From 8a92b023b28e51613f564134c4c2e09410a84d7f Mon Sep 17 00:00:00 2001
From: Wes
Date: Tue, 16 Jan 2024 18:09:16 +0000
Subject: [PATCH 1/4] Add interface name
---
 salt/elasticsearch/files/ingest/suricata.common | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common
index 6b6a03a607..8143882c71 100644
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -4,6 +4,7 @@
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.pkt_src", "target_field": "network.packet_source","ignore_failure": true } },
 { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
+ { "rename": { "field": "message2.in_iface", "target_field": "observer.ingress.interface.name", "ignore_failure": true } },
 { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } },
 { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },
 { "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } },
From ea64ce92d3e0c7922894ad1ce88ac9c122f42f81 Mon Sep 17 00:00:00 2001
From: Wes
Date: Tue, 16 Jan 2024 18:09:46 +0000
Subject: [PATCH 2/4] Add Suricata IKE pipeline
---
 salt/elasticsearch/files/ingest/suricata.ike | 21 ++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/suricata.ike
diff --git a/salt/elasticsearch/files/ingest/suricata.ike b/salt/elasticsearch/files/ingest/suricata.ike
new file mode 100644
index 0000000000..daac589160
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/suricata.ike
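Review bot: The new `message2.in_iface` rename uses `ignore_failure: true`, which also swallows the error the rename processor raises when `observer.ingress.interface.name` is already set on the event, leaving the interface name stranded under `message2.in_iface` with nothing visible to anyone filtering per sensor on the ECS field. That matches the surrounding lines in this file, but the suricata.ike pipeline added later in this series uses `ignore_missing: true` for the same kind of rename, so the two files now disagree on how rename errors are handled. If the intent is only to tolerate events that carry no `in_iface`, `"ignore_missing": true` is the narrower option; if the broad catch is deliberate, it is worth saying so in the commit message since JSON leaves no room for an inline comment. The processors array continues outside the hunk.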
@@ -0,0 +1,21 @@
+{
+ "description" : "suricata.ike logs",
+ "processors" : [
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.alg_auth", "target_field": "ike.algorithm.authentication", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.alg_enc", "target_field": "ike.algorithm.encryption", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.alg_esn", "target_field": "ike.algorithm.esn", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.alg_dh", "target_field": "ike.algorithm.dh", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.alg_prf", "target_field": "ike.algorithm.prf", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.exchange_type", "target_field": "ike.exchange_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.payload", "target_field": "ike.payload", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.role", "target_field": "ike.role", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.init_spi", "target_field": "ike.spi.initiator", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.resp_spi", "target_field": "ike.spi.responder", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.version_major", "target_field": "ike.version.major", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.version_minor", "target_field": "ike.version.minor", "ignore_missing": true } },
+ { "rename": { "field": "message2.ike.ikev2.errors", "target_field": "ike.ikev2.errors", "ignore_missing": true } },
+ { "pipeline": { "name": "common" } }
+ ]
+}
From f6590ac0bf0591c09f12f4c4bf6762cc2e026b22 Mon Sep 17 00:00:00 2001
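Review bot: The rename list maps `ike.ikev2.errors` but no other version-specific sub-fields; if the Suricata build in use also emits values such as `alg_hash` or an `ikev1` object in its IKE EVE record, those stay under `message2.ike.*` and are not reachable under the `ike.*` names this pipeline establishes, so searches and detections written against `ike.*` would silently miss IKEv1 detail — worth checking against the EVE `ike` schema for the shipped version and adding the matching `rename` entries. The renames also run before `{ "pipeline": { "name": "common" } }`, and suricata.common (first patch in this series) itself re-parses `message` into `message2`, so whether `message2.ike.*` is already populated at this point depends on a parent pipeline outside the diff; the structure mirrors the removed suricata.ikev2 file, so presumably it is, but it is an inferred dependency rather than one visible here. Because every rename uses `ignore_missing`, a wrong source path would fail silently rather than produce an ingest error, so a quick check that `ike.algorithm.*` and `ike.spi.*` actually appear on a sample IKE event would confirm the paths.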
From: Wes
Date: Tue, 16 Jan 2024 18:10:00 +0000
Subject: [PATCH 3/4] Remove Suricata IKEv2 pipeline
---
 salt/elasticsearch/files/ingest/suricata.ikev2 | 8 --------
 1 file changed, 8 deletions(-)
 delete mode 100644 salt/elasticsearch/files/ingest/suricata.ikev2
diff --git a/salt/elasticsearch/files/ingest/suricata.ikev2 b/salt/elasticsearch/files/ingest/suricata.ikev2
deleted file mode 100644
index 1916f63691..0000000000
--- a/salt/elasticsearch/files/ingest/suricata.ikev2
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "description" : "suricata.ikev2",
- "processors" : [
- { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
- { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
- { "pipeline": { "name": "common" } }
- ]
-}
From e70ce5091205ac82da3d11bc32d51a0bc0454d7a Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 17 Jan 2024 14:06:16 +0000
Subject: [PATCH 4/4] Change description
---
 salt/elasticsearch/files/ingest/suricata.ike | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/suricata.ike b/salt/elasticsearch/files/ingest/suricata.ike
index daac589160..890b99baf2 100644
--- a/salt/elasticsearch/files/ingest/suricata.ike
+++ b/salt/elasticsearch/files/ingest/suricata.ike
@@ -1,5 +1,5 @@
 {
- "description" : "suricata.ike logs",
+ "description" : "suricata.ike",
 "processors" : [
 { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
 { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },