Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Zeek] Add additional data sets #3340

Merged
merged 12 commits into from
Jun 28, 2022
Merged

[Zeek] Add additional data sets #3340

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
e3c16d0
Add Software Log
legoguy1000 May 11, 2022
9e5e007
Add Known Certs
legoguy1000 May 11, 2022
58141c1
Add Known Hosts
legoguy1000 May 11, 2022
7fdfff9
Add Known Services
legoguy1000 May 11, 2022
764a4f8
add samples
legoguy1000 May 11, 2022
5aeba45
update changelog
legoguy1000 May 11, 2022
7a93917
Updates per comments
legoguy1000 May 16, 2022
d9d019a
fixed spelling
legoguy1000 May 27, 2022
6864493
fix errors
legoguy1000 Jun 15, 2022
031b6dc
Merge remote-tracking branch 'upstream/main' into zeek-additional-logs
legoguy1000 Jun 15, 2022
b6301d8
fix dataset
legoguy1000 Jun 16, 2022
e3c1028
Default to `forwarded` tag to not add host fields to Zeek data
legoguy1000 Jun 17, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions packages/zeek/_dev/build/docs/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,12 @@ contains kerberos data.

{{fields "kerberos"}}

### known_certs
legoguy1000 marked this conversation as resolved.
Show resolved Hide resolved

The `known_certs` dataset captures information about SSL/TLS certificates seen on the local network.
legoguy1000 marked this conversation as resolved.
Show resolved Hide resolved

{{fields "known_certs"}}

### known_hosts
legoguy1000 marked this conversation as resolved.
Show resolved Hide resolved

The `known_hosts` dataset captures information about SSL/TLS certificates seen on the local network.
legoguy1000 marked this conversation as resolved.
Show resolved Hide resolved
Expand Down
4 changes: 4 additions & 0 deletions packages/zeek/data_stream/known_hosts/_dev/test/pipeline/test-common-config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
fields:
"@timestamp": "2020-04-28T11:07:58.223Z"
tags:
- preserve_original_event
5 changes: 5 additions & 0 deletions packages/zeek/data_stream/known_hosts/_dev/test/pipeline/test-known_hosts.log
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
{"ts":"2021-01-03T01:19:26.260073Z","host":"192.168.4.25"}
{"ts":"2021-01-03T01:19:27.353353Z","host":"192.168.4.29"}
{"ts":"2021-01-03T01:19:32.488179Z","host":"192.168.4.43"}
{"ts":"2021-01-03T01:19:58.792683Z","host":"192.168.4.142"}
{"ts":"2021-01-03T12:17:22.496004Z","host":"192.168.4.115"}
134 changes: 134 additions & 0 deletions packages/zeek/data_stream/known_hosts/_dev/test/pipeline/test-known_hosts.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,134 @@
{
"expected": [
{
"@timestamp": "2021-01-03T01:19:26.260Z",
"ecs": {
"version": "8.2.0"
},
"event": {
"category": "network",
"created": "2020-04-28T11:07:58.223Z",
"kind": "info",
"original": "{\"ts\":\"2021-01-03T01:19:26.260073Z\",\"host\":\"192.168.4.25\"}"
},
"host": {
"ip": "192.168.4.25"
},
"network": {
"type": "ipv4"
},
"related": {
"ip": [
"192.168.4.25"
]
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2021-01-03T01:19:27.353Z",
"ecs": {
"version": "8.2.0"
},
"event": {
"category": "network",
"created": "2020-04-28T11:07:58.223Z",
"kind": "info",
"original": "{\"ts\":\"2021-01-03T01:19:27.353353Z\",\"host\":\"192.168.4.29\"}"
},
"host": {
"ip": "192.168.4.29"
},
"network": {
"type": "ipv4"
},
"related": {
"ip": [
"192.168.4.29"
]
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2021-01-03T01:19:32.488Z",
"ecs": {
"version": "8.2.0"
},
"event": {
"category": "network",
"created": "2020-04-28T11:07:58.223Z",
"kind": "info",
"original": "{\"ts\":\"2021-01-03T01:19:32.488179Z\",\"host\":\"192.168.4.43\"}"
},
"host": {
"ip": "192.168.4.43"
},
"network": {
"type": "ipv4"
},
"related": {
"ip": [
"192.168.4.43"
]
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2021-01-03T01:19:58.792Z",
"ecs": {
"version": "8.2.0"
},
"event": {
"category": "network",
"created": "2020-04-28T11:07:58.223Z",
"kind": "info",
"original": "{\"ts\":\"2021-01-03T01:19:58.792683Z\",\"host\":\"192.168.4.142\"}"
},
"host": {
"ip": "192.168.4.142"
},
"network": {
"type": "ipv4"
},
"related": {
"ip": [
"192.168.4.142"
]
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2021-01-03T12:17:22.496Z",
"ecs": {
"version": "8.2.0"
},
"event": {
"category": "network",
"created": "2020-04-28T11:07:58.223Z",
"kind": "info",
"original": "{\"ts\":\"2021-01-03T12:17:22.496004Z\",\"host\":\"192.168.4.115\"}"
},
"host": {
"ip": "192.168.4.115"
},
"network": {
"type": "ipv4"
},
"related": {
"ip": [
"192.168.4.115"
]
},
"tags": [
"preserve_original_event"
]
}
]
}
6 changes: 6 additions & 0 deletions packages/zeek/data_stream/known_hosts/_dev/test/system/test-logs-config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
vars:
base_paths:
- "{{SERVICE_LOGS_DIR}}"
input: logfile
data_stream:
vars: ~
legoguy1000 marked this conversation as resolved.
Show resolved Hide resolved
21 changes: 21 additions & 0 deletions packages/zeek/data_stream/known_hosts/agent/stream/log.yml.hbs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
paths:
{{#each base_paths}}
{{#each ../filenames}}
- {{../this}}/{{this}}
{{/each}}
{{/each}}
exclude_files: [".gz$"]
tags:
{{#if preserve_original_event}}
- preserve_original_event
{{/if}}
{{#each tags as |tag i|}}
- {{tag}}
{{/each}}
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}
{{#if processors}}
processors:
{{processors}}
{{/if}}
65 changes: 65 additions & 0 deletions packages/zeek/data_stream/known_hosts/elasticsearch/ingest_pipeline/default.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
---
description: Pipeline for normalizing Zeek conn.log
processors:
- rename:
field: message
target_field: event.original
- json:
field: event.original
target_field: json
- drop:
description: Drop if no timestamp (invalid json)
if: 'ctx?.json?.ts == null'

# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- set:
field: event.created
copy_from: "@timestamp"
- set:
field: ecs.version
value: '8.2.0'
- set:
field: event.kind
value: info
- set:
field: event.category
value: network
- date:
field: json.ts
formats:
- UNIX
- ISO8601
- rename:
field: json.host
target_field: host.ip
ignore_missing: true
- set:
field: network.type
value: ipv4
if: ctx.host?.ip.contains('.')
- set:
field: network.type
value: ipv6
if: ctx.host?.ip.contains(':')
- append:
field: related.ip
value: "{{host.ip}}"
if: ctx?.host?.ip != null
allow_duplicates: false
- geoip:
field: host.ip
target_field: host.geo
ignore_missing: true
- remove:
field:
- json
ignore_missing: true
- remove:
field: event.original
if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
ignore_failure: true
ignore_missing: true
on_failure:
- set:
field: error.message
value: "{{ _ingest.on_failure_message }}"
Loading