section. + # Note that debug level logging will only be emitted if Suricata was + # compiled with the --enable-debug configure option. + # + # This value is overridden by the SC_LOG_LEVEL env var. + default-log-level: notice + + # The default output format. Optional parameter, should default to + # something reasonable if not provided. Can be overridden in an + # output section. You can leave this out to get the default. + # + # This value is overridden by the SC_LOG_FORMAT env var. + #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " + + # A regex to filter output. Can be overridden in an output section. + # Defaults to empty (no filter). + # + + # Define your logging outputs. If none are defined, or they are all + # disabled you will get the default - console output. 
+ outputs: + - console: + enabled: yes + # type: json + - file: + enabled: true + filename: /opt/dynamite/suricata/logs/suricata.log + level: info + type: json + - syslog: + enabled: no + facility: local5 + format: "[%i] <%d> -- " + # type: json + + +## +## Step 4: configure common capture settings +## +## See "Advanced Capture Options" below for more options, including NETMAP +## and PF_RING. +## + +af-packet: [] + +# Settings for reading pcap files +pcap-file: + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: Suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have checksum tested + checksum-checks: auto + +# See "Advanced Capture Options" below for more options, including NETMAP +# and PF_RING. + + +## +## Step 5: App Layer Protocol Configuration +## + +# Configure the app-layer parsers. The protocols section details each +# protocol. +# +# The option "enabled" takes 3 values - "yes", "no", "detection-only". +# "yes" enables both detection and the parser, "no" disables both, and +# "detection-only" enables protocol detection only (parser disabled). +app-layer: + protocols: + krb5: + enabled: yes + ikev2: + enabled: yes + tls: + enabled: yes + detection-ports: + dp: 443 + + # Generate JA3 fingerprint from client hello + ja3-fingerprints: yes + + # What to do when the encrypted communications start: + # - default: keep tracking TLS session, check for protocol anomalies, + # inspect tls_* keywords. Disables inspection of unmodified + # 'content' signatures. + # - bypass: stop processing this flow as much as possible. No further + # TLS parsing and inspection. Offload flow bypass to kernel + # or hardware if possible. + # - full: keep tracking and inspection as normal. Unmodified content + # keyword signatures are inspected as well. + # + # For best performance, select 'bypass'. 
+ # + #encryption-handling: default + + dcerpc: + enabled: yes + ftp: + enabled: yes + # memcap: 64mb + ssh: + enabled: yes + smtp: + enabled: yes + # Configure SMTP-MIME Decoder + mime: + # Decode MIME messages from SMTP transactions + # (may be resource intensive) + # This field supercedes all others because it turns the entire + # process on or off + decode-mime: no + + # Decode MIME entity bodies (ie. base64, quoted-printable, etc.) + decode-base64: no + decode-quoted-printable: no + + # Maximum bytes per header data value stored in the data structure + # (default is 2000) + header-value-depth: 2000 + + # Extract URLs and save in state data structure + extract-urls: yes + # Set to yes to compute the md5 of the mail body. You will then + # be able to journalize it. + body-md5: no + # Configure inspected-tracker for file_data keyword + inspected-tracker: + content-limit: 100000 + content-inspect-min-size: 32768 + content-inspect-window: 4096 + imap: + enabled: detection-only + msn: + enabled: detection-only + # Note: --enable-rust is required for full SMB1/2 support. W/o rust + # only minimal SMB1 support is available. + smb: + enabled: yes + detection-ports: + dp: 139, 445 + + # Stream reassembly size for SMB streams. By default track it completely. + #stream-depth: 0 + + # Note: NFS parser depends on Rust support: pass --enable-rust + # to configure. + nfs: + enabled: yes + tftp: + enabled: yes + dns: + # memcaps. Globally and per flow/state. + #global-memcap: 16mb + #state-memcap: 512kb + + # How many unreplied DNS requests are considered a flood. + # If the limit is reached, app-layer-event:dns.flooded; will match. 
+ #request-flood: 500 + + tcp: + enabled: yes + detection-ports: + dp: 53 + udp: + enabled: yes + detection-ports: + dp: 53 + http: + enabled: yes + # memcap: 64mb + + # default-config: Used when no server-config matches + # personality: List of personalities used by default + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # response-body-decompress-layer-limit: + # Limit to how many layers of compression will be + # decompressed. Defaults to 2. + # + # server-config: List of server configurations to use if address matches + # address: List of IP addresses or networks for this block + # personalitiy: List of personalities used by this block + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # + # uri-include-all: Include all parts of the URI. By default the + # 'scheme', username/password, hostname and port + # are excluded. Setting this option to true adds + # all of them to the normalized uri as inspected + # by http_uri, urilen, pcre with /U and the other + # keywords that inspect the normalized uri. + # Note that this does not affect http_raw_uri. + # Also, note that including all was the default in + # 1.4 and 2.0beta1. + # + # meta-field-limit: Hard size limit for request and response size + # limits. Applies to request line and headers, + # response line and headers. Does not apply to + # request or response bodies. Default is 18k. 
+ # If this limit is reached an event is raised. + # + # Currently Available Personalities: + # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0, + # IIS_7_0, IIS_7_5, Apache_2 + libhtp: + default-config: + personality: IDS + + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. + request-body-limit: 100kb + response-body-limit: 100kb + + # inspection limits + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 40kb + response-body-inspect-window: 16kb + + # response body decompression (0 disables) + response-body-decompress-layer-limit: 2 + + # auto will use http-body-inline mode in IPS mode, yes or no set it statically + http-body-inline: auto + + # Decompress SWF files. + # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma + # compress-depth: + # Specifies the maximum amount of data to decompress, + # set 0 for unlimited. + # decompress-depth: + # Specifies the maximum amount of decompressed data to obtain, + # set 0 for unlimited. + swf-decompression: + enabled: yes + type: both + compress-depth: 0 + decompress-depth: 0 + + # Take a random value for inspection sizes around the specified value. + # This lower the risk of some evasion technics but could lead + # detection change between runs. It is set to 'yes' by default. + #randomize-inspection-sizes: yes + # If randomize-inspection-sizes is active, the value of various + # inspection size will be choosen in the [1 - range%, 1 + range%] + # range + # Default value of randomize-inspection-range is 10. + #randomize-inspection-range: 10 + + # decoding + double-decode-path: no + double-decode-query: no + + server-config: + + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. 
+ # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + # Note: Modbus probe parser is minimalist due to the poor significant field + # Only Modbus message length (greater than Modbus header length) + # And Protocol ID (equal to 0) are checked in probing parser + # It is important to enable detection port and define Modbus port + # to avoid false positive + modbus: + # How many unreplied Modbus requests are considered a flood. + # If the limit is reached, app-layer-event:modbus.flooded; will match. + #request-flood: 500 + + enabled: no + detection-ports: + dp: 502 + # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it + # is recommended to keep the TCP connection opened with a remote device + # and not to open and close it for each MODBUS/TCP transaction. In that + # case, it is important to set the depth of the stream reassembling as + # unlimited (stream.reassembly.depth: 0) + + # Stream reassembly size for modbus. By default track it completely. + stream-depth: 0 + + # DNP3 + dnp3: + enabled: yes + detection-ports: + dp: 20000 + + # SCADA EtherNet/IP and CIP protocol support + enip: + enabled: yes + detection-ports: + dp: 44818 + sp: 44818 + + # Note: parser depends on Rust support + ntp: + enabled: yes + + dhcp: + enabled: yes + +# Limit for the maximum number of asn1 frames to decode (default 256) +asn1-max-frames: 256 + + +############################################################################## +## +## Advanced settings below +## +############################################################################## + +## +## Run Options +## + +# Run suricata as user and group. 
+#run-as: +# user: suri +# group: suri + +# Some logging module will use that name in event as identifier. The default +# value is the hostname +#sensor-name: suricata + +# Default location of the pid file. The pid file is only used in +# daemon mode (start Suricata with -D). If not running in daemon mode +# the --pidfile command line option must be used to create a pid file. +#pid-file: /var/dynamite/suricata/run/suricata.pid + +# Daemon working directory +# Suricata will change directory to this one if provided +# Default: "/" +#daemon-directory: "/" + +# Umask. +# Suricata will use this umask if it is provided. By default it will use the +# umask passed on by the shell. +#umask: 022 + +# Suricata core dump configuration. Limits the size of the core dump file to +# approximately max-dump. The actual core dump size will be a multiple of the +# page size. Core dumps that would be larger than max-dump are truncated. On +# Linux, the actual core dump size may be a few pages larger than max-dump. +# Setting max-dump to 0 disables core dumping. +# Setting max-dump to 'unlimited' will give the full core dump file. +# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size +# to be 'unlimited'. + +coredump: + max-dump: unlimited + +# If Suricata box is a router for the sniffed networks, set it to 'router'. If +# it is a pure sniffing setup, set it to 'sniffer-only'. +# If set to auto, the variable is internally switch to 'router' in IPS mode +# and 'sniffer-only' in IDS mode. +# This feature is currently only used by the reject* keywords. +host-mode: auto + +# Number of packets preallocated per thread. The default is 1024. A higher number +# will make sure each CPU will be more easily kept busy, but may negatively +# impact caching. +#max-pending-packets: 1024 + +# Runmode the engine should use. Please check --list-runmodes to get the available +# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned +# load balancing). 
+runmode: autofp + +# Specifies the kind of flow load balancer used by the flow pinned autofp mode. +# +# Supported schedulers are: +# +# round-robin - Flows assigned to threads in a round robin fashion. +# active-packets - Flows assigned to threads that have the lowest number of +# unprocessed packets (default). +# hash - Flow allocated using the address hash. More of a random +# technique. Was the default in Suricata 1.2.1 and older. +# +#autofp-scheduler: active-packets + +# Preallocated size for packet. Default is 1514 which is the classical +# size for pcap on ethernet. You should adjust this value to the highest +# packet size (MTU + hardware header) on your system. +#default-packet-size: 1514 + +# Unix command socket can be used to pass commands to Suricata. +# An external tool can then connect to get information from Suricata +# or trigger some modifications of the engine. Set enabled to yes +# to activate the feature. In auto mode, the feature will only be +# activated in live capture mode. You can use the filename variable to set +# the file name of the socket. +unix-command: + enabled: no + #filename: custom.socket + +# Magic file. The extension .mgc is added to the value here. +#magic-file: /usr/share/file/magic +#magic-file: + +legacy: + uricontent: enabled + +## +## Detection settings +## + +# Set the order of alerts based on actions +# The default order is pass, drop, reject, alert +# action-order: +# - pass +# - drop +# - reject +# - alert + +# IP Reputation +#reputation-categories-file: /etc/dynamite/suricata/iprep/categories.txt +#default-reputation-path: /etc/dynamite/suricata/iprep +#reputation-files: +# - reputation.list + +# When run with the option --engine-analysis, the engine will read each of +# the parameters below, and print reports for each of the enabled sections +# and exit. 
The reports are printed to a file in the default log dir +# given by the parameter "default-log-dir", with engine reporting +# subsection below printing reports in its own report file. +engine-analysis: + # enables printing reports for fast-pattern for every rule. + rules-fast-pattern: yes + # enables printing reports for each rule + rules: yes + +#recursion and match limits for PCRE where supported +pcre: + match-limit: 3500 + match-limit-recursion: 1500 + +## +## Advanced Traffic Tracking and Reconstruction Settings +## + +# Host specific policies for defragmentation and TCP stream +# reassembly. The host OS lookup is done using a radix tree, just +# like a routing table so the most specific entry matches. +host-os-policy: + # Make the default policy windows. + windows: [0.0.0.0/0] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [] + old-solaris: [] + solaris: [] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + +# Defrag settings: + +defrag: + memcap: 32mb + hash-size: 65536 + trackers: 65535 # number of defragmented flows to follow + max-frags: 65535 # number of fragments to keep (higher than trackers) + prealloc: yes + timeout: 60 + +# Enable defrag per host settings +# host-config: +# +# - dmz: +# timeout: 30 +# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] +# +# - lan: +# timeout: 45 +# address: +# - 192.168.0.0/24 +# - 192.168.10.0/24 +# - 172.16.14.0/24 + +# Flow settings: +# By default, the reserved memory (memcap) for flows is 32MB. This is the limit +# for flow allocation inside the engine. You can change this value to allow +# more memory usage for flows. +# The hash-size determine the size of the hash used to identify flows inside +# the engine, and by default the value is 65536. +# At the startup, the engine can preallocate a number of flows, to get a better +# performance. The number of flows preallocated is 10000 by default. 
+# emergency-recovery is the percentage of flows that the engine need to +# prune before unsetting the emergency state. The emergency state is activated +# when the memcap limit is reached, allowing to create new flows, but +# pruning them with the emergency timeouts (they are defined below). +# If the memcap is reached, the engine will try to prune flows +# with the default timeouts. If it doesn't find a flow to prune, it will set +# the emergency bit and it will try again with more aggressive timeouts. +# If that doesn't work, then it will try to kill the last time seen flows +# not in use. +# The memcap can be specified in kb, mb, gb. Just a number indicates it's +# in bytes. + +flow: + memcap: 128mb + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 + #managers: 1 # default to one flow manager + #recyclers: 1 # default to one flow recycler thread + +# This option controls the use of vlan ids in the flow (and defrag) +# hashing. Normally this should be enabled, but in some (broken) +# setups where both sides of a flow are not tagged with the same vlan +# tag, we can ignore the vlan id's in the flow hashing. +vlan: + use-for-tracking: true + +# Specific timeouts for flows. Here you can specify the timeouts that the +# active flows will wait to transit from the current state to another, on each +# protocol. The value of "new" determine the seconds to wait after a handshake or +# stream startup before the engine free the data of that flow it doesn't +# change the state to established (usually if we don't receive more packets +# of that flow). The value of "established" is the amount of +# seconds that the engine will wait to free the flow if it spend that amount +# without receiving new packets or closing the connection. "closed" is the +# amount of time to wait after a flow is closed (usually zero). "bypassed" +# timeout controls locally bypassed flows. For these flows we don't do any other +# tracking. 
If no packets have been seen after this timeout, the flow is discarded. +# +# There's an emergency mode that will become active under attack circumstances, +# making the engine to check flow status faster. This configuration variables +# use the prefix "emergency-" and work similar as the normal ones. +# Some timeouts doesn't apply to all the protocols, like "closed", for udp and +# icmp. + +flow-timeouts: + + default: + new: 30 + established: 300 + closed: 0 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + emergency-bypassed: 50 + tcp: + new: 60 + established: 600 + closed: 60 + bypassed: 100 + emergency-new: 5 + emergency-established: 100 + emergency-closed: 10 + emergency-bypassed: 50 + udp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + icmp: + new: 30 + established: 300 + bypassed: 100 + emergency-new: 10 + emergency-established: 100 + emergency-bypassed: 50 + +stream: + memcap: 64mb + checksum-validation: yes # reject wrong csums + inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + reassembly: + memcap: 256mb + depth: 1mb # reassemble 1mb into a stream + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: yes + #randomize-chunk-range: 10 + #raw: yes + #segment-prealloc: 2048 + #check-overlap-different-data: true + +# Host table: +# +# Host table is used by tagging and per host thresholding subsystems. +# +host: + hash-size: 4096 + prealloc: 1000 + memcap: 32mb + +# IP Pair table: +# +# Used by xbits 'ippair' tracking. +# +#ippair: +# hash-size: 4096 +# prealloc: 1000 +# memcap: 32mb + +# Decoder settings + +decoder: + # Teredo decoder is known to not be completely accurate + # it will sometimes detect non-teredo as teredo. 
+ teredo: + enabled: true + vxlan: + enabled: true + ports: 4789 + +## +## Performance tuning and profiling +## + +# The detection engine builds internal groups of signatures. The engine +# allow us to specify the profile to use for them, to manage memory on an +# efficient way keeping a good performance. For the profile keyword you +# can use the words "low", "medium", "high" or "custom". If you use custom +# make sure to define the values at "- custom-values" as your convenience. +# Usually you would prefer medium/high/low. +# +# "sgh mpm-context", indicates how the staging should allot mpm contexts for +# the signature groups. "single" indicates the use of a single context for +# all the signature group heads. "full" indicates a mpm-context for each +# group head. "auto" lets the engine decide the distribution of contexts +# based on the information the engine gathers on the patterns from each +# group head. +# +# The option inspection-recursion-limit is used to limit the recursive calls +# in the content inspection code. For certain payload-sig combinations, we +# might end up taking too much time in the content inspection code. +# If the argument specified is 0, the engine uses an internally defined +# default limit. On not specifying a value, we use no limits on the recursion. +detect: + profile: medium + custom-values: + toclient-groups: 3 + toserver-groups: 25 + sgh-mpm-context: auto + inspection-recursion-limit: 3000 + # If set to yes, the loading of signatures will be made after the capture + # is started. This will limit the downtime in IPS mode. + #delayed-detect: yes + + prefilter: + # default prefiltering setting. "mpm" only creates MPM/fast_pattern + # engines. "auto" also sets up prefilter engines for other keywords. + # Use --list-keywords=all to see which keywords support prefiltering. + default: mpm + + # the grouping values above control how many groups are created per + # direction. Port whitelisting forces that port to get it's own group. 
+ # Very common ports will benefit, as well as ports with many expensive + # rules. + grouping: + #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 + #udp-whitelist: 53, 135, 5060 + + profiling: + # Log the rules that made it past the prefilter stage, per packet + # default is off. The threshold setting determines how many rules + # must have made it past pre-filter for that rule to trigger the + # logging. + #inspect-logging-threshold: 200 + grouping: + dump-to-disk: false + include-rules: false # very verbose + include-mpm-stats: false + +# Select the multi pattern algorithm you want to run for scan/search the +# in the engine. +# +# The supported algorithms are: +# "ac" - Aho-Corasick, default implementation +# "ac-bs" - Aho-Corasick, reduced memory implementation +# "ac-ks" - Aho-Corasick, "Ken Steele" variant +# "hs" - Hyperscan, available when built with Hyperscan support +# +# The default mpm-algo value of "auto" will use "hs" if Hyperscan is +# available, "ac" otherwise. +# +# The mpm you choose also decides the distribution of mpm contexts for +# signature groups, specified by the conf - "detect.sgh-mpm-context". +# Selecting "ac" as the mpm would require "detect.sgh-mpm-context" +# to be set to "single", because of ac's memory requirements, unless the +# ruleset is small enough to fit in one's memory, in which case one can +# use "full" with "ac". Rest of the mpms can be run in "full" mode. + +mpm-algo: auto + +# Select the matching algorithm you want to use for single-pattern searches. +# +# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only +# available if Suricata has been built with Hyperscan support). +# +# The default of "auto" will use "hs" if available, otherwise "bm". + +spm-algo: auto + +# Suricata is multi-threaded. Here the threading can be influenced. +threading: + set-cpu-affinity: no + # Tune cpu affinity of threads. Each family of threads can be bound + # on specific CPUs. 
+ # + # These 2 apply to the all runmodes: + # management-cpu-set is used for flow timeout handling, counters + # worker-cpu-set is used for 'worker' threads + # + # Additionally, for autofp these apply: + # receive-cpu-set is used for capture threads + # verdict-cpu-set is used for IPS verdict threads + # + cpu-affinity: + - management-cpu-set: + cpu: [ 0 ] # include only these CPUs in affinity settings + - receive-cpu-set: + cpu: [ 0 ] # include only these CPUs in affinity settings + - worker-cpu-set: + cpu: [ "all" ] + mode: "exclusive" + # Use explicitely 3 threads and don't compute number by using + # detect-thread-ratio variable: + # threads: 3 + prio: + low: [ 0 ] + medium: [ "1-2" ] + high: [ 3 ] + default: "medium" + #- verdict-cpu-set: + # cpu: [ 0 ] + # prio: + # default: "high" + # + # By default Suricata creates one "detect" thread per available CPU/CPU core. + # This setting allows controlling this behaviour. A ratio setting of 2 will + # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this + # will result in 4 detect threads. If values below 1 are used, less threads + # are created. So on a dual core CPU a setting of 0.5 results in 1 detect + # thread being created. Regardless of the setting at a minimum 1 detect + # thread will always be created. + # + detect-thread-ratio: 1.0 + +# Luajit has a strange memory requirement, it's 'states' need to be in the +# first 2G of the process' memory. +# +# 'luajit.states' is used to control how many states are preallocated. +# State use: per detect script: 1 per detect thread. Per output script: 1 per +# script. +luajit: + states: 128 + +# Profiling settings. Only effective if Suricata has been built with the +# the --enable-profiling configure flag. +# +profiling: + # Run profiling for every xth packet. The default is 1, which means we + # profile every packet. If set to 1000, one packet is profiled for every + # 1000 received. 
+ #sample-rate: 1000 + + # rule profiling + rules: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: rule_perf.log + append: yes + + # Sort options: ticks, avgticks, checks, matches, maxticks + # If commented out all the sort options will be used. + #sort: avgticks + + # Limit the number of sids for which stats are shown at exit (per sort). + limit: 10 + + # output to json + json: yes + + # per keyword profiling + keywords: + enabled: yes + filename: keyword_perf.log + append: yes + + prefilter: + enabled: yes + filename: prefilter_perf.log + append: yes + + # per rulegroup profiling + rulegroups: + enabled: yes + filename: rule_group_perf.log + append: yes + + # packet profiling + packets: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: packet_stats.log + append: yes + + # per packet csv output + csv: + + # Output can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: no + filename: packet_stats.csv + + # profiling of locking. Only available when Suricata was built with + # --enable-profiling-locks. 
+ locks: + enabled: no + filename: lock_stats.log + append: yes + + pcap-log: + enabled: no + filename: pcaplog_stats.log + append: yes + + +default-rule-path: /etc/dynamite/suricata/rules + +rule-files: + - botcc.rules + - botcc.portgrouped.rules + - ciarmy.rules + - compromised.rules +# - drop.rules + - dshield.rules +# - emerging-activex.rules + - emerging-attack_response.rules + - emerging-chat.rules + - emerging-current_events.rules + - emerging-dns.rules + - emerging-dos.rules + - emerging-exploit.rules + - emerging-ftp.rules +# - emerging-games.rules +# - emerging-icmp_info.rules +# - emerging-icmp.rules + - emerging-imap.rules +# - emerging-inappropriate.rules +# - emerging-info.rules + - emerging-malware.rules + - emerging-misc.rules + - emerging-mobile_malware.rules + - emerging-netbios.rules + - emerging-p2p.rules + - emerging-policy.rules +# - emerging-pop3.rules + - emerging-rpc.rules +# - emerging-scada.rules +# - emerging-scada_special.rules +# - emerging-scan.rules +# - emerging-shellcode.rules + - emerging-smtp.rules + - emerging-snmp.rules + - emerging-sql.rules +# - emerging-telnet.rules +# - emerging-tftp.rules + - emerging-trojan.rules + - emerging-user_agents.rules +# - emerging-voip.rules + - emerging-web_client.rules + - emerging-web_server.rules +# - emerging-web_specific_apps.rules + - emerging-worm.rules + - tor.rules +# - decoder-events.rules # available in suricata sources under rules dir +# - stream-events.rules # available in suricata sources under rules dir +# - http-events.rules # available in suricata sources under rules dir +# - smtp-events.rules # available in suricata sources under rules dir +# - dns-events.rules # available in suricata sources under rules dir +# - tls-events.rules # available in suricata sources under rules dir +# - modbus-events.rules # available in suricata sources under rules dir +# - app-layer-events.rules # available in suricata sources under rules dir +# - dnp3-events.rules # available in suricata sources 
under rules dir +# - ntp-events.rules # available in suricata sources under rules dir +# - ipsec-events.rules # available in suricata sources under rules dir +# - kerberos-events.rules # available in suricata sources under rules dir + +## +## Auxiliary configuration files. +## + +classification-file: /etc/dynamite/suricata/rules/classification.config +reference-config-file: /etc/dynamite/suricata/reference.config diff --git a/dynamite_nsm/confs/suricata/suricata_rule_definitions.json b/dynamite_nsm/confs/suricata/suricata_rule_definitions.json new file mode 100644 index 00000000..270a125a --- /dev/null +++ b/dynamite_nsm/confs/suricata/suricata_rule_definitions.json 
@@ -0,0 +1,440 @@ +{ + "7199f4a": { + "friendly_name": "Attack/Response Traffic", + "description": "Responses indicative of intrusion\u2014LMHost file download, certain banners, Metasploit Meterpreter kill command detected, etc.", + "categories": [ + "alerts" + ] + }, + "5d8f630": { + "friendly_name": "Chat", + "description": "Identification of traffic related to numerous chat clients, irc, and possible check-in activity", + "categories": [ + "alerts" + ] + }, + "af37eeb": { + "friendly_name": "Suspicious DNS Behavior", + "description": "Rules for attacks and vulnerabilities regarding DNS. Also category for abuse of the service for things such as tunneling.", + "categories": [ + "alerts" + ] + }, + "41381a3": { + "friendly_name": "Miscellaneous Attacks", + "description": "Various attacks uncategorizable attack detections.", + "categories": [ + "alerts" + ] + }, + "046da61": { + "friendly_name": "Denial of Service", + "description": "Denial of Service attempt detection. Intended to catch inbound DOS activity, and outbound indications.", + "categories": [ + "alerts" + ] + }, + "9d6f3a2": { + "friendly_name": "Generic Exploits", + "description": "Exploits that are not covered in specific service category. Rules to detect direct exploits.", + "categories": [ + "alerts" + ] + }, + "15158f6": { + "friendly_name": "Remote Shellcode Execution", + "description": "Detect remote shellcode execution attempts. Remote shellcode relies on standard TCP/IP socket connections to allow the attacker access to the shell on the target machine.", + "categories": [ + "alerts" + ] + }, + "a79291b": { + "friendly_name": "Suspicious FTP Behavior", + "description": "Rules for attacks, exploits, and vulnerabilities regarding FTP. 
Also includes basic none malicious FTP activity for logging purposes, such as login, etc.", + "categories": [ + "alerts" + ] + }, + "2808034": { + "friendly_name": "General Malware/Spyware", + "description": "Malware and Spyware related, no clear criminal intent.", + "categories": [ + "alerts" + ] + }, + "1aeb6e4": { + "friendly_name": "Mobile Malware/Spyware", + "description": "Specific to mobile platforms: Malware and Spyware related, no clear criminal intent.", + "categories": [ + "alerts" + ] + }, + "b4bf3f3": { + "friendly_name": "Trojan Traffic", + "description": "Malicious software that has clear criminal intent. Rules here detect malicious software that is in transit, active, infecting, attacking, updating, and whatever else we can detect on the wire.", + "categories": [ + "alerts" + ] + }, + "f1a3b79": { + "friendly_name": "Suspicious VOIP Behavior", + "description": "Rules for attacks and vulnerabilities related to VOIP environments.", + "categories": [ + "alerts" + ] + }, + "8f9153c": { + "friendly_name": "Webapp Specific Attacks", + "description": "Detect attacks and vulnerabilities in specific web applications", + "categories": [ + "alerts" + ] + }, + "e47fd80": { + "friendly_name": "ActiveX Attacks", + "description": "Detect attacks against Microsoft ActiveX controls and exploits targeting vulnerabilities in ActiveX controls", + "categories": [ + "alerts" + ] + }, + "9d2f33f": { + "friendly_name": "Suspicious Client-side Behavior", + "description": "Web client side attacks and vulnerabilities.", + "categories": [ + "alerts" + ] + }, + "0d4c512": { + "friendly_name": "Suspicious Server-side Behavior", + "description": "Rules for attacks and vulnerabilities against web servers.", + "categories": [ + "alerts" + ] + }, + "eec9aa1": { + "friendly_name": "Worm Traffic", + "description": "Traffic indicative of network based worm activity.", + "categories": [ + "alerts" + ] + }, + "01a5bf8": { + "friendly_name": "ICMP Attacks", + "description": "Attacks and 
vulnerabilities regarding Internet Control Message Protocol (ICMP).", + "categories": [ + "alerts" + ] + }, + "452d3a8": { + "friendly_name": "Kerberos Events", + "description": "Kerberos app layer events", + "categories": [ + "events" + ] + }, + "699bed1": { + "friendly_name": "HTTP Events", + "description": "Logs HTTP protocol specific events, typically normal operation.", + "categories": [ + "events" + ] + }, + "21b255f": { + "friendly_name": "NFS Events", + "description": "Logs NFS (Network Filesystem) protocol specific events, typically normal operation.", + "categories": [ + "events" + ] + }, + "bff1a55": { + "friendly_name": "NTP Events", + "description": "Logs NTP (Network Time Protocol) specific events, typically normal operation.", + "categories": [ + "events" + ] + }, + "f44826e": { + "friendly_name": "Suspicious POP3 Behavior", + "description": "Rules for the identification, as well as attacks and vulnerabilities regarding the POP3 protocol. Also included are rules detecting basic activity of the protocol for logging purposes.", + "categories": [ + "events" + ] + }, + "1f27f73": { + "friendly_name": "SMTP Events", + "description": "Rules that will log SMTP operations.", + "categories": [ + "events" + ] + }, + "2730471": { + "friendly_name": "Informational Events", + "description": "Provide audit level events that are useful for correlation and identifying interesting activity which may not be inherently malicious but is often observed in malware and other threats", + "categories": [ + "events" + ] + }, + "6aa22d5": { + "friendly_name": "ICMP Events", + "description": "ICMP protocol specific events, typically associated with normal operations for logging purposes.", + "categories": [ + "events" + ] + }, + "e562432": { + "friendly_name": "SMB Events", + "description": "Logs SMB (Server Message Block) specific events, typically normal operation.", + "categories": [ + "events" + ] + }, + "0fe51c0": { + "friendly_name": "IPSec Events", + "description": "Logs 
IPSec tunneling events, typically normal operation.", + "categories": [ + "events" + ] + }, + "9aa717e": { + "friendly_name": "Modbus Events", + "description": "Logs Modbus protocol events, typically normal operation.", + "categories": [ + "events" + ] + }, + "537ea06": { + "friendly_name": "Suspicious IMAP Behavior", + "description": "Rules for the identification, as well as attacks and vulnerabilities regarding the IMAP protocol. ", + "categories": [ + "alerts", + "events" + ] + }, + "f200a57": { + "friendly_name": "Suspicious Netbios Behavior", + "description": "Rules for the identification, as well as attacks, exploits and vulnerabilities regarding Netbios. Also included are rules detecting basic activity of the protocol for logging purposes.", + "categories": [ + "alerts", + "events" + ] + }, + "218827b": { + "friendly_name": "Suspicious RPC Behavior", + "description": "RPC related attacks, vulnerabilities, and protocol detection. Also included are rules detecting basic activity of the protocol for logging purposes.", + "categories": [ + "alerts", + "events" + ] + }, + "4c8db3e": { + "friendly_name": "Suspicious SMTP Traffic", + "description": "Rules for attacks, exploits, and vulnerabilities regarding SMTP. Also included are rules detecting basic activity of the protocol for logging purposes.", + "categories": [ + "alerts", + "events" + ] + }, + "7741f26": { + "friendly_name": "Suspicious SNMP Behavior", + "description": "Rules for attacks, exploits, and vulnerabilities regarding SNMP. Also included are rules detecting basic activity of the protocol for logging purposes.", + "categories": [ + "alerts", + "events" + ] + }, + "9b9f037": { + "friendly_name": "Suspicious SQL Behavior", + "description": "Rules for attacks, exploits, and vulnerabilities regarding SQL. 
Also included are rules detecting basic activity of the protocol for logging purposes.", + "categories": [ + "alerts", + "events" + ] + }, + "b4b79b2": { + "friendly_name": "Suspicious Telnet Behavior", + "description": "Rules for attacks and vulnerabilities regarding the TELNET service. Also included are rules detecting basic activity of the protocol for logging purposes.", + "categories": [ + "alerts", + "events" + ] + }, + "509dbc0": { + "friendly_name": "Suspicious TFTP Behavior", + "description": "Rules for attacks and vulnerabilities regarding the TFTP service. Also included are rules detecting basic activity of the protocol for logging purposes.", + "categories": [ + "alerts", + "events" + ] + }, + "e649d09": { + "friendly_name": "Suspicious TLS Behavior", + "description": "Rules for matching on TLS events and anomalies.", + "categories": [ + "alerts", + "events" + ] + }, + "0bbab15": { + "friendly_name": "SCADA Attacks", + "description": "Detect attacks, exploits attempts, and vulnerabilities related to supervisory control and data acquisition (SCADA) systems. Also contains non-malicious SCADA activity for logging purposes", + "categories": [ + "alerts", + "events" + ] + }, + "ef2ed47": { + "friendly_name": "Protocol Decoder Errors", + "description": "Various detectable protocol decode errors.", + "categories": [ + "identifications" + ] + }, + "cfef511": { + "friendly_name": "Peer-to-Peer Identification", + "description": "Rules for the identification of Peer-to-Peer traffic and attacks against. Including torrents, edonkey, Bittorrent, Gnutella, Limewire, etc.", + "categories": [ + "identifications" + ] + }, + "e1bc960": { + "friendly_name": "Application Identification", + "description": "Application Identification category. Includes signatures for applications like DropBox and Google Apps, etc. 
Also covers off port protocols, basic DLP such as credit card numbers and social security numbers.", + "categories": [ + "identifications" + ] + }, + "0ab7276": { + "friendly_name": "User Agent Identification", + "description": "User agent identification and detection.", + "categories": [ + "identifications" + ] + }, + "cd52f5a": { + "friendly_name": "Inappropriate Traffic", + "description": "Detect activity related to sites that are pornographic or otherwise not appropriate for a work environment.", + "categories": [ + "identifications" + ] + }, + "b6d4a5f": { + "friendly_name": "DNS Issues", + "description": "Various detectable DNS issues, not necessarily malicious.", + "categories": [ + "identifications" + ] + }, + "99d33ad": { + "friendly_name": "Network Scanners", + "description": "Detect reconnaissance and probing from tools such as Nessus, Nikto, and other port scanning, tools", + "categories": [ + "identifications" + ] + }, + "19db558": { + "friendly_name": "Application Layer Issues", + "description": "Detect various application layer transactional issues.", + "categories": [ + "identifications" + ] + }, + "65c7e8a": { + "friendly_name": "DNP3 Issues", + "description": "Detect various issues with DNP3 protocol.", + "categories": [ + "identifications" + ] + }, + "599cbf7": { + "friendly_name": "Bot Command and Control", + "description": "These are auto-generated from several sources of known and confirmed active Botnet and other Command and Control hosts. Updated daily, primary data source is Shadowserver.org.", + "categories": [ + "alerts", + "auto-generated" + ] + }, + "deee35b": { + "friendly_name": "Bot Command and Control (Port Grouped)", + "description": "These are auto-generated from several sources of known and confirmed active Botnet and other Command and Control hosts. Updated daily, primary data source is Shadowserver.org. 
This set is grouped by destination-port.", + "categories": [ + "alerts", + "auto-generated" + ] + }, + "305fa51": { + "friendly_name": "Gaming Attacks", + "description": "Common gaming traffic and various attacks against those games.", + "categories": [ + "identifications", + "alerts" + ] + }, + "84b87f1": { + "friendly_name": "Compromised Hosts", + "description": " Based on a list of known compromised hosts that is confirmed and updated daily.", + "categories": [ + "alerts", + "threat-community" + ] + }, + "fff95c8": { + "friendly_name": "Current Events", + "description": "Active and short lived campaigns. This category covers exploit kits and malware that will be aged and removed quickly due to the short lived nature of the threat.", + "categories": [ + "alerts", + "threat-community" + ] + }, + "3a38db2": { + "friendly_name": "DShield", + "description": "IP based rules for Dshield Identified attackers. Daily updated list of the DShield top attackers list.", + "categories": [ + "alerts", + "threat-community" + ] + }, + "79d6a51": { + "friendly_name": "Spamhaus DROP Alerts", + "description": "Detects IP addresses on the Spamhaus DROP (Don\u2019t Route or Peer) list. 
These lists are maintained daily.", + "categories": [ + "alerts", + "threat-community" + ] + }, + "f0277e9": { + "friendly_name": "Command and Control Blocklist (Threatview.io)", + "description": "Command and Control servers identified by the Threatview.io research team.", + "categories": [ + "alerts", + "auto-generated", + "threat-community" + ] + }, + "bdfac29": { + "friendly_name": "CIArmy", + "description": "Collective Intelligence generated IP rules for blocking based upon cinsscore.com.", + "categories": [ + "alerts", + "threat-community", + "auto-generated" + ] + }, + "3e21ddf": { + "friendly_name": "3coresec", + "description": "This category is for signatures that are generated automatically from the 3CORESec team\u2019s IP block lists.", + "categories": [ + "alerts", + "threat-community", + "auto-generated" + ] + }, + "f9ead59": { + "friendly_name": "TOR Traffic Identification", + "description": "IP Based rules for the identification of traffic to and from TOR exit nodes.", + "categories": [ + "alerts", + "identifications", + "threat-community" + ] + } +} \ No newline at end of file diff --git a/dynamite_nsm/confs/suricata/update.yaml b/dynamite_nsm/confs/suricata/update.yaml new file mode 100644 index 00000000..731f0aa9 --- /dev/null +++ b/dynamite_nsm/confs/suricata/update.yaml @@ -0,0 +1,9 @@ +disable-conf: /etc/dynamite/suricata/disable.conf +enable-conf: /etc/dynamite/suricata/enable.conf +drop-conf: /etc/dynamite/suricata/drop.conf +modify-conf: /etc/dynamite/suricata/modify.conf +ignore: + - "*deleted.rules" + +local: + - /etc/dynamite/suricata/rules \ No newline at end of file diff --git a/dynamite_nsm/confs/systemd/dynamited.service b/dynamite_nsm/confs/systemd/dynamited.service new file mode 100644 index 00000000..2c4e15e3 --- /dev/null +++ b/dynamite_nsm/confs/systemd/dynamited.service 
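Review bot: Nothing in these entries records which Suricata rule file each one describes; the keys (`7199f4a`, `5d8f630`, …) are opaque hash-style ids and the only human-readable handle is `friendly_name`, so the link to file names such as `emerging-attack_response.rules` in the sibling suricata.yaml must live elsewhere or be inferred. If the loader presumably resolves entries by `friendly_name`, a rename silently breaks that; a per-entry `"rule_file"` field, or a comment in the loader explaining the key scheme, would make the file self-describing. A few descriptions also need cleanup: `none malicious FTP activity` should read `non-malicious`, the `Compromised Hosts` description starts with a stray space, and `Various attacks uncategorizable attack detections.` is a fragment.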
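Review bot: The file declares `local:` pointing at `/etc/dynamite/suricata/rules` but no `output:` (or `sources:`) entry, so suricata-update will write its merged rule set to its default output directory, while the suricata.yaml in this same diff reads individual files (`botcc.rules`, `emerging-*.rules`) from `default-rule-path: /etc/dynamite/suricata/rules`. Unless the updater is always invoked with an explicit output option pointing at that path, the rules Suricata loads and the rules suricata-update maintains will presumably diverge without any error. An explicit `output:` line plus a comment stating how the tool is invoked would make the contract visible; if the merged output is meant to land in the same directory that `local:` reads from, note that the generated file would then be picked up as a local source on the next run.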
@@ -0,0 +1,16 @@
+[Unit]
+Description=Dynamite Daemon Service Manager
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Environment="DYNAMITED_CONFIG=-c /etc/dynamite/dynamited/config.yml"
+PIDFile=/var/run/dynamite/dynamited/dynamited.pid
+ExecStart=/opt/dynamite/dynamited/bin/dynamited $DYNAMITED_CONFIG
+Restart=always
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier=dynamited
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/dynamite_nsm/confs/systemd/elasticsearch.service b/dynamite_nsm/confs/systemd/elasticsearch.service
new file mode 100644
index 00000000..f5d959fd
--- /dev/null
+++ b/dynamite_nsm/confs/systemd/elasticsearch.service
@@ -0,0 +1,31 @@
+Description=Elasticsearch
+Documentation=https://www.elastic.co
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+RuntimeDirectory=elasticsearch
+PrivateTmp=true
+Environment=PID_DIR=/var/run/dynamite/
+Environment=ES_SD_NOTIFY=true
+EnvironmentFile=/etc/dynamite/environment
+
+WorkingDirectory=/opt/dynamite/elasticsearch
+
+User=dynamite
+Group=dynamite
+
+ExecStart=/opt/dynamite/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid
+
+StandardOutput=journal
+StandardError=inherit
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+TimeoutStopSec=0
+KillSignal=SIGTERM
+SendSIGKILL=no
+SuccessExitStatus=143
+
+[Install]
+WantedBy=multi-user.target
diff --git a/dynamite_nsm/confs/systemd/filebeat.service b/dynamite_nsm/confs/systemd/filebeat.service
new file mode 100644
index 00000000..4cdf8ae1
--- /dev/null
+++ b/dynamite_nsm/confs/systemd/filebeat.service
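Review bot: The `[Service]` section of dynamited.service sets no `User=`/`Group=`, so the daemon runs as root, while every other unit in this commit runs as `dynamite`; if root is genuinely required (it may be, since this daemon appears to manage the other services) a one-line comment above `ExecStart=` saying so would stop the next reader from "fixing" it, otherwise add `User=dynamite` and `Group=dynamite`. Separately, `StandardOutput=syslog` / `StandardError=syslog` are deprecated aliases on current systemd (treated as `journal` with a warning); the same lines appear in filebeat.service, suricata.service and zeek.service below.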
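Review bot: elasticsearch.service has no `[Unit]` header: the file opens with `Description=Elasticsearch`, so `Description=`, `Documentation=`, `Wants=` and `After=` sit outside any section and systemd will reject them as assignments outside a section, which means the `network-online.target` ordering never applies. Insert `[Unit]` as the first line of the file. This is the only unit in the commit with the problem; the others start with `[Unit]` (logstash.service starts at `[Service]`, which is legal).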
@@ -0,0 +1,17 @@
+[Unit]
+Description=Filebeat Log Collector
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=dynamite
+Group=dynamite
+EnvironmentFile=/etc/dynamite/environment
+ExecStart=/bin/bash -c "${FILEBEAT_HOME}/filebeat -c ${FILEBEAT_HOME}/filebeat.yml --strict.perms=false"
+Restart=always
+RestartSec=10s
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/dynamite_nsm/confs/systemd/kibana.service b/dynamite_nsm/confs/systemd/kibana.service
new file mode 100644
index 00000000..4441d7ba
--- /dev/null
+++ b/dynamite_nsm/confs/systemd/kibana.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Kibana
+After=network.target
+
+[Service]
+ExecStart=/opt/dynamite/kibana/bin/kibana -c ${KIBANA_PATH_CONF}/kibana.yml -l ${KIBANA_LOGS}/kibana.log
+
+Type=simple
+PIDFile=/var/run/dynamite/kibana.pid
+Restart=always
+EnvironmentFile=/etc/dynamite/environment
+
+
+User=dynamite
+Group=dynamite
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
diff --git a/dynamite_nsm/confs/systemd/logstash.service b/dynamite_nsm/confs/systemd/logstash.service
new file mode 100644
index 00000000..4d7bb3ac
--- /dev/null
+++ b/dynamite_nsm/confs/systemd/logstash.service
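Review bot: `--strict.perms=false` in the filebeat `ExecStart=` switches off Filebeat's check that `filebeat.yml` is owned by the running user and not writable by others, which is the control that stops a third party from injecting inputs or outputs into the shipper's configuration. Since the unit already runs as `dynamite`, the cleaner fix is to have the installer set the config file to `dynamite:dynamite` mode `0644` (or stricter) and drop the flag; if the flag has to stay, add a comment above `ExecStart=` explaining which file fails the check and why.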
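Review bot: kibana.service installs into `WantedBy=default.target` whereas every other unit in this commit uses `multi-user.target`; on a headless server these usually coincide, but the inconsistency will surprise whoever later graphs the dependency tree, so `WantedBy=multi-user.target` would be the safer choice. `PIDFile=` is also only meaningful for `Type=forking`; with `Type=simple` systemd tracks the PID itself and the line can go.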
@@ -0,0 +1,31 @@
+[Service]
+EnvironmentFile=/etc/dynamite/environment
+
+Restart=always
+
+User=dynamite
+Group=dynamite
+
+ExecStart=/opt/dynamite/logstash/bin/logstash --path.settings $LS_PATH_CONF
+
+# Connects standard output to /dev/null
+
+# Connects standard error to journal
+StandardError=journal
+
+# When a JVM receives a SIGTERM signal it exits with code 143
+SuccessExitStatus=143
+
+# Specifies the maximum file descriptor number that can be opened by this process
+LimitNOFILE=65535
+
+# Specifies the maximum number of bytes of memory that may be locked into RAM
+# Set to "infinity" if you use the 'bootstrap.mlockall: true' option
+# in elasticsearch.yml and 'MAX_LOCKED_MEMORY=unlimited' in /etc/default/elasticsearch
+LimitMEMLOCK=infinity
+
+# Shutdown delay in seconds, before process is tried to be killed with KILL (if configured)
+TimeoutStopSec=20
+
+[Install]
+WantedBy=multi-user.target
diff --git a/dynamite_nsm/confs/systemd/suricata.service b/dynamite_nsm/confs/systemd/suricata.service
new file mode 100644
index 00000000..fce256ea
--- /dev/null
+++ b/dynamite_nsm/confs/systemd/suricata.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Suricata IDS
+After=network.target
+Requires=network.target
+
+[Service]
+User=dynamite
+Group=dynamite
+Type=forking
+EnvironmentFile=/etc/dynamite/environment
+ExecStart=/bin/bash -c "${SURICATA_HOME}/bin/suricata -c ${SURICATA_CONFIG}/suricata.yaml --af-packet -D"
+ExecReload=/bin/kill -SIGHUP $MAINPID
+ExecStop=/bin/kill -SIGTERM $MAINPID
+PrivateTmp=yes
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/dynamite_nsm/confs/systemd/zeek.service b/dynamite_nsm/confs/systemd/zeek.service
new file mode 100644
index 00000000..5aed3a82
--- /dev/null
+++ b/dynamite_nsm/confs/systemd/zeek.service
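Review bot: The comment `# Connects standard output to /dev/null` in logstash.service has no directive under it, so stdout actually goes wherever systemd's default sends it (the journal), and the comment is misleading; either add `StandardOutput=null` beneath it or delete the comment. The `LimitMEMLOCK` comment block also still refers to `elasticsearch.yml` and `/etc/default/elasticsearch`, which looks copied from the Elasticsearch unit and should be reworded for Logstash or dropped. A `[Unit]` section with a `Description=` would bring this file in line with the other units in the commit.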
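Review bot: `Type=forking` is used in suricata.service without a `PIDFile=`, so after `-D` daemonises systemd has to guess the main PID, and `ExecReload=`/`ExecStop=` both depend on `$MAINPID` being right; when the guess is wrong a reload or stop will signal the wrong process or fail. Add a pid file on both sides, e.g. `--pidfile /var/run/dynamite/suricata.pid` on the `ExecStart=` command and `PIDFile=/var/run/dynamite/suricata.pid` (path constructed to match the kibana unit's `/var/run/dynamite/`; adjust to the installer's layout). Running AF_PACKET capture as `User=dynamite` presumably relies on the capabilities the installer grants via `setcap`; a comment noting that dependency would help operators who copy this unit elsewhere.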
@@ -0,0 +1,23 @@
+[Unit]
+Description=Zeek Network Traffic Monitor
+After=network.target
+
+[Service]
+User=dynamite
+Group=dynamite
+EnvironmentFile=/etc/dynamite/environment
+Environment="PYTHON_BIN=/usr/bin/python3"
+ExecStartPre=/bin/bash -c "${PYTHON_BIN} ${ZEEK_HOME}/bin/zeekctl cleanup"
+ExecStartPre=/bin/bash -c "${PYTHON_BIN} ${ZEEK_HOME}/bin/zeekctl check"
+ExecStartPre=/bin/bash -c "${PYTHON_BIN} ${ZEEK_HOME}/bin/zeekctl install"
+ExecStart=/bin/bash -c "${PYTHON_BIN} ${ZEEK_HOME}/bin/zeekctl start"
+ExecStop=/bin/bash -c "${PYTHON_BIN} ${ZEEK_HOME}/bin/zeekctl stop"
+RestartSec=10s
+Type=oneshot
+RemainAfterExit=yes
+TimeoutStopSec=600
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/dynamite_nsm/confs/zeek/broctl-nodes.cfg b/dynamite_nsm/confs/zeek/broctl-nodes.cfg
new file mode 100644
index 00000000..dc57a6b9
--- /dev/null
+++ b/dynamite_nsm/confs/zeek/broctl-nodes.cfg
@@ -0,0 +1,11 @@
+[dynamite-logger]
+type=logger
+host=localhost
+
+[dynamite-manager]
+type=manager
+host=localhost
+
+[dynamite-proxy-1]
+type=proxy
+host=localhost
\ No newline at end of file
diff --git a/dynamite_nsm/confs/zeek/local.zeek b/dynamite_nsm/confs/zeek/local.zeek
new file mode 100644
index 00000000..1d0bc3af
--- /dev/null
+++ b/dynamite_nsm/confs/zeek/local.zeek
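Review bot: `RestartSec=10s` in zeek.service has no effect because the unit sets no `Restart=` directive, and with `Type=oneshot` plus `RemainAfterExit=yes` the unit is "active" once `zeekctl start` returns, so a later crash of the Zeek processes themselves is neither noticed nor restarted by systemd. Either delete the `RestartSec=` line so the file does not promise a restart it cannot deliver, or document above `Type=oneshot` that process supervision is left to zeekctl's own cron/`zeekctl check` mechanism. Note also that `Environment="PYTHON_BIN=..."` can be overridden by a `PYTHON_BIN` entry in `/etc/dynamite/environment`, since `EnvironmentFile=` values take precedence over `Environment=`; a comment saying which one is intended to win would help.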
@@ -0,0 +1,101 @@
+@load policy/tuning/json-logs
+@load misc/loaded-scripts
+@load tuning/defaults
+@load misc/capture-loss
+@load misc/stats
+
+# Signatures
+@load-sigs frameworks/signatures/detect-windows-shells
+
+
+# Load the scan detection script.
+@load misc/scan
+
+# Conn Protocol Scripts
+@load policy/protocols/conn/vlan-logging
+@load policy/protocols/conn/mac-logging
+
+# FTP Protocol Scripts
+# @load protocols/ftp/detect
+# @load protocols/ftp/software
+# @load protocols/ftp/detect-bruteforcing
+
+# DHCP Protocol Scripts
+@load protocols/dhcp/msg-orig
+@load protocols/dhcp/software
+@load protocols/dhcp/sub-opts
+
+# DNS Protocol Scripts
+@load protocols/dns/auth-addl
+# @load protocols/dns/detect-external-names
+
+# HTTP Protocol Scripts
+# @load protocols/http/detect-sqli
+# @load protocols/http/detect-webapps
+@load protocols/http/header-names
+# @load protocols/http/software-browser-plugins
+# @load protocols/http/software
+# @load protocols/http/var-extraction-cookies
+@load protocols/http/var-extraction-uri
+
+# Kerberos Protocol Scripts
+# @load protocols/krb/ticket-logging
+
+# Modbus Protocol Scripts
+# @load protocols/modbus/known-masters-slaves
+# @load protocols/modbus/track-memmap
+
+# Mysql Protocol Scripts
+# @load protocols/mysql/software
+
+# RDP Protocol Scripts
+@load protocols/rdp/indicate_ssl
+
+# SMB Protocol Scripts
+@load protocols/smb/log-cmds
+
+# SMTP Protocol Scripts
+# @load protocols/smtp/blocklists
+# @load protocols/smtp/detect-suspicious-orig
+# @load protocols/smtp/entities-excerpt
+# @load protocols/smtp/software
+
+# SSH Protocol Scripts
+@load protocols/ssh/detect-bruteforcing
+# @load protocols/ssh/geo-data
+# @load protocols/ssh/interesting-hostnames
+# @load protocols/ssh/software
+
+# SSL Protocol Scripts
+# @load protocols/ssl/expiring-certs
+# @load protocols/ssl/extract-certs-pem
+# @load protocols/ssl/heartbleed
+# @load protocols/ssl/known-certs
+# @load protocols/ssl/log-hostcerts-only
+@load 
protocols/ssl/notary
+# @load protocols/ssl/validate-ocsp
+# @load protocols/ssl/validate-sct
+# @load protocols/ssl/weak-keys
+
+# Dynamic Protocol Detection Framework
+# @load frameworks/dpd/detect-protocols
+# @load frameworks/dpd/packet-segment-logging
+
+# Files Framework
+# @load frameworks/files/detect-MHR
+# @load frameworks/files/entropy-test-all-files
+# @load frameworks/files/extract-all-files
+@load frameworks/files/hash-all-files
+
+# Notice Framework
+# @load policy/frameworks/notice/extend-email/hostnames
+
+# Packages
+@load packages/dynamite-community-id.git
+@load packages/cve-2021-44228.git
+@load packages/zeek-utils.git/pcr.zeek
+@load packages/zeek-utils.git/orientation.zeek
+@load packages/zeek-utils.git/dns_query_labels.zeek
+
+redef ignore_checksums = T;
+redef Stats::report_interval = 1 mins;
diff --git a/dynamite_nsm/confs/zeek/zeek_script_definitions.json b/dynamite_nsm/confs/zeek/zeek_script_definitions.json
new file mode 100644
index 00000000..f4f9435d
--- /dev/null
+++ b/dynamite_nsm/confs/zeek/zeek_script_definitions.json
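Review bot: `@load protocols/ssl/notary` is the only enabled entry in the SSL section that, as far as I recall, makes the sensor perform outbound lookups (the ICSI certificate notary is queried over DNS for each new certificate), so on an egress-restricted or air-gapped sensor it will fail silently and on any sensor it exports a trace of the certificates observed. A comment next to the line, such as `# NOTE: notary performs external DNS lookups for observed certificates; disable on egress-restricted sensors`, would let operators make that call deliberately. The `redef ignore_checksums = T;` line would likewise benefit from its rationale (typically NIC checksum offloading on the capture interface), since it also disables a sanity check on captured packets.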
@@ -0,0 +1,423 @@ +{ + "6a2a78c": { + "friendly_name": "Log SMB Commands", + "description": "Load this script to generate an SMB command log, smb_cmd.log. This is primarily useful for debugging.", + "categories": [ + "smb" + ] + }, + "c978807": { + "friendly_name": "Track Certificates", + "description": "Log information about certificates while attempting to avoid duplicate logging.", + "categories": [ + "ssl" + ] + }, + "3a50886": { + "friendly_name": "Add Additional Authoritative Responses", + "description": "This script adds authoritative and additional responses for the current query to the DNS log. It can cause severe overhead due to the need for all authoritative and additional responses to have events generated.", + "categories": [ + "dns" + ] + }, + "ed26c25": { + "friendly_name": "Add DNS Query Labels", + "description": "Adds additional labels to dns log", + "categories": [ + "dns" + ] + }, + "ddda379": { + "friendly_name": "Add Message Origin", + "description": "Add a field that logs the order of hosts sending messages using the same DHCP transaction ID. This information is occasionally needed on some networks to fully explain the DHCP sequence.", + "categories": [ + "dhcp" + ] + }, + "a925e33": { + "friendly_name": "Add Subscriber Options", + "description": "Adds circuit identifier which typically represents the router or switch interface number.", + "categories": [ + "dhcp" + ] + }, + "740bf81": { + "friendly_name": "Add Header Names", + "description": "Extract and include the header names used for each request in the HTTP logging stream. 
The headers in the logging stream will be stored in the same order which they were seen on the wire.", + "categories": [ + "http" + ] + }, + "d903a55": { + "friendly_name": "Extract URI Variables", + "description": "Extracts and logs variables from the requested URI in the default HTTP logging stream.", + "categories": [ + "http" + ] + }, + "e2aeebe": { + "friendly_name": "Extract Cookie Variables", + "description": "Extracts and logs variable names from cookies sent by clients.", + "categories": [ + "http" + ] + }, + "cd749ac": { + "friendly_name": "Add Body Excerpt", + "description": "This script is for optionally adding a body excerpt to the SMTP entities log.", + "categories": [ + "smtp" + ] + }, + "e4a5fef": { + "friendly_name": "Hash All Files", + "description": "Perform MD5 and SHA1 hashing on all files.", + "categories": [ + "files" + ] + }, + "5ffd187": { + "friendly_name": "Add File Entropy", + "description": "Calculates the information density of the contents of the file, expressed as a number of bits per character. 
", + "categories": [ + "files" + ] + }, + "1a4d828": { + "friendly_name": "Extract All Files", + "description": "Extract all files to disk.", + "categories": [ + "files" + ] + }, + "10f6c01": { + "friendly_name": "Tune Defaults", + "description": "Miscellaneous tuning parameters.", + "categories": [ + "tuning" + ] + }, + "782a147": { + "friendly_name": "Track Modbus Master/Slave", + "description": "Script for tracking known Modbus masters and slaves.", + "categories": [ + "modbus" + ] + }, + "e38d1ba": { + "friendly_name": "Track Memory Map", + "description": "This script tracks the memory map of holding (read/write) registers and logs changes as they are discovered.", + "categories": [ + "modbus" + ] + }, + "7093e8e": { + "friendly_name": "Enable JSON Logging", + "description": "Loading this script will cause all logs to be written out as JSON by default.", + "categories": [ + "logging" + ] + }, + "60c8f2a": { + "friendly_name": "Log Loaded Scripts", + "description": "Log the loaded scripts.", + "categories": [ + "logging" + ] + }, + "924eab7": { + "friendly_name": "Log Capture Loss", + "description": "This script logs evidence regarding the degree to which the packet capture process suffers from measurement loss.", + "categories": [ + "logging" + ] + }, + "41e0fa2": { + "friendly_name": "Log General Statistics", + "description": "Log memory/packet/lag statistics.", + "categories": [ + "logging" + ] + }, + "2878963": { + "friendly_name": "Log Host Certificates Only", + "description": "When this script is loaded, only the host certificates (client and server) will be logged to x509.log.", + "categories": [ + "ssl", + "x509" + ] + }, + "3e224d4": { + "friendly_name": "Extract Host Certificates", + "description": "This script is used to extract host certificates seen on the wire to disk after being converted to PEM files. 
The certificates will be stored in a single file, one for local certificates and one for remote certificates.", + "categories": [ + "ssl", + "x509" + ] + }, + "a21ae7b": { + "friendly_name": "Add Kerberos Ticket Hashes", + "description": "Add Kerberos ticket hashes to the kerberos log.", + "categories": [ + "kerberos" + ] + }, + "d154f23": { + "friendly_name": "Enable Dynamite Protocol Detection", + "description": "Finds connections with protocols on non-standard ports with DPD.", + "categories": [ + "detections" + ] + }, + "7505295": { + "friendly_name": "Detect TCP Scan", + "description": "Detects probable TCP scans.", + "categories": [ + "detections" + ] + }, + "80fbab7": { + "friendly_name": "Add Community Id", + "description": "Community Id allows for correlation across Suricata generated logs. If enabled, community_id will be added to connections and relevant protocol logs.", + "categories": [ + "detections" + ] + }, + "d3b8337": { + "friendly_name": "Detect Protocol Violations", + "description": "This script enables logging of packet segment data when a protocol parsing violation is encountered.", + "categories": [ + "detections" + ] + }, + "a3003e5": { + "friendly_name": "MAC Address Logging", + "description": "This script adds link-layer address (MAC) information to the connection logs", + "categories": [ + "connections" + ] + }, + "c880156": { + "friendly_name": "Connection Orientation", + "description": "Adds the orientation field to the connection log. Orientation is merely a way to describe the hosts/networks involved in the communication, and how it was initiated.", + "categories": [ + "connections" + ] + }, + "ce8bc6e": { + "friendly_name": "Producer/Consumer Ratios", + "description": "This script calculates and adds PCR to the connection log using application bytes. 
", + "categories": [ + "connections" + ] + }, + "e17c61d": { + "friendly_name": "Detect Suspicious Traffic", + "description": "Detect various potentially bad FTP activities.", + "categories": [ + "ftp", + "detections" + ] + }, + "98e4cdb": { + "friendly_name": "Detect Software", + "description": "Software identification and extraction for FTP protocol.", + "categories": [ + "ftp", + "detections" + ] + }, + "1b03381": { + "friendly_name": "Detect External Names", + "description": "This script detects names which are not within zones considered to be local but resolving to addresses considered local.", + "categories": [ + "dns", + "detections" + ] + }, + "a2cf3b1": { + "friendly_name": "Detect RDP Over SSL", + "description": "If an RDP session is \u201cupgraded\u201d to SSL, this will be indicated with this script in a new field added to the RDP log.", + "categories": [ + "rdp", + "detections" + ] + }, + "9363b9a": { + "friendly_name": "Detect Software", + "description": "Extracts SSH client and server information from SSH connections and forwards it to the software framework.", + "categories": [ + "ssh", + "detections" + ] + }, + "8049148": { + "friendly_name": "Detect Software", + "description": "Software identification and extraction for DHCP traffic.", + "categories": [ + "dhcp", + "detections" + ] + }, + "8c7bc4e": { + "friendly_name": "Detect Web Applications", + "description": "Detect and log web applications through the software framework.", + "categories": [ + "http", + "detections" + ] + }, + "baaccfa": { + "friendly_name": "Detect Software", + "description": "Software identification and extraction for HTTP traffic.", + "categories": [ + "http", + "detections" + ] + }, + "5a02d33": { + "friendly_name": "Detect Browser Plugins", + "description": "Detect browser plugins as they leak through requests to Omniture advertising servers.", + "categories": [ + "http", + "detections" + ] + }, + "ba9197e": { + "friendly_name": "Detect Email Address Blacklisted", + 
"description": "Watch for various SPAM blocklist URLs in SMTP error messages.", + "categories": [ + "smtp", + "detections" + ] + }, + "67f08c7": { + "friendly_name": "Detect Software", + "description": "This script feeds software detected through email into the software framework. Mail clients and webmail interfaces are the only thing currently detected.", + "categories": [ + "smtp", + "detections" + ] + }, + "7cfebb3": { + "friendly_name": "Validate Signed Certificate Timestamps", + "description": "Perform validation of Signed Certificate Timestamps, as used for Certificate Transparency. See RFC6962 for more details.", + "categories": [ + "ssl", + "validations" + ] + }, + "39d6c7e": { + "friendly_name": "Validate OCSP", + "description": "Perform validation of stapled OCSP responses.", + "categories": [ + "ssl", + "validations" + ] + }, + "c6dd7f2": { + "friendly_name": "Add ICSI Certificate Notary", + "description": "Include the ISCI notary information.", + "categories": [ + "ssl", + "validations" + ] + }, + "4b3ac05": { + "friendly_name": "Detect Malware By Known Hashes", + "description": "Detect file downloads that have hash values matching files in Team Cymru\u2019s Malware Hash Registry", + "categories": [ + "files", + "detections" + ] + }, + "5576da3": { + "friendly_name": "Detect Software", + "description": "Software identification and extraction for MySQL traffic.", + "categories": [ + "mysql", + "detections" + ] + }, + "20d7e67": { + "friendly_name": "Detect Log4Shell Attack", + "description": "Detect Log4Shell (CVE-2021-44228) attack over HTTP.", + "categories": [ + "detections", + "notices" + ] + }, + "ba6557d": { + "friendly_name": "Detect Weak Keys", + "description": "Generate notices when SSL/TLS connections use certificates, DH parameters, or cipher suites that are deemed to be insecure.", + "categories": [ + "ssl", + "detections", + "notices" + ] + }, + "b627a93": { + "friendly_name": "Detect Heartbleed Attack", + "description": "Detect the TLS 
Heartbleed (CVE-2014-0160) attack.", + "categories": [ + "ssl", + "detections", + "notices" + ] + }, + "e202e1e": { + "friendly_name": "Detect Suspicious SSH Traffic", + "description": "This script will generate a notice if an apparent SSH login originates or heads to a host with a reverse hostname that looks suspicious.", + "categories": [ + "ssh", + "detections", + "notices" + ] + }, + "99e00b3": { + "friendly_name": "Detect Brute Force Attacks", + "description": "Detect hosts which are doing password guessing attacks and/or password bruteforcing over SSH.", + "categories": [ + "ssh", + "detections", + "notices" + ] + }, + "b156bba": { + "friendly_name": "Detect Brute Force Attacks", + "description": "FTP brute-forcing detector, triggering when too many rejected usernames or failed passwords have occurred from a single address.", + "categories": [ + "ftp", + "detections", + "notices" + ] + }, + "0fd1658": { + "friendly_name": "Add DNS Derived Hostnames", + "description": "Loading this script extends the Notice::ACTION_EMAIL action by appending to the email the hostnames associated with Notice::Info\u2019s src and dst fields as determined by a DNS lookup.", + "categories": [ + "smtp", + "detections", + "notices" + ] + }, + "0727dc2": { + "friendly_name": "Detect SQL Injection Attacks", + "description": "SQL injection attack detection over the HTTP protocol.", + "categories": [ + "http", + "detections", + "notices" + ] + }, + "07dab12": { + "friendly_name": "Detect Expiring Certificates", + "description": "Generate notices when X.509 certificates over SSL/TLS are expired or going to expire soon based on the date and time values stored within the certificate.", + "categories": [ + "ssl", + "x509", + "detections", + "notices" + ] + } +} diff --git a/dynamite_nsm/services/base/tasks.py b/dynamite_nsm/services/base/tasks.py index 25849fb7..b2b32d1a 100644 --- a/dynamite_nsm/services/base/tasks.py +++ b/dynamite_nsm/services/base/tasks.py 
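Review bot: Two user-facing strings in the definitions file look wrong: entry `d154f23` is named `"Enable Dynamite Protocol Detection"` although its description and the `frameworks/dpd` script it maps to are about Zeek's Dynamic Protocol Detection, so the name should read `"Enable Dynamic Protocol Detection"`; and entry `c6dd7f2` describes the ICSI notary as `"Include the ISCI notary information."` where `ISCI` should be `ICSI` to match its `friendly_name`. Since these strings are shown to operators choosing which scripts to enable, the first one in particular could be read as a Dynamite-specific feature rather than a stock Zeek framework.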
@@ -1,19 +1,30 @@ import os import sys +import logging import requests import subprocess from time import sleep import crontab + +from typing import List, Optional, Tuple + from dynamite_nsm import const from dynamite_nsm import utilities -from typing import List, Optional, Tuple +from dynamite_nsm.logger import get_logger class BaseTask: - def __init__(self, name: str, package_link: Optional[str] = None, description: Optional[str] = None): + def __init__(self, name: str, package_link: Optional[str] = None, description: Optional[str] = None, + verbose: Optional[bool] = False, stdout: Optional[bool] = True): self.name = name self.package_link = package_link self.description = description + log_level = logging.INFO + if verbose: + log_level = logging.DEBUG + self.stdout = stdout + self.verbose = verbose + self.logger = get_logger(str(name), level=log_level, stdout=stdout) def download_and_install(self): raise NotImplemented() @@ -24,11 +35,13 @@ def invoke(self): class BaseShellCommandsTask(BaseTask): - def __init__(self, name: str, package_link: str, commands: List[List[str]], description: Optional[str] = None): - super().__init__(name, package_link, description) + def __init__(self, name: str, package_link: str, commands: List[List[str]], description: Optional[str] = None, + verbose: Optional[bool] = False, stdout: Optional[bool] = True): + super().__init__(name, package_link, description, stdout=stdout, verbose=verbose) self.commands = commands - def invoke(self, shell: Optional[bool] = False, cwd: Optional[str] = os.getcwd()) -> List[Tuple[List, bytes, bytes]]: + def invoke(self, shell: Optional[bool] = False, cwd: Optional[str] = os.getcwd()) -> List[ + Tuple[List, bytes, bytes]]: results = [] for command in self.commands: if not shell: 
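Review bot: The new `verbose: Optional[bool] = False` and `stdout: Optional[bool] = True` parameters on `BaseTask.__init__` are never meaningfully `None` (a `None` verbose just falls through to `logging.INFO`), so plain `bool` annotations describe the contract better; the same `Optional[bool]` pattern is repeated in the three other `__init__` signatures touched by this commit. While here, the context line `raise NotImplemented()` in `download_and_install` raises a `TypeError` (`NotImplemented` is a sentinel value, not an exception class) and should be `raise NotImplementedError()`. A short docstring on `__init__` noting that `verbose` only selects DEBUG vs INFO on the task's logger would round this off.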
@@ -62,13 +75,15 @@ def remove_cronjob(self): class BaseShellCommandTask(BaseShellCommandsTask): - def __init__(self, name: str, package_link: str, command: str, args: List[str], description: Optional[str] = None): + def __init__(self, name: str, package_link: str, command: str, args: List[str], description: Optional[str] = None, + verbose: Optional[bool] = False, stdout: Optional[bool] = True): command = [ command ] command.extend(args) - super().__init__(name, commands=[command], package_link=package_link, description=description) + super().__init__(name, commands=[command], package_link=package_link, description=description, verbose=verbose, + stdout=stdout) self.command = command self.args = args @@ -92,8 +107,8 @@ def __init__(self, name: str, kibana_package_link: Optional[str] = None, usernam password: Optional[str] = 'admin', target: Optional[str] = f'http://{utilities.get_primary_ip_address()}:5601', tenant: Optional[str] = '', - description: Optional[str] = ''): - super().__init__(name, kibana_package_link, description) + description: Optional[str] = '', verbose: Optional[bool] = False, stdout: Optional[bool] = True): + super().__init__(name, kibana_package_link, description, verbose=verbose, stdout=stdout) self.username = username self.password = password self.target = target diff --git a/dynamite_nsm/services/setup/install.py b/dynamite_nsm/services/setup/install.py index 9797ad5c..944eda41 100644 --- a/dynamite_nsm/services/setup/install.py +++ b/dynamite_nsm/services/setup/install.py @@ -1,11 +1,11 @@ import os import shutil +import pkg_resources from dynamite_nsm import const from dynamite_nsm import logger from dynamite_nsm import utilities from dynamite_nsm import exceptions -from dynamite_nsm.services.updates import install as update_installer systemctl_bin_path = shutil.which('systemctl') setcap_bin_path = shutil.which('setcap') 
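Review bot: The reflowed signature `def invoke(self, shell: Optional[bool] = False, cwd: Optional[str] = os.getcwd())` still evaluates `os.getcwd()` once at import time, so every later call runs in whatever directory the interpreter happened to be in when `tasks.py` was first imported rather than the caller's current directory; the body of `invoke` continues outside this hunk. Prefer `cwd: Optional[str] = None` and resolve it inside with `cwd = cwd or os.getcwd()`. The hunk at `@@ -92,8 +107,8 @@` has the same import-time default in `target: Optional[str] = f'http://{utilities.get_primary_ip_address()}:5601'`, which additionally performs network interface discovery on import.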
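Review bot: The new `import pkg_resources` in install.py pulls in setuptools' deprecated resource API, which emits a DeprecationWarning on recent setuptools and is slow to import; the standard library equivalent is `importlib.resources`, e.g. `from importlib.resources import files` with `files('dynamite_nsm') / 'confs/elasticsearch'`, provided the project's minimum Python is 3.9 or later (not visible here). If `pkg_resources` must stay for older interpreters, a one-line comment next to the import saying so will stop it from being "modernised" by accident.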
@@ -84,8 +84,33 @@ def patch_sudoers(): with open(f'{include_directory}/dynamite', 'w') as dynamite_sudoers_out: dynamite_sudoers_out.write(sudoers_patch) + def extract_included_configurations(self) -> None: + """Extracts default configurations included with this package to the root configuration path + Returns: + None + """ + es_confs = pkg_resources.resource_filename('dynamite_nsm', 'confs/elasticsearch') + ls_confs = pkg_resources.resource_filename('dynamite_nsm', 'confs/logstash') + kb_confs = pkg_resources.resource_filename('dynamite_nsm', 'confs/kibana') + fb_confs = pkg_resources.resource_filename('dynamite_nsm', 'confs/filebeat') + sa_confs = pkg_resources.resource_filename('dynamite_nsm', 'confs/suricata') + zk_confs = pkg_resources.resource_filename('dynamite_nsm', 'confs/zeek') + systemd = pkg_resources.resource_filename('dynamite_nsm', 'confs/systemd') + mirrors = pkg_resources.resource_filename('dynamite_nsm', 'confs/mirrors') + default_confs = [es_confs, ls_confs, kb_confs, fb_confs, sa_confs, zk_confs, systemd] + for p in default_confs: + top_dir = os.path.basename(p) + dst_dir = f'{const.DEFAULT_CONFIGS}/{top_dir}' + utilities.makedirs(dst_dir) + self.logger.debug(f'Copying {p} -> {dst_dir}') + utilities.copytree(p, f'{const.DEFAULT_CONFIGS}/{top_dir}') + + self.logger.debug(f'Copying {mirrors} -> {const.MIRRORS}') + utilities.copytree(mirrors, const.MIRRORS) + def setup(self): - fresh_install_paths = [const.LOG_PATH, const.CONFIG_PATH, const.INSTALL_PATH, const.INSTALL_CACHE] + fresh_install_paths = [const.LOG_PATH, const.CONFIG_PATH, const.DEFAULT_CONFIGS, const.MIRRORS, + const.INSTALL_PATH, const.INSTALL_CACHE] try: self.logger.info('Creating dynamite user and group.') utilities.create_dynamite_user() 
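Review bot: In `extract_included_configurations` the loop computes `dst_dir` and uses it for `makedirs` and the debug message, but the copy on the next line rebuilds the same path by hand: `utilities.copytree(p, f'{const.DEFAULT_CONFIGS}/{top_dir}')` should be `utilities.copytree(p, dst_dir)` so the two cannot drift apart. Whether `utilities.copytree` tolerates the destination already existing (it is created just before, and `setup` is presumably re-runnable) is not visible here and deserves a sentence in the docstring, which also needs a blank line before `Returns:` to match the project's Google-style blocks. Because these defaults include the systemd units and the opendistro security settings, a debug-level log of the destination is fine, but an info-level summary of how many files were written would help operators audit what landed on disk.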
@@ -98,8 +123,8 @@ def setup(self): utilities.create_dynamite_environment_file() self.logger.info('Patching sudoers file.') self.patch_sudoers() - self.logger.info('Checking for updates') - update_installer.InstallManager(stdout=True, verbose=True).setup() + self.logger.info('Setting up default configurations and mirrors.') + self.extract_included_configurations() self.logger.info('Setup complete. You can now install and manage services.') except Exception: raise exceptions.InstallError('Failed to setup DynamiteNSM directory structure.') @@ -158,5 +183,3 @@ def uninstall(self): shutil.rmtree(directory) except Exception: raise exceptions.UninstallError('Failed to remove DynamiteNSM from this system.') - - diff --git a/dynamite_nsm/services/suricata/config.py b/dynamite_nsm/services/suricata/config.py index b68c8f68..106628bd 100644 --- a/dynamite_nsm/services/suricata/config.py +++ b/dynamite_nsm/services/suricata/config.py 
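Review bot: The new `self.extract_included_configurations()` call runs inside the existing `try` whose `except Exception:` re-raises a bare `InstallError('Failed to setup DynamiteNSM directory structure.')`, so a failure in the copy (a missing package resource, a permission error on `const.DEFAULT_CONFIGS`) surfaces with no hint of which step or path failed; the enclosing `setup` starts outside this hunk. Change the context lines to `except Exception as e:` and `raise exceptions.InstallError('Failed to setup DynamiteNSM directory structure.') from e` so the original traceback is preserved, and consider `self.logger.exception(...)` before the re-raise since the installer already has a logger.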
@@ -7,15 +7,36 @@ from yaml import Loader from yaml import load +from suricata.update import config +from suricata.update import sources +from suricata.update.commands.enablesource import write_source_config -from dynamite_nsm import exceptions as general_exceptions from dynamite_nsm import const, utilities from dynamite_nsm.services.base import install -from dynamite_nsm.services.base.config import YamlConfigManager +from dynamite_nsm import exceptions as general_exceptions +from dynamite_nsm.services.base.config import YamlConfigManager, GenericConfigManager from dynamite_nsm.services.base.config_objects.suricata import misc, rules +class SourceAlreadyExists(Exception): + def __init__(self, name): + msg = f"This source ({name}) already exists. You must first remove it before it can be added again." + super(SourceAlreadyExists, self).__init__(msg) + + +class SourceUrlMissing(Exception): + def __init__(self, name): + msg = f"You must specify a URL for this source ({name})." + super(SourceUrlMissing, self).__init__(msg) + + +class SourceSecretMissing(Exception): + def __init__(self, name): + msg = f"You must specify a secret for this source ({name})." + super(SourceSecretMissing, self).__init__(msg) + + def lookup_rule_definition(rule_id: str) -> Dict: """Return the definition, categories, and friendly_name of a given script Args: 
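Review bot: The three new exception classes use the Python 2 form `super(SourceAlreadyExists, self).__init__(msg)` (likewise for `SourceUrlMissing` and `SourceSecretMissing`), while the file already relies on f-strings, so the zero-argument `super().__init__(msg)` is both available and the project's normal style. They also inherit directly from `Exception` rather than from whatever base the imported `general_exceptions` module provides, so callers cannot catch all Suricata configuration errors with one clause; if the project has such a base (not visible here) deriving from it, or from a small shared `SourceError` base, would be more consistent. A one-line docstring on each class stating when it is raised would complete the change.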
@@ -280,3 +301,158 @@ def commit(self, out_file_path: Optional[str] = None, backup_directory: Optional self._af_packet_interfaces_raw = self.af_packet_interfaces.get_raw() self._threading_raw = self.threading.get_raw() super(ConfigManager, self).commit(out_file_path, backup_directory, top_text=top_text) + + +class UpdateConfigManager(YamlConfigManager): + + def __init__(self, configuration_directory: str, verbose: Optional[bool] = False, stdout: Optional[bool] = True): + extract_tokens = { + 'disable_conf': ('disable-conf',), + 'enable_conf': ('enable-conf',), + 'modify_conf': ('modify-conf',), + 'ignore': ('ignore',), + 'sources': ('sources',), + 'local': ('local',) + } + self.disable_conf = None + self.enable_conf = None + self.modify_conf = None + self.ignore = None + self.sources = None + self.local = None + + self.configuration_directory = configuration_directory + self.suricata_config_file = os.path.join(self.configuration_directory, 'update.yaml') + try: + with open(self.suricata_config_file, 'r') as configyaml: + self.config_data_raw = load(configyaml, Loader=Loader) + except (IOError, ValueError): + raise general_exceptions.ReadConfigError(f'Failed to read or parse {self.suricata_config_file}.') + + super().__init__(self.config_data_raw, name='suricata.update.config', verbose=verbose, stdout=stdout, + **extract_tokens) + + self.parse_yaml_file() + + def commit(self, out_file_path: Optional[str] = None, backup_directory: Optional[str] = None, + top_text: Optional[str] = None) -> None: + if not out_file_path: + out_file_path = f'{self.configuration_directory}/update.yaml' + super(UpdateConfigManager, self).commit(out_file_path, backup_directory, top_text=top_text) + + +class SourcesConfigManager(GenericConfigManager): + + DEFAULT_SOURCE = 'et/open' + + def __init__(self, configuration_directory: str, verbose: Optional[bool] = False, + stdout: Optional[bool] = True): + self.configuration_directory = configuration_directory + config.DEFAULT_DATA_DIRECTORY = 
f'{self.configuration_directory}/data/' + config.DEFAULT_UPDATE_YAML_PATH = f'{self.configuration_directory}/update.yaml' + config.DEFAULT_SURICATA_YAML_PATH = [f'{self.configuration_directory}/suricata.yaml'] + self.config = config + self.source_index = sources.load_source_index(config) + super().__init__({}, 'suricata.update.sources', verbose, stdout) + + def _enable_index_source(self, name: str, secret: Optional[str] = None): + source_directory = sources.get_source_directory() + source = self.source_index.get_sources()[name] + source_parameters = source.get('parameters', {}) + if 'secret-code' in source_parameters: + if not secret: + raise SourceSecretMissing(name) + source_parameters['secret-code'] = secret + if 'checksum' in source: + checksum = source["checksum"] + else: + checksum = source.get("checksum", True) + new_source = sources.SourceConfiguration( + name, params=source_parameters, checksum=checksum) + if not os.path.exists(source_directory): + utilities.makedirs(source_directory) + if "replaces" in source and self.DEFAULT_SOURCE in source["replaces"]: + self.logger.debug("Not enabling default source as selected source replaces it") + elif new_source.name == self.DEFAULT_SOURCE: + self.logger.debug( + "Not enabling default source as selected source is the default") + else: + self.logger.info(f"Enabling default source {self.DEFAULT_SOURCE}") + if not self.source_index.get_source_by_name(self.DEFAULT_SOURCE): + self.logger.error(f"Default source {self.DEFAULT_SOURCE} not in index") + else: + default_source_config = sources.SourceConfiguration(self.DEFAULT_SOURCE) + write_source_config(default_source_config, True) + write_source_config(new_source, True) + self.logger.info(f'Source {str(new_source)} enabled.') + if "replaces" in source: + for replaces in source["replaces"]: + filename = sources.get_enabled_source_filename(replaces) + if os.path.exists(filename): + os.unlink(filename) + + def add_source(self, name: str, url: Optional[str] = None, secret: 
Optional[str] = None, + header: Optional[str] = None) -> None: + """Add a source from an index of known public sources, or add a source from a custom URL + Args: + name: The name of the source to add, if not found within the index a new one will be created + url: The url where the rules can be downloaded + secret: A secret key required to retrieve some commercial rule-sets + header: An http header sometimes required when basic HTTP authentication is used + + Returns: + None + """ + enabled_source_filename = sources.get_enabled_source_filename(name) + if os.path.exists(enabled_source_filename): + raise SourceAlreadyExists(name) + + if name not in self.source_index.get_sources(): + if not url: + raise SourceUrlMissing(name) + checksum = None + if sources.source_name_exists(name): + raise SourceAlreadyExists(name) + source_config = sources.SourceConfiguration( + name, header=header, url=url, checksum=checksum) + sources.save_source_config(source_config) + else: + self._enable_index_source(name, secret) + + def list_enabled_sources(self) -> Dict[str, Dict]: + """Get enabled sources + Returns: + A dictionary where keys are the source names and values are the metadata associated with that source + """ + self.logger.debug(f'Fetching enabled sources from {sources.get_source_directory()}') + return sources.get_enabled_sources() + + def list_available_sources(self) -> Dict[str, Dict]: + """Get all available sources + Returns: + A dictionary where keys are the source names and values are the metadata associated with that source + """ + return sources.load_source_index(self.config).get_sources() + + def remove_source(self, name: str) -> None: + """Remove a source + Args: + name: The name of the source + Returns: + None + """ + enabled_source_filename = sources.get_enabled_source_filename(name) + if os.path.exists(enabled_source_filename): + self.logger.debug(f"Deleting file {enabled_source_filename}.") + os.remove(enabled_source_filename) + self.logger.info(f"Source {name} 
removed, previously enabled.") + disabled_source_filename = sources.get_disabled_source_filename(name) + if os.path.exists(disabled_source_filename): + self.logger.debug(f"Deleting file {disabled_source_filename}.", ) + os.remove(disabled_source_filename) + self.logger.info(f"Source {name} removed, previously disabled.") + + +if __name__ == '__main__': + s = SourcesConfigManager('/etc/dynamite/suricata/') + s.remove_source('et/open') \ No newline at end of file diff --git a/dynamite_nsm/services/suricata/install.py b/dynamite_nsm/services/suricata/install.py index ddd38319..9550a0be 100644 --- a/dynamite_nsm/services/suricata/install.py +++ b/dynamite_nsm/services/suricata/install.py @@ -167,6 +167,8 @@ def setup(self, inspect_interfaces: List[str]): self.create_update_suricata_environment_variables() self.logger.debug(f'Creating directory: {self.configuration_directory}') utilities.makedirs(self.configuration_directory) + self.logger.debug(f'Creating directory: {self.configuration_directory}/data') + utilities.makedirs(f'{self.configuration_directory}/data') self.logger.debug(f'Creating directory: {self.install_directory}') utilities.makedirs(self.install_directory) self.logger.debug(f'Creating directory: {self.log_directory}') @@ -181,6 +183,10 @@ def setup(self, inspect_interfaces: List[str]): f'{const.DEFAULT_CONFIGS}/suricata/suricata.yaml', self.configuration_directory ) + self.copy_file_or_directory_to_destination( + f'{const.DEFAULT_CONFIGS}/suricata/update.yaml', + self.configuration_directory + ) suricata_config = config.ConfigManager(self.configuration_directory, stdout=self.stdout, verbose=self.verbose) suricata_config.default_log_directory = self.log_directory 
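Review bot: The `if __name__ == '__main__':` block at the end of the file runs `SourcesConfigManager('/etc/dynamite/suricata/').remove_source('et/open')`, so executing the module directly deletes the enabled default source; this reads as leftover debugging and should be dropped rather than shipped. In `_enable_index_source` the `if 'checksum' in source: ... else: checksum = source.get("checksum", True)` pair collapses to the single line `checksum = source.get("checksum", True)`. In `add_source`, the custom-URL path passes `checksum=None` to `sources.SourceConfiguration`; if the library treats a falsy value as "do not verify the ruleset checksum" (not visible here), rules fetched from a user-supplied URL would be installed without an integrity check, so that choice is worth confirming and stating in the docstring. Note also that `__init__` assigns `config.DEFAULT_DATA_DIRECTORY`, `config.DEFAULT_UPDATE_YAML_PATH` and `config.DEFAULT_SURICATA_YAML_PATH` on the imported `suricata.update.config` module, which is process-global state shared by every instance and by any other code using that package in the same process.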
@@ -212,6 +218,8 @@ def setup(self, inspect_interfaces: List[str]): utilities.set_ownership_of_file(self.install_directory, user='dynamite', group='dynamite') utilities.set_ownership_of_file(self.log_directory, user='dynamite', group='dynamite') utilities.set_permissions_of_file(f'{self.configuration_directory}/suricata.yaml', 660) + utilities.set_permissions_of_file(f'{self.configuration_directory}/update.yaml', 660) + utilities.set_permissions_of_file(f'{self.configuration_directory}/data', 770) post_install_bootstrap_updater(self.install_directory, stdout=self.stdout, verbose=self.verbose) self.logger.info('Setting up Suricata capture rules for dynamite user.') diff --git a/dynamite_nsm/services/suricata/rules/__init__.py b/dynamite_nsm/services/suricata/rules/__init__.py new file mode 100644 index 00000000..fd40910d --- /dev/null +++ b/dynamite_nsm/services/suricata/rules/__init__.py @@ -0,0 +1,4 @@ + + + + diff --git a/dynamite_nsm/services/suricata/rules/objects.py b/dynamite_nsm/services/suricata/rules/objects.py new file mode 100644 index 00000000..f063e963 --- /dev/null +++ b/dynamite_nsm/services/suricata/rules/objects.py 
@@ -0,0 +1,584 @@ +from __future__ import annotations + +import os.path +import re +from random import randint +from typing import Dict, List, Optional, Tuple, Union + +import sqlalchemy.exc +from sqlalchemy import create_engine +from sqlalchemy.ext.declarative import declarative_base +from sqlalchemy import Column, Boolean, Integer, String +from sqlalchemy.orm import scoped_session, sessionmaker + +from dynamite_nsm import utilities +from dynamite_nsm.services.suricata.rules import validators +from dynamite_nsm.services.base.config import GenericConfigManager + +env = utilities.get_environment_file_dict() + +SURICATA_CONFIGURATION = env.get('SURICATA_CONFIG') +Model = declarative_base(name='Model') + + +class MissingSid(Exception): + def __init__(self): + msg = f"This rule is missing an 'sid'." + super(MissingSid, self).__init__(msg) + + +class InvalidRule(Exception): + def __init__(self, sid, msg): + msg = f"SID: {sid} is invalid: {msg}." + super(InvalidRule, self).__init__(msg) + + +class MissingRule(Exception): + def __init__(self, sid): + msg = f"Rule with SID: {sid} does not exist." 
+ super(MissingRule, self).__init__(msg) + + +def parse_suricata_rule_options_blob(opts: str) -> List[Union[Tuple, str]]: + """Parses the options section of Suricata Rules + Args: + opts: A valid set of ";" separated options + + Returns: + A List of options + """ + options = [] + + # split by ; excluding those found inside quotations + tokenized_opts = re.split(r";(?![(\"]*[\")])", opts) + for opt in tokenized_opts: + opt = opt.strip() + if not opt: + continue + tokenized_opt = opt.split(':') + if opt.startswith('pcre:'): + k = tokenized_opt[0] + v = opt[5:] + options.append((k, v)) + elif len(tokenized_opt) == 2: + k, v = tokenized_opt + v = v.replace(';', '') + options.append((k, v)) + elif len(tokenized_opt) == 1: + options.append(tokenized_opt[0].replace(';', '')) + else: + k = tokenized_opt[0] + v = ':'.join(tokenized_opt[1:]) + options.append((k, v)) + return options + + +def serialize_suricata_rule(rule: str) -> Rule: + """Convert a plaintext Suricata rule into a Rule object + Args: + rule: A plaintext Suricata rule + + Returns: + A Suricata Rule object + + """ + enabled = True + if rule.startswith('#'): + enabled = False + rule = rule[1:].strip() + o_paren_index = rule.index('(') + 1 + c_paren_index = max([i for i, c in enumerate(rule) if c == ')']) + action_header = re.sub(r'\s+', ' ', rule[0: o_paren_index - 1]).strip() + rule_options = rule[o_paren_index:c_paren_index] + action = action_header.split(' ')[0].strip() + header = action_header.replace(action, '').strip() + header_proto = header.split(' ')[0].strip() + header_source = header.split(' ')[1].strip() + header_source_port = header.split(' ')[2].strip() + header_direction = header.split(' ')[3].strip() + header_destination = header.split(' ')[4].strip() + header_destination_port = header.split(' ')[5].strip() + options = parse_suricata_rule_options_blob(rule_options) + return Rule(enabled, action, header_proto, header_source, header_source_port, header_direction, header_destination, + 
header_destination_port, options) + + +class Rule: + + def __init__(self, enabled: bool, action: str, proto: str, source: str, source_port: str, direction: str, + destination: str, destination_port: str, options: List): + extracted_options = self.extract_options(options) + self.sid = extracted_options.get('sid') + self.class_type = extracted_options.get('class_type') + self.enabled = enabled + self.action = action + self.proto = proto + self.source = source + self.source_port = source_port + self.direction = direction + self.destination = destination + self.destination_port = destination_port + self.options = options + + def __str__(self): + enabled = '#' if not self.enabled else '' + return f'{enabled}{self.action} {self.proto} {self.source} {self.source_port} {self.direction} ' \ + f'{self.destination} {self.destination_port} ({self.options_blob()})' + + @classmethod + def create_from_ruleset_entry(cls, ruleset: Ruleset) -> Rule: + """Create an instance of this class using `models.Ruleset` entry + Args: + ruleset: A `models.Ruleset` instance + + Returns: + An instance of this class + """ + return Rule(enabled=ruleset.enabled, + action=ruleset.action, + proto=ruleset.proto, + source=ruleset.source, + source_port=ruleset.source_port, + direction=ruleset.direction, + destination=ruleset.destination, + destination_port=ruleset.destination_port, + options=parse_suricata_rule_options_blob(ruleset.options_blob) + ) + + @staticmethod + def generate_sid(): + return randint(10 ** 5, 10 ** 6) + + @staticmethod + def extract_options(options: List) -> Dict: + """Parse out the required sid and classtype fields from given options + Returns: + The SID of the rule. 
+ """ + key_val_opts = dict([opt for opt in options if isinstance(opt, tuple)]) + sid = key_val_opts.get('sid') + if not sid: + sid = Rule.generate_sid() + class_type = key_val_opts.get('classtype') + if not class_type: + class_type = 'unknown' + return dict(sid=sid, class_type=class_type) + + def compare(self, rule: Rule): + if self.action != rule.action: + return False + elif self.source != rule.source: + return False + elif self.source_port != rule.source_port: + return False + elif self.direction != rule.direction: + return False + elif self.destination != rule.destination: + return False + elif self.destination_port != rule.destination_port: + return False + elif self.options != rule.options: + return False + return True + + def header(self) -> str: + """Retrieve the rule header + Returns: + The rule header (E.G tcp 192.168.0.5 any -> 192.168.0.13 3389) + """ + return f'{self.action} {self.proto} {self.source} {self.source_port} {self.direction} {self.destination_port}' + + def options_blob(self) -> str: + """Retrieve the rule options as a string + Returns: + A String representation of the rule options + """ + options = [] + found_sid = False + found_class_type = False + for opt in self.options: + if isinstance(opt, tuple): + k, v = opt + # PCRE options have lots of string literals that often need to be escaped + if k.lower() == 'pcre': + # repr function attempts to escape single quote characters which is not what we want as all pcre + # options are encapsulated in double quotes. 
+ v = v.replace("'", "singlequotechar") + v = repr(v)[1:-1] + v = v.replace('singlequotechar', "'") + # replace double backslashes with single backslashes + v = v.replace('\\\\', '\\') + elif k.lower() == 'sid': + v = self.sid + found_sid = True + elif k.lower() == 'classtype': + v = self.class_type + found_class_type = True + options.append(f'{k}:{v}') + elif isinstance(opt, str): + options.append(opt) + if not found_class_type: + options.append(f'classtype:{self.class_type}') + if not found_sid: + options.append(f'sid:{self.sid}') + return '; '.join(options) + ';' + + def validate(self) -> Dict: + """Determine if the rule is valid, and return metadata associated with it + Returns: + A dictionary containing the sid, options count, and rule character count + """ + if not validators.validate_suricata_address_group_values(self.source): + raise InvalidRule(sid=self.sid, msg=f'source is invalid: {self.source}') + elif not validators.validate_suricata_port_group_values(self.source_port): + raise InvalidRule(sid=self.sid, msg=f'source_port is invalid: {self.source_port}') + elif not validators.validate_suricata_address_group_values(self.destination): + raise InvalidRule(sid=self.sid, msg=f'destination is invalid: {self.destination}') + if not validators.validate_suricata_port_group_values(self.destination_port): + raise InvalidRule(sid=self.sid, msg=f'destination_port is invalid: {self.destination_port}') + return { + 'enabled': self.enabled, + 'sid': self.sid, + 'class_type': self.class_type, + 'options': len(self.options), + 'characters': len(self.__str__()) + } + + +class Ruleset(Model): + __tablename__ = 'ruleset' + id = Column('id', Integer, primary_key=True, autoincrement=True, nullable=False) + sid = Column('sid', Integer, unique=True, index=True) + class_type = Column('class_type', String(254), index=True) + lineno = Column('lineno', Integer, index=True) + lineos = Column('lineos', Integer, index=True) + enabled = Column('enabled', Boolean) + action = 
Column('action', String(12)) + proto = Column('proto', String(12)) + source = Column('source', String(2048)) + source_port = Column('source_port', String(2048)) + direction = Column('direction', String(2)) + destination = Column('destination', String(2048)) + destination_port = Column('destination_port', String(2048)) + options_blob = Column('options', String(4096)) + + def __init__(self, sid: int, class_type: str, lineno: int, lineos: int, enabled: bool, action: str, proto: str, + source: str, source_port: str, direction: str, destination: str, destination_port: str, + options_blob: str): + self.sid = sid + self.class_type = class_type + self.lineno = lineno + self.lineos = lineos + self.enabled = enabled + self.action = action + self.proto = proto + self.source = source + self.source_port = source_port + self.direction = direction + self.destination = destination + self.destination_port = destination_port + self.options_blob = options_blob + + @classmethod + def create_from_rule(cls, rule: Rule, sid: Optional[int] = None, lineno: Optional[int] = -1, + lineos: Optional[int] = -1) -> Ruleset: + if sid: + rule.sid = sid + + return cls( + sid=rule.sid, + class_type=rule.class_type, + enabled=rule.enabled, + action=rule.action, + proto=rule.proto, + source=rule.source, + source_port=rule.source_port, + direction=rule.direction, + destination=rule.destination, + destination_port=rule.destination_port, + options_blob=rule.options_blob(), + lineno=lineno, + lineos=lineos, + ) + + +class RuleFile(GenericConfigManager): + + def __init__(self, rule_file_path: str): + self._idx = 1 + super().__init__({}, 'suricata.rules.manager') + first_init = False + db_path = f"{SURICATA_CONFIGURATION}/{os.path.basename(rule_file_path).replace('.rules', '.db')}" + if not os.path.exists(db_path): + first_init = True + self.cache_path = db_path + self.engine = create_engine(f'sqlite:///{self.cache_path}') + self.db_session = scoped_session(sessionmaker(autocommit=False, autoflush=False, 
bind=self.engine)) + self.rule_file_path = rule_file_path + self.suricata_configuration_root = env['SURICATA_CONFIG'] + if first_init: + self.logger.info('First init detected, building cache.') + self.build_cache() + + def __iter__(self): + return self + + def __next__(self): + _raw = self.db_session.query(Ruleset).get(self._idx) + self._idx += 1 + if not _raw: + raise StopIteration() + return Rule.create_from_ruleset_entry(_raw) + + def init_cache(self): + utilities.safely_remove_file(self.cache_path) + Model.metadata.create_all(bind=self.engine) + + def build_cache(self): + self.init_cache() + with open(self.rule_file_path, 'r') as rule_file_in: + lineno = 1 + while True: + line = rule_file_in.readline() + if line == '': + break + rule = serialize_suricata_rule(line) + if not validators.validate_suricata_address_group_values(rule.source): + self.logger.warning(f'{rule.sid} source ({rule.source}) is not valid.') + elif not validators.validate_suricata_port_group_values(rule.source_port): + self.logger.warning(f'{rule.sid} source_port ({rule.source_port}) is not valid.') + elif not validators.validate_suricata_address_group_values(rule.destination): + self.logger.warning(f'{rule.sid} destination ({rule.destination}) is not valid.') + elif not validators.validate_suricata_port_group_values(rule.destination_port): + self.logger.warning(f'{rule.sid} destination_port ({rule.destination_port}) is not valid.') + + rs = Ruleset( + sid=rule.sid, + class_type=rule.class_type, + lineno=lineno + 1, + lineos=rule_file_in.tell(), + enabled=rule.enabled, + action=rule.action, + proto=rule.proto, + source=rule.source, + source_port=rule.source_port, + direction=rule.direction, + destination=rule.destination, + destination_port=rule.destination_port, + options_blob=rule.options_blob() + ) + self.db_session.add(rs) + lineno += 1 + self.db_session.commit() + + def get_rule(self, sid: int) -> Optional[Rule]: + """Given the sid for a cached rule, returns the corresponding `Rule` 
instance + Args: + sid: The sid of the rule to fetch + + Returns: + A `Rule` instance + """ + self.logger.debug(f'Fetching rule {sid}.') + rule_record = self.db_session.query(Ruleset).filter_by(sid=sid).one() + if rule_record: + return Rule( + enabled=rule_record.enabled, + action=rule_record.action, + proto=rule_record.proto, + source=rule_record.source, + source_port=rule_record.source_port, + direction=rule_record.direction, + destination=rule_record.destination, + destination_port=rule_record.destination_port, + options=parse_suricata_rule_options_blob(rule_record.options_blob) + ) + raise MissingRule(sid) + + def add_rule(self, new_rule: Rule) -> None: + """Add a new custom rule + Args: + new_rule: A `Rule` instance + Returns: + None + """ + new_rule.validate() + self.logger.debug(f'Adding rule {new_rule.sid} -> {new_rule}') + with open(f'{self.suricata_configuration_root}/.deltas', 'a') as deltas_f_out: + deltas_f_out.write( + f'{new_rule.sid},add,{new_rule}\n' + ) + + def delete_rule(self, sid: int) -> None: + """Remove a custom rule if it was previously added via the `add_rule` method. 
+ Args: + sid: The sid of the rule to delete + Returns: + None + """ + new_content = '' + with open(f'{self.suricata_configuration_root}/.deltas', 'r') as deltas_f_in: + for line in deltas_f_in.readlines(): + line_tokens = line.split(',') + parsed_sid = line_tokens[0] + if parsed_sid.strip() == str(sid): + new_content += f'{sid},delete\n' + else: + new_content += f'{line.strip()}\n' + + with open(f'{self.suricata_configuration_root}/.deltas', 'w') as deltas_f_out: + deltas_f_out.write(new_content) + + def disable_rule(self, sid: int) -> None: + """Disable a rule + Args: + sid: The sid of the rule to enable + Returns: + None + """ + self.get_rule(sid) + with open(f'{self.suricata_configuration_root}/.deltas', 'a') as deltas_f_out: + deltas_f_out.write( + f'{sid},disable\n' + ) + + def enable_rule(self, sid: int) -> None: + """Enable a rule + Args: + sid: The sid of the rule to enable + Returns: + None + """ + self.get_rule(sid) + with open(f'{self.suricata_configuration_root}/.deltas', 'a') as deltas_f_out: + deltas_f_out.write( + f'{sid},enable\n' + ) + + def edit_rule(self, sid: int, new_rule: Rule) -> None: + """Replace an existing rule with a new one + Args: + sid: The sid of the rule to delete + new_rule: A `Rule` instance + Returns: + None + """ + new_rule.sid = sid + self.get_rule(sid) + new_rule.validate() + self.logger.debug(f'Editing rule {new_rule.sid} -> {new_rule}') + with open(f'{self.suricata_configuration_root}/.deltas', 'a') as deltas_f_out: + deltas_f_out.write( + f'{new_rule.sid},edit,{new_rule}\n' + ) + + def merge(self): + """Perform operations found in the .deltas file against the cache: + - Add custom rules + - Remove custom rules + - Edit any rule + - Enable any rule + - Disable any rule + The `commit` method must be called to apply the changes to the suricata.rules file. 
+ """ + change_set_map = {} + with open(f'{self.suricata_configuration_root}/.deltas', 'r') as deltas_f_in: + # Loop through the .deltas file and parse out the sid, action, and data + # Create a change_set_map that maps a rule sid to the actions to perform on that rule + # {sid: [(action, data), ...]} + for line in deltas_f_in.readlines(): + tokenized_line = line.split(',') + sid = tokenized_line[0] + action = tokenized_line[1] + data = ','.join(tokenized_line[2:]).strip() + if not change_set_map.get(sid): + change_set_map[sid] = [(action, data)] + else: + change_set_map[sid].append((action, data)) + + # Loop through change_set_map, each iteration will inspect a rule mapped to one or more changes. + # Changes are applied to the database in order. + for sid, changes in change_set_map.items(): + # Loop through all the changes that are applied to a particular rule + for change in changes: + action, data = change + action, data = action.strip(), data.strip() + + # Add the rule to our ruleset database cache. + if action == 'add': + self.logger.info(f'Adding {sid} -> {data} to cache.') + rule = serialize_suricata_rule(data) + rs = Ruleset.create_from_rule(rule, sid=int(sid)) + self.db_session.add(rs) + try: + self.db_session.commit() + except sqlalchemy.exc.IntegrityError as e: + if 'UNIQUE constraint failed' in str(e): + self.db_session.rollback() + self.logger.info(f'{sid} already exists in the cache, skipping add.') + + # Remove the rule from our ruleset database cache. 
+ elif action == 'delete': + self.logger.info(f'Deleting {sid} from cache.') + ruleset = self.db_session.query(Ruleset).get(sid) + if ruleset: + self.db_session.delete(ruleset) + self.db_session.commit() + else: + self.logger.info(f'{sid} does not exists in the cache, skipping delete.') + elif action == 'disable': + self.logger.info(f'Disabling {sid} in cache.') + ruleset = self.db_session.query(Ruleset).get(sid) + if ruleset: + ruleset.enabled = False + self.db_session.commit() + else: + self.logger.info(f'{sid} does not exists in the cache, skipping disable.') + elif action == 'enable': + self.logger.info(f'Enabling {sid} in cache.') + ruleset = self.db_session.query(Ruleset).get(sid) + if ruleset: + ruleset.enabled = True + self.db_session.commit() + else: + self.logger.info(f'{sid} does not exists in the cache, skipping enable.') + elif action == 'edit': + self.logger.info(f'Editing {sid} in cache.') + rule = serialize_suricata_rule(data) + ruleset = self.db_session.query(Ruleset).get(sid) + if rule.action != ruleset.action: + self.logger.debug(f'Updating action {ruleset.action} -> {rule.action}') + ruleset.action = rule.action + if rule.enabled != ruleset.enabled: + self.logger.debug(f'Updating enabled {ruleset.enabled} -> {rule.enabled}') + ruleset.enabled = rule.enabled + if rule.source != ruleset.source: + self.logger.debug(f'Updating source {ruleset.source} -> {rule.source}') + ruleset.source = rule.source + if rule.source_port != ruleset.source_port: + self.logger.debug(f'Updating source_port {ruleset.source_port} -> {rule.source_port}') + ruleset.source_port = rule.source_port + if rule.direction != ruleset.direction: + self.logger.debug(f'Updating direction {ruleset.direction} -> {rule.direction}') + ruleset.direction = rule.direction + if rule.destination != ruleset.destination: + self.logger.debug(f'Updating destination {ruleset.destination} -> {rule.destination}') + ruleset.destination = rule.destination + if rule.destination_port != 
ruleset.destination_port: + self.logger.debug(f'Updating destination_port {ruleset.destination_port} -> ' + f'{rule.destination_port}') + ruleset.destination_port = rule.destination_port + if rule.options_blob() != ruleset.options_blob: + self.logger.debug(f'Updating destination_port {ruleset.options_blob} -> {rule.options_blob()}') + ruleset.options_blob = rule.options_blob() + + def commit(self, out_file_path: Optional[str] = None, backup_directory: Optional[str] = None) -> None: + """Dump the database to a suricata.rules file""" + if not out_file_path: + out_file_path = self.rule_file_path + row_count = self.db_session.query(Ruleset.sid).count() + self.logger.info(f'Dumping {row_count} rules to {out_file_path}.') + with open(out_file_path, 'w') as rule_file_out: + for row in self.db_session.query(Ruleset).order_by(Ruleset.lineno): + rule = Rule.create_from_ruleset_entry(row) + rule_file_out.write(str(rule) + '\n') \ No newline at end of file diff --git a/dynamite_nsm/services/suricata/rules/tests/__init__.py b/dynamite_nsm/services/suricata/rules/tests/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/dynamite_nsm/services/suricata/rules/tests/rule_cache_tests.py b/dynamite_nsm/services/suricata/rules/tests/rule_cache_tests.py new file mode 100644 index 00000000..893cad9f --- /dev/null +++ b/dynamite_nsm/services/suricata/rules/tests/rule_cache_tests.py 
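Review bot: In `RuleFile.merge`, the `delete`, `disable`, `enable` and `edit` branches look the row up with `self.db_session.query(Ruleset).get(sid)`, but `Query.get` is a primary-key lookup and the `Ruleset` primary key is the autoincrement `id` column, not `sid`; the `.deltas` file carries sids, so these operations act on whichever row happens to have that `id`, or on none (and `edit` then dereferences `None`). `get_rule` has the mirror problem: `filter_by(sid=sid).one()` raises `NoResultFound` for an unknown sid, so the `raise MissingRule(sid)` line is unreachable and `enable_rule`/`disable_rule`/`edit_rule` never observe `MissingRule`. A small sid-keyed helper using `one_or_none()` (below) fixes both sites; separately, the `edit` branch never calls `self.db_session.commit()`, and `Rule.header()` omits `{self.destination}` between the direction and the destination port. The `IntegrityError` handler in the `add` branch only rolls back for the UNIQUE case and otherwise swallows the error without a rollback, leaving the session failed for the next commit.
```python
    def _get_ruleset_by_sid(self, sid: int) -> Optional[Ruleset]:
        """Return the cached row whose sid column matches, or None (the primary key is id, not sid)."""
        return self.db_session.query(Ruleset).filter_by(sid=int(sid)).one_or_none()

    def get_rule(self, sid: int) -> Optional[Rule]:
        # … unchanged: docstring and debug log …
        rule_record = self._get_ruleset_by_sid(sid)
        if rule_record is None:
            raise MissingRule(sid)
        # … unchanged: Rule(...) construction from rule_record …

    # in merge(), each of the delete/disable/enable/edit branches:
    ruleset = self._get_ruleset_by_sid(sid)
```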
@@ -0,0 +1,65 @@ +import os +import unittest +from dynamite_nsm.services.suricata.rules import objects +from dynamite_nsm.utilities import get_environment_file_dict, safely_remove_file + + +class TestSuricataRuleCache(unittest.TestCase): + """ + Test the logic that handles Suricata rule caching + """ + env_file = get_environment_file_dict() + test_rules_directory = '/tmp/' + + suricata_config = env_file.get('SURICATA_CONFIG') + suricata_rules = objects.RuleFile(f'{suricata_config}/data/rules/suricata.rules') + delta_file = f'{suricata_config}/.deltas' + + def test_caches_are_equivalent(self): + # Serialize the suricata.rules file located at /etc/dynamite/suricata/data/rules/suricata.rules + # into a temporary sqlite3 cache; then dump the cache into a new file at /tmp/suricata-test.rules + # and compare them against one another + + self.suricata_rules.commit(f'{self.test_rules_directory}/suricata-test.rules') + temp_rule_file = objects.RuleFile(f'{self.test_rules_directory}/suricata-test.rules') + equivalent = True + for rule in self.suricata_rules: + new_rule = temp_rule_file.get_rule(rule.sid) + if not rule.compare(new_rule): + equivalent = False + break + assert (equivalent is True) + + def test_add_rule(self): + temp_rules_path = f'{self.test_rules_directory}/suricata-test.rules' + os.rename(self.delta_file, f'{self.delta_file}.original') + self.suricata_rules.commit(temp_rules_path) + temp_rule_file = objects.RuleFile(temp_rules_path) + temp_rule_file.build_cache() + temp_rule_file.add_rule( + objects.Rule( + enabled=True, + action='alert', + proto='tcp', + source='192.168.0.5/24', + direction='->', + destination='$EXTERNAL_NET', + source_port='any', + destination_port='[53,5353]', + options=[('sid', 333333333)] + ) + ) + temp_rule_file.merge() + temp_rule_file.commit() + os.rename(f'{self.delta_file}.original', self.delta_file) + with open(temp_rules_path) as new_rules_in: + new_rule_sid = objects.serialize_suricata_rule(new_rules_in.readline()).sid + 
safely_remove_file(f'{self.test_rules_directory}/suricata-test.rules') + assert (str(new_rule_sid) == str(333333333)) + + @classmethod + def tearDownClass(cls) -> None: + if os.path.exists(f'{cls.delta_file}.original'): + os.rename(f'{cls.delta_file}.original', cls.delta_file) + if os.path.exists(f'{cls.suricata_config}/suricata-test.db'): + safely_remove_file(f'{cls.suricata_config}/suricata-test.db') diff --git a/dynamite_nsm/services/suricata/rules/validators.py b/dynamite_nsm/services/suricata/rules/validators.py new file mode 100644 index 00000000..a5a8909e --- /dev/null +++ b/dynamite_nsm/services/suricata/rules/validators.py 
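Review bot: `suricata_rules = objects.RuleFile(f'{suricata_config}/data/rules/suricata.rules')` sits in the class body, so it executes at import time against the live `SURICATA_CONFIG` installation (and triggers `build_cache` on a host with no cache yet), turning a missing environment into a collection error rather than a failed or skipped test; building it in `setUpClass`, guarded by `@unittest.skipUnless(suricata_config, 'SURICATA_CONFIG not set')`, keeps that inside the test lifecycle. `test_add_rule` also writes to the fixed path `/tmp/suricata-test.rules` in a typically shared, world-writable directory; a `tempfile.mkdtemp()` directory created in `setUpClass` avoids collisions between runs and any pre-existing file or symlink at that name. If `test_add_rule` fails between its two `os.rename` calls, the `.deltas` file stays renamed until `tearDownClass`, so a `try/finally` around that stretch would restore it per test.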
@@ -0,0 +1,197 @@ +import re + + +ipv4_address_pattern = re.compile('^(?:(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}(?:[0-9]|[1-9][0-9]|1' + '[0-9]{2}|2[0-4][0-9]|25[0-5])$') +ipv4_cidr_pattern = re.compile(f'^{ipv4_address_pattern.pattern[1:-1]}/((?:[0-9])|(?:[1-2][0-9])|(?:3[0-2]))$') + +ipv6_address_pattern = re.compile('^(?:(?:[0-9A-Fa-f]{1,4}:){6}(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}|(?:(?:[0-9]' + '|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}(?:[0-9]|[1-9][0-9]|1[0-9]' + '{2}|2[0-4][0-9]|25[0-5]))|::(?:[0-9A-Fa-f]{1,4}:){5}(?:[0-9A-Fa-f]{1,4}:' + '[0-9A-Fa-f]{1,4}|(?:(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.)' + '{3}(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))|(?:[0-9A-Fa-f]{1,4})?::' + '(?:[0-9A-Fa-f]{1,4}:){4}(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}|(?:(?:[0-9]|[1-9][0-9]' + '|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25' + '[0-5]))|(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4})?::(?:[0-9A-Fa-f]{1,4}:){3}(?:' + '[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}|(?:(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]' + '|25[0-5])\\.){3}(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))|(?:(?:' + '[0-9A-Fa-f]{1,4}:){,2}[0-9A-Fa-f]{1,4})?::(?:[0-9A-Fa-f]{1,4}:){2}(?:[0-9A-Fa-f]' + '{1,4}:[0-9A-Fa-f]{1,4}|(?:(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.)' + '{3}(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))|(?:(?:[0-9A-Fa-f]{1,4}:)' + '{,3}[0-9A-Fa-f]{1,4})?::[0-9A-Fa-f]{1,4}:(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}|' + '(?:(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}(?:[0-9]|[1-9][0-9]|' + '1[0-9]{2}|2[0-4][0-9]|25[0-5]))|(?:(?:[0-9A-Fa-f]{1,4}:){,4}[0-9A-Fa-f]{1,4})?::' + '(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}|(?:(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]' + '|25[0-5])\\.){3}(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))|(?:(?:' + '[0-9A-Fa-f]{1,4}:){,5}[0-9A-Fa-f]{1,4})?::[0-9A-Fa-f]{1,4}|(?:(?:[0-9A-Fa-f]{1,4}:)' + '{,6}[0-9A-Fa-f]{1,4})?::)$') + +ipv6_cidr_pattern = re.compile( + 
f'^{ipv6_address_pattern.pattern[1:-1]}/((?:[0-9])|(?:[1-9][0-9])|(?:10[0-9])|(?:11[0-9])|(?:12[0-8]))$') + + +def validate_suricata_address_group_values(s): + """Determine if a string is a valid Suricata address group + Must be like the following: + ! 1.1.1.1 (Every IP address but 1.1.1.1) + ![1.1.1.1, 1.1.1.2] (Every IP address but 1.1.1.1 and 1.1.1.2) + $HOME_NET (Your setting of HOME_NET in yaml) + [$EXTERNAL_NET, !$HOME_NET] (EXTERNAL_NET and not HOME_NET) + [10.0.0.0/24, !10.0.0.5] (10.0.0.0/24 except for 10.0.0.5) + Args: + s: Test String + Returns: + True if meets the suricata_address_group_value conditions + """ + + def validate_token(token): + if str(token).startswith('!'): + token = token[1:] + + def token_is_cidr(tok): + if '/' in tok: + # Not a valid IP/CIDR pair + try: + ip, prefix = tok.split('/') + except ValueError: + return False + # Check for invalid prefix + try: + if int(prefix) < 0 or int(prefix) > 128: + return False + except ValueError: + return False + else: + return False + return True + + def token_is_ip(tok): + return bool(ipv4_address_pattern.findall(tok) or ipv6_address_pattern.findall(tok)) + + def token_is_list(tok): + tok = str(tok) + if '[' in tok and ']' in tok: + # Negation is valid against sets as well (E.G ![ $HOME_NET, 192.168.0.0/24]) + if tok.startswith('!'): + tok = tok[1:] + return validate_suricata_address_group_values(tok) + return False + + return token_is_cidr(token) or token_is_ip(token) or token_is_list(token) + + s = str(s).replace(' ', '') + valid_group_value_vars = ['$HOME_NET', '$EXTERNAL_NET', '$HTTP_SERVERS', '$SQL_SERVERS', + '$DNS_SERVERS', '$TELNET_SERVERS', '$AIM_SERVERS', '$DC_SERVERS', + '$SMTP_SERVERS', '$MODBUS_SERVER', '$MODBUS_CLIENT', '$ENIP_CLIENT', '$ENIP_SERVER'] + valid_neg_group_value_vars = ['!' 
+ g for g in valid_group_value_vars] + + valid_var_subs = valid_group_value_vars + valid_neg_group_value_vars + + # List Formatting + if '[' in s and ']' in s: + + # Negation is valid against sets as well (E.G ![ $HOME_NET, 192.168.0.0/24]) + if s.startswith('!'): + s = s.replace(' ', '')[1:] + + # split on comma, but exclude values in square brackets + tokenized_list = re.split(r",(?![^(\[]*[\])])", s[1:-1]) + for t in tokenized_list: + # Check if token in string is valid variable substitution, IP, or CIDR + if t not in valid_var_subs and not validate_token(t): + return False + # Check if 'any' is in the list (you can't combine any with other values) + elif 'any' == t: + return False + return True + # String formatting + else: + if 'any' == s: + return True + # Check if string is valid variable substitution, IP, or CIDR + return validate_token(s) or s in valid_var_subs + + +def validate_suricata_port_group_values(s): + """Determine if a string is a valid Suricata address group + Must be like the following: + [80, 81, 82] (port 80, 81 and 82) + [80: 82] (Range from 80 till 82) + [1024: ] (From 1024 till the highest port-number) + !80 (Every port but 80) + [80:100,!99] (Range from 80 till 100 but 99 excluded) + [1:80,![2,4]] + + Args: + s: Test String + Returns: + True if meets the suricata_address_group_value conditions + """ + + def validate_token(token): + + if str(token).startswith('!'): + token = token[1:] + + def token_is_port(tok): + tok = str(tok) + try: + int(tok) + if int(tok) < 0 or int(tok) > 65535: + return False + except ValueError: + return False + return '.' 
not in str(tok) + + def token_is_range(tok): + tok = str(tok) + if ':' in str(tok): + port_range = tok.split(':') + port_range = [p for p in port_range if p.strip()] + if len(port_range) == 1: + tok = port_range[0] + return token_is_port(tok) + elif len(port_range) == 2: + r1, r2 = port_range + return token_is_port(r1) and token_is_port(r2) and int(r1) < int(r2) + + else: + return False + + def token_is_list(tok): + tok = str(tok) + if '[' in tok and ']' in tok: + + # Negation is valid against sets as well (E.G ![ $HOME_NET, 192.168.0.0/24]) + if tok.startswith('!'): + tok = tok[1:] + return validate_suricata_port_group_values(tok) + return False + + return token_is_range(token) or token_is_port(token) or token_is_list(token) + + s = str(s).replace(' ', '') + valid_group_value_vars = ['$HTTP_PORTS', '$SHELLCODE_PORTS', '$ORACLE_PORTS', '$SSH_PORTS', + '$DNP3_PORTS', '$MODBUS_PORTS', '$FILE_DATA_PORTS', '$FTP_PORTS'] + + valid_neg_group_value_vars = ['!' + g for g in valid_group_value_vars] + + valid_var_subs = valid_group_value_vars + valid_neg_group_value_vars + # List Formatting + if '[' in s and ']' in s: + # Negation is valid against sets as well (E.G ![ $HOME_NET, 192.168.0.0/24]) + if s.startswith('!'): + s = s[1:] + # split on comma, but exclude values in square brackets + tokenized_list = re.split(r",(?![^(\[]*[\])])", s[1:-1]) + for t in tokenized_list: + if t not in valid_var_subs and not validate_token(t): + return False + # Check if 'any' is in the list (you can't combine any with other values) + elif 'any' == t: + return False + return True + else: + if 'any' == s: + return True + return validate_token(s) or s in valid_var_subs \ No newline at end of file diff --git a/dynamite_nsm/services/suricata/tasks/set_caps.py b/dynamite_nsm/services/suricata/tasks/set_caps.py index b006521a..1e0702c1 100644 --- a/dynamite_nsm/services/suricata/tasks/set_caps.py +++ b/dynamite_nsm/services/suricata/tasks/set_caps.py 
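Review bot: `token_is_cidr` inside `validate_suricata_address_group_values` never checks the address half of the token — it unpacks `ip` and then only range-checks the prefix against 0–128, so `foo/24` and `10.0.0.1/64` are both accepted, while the `ipv4_cidr_pattern` and `ipv6_cidr_pattern` compiled at the top of the file are never used. Its body can become `return bool(ipv4_cidr_pattern.match(tok) or ipv6_cidr_pattern.match(tok))`, which also enforces the per-family prefix limit; `token_is_ip` should likewise prefer `match` over `findall` on these anchored patterns. In both validators the `elif 'any' == t` branch is unreachable, because `'any'` already fails the preceding `not validate_token(t)` test and returns False there. The docstring of `validate_suricata_port_group_values` is copied from the address validator (`Determine if a string is a valid Suricata address group`) and should say `port group`.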
@@ -12,3 +12,7 @@ def __init__(self, suricata_install_directory: str): def invoke(self, shell: Optional[bool] = False, cwd: Optional[str] = os.getcwd()) -> List[Tuple[List, bytes, bytes]]: return super().invoke(shell, cwd)
+
+
+if __name__ == '__main__':
+ SetCapturePermissions('/opt/dynamite/suricata/').invoke()
\ No newline at end of file
diff --git a/dynamite_nsm/services/suricata/tasks/update_rules.py b/dynamite_nsm/services/suricata/tasks/update_rules.py
new file mode 100644
index 00000000..a5cd9910
--- /dev/null
+++ b/dynamite_nsm/services/suricata/tasks/update_rules.py
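Review bot: The new `__main__` block hard-codes `/opt/dynamite/suricata/`, whereas `update_rules.py` in the same commit derives the install directory from the environment file (`SURICATA_HOME` via `utilities.get_environment_file_dict()`); run directly on a relocated install, this entry point would set capabilities on the wrong path. If `utilities` is importable here, `SetCapturePermissions(utilities.get_environment_file_dict()['SURICATA_HOME']).invoke()` keeps the two in step. The `SetCapturePermissions` class body starts outside the hunk.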
@@ -0,0 +1,275 @@ +import io +import os +import re +import shutil +import subprocess +from typing import Optional +from datetime import datetime + +from suricata.update import net +from suricata.update import util +from suricata.update import config +from suricata.update import engine + +from dynamite_nsm import utilities +from dynamite_nsm import exceptions +from dynamite_nsm.services.base import tasks +from dynamite_nsm.services.suricata.rules.objects import RuleFile + + +class DummyArgs: + config = None + offline = False + force = False + quiet = True + url = [] + now = datetime.now() + + +class UpdateRules(tasks.BaseTask): + + def __init__(self, no_merge: Optional[bool] = False, sid_msg_map_file: Optional[str] = None, + sid_msg_map_2_file: Optional[str] = None, threshold_in_file: Optional[str] = None, + threshold_out_file: Optional[str] = None, + yaml_fragment_file: Optional[str] = None, force: Optional[bool] = False, + verbose: Optional[bool] = False, stdout: Optional[bool] = True): + + env = utilities.get_environment_file_dict() + self.configuration_directory = env.get('SURICATA_CONFIG') + self.install_directory = env.get('SURICATA_HOME') + self.no_merge = no_merge + self.threshold_in_file = threshold_in_file + self.threshold_out_file = threshold_out_file + self.sid_msg_map_file = sid_msg_map_file + self.sid_msg_map_2_file = sid_msg_map_2_file + self.force = force + self.yaml_fragment_file = yaml_fragment_file + config.DEFAULT_DATA_DIRECTORY = f'{self.configuration_directory}/data/' + config.DEFAULT_UPDATE_YAML_PATH = f'{self.configuration_directory}/update.yaml' + config.DEFAULT_SURICATA_YAML_PATH = [f'{self.configuration_directory}/suricata.yaml'] + self.config = config + super().__init__('update_suricata_rules', verbose=verbose, stdout=stdout) + + def invoke(self): + from suricata.update import main + from suricata.update.main import FileTracker, ThresholdProcessor + from suricata.update.main import DEFAULT_OUTPUT_RULE_FILENAME + + from 
suricata.update.main import build_rule_map, check_vars, check_output_directory, copytree, \ + copytree_ignore_backup, disable_ja3, ignore_file, load_matchers, load_filters, load_drop_filters, \ + load_sources, load_dist_rules, matchers_mod, manage_classification, notes, rule_mod, resolve_flowbits, \ + test_suricata, write_merged, write_yaml_fragment, write_sid_msg_map, write_to_directory + + main.args = DummyArgs() + config.init(DummyArgs()) + self.logger.info('Beginning Suricata Rule Update') + suricata_path = f'{self.install_directory}/bin/suricata' + suricata_conf_path = f'{self.configuration_directory}/suricata.yaml' + suricata_version = engine.get_version(suricata_path) + net.set_user_agent_suricata_version(suricata_version.full) + file_tracker = FileTracker() + + disable_matchers = [] + enable_matchers = [] + modify_filters = [] + drop_filters = [] + + # Load user provided disable filters. + disable_conf_filename = config.get("disable-conf") + if disable_conf_filename and os.path.exists(disable_conf_filename): + self.logger.info(f"Loading {disable_conf_filename}.") + disable_matchers += load_matchers(disable_conf_filename) + + # Load user provided enable filters. + enable_conf_filename = config.get("enable-conf") + if enable_conf_filename and os.path.exists(enable_conf_filename): + self.logger.info(f"Loading {enable_conf_filename}.") + enable_matchers += load_matchers(enable_conf_filename) + + # Load user provided modify filters. + modify_conf_filename = config.get("modify-conf") + if modify_conf_filename and os.path.exists(modify_conf_filename): + modify_filters += load_filters(modify_conf_filename) + + # Load user provided drop filters. + drop_conf_filename = config.get("drop-conf") + if drop_conf_filename and os.path.exists(drop_conf_filename): + drop_filters += load_drop_filters(drop_conf_filename) + + # Load the Suricata configuration if we can. 
+ suriconf = None + + if suricata_conf_path and \ + os.path.exists(suricata_conf_path) and \ + suricata_path and os.path.exists(suricata_path): + try: + suriconf = engine.Configuration.load( + suricata_conf_path, suricata_path=suricata_path) + except subprocess.CalledProcessError: + return exceptions.CallProcessError(f'Could not invoke {suricata_path}') + # Disable rule that are for app-layers that are not enabled. + if suriconf: + for key in suriconf.keys(): + m = re.match("app-layer\.protocols\.([^\.]+)\.enabled", key) + if m: + proto = m.group(1) + if not suriconf.is_true(key, ["detection-only"]): + disable_matchers.append(matchers_mod.ProtoRuleMatcher(proto)) + elif proto == "smb" and suriconf.build_info: + # Special case for SMB rules. For versions less + # than 5, disable smb rules if Rust is not + # available. + if suriconf.build_info["version"].major < 5: + if not "RUST" in suriconf.build_info["features"]: + disable_matchers.append(matchers_mod.ProtoRuleMatcher(proto)) + # Check that the cache directory exists and is writable. + if not os.path.exists(config.get_cache_dir()): + try: + os.makedirs(config.get_cache_dir(), mode=0o770) + except Exception: + config.set_cache_dir("/var/tmp") + + files = load_sources(suricata_version) + + load_dist_rules(files) + + rules = [] + classification_files = [] + dep_files = {} + for entry in sorted(files, key=lambda e: e.filename): + if "classification.config" in entry.filename: + classification_files.append((entry.filename, entry.content)) + continue + if not entry.filename.endswith(".rules"): + dep_files.update({entry.filename: entry.content}) + continue + if ignore_file(config.get("ignore"), entry.filename): + continue + rules += rule_mod.parse_fileobj(io.BytesIO(entry.content), entry.filename) + + rulemap = build_rule_map(rules) + + # Counts of user enabled and modified rules. + enable_count = 0 + modify_count = 0 + drop_count = 0 + + # List of rules disabled by user. 
Used for counting, and to log + # rules that are re-enabled to meet flowbit requirements. + disabled_rules = [] + for key, rule in rulemap.items(): + + # To avoid duplicate counts when a rule has more than one modification + # to it, we track the actions here then update the counts at the end. + enabled = False + modified = False + dropped = False + + for matcher in disable_matchers: + if rule.enabled and matcher.match(rule): + rule.enabled = False + disabled_rules.append(rule) + + for matcher in enable_matchers: + if not rule.enabled and matcher.match(rule): + rule.enabled = True + enabled = True + + for fltr in drop_filters: + if fltr.match(rule): + rule = fltr.run(rule) + dropped = True + + for fltr in modify_filters: + if fltr.match(rule): + rule = fltr.run(rule) + modified = True + + if enabled: + enable_count += 1 + if modified: + modify_count += 1 + if dropped: + drop_count += 1 + + rulemap[key] = rule + + # Check if we should disable ja3 rules. + try: + disable_ja3(suriconf, rulemap, disabled_rules) + except Exception as err: + self.logger.error("Failed to dynamically disable ja3 rules: %s" % (err)) + + # Check rule vars, disabling rules that use unknown vars. + check_vars(suriconf, rulemap) + + self.logger.info("Disabled %d rules." % (len(disabled_rules))) + self.logger.info("Enabled %d rules." % (enable_count)) + self.logger.info("Modified %d rules." % (modify_count)) + self.logger.info("Dropped %d rules." % (drop_count)) + + # Fixup flowbits. + resolve_flowbits(rulemap, disabled_rules) + + # Check that output directory exists, creating it if needed. + check_output_directory(config.get_output_dir()) + + # Check that output directory is writable. + if not os.access(config.get_output_dir(), os.W_OK): + self.logger.error(f"Output directory is not writable: {config.get_output_dir()}") + raise PermissionError(config.get_output_dir()) + + # Backup the output directory. 
+ self.logger.info("Backing up current rules.") + backup_directory = util.mktempdir() + shutil.copytree(config.get_output_dir(), os.path.join( + backup_directory, "backup"), ignore=copytree_ignore_backup) + + if not self.no_merge: + # The default, write out a merged file. + output_filename = os.path.join( + config.get_output_dir(), DEFAULT_OUTPUT_RULE_FILENAME) + file_tracker.add(output_filename) + write_merged(os.path.join(output_filename), rulemap, dep_files) + else: + for file in files: + file_tracker.add( + os.path.join( + config.get_output_dir(), os.path.basename(file.filename))) + write_to_directory(config.get_output_dir(), files, rulemap, dep_files) + + manage_classification(suriconf, classification_files) + + if self.yaml_fragment_file: + file_tracker.add(self.yaml_fragment_file) + write_yaml_fragment(self.yaml_fragment_file, files) + + if self.sid_msg_map_file: + write_sid_msg_map(self.sid_msg_map_file, rulemap, version=1) + if self.sid_msg_map_2_file: + write_sid_msg_map(self.sid_msg_map_2_file, rulemap, version=2) + + if self.threshold_in_file and self.threshold_out_file: + file_tracker.add(self.threshold_out_file) + threshold_processor = ThresholdProcessor() + threshold_processor.process( + open(self.threshold_in_file), open(self.threshold_out_file, "w"), rulemap) + + if not self.force and not file_tracker.any_modified(): + self.logger.info("No changes detected, exiting.") + notes.dump_notes() + return 0 + self.logger.info('Merging in changes.') + rule_file = RuleFile(f'{self.configuration_directory}/data/rules/suricata.rules') + rule_file.merge() + rule_file.commit() + + if not test_suricata(suricata_path): + self.logger.error("Suricata test failed, aborting.") + self.logger.error("Restoring previous rules.") + copytree( + os.path.join(backup_directory, "backup"), config.get_output_dir()) + + +if __name__ == '__main__': + UpdateRules().invoke() 
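Review bot: In `invoke`, the `except subprocess.CalledProcessError:` handler around `engine.Configuration.load` does `return exceptions.CallProcessError(...)`, handing the exception object back as a return value; the caller in `update.py` ignores the result, so a Suricata binary that cannot be executed is treated as a successful update. It should be `except subprocess.CalledProcessError as err:` followed by `raise exceptions.CallProcessError(f'Could not invoke {suricata_path}') from err`. The `test_suricata` failure path at the end has the same shape — it logs, restores the backup and falls off the end returning None, indistinguishable from success — so it should raise or at least return a non-zero status alongside the `return 0` above it. The threshold branch passes two bare `open(...)` handles to `threshold_processor.process` and never closes them; wrap them in a `with` statement. The cache-directory fallback `except Exception: config.set_cache_dir("/var/tmp")` silently relocates downloaded rule sources to a shared, world-writable directory; log the failure and prefer a private directory such as `tempfile.mkdtemp()` so another local account cannot stage files in the cache.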
diff --git a/dynamite_nsm/services/suricata/update.py b/dynamite_nsm/services/suricata/update.py
index 9c0a17b1..abdb972d 100644
--- a/dynamite_nsm/services/suricata/update.py
+++ b/dynamite_nsm/services/suricata/update.py
@@ -1,5 +1,5 @@
from typing import Optional
-from dynamite_nsm.services.suricata.oinkmaster import update_suricata_rules
+from dynamite_nsm.services.suricata.tasks import update_rules
from dynamite_nsm.services.base.install import BaseInstallManager
@@ -21,4 +21,4 @@ def update(self):
Returns:
None
"""
- update_suricata_rules(stdout=self.stdout, verbose=self.verbose)
+ update_rules.UpdateRules().invoke()
diff --git a/setup.py b/setup.py
index b60df7ef..2f9baae3 100644
--- a/setup.py
+++ b/setup.py
@@ -1,5 +1,20 @@
+import os
+from typing import List
from setuptools import setup, find_packages
+
+def package_files(directory: str) -> List[str]:
+ paths = []
+ for (path, directories, filenames) in os.walk(directory):
+ for filename in filenames:
+ paths.append(os.path.join('..', path, filename))
+ return paths
+
+
+package_data = ['bin/*']
+package_data.extend(package_files('dynamite_nsm/confs'))
+
+
setup(
name='dynamite-nsm',
version='1.1.4',
@@ -15,7 +30,7 @@
'make securing your network environment simple and intuitive.',
include_package_data=True,
package_data={
- 'dynamite_nsm': ['bin/*']
+ 'dynamite_nsm': package_data
},
install_requires=[
'bcrypt==3.2.0',
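Review bot: The replacement call `update_rules.UpdateRules().invoke()` drops the `stdout=self.stdout, verbose=self.verbose` arguments that the removed `update_suricata_rules(...)` call forwarded, even though `UpdateRules.__init__` in this commit accepts both keywords, so the manager's logging settings are silently ignored. Change the line to `update_rules.UpdateRules(verbose=self.verbose, stdout=self.stdout).invoke()`. The enclosing `update` method starts outside the hunk.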
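Review bot: `package_files('dynamite_nsm/confs')` walks a path relative to the current working directory, so when `setup.py` is invoked from anywhere other than the repository root it silently contributes no config files, and the `'..'` prefix then resolves against the wrong base as well. Anchor the walk to the script location — `here = os.path.dirname(os.path.abspath(__file__))`, walk `os.path.join(here, 'dynamite_nsm', 'confs')` and store each entry via `os.path.relpath(..., os.path.join(here, 'dynamite_nsm'))` — so the result is independent of the caller's cwd. The `directories` loop variable is unused and reads better as `_`.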