Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add certificate fingerprints #11896

Merged
merged 2 commits into from
Nov 29, 2023
Merged

Add certificate fingerprints #11896

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7001e90
Client and server fingerprints
weslambert Nov 29, 2023
9d63a47
Certificate hash
weslambert Nov 29, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 34 additions & 20 deletions salt/elasticsearch/files/ingest/zeek.ssl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,26 +1,40 @@
{
"description" : "zeek.ssl",
"processors" : [
{ "set": { "field": "event.dataset", "value": "ssl" } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version", "target_field": "ssl.version", "ignore_missing": true } },
{ "rename": { "field": "message2.cipher", "target_field": "ssl.cipher", "ignore_missing": true } },
{ "rename": { "field": "message2.curve", "target_field": "ssl.curve", "ignore_missing": true } },
{ "rename": { "field": "message2.server_name", "target_field": "ssl.server_name", "ignore_missing": true } },
{ "rename": { "field": "message2.resumed", "target_field": "ssl.resumed", "ignore_missing": true } },
{ "rename": { "field": "message2.last_alert", "target_field": "ssl.last_alert", "ignore_missing": true } },
{ "rename": { "field": "message2.next_protocol", "target_field": "ssl.next_protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.established", "target_field": "ssl.established", "ignore_missing": true } },
{ "rename": { "field": "message2.cert_chain_fuids", "target_field": "ssl.certificate.chain_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.client_cert_chain_fuids", "target_field": "ssl.client.certificate.chain_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } },
{ "rename": { "field": "message2.issuer", "target_field": "ssl.certificate.issuer", "ignore_missing": true } },
{ "rename": { "field": "message2.client_subject", "target_field": "ssl.client.subject", "ignore_missing": true } },
{ "rename": { "field": "message2.client_issuer", "target_field": "ssl.client.issuer", "ignore_missing": true } },
{ "rename": { "field": "message2.validation_status","target_field": "ssl.validation_status", "ignore_missing": true } },
{ "rename": { "field": "message2.ja3", "target_field": "hash.ja3", "ignore_missing": true } },
{ "rename": { "field": "message2.ja3s", "target_field": "hash.ja3s", "ignore_missing": true } },
{ "set": { "field": "event.dataset", "value": "ssl" } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.version", "target_field": "ssl.version", "ignore_missing": true } },
{ "rename": { "field": "message2.cipher", "target_field": "ssl.cipher", "ignore_missing": true } },
{ "rename": { "field": "message2.curve", "target_field": "ssl.curve", "ignore_missing": true } },
{ "rename": { "field": "message2.server_name", "target_field": "ssl.server_name", "ignore_missing": true } },
{ "rename": { "field": "message2.resumed", "target_field": "ssl.resumed", "ignore_missing": true } },
{ "rename": { "field": "message2.last_alert", "target_field": "ssl.last_alert", "ignore_missing": true } },
{ "rename": { "field": "message2.next_protocol", "target_field": "ssl.next_protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.established", "target_field": "ssl.established", "ignore_missing": true } },
{ "rename": { "if": "ctx.message2?.cert_chain_fps != null", "field": "message2.cert_chain_fps", "target_field": "tls.server.hash.sha256", "ignore_missing": true } },
{ "rename": { "field": "message2?.cert_chain_fuids", "target_field": "ssl.certificate.chain_fuids", "ignore_missing": true } },
{ "rename": { "if": "ctx.message2?.client_cert_chain_fps != null", "field": "message2.client_cert_chain_fps", "target_field": "tls.client.hash.sha256", "ignore_failure": true, "ignore_missing": true } },
{ "rename": { "field": "message2.client_cert_chain_fuids", "target_field": "ssl.client.certificate.chain_fuids", "ignore_missing": true } },
{ "rename": { "field": "message2.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } },
{ "rename": { "field": "message2.issuer", "target_field": "ssl.certificate.issuer", "ignore_missing": true } },
{ "rename": { "field": "message2.client_subject", "target_field": "ssl.client.subject", "ignore_missing": true } },
{ "rename": { "field": "message2.client_issuer", "target_field": "ssl.client.issuer", "ignore_missing": true } },
{ "rename": { "field": "message2.validation_status","target_field": "ssl.validation_status", "ignore_missing": true } },
{ "rename": { "field": "message2.ja3", "target_field": "hash.ja3", "ignore_missing": true } },
{ "rename": { "field": "message2.ja3s", "target_field": "hash.ja3s", "ignore_missing": true } },
{ "foreach":
{
"if": "ctx?.tls?.client?.hash?.sha256 !=null",
"field": "tls.client.hash.sha256",
"processor": {
"append": {
"field": "hash.sha256",
"value": "{{_ingest._value}}"
}
}
}
},
{ "pipeline": { "name": "zeek.common_ssl" } }
]
}
79 changes: 40 additions & 39 deletions salt/elasticsearch/files/ingest/zeek.x509
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,44 +3,45 @@
"processors" : [
{ "set": { "field": "event.dataset", "value": "x509" } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id", "target_field": "log.id.fuid", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.version", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.version", "target_field": "x509.certificate.version", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.serial", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.serial", "target_field": "x509.certificate.serial", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.subject", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.subject", "target_field": "x509.certificate.subject", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.issuer", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.issuer", "target_field": "x509.certificate.issuer", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.not_valid_before", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.not_valid_before", "target_field": "x509.certificate.not_valid_before", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.not_valid_after", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.not_valid_after", "target_field": "x509.certificate.not_valid_after", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.key_alg", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.key_alg", "target_field": "x509.certificate.key.algorithm", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.sig_alg", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.sig_alg", "target_field": "x509.certificate.signing_algorithm", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.key_type", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.key_type", "target_field": "x509.certificate.key.type", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.key_length", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.key_length", "target_field": "x509.certificate.key.length", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.exponent", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.exponent", "target_field": "x509.certificate.exponent", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.curve", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.curve", "target_field": "x509.certificate.curve", "ignore_missing": true } },
{ "dot_expander": { "field": "san.dns", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.dns", "target_field": "x509.san_dns", "ignore_missing": true } },
{ "dot_expander": { "field": "san.uri", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.uri", "target_field": "x509.san_uri", "ignore_missing": true } },
{ "dot_expander": { "field": "san.email", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.email", "target_field": "x509.san_email", "ignore_missing": true } },
{ "dot_expander": { "field": "san.ip", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.ip", "target_field": "x509.san_ip", "ignore_missing": true } },
{ "dot_expander": { "field": "basic_constraints.ca", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.basic_constraints.ca", "target_field": "x509.basic_constraints.ca", "ignore_missing": true } },
{ "dot_expander": { "field": "basic_constraints.path_length", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.basic_constraints.path_length", "target_field": "x509.basic_constraints.path_length", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common_ssl" } }
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.id", "target_field": "log.id.fuid", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.version", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.version", "target_field": "x509.certificate.version", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.serial", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.serial", "target_field": "x509.certificate.serial", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.subject", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.subject", "target_field": "x509.certificate.subject", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.issuer", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.issuer", "target_field": "x509.certificate.issuer", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.not_valid_before", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.not_valid_before", "target_field": "x509.certificate.not_valid_before", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.not_valid_after", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.not_valid_after", "target_field": "x509.certificate.not_valid_after", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.key_alg", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.key_alg", "target_field": "x509.certificate.key.algorithm", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.sig_alg", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.sig_alg", "target_field": "x509.certificate.signing_algorithm", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.key_type", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.key_type", "target_field": "x509.certificate.key.type", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.key_length", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.key_length", "target_field": "x509.certificate.key.length", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.exponent", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.exponent", "target_field": "x509.certificate.exponent", "ignore_missing": true } },
{ "dot_expander": { "field": "certificate.curve", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.certificate.curve", "target_field": "x509.certificate.curve", "ignore_missing": true } },
{ "dot_expander": { "field": "san.dns", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.dns", "target_field": "x509.san_dns", "ignore_missing": true } },
{ "dot_expander": { "field": "san.uri", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.uri", "target_field": "x509.san_uri", "ignore_missing": true } },
{ "dot_expander": { "field": "san.email", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.email", "target_field": "x509.san_email", "ignore_missing": true } },
{ "dot_expander": { "field": "san.ip", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.san.ip", "target_field": "x509.san_ip", "ignore_missing": true } },
{ "dot_expander": { "field": "basic_constraints.ca", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.basic_constraints.ca", "target_field": "x509.basic_constraints.ca", "ignore_missing": true } },
{ "dot_expander": { "field": "basic_constraints.path_length", "path": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.basic_constraints.path_length", "target_field": "x509.basic_constraints.path_length", "ignore_missing": true } },
{ "rename": { "field": "message2.fingerprint", "target_field": "hash.sha256", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common_ssl" } }
]
}