forked from cisagov/Malcolm
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path13_zeek_convert.conf
446 lines (419 loc) · 18.1 KB
/
13_zeek_convert.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
filter {
# set data types for fields that belong to various zeek logs
# todo
# "[zeek][ecat_dev_info][fmmucnt]" => "integer"
# "[zeek][ecat_dev_info][smcount]" => "integer"
mutate {
id => "mutate_convert_zeek_bulk"
convert => {
"[zeek][bacnet][invoke_id]" => "integer"
"[zeek][bacnet_discovery][instance_number]" => "integer"
"[zeek][bacnet_discovery][range_high]" => "integer"
"[zeek][bacnet_discovery][range_low]" => "integer"
"[zeek][bacnet_property][array_index]" => "integer"
"[zeek][bacnet_property][instance_number]" => "integer"
"[zeek][bsap_ip_header][type_name]" => "integer"
"[zeek][bsap_ip_rdb][data_len]" => "integer"
"[zeek][bsap_ip_rdb][header_size]" => "integer"
"[zeek][bsap_ip_rdb][mes_seq]" => "integer"
"[zeek][bsap_ip_rdb][node_status]" => "integer"
"[zeek][bsap_ip_rdb][res_seq]" => "integer"
"[zeek][bsap_ip_rdb][sequence]" => "integer"
"[zeek][bsap_serial_header][ctl]" => "integer"
"[zeek][bsap_serial_header][dadd]" => "integer"
"[zeek][bsap_serial_header][nsb]" => "integer"
"[zeek][bsap_serial_header][sadd]" => "integer"
"[zeek][bsap_serial_header][seq]" => "integer"
"[zeek][bsap_serial_rdb_ext][nsb]" => "integer"
"[zeek][bsap_serial_rdb_ext][seq]" => "integer"
"[zeek][cip][cip_sequence_count]" => "integer"
"[zeek][cip_identity][device_type_id]" => "integer"
"[zeek][cip_identity][encapsulation_version]" => "integer"
"[zeek][cip_identity][product_code]" => "integer"
"[zeek][cip_identity][socket_port]" => "integer"
"[zeek][cip_identity][vendor_id]" => "integer"
"[zeek][cip_io][data_length]" => "integer"
"[zeek][cip_io][sequence_number]" => "integer"
"[zeek][conn][duration]" => "float"
"[zeek][dce_rpc][rtt]" => "float"
"[zeek][dhcp][duration]" => "float"
"[zeek][dnp3_control][execute_count]" => "integer"
"[zeek][dnp3_control][index_number]" => "integer"
"[zeek][dnp3_control][off_time]" => "integer"
"[zeek][dnp3_control][on_time]" => "integer"
"[zeek][dnp3_objects][object_count]" => "integer"
"[zeek][dnp3_objects][range_high]" => "integer"
"[zeek][dnp3_objects][range_low]" => "integer"
"[zeek][dns][rtt]" => "float"
"[zeek][ecat_log_address][length]" => "integer"
"[zeek][enip][length]" => "integer"
"[zeek][intel][cif_confidence]" => "float"
"[zeek][ipsec][exchange_type]" => "integer"
"[zeek][ipsec][ke_dh_groups]" => "integer"
"[zeek][ipsec][length]" => "integer"
"[zeek][ipsec][maj_ver]" => "integer"
"[zeek][ipsec][min_ver]" => "integer"
"[zeek][ipsec][proposals]" => "integer"
"[zeek][ldap][version]" => "integer"
"[zeek][ldap_search][result_count]" => "integer"
"[zeek][modbus_detailed][address]" => "integer"
"[zeek][modbus_detailed][quantity]" => "integer"
"[zeek][modbus_detailed][unit_id]" => "integer"
"[zeek][modbus_mask_write_register][address]" => "integer"
"[zeek][modbus_mask_write_register][and_mask]" => "integer"
"[zeek][modbus_mask_write_register][or_mask]" => "integer"
"[zeek][modbus_mask_write_register][unit_id]" => "integer"
"[zeek][modbus_read_write_multiple_registers][read_quantity]" => "integer"
"[zeek][modbus_read_write_multiple_registers][read_start_address]" => "integer"
"[zeek][modbus_read_write_multiple_registers][unit_id]" => "integer"
"[zeek][modbus_read_write_multiple_registers][write_start_address]" => "integer"
"[zeek][mqtt_publish][payload_len]" => "integer"
"[zeek][mqtt_subscribe][granted_qos_level]" => "integer"
"[zeek][mqtt_subscribe][qos_levels]" => "integer"
"[zeek][ntp][num_exts]" => "integer"
"[zeek][ntp][poll]" => "float"
"[zeek][ntp][precision]" => "float"
"[zeek][ntp][root_delay]" => "float"
"[zeek][ntp][root_disp]" => "float"
"[zeek][ntp][version]" => "integer"
"[zeek][opcua_binary][encoding_mask]" => "integer"
"[zeek][opcua_binary][error]" => "integer"
"[zeek][opcua_binary][identifier]" => "integer"
"[zeek][opcua_binary][max_chunk_cnt]" => "integer"
"[zeek][opcua_binary][max_msg_size]" => "integer"
"[zeek][opcua_binary][msg_size]" => "integer"
"[zeek][opcua_binary][namespace_idx]" => "integer"
"[zeek][opcua_binary][rcv_buf_size]" => "integer"
"[zeek][opcua_binary][rcv_cert_len]" => "integer"
"[zeek][opcua_binary][req_hdr_add_hdr_enc_mask]" => "integer"
"[zeek][opcua_binary][req_hdr_add_hdr_type_id]" => "integer"
"[zeek][opcua_binary][req_hdr_node_id_namespace_idx]" => "integer"
"[zeek][opcua_binary][req_hdr_node_id_numeric]" => "integer"
"[zeek][opcua_binary][req_hdr_request_handle]" => "integer"
"[zeek][opcua_binary][req_hdr_return_diag]" => "integer"
"[zeek][opcua_binary][request_id]" => "integer"
"[zeek][opcua_binary][res_hdr_add_hdr_enc_mask]" => "integer"
"[zeek][opcua_binary][res_hdr_add_hdr_type_id]" => "integer"
"[zeek][opcua_binary][res_hdr_request_handle]" => "integer"
"[zeek][opcua_binary][res_hdr_service_diag_encoding]" => "integer"
"[zeek][opcua_binary][res_hdr_service_result]" => "integer"
"[zeek][opcua_binary][sec_channel_id]" => "integer"
"[zeek][opcua_binary][sec_policy_uri_len]" => "integer"
"[zeek][opcua_binary][seq_number]" => "integer"
"[zeek][opcua_binary][snd_buf_size]" => "integer"
"[zeek][opcua_binary][snd_cert_len]" => "integer"
"[zeek][opcua_binary][version]" => "integer"
"[zeek][opcua_binary_diag_info_detail][inner_diag_level]" => "integer"
"[zeek][opcua_binary_diag_info_detail][locale]" => "integer"
"[zeek][opcua_binary_diag_info_detail][locale_txt]" => "integer"
"[zeek][opcua_binary_diag_info_detail][namespace_uri]" => "integer"
"[zeek][opcua_binary_diag_info_detail][symbolic_id]" => "integer"
"[zeek][opcua_binary_get_endpoints][application_type]" => "integer"
"[zeek][opcua_binary_get_endpoints][cert_size]" => "integer"
"[zeek][opcua_binary_get_endpoints][encoding_mask]" => "integer"
"[zeek][opcua_binary_get_endpoints][message_security_mode]" => "integer"
"[zeek][opcua_binary_get_endpoints][security_level]" => "integer"
"[zeek][opcua_binary_get_endpoints_user_token][user_token_type]" => "integer"
"[zeek][opcua_binary_opensecure_channel][client_proto_ver]" => "integer"
"[zeek][opcua_binary_opensecure_channel][message_security_mode]" => "integer"
"[zeek][opcua_binary_opensecure_channel][req_lifetime]" => "integer"
"[zeek][opcua_binary_opensecure_channel][sec_token_id]" => "integer"
"[zeek][opcua_binary_opensecure_channel][sec_token_request_type]" => "integer"
"[zeek][opcua_binary_opensecure_channel][sec_token_revised_time]" => "integer"
"[zeek][opcua_binary_opensecure_channel][sec_token_sec_channel_id]" => "integer"
"[zeek][opcua_binary_opensecure_channel][server_proto_ver]" => "integer"
"[zeek][opcua_binary_status_code_detail][historian_bits]" => "integer"
"[zeek][opcua_binary_status_code_detail][info_type]" => "integer"
"[zeek][opcua_binary_status_code_detail][limit_bits]" => "integer"
"[zeek][opcua_binary_status_code_detail][severity]" => "integer"
"[zeek][opcua_binary_status_code_detail][source]" => "integer"
"[zeek][opcua_binary_status_code_detail][sub_code]" => "integer"
"[zeek][ospf][interface_id]" => "integer"
"[zeek][ospf][metrics]" => "integer"
"[zeek][ospf][neighbor_interface_id]" => "integer"
"[zeek][ospf][prefix]" => "integer"
"[zeek][ospf][route_tags]" => "integer"
"[zeek][ospf][version]" => "integer"
"[zeek][s7comm][item_count]" => "integer"
"[zeek][signatures][host_count]" => "integer"
"[zeek][signatures][signature_count]" => "integer"
"[zeek][smb_cmd][rtt]" => "float"
"[zeek][smb_files][data_len_req]" => "integer"
"[zeek][smb_files][data_len_rsp]" => "integer"
"[zeek][smb_files][data_offset_req]" => "integer"
"[zeek][stun_nat][wan_port]" => "integer"
"[zeek][tftp][block_acked]" => "integer"
"[zeek][tftp][block_sent]" => "integer"
"[zeek][tftp][error_code]" => "integer"
"[zeek][tftp][size]" => "integer"
"[zeek][wireguard][receiver_index]" => "integer"
"[zeek][wireguard][sender_index]" => "integer"
}
}
# convert all zeek "time" types (minus zeek.ts, which was done earlier)
# https://docs.zeek.org/en/current/script-reference/types.html#type-time
if ([zeek][kerberos][from]) {
if ([zeek][kerberos][from] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_kerberos_from_zero"
remove_field => [ "[zeek][kerberos][from]" ] }
} else {
date {
id => "date_zeek_kerberos_from"
match => [ "[zeek][kerberos][from]", "UNIX" ]
target => "[zeek][kerberos][from]"
}
}
}
if ([zeek][kerberos][till]) {
if ([zeek][kerberos][till] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_kerberos_till_zero"
remove_field => [ "[zeek][kerberos][till]" ] }
} else {
date {
id => "date_zeek_kerberos_till"
match => [ "[zeek][kerberos][till]", "UNIX" ]
target => "[zeek][kerberos][till]"
}
}
}
if ([zeek][ntp][org_time]) {
if ([zeek][ntp][org_time] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_ntp_org_time_zero"
remove_field => [ "[zeek][ntp][org_time]" ] }
} else {
date {
id => "date_zeek_ntp_org_time"
match => [ "[zeek][ntp][org_time]", "UNIX" ]
target => "[zeek][ntp][org_time]"
}
}
}
if ([zeek][ntp][rec_time]) {
if ([zeek][ntp][rec_time] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_ntp_rec_time_zero"
remove_field => [ "[zeek][ntp][rec_time]" ] }
} else {
date {
id => "date_zeek_ntp_rec_time"
match => [ "[zeek][ntp][rec_time]", "UNIX" ]
target => "[zeek][ntp][rec_time]"
}
}
}
if ([zeek][ntp][ref_time]) {
if ([zeek][ntp][ref_time] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_ntp_ref_time_zero"
remove_field => [ "[zeek][ntp][ref_time]" ] }
} else {
date {
id => "date_zeek_ntp_ref_time"
match => [ "[zeek][ntp][ref_time]", "UNIX" ]
target => "[zeek][ntp][ref_time]"
}
}
}
if ([zeek][ntp][xmt_time]) {
if ([zeek][ntp][xmt_time] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_ntp_xmt_time_zero"
remove_field => [ "[zeek][ntp][xmt_time]" ] }
} else {
date {
id => "date_zeek_ntp_xmt_time"
match => [ "[zeek][ntp][xmt_time]", "UNIX" ]
target => "[zeek][ntp][xmt_time]"
}
}
}
if ([zeek][ocsp][nextUpdate]) {
if ([zeek][ocsp][nextUpdate] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_ocsp_nextUpdate_zero"
remove_field => [ "[zeek][ocsp][nextUpdate]" ] }
} else {
date {
id => "date_zeek_ocsp_nextUpdate"
match => [ "[zeek][ocsp][nextUpdate]", "UNIX" ]
target => "[zeek][ocsp][nextUpdate]"
}
}
}
if ([zeek][ocsp][revoketime]) {
if ([zeek][ocsp][revoketime] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_ocsp_revoketime_zero"
remove_field => [ "[zeek][ocsp][revoketime]" ] }
} else {
date {
id => "date_zeek_ocsp_revoketime"
match => [ "[zeek][ocsp][revoketime]", "UNIX" ]
target => "[zeek][ocsp][revoketime]"
}
}
}
if ([zeek][ocsp][thisUpdate]) {
if ([zeek][ocsp][thisUpdate] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_ocsp_thisUpdate_zero"
remove_field => [ "[zeek][ocsp][thisUpdate]" ] }
} else {
date {
id => "date_zeek_ocsp_thisUpdate"
match => [ "[zeek][ocsp][thisUpdate]", "UNIX" ]
target => "[zeek][ocsp][thisUpdate]"
}
}
}
if ([zeek][opcua_binary][req_hdr_timeout_hint]) {
if ([zeek][opcua_binary][req_hdr_timeout_hint] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_opcua_binary_req_hdr_timeout_hint_zero"
remove_field => [ "[zeek][opcua_binary][req_hdr_timeout_hint]" ] }
} else {
date {
id => "date_zeek_opcua_binary_req_hdr_timeout_hint"
match => [ "[zeek][opcua_binary][req_hdr_timeout_hint]", "UNIX" ]
target => "[zeek][opcua_binary][req_hdr_timeout_hint]"
}
}
}
if ([zeek][opcua_binary][req_hdr_timestamp]) {
if ([zeek][opcua_binary][req_hdr_timestamp] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_opcua_binary_req_hdr_timestamp_zero"
remove_field => [ "[zeek][opcua_binary][req_hdr_timestamp]" ] }
} else {
date {
id => "date_zeek_opcua_binary_req_hdr_timestamp"
match => [ "[zeek][opcua_binary][req_hdr_timestamp]", "UNIX" ]
target => "[zeek][opcua_binary][req_hdr_timestamp]"
}
}
}
if ([zeek][opcua_binary][res_hdr_timestamp]) {
if ([zeek][opcua_binary][res_hdr_timestamp] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_opcua_binary_res_hdr_timestamp_zero"
remove_field => [ "[zeek][opcua_binary][res_hdr_timestamp]" ] }
} else {
date {
id => "date_zeek_opcua_binary_res_hdr_timestamp"
match => [ "[zeek][opcua_binary][res_hdr_timestamp]", "UNIX" ]
target => "[zeek][opcua_binary][res_hdr_timestamp]"
}
}
}
if ([zeek][opcua_binary_opensecure_channel][sec_token_created_at]) {
if ([zeek][opcua_binary_opensecure_channel][sec_token_created_at] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_opcua_binary_opensecure_channel_sec_token_created_at_zero"
remove_field => [ "[zeek][opcua_binary_opensecure_channel][sec_token_created_at]" ] }
} else {
date {
id => "date_zeek_opcua_binary_opensecure_channel_sec_token_created_at"
match => [ "[zeek][opcua_binary_opensecure_channel][sec_token_created_at]", "UNIX" ]
target => "[zeek][opcua_binary_opensecure_channel][sec_token_created_at]"
}
}
}
if ([zeek][pe][compile_ts]) {
if ([zeek][pe][compile_ts] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_pe_compile_ts_zero"
remove_field => [ "[zeek][pe][compile_ts]" ] }
} else {
date {
id => "date_zeek_pe_compile_ts"
match => [ "[zeek][pe][compile_ts]", "UNIX" ]
target => "[zeek][pe][compile_ts]"
}
}
}
if ([zeek][smb_files][times_accessed]) {
if ([zeek][smb_files][times_accessed] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_smb_files_times_accessed_zero"
remove_field => [ "[zeek][smb_files][times_accessed]" ] }
} else {
date {
id => "date_zeek_smb_files_times_accessed"
match => [ "[zeek][smb_files][times_accessed]", "UNIX" ]
target => "[zeek][smb_files][times_accessed]"
}
}
}
if ([zeek][smb_files][times_changed]) {
if ([zeek][smb_files][times_changed] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_smb_files_times_changed_zero"
remove_field => [ "[zeek][smb_files][times_changed]" ] }
} else {
date {
id => "date_zeek_smb_files_times_changed"
match => [ "[zeek][smb_files][times_changed]", "UNIX" ]
target => "[zeek][smb_files][times_changed]"
}
}
}
if ([zeek][smb_files][times_created]) {
if ([zeek][smb_files][times_created] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_smb_files_times_created_zero"
remove_field => [ "[zeek][smb_files][times_created]" ] }
} else {
date {
id => "date_zeek_smb_files_times_created"
match => [ "[zeek][smb_files][times_created]", "UNIX" ]
target => "[zeek][smb_files][times_created]"
}
}
}
if ([zeek][smb_files][times_modified]) {
if ([zeek][smb_files][times_modified] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_smb_files_times_modified_zero"
remove_field => [ "[zeek][smb_files][times_modified]" ] }
} else {
date {
id => "date_zeek_smb_files_times_modified"
match => [ "[zeek][smb_files][times_modified]", "UNIX" ]
target => "[zeek][smb_files][times_modified]"
}
}
}
if ([zeek][smb_files][ts]) {
if ([zeek][smb_files][ts] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_smb_files_ts_zero"
remove_field => [ "[zeek][smb_files][ts]" ] }
} else {
date {
id => "date_zeek_smb_files_ts"
match => [ "[zeek][smb_files][ts]", "UNIX" ]
target => "[zeek][smb_files][ts]"
}
}
}
if ([zeek][snmp][up_since]) {
if ([zeek][snmp][up_since] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_snmp_up_since_zero"
remove_field => [ "[zeek][snmp][up_since]" ] }
} else {
date {
id => "date_zeek_snmp_up_since"
match => [ "[zeek][snmp][up_since]", "UNIX" ]
target => "[zeek][snmp][up_since]"
}
}
}
if ([zeek][x509][certificate_not_valid_after]) {
if ([zeek][x509][certificate_not_valid_after] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_x509_certificate_not_valid_after_zero"
remove_field => [ "[zeek][x509][certificate_not_valid_after]" ] }
} else {
date {
id => "date_zeek_x509_certificate_not_valid_after"
match => [ "[zeek][x509][certificate_not_valid_after]", "UNIX" ]
target => "[zeek][x509][certificate_not_valid_after]"
}
}
}
if ([zeek][x509][certificate_not_valid_before]) {
if ([zeek][x509][certificate_not_valid_before] == "0.000000") {
mutate { id => "mutate_remove_field_zeek_x509_certificate_not_valid_before_zero"
remove_field => [ "[zeek][x509][certificate_not_valid_before]" ] }
} else {
date {
id => "date_zeek_x509_certificate_not_valid_before"
match => [ "[zeek][x509][certificate_not_valid_before]", "UNIX" ]
target => "[zeek][x509][certificate_not_valid_before]"
}
}
}
}