From 4a72770d60a2bde4049d9823f5f554a7bb5b77b7 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Thu, 21 Mar 2024 14:37:17 -0600
Subject: [PATCH] replace salesforce with corelight hassh plugin

---
 docs/components.md | 2 +-
 logstash/pipelines/zeek/11_zeek_parse.conf | 8 +++++++-
 logstash/pipelines/zeek/12_zeek_mutate.conf | 2 +-
 shared/bin/zeek_install_plugins.sh | 2 +-
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/docs/components.md b/docs/components.md
index ed12d9e0c..2156df396 100644
--- a/docs/components.md
+++ b/docs/components.md
@@ -38,6 +38,7 @@ Malcolm leverages the following excellent open source tools, among others.
 * Corelight's [bro-xor-exe](https://github.com/corelight/bro-xor-exe-plugin) plugin
 * Corelight's [callstranger-detector](https://github.com/corelight/callstranger-detector) plugin
 * Corelight's [DCE/RPC remote code execution vulnerability (CVE-2022-26809)](https://github.com/corelight/cve-2022-26809) plugin
+ * Corelight's [HASSH](https://github.com/corelight/hassh) SSH fingerprinting plugin
 * Corelight's [HTTP More Filenames](https://github.com/corelight/http-more-files-names) plugin
 * Corelight's [HTTP protocol stack vulnerability (CVE-2021-31166)](https://github.com/corelight/CVE-2021-31166) plugin
 * Corelight's [OpenSSL RCE buffer overrun vulnerability (CVE-2022-3602)](https://github.com/corelight/CVE-2022-3602) plugin
@@ -52,7 +53,6 @@ Malcolm leverages the following excellent open source tools, among others.
 * Lexi Brent's [EternalSafety](https://github.com/0xl3x1/zeek-EternalSafety) plugin
 * MITRE Cyber Analytics Repository's [Bro/Zeek ATT&CKĀ®-Based Analytics (BZAR)](https://github.com/mitre-attack/car/tree/master/implementations) script
 * Salesforce's [gQUIC](https://github.com/salesforce/GQUIC_Protocol_Analyzer) analyzer
- * Salesforce's [HASSH](https://github.com/salesforce/hassh) SSH fingerprinting plugin
 * Salesforce's [JA3](https://github.com/salesforce/ja3) TLS fingerprinting plugin
 * Zeek's [Spicy](https://github.com/zeek/spicy) plugin framework
 * [GeoLite2](https://dev.maxmind.com/geoip/geoip2/geolite2/) - Malcolm includes GeoLite2 data created by [MaxMind](https://www.maxmind.com)
diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
index b6159b134..877477f3f 100644
--- a/logstash/pipelines/zeek/11_zeek_parse.conf
+++ b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -3366,7 +3366,13 @@ filter {
 # ssh.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info
 
- if ("_jsonparsesuccess" not in [tags]) {
+ if ("_jsonparsesuccess" in [tags]) {
+ mutate {
+ id => "mutate_rename_zeek_json_ssh_fields"
+ rename => { "[zeek_cols][hasshServer_Algorithms]" => "[zeek_cols][hasshServerAlgorithms]" }
+ }
+
+ } else {
 dissect {
 id => "dissect_zeek_ssh_with_all_fields_with_hassh"
 # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf
index 636ed1dab..32388c8ca 100644
--- a/logstash/pipelines/zeek/12_zeek_mutate.conf
+++ b/logstash/pipelines/zeek/12_zeek_mutate.conf
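Review bot: The new `mutate_rename_zeek_json_ssh_fields` block gives no reason for mapping `hasshServer_Algorithms` onto `hasshServerAlgorithms`, so a later reader cannot tell whether the underscore name is a quirk of the corelight fork or a stale typo to be cleaned up. I'd put a comment above the `mutate`: `# the corelight HASSH package appears to log the server-side algorithm column as hasshServer_Algorithms; normalize it to the hasshServerAlgorithms name the rest of the pipeline was written against` (hedged, since this hunk shows neither plugin's actual column list). The rename only runs on the JSON branch; the TSV dissect mapping that follows `dissect_zeek_ssh_with_all_fields_with_hassh` starts after the end of this hunk, so whether that path yields the same field name with the new plugin cannot be confirmed from here and is worth checking against one TSV ssh.log. The enclosing ssh branch of the filter begins before and ends after this hunk.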
@@ -1812,7 +1812,7 @@ filter {
 merge => { "[ssh][key]" => "[@metadata][ssh_key_str]" }
 }
 }
- # HASSH stuff (see https://github.com/salesforce/hassh/tree/master/bro)
+ # HASSH stuff (see https://github.com/corelight/hassh)
 if ([zeek][ssh][hassh]) {
 mutate {
 id => "mutate_merge_zeek_ssh_hassh"
diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh
index 525b0827f..69b2b9b71 100755
--- a/shared/bin/zeek_install_plugins.sh
+++ b/shared/bin/zeek_install_plugins.sh
@@ -89,6 +89,7 @@ ZKG_GITHUB_URLS=(
 "https://github.com/corelight/cve-2022-22954"
 "https://github.com/corelight/cve-2022-26809"
 "https://github.com/corelight/CVE-2022-3602"
+ "https://github.com/corelight/hassh"
 "https://github.com/corelight/http-more-files-names"
 "https://github.com/corelight/pingback"
 "https://github.com/corelight/ripple20"
@@ -106,7 +107,6 @@ ZKG_GITHUB_URLS=(
 "https://github.com/ncsa/bro-simple-scan"
 "https://github.com/precurse/zeek-httpattacks"
 "https://github.com/mmguero-dev/GQUIC_Protocol_Analyzer"
- "https://github.com/salesforce/hassh"
 "https://github.com/salesforce/ja3"
 "https://github.com/zeek/spicy-dhcp"
 "https://github.com/zeek/spicy-dns"
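Review bot: The added `"https://github.com/corelight/hassh"` entry, like its neighbours in `ZKG_GITHUB_URLS`, names a repository with no tag or commit, so whatever consumes the array (outside this hunk) will presumably install whichever revision the default branch points at on build day; swapping providers is a natural moment to pin the new package. If the install loop uses zkg, passing a release tag through its `--version` option, or at least recording the expected commit in a comment next to the URL, would make the Zeek image reproducible and limit the blast radius of a compromise or force-push of that upstream repository. This is a pre-existing weakness of the whole list rather than something this commit introduces, but the new entry is the one under review. The array definition begins before this hunk.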