Merge pull request #12048 from Security-Onion-Solutions/2.4/improve-filterlog-parser

FIX: Update dashboard and hunt query for firewall logs #12021
dougburks authored Dec 19, 2023
2 parents 69472e7 + ab5de4c commit 5e8613f
Showing 2 changed files with 26 additions and 19 deletions.
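--- a/salt/elasticsearch/files/ingest/filterlog
+++ b/salt/elasticsearch/files/ingest/filterlog
@@ -4,56 +4,65 @@
 {
 "dissect": {
 "field": "real_message",
-"pattern" : "%{rule.uuid},%{rule.sub_uuid},%{firewall.anchor},%{firewall.tracker_id},%{interface.name},%{rule.reason},%{rule.action},%{network.direction},%{ip.version},%{firewall.sub_message}",
+"pattern" : "%{rule.uuid},%{rule.sub_uuid},%{firewall.anchor},%{rule.id},%{observer.ingress.interface.name},%{event.reason},%{event.action},%{network.direction},%{ip.version},%{firewall.sub_message}",
 "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
 }
 },
 {
 "dissect": {
-"if": "ctx.ip.version == '4'",
+"if": "ctx.ip?.version == '4'",
 "field": "firewall.sub_message",
-"pattern" : "%{ip.tos},%{ip.ecn},%{ip.ttl},%{ip.id},%{ip.offset},%{ip.flags},%{network.transport_id},%{network.transport},%{data.length},%{source.ip},%{destination.ip},%{ip_sub_msg}",
+"pattern" : "%{pfsense.ip.tos},%{pfsense.ip.ecn},%{pfsense.ip.ttl},%{pfsense.ip.id},%{pfsense.ip.offset},%{pfsense.ip.flags},%{network.iana_number},%{network.transport},%{network.bytes},%{source.address},%{destination.address},%{ip_sub_msg}",
 "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
 }
 },
 {
 "dissect": {
 "if": "ctx.ip?.version == '6'",
 "field": "firewall.sub_message",
-"pattern" : "%{network.class},%{network.flow_label},%{network.hop_limit},%{network.transport},%{network.transport_id},%{data.length},%{source.ip},%{destination.ip},%{ip_sub_msg}",
+"pattern" : "%{pfsense.ip.tos},%{pfsense.ip.flow_label},%{network.hop_limit},%{network.transport},%{network.iana_number},%{network.bytes},%{source.address},%{destination.address},%{ip_sub_msg}",
 "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
 }
 },
 {
 "dissect": {
 "if": "ctx.network?.transport == 'tcp'",
 "field": "ip_sub_msg",
-"pattern" : "%{source.port},%{destination.port},%{data.length},%{tcp.flags},",
+"pattern" : "%{source.port},%{destination.port},%{pfsense.tcp.length},%{pfsense.tcp.flags},",
 "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
 }
 },
 {
 "dissect": {
 "if": "ctx.network?.transport == 'udp'",
 "field": "ip_sub_msg",
-"pattern" : "%{source.port},%{destination.port},%{data.length}",
+"pattern" : "%{source.port},%{destination.port},%{pfsense.udp.length}",
 "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
 }
 },
 {
 "split": {
-"if": "ctx.ip.version =='6' && ctx.network?.transport == 'Options'",
+"if": "ctx.ip?.version =='6' && ctx.network?.transport == 'Options'",
 "field": "ip_sub_msg",
 "target_field": "ip.options",
 "separator" : ",",
 "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
 }
 },
-{ "set": { "if": "ctx.network?.transport_id == '0'", "field": "network.transport", "value": "icmp", "override": true } },
-{ "community_id": {} },
-{ "set": { "field": "event.module", "value": "pfsense", "override": true } },
-{ "set": { "field": "event.dataset", "value": "firewall", "override": true } },
-{ "set": { "field": "category", "value": "network", "override": true } },
-{ "remove": { "field": ["real_message", "ip_sub_msg", "firewall.sub_message"], "ignore_failure": true } }
+{ "lowercase": { "field": "network.transport", "ignore_failure": true } },
+{ "set": { "field": "destination.ip", "value": "{{{destination.address}}}", "override": true } },
+{ "set": { "field": "source.ip", "value": "{{{source.address}}}", "override": true } },
+{ "set": { "if": "ctx.ip?.version == '4'", "field": "network.type", "value": "ipv4", "override": true} },
+{ "set": { "if": "ctx.ip?.version == '6'", "field": "network.type", "value": "ipv6", "override": true} },
+{ "set": { "if": "ctx.network?.direction == 'in'", "field": "network.direction", "value": "inbound", "override": true} },
+{ "set": { "if": "ctx.network?.direction == 'out'", "field": "network.direction", "value": "outbound", "override": true} },
+{ "set": { "field": "category", "value": "network", "override": true } },
+{ "set": { "field": "event.dataset", "value": "firewall", "override": true } },
+{ "set": { "field": "event.kind", "value": "event", "override": true } },
+{ "set": { "field": "event.module", "value": "pfsense", "override": true } },
+{ "set": { "field": "event.provider", "value": "filterlog", "override": true } },
+{ "set": { "field": "observer.type", "value": "firewall", "override": true } },
+{ "community_id":{ } },
+{ "remove": { "field": ["real_message", "ip_sub_msg", "firewall.sub_message"], "ignore_failure": true } }
 ]
 }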
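Review bot: The two new `set` processors that copy `source.address`/`destination.address` into `source.ip`/`destination.ip` run unconditionally, while every dissect above them only records `error.message` on failure and lets the pipeline continue; for a line whose sub-message did not dissect (an `ip.version` other than 4/6, a truncated or tampered log line) the `{{{…}}}` template renders an empty string, so `ip`-typed fields are written as `""` and the document will most likely be rejected at index time — precisely the malformed or unexpected firewall events an analyst would want to see are the ones that silently disappear. The smallest fix is to let the processor skip empty values: `{ "set": { "field": "destination.ip", "value": "{{{destination.address}}}", "override": true, "ignore_empty_value": true } }` and the same for `source.ip`; an `"if": "ctx.source?.address != null"` guard is the alternative if the target Elasticsearch lacks `ignore_empty_value`. Separately, the `category` set on the new side is a top-level field rather than ECS `event.category`; if that is not a deliberate Security Onion convention it is worth aligning with the other `event.*` fields populated here.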
10 changes: 4 additions & 6 deletions salt/soc/defaults.yaml
Expand Up @@ -465,10 +465,9 @@ soc:
- destination.ip
- destination.port
- network.transport
- network.direction
- interface.name
- rule.action
- rule.reason
- network.type
- observer.ingress.interface.name
- event.action
- network.community_id
':pfsense:':
- soc_timestamp
Expand All @@ -477,10 +476,9 @@ soc:
- destination.ip
- destination.port
- network.transport
- network.direction
- network.type
- observer.ingress.interface.name
- event.action
- event.reason
- network.community_id
':osquery:':
- soc_timestamp
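Review bot: The first hunk removes `network.direction` and `rule.reason` from this column list without putting a replacement in, even though the pipeline change in this same commit still emits `network.direction` (now normalized to `inbound`/`outbound`) and renames `rule.reason` to `event.reason`; the `:pfsense:` list in the second hunk keeps `event.reason`, so the two lists no longer agree on which of the renamed fields an analyst sees. Direction and reason are the first fields used to tell a blocked inbound probe from permitted egress, so unless dropping them was deliberate, add `- network.direction` and `- event.reason` beside `- event.action` in the first list. The key the first list belongs to is outside the hunk, so which view it drives cannot be confirmed from here.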
