Fix wrong field notation in dpluger output

defenxor · Nov 4, 2018 · 4c9f26e · 4c9f26e
1 parent f57bc7c
commit 4c9f26e
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 25 deletions.
diff --git a/internal/pkg/dpluger/dpluger.go b/internal/pkg/dpluger/dpluger.go
@@ -213,6 +213,7 @@ func createPluginCollect(plugin Plugin, confFile, creator string, validate bool)
 	pt.Creator = creator
 	pt.SIDField = getLogstashFieldNotation(
 		strings.Replace(plugin.Fields.Title, "collect:", "", 1))
+	pt.SIDField = "%{" + pt.SIDField + "}"
 	pt.CreateDate = time.Now().Format(time.RFC3339)
 	transformToLogstashField(&pt.P.Fields)
 
@@ -269,6 +270,10 @@ func transformToLogstashField(fields *FieldMapping) {
 		if t := getType(str); t == ftES {
 			// convert to logstash [field][subfield] notation
 			v = getLogstashFieldNotation(str)
+			// do this except for timestamp, as it is only used in date filter
+			if typeOfT.Field(i).Name != "Timestamp" {
+				v = "%{" + v + "}"
+			}
 		} else {
 			v = str
 		}

diff --git a/internal/pkg/dpluger/template.go b/internal/pkg/dpluger/template.go
@@ -77,10 +77,10 @@ filter {
       # the rest should be the same as nonCollect plugin
       date {
         match => [ "{{.P.Fields.Timestamp}}", "{{.P.Fields.TimestampFormat}}" ]
-        target => "[timestamp]"
+        target => [timestamp]
       }
       mutate {
-        add_field => {
+        replace => {
           "title" => "{{.SIDField}}"
           "src_index_pattern" => "{{.P.Index}}"
           "sensor" => "{{.P.Fields.Sensor}}"
@@ -114,7 +114,7 @@ filter {
 
       # delete fields except those included in the whitelist below
       prune {
-        whitelist_names => [ "@metadata", "src_index_pattern", "title", "sensor", "product",
+        whitelist_names => [ "timestamp", "@metadata", "src_index_pattern", "title", "sensor", "product",
           "src_ip", "dst_ip", "plugin_id", "plugin_sid", "category", "subcategory",
           "src_port", "dst_port", "protocol", "custom_label1", "custom_label2", "custom_label3",
           "custom_data1", "custom_data2", "custom_data3" ]
@@ -190,7 +190,7 @@ filter {
   if [@metadata][siem_plugin_type] == "{{.P.Name}}" {
     date {
       match => [ "{{.P.Fields.Timestamp}}", "{{.P.Fields.TimestampFormat}}" ]
-      target => "[timestamp]"
+      target => [timestamp]
     }
     mutate {
       replace => {

diff --git a/test/dpluger/70_siem-plugin-suricata.conf b/test/dpluger/70_siem-plugin-suricata.conf
@@ -3,14 +3,14 @@
 # Dsiem suricata Plugin
 # Type: SID
 #
-# Auto-generated by dpluger on 2018-10-30T19:35:27+07:00
+# Auto-generated by dpluger on 2018-11-04T17:07:28+07:00
 ###############################################################################
 
 filter {
 
 # 1st step: identify the source log and clone it to another event with type => siem_events
 
-  if [application] == "suricata" and [alert]) {
+  if [application] == "suricata" and [alert] {
     clone {
       clones => [ "siem_events" ]
     }
@@ -61,23 +61,23 @@ filter {
   if [@metadata][siem_plugin_type] == "suricata" {
     date {
       match => [ "[timestamp]", "ISO8601" ]
-      target => "[timestamp]"
+      target => [timestamp]
     }
     mutate {
-      add_field => {
-        "title" => "[alert][signature]"
+      replace => {
+        "title" => "%{[alert][signature]}"
         "src_index_pattern" => "suricata-*"
-        "sensor" => "[host][name]"
+        "sensor" => "%{[host][name]}"
         "product" => "Intrusion Detection System"
-        "src_ip" => "[src_ip]"
-        "dst_ip" => "[dest_ip]"
-        "protocol" => "[proto]"
-        "category" => "[alert][category]"
+        "src_ip" => "%{[src_ip]}"
+        "dst_ip" => "%{[dest_ip]}"
+        "protocol" => "%{[proto]}"
+        "category" => "%{[alert][category]}"
 
         "plugin_id" => "1001"
-        "plugin_sid" => "[alert][signature_id]"
-        "src_port" => "[src_port]"
-        "dst_port" => "[dest_port]"
+        "plugin_sid" => "%{[alert][signature_id]}"
+        "src_port" => "%{[src_port]}"
+        "dst_port" => "%{[dest_port]}"
 
       }
     }
@@ -92,13 +92,11 @@ filter {
     }
 
     # delete fields except those included in the whitelist below
-    filter {
-      prune {
-        whitelist_names => [ "@metadata", "src_index_pattern", "title", "sensor", "product",
-          "src_ip", "dst_ip", "plugin_id", "plugin_sid", "category", "subcategory",
-          "src_port", "dst_port", "protocol", "custom_label1", "custom_label2", "custom_label3",
-          "custom_data1", "custom_data2", "custom_data3" ]
-      }
-    }		
+    prune {
+      whitelist_names => [ "timestamp", "@metadata", "src_index_pattern", "title", "sensor", "product",
+        "src_ip", "dst_ip", "plugin_id", "plugin_sid", "category", "subcategory",
+        "src_port", "dst_port", "protocol", "custom_label1", "custom_label2", "custom_label3",
+        "custom_data1", "custom_data2", "custom_data3" ]
+    }
   }
 }