From 0603e96c0827b2fd7fd2528a9ff838eafa84f588 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Wed, 29 Nov 2023 09:46:11 -0500 Subject: [PATCH] FIX: Update NIDS rule.reference in common.nids pipeline #11846 --- salt/elasticsearch/files/ingest/common.nids | 24 ++++++++++----------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/salt/elasticsearch/files/ingest/common.nids b/salt/elasticsearch/files/ingest/common.nids index 53a3f7b79b..84d170c932 100644 --- a/salt/elasticsearch/files/ingest/common.nids +++ b/salt/elasticsearch/files/ingest/common.nids @@ -1,17 +1,17 @@ { "description" : "common.nids", "processors" : [ - { "convert": { "if": "ctx.rule.uuid != null", "field": "rule.uuid", "type": "integer" } }, - { "set": { "if": "ctx.rule?.uuid < 1000000", "field": "rule.reference", "value": "https://www.snort.org/search?query={{rule.gid}}-{{rule.uuid}}" } }, - { "set": { "if": "ctx.rule?.uuid > 1999999", "field": "rule.reference", "value": "https://doc.emergingthreats.net/{{rule.uuid}}" } }, - { "convert": { "if": "ctx.rule.uuid != null", "field": "rule.uuid", "type": "string" } }, - { "dissect": { "if": "ctx.rule.name != null", "field": "rule.name", "pattern" : "%{rule_type} %{rest_of_rulename} ", "ignore_failure": true } }, - { "set": { "if": "ctx.rule_type == 'GPL'", "field": "rule.ruleset", "value": "Snort GPL" } }, - { "set": { "if": "ctx.rule_type == 'ET'", "field": "rule.ruleset", "value": "Emerging Threats" } }, - { "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } }, - { "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } }, - { "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } }, - { "remove": { "field": ["rule_type", "rest_of_rulename", "host"], "ignore_failure": true } }, - { "pipeline": { "name": "common" } } + { "convert": { "if": "ctx.rule.uuid != null", "field": "rule.uuid", "type": "integer" } }, + { "set": { "if": "ctx.rule?.uuid < 1000000", "field": "rule.reference", "value": "https://www.snort.org/rule_docs/{{rule.gid}}-{{rule.uuid}}" } }, + { "set": { "if": "ctx.rule?.uuid > 1999999", "field": "rule.reference", "value": "https://community.emergingthreats.net" } }, + { "convert": { "if": "ctx.rule.uuid != null", "field": "rule.uuid", "type": "string" } }, + { "dissect": { "if": "ctx.rule.name != null", "field": "rule.name", "pattern" : "%{rule_type} %{rest_of_rulename} ", "ignore_failure": true } }, + { "set": { "if": "ctx.rule_type == 'GPL'", "field": "rule.ruleset", "value": "Snort GPL" } }, + { "set": { "if": "ctx.rule_type == 'ET'", "field": "rule.ruleset", "value": "Emerging Threats" } }, + { "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } }, + { "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } }, + { "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } }, + { "remove": { "field": ["rule_type", "rest_of_rulename", "host"], "ignore_failure": true } }, + { "pipeline": { "name": "common" } } ] }