From 72fcec70450d70dd320f53bead22c701f8aee98e Mon Sep 17 00:00:00 2001 
From: Alex Resnick Date: Wed, 24 Mar 2021 00:00:04 +0000 Subject: [PATCH 1/9] Add network direction processor to zeek and suricata module --- CHANGELOG.next.asciidoc | 1 + .../module/suricata/eve/config/eve.yml | 7 ++++++ .../filebeat/module/suricata/eve/manifest.yml | 2 ++ .../eve/test/eve-6.0.log-expected.json | 1 + .../eve/test/eve-alerts.log-expected.json | 22 +++++++++++++++++ .../eve/test/eve-dns-4.1.4.log-expected.json | 24 +++++++++++++++++++ .../eve/test/eve-small.log-expected.json | 11 +++++++++ .../zeek/connection/config/connection.yml | 7 ++++++ .../module/zeek/connection/manifest.yml | 2 ++ .../module/zeek/dce_rpc/config/dce_rpc.yml | 7 ++++++ .../filebeat/module/zeek/dce_rpc/manifest.yml | 2 ++ .../test/dce_rpc-json.log-expected.json | 1 + .../filebeat/module/zeek/dhcp/config/dhcp.yml | 7 ++++++ x-pack/filebeat/module/zeek/dhcp/manifest.yml | 2 ++ .../dhcp/test/dhcp-json.log-expected.json | 1 + .../filebeat/module/zeek/dnp3/config/dnp3.yml | 7 ++++++ x-pack/filebeat/module/zeek/dnp3/manifest.yml | 2 ++ .../dnp3/test/dnp3-json.log-expected.json | 1 + .../filebeat/module/zeek/dns/config/dns.yml | 11 +++++++++ x-pack/filebeat/module/zeek/dns/manifest.yml | 2 ++ .../zeek/dns/test/dns-json.log-expected.json | 6 +++++ .../filebeat/module/zeek/dpd/config/dpd.yml | 7 ++++++ x-pack/filebeat/module/zeek/dpd/manifest.yml | 2 ++ .../zeek/dpd/test/dpd-json.log-expected.json | 1 + .../filebeat/module/zeek/ftp/config/ftp.yml | 7 ++++++ x-pack/filebeat/module/zeek/ftp/manifest.yml | 2 ++ .../zeek/ftp/test/ftp.log-expected.json | 3 +++ .../filebeat/module/zeek/http/config/http.yml | 8 +++++++ x-pack/filebeat/module/zeek/http/manifest.yml | 2 ++ .../http/test/http-json.log-expected.json | 4 ++++ .../module/zeek/intel/config/intel.yml | 7 ++++++ .../filebeat/module/zeek/intel/manifest.yml | 2 ++ .../intel/test/intel-json.log-expected.json | 1 + .../filebeat/module/zeek/irc/config/irc.yml | 7 ++++++ x-pack/filebeat/module/zeek/irc/manifest.yml | 2 ++ 
.../zeek/irc/test/irc-json.log-expected.json | 3 +++ .../module/zeek/kerberos/config/kerberos.yml | 7 ++++++ .../module/zeek/kerberos/manifest.yml | 2 ++ .../test/kerberos-json.log-expected.json | 1 + .../module/zeek/modbus/config/modbus.yml | 7 ++++++ .../filebeat/module/zeek/modbus/manifest.yml | 2 ++ .../modbus/test/modbus-json.log-expected.json | 1 + .../module/zeek/mysql/config/mysql.yml | 7 ++++++ .../filebeat/module/zeek/mysql/manifest.yml | 2 ++ .../mysql/test/mysql-json.log-expected.json | 1 + .../module/zeek/notice/config/notice.yml | 7 ++++++ .../filebeat/module/zeek/notice/manifest.yml | 2 ++ .../notice/test/notice-json.log-expected.json | 1 + .../filebeat/module/zeek/ntlm/config/ntlm.yml | 7 ++++++ x-pack/filebeat/module/zeek/ntlm/manifest.yml | 2 ++ .../ntlm/test/ntlm-json.log-expected.json | 1 + .../filebeat/module/zeek/ntp/config/ntp.yml | 7 ++++++ x-pack/filebeat/module/zeek/ntp/manifest.yml | 2 ++ .../zeek/ntp/test/ntp-json.log-expected.json | 2 ++ .../module/zeek/radius/config/radius.yml | 7 ++++++ .../filebeat/module/zeek/radius/manifest.yml | 2 ++ .../radius/test/radius-json.log-expected.json | 1 + .../filebeat/module/zeek/rdp/config/rdp.yml | 7 ++++++ x-pack/filebeat/module/zeek/rdp/manifest.yml | 2 ++ .../zeek/rdp/test/rdp-json.log-expected.json | 1 + .../filebeat/module/zeek/rfb/config/rfb.yml | 7 ++++++ x-pack/filebeat/module/zeek/rfb/manifest.yml | 2 ++ .../zeek/rfb/test/rfb-json.log-expected.json | 1 + .../zeek/signature/config/signature.yml | 7 ++++++ .../module/zeek/signature/manifest.yml | 2 ++ .../test/signature-json.log-expected.json | 1 + .../filebeat/module/zeek/sip/config/sip.yml | 7 ++++++ x-pack/filebeat/module/zeek/sip/manifest.yml | 2 ++ .../zeek/sip/test/sip-json.log-expected.json | 3 +++ .../module/zeek/smb_cmd/config/smb_cmd.yml | 7 ++++++ .../filebeat/module/zeek/smb_cmd/manifest.yml | 2 ++ .../test/smb_cmd-json.log-expected.json | 1 + .../zeek/smb_files/config/smb_files.yml | 7 ++++++ 
.../module/zeek/smb_files/manifest.yml | 2 ++ .../test/smb_files-json.log-expected.json | 1 + .../zeek/smb_mapping/config/smb_mapping.yml | 7 ++++++ .../module/zeek/smb_mapping/manifest.yml | 2 ++ .../test/smb_mapping-json.log-expected.json | 1 + .../filebeat/module/zeek/smtp/config/smtp.yml | 7 ++++++ x-pack/filebeat/module/zeek/smtp/manifest.yml | 2 ++ .../smtp/test/smtp-json.log-expected.json | 1 + .../filebeat/module/zeek/snmp/config/snmp.yml | 7 ++++++ x-pack/filebeat/module/zeek/snmp/manifest.yml | 2 ++ .../snmp/test/snmp-json.log-expected.json | 1 + .../module/zeek/socks/config/socks.yml | 7 ++++++ .../filebeat/module/zeek/socks/manifest.yml | 2 ++ .../socks/test/socks-json.log-expected.json | 1 + .../filebeat/module/zeek/ssh/config/ssh.yml | 7 ++++++ x-pack/filebeat/module/zeek/ssh/manifest.yml | 2 ++ .../zeek/ssh/test/ssh-json.log-expected.json | 1 + .../filebeat/module/zeek/ssl/config/ssl.yml | 7 ++++++ x-pack/filebeat/module/zeek/ssl/manifest.yml | 2 ++ .../zeek/ssl/test/ssl-json.log-expected.json | 2 ++ ...3-and-custom-fields-json.log-expected.json | 1 + .../module/zeek/syslog/config/syslog.yml | 7 ++++++ .../filebeat/module/zeek/syslog/manifest.yml | 2 ++ .../zeek/traceroute/config/traceroute.yml | 7 ++++++ .../module/zeek/traceroute/manifest.yml | 2 ++ .../test/traceroute-json.log-expected.json | 1 + .../module/zeek/tunnel/config/tunnel.yml | 7 ++++++ .../filebeat/module/zeek/tunnel/manifest.yml | 2 ++ .../tunnel/test/tunnel-json.log-expected.json | 1 + .../module/zeek/weird/config/weird.yml | 7 ++++++ .../filebeat/module/zeek/weird/manifest.yml | 2 ++ .../weird/test/weird-json.log-expected.json | 1 + 105 files changed, 418 insertions(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 54ad2fa21ec3..1c02028818fa 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -857,6 +857,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add new grok pattern for iptables module for Ubiquiti UDM {issue}25615[25615] {pull}25616[25616] - Add multiline support to aws-s3 input. {issue}25249[25249] {pull}25710[25710] - Add monitoring metrics to the `aws-s3` input. {pull}25711[25711] +- Added `network.direction` fields to Zeek and Suricata module using the `add_network_direction` processor {pull}24620[24620] *Heartbeat* diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml index 4f290f47525a..7ed6b3808c04 100644 --- a/x-pack/filebeat/module/suricata/eve/config/eve.yml +++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml @@ -42,6 +42,13 @@ processors: - suricata.eve.timestamp {{ if .community_id }} - community_id: +{{ end }} +{{ if .internal_networks }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - registered_domain: when: diff --git a/x-pack/filebeat/module/suricata/eve/manifest.yml b/x-pack/filebeat/module/suricata/eve/manifest.yml index a712ab663364..ae3b99ba315f 100644 --- a/x-pack/filebeat/module/suricata/eve/manifest.yml +++ b/x-pack/filebeat/module/suricata/eve/manifest.yml @@ -12,6 +12,8 @@ var: default: [suricata] - name: community_id default: true + - name: internal_networks + default: [ private ] ingest_pipeline: - ingest/pipeline.yml diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json index c95a0baa7d92..26adbe463017 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json 
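Review bot: The `add_network_direction` block added to eve.yml has no `when:` guard, so it runs for every record the input forwards, including Suricata event types that carry no `source.ip`/`destination.ip` (stats events, for instance), and nothing in the hunk shows how the processor behaves on those. My recollection is that it leaves the event untouched when either field is missing, but none of the updated fixtures contain an address-less record, so a one-line expectation on such an event would pin that behaviour rather than rely on it. Separately, because the manifest defaults `internal_networks` to `[ private ]`, the `{{ if .internal_networks }}` guard is only false when a user sets an empty list; a template comment such as `# set var.internal_networks: [] to skip network.direction` would make that discoverable. The same block is added verbatim to the zeek configs (connection.yml, dce_rpc.yml, dhcp.yml, dnp3.yml, dns.yml, dpd.yml, ftp.yml and the rest listed in the diffstat), so this applies to each of them.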
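Review bot: `default: [ private ]` in the eve manifest covers only the RFC 1918 and RFC 4193 ranges, so loopback, link-local and multicast traffic is never classed as internal and comes out as `external` — the dns fixture at L18 labels an exchange involving `fe80::4ef:15cf:769f:ff21` that way. Detection content keyed on `network.direction: external` will therefore fire on a host's own mDNS/LLMNR chatter unless operators widen the list, and the commit does not tell them how: the diffstat shows no `_meta/docs.asciidoc` change for either module and the new var carries no description. Document the variable (it takes CIDRs as well as the processor's named ranges) and consider whether `default: [ private, loopback, link_local_unicast, link_local_multicast ]` is the safer default, accepting the fixture changes that implies. The identical default is added in every zeek manifest hunk (connection, dce_rpc, dhcp, dnp3, dns, dpd, ftp and the others in the diffstat).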
@@ -30,6 +30,7 @@
 "message": "Potentially Bad Traffic",
 "network.bytes": 1372,
 "network.community_id": "1:/b5R3BDG/6TU2Pu+pRF8w6d1Z18=",
+ "network.direction": "inbound",
 "network.packets": 11,
 "network.protocol": "http",
 "network.transport": "tcp",
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
index 97b556a628a7..c9878e61a1cb 100644
--- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
@@ -39,6 +39,7 @@
 "message": "Attempted Information Leak",
 "network.bytes": 2001,
 "network.community_id": "1:Tx1T2pcsxn4KDSlkBTi/5q9tZuo=",
+ "network.direction": "outbound",
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -120,6 +121,7 @@
 "message": "Attempted Information Leak",
 "network.bytes": 2001,
 "network.community_id": "1:A30Bhw0tTI2EifayU+MwAocMCZs=",
+ "network.direction": "outbound",
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -201,6 +203,7 @@
 "message": "Attempted Information Leak",
 "network.bytes": 2001,
 "network.community_id": "1:QI9ZBw/ltPo2cnzG5ne3IrgSdhw=",
+ "network.direction": "outbound",
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -282,6 +285,7 @@
 "message": "Attempted Information Leak",
 "network.bytes": 2001,
 "network.community_id": "1:kvem4ydd+kylAQHyyYnQUREfRDY=",
+ "network.direction": "outbound",
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -363,6 +367,7 @@
 "message": "Attempted Information Leak",
 "network.bytes": 2001,
 "network.community_id": "1:HpBUwS4J4Fkh+ON3BdMMGV4jy8I=",
+ "network.direction": "outbound",
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -444,6 +449,7 @@
 "message": "Attempted Information Leak",
 "network.bytes": 2001,
 "network.community_id": "1:Bp3vB9bJiV2y/u23rxSpviRLSto=",
+ "network.direction": "outbound",
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -525,6 +531,7 @@
 "message": "Not Suspicious Traffic",
 "network.bytes": 2151,
 "network.community_id": "1:/kMBCIkdcM80Xtj2MYPWlkzcovg=",
+ "network.direction": "outbound",
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -606,6 +613,7 @@
 "message": "Not Suspicious Traffic",
 "network.bytes": 904,
 "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=",
+ "network.direction": "outbound",
 "network.packets": 7,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -687,6 +695,7 @@
 "message": "Not Suspicious Traffic",
 "network.bytes": 4287,
 "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=",
+ "network.direction": "outbound",
 "network.packets": 11,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -768,6 +777,7 @@
 "message": "Not Suspicious Traffic",
 "network.bytes": 95353,
 "network.community_id": "1:/kMBCIkdcM80Xtj2MYPWlkzcovg=",
+ "network.direction": "outbound",
 "network.packets": 126,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -849,6 +859,7 @@
 "message": "Not Suspicious Traffic",
 "network.bytes": 151605,
 "network.community_id": "1:/kMBCIkdcM80Xtj2MYPWlkzcovg=",
+ "network.direction": "outbound",
 "network.packets": 185,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -930,6 +941,7 @@
 "message": "Not Suspicious Traffic",
 "network.bytes": 341985,
 "network.community_id": "1:/kMBCIkdcM80Xtj2MYPWlkzcovg=",
+ "network.direction": "outbound",
 "network.packets": 377,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -1011,6 +1023,7 @@
 "message": "Not Suspicious Traffic",
 "network.bytes": 101449,
 "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=",
+ "network.direction": "outbound",
 "network.packets": 131,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -1092,6 +1105,7 @@
 "message": "Not Suspicious Traffic",
 "network.bytes": 181775,
 "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=",
+ "network.direction": "outbound",
 "network.packets": 210,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -1173,6 +1187,7 @@
 "message": "Not Suspicious Traffic",
 "network.bytes": 388131,
 "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=",
+ "network.direction": "outbound",
 "network.packets": 412,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -1254,6 +1269,7 @@
 "message": "Not Suspicious Traffic",
 "network.bytes": 482156,
 "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=",
+ "network.direction": "outbound",
 "network.packets": 504,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -1335,6 +1351,7 @@
 "message": "Not Suspicious Traffic",
 "network.bytes": 903684,
 "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=",
+ "network.direction": "outbound",
 "network.packets": 916,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -1416,6 +1433,7 @@
 "message": "Not Suspicious Traffic",
 "network.bytes": 908100,
 "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=",
+ "network.direction": "outbound",
 "network.packets": 921,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -1496,6 +1514,7 @@
 "message": "Not Suspicious Traffic",
 "network.bytes": 1504422,
 "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=",
+ "network.direction": "outbound",
 "network.packets": 1503,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -1576,6 +1595,7 @@
 "message": "Not Suspicious Traffic",
 "network.bytes": 1658832,
 "network.community_id": "1:v4+r8WgQyj/+LOpAIRGXwdlh/Xk=",
+ "network.direction": "outbound",
 "network.packets": 1654,
 "network.protocol": "http",
 "network.transport": "tcp",
@@ -1637,6 +1657,7 @@
 "input.type": "log",
 "log.offset": 16546,
 "network.community_id": "1:qsGDjYDIWp+kHhxotTdhPbUaWSo=",
+ "network.direction": "internal",
 "network.protocol": "tls",
 "network.transport": "tcp",
 "related.hash": [
@@ -1717,6 +1738,7 @@
 "message": "",
 "network.bytes": 5734,
 "network.community_id": "1:W6fjhboFUwyEchJ3ELaqSBzDEJE=",
+ "network.direction": "internal",
 "network.packets": 15,
 "network.protocol": "tls",
 "network.transport": "tcp",
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json
index c320226749ef..202d0f84df24 100644
--- a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json
@@ -24,6 +24,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:HActqwgIaYeC8fc4sfMGrL8jjaI=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -71,6 +72,7 @@
 "input.type": "log",
 "log.offset": 280,
 "network.community_id": "1:Z5dwZB2hQ1ZuxC+6Jw04VtuJ1lw=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -134,6 +136,7 @@
 "input.type": "log",
 "log.offset": 564,
 "network.community_id": "1:Z5dwZB2hQ1ZuxC+6Jw04VtuJ1lw=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -198,6 +201,7 @@
 "input.type": "log",
 "log.offset": 1089,
 "network.community_id": "1:HActqwgIaYeC8fc4sfMGrL8jjaI=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -247,6 +251,7 @@
 "input.type": "log",
 "log.offset": 1552,
 "network.community_id": "1:vfjW/QLkaS6+iMbv/HRuEOgqA4o=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -295,6 +300,7 @@
 "input.type": "log",
 "log.offset": 1835,
 "network.community_id": "1:SDBTqhsjpXwQyrvRX6xpeEaMsAg=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -386,6 +392,7 @@
 "input.type": "log",
 "log.offset": 2122,
 "network.community_id": "1:vfjW/QLkaS6+iMbv/HRuEOgqA4o=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -481,6 +488,7 @@
 "input.type": "log",
 "log.offset": 3116,
 "network.community_id": "1:SDBTqhsjpXwQyrvRX6xpeEaMsAg=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -533,6 +541,7 @@
 "input.type": "log",
 "log.offset": 4327,
 "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -581,6 +590,7 @@
 "input.type": "log",
 "log.offset": 4610,
 "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -637,6 +647,7 @@
 "input.type": "log",
 "log.offset": 4896,
 "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -698,6 +709,7 @@
 "input.type": "log",
 "log.offset": 5288,
 "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -760,6 +772,7 @@
 "input.type": "log",
 "log.offset": 5675,
 "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -822,6 +835,7 @@
 "input.type": "log",
 "log.offset": 6062,
 "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -884,6 +898,7 @@
 "input.type": "log",
 "log.offset": 6446,
 "network.community_id": "1:O4Lt3gevExgYQL5MQJq7vgssBrQ=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -943,6 +958,7 @@
 "input.type": "log",
 "log.offset": 6829,
 "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -1004,6 +1020,7 @@
 "input.type": "log",
 "log.offset": 7221,
 "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -1066,6 +1083,7 @@
 "input.type": "log",
 "log.offset": 7636,
 "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -1128,6 +1146,7 @@
 "input.type": "log",
 "log.offset": 8051,
 "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -1190,6 +1209,7 @@
 "input.type": "log",
 "log.offset": 8466,
 "network.community_id": "1:NKecJMP5cHplk+fr2uNww69SdWg=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -1241,6 +1261,7 @@
 "input.type": "log",
 "log.offset": 8881,
 "network.community_id": "1:zh0UVYktuWGDSL+4ROPa1CTtEPE=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -1289,6 +1310,7 @@
 "input.type": "log",
 "log.offset": 9165,
 "network.community_id": "1:fuLDtU46PU3PHindOSCj0JKYUaA=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -1380,6 +1402,7 @@
 "input.type": "log",
 "log.offset": 9452,
 "network.community_id": "1:zh0UVYktuWGDSL+4ROPa1CTtEPE=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -1475,6 +1498,7 @@
 "input.type": "log",
 "log.offset": 10310,
 "network.community_id": "1:fuLDtU46PU3PHindOSCj0JKYUaA=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
index 8fb7eb1a9ee5..312ed45c58bb 100644
--- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
@@ -18,6 +18,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:NLm1MbaBR6humQxEQI2Ai7h/XiI=",
+ "network.direction": "internal",
 "network.protocol": "ssh",
 "network.transport": "tcp",
 "related.ip": [
@@ -66,6 +67,7 @@
 "message": "Potential Corporate Privacy Violation",
 "network.bytes": 1136,
 "network.community_id": "1:BWtsS+4pk477zAwfzve3Nm+x1Ms=",
+ "network.direction": "internal",
 "network.packets": 7,
 "network.protocol": "tls",
 "network.transport": "tcp",
@@ -128,6 +130,7 @@
 "input.type": "log",
 "log.offset": 985,
 "network.community_id": "1:gjMiDGtS5SVvdwzjjQdAKGBrDA4=",
+ "network.direction": "internal",
 "network.protocol": "http",
 "network.transport": "tcp",
 "related.hosts": [
@@ -184,6 +187,7 @@
 "input.type": "log",
 "log.offset": 1507,
 "network.community_id": "1:XhhAO/Twj86+bD+1fV8FnpLIEDs=",
+ "network.direction": "internal",
 "network.protocol": "http",
 "network.transport": "tcp",
 "related.hosts": [
@@ -257,6 +261,7 @@
 "input.type": "log",
 "log.offset": 2347,
 "network.community_id": "1:pC3b0nBNCU4LxSue53drHp4b4cs=",
+ "network.direction": "internal",
 "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
@@ -443,6 +448,7 @@
 "input.type": "log",
 "log.offset": 4683,
 "network.community_id": "1:u67AuA4ybOaspT7mp9OZ3jWvnKw=",
+ "network.direction": "outbound",
 "network.protocol": "tls",
 "network.transport": "tcp",
 "related.hash": [
@@ -517,6 +523,7 @@
 "log.offset": 5308,
 "network.bytes": 110,
 "network.community_id": "1:fNUIKjMfx/xaM1gOO3eaVAeWLZA=",
+ "network.direction": "external",
 "network.packets": 1,
 "network.transport": "udp",
 "related.ip": [
@@ -563,6 +570,7 @@
 "input.type": "log",
 "log.offset": 5796,
 "network.community_id": "1:Y8m38aDR9cy/emlD86XGhosniqY=",
+ "network.direction": "internal",
 "network.protocol": "http",
 "network.transport": "tcp",
 "related.hosts": [
@@ -613,6 +621,7 @@
 "input.type": "log",
 "log.offset": 6267,
 "network.community_id": "1:SKXuhLNyv4gfe01gqILs5v+qx40=",
+ "network.direction": "internal",
 "network.protocol": "tls",
 "network.transport": "tcp",
 "related.hash": [
@@ -684,6 +693,7 @@
 "input.type": "log",
 "log.offset": 6958,
 "network.community_id": "1:UHWPAQmxXu8t7EWZzPx9jl6b6TM=",
+ "network.direction": "internal",
 "network.protocol": "http",
 "network.transport": "tcp",
 "related.hosts": [
@@ -736,6 +746,7 @@
 "input.type": "log",
 "log.offset": 7401,
 "network.community_id": "1:0dSnqQKCiJXvy6HxZlV+50/b68k=",
+ "network.direction": "internal",
 "network.protocol": "tls",
 "network.transport": "tcp",
 "related.ip": [
diff --git a/x-pack/filebeat/module/zeek/connection/config/connection.yml b/x-pack/filebeat/module/zeek/connection/config/connection.yml
index 7f5fda3b4ed9..c2fee6dca9e9 100644
--- a/x-pack/filebeat/module/zeek/connection/config/connection.yml +++ b/x-pack/filebeat/module/zeek/connection/config/connection.yml @@ -99,6 +99,13 @@ processors: icmp_code: zeek.connection.icmp.code else: community_id: +{{ if .internal_networks }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} +{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/connection/manifest.yml b/x-pack/filebeat/module/zeek/connection/manifest.yml index 08f79bc28caf..9cf9d5127fa0 100644 --- a/x-pack/filebeat/module/zeek/connection/manifest.yml +++ b/x-pack/filebeat/module/zeek/connection/manifest.yml @@ -10,6 +10,8 @@ var: - /usr/local/var/logs/current/conn.log - name: tags default: [zeek.connection] + - name: internal_networks + default: [ private ] ingest_pipeline: ingest/pipeline.yml input: config/connection.yml diff --git a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml index 062eff8f09aa..95a0f810a04f 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml @@ -55,6 +55,13 @@ processors: - protocol - info - community_id: +{{ if .internal_networks }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} +{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/dce_rpc/manifest.yml b/x-pack/filebeat/module/zeek/dce_rpc/manifest.yml index 01bef572b679..8cd608dc8787 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/manifest.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/manifest.yml 
@@ -10,6 +10,8 @@ var: - /usr/local/var/logs/current/dce_rpc.log - name: tags default: [zeek.dce_rpc] + - name: internal_networks + default: [ private ] ingest_pipeline: ingest/pipeline.yml input: config/dce_rpc.yml diff --git a/x-pack/filebeat/module/zeek/dce_rpc/test/dce_rpc-json.log-expected.json b/x-pack/filebeat/module/zeek/dce_rpc/test/dce_rpc-json.log-expected.json index 822fd214a517..a42f28836ab4 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/test/dce_rpc-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/dce_rpc/test/dce_rpc-json.log-expected.json @@ -21,6 +21,7 @@ "input.type": "log", "log.offset": 0, "network.community_id": "1:SJNAD5vtzZuhQjGtfaI8svTnyuw=", + "network.direction": "internal", "network.protocol": "dce_rpc", "network.transport": "tcp", "related.ip": [ diff --git a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml index 01c30bd3ae97..be8f090724c8 100644 --- a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml +++ b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml @@ -117,6 +117,13 @@ processors: - protocol - info - community_id: +{{ if .internal_networks }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} +{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/dhcp/manifest.yml b/x-pack/filebeat/module/zeek/dhcp/manifest.yml index ee4a7c24f3b7..aadaf2c923ab 100644 --- a/x-pack/filebeat/module/zeek/dhcp/manifest.yml +++ b/x-pack/filebeat/module/zeek/dhcp/manifest.yml @@ -10,6 +10,8 @@ var: - /usr/local/var/logs/current/dhcp.log - name: tags default: [zeek.dhcp] + - name: internal_networks + default: [ private ] ingest_pipeline: ingest/pipeline.yml input: config/dhcp.yml 
diff --git a/x-pack/filebeat/module/zeek/dhcp/test/dhcp-json.log-expected.json b/x-pack/filebeat/module/zeek/dhcp/test/dhcp-json.log-expected.json index b10a71fdd776..40e43895becd 100644 --- a/x-pack/filebeat/module/zeek/dhcp/test/dhcp-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/dhcp/test/dhcp-json.log-expected.json @@ -21,6 +21,7 @@ "input.type": "log", "log.offset": 0, "network.community_id": "1:HsGjbon+HsK9xnMq+1A32BR9C4Y=", + "network.direction": "internal", "network.name": "localdomain", "network.protocol": "dhcp", "network.transport": "udp", diff --git a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml index beb62e217c78..e342eb73731e 100644 --- a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml +++ b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml @@ -65,6 +65,13 @@ processors: - protocol - info - community_id: +{{ if .internal_networks }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} +{{ end }} - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zeek/dnp3/manifest.yml b/x-pack/filebeat/module/zeek/dnp3/manifest.yml index 97829b3d0d0d..c2b305d8e9b3 100644 --- a/x-pack/filebeat/module/zeek/dnp3/manifest.yml +++ b/x-pack/filebeat/module/zeek/dnp3/manifest.yml @@ -10,6 +10,8 @@ var: - /usr/local/var/logs/current/dnp3.log - name: tags default: [zeek.dnp3] + - name: internal_networks + default: [ private ] ingest_pipeline: ingest/pipeline.yml input: config/dnp3.yml diff --git a/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json b/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json index bb22f51cf061..056f2e0d0284 100644 --- a/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/dnp3/test/dnp3-json.log-expected.json 
@@ -21,6 +21,7 @@ "input.type": "log", "log.offset": 0, "network.community_id": "1:E57Z1w3RrSdR+fi6rSZblbQVhzY=", + "network.direction": "external", "network.protocol": "dnp3", "network.transport": "tcp", "related.ip": [ diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml index fbc26fe59a48..f11fcf957267 100644 --- a/x-pack/filebeat/module/zeek/dns/config/dns.yml +++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml @@ -7,6 +7,10 @@ exclude_files: [".gz$"] tags: {{.tags | tojson}} publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} +fields_under_root: true +fields: + network.protocol: dns + processors: - rename: fields: @@ -201,6 +205,13 @@ processors: - info - protocol - community_id: +{{ if .internal_networks }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} +{{ end }} - drop_fields: ignore_missing: true fields: diff --git a/x-pack/filebeat/module/zeek/dns/manifest.yml b/x-pack/filebeat/module/zeek/dns/manifest.yml index 4ff46df94b9d..37ccaaf46ea8 100644 --- a/x-pack/filebeat/module/zeek/dns/manifest.yml +++ b/x-pack/filebeat/module/zeek/dns/manifest.yml @@ -10,6 +10,8 @@ var: - /usr/local/var/logs/current/dns.log - name: tags default: [zeek.dns] + - name: internal_networks + default: [ private ] ingest_pipeline: ingest/pipeline.yml input: config/dns.yml diff --git a/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json b/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json index 03d8f10a3ace..d27f42275e95 100644 --- a/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json 
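Review bot: The first dns.yml hunk hard-codes `network.protocol: dns` through input-level `fields:` with `fields_under_root: true`, which has nothing to do with network direction and is not covered by the changelog entry at L5 (it names only `network.direction`); it wants its own commit, or at minimum its own changelog line, so the fixture change at L18 is traceable. It is also the odd one out stylistically: the sibling config hunks (connection.yml, dce_rpc.yml, dhcp.yml, dnp3.yml, dpd.yml, ftp.yml) show static ECS fields being set with an `add_fields` processor and `target: ''`, while the second dns.yml hunk shows `drop_fields` in that position; adding `- add_fields: target: '' fields: network.protocol: dns` to the processor list instead would keep the dns module consistent with the rest. The enclosing `processors:` list starts and ends outside both dns.yml hunks.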
@@ -53,6 +53,8 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:Z26DBGVYoBKQ1FT6qfPaAqBnJik=",
+ "network.direction": "internal",
+ "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
 "192.168.86.1",
@@ -121,6 +123,8 @@
 "input.type": "log",
 "log.offset": 566,
 "network.community_id": "1:Jq0sRtlGSMjsvMBE1ZYybbR2tI0=",
+ "network.direction": "external",
+ "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
 "fe80::4ef:15cf:769f:ff21",
@@ -183,6 +187,8 @@
 "input.type": "log",
 "log.offset": 909,
 "network.community_id": "1:QIR5YXlirWwWA18ZyY/RnvQoaic=",
+ "network.direction": "outbound",
+ "network.protocol": "dns",
 "network.transport": "udp",
 "related.ip": [
 "192.168.86.237",
diff --git a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml
index b65f5dd64413..9bc5eda83bdb 100644
--- a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml
+++ b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml
@@ -54,6 +54,13 @@ processors:
 - connection
 - info
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/dpd/manifest.yml b/x-pack/filebeat/module/zeek/dpd/manifest.yml
index 854eadbf4914..7f6fa8e0a148 100644
--- a/x-pack/filebeat/module/zeek/dpd/manifest.yml
+++ b/x-pack/filebeat/module/zeek/dpd/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/dpd.log
 - name: tags
 default: [zeek.dpd]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/dpd.yml
diff --git a/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json b/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json
index e36fc1dcbc27..10e0ed1b7fc8 100644
--- a/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/dpd/test/dpd-json.log-expected.json
@@ -19,6 +19,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:b+Szw+ia464igf5e+MwW1WUzw9Y=",
+ "network.direction": "internal",
 "network.transport": "tcp",
 "related.ip": [
 "192.168.10.10",
diff --git a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml
index 8af9f478f8f0..a00617f21dd0 100644
--- a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml
+++ b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml
@@ -83,6 +83,13 @@ processors:
 - info
 - protocol
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/ftp/manifest.yml b/x-pack/filebeat/module/zeek/ftp/manifest.yml
index 1f37ead03d0a..2a6025e9cfd3 100644
--- a/x-pack/filebeat/module/zeek/ftp/manifest.yml
+++ b/x-pack/filebeat/module/zeek/ftp/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/ftp.log
 - name: tags
 default: [zeek.ftp]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/ftp.yml
diff --git a/x-pack/filebeat/module/zeek/ftp/test/ftp.log-expected.json b/x-pack/filebeat/module/zeek/ftp/test/ftp.log-expected.json
index e6a47bd369e1..0830fae2eaae 100644
--- a/x-pack/filebeat/module/zeek/ftp/test/ftp.log-expected.json
+++ b/x-pack/filebeat/module/zeek/ftp/test/ftp.log-expected.json
@@ -21,6 +21,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:Szmpl33Czo3dQvU2V4/SrHfmBC0=",
+ "network.direction": "internal",
 "network.protocol": "ftp",
 "network.transport": "tcp",
 "related.ip": [
@@ -72,6 +73,7 @@
 "input.type": "log",
 "log.offset": 394,
 "network.community_id": "1:Szmpl33Czo3dQvU2V4/SrHfmBC0=",
+ "network.direction": "internal",
 "network.protocol": "ftp",
 "network.transport": "tcp",
 "related.ip": [
@@ -120,6 +122,7 @@
 "input.type": "log",
 "log.offset": 688,
 "network.community_id": "1:Szmpl33Czo3dQvU2V4/SrHfmBC0=",
+ "network.direction": "internal",
 "network.protocol": "ftp",
 "network.transport": "tcp",
 "related.ip": [
diff --git a/x-pack/filebeat/module/zeek/http/config/http.yml b/x-pack/filebeat/module/zeek/http/config/http.yml
index 7d94572208c4..b22da788463a 100644
--- a/x-pack/filebeat/module/zeek/http/config/http.yml
+++ b/x-pack/filebeat/module/zeek/http/config/http.yml
@@ -12,6 +12,7 @@ json.keys_under_root: false
 fields_under_root: true
 fields:
 network.transport: tcp
+ network.protocol: http
 processors:
 - rename:
@@ -91,6 +92,13 @@ processors:
 - info
 - protocol
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/http/manifest.yml b/x-pack/filebeat/module/zeek/http/manifest.yml
index acf134c2333e..3bc4ea2c527c 100644
--- a/x-pack/filebeat/module/zeek/http/manifest.yml
+++ b/x-pack/filebeat/module/zeek/http/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/http.log
 - name: tags
 default: [zeek.http]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/http.yml
diff --git a/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json b/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json
index 0b101cda6e1c..c5e64d5aee88 100644
--- a/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json
@@ -38,6 +38,8 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:dtBPRfpKEZyg1iOHss95buwv+cw=",
+ "network.direction": "outbound",
+ "network.protocol": "http",
 "network.transport": "tcp",
 "related.ip": [
 "10.178.98.102",
@@ -111,6 +113,8 @@
 "input.type": "log",
 "log.offset": 574,
 "network.community_id": "1:Ol0Btm49e1mxnu/BXm1GM8w5ixY=",
+ "network.direction": "outbound",
+ "network.protocol": "http",
 "network.transport": "tcp",
 "related.ip": [
 "10.20.8.197",
diff --git a/x-pack/filebeat/module/zeek/intel/config/intel.yml b/x-pack/filebeat/module/zeek/intel/config/intel.yml
index 4a40bd9da5f7..45c703aa6920 100644
--- a/x-pack/filebeat/module/zeek/intel/config/intel.yml
+++ b/x-pack/filebeat/module/zeek/intel/config/intel.yml
@@ -64,6 +64,13 @@ processors:
 type:
 - info
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/intel/manifest.yml b/x-pack/filebeat/module/zeek/intel/manifest.yml
index a84788f4d757..c89feeed1498 100644
--- a/x-pack/filebeat/module/zeek/intel/manifest.yml
+++ b/x-pack/filebeat/module/zeek/intel/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/intel.log
 - name: tags
 default: [zeek.intel]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/intel.yml
diff --git a/x-pack/filebeat/module/zeek/intel/test/intel-json.log-expected.json b/x-pack/filebeat/module/zeek/intel/test/intel-json.log-expected.json
index d9de4e04efd5..c22918b6f781 100644
--- a/x-pack/filebeat/module/zeek/intel/test/intel-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/intel/test/intel-json.log-expected.json
@@ -21,6 +21,7 @@
 "fileset.name": "intel",
 "input.type": "log",
 "log.offset": 0,
+ "network.direction": "outbound",
 "related.ip": [
 "192.168.1.1",
 "198.41.0.4"
diff --git a/x-pack/filebeat/module/zeek/irc/config/irc.yml b/x-pack/filebeat/module/zeek/irc/config/irc.yml
index 0f98977aa914..4509c1837861 100644
--- a/x-pack/filebeat/module/zeek/irc/config/irc.yml
+++ b/x-pack/filebeat/module/zeek/irc/config/irc.yml
@@ -69,6 +69,13 @@ processors:
 - protocol
 - info
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/irc/manifest.yml b/x-pack/filebeat/module/zeek/irc/manifest.yml
index 36cf10a5bb32..804199e78dce 100644
--- a/x-pack/filebeat/module/zeek/irc/manifest.yml
+++ b/x-pack/filebeat/module/zeek/irc/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/irc.log
 - name: tags
 default: [zeek.irc]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/irc.yml
diff --git a/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json b/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json
index 0c495c74bd54..0d4aa51901f4 100644
--- a/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json
@@ -28,6 +28,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:YdkGov/c+KLtmg7Cf5DLDB4+YdQ=",
+ "network.direction": "outbound",
 "network.protocol": "irc",
 "network.transport": "tcp",
 "related.ip": [
@@ -75,6 +76,7 @@
 "input.type": "log",
 "log.offset": 206,
 "network.community_id": "1:YdkGov/c+KLtmg7Cf5DLDB4+YdQ=",
+ "network.direction": "outbound",
 "network.protocol": "irc",
 "network.transport": "tcp",
 "related.ip": [
@@ -127,6 +129,7 @@
 "input.type": "log",
 "log.offset": 432,
 "network.community_id": "1:YdkGov/c+KLtmg7Cf5DLDB4+YdQ=",
+ "network.direction": "outbound",
 "network.protocol": "irc",
 "network.transport": "tcp",
 "related.ip": [
diff --git a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml
index 4cdcb14dbb57..f788b6abfb0e 100644
--- a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml
+++ b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml
@@ -101,6 +101,13 @@ processors:
 field: zeek.kerberos.client
 target_prefix: ""
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/kerberos/manifest.yml b/x-pack/filebeat/module/zeek/kerberos/manifest.yml
index 3f527b150137..281cd6ea3e8d 100644
--- a/x-pack/filebeat/module/zeek/kerberos/manifest.yml
+++ b/x-pack/filebeat/module/zeek/kerberos/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/kerberos.log
 - name: tags
 default: [zeek.kerberos]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/kerberos.yml
diff --git a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
index 43862a491702..38bafd606410 100644
--- a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
@@ -23,6 +23,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:DW/lSsosl8gZ8pqO9kKMm7cZheQ=",
+ "network.direction": "internal",
 "network.protocol": "kerberos",
 "network.transport": "tcp",
 "related.ip": [
diff --git a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml
index 5f17276db41b..ba6e17b0610c 100644
--- a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml
+++ b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml
@@ -70,6 +70,13 @@ processors:
 fields:
 outcome: success
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/modbus/manifest.yml b/x-pack/filebeat/module/zeek/modbus/manifest.yml
index c4afd6315d4e..73fc02e009e7 100644
--- a/x-pack/filebeat/module/zeek/modbus/manifest.yml
+++ b/x-pack/filebeat/module/zeek/modbus/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/modbus.log
 - name: tags
 default: [zeek.modbus]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/modbus.yml
diff --git a/x-pack/filebeat/module/zeek/modbus/test/modbus-json.log-expected.json b/x-pack/filebeat/module/zeek/modbus/test/modbus-json.log-expected.json
index ba9034a3621c..d0fbe505d0bf 100644
--- a/x-pack/filebeat/module/zeek/modbus/test/modbus-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/modbus/test/modbus-json.log-expected.json
@@ -21,6 +21,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:jEXbR2FqHyMgLJgyYyFQN3yxbpc=",
+ "network.direction": "internal",
 "network.protocol": "modbus",
 "network.transport": "tcp",
 "related.ip": [
diff --git a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml
index fedacd63dec4..34f641fc8134 100644
--- a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml
+++ b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml
@@ -69,6 +69,13 @@ processors:
 fields:
 outcome: failure
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/mysql/manifest.yml b/x-pack/filebeat/module/zeek/mysql/manifest.yml
index bba253a418e9..5d7d6c9824b6 100644
--- a/x-pack/filebeat/module/zeek/mysql/manifest.yml
+++ b/x-pack/filebeat/module/zeek/mysql/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/mysql.log
 - name: tags
 default: [zeek.mysql]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/mysql.yml
diff --git a/x-pack/filebeat/module/zeek/mysql/test/mysql-json.log-expected.json b/x-pack/filebeat/module/zeek/mysql/test/mysql-json.log-expected.json
index 676080e9d3e0..54a6c19e12eb 100644
--- a/x-pack/filebeat/module/zeek/mysql/test/mysql-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/mysql/test/mysql-json.log-expected.json
@@ -23,6 +23,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:0HUQbshhYbATQXDHv/ysOs0DlZA=",
+ "network.direction": "internal",
 "network.protocol": "mysql",
 "network.transport": "tcp",
 "related.ip": [
diff --git a/x-pack/filebeat/module/zeek/notice/config/notice.yml b/x-pack/filebeat/module/zeek/notice/config/notice.yml
index cd840bd2fed0..34c5cc5f4e56 100644
--- a/x-pack/filebeat/module/zeek/notice/config/notice.yml
+++ b/x-pack/filebeat/module/zeek/notice/config/notice.yml
@@ -101,6 +101,13 @@ processors:
 type:
 - info
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/notice/manifest.yml b/x-pack/filebeat/module/zeek/notice/manifest.yml
index e14f72220656..746d8734138e 100644
--- a/x-pack/filebeat/module/zeek/notice/manifest.yml
+++ b/x-pack/filebeat/module/zeek/notice/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/notice.log
 - name: tags
 default: [zeek.notice]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/notice.yml
diff --git a/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json b/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json
index 8fa5ffbaf488..7d804ac76db9 100644
--- a/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json
@@ -59,6 +59,7 @@
 "fileset.name": "notice",
 "input.type": "log",
 "log.offset": 357,
+ "network.direction": "external",
 "related.ip": [
 "207.154.238.205",
 "8.42.77.171"
diff --git a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml
index 3d35ec38bb42..c121bd5afb80 100644
--- a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml
+++ b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml
@@ -83,6 +83,13 @@ processors:
 fields:
 outcome: failure
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/ntlm/manifest.yml b/x-pack/filebeat/module/zeek/ntlm/manifest.yml
index e16e6ec8b3aa..bbeac1c6878f 100644
--- a/x-pack/filebeat/module/zeek/ntlm/manifest.yml
+++ b/x-pack/filebeat/module/zeek/ntlm/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/ntlm.log
 - name: tags
 default: [zeek.ntlm]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/ntlm.yml
diff --git a/x-pack/filebeat/module/zeek/ntlm/test/ntlm-json.log-expected.json b/x-pack/filebeat/module/zeek/ntlm/test/ntlm-json.log-expected.json
index d6f6099290c8..0f4c276be586 100644
--- a/x-pack/filebeat/module/zeek/ntlm/test/ntlm-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/ntlm/test/ntlm-json.log-expected.json
@@ -20,6 +20,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:zxnXAE/Cme5fQhh6sJLs7GItc08=",
+ "network.direction": "internal",
 "network.protocol": "ntlm",
 "network.transport": "tcp",
 "related.ip": [
diff --git a/x-pack/filebeat/module/zeek/ntp/config/ntp.yml b/x-pack/filebeat/module/zeek/ntp/config/ntp.yml
index 83d43fd686f4..690315319a47 100644
--- a/x-pack/filebeat/module/zeek/ntp/config/ntp.yml
+++ b/x-pack/filebeat/module/zeek/ntp/config/ntp.yml
@@ -51,6 +51,13 @@ processors:
 protocol: ntp
 transport: udp
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/ntp/manifest.yml b/x-pack/filebeat/module/zeek/ntp/manifest.yml
index 034861b73fef..f91e2ef5431d 100644
--- a/x-pack/filebeat/module/zeek/ntp/manifest.yml
+++ b/x-pack/filebeat/module/zeek/ntp/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/ntp.log
 - name: tags
 default: [zeek.ntp]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/ntp.yml
diff --git a/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json b/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json
index 0d9f847e271a..7c7b34cbefac 100644
--- a/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json
@@ -27,6 +27,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:IDiKR+C1G8mk7LQhFpp+4p1tHrk=",
+ "network.direction": "external",
 "network.protocol": "ntp",
 "network.transport": "udp",
 "network.type": "ipv4",
@@ -89,6 +90,7 @@
 "input.type": "log",
 "log.offset": 335,
 "network.community_id": "1:IDiKR+C1G8mk7LQhFpp+4p1tHrk=",
+ "network.direction": "external",
 "network.protocol": "ntp",
 "network.transport": "udp",
 "network.type": "ipv4",
diff --git a/x-pack/filebeat/module/zeek/radius/config/radius.yml b/x-pack/filebeat/module/zeek/radius/config/radius.yml
index 64498bc76e21..cbe891c9d2f8 100644
--- a/x-pack/filebeat/module/zeek/radius/config/radius.yml
+++ b/x-pack/filebeat/module/zeek/radius/config/radius.yml
@@ -55,6 +55,13 @@ processors:
 - info
 - connection
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/radius/manifest.yml b/x-pack/filebeat/module/zeek/radius/manifest.yml
index d3bdee065b05..d66478b16892 100644
--- a/x-pack/filebeat/module/zeek/radius/manifest.yml
+++ b/x-pack/filebeat/module/zeek/radius/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/radius.log
 - name: tags
 default: [zeek.radius]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/radius.yml
diff --git a/x-pack/filebeat/module/zeek/radius/test/radius-json.log-expected.json b/x-pack/filebeat/module/zeek/radius/test/radius-json.log-expected.json
index bd8ab187529b..83824400fa3f 100644
--- a/x-pack/filebeat/module/zeek/radius/test/radius-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/radius/test/radius-json.log-expected.json
@@ -21,6 +21,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:3SdDgWXPnheV2oGfVmxQjfwtr8E=",
+ "network.direction": "internal",
 "network.protocol": "radius",
 "network.transport": "udp",
 "related.ip": [
diff --git a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml
index ebc98d1709e0..66d984cc5fc9 100644
--- a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml
+++ b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml
@@ -85,6 +85,13 @@ processors:
 - protocol
 - info
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/rdp/manifest.yml b/x-pack/filebeat/module/zeek/rdp/manifest.yml
index 0a2bc7b77ecb..b9293c5c7cac 100644
--- a/x-pack/filebeat/module/zeek/rdp/manifest.yml
+++ b/x-pack/filebeat/module/zeek/rdp/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/rdp.log
 - name: tags
 default: [zeek.rdp]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/rdp.yml
diff --git a/x-pack/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json b/x-pack/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json
index 1d2763f149bb..0eda0a721d82 100644
--- a/x-pack/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json
@@ -19,6 +19,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:PsQu6lSZioPVi0A5K7UaeGsVqS0=",
+ "network.direction": "internal",
 "network.protocol": "rdp",
 "network.transport": "tcp",
 "related.ip": [
diff --git a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml
index 33d4ffd4b90d..0b4391e4ccd2 100644
--- a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml
+++ b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml
@@ -70,6 +70,13 @@ processors:
 - connection
 - info
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/rfb/manifest.yml b/x-pack/filebeat/module/zeek/rfb/manifest.yml
index 4bba4f4f37c2..2172035aca64 100644
--- a/x-pack/filebeat/module/zeek/rfb/manifest.yml
+++ b/x-pack/filebeat/module/zeek/rfb/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/rfb.log
 - name: tags
 default: [zeek.rfb]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/rfb.yml
diff --git a/x-pack/filebeat/module/zeek/rfb/test/rfb-json.log-expected.json b/x-pack/filebeat/module/zeek/rfb/test/rfb-json.log-expected.json
index 822336f5ea82..dcd221c6fad4 100644
--- a/x-pack/filebeat/module/zeek/rfb/test/rfb-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/rfb/test/rfb-json.log-expected.json
@@ -19,6 +19,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:AtPVA5phuztnwqMfO/2142WXVdY=",
+ "network.direction": "internal",
 "network.protocol": "rfb",
 "network.transport": "tcp",
 "related.ip": [
diff --git a/x-pack/filebeat/module/zeek/signature/config/signature.yml b/x-pack/filebeat/module/zeek/signature/config/signature.yml
index a5a0015f3100..ff76140e6669 100644
--- a/x-pack/filebeat/module/zeek/signature/config/signature.yml
+++ b/x-pack/filebeat/module/zeek/signature/config/signature.yml
@@ -44,6 +44,13 @@ processors:
 fields:
 kind: alert
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/signature/manifest.yml b/x-pack/filebeat/module/zeek/signature/manifest.yml
index e0d005622d0a..9ac3efc44521 100644
--- a/x-pack/filebeat/module/zeek/signature/manifest.yml
+++ b/x-pack/filebeat/module/zeek/signature/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/signatures.log
 - name: tags
 default: [zeek.signature]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/signature.yml
diff --git a/x-pack/filebeat/module/zeek/signature/test/signature-json.log-expected.json b/x-pack/filebeat/module/zeek/signature/test/signature-json.log-expected.json
index d06eb256245b..6951cedca700 100644
--- a/x-pack/filebeat/module/zeek/signature/test/signature-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/signature/test/signature-json.log-expected.json
@@ -18,6 +18,7 @@
 "fileset.name": "signature",
 "input.type": "log",
 "log.offset": 0,
+ "network.direction": "external",
 "related.ip": [
 "124.51.137.154",
 "160.218.27.63"
diff --git a/x-pack/filebeat/module/zeek/sip/config/sip.yml b/x-pack/filebeat/module/zeek/sip/config/sip.yml
index 6f726c62949d..459f64c9e772 100644
--- a/x-pack/filebeat/module/zeek/sip/config/sip.yml
+++ b/x-pack/filebeat/module/zeek/sip/config/sip.yml
@@ -92,6 +92,13 @@ processors:
 - connection
 - protocol
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/sip/manifest.yml b/x-pack/filebeat/module/zeek/sip/manifest.yml
index 2186e6b0f3fe..20e4ccacc33e 100644
--- a/x-pack/filebeat/module/zeek/sip/manifest.yml
+++ b/x-pack/filebeat/module/zeek/sip/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/sip.log
 - name: tags
 default: [zeek.sip]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/sip.yml
diff --git a/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json b/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json
index 55c08baec97f..5352052b0cd8 100644
--- a/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json
@@ -29,6 +29,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:t8Jl0amIXPHemzxKgsLjtkB+ewo=",
+ "network.direction": "outbound",
 "network.protocol": "sip",
 "network.transport": "udp",
 "related.ip": [
@@ -100,6 +101,7 @@
 "input.type": "log",
 "log.offset": 805,
 "network.community_id": "1:U/Makwsc8lm6pVKLfRMzoNTI++0=",
+ "network.direction": "external",
 "network.protocol": "sip",
 "network.transport": "udp",
 "related.ip": [
@@ -185,6 +187,7 @@
 "input.type": "log",
 "log.offset": 1654,
 "network.community_id": "1:0hvHF/bh5wFKg7nfRXxsno4F198=",
+ "network.direction": "external",
 "network.protocol": "sip",
 "network.transport": "udp",
 "related.ip": [
diff --git a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml
index 97936f705444..05acce04817d 100644
--- a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml
+++ b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml
@@ -98,6 +98,13 @@ processors:
 - connection
 - protocol
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/smb_cmd/manifest.yml b/x-pack/filebeat/module/zeek/smb_cmd/manifest.yml
index 331cafae30fc..d8dd32232774 100644
--- a/x-pack/filebeat/module/zeek/smb_cmd/manifest.yml
+++ b/x-pack/filebeat/module/zeek/smb_cmd/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/smb_cmd.log
 - name: tags
 default: [zeek.smb_cmd]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/smb_cmd.yml
diff --git a/x-pack/filebeat/module/zeek/smb_cmd/test/smb_cmd-json.log-expected.json b/x-pack/filebeat/module/zeek/smb_cmd/test/smb_cmd-json.log-expected.json
index dea6f2dda606..66651b05cea6 100644
--- a/x-pack/filebeat/module/zeek/smb_cmd/test/smb_cmd-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/smb_cmd/test/smb_cmd-json.log-expected.json
@@ -21,6 +21,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:SJNAD5vtzZuhQjGtfaI8svTnyuw=",
+ "network.direction": "internal",
 "network.protocol": "smb",
 "network.transport": "tcp",
 "related.ip": [
diff --git a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml
index 1490649b7cd8..063854ccc142 100644
--- a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml
+++ b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml
@@ -58,6 +58,13 @@ processors:
 - connection
 - protocol
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/smb_files/manifest.yml b/x-pack/filebeat/module/zeek/smb_files/manifest.yml
index bdbf0324fd9c..1c176d8fd39f 100644
--- a/x-pack/filebeat/module/zeek/smb_files/manifest.yml
+++ b/x-pack/filebeat/module/zeek/smb_files/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/smb_files.log
 - name: tags
 default: [zeek.smb_files]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/smb_files.yml
diff --git a/x-pack/filebeat/module/zeek/smb_files/test/smb_files-json.log-expected.json b/x-pack/filebeat/module/zeek/smb_files/test/smb_files-json.log-expected.json
index aba4c5e64899..db4e59fef892 100644
--- a/x-pack/filebeat/module/zeek/smb_files/test/smb_files-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/smb_files/test/smb_files-json.log-expected.json
@@ -29,6 +29,7 @@
 "input.type": "log",
 "log.offset": 0,
 "network.community_id": "1:k308wDxRMx/FIEzeh+YwD86zgoA=",
+ "network.direction": "internal",
 "network.protocol": "smb",
 "network.transport": "tcp",
 "related.ip": [
diff --git a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml
index 065b62277ff1..54414b0ac0cf 100644
--- a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml
+++ b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml
@@ -54,6 +54,13 @@ processors:
 - connection
 - protocol
 - community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/zeek/smb_mapping/manifest.yml b/x-pack/filebeat/module/zeek/smb_mapping/manifest.yml
index f4afd881b540..6cceda0d585e 100644
--- a/x-pack/filebeat/module/zeek/smb_mapping/manifest.yml
+++ b/x-pack/filebeat/module/zeek/smb_mapping/manifest.yml
@@ -10,6 +10,8 @@ var:
 - /usr/local/var/logs/current/smb_mapping.log
 - name: tags
 default: [zeek.smb_mapping]
+ - name: internal_networks
+ default: [ private ]
 ingest_pipeline: ingest/pipeline.yml
 input: config/smb_mapping.yml
diff --git a/x-pack/filebeat/module/zeek/smb_mapping/test/smb_mapping-json.log-expected.json b/x-pack/filebeat/module/zeek/smb_mapping/test/smb_mapping-json.log-expected.json
index 95bb44ae35b5..5c6616d773c4 100644
--- a/x-pack/filebeat/module/zeek/smb_mapping/test/smb_mapping-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/smb_mapping/test/smb_mapping-json.log-expected.json
@@ -19,6 +19,7 @@
"input.type": "log",
"log.offset": 0,
"network.community_id": "1:k308wDxRMx/FIEzeh+YwD86zgoA=",
+ "network.direction": "internal",
"network.protocol": "smb",
"network.transport": "tcp",
"related.ip": [
diff --git a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml
index bb5125513895..866483510bc4 100644
--- a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml
+++ b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml
@@ -64,6 +64,13 @@ processors:
- connection
- protocol
- community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
- add_fields:
target: ''
fields:
diff --git a/x-pack/filebeat/module/zeek/smtp/manifest.yml b/x-pack/filebeat/module/zeek/smtp/manifest.yml
index bc0d180278b8..ace763487d2e 100644
--- a/x-pack/filebeat/module/zeek/smtp/manifest.yml
+++ b/x-pack/filebeat/module/zeek/smtp/manifest.yml
@@ -10,6 +10,8 @@ var:
- /usr/local/var/logs/current/smtp.log
- name: tags
default: [zeek.smtp]
+ - name: internal_networks
+ default: [ private ]
ingest_pipeline: ingest/pipeline.yml
input: config/smtp.yml
diff --git a/x-pack/filebeat/module/zeek/smtp/test/smtp-json.log-expected.json b/x-pack/filebeat/module/zeek/smtp/test/smtp-json.log-expected.json
index 61e1be27bf64..1feda03d1534 100644
--- a/x-pack/filebeat/module/zeek/smtp/test/smtp-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/smtp/test/smtp-json.log-expected.json
@@ -19,6 +19,7 @@
"input.type": "log",
"log.offset": 0,
"network.community_id": "1:38H0puTqOoHT/5r2bKFUVSXifQw=",
+ "network.direction": "internal",
"network.protocol": "smtp",
"network.transport": "tcp",
"related.ip": [
diff --git a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml
index 1a4e45822633..f60c520e942e 100644
--- a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml
+++ b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml
@@ -66,6 +66,13 @@ processors:
- connection
- protocol
- community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
- add_fields:
target: ''
fields:
diff --git a/x-pack/filebeat/module/zeek/snmp/manifest.yml b/x-pack/filebeat/module/zeek/snmp/manifest.yml
index e25fb364b1ed..28eb5127b884 100644
--- a/x-pack/filebeat/module/zeek/snmp/manifest.yml
+++ b/x-pack/filebeat/module/zeek/snmp/manifest.yml
@@ -10,6 +10,8 @@ var:
- /usr/local/var/logs/current/snmp.log
- name: tags
default: [zeek.snmp]
+ - name: internal_networks
+ default: [ private ]
ingest_pipeline: ingest/pipeline.yml
input: config/snmp.yml
diff --git a/x-pack/filebeat/module/zeek/snmp/test/snmp-json.log-expected.json b/x-pack/filebeat/module/zeek/snmp/test/snmp-json.log-expected.json
index 47c6aace67fe..41c2cf3262a9 100644
--- a/x-pack/filebeat/module/zeek/snmp/test/snmp-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/snmp/test/snmp-json.log-expected.json
@@ -19,6 +19,7 @@
"input.type": "log",
"log.offset": 0,
"network.community_id": "1:X15ey/8/tEH+tlelK6P+GfgwBPc=",
+ "network.direction": "internal",
"network.protocol": "snmp",
"network.transport": "udp",
"related.ip": [
diff --git a/x-pack/filebeat/module/zeek/socks/config/socks.yml b/x-pack/filebeat/module/zeek/socks/config/socks.yml
index 4affcb5a09ca..37e98cf69e23 100644
--- a/x-pack/filebeat/module/zeek/socks/config/socks.yml
+++ b/x-pack/filebeat/module/zeek/socks/config/socks.yml
@@ -64,6 +64,13 @@ processors:
- connection
- protocol
- community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
- add_fields:
target: ''
fields:
diff --git a/x-pack/filebeat/module/zeek/socks/manifest.yml b/x-pack/filebeat/module/zeek/socks/manifest.yml
index 55c4a387524b..06a9de15d7eb 100644
--- a/x-pack/filebeat/module/zeek/socks/manifest.yml
+++ b/x-pack/filebeat/module/zeek/socks/manifest.yml
@@ -10,6 +10,8 @@ var:
- /usr/local/var/logs/current/socks.log
- name: tags
default: [zeek.socks]
+ - name: internal_networks
+ default: [ private ]
ingest_pipeline: ingest/pipeline.yml
input: config/socks.yml
diff --git a/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json b/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json
index 0a45d16a5690..2c4c9fe0f878 100644
--- a/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/socks/test/socks-json.log-expected.json
@@ -20,6 +20,7 @@
"input.type": "log",
"log.offset": 0,
"network.community_id": "1:1Hp/o0hOC62lAwrV+a0ZKDE3rrs=",
+ "network.direction": "external",
"network.protocol": "socks",
"network.transport": "tcp",
"related.ip": [
diff --git a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml
index e171128c3358..93289dc87db1 100644
--- a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml
+++ b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml
@@ -73,6 +73,13 @@ processors:
- connection
- protocol
- community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
- add_fields:
target: ''
fields:
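Review bot: For the socks fileset the `source.ip`/`destination.ip` pair this processor reads is, if I read the fileset's mapping right, the client and the SOCKS proxy rather than the host the client asked the proxy to reach, so `network.direction` only describes the client-to-proxy leg; an internal client tunnelling out through an internal proxy will be tagged `internal` even though the real destination is external. That is a reasonable outcome, but analysts writing rules on this field should be told, so I would add a one-line comment above the processor, e.g. `# direction of the client<->proxy leg only; the requested/bound host is in zeek.socks.request/bound`, and confirm the field names against the fileset before committing the comment. The `processors:` list begins above the hunk.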
diff --git a/x-pack/filebeat/module/zeek/ssh/manifest.yml b/x-pack/filebeat/module/zeek/ssh/manifest.yml
index 9d2f39212b55..99e51bc4e631 100644
--- a/x-pack/filebeat/module/zeek/ssh/manifest.yml
+++ b/x-pack/filebeat/module/zeek/ssh/manifest.yml
@@ -10,6 +10,8 @@ var:
- /usr/local/var/logs/current/ssh.log
- name: tags
default: [zeek.ssh]
+ - name: internal_networks
+ default: [ private ]
ingest_pipeline: ingest/pipeline.yml
input: config/ssh.yml
diff --git a/x-pack/filebeat/module/zeek/ssh/test/ssh-json.log-expected.json b/x-pack/filebeat/module/zeek/ssh/test/ssh-json.log-expected.json
index e0f16cfc6925..7172e08c3a5c 100644
--- a/x-pack/filebeat/module/zeek/ssh/test/ssh-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/ssh/test/ssh-json.log-expected.json
@@ -20,6 +20,7 @@
"input.type": "log",
"log.offset": 0,
"network.community_id": "1:42tg9bemt74qgrdvJOy2n5Veg4A=",
+ "network.direction": "internal",
"network.protocol": "ssh",
"network.transport": "tcp",
"related.ip": [
diff --git a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml
index a2f80412b684..91d05b6824ff 100644
--- a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml
+++ b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml
@@ -91,6 +91,13 @@ processors:
- connection
- protocol
- community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
- add_fields:
target: ''
fields:
diff --git a/x-pack/filebeat/module/zeek/ssl/manifest.yml b/x-pack/filebeat/module/zeek/ssl/manifest.yml
index 49e474dfadc2..d602418cfec8 100644
--- a/x-pack/filebeat/module/zeek/ssl/manifest.yml
+++ b/x-pack/filebeat/module/zeek/ssl/manifest.yml
@@ -10,6 +10,8 @@ var:
- /usr/local/var/logs/current/ssl.log
- name: tags
default: [zeek.ssl]
+ - name: internal_networks
+ default: [ private ]
ingest_pipeline: ingest/pipeline.yml
input: config/ssl.yml
diff --git a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json
index db88b09da238..d7c6816aa069 100644
--- a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json
@@ -30,6 +30,7 @@
"input.type": "log",
"log.offset": 0,
"network.community_id": "1:1PMhYqOKBIyRAQeMbg/pWiJ198g=",
+ "network.direction": "outbound",
"network.transport": "tcp",
"related.ip": [
"10.178.98.102",
@@ -112,6 +113,7 @@
"input.type": "log",
"log.offset": 635,
"network.community_id": "1:zYbLmqRN6PLPB067HNAiAQISqvI=",
+ "network.direction": "outbound",
"network.transport": "tcp",
"related.ip": [
"10.178.98.102",
diff --git a/x-pack/filebeat/module/zeek/ssl/test/ssl-with-ja3-and-custom-fields-json.log-expected.json b/x-pack/filebeat/module/zeek/ssl/test/ssl-with-ja3-and-custom-fields-json.log-expected.json
index c4b3cb7a8710..6f3cac8fdca1 100644
--- a/x-pack/filebeat/module/zeek/ssl/test/ssl-with-ja3-and-custom-fields-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/ssl/test/ssl-with-ja3-and-custom-fields-json.log-expected.json
@@ -20,6 +20,7 @@
"input.type": "log",
"log.offset": 0,
"network.community_id": "1:qNHgoGHFvyhhK2jU7LlS3537ODc=",
+ "network.direction": "internal",
"network.transport": "tcp",
"related.ip": [
"10.0.0.1",
diff --git a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml
index 44b6c7062c06..6ce6d17373a3 100644
--- a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml
+++ b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml
@@ -54,6 +54,13 @@ processors:
fields:
kind: event
- community_id:
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
- add_fields:
target: ''
fields:
diff --git a/x-pack/filebeat/module/zeek/syslog/manifest.yml b/x-pack/filebeat/module/zeek/syslog/manifest.yml
index 03a80586303e..10ec76396bda 100644
--- a/x-pack/filebeat/module/zeek/syslog/manifest.yml
+++ b/x-pack/filebeat/module/zeek/syslog/manifest.yml
@@ -10,6 +10,8 @@ var:
- /usr/local/var/logs/current/syslog.log
- name: tags
default: [zeek.syslog]
+ - name: internal_networks
+ default: [ private ]
ingest_pipeline: ingest/pipeline.yml
input: config/syslog.yml
diff --git a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml
index 229594da4725..1ed6932b02d9 100644
--- a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml
+++ b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml
@@ -34,6 +34,13 @@ processors:
- {from: "destination.address", to: "destination.ip", type: "ip"}
ignore_missing: true
fail_on_error: false
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
- add_fields:
target: event
fields:
diff --git a/x-pack/filebeat/module/zeek/traceroute/manifest.yml b/x-pack/filebeat/module/zeek/traceroute/manifest.yml
index 0761e9b3bf4f..b357530bb1b7 100644
--- a/x-pack/filebeat/module/zeek/traceroute/manifest.yml
+++ b/x-pack/filebeat/module/zeek/traceroute/manifest.yml
@@ -10,6 +10,8 @@ var:
- /usr/local/var/logs/current/traceroute.log
- name: tags
default: [zeek.traceroute]
+ - name: internal_networks
+ default: [ private ]
ingest_pipeline: ingest/pipeline.yml
input: config/traceroute.yml
diff --git a/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json b/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json
index 34d600174ac1..89e3ebcbe095 100644
--- a/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json
@@ -22,6 +22,7 @@
"fileset.name": "traceroute",
"input.type": "log",
"log.offset": 0,
+ "network.direction": "outbound",
"network.transport": "udp",
"related.ip": [
"192.168.1.1",
diff --git a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml
index 82886945a083..94918403879f 100644
--- a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml
+++ b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml
@@ -45,6 +45,13 @@ processors:
- {from: "zeek.tunnel.action", to: "event.action"}
ignore_missing: true
fail_on_error: false
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
- add_fields:
target: event
fields:
diff --git a/x-pack/filebeat/module/zeek/tunnel/manifest.yml b/x-pack/filebeat/module/zeek/tunnel/manifest.yml
index a0618a12b7eb..0e36b8914ca3 100644
--- a/x-pack/filebeat/module/zeek/tunnel/manifest.yml
+++ b/x-pack/filebeat/module/zeek/tunnel/manifest.yml
@@ -10,6 +10,8 @@ var:
- /usr/local/var/logs/current/tunnel.log
- name: tags
default: [zeek.tunnel]
+ - name: internal_networks
+ default: [ private ]
ingest_pipeline: ingest/pipeline.yml
input: config/tunnel.yml
diff --git a/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json b/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json
index 7070aaf5b2cf..9138243618c3 100644
--- a/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json
@@ -24,6 +24,7 @@
"fileset.name": "tunnel",
"input.type": "log",
"log.offset": 0,
+ "network.direction": "external",
"related.ip": [
"132.16.110.133",
"132.16.146.79"
diff --git a/x-pack/filebeat/module/zeek/weird/config/weird.yml b/x-pack/filebeat/module/zeek/weird/config/weird.yml
index 289e74d52da0..7b3d2f5bcccf 100644
--- a/x-pack/filebeat/module/zeek/weird/config/weird.yml
+++ b/x-pack/filebeat/module/zeek/weird/config/weird.yml
@@ -45,6 +45,13 @@ processors:
- {from: "zeek.weird.name", to: "rule.name"}
ignore_missing: true
fail_on_error: false
+{{ if .internal_networks }}
+ - add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
+{{ end }}
- add_fields:
target: event
fields:
diff --git a/x-pack/filebeat/module/zeek/weird/manifest.yml b/x-pack/filebeat/module/zeek/weird/manifest.yml
index 3e91c91c64a2..18eef40dff67 100644
--- a/x-pack/filebeat/module/zeek/weird/manifest.yml
+++ b/x-pack/filebeat/module/zeek/weird/manifest.yml
@@ -10,6 +10,8 @@ var:
- /usr/local/var/logs/current/weird.log
- name: tags
default: [zeek.weird]
+ - name: internal_networks
+ default: [ private ]
ingest_pipeline: ingest/pipeline.yml
input: config/weird.yml
diff --git a/x-pack/filebeat/module/zeek/weird/test/weird-json.log-expected.json b/x-pack/filebeat/module/zeek/weird/test/weird-json.log-expected.json
index cc9f7f495085..2965e9fb0983 100644
--- a/x-pack/filebeat/module/zeek/weird/test/weird-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/weird/test/weird-json.log-expected.json
@@ -17,6 +17,7 @@
"fileset.name": "weird",
"input.type": "log",
"log.offset": 0,
+ "network.direction": "internal",
"related.ip": [
"192.168.1.1",
"192.168.1.2"
From 775f39c67951c92d0bd95fcad451d98ebc3b7f34 Mon Sep 17 00:00:00 2001
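Review bot: In the weird fileset the new processor sits directly after a `convert` whose `ignore_missing: true` / `fail_on_error: false` means `source.ip` and `destination.ip` may legitimately be absent, and weird.log entries are, as I recall, not always tied to a connection, so that case will be common rather than rare here (the traceroute and tunnel hunks follow the same pattern). I believe `add_network_direction` simply leaves the event untouched when either field is missing, but nothing in this hunk or the fixture demonstrates it, and if it instead returns an error the `add_fields` that follows would be skipped for exactly those events. I would add a fixture line without `id.*` fields to pin the behaviour, and a comment above the processor such as `# source/destination.ip may be absent for weirds not tied to a connection; the processor must tolerate that`. The `processors:` list begins above the hunk.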
From: Alex Resnick
Date: Sun, 28 Mar 2021 01:13:41 +0000
Subject: [PATCH 2/9] Add Snort & Sonicwall
---
.../module/snort/log/config/input.yml | 9 +-
.../module/snort/log/config/liblogparser.js | 8 +-
x-pack/filebeat/module/snort/log/manifest.yml | 2 +
.../log/test/generated.log-expected.json | 298 ++++++-----------
.../sonicwall/firewall/config/input.yml | 7 +
.../sonicwall/firewall/config/liblogparser.js | 8 +-
.../module/sonicwall/firewall/manifest.yml | 2 +
.../firewall/test/general.log-expected.json | 40 +--
.../firewall/test/generated.log-expected.json | 306 ++++++------------
9 files changed, 242 insertions(+), 438 deletions(-)
diff --git a/x-pack/filebeat/module/snort/log/config/input.yml b/x-pack/filebeat/module/snort/log/config/input.yml
index f0ed0aaa1e73..4d6ec8140bb5 100644
--- a/x-pack/filebeat/module/snort/log/config/input.yml
+++ b/x-pack/filebeat/module/snort/log/config/input.yml
@@ -37,7 +37,14 @@ processors:
- ${path.home}/module/snort/log/config/liblogparser.js
- ${path.home}/module/snort/log/config/pipeline.js
{{ if .community_id }}
-- community_id: ~
+- community_id:
{{ end }}
+{{ if .internal_networks }}
+- add_network_direction:
+ source: source.ip
+ destination: destination.ip
+ target: network.direction
+ internal_networks: {{ .internal_networks | tojson }}
{{ end }}
- registered_domain:
ignore_missing: true
diff --git a/x-pack/filebeat/module/snort/log/config/liblogparser.js b/x-pack/filebeat/module/snort/log/config/liblogparser.js
index cec99a043e86..935bed305a8e 100644
--- a/x-pack/filebeat/module/snort/log/config/liblogparser.js
+++ b/x-pack/filebeat/module/snort/log/config/liblogparser.js
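Review bot: `network.direction` is derived here from `source.ip`/`destination.ip` alone, while the Snort/NGIPS events this module parses also carry `source.nat.ip`/`destination.nat.ip` (both appear in the updated fixture later in this patch), so on a sensor that logs translated addresses the pre-NAT pair this processor sees may not be the pair that actually crosses the perimeter. That is probably the right default, but it deserves a sentence in the fileset docs or a comment above the block, e.g. `# direction is computed from the pre-NAT source/destination pair; widen internal_networks if the sensor reports translated addresses`. The `- community_id: ~` to `- community_id:` change is cosmetic (both yield a null processor config) and fine. The `processors:` list begins above the hunk.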
@@ -1007,8 +1007,8 @@ var ecs_mappings = {
"child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
"city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
"city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
"ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
"devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
"devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
@@ -1088,8 +1088,8 @@ var ecs_mappings = {
"rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
"referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
"rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
"sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
"sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
"service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
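Review bot: Moving `saddr`/`saddr_v6` and `daddr`/`daddr_v6` from `fld_append` to `fld_set` makes `source.ip`/`destination.ip` scalar, which is what ECS and `add_network_direction` expect, but a message that yields both `saddr` and `saddr_v6`, or the same key twice, now keeps only one of them in `source.ip` while `related.ip` still collects every value — and whether `fld_set` keeps the first or the last occurrence is not visible in this hunk, so the surviving address is unspecified from the reader's point of view. A comment on these four lines would record the intent, e.g. `// fld_set: ECS source.ip is a single ip; every parsed address is still kept in related.ip`. The diffstat shows the identical 8-line edit in the sonicwall copy of liblogparser.js; if these copies come from a shared template the fix belongs there, otherwise the remaining RSA-derived modules keep emitting array-valued `source.ip` and the field type diverges across modules. `ecs_mappings` begins and ends outside both hunks.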
diff --git a/x-pack/filebeat/module/snort/log/manifest.yml b/x-pack/filebeat/module/snort/log/manifest.yml index ae467072b222..e50a6c8c68d2 100644 --- a/x-pack/filebeat/module/snort/log/manifest.yml +++ b/x-pack/filebeat/module/snort/log/manifest.yml @@ -20,6 +20,8 @@ var: default: false - name: debug default: false + - name: internal_networks + default: [ private ] ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json index eb5036f51901..c2f15701738b 100644 --- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json @@ -38,9 +38,7 @@ }, { "destination.bytes": 3676, - "destination.ip": [ - "10.212.11.114" - ], + "destination.ip": "10.212.11.114", "destination.port": 3716, "event.action": "deny", "event.code": "NGIPS_events", @@ -53,6 +51,7 @@ "log.level": "medium", "log.offset": 135, "network.application": "nsequat", + "network.direction": "internal", "network.protocol": "igmp", "observer.egress.interface.name": "eth4091", "observer.product": "IDS", @@ -84,9 +83,7 @@ "rule.name": "iatisu", "service.type": "snort", "source.bytes": 4512, - "source.ip": [ - "10.38.77.13" - ], + "source.ip": "10.38.77.13", "source.port": 3971, "tags": [ "forwarded", @@ -189,9 +186,7 @@ }, { "destination.bytes": 3365, - "destination.ip": [ - "10.24.67.250" - ], + "destination.ip": "10.24.67.250", "destination.port": 2026, "event.action": "block", "event.code": "NGIPS_events", @@ -204,6 +199,7 @@ "log.level": "low", "log.offset": 1016, "network.application": "dol", + "network.direction": "internal", "network.protocol": "ipv6-icmp", "observer.egress.interface.name": "enp0s5361", "observer.product": "IDS", 
@@ -213,8 +209,8 @@ "itame189.domain" ], "related.ip": [ - "10.182.199.231", - "10.24.67.250" + "10.24.67.250", + "10.182.199.231" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "oei", @@ -235,9 +231,7 @@ "rule.name": "doloremi", "service.type": "snort", "source.bytes": 651, - "source.ip": [ - "10.182.199.231" - ], + "source.ip": "10.182.199.231", "source.port": 4478, "tags": [ "forwarded", @@ -313,9 +307,7 @@ }, { "destination.geo.country_name": "eeufugia", - "destination.ip": [ - "10.157.18.252" - ], + "destination.ip": "10.157.18.252", "destination.port": 5300, "event.code": "5979", "event.dataset": "snort.log", @@ -326,6 +318,7 @@ "input.type": "log", "log.level": "oremeu", "log.offset": 1748, + "network.direction": "internal", "network.protocol": "ipv6", "observer.product": "IDS", "observer.type": "IDS", @@ -357,9 +350,7 @@ "rsa.time.event_time_str": "May 22 14:30:33 2016 UTC", "rsa.time.month": "May", "service.type": "snort", - "source.ip": [ - "10.110.31.190" - ], + "source.ip": "10.110.31.190", "tags": [ "forwarded", "snort.log" @@ -808,9 +799,7 @@ "user.name": "smodtem" }, { - "destination.ip": [ - "10.9.200.197" - ], + "destination.ip": "10.9.200.197", "event.code": "27813", "event.dataset": "snort.log", "event.module": "snort", @@ -820,6 +809,7 @@ "input.type": "log", "log.level": "dolor", "log.offset": 5841, + "network.direction": "internal", "network.protocol": "icmp", "observer.product": "IDS", "observer.type": "IDS", @@ -851,9 +841,7 @@ "rsa.time.month": "Dec", "service.type": "snort", "source.geo.country_name": "tur", - "source.ip": [ - "10.182.213.195" - ], + "source.ip": "10.182.213.195", "source.port": 7119, "tags": [ "forwarded", @@ -862,9 +850,7 @@ }, { "destination.bytes": 3813, - "destination.ip": [ - "10.111.33.70" - ], + "destination.ip": "10.111.33.70", "destination.port": 3758, "event.action": "allow", "event.code": "NGIPS_events", 
@@ -877,6 +863,7 @@ "log.level": "medium", "log.offset": 6066, "network.application": "num", + "network.direction": "internal", "network.protocol": "tcp", "observer.egress.interface.name": "enp0s6049", "observer.product": "IDS", @@ -908,9 +895,7 @@ "rule.name": "eriam", "service.type": "snort", "source.bytes": 3465, - "source.ip": [ - "10.210.180.142" - ], + "source.ip": "10.210.180.142", "source.port": 3015, "tags": [ "forwarded", @@ -948,9 +933,7 @@ ] }, { - "destination.ip": [ - "10.222.183.123" - ], + "destination.ip": "10.222.183.123", "event.code": "MALWARE", "event.dataset": "snort.log", "event.module": "snort", @@ -959,6 +942,7 @@ "host.name": "cidu921.internal.lan", "input.type": "log", "log.offset": 6746, + "network.direction": "internal", "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", @@ -979,18 +963,14 @@ "rsa.time.day": "20", "rsa.time.month": "Jan", "service.type": "snort", - "source.ip": [ - "10.165.33.19" - ], + "source.ip": "10.165.33.19", "tags": [ "forwarded", "snort.log" ] }, { - "destination.ip": [ - "10.238.223.171" - ], + "destination.ip": "10.238.223.171", "event.code": "16539", "event.dataset": "snort.log", "event.module": "snort", @@ -1000,6 +980,7 @@ "input.type": "log", "log.level": "uisautei", "log.offset": 6886, + "network.direction": "internal", "network.protocol": "rdp", "observer.product": "IDS", "observer.type": "IDS", @@ -1030,9 +1011,7 @@ "rsa.time.event_time_str": "Feb 3 21:16:50 2017 UTC", "rsa.time.month": "Feb", "service.type": "snort", - "source.ip": [ - "10.52.190.18" - ], + "source.ip": "10.52.190.18", "source.port": 4411, "tags": [ "forwarded", @@ -1040,9 +1019,7 @@ ] }, { - "destination.ip": [ - "10.160.178.109" - ], + "destination.ip": "10.160.178.109", "destination.port": 1934, "event.code": "26992", "event.dataset": "snort.log", 
@@ -1053,6 +1030,7 @@ "input.type": "log", "log.level": "onsec", "log.offset": 7109, + "network.direction": "internal", "network.protocol": "udp", "observer.product": "IDS", "observer.type": "IDS", @@ -1084,9 +1062,7 @@ "rsa.time.event_time_str": "Feb 18 04:19:24 2017 UTC", "rsa.time.month": "Feb", "service.type": "snort", - "source.ip": [ - "10.68.233.163" - ], + "source.ip": "10.68.233.163", "tags": [ "forwarded", "snort.log" @@ -1192,9 +1168,7 @@ ] }, { - "destination.ip": [ - "10.213.100.153" - ], + "destination.ip": "10.213.100.153", "event.code": "11634", "event.dataset": "snort.log", "event.module": "snort", @@ -1204,6 +1178,7 @@ "input.type": "log", "log.level": "dexer", "log.offset": 7690, + "network.direction": "internal", "network.protocol": "igmp", "observer.product": "IDS", "observer.type": "IDS", @@ -1235,9 +1210,7 @@ "rsa.time.event_time_str": "Apr 16 08:29:41 2017 UTC", "rsa.time.month": "Apr", "service.type": "snort", - "source.ip": [ - "10.116.175.84" - ], + "source.ip": "10.116.175.84", "tags": [ "forwarded", "snort.log" @@ -1476,9 +1449,7 @@ }, { "destination.bytes": 4902, - "destination.ip": [ - "10.251.159.118" - ], + "destination.ip": "10.251.159.118", "destination.port": 2795, "event.action": "cancel", "event.code": "NGIPS_events", @@ -1491,6 +1462,7 @@ "log.level": "high", "log.offset": 9801, "network.application": "ipi", + "network.direction": "internal", "network.protocol": "ipv6-icmp", "observer.egress.interface.name": "lo6367", "observer.product": "IDS", @@ -1522,9 +1494,7 @@ "rule.name": "emagnam", "service.type": "snort", "source.bytes": 1580, - "source.ip": [ - "10.240.144.78" - ], + "source.ip": "10.240.144.78", "source.port": 2998, "tags": [ "forwarded", @@ -1623,9 +1593,7 @@ }, { "destination.bytes": 5413, - "destination.ip": [ - "10.201.132.114" - ], + "destination.ip": "10.201.132.114", "destination.port": 639, "event.action": "cancel", "event.code": "NGIPS_events", 
@@ -1638,6 +1606,7 @@ "log.level": "low", "log.offset": 10685, "network.application": "icta", + "network.direction": "internal", "network.protocol": "igmp", "observer.egress.interface.name": "lo3580", "observer.product": "IDS", @@ -1647,8 +1616,8 @@ "urau1660.www.lan" ], "related.ip": [ - "10.140.209.249", - "10.201.132.114" + "10.201.132.114", + "10.140.209.249" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "lor", @@ -1669,9 +1638,7 @@ "rule.name": "temse", "service.type": "snort", "source.bytes": 470, - "source.ip": [ - "10.140.209.249" - ], + "source.ip": "10.140.209.249", "source.port": 1801, "tags": [ "forwarded", @@ -1713,9 +1680,7 @@ }, { "destination.geo.country_name": "ariatu", - "destination.ip": [ - "10.36.122.169" - ], + "destination.ip": "10.36.122.169", "destination.port": 6751, "event.code": "13228", "event.dataset": "snort.log", @@ -1726,6 +1691,7 @@ "input.type": "log", "log.level": "onev", "log.offset": 11356, + "network.direction": "internal", "network.protocol": "ipv6", "observer.product": "IDS", "observer.type": "IDS", @@ -1756,9 +1722,7 @@ "rsa.time.event_time_str": "Nov 2 11:05:41 2017 UTC", "rsa.time.month": "Nov", "service.type": "snort", - "source.ip": [ - "10.198.44.231" - ], + "source.ip": "10.198.44.231", "tags": [ "forwarded", "snort.log" @@ -1766,9 +1730,7 @@ }, { "destination.bytes": 6430, - "destination.ip": [ - "10.144.162.122" - ], + "destination.ip": "10.144.162.122", "destination.port": 2080, "event.action": "block", "event.code": "NGIPS_events", @@ -1781,6 +1743,7 @@ "log.level": "medium", "log.offset": 11593, "network.application": "rehende", + "network.direction": "internal", "network.protocol": "icmp", "observer.egress.interface.name": "lo5079", "observer.product": "IDS", @@ -1812,9 +1775,7 @@ "rule.name": "ffici", "service.type": "snort", "source.bytes": 3273, - "source.ip": [ - "10.77.86.215" - ], + "source.ip": "10.77.86.215", "source.port": 5913, "tags": [ "forwarded", 
@@ -2096,9 +2057,7 @@ }, { "destination.geo.country_name": "icons", - "destination.ip": [ - "10.60.137.215" - ], + "destination.ip": "10.60.137.215", "destination.port": 3266, "event.code": "5155", "event.dataset": "snort.log", @@ -2109,6 +2068,7 @@ "input.type": "log", "log.level": "umqua", "log.offset": 15504, + "network.direction": "internal", "network.protocol": "tcp", "observer.product": "IDS", "observer.type": "IDS", @@ -2139,9 +2099,7 @@ "rsa.time.event_time_str": "Mar 25 09:31:24 2018 UTC", "rsa.time.month": "Mar", "service.type": "snort", - "source.ip": [ - "10.28.105.106" - ], + "source.ip": "10.28.105.106", "tags": [ "forwarded", "snort.log" @@ -2211,9 +2169,7 @@ ] }, { - "destination.ip": [ - "10.49.190.163" - ], + "destination.ip": "10.49.190.163", "destination.nat.ip": "10.20.167.114", "destination.nat.port": 6975, "destination.port": 4220, @@ -2225,6 +2181,7 @@ "host.name": "Loremips5368.www5.corp", "input.type": "log", "log.offset": 17035, + "network.direction": "internal", "observer.egress.interface.name": "enp0s484", "observer.ingress.interface.name": "lo7626", "observer.product": "IDS", @@ -2251,9 +2208,7 @@ "rsa.time.day": "7", "rsa.time.month": "May", "service.type": "snort", - "source.ip": [ - "10.166.40.137" - ], + "source.ip": "10.166.40.137", "source.nat.ip": "10.65.144.119", "source.nat.port": 6233, "source.port": 5279, @@ -2263,9 +2218,7 @@ ] }, { - "destination.ip": [ - "10.162.128.87" - ], + "destination.ip": "10.162.128.87", "event.code": "MALWARE", "event.dataset": "snort.log", "event.module": "snort", @@ -2274,6 +2227,7 @@ "host.name": "mexer1548.www5.example", "input.type": "log", "log.offset": 17238, + "network.direction": "internal", "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", 
@@ -2294,18 +2248,14 @@ "rsa.time.day": "21", "rsa.time.month": "May", "service.type": "snort", - "source.ip": [ - "10.104.78.147" - ], + "source.ip": "10.104.78.147", "tags": [ "forwarded", "snort.log" ] }, { - "destination.ip": [ - "10.82.180.46" - ], + "destination.ip": "10.82.180.46", "event.code": "MALWARE", "event.dataset": "snort.log", "event.module": "snort", @@ -2314,6 +2264,7 @@ "host.name": "emulla6625.www5.corp", "input.type": "log", "log.offset": 17380, + "network.direction": "internal", "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", @@ -2334,9 +2285,7 @@ "rsa.time.day": "4", "rsa.time.month": "Jun", "service.type": "snort", - "source.ip": [ - "10.237.43.87" - ], + "source.ip": "10.237.43.87", "tags": [ "forwarded", "snort.log" @@ -2344,9 +2293,7 @@ }, { "destination.geo.country_name": "quovol", - "destination.ip": [ - "10.180.28.156" - ], + "destination.ip": "10.180.28.156", "destination.port": 4665, "event.code": "5315", "event.dataset": "snort.log", @@ -2357,6 +2304,7 @@ "input.type": "log", "log.level": "aturQui", "log.offset": 17526, + "network.direction": "internal", "network.protocol": "icmp", "observer.product": "IDS", "observer.type": "IDS", @@ -2389,9 +2337,7 @@ "rsa.time.month": "Jun", "service.type": "snort", "source.geo.country_name": "eos", - "source.ip": [ - "10.234.234.205" - ], + "source.ip": "10.234.234.205", "source.port": 5714, "tags": [ "forwarded", @@ -2430,9 +2376,7 @@ }, { "destination.bytes": 4280, - "destination.ip": [ - "10.166.10.187" - ], + "destination.ip": "10.166.10.187", "destination.port": 793, "event.action": "block", "event.code": "NGIPS_events", @@ -2445,6 +2389,7 @@ "log.level": "very", "log.offset": 17884, "network.application": "tuserror", + "network.direction": "internal", "network.protocol": "igmp", "observer.egress.interface.name": "lo2032", "observer.product": "IDS", 
@@ -2476,9 +2421,7 @@ "rule.name": "iconseq", "service.type": "snort", "source.bytes": 1259, - "source.ip": [ - "10.40.250.209" - ], + "source.ip": "10.40.250.209", "source.port": 3941, "tags": [ "forwarded", @@ -2519,9 +2462,7 @@ ] }, { - "destination.ip": [ - "10.78.180.219" - ], + "destination.ip": "10.78.180.219", "event.code": "MALWARE", "event.dataset": "snort.log", "event.module": "snort", @@ -2530,6 +2471,7 @@ "host.name": "ita7851.localhost", "input.type": "log", "log.offset": 19724, + "network.direction": "internal", "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", @@ -2550,9 +2492,7 @@ "rsa.time.day": "15", "rsa.time.month": "Aug", "service.type": "snort", - "source.ip": [ - "10.198.202.72" - ], + "source.ip": "10.198.202.72", "tags": [ "forwarded", "snort.log" @@ -2560,9 +2500,7 @@ }, { "destination.geo.country_name": "maccusan", - "destination.ip": [ - "10.232.67.182" - ], + "destination.ip": "10.232.67.182", "destination.port": 2086, "event.code": "26152", "event.dataset": "snort.log", @@ -2573,6 +2511,7 @@ "input.type": "log", "log.level": "ionu", "log.offset": 19864, + "network.direction": "internal", "network.interface.name": "enp0s2413", "network.protocol": "ggp", "observer.product": "IDS", @@ -2606,18 +2545,14 @@ "rsa.time.event_time_str": "Aug 29 14:59:40 2018 UTC", "rsa.time.month": "Aug", "service.type": "snort", - "source.ip": [ - "10.147.155.100" - ], + "source.ip": "10.147.155.100", "tags": [ "forwarded", "snort.log" ] }, { - "destination.ip": [ - "10.95.152.78" - ], + "destination.ip": "10.95.152.78", "destination.port": 1267, "event.code": "9193", "event.dataset": "snort.log", @@ -2628,6 +2563,7 @@ "input.type": "log", "log.level": "periam", "log.offset": 20125, + "network.direction": "internal", "network.protocol": "ggp", "observer.product": "IDS", "observer.type": "IDS", 
@@ -2659,9 +2595,7 @@ "rsa.time.event_time_str": "Sep 12 22:02:15 2018 UTC", "rsa.time.month": "Sep", "service.type": "snort", - "source.ip": [ - "10.4.147.70" - ], + "source.ip": "10.4.147.70", "source.port": 3210, "tags": [ "forwarded", @@ -2772,9 +2706,7 @@ ] }, { - "destination.ip": [ - "10.216.14.36" - ], + "destination.ip": "10.216.14.36", "event.code": "MALWARE", "event.dataset": "snort.log", "event.module": "snort", @@ -2783,6 +2715,7 @@ "host.name": "essequ121.localdomain", "input.type": "log", "log.offset": 21841, + "network.direction": "internal", "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", @@ -2803,18 +2736,14 @@ "rsa.time.day": "9", "rsa.time.month": "Nov", "service.type": "snort", - "source.ip": [ - "10.224.250.83" - ], + "source.ip": "10.224.250.83", "tags": [ "forwarded", "snort.log" ] }, { - "destination.ip": [ - "10.231.10.63" - ], + "destination.ip": "10.231.10.63", "event.code": "10329", "event.dataset": "snort.log", "event.module": "snort", @@ -2824,6 +2753,7 @@ "input.type": "log", "log.level": "upt", "log.offset": 21984, + "network.direction": "internal", "network.protocol": "ggp", "observer.product": "IDS", "observer.type": "IDS", @@ -2856,9 +2786,7 @@ "rsa.time.month": "Nov", "service.type": "snort", "source.geo.country_name": "ipi", - "source.ip": [ - "10.38.22.60" - ], + "source.ip": "10.38.22.60", "source.port": 653, "tags": [ "forwarded", @@ -2867,9 +2795,7 @@ }, { "destination.bytes": 560, - "destination.ip": [ - "10.29.231.11" - ], + "destination.ip": "10.29.231.11", "destination.port": 2231, "event.action": "cancel", "event.code": "NGIPS_events", @@ -2882,6 +2808,7 @@ "log.level": "high", "log.offset": 22224, "network.application": "atat", + "network.direction": "internal", "network.protocol": "tcp", "observer.egress.interface.name": "eth1891", "observer.product": "IDS", 
@@ -2913,9 +2840,7 @@ "rule.name": "tlab", "service.type": "snort", "source.bytes": 42, - "source.ip": [ - "10.46.57.181" - ], + "source.ip": "10.46.57.181", "source.port": 3760, "tags": [ "forwarded", @@ -3024,9 +2949,7 @@ }, { "destination.bytes": 1881, - "destination.ip": [ - "10.135.250.25" - ], + "destination.ip": "10.135.250.25", "destination.port": 1306, "event.action": "block", "event.code": "NGIPS_events", @@ -3039,6 +2962,7 @@ "log.level": "low", "log.offset": 24183, "network.application": "tlabor", + "network.direction": "internal", "network.protocol": "ggp", "observer.egress.interface.name": "lo3342", "observer.product": "IDS", @@ -3070,9 +2994,7 @@ "rule.name": "Secti", "service.type": "snort", "source.bytes": 4673, - "source.ip": [ - "10.107.144.80" - ], + "source.ip": "10.107.144.80", "source.port": 703, "tags": [ "forwarded", @@ -3144,9 +3066,7 @@ "user.name": "iscing" }, { - "destination.ip": [ - "10.5.88.183" - ], + "destination.ip": "10.5.88.183", "destination.port": 7518, "event.code": "FTD_events", "event.dataset": "snort.log", @@ -3156,6 +3076,7 @@ "host.name": "onsecte5119.www.invalid", "input.type": "log", "log.offset": 24956, + "network.direction": "internal", "network.protocol": "icmp", "observer.ingress.interface.name": "enp0s3923", "observer.product": "IDS", @@ -3178,9 +3099,7 @@ "rsa.time.day": "17", "rsa.time.month": "Mar", "service.type": "snort", - "source.ip": [ - "10.198.207.31" - ], + "source.ip": "10.198.207.31", "source.port": 579, "tags": [ "forwarded", @@ -3396,9 +3315,7 @@ }, { "destination.bytes": 4560, - "destination.ip": [ - "10.186.68.87" - ], + "destination.ip": "10.186.68.87", "destination.port": 2129, "event.action": "allow", "event.code": "NGIPS_events", @@ -3411,6 +3328,7 @@ "log.level": "medium", "log.offset": 28227, "network.application": "labo", + "network.direction": "internal", "network.protocol": "ipv6-icmp", "observer.egress.interface.name": "eth2658", "observer.product": "IDS", 
@@ -3442,9 +3360,7 @@ "rule.name": "itsed", "service.type": "snort", "source.bytes": 2005, - "source.ip": [ - "10.154.87.98" - ], + "source.ip": "10.154.87.98", "source.port": 2632, "tags": [ "forwarded", @@ -3453,9 +3369,7 @@ }, { "destination.bytes": 584, - "destination.ip": [ - "10.67.211.63" - ], + "destination.ip": "10.67.211.63", "destination.port": 7478, "event.action": "allow", "event.code": "NGIPS_events", @@ -3468,6 +3382,7 @@ "log.level": "medium", "log.offset": 28825, "network.application": "Ciceroin", + "network.direction": "internal", "network.protocol": "udp", "observer.egress.interface.name": "eth3613", "observer.product": "IDS", @@ -3499,9 +3414,7 @@ "rule.name": "dantiu", "service.type": "snort", "source.bytes": 4338, - "source.ip": [ - "10.35.59.140" - ], + "source.ip": "10.35.59.140", "source.port": 1832, "tags": [ "forwarded", @@ -3640,9 +3553,7 @@ "user.name": "uptate" }, { - "destination.ip": [ - "10.179.27.185" - ], + "destination.ip": "10.179.27.185", "event.code": "MALWARE", "event.dataset": "snort.log", "event.module": "snort", @@ -3651,6 +3562,7 @@ "host.name": "cididu3187.home", "input.type": "log", "log.offset": 29815, + "network.direction": "internal", "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", @@ -3671,9 +3583,7 @@ "rsa.time.day": "19", "rsa.time.month": "Sep", "service.type": "snort", - "source.ip": [ - "10.14.46.141" - ], + "source.ip": "10.14.46.141", "tags": [ "forwarded", "snort.log" @@ -3818,9 +3728,7 @@ "user.name": "ctobea" }, { - "destination.ip": [ - "10.118.103.185" - ], + "destination.ip": "10.118.103.185", "destination.nat.ip": "10.240.77.10", "destination.nat.port": 2226, "destination.port": 1333, @@ -3832,6 +3740,7 @@ "host.name": "erunt3957.internal.lan", "input.type": "log", "log.offset": 30328, + "network.direction": "internal", "observer.egress.interface.name": "lo2571", "observer.ingress.interface.name": "lo5895", "observer.product": "IDS", 
@@ -3858,9 +3767,7 @@ "rsa.time.day": "30", "rsa.time.month": "Nov", "service.type": "snort", - "source.ip": [ - "10.125.130.61" - ], + "source.ip": "10.125.130.61", "source.nat.ip": "10.32.195.34", "source.nat.port": 135, "source.port": 6154, @@ -3870,9 +3777,7 @@ ] }, { - "destination.ip": [ - "10.111.130.177" - ], + "destination.ip": "10.111.130.177", "event.code": "MALWARE", "event.dataset": "snort.log", "event.module": "snort", @@ -3881,6 +3786,7 @@ "host.name": "ntNe7144.api.lan", "input.type": "log", "log.offset": 30540, + "network.direction": "internal", "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", @@ -3901,12 +3807,10 @@ "rsa.time.day": "14", "rsa.time.month": "Dec", "service.type": "snort", - "source.ip": [ - "10.188.88.133" - ], + "source.ip": "10.188.88.133", "tags": [ "forwarded", "snort.log" ] } -] \ No newline at end of file +] diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml index 2b7d20e77f48..ff0b8145857c 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml @@ -39,6 +39,13 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +{{ if .internal_networks }} +- add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} +{{ end }} - registered_domain: ignore_missing: true ignore_failure: true diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js index cec99a043e86..935bed305a8e 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js +++ b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js 
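Review bot: The `add_network_direction` block added after `community_id` classifies purely on whether `source.ip` and `destination.ip` fall inside `internal_networks`, so a flow the firewall itself reports as crossing into another zone — e.g. the fixture with source `192.168.5.64` and `rsa.network.sinterface: "LAN dst=192.168.1.100:445:WAN ..."` — would still come out `internal` whenever both addresses are RFC 1918 (assuming the destination address is populated for that event). That is a reasonable default, but detections keyed on `network.direction` must not read it as the device's zone verdict, so I would add a comment above the block: `# network.direction is derived from the addresses alone (see internal_networks); it can differ from the SonicWall zone names kept in rsa.network.sinterface.` The same comment should note that an empty `internal_networks` list disables the processor altogether because of the `{{ if .internal_networks }}` guard, rather than classifying all traffic as external. Whether the processor skips or errors when one of the two fields is absent is not visible here; if it errors, `ignore_missing`-style handling should be confirmed before this goes into every event path.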
@@ -1007,8 +1007,8 @@ var ecs_mappings = {
 "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
 "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
 "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
 "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
 "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
 "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
@@ -1088,8 +1088,8 @@ var ecs_mappings = {
 "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
 "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
 "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
 "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
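Review bot: Moving `saddr`/`saddr_v6` and `daddr`/`daddr_v6` from `fld_append` to `fld_set` on `source.ip`/`destination.ip` makes the stored address order-dependent when a single message carries both the IPv4 and the IPv6 field: whichever mapping is applied last wins, and the other address survives only in `related.ip`. The file already has a deterministic mechanism for exactly this case — `fld_prio` with an explicit `prio`, used on `ddomain`, `devicehostip` and `sdomain` in these same hunks — so I would prefer `"saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},` and `"saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},` (mirrored for `daddr`/`daddr_v6`), with the priorities chosen per this file's `prio` convention and a short comment stating which address family is preferred. The semantics of `fld_set` are not visible in this hunk; if it only writes when the target is empty the first writer wins instead, but the ambiguity is the same. This matters because `community_id` and the new `add_network_direction` processor now key on the single address that happened to win, so an attacker-controlled dual-stack event could land in the wrong direction bucket.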
diff --git a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml index f9949f03fd52..16e3130f2239 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml @@ -20,6 +20,8 @@ var: default: false - name: debug default: false + - name: internal_networks + default: [ private ] ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json index 5f03c23e5dad..fca66478545a 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json @@ -29,9 +29,7 @@ "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, - "source.ip": [ - "2.2.2.2" - ], + "source.ip": "2.2.2.2", "source.port": 36701, "tags": [ "forwarded", @@ -95,9 +93,7 @@ "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, - "source.ip": [ - "2.2.2.2" - ], + "source.ip": "2.2.2.2", "source.port": 36702, "tags": [ "forwarded", @@ -246,9 +242,7 @@ "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, - "source.ip": [ - "2.2.2.2" - ], + "source.ip": "2.2.2.2", "source.port": 36703, "tags": [ "forwarded", @@ -312,9 +306,7 @@ "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, - "source.ip": [ - "2.2.2.2" - ], + "source.ip": "2.2.2.2", "source.port": 36704, "tags": [ "forwarded", @@ -350,9 +342,7 @@ "source.geo.country_name": "New Zealand", "source.geo.location.lat": -41.0, "source.geo.location.lon": 174.0, - "source.ip": [ - "219.89.19.223" - ], + "source.ip": "219.89.19.223", "source.port": 1026, "tags": [ "forwarded", 
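Review bot: The new `internal_networks` var carries no comment describing what it accepts, although its default `[ private ]` is a named range rather than a CIDR and every event's `network.direction` now depends on it. I would add above the var: `# CIDRs or named ranges handed to add_network_direction; a flow whose source and destination are both inside is network.direction: internal. Override when non-RFC 1918 space (e.g. CGNAT 100.64.0.0/10) or public DMZ ranges are used internally.` Presumably `private` maps to the RFC 1918 blocks plus IPv6 unique-local space — confirm against the processor's named-range table before documenting it as such. Without the override hint, sites with public or CGNAT internal addressing will silently see lateral traffic labelled `outbound`/`inbound`.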
@@ -439,9 +429,7 @@ "source.geo.country_name": "Australia", "source.geo.location.lat": -33.494, "source.geo.location.lon": 143.2104, - "source.ip": [ - "1.1.1.1" - ], + "source.ip": "1.1.1.1", "source.port": 500, "tags": [ "forwarded", @@ -491,9 +479,7 @@ "rsa.network.sinterface": "WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "rsa.time.event_time": "2007-01-03T16:48:15.000Z", "service.type": "sonicwall", - "source.ip": [ - "192.168.115.10" - ], + "source.ip": "192.168.115.10", "source.port": 11549, "tags": [ "forwarded", @@ -523,9 +509,7 @@ "rsa.network.sinterface": "LAN dst=192.168.1.100:445:WAN proto=tcp/445", "rsa.time.event_time": "2007-01-03T16:48:17.000Z", "service.type": "sonicwall", - "source.ip": [ - "192.168.5.64" - ], + "source.ip": "192.168.5.64", "source.port": 3182, "tags": [ "forwarded", @@ -611,9 +595,7 @@ "rsa.network.sinterface": "WAN dst=192.168.5.10:3582:LAN proto=udp/3582", "rsa.time.event_time": "2007-01-03T16:48:20.000Z", "service.type": "sonicwall", - "source.ip": [ - "192.168.125.75" - ], + "source.ip": "192.168.125.75", "source.port": 524, "tags": [ "forwarded", @@ -643,9 +625,7 @@ "rsa.network.sinterface": "WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "rsa.time.event_time": "2007-01-03T16:48:21.000Z", "service.type": "sonicwall", - "source.ip": [ - "192.168.6.10" - ], + "source.ip": "192.168.6.10", "source.port": 28503, "tags": [ "forwarded", diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 296004b2c9d0..7ce4d95ec2f9 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -1,9 +1,7 @@ [ { "@timestamp": "2016-01-29T08:09:59.000Z", - "destination.ip": [ - "10.208.15.216" - ], + "destination.ip": "10.208.15.216", "destination.port": 4257, "event.code": "1197", "event.dataset": "sonicwall.firewall", 
@@ -13,6 +11,7 @@ "input.type": "log", "log.offset": 0, "log.original": "itv", + "network.direction": "internal", "network.protocol": "udp", "observer.egress.interface.name": "lo6125", "observer.ingress.interface.name": "eth5722", @@ -31,9 +30,7 @@ "rsa.time.date": "2016/01/29", "rsa.time.event_time": "2016-01-29T08:09:59.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.20.234.169" - ], + "source.ip": "10.20.234.169", "source.port": 1001, "tags": [ "forwarded", @@ -104,9 +101,7 @@ }, { "@timestamp": "2016-03-12T05:17:42.000Z", - "destination.ip": [ - "10.227.15.1" - ], + "destination.ip": "10.227.15.1", "destination.mac": "01:00:5e:f7:a9:ff", "destination.port": 410, "event.action": "allow", @@ -119,6 +114,7 @@ "input.type": "log", "log.level": "medium", "log.offset": 538, + "network.direction": "internal", "network.protocol": "rdp", "observer.egress.interface.name": "eth1977", "observer.ingress.interface.name": "eth6183", @@ -144,9 +140,7 @@ "rsa.time.date": "2016-3-12", "rsa.time.event_time": "2016-03-12T05:17:42.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.150.156.22" - ], + "source.ip": "10.150.156.22", "source.mac": "01:00:5e:84:66:6c", "source.port": 6378, "tags": [ @@ -197,9 +191,7 @@ }, { "@timestamp": "2016-04-24T02:25:25.000Z", - "destination.ip": [ - "10.13.70.213" - ], + "destination.ip": "10.13.70.213", "event.code": "372", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -208,6 +200,7 @@ "input.type": "log", "log.offset": 1033, "log.original": "llu", + "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -220,9 +213,7 @@ "rsa.time.date": "2016/04/24", "rsa.time.event_time": "2016-04-24T02:25:25.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.95.245.65" - ], + "source.ip": "10.95.245.65", "tags": [ "forwarded", "sonicwall.firewall" 
@@ -291,9 +282,7 @@ }, { "@timestamp": "2016-06-20T06:35:42.000Z", - "destination.ip": [ - "10.16.52.205" - ], + "destination.ip": "10.16.52.205", "event.action": "accept", "event.code": "139", "event.dataset": "sonicwall.firewall", @@ -302,13 +291,14 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 1567, + "network.direction": "internal", "observer.ingress.interface.name": "enp0s2489", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.136.153.149", - "10.16.52.205" + "10.16.52.205", + "10.136.153.149" ], "rsa.internal.messageid": "139", "rsa.misc.action": [ @@ -317,9 +307,7 @@ "rsa.network.sinterface": "enp0s2489", "rsa.time.event_time": "2016-06-20T06:35:42.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.136.153.149" - ], + "source.ip": "10.136.153.149", "source.port": 3788, "tags": [ "forwarded", @@ -571,9 +559,7 @@ }, { "@timestamp": "2016-11-24T12:03:59.000Z", - "destination.ip": [ - "10.206.136.206" - ], + "destination.ip": "10.206.136.206", "destination.port": 4108, "event.code": "242", "event.dataset": "sonicwall.firewall", @@ -583,6 +569,7 @@ "input.type": "log", "log.offset": 3028, "log.original": "imidest", + "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -595,9 +582,7 @@ "rsa.time.date": "2016/11/24", "rsa.time.event_time": "2016-11-24T12:03:59.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.153.136.222" - ], + "source.ip": "10.153.136.222", "tags": [ "forwarded", "sonicwall.firewall" @@ -605,9 +590,7 @@ }, { "@timestamp": "2016-12-08T19:06:33.000Z", - "destination.ip": [ - "10.239.201.234" - ], + "destination.ip": "10.239.201.234", "event.code": "87", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", 
@@ -616,6 +599,7 @@ "input.type": "log", "log.offset": 3184, "log.original": "Loremip", + "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -628,9 +612,7 @@ "rsa.time.date": "2016/12/08", "rsa.time.event_time": "2016-12-08T19:06:33.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.204.11.20" - ], + "source.ip": "10.204.11.20", "tags": [ "forwarded", "sonicwall.firewall" @@ -638,9 +620,7 @@ }, { "@timestamp": "2016-12-23T14:09:07.000Z", - "destination.ip": [ - "10.219.116.137" - ], + "destination.ip": "10.219.116.137", "destination.mac": "01:00:5e:e1:73:47", "destination.port": 3452, "event.action": "accept", @@ -653,6 +633,7 @@ "input.type": "log", "log.level": "very-high", "log.offset": 3331, + "network.direction": "internal", "network.protocol": "icmp", "observer.egress.interface.name": "enp0s3611", "observer.ingress.interface.name": "eth4059", @@ -678,9 +659,7 @@ "rsa.time.date": "2016-12-23", "rsa.time.event_time": "2016-12-23T14:09:07.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.245.200.97" - ], + "source.ip": "10.245.200.97", "source.mac": "01:00:5e:1a:ec:91", "source.port": 3768, "tags": [ @@ -690,9 +669,7 @@ }, { "@timestamp": "2017-01-06T09:11:41.000Z", - "destination.ip": [ - "10.252.122.195" - ], + "destination.ip": "10.252.122.195", "event.code": "401", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -701,6 +678,7 @@ "input.type": "log", "log.offset": 3587, "log.original": "inesci", + "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -714,9 +692,7 @@ "rsa.time.date": "2017/01/06", "rsa.time.event_time": "2017-01-06T09:11:41.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.118.80.140" - ], + "source.ip": "10.118.80.140", "tags": [ "forwarded", "sonicwall.firewall" 
@@ -808,9 +784,7 @@ }, { "@timestamp": "2017-03-18T08:24:33.000Z", - "destination.ip": [ - "10.30.153.159" - ], + "destination.ip": "10.30.153.159", "destination.port": 6843, "event.action": "cancel", "event.code": "794", @@ -820,6 +794,7 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 4257, + "network.direction": "internal", "network.protocol": "icmp", "observer.egress.interface.name": "enp0s6487", "observer.ingress.interface.name": "lo6501", @@ -841,9 +816,7 @@ "rsa.time.date": "2017-3-18", "rsa.time.event_time": "2017-03-18T08:24:33.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.86.101.235" - ], + "source.ip": "10.86.101.235", "source.port": 3266, "tags": [ "forwarded", @@ -894,9 +867,7 @@ }, { "@timestamp": "2017-04-30T17:32:16.000Z", - "destination.ip": [ - "10.162.172.28" - ], + "destination.ip": "10.162.172.28", "event.code": "255", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -905,6 +876,7 @@ "input.type": "log", "log.offset": 4750, "log.original": "nre", + "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -916,9 +888,7 @@ "rsa.internal.msg": "nre", "rsa.time.event_time": "2017-04-30T17:32:16.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.237.163.139" - ], + "source.ip": "10.237.163.139", "tags": [ "forwarded", "sonicwall.firewall" @@ -951,9 +921,7 @@ "rsa.network.sinterface": "eth4488", "rsa.time.event_time": "2017-05-15T00:34:50.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.191.23.41" - ], + "source.ip": "10.191.23.41", "source.port": 1493, "tags": [ "forwarded", @@ -1062,9 +1030,7 @@ }, { "@timestamp": "2017-07-25T11:47:41.000Z", - "destination.ip": [ - "10.131.61.13" - ], + "destination.ip": "10.131.61.13", "event.action": "accept", "event.code": "538", "event.dataset": "sonicwall.firewall", 
@@ -1073,6 +1039,7 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 5613, + "network.direction": "internal", "observer.ingress.interface.name": "lo3470", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -1089,9 +1056,7 @@ "rsa.time.date": "2017/07/25", "rsa.time.event_time": "2017-07-25T11:47:41.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.143.76.137" - ], + "source.ip": "10.143.76.137", "source.port": 1414, "tags": [ "forwarded", @@ -1273,9 +1238,7 @@ }, { "@timestamp": "2017-11-16T20:08:15.000Z", - "destination.ip": [ - "10.192.27.157" - ], + "destination.ip": "10.192.27.157", "event.action": "accept", "event.code": "140", "event.dataset": "sonicwall.firewall", @@ -1284,6 +1247,7 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 6746, + "network.direction": "internal", "observer.ingress.interface.name": "enp0s5632", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -1299,9 +1263,7 @@ "rsa.network.sinterface": "enp0s5632", "rsa.time.event_time": "2017-11-16T20:08:15.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.230.173.4" - ], + "source.ip": "10.230.173.4", "source.port": 2631, "tags": [ "forwarded", @@ -1353,9 +1315,7 @@ { "@timestamp": "2017-12-29T17:15:58.000Z", "destination.bytes": 6587, - "destination.ip": [ - "10.190.175.158" - ], + "destination.ip": "10.190.175.158", "destination.port": 7005, "event.code": "195", "event.dataset": "sonicwall.firewall", @@ -1365,6 +1325,7 @@ "input.type": "log", "log.offset": 7140, "log.original": "taevita", + "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -1377,9 +1338,7 @@ "rsa.time.date": "2017/12/29", "rsa.time.event_time": "2017-12-29T17:15:58.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.227.15.253" - ], + "source.ip": "10.227.15.253", "source.port": 271, "tags": [ "forwarded", 
@@ -1409,9 +1368,7 @@ }, { "@timestamp": "2018-01-27T07:21:06.000Z", - "destination.ip": [ - "10.15.97.155" - ], + "destination.ip": "10.15.97.155", "destination.port": 5935, "event.action": "block", "event.code": "616", @@ -1421,6 +1378,7 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 7426, + "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -1435,9 +1393,7 @@ "rsa.time.date": "2018/01/27", "rsa.time.event_time": "2018-01-27T07:21:06.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.29.155.171" - ], + "source.ip": "10.29.155.171", "source.port": 1871, "tags": [ "forwarded", @@ -1512,9 +1468,7 @@ }, { "@timestamp": "2018-03-25T11:31:24.000Z", - "destination.ip": [ - "10.25.32.107" - ], + "destination.ip": "10.25.32.107", "event.code": "261", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -1523,6 +1477,7 @@ "input.type": "log", "log.offset": 7907, "log.original": "lor", + "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -1538,9 +1493,7 @@ "rsa.time.date": "2018/03/25", "rsa.time.event_time": "2018-03-25T11:31:24.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.18.204.87" - ], + "source.ip": "10.18.204.87", "tags": [ "forwarded", "sonicwall.firewall" @@ -1549,9 +1502,7 @@ }, { "@timestamp": "2018-04-08T06:33:58.000Z", - "destination.ip": [ - "10.246.0.167" - ], + "destination.ip": "10.246.0.167", "destination.mac": "01:00:5e:2c:22:06", "destination.port": 2189, "event.action": "block", @@ -1564,6 +1515,7 @@ "input.type": "log", "log.level": "medium", "log.offset": 8059, + "network.direction": "internal", "network.protocol": "icmp", "observer.egress.interface.name": "eth2632", "observer.ingress.interface.name": "lo3856", 
@@ -1589,9 +1541,7 @@ "rsa.time.date": "2018-4-8", "rsa.time.event_time": "2018-04-08T06:33:58.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.71.238.250" - ], + "source.ip": "10.71.238.250", "source.mac": "01:00:5e:7c:42:0b", "source.port": 41, "tags": [ @@ -1601,9 +1551,7 @@ }, { "@timestamp": "2018-04-22T13:36:32.000Z", - "destination.ip": [ - "10.176.209.227" - ], + "destination.ip": "10.176.209.227", "destination.port": 6362, "event.action": "allow", "event.code": "794", @@ -1613,6 +1561,7 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 8303, + "network.direction": "internal", "network.protocol": "ipv6", "observer.egress.interface.name": "eth7037", "observer.ingress.interface.name": "enp0s5411", @@ -1634,9 +1583,7 @@ "rsa.time.date": "2018-4-22", "rsa.time.event_time": "2018-04-22T13:36:32.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.13.66.97" - ], + "source.ip": "10.13.66.97", "source.port": 2000, "tags": [ "forwarded", @@ -1696,9 +1643,7 @@ }, { "@timestamp": "2018-06-04T22:44:15.000Z", - "destination.ip": [ - "10.187.210.173" - ], + "destination.ip": "10.187.210.173", "event.code": "255", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -1707,6 +1652,7 @@ "input.type": "log", "log.offset": 8821, "log.original": "quamnih", + "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -1719,9 +1665,7 @@ "rsa.time.date": "2018/06/04", "rsa.time.event_time": "2018-06-04T22:44:15.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.44.150.31" - ], + "source.ip": "10.44.150.31", "tags": [ "forwarded", "sonicwall.firewall" @@ -1729,9 +1673,7 @@ }, { "@timestamp": "2018-06-19T05:46:49.000Z", - "destination.ip": [ - "10.251.248.228" - ], + "destination.ip": "10.251.248.228", "destination.mac": "01:00:5e:c3:ed:55", "destination.port": 6909, "event.action": "deny", 
@@ -1744,6 +1686,7 @@ "input.type": "log", "log.level": "low", "log.offset": 8976, + "network.direction": "internal", "network.protocol": "udp", "observer.ingress.interface.name": "eth163", "observer.product": "Firewalls", @@ -1767,9 +1710,7 @@ "rsa.time.date": "2018-6-19", "rsa.time.event_time": "2018-06-19T05:46:49.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.113.100.237" - ], + "source.ip": "10.113.100.237", "source.mac": "01:00:5e:8b:c1:b4", "source.port": 3887, "tags": [ @@ -1843,9 +1784,7 @@ }, { "@timestamp": "2018-08-15T09:57:06.000Z", - "destination.ip": [ - "10.50.44.5" - ], + "destination.ip": "10.50.44.5", "destination.port": 7668, "event.action": "block", "event.code": "237", @@ -1855,6 +1794,7 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 9550, + "network.direction": "internal", "observer.egress.interface.name": "lo1441", "observer.ingress.interface.name": "enp0s382", "observer.product": "Firewalls", @@ -1872,9 +1812,7 @@ "rsa.network.sinterface": "enp0s382", "rsa.time.event_time": "2018-08-15T09:57:06.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.105.46.101" - ], + "source.ip": "10.105.46.101", "source.port": 3346, "tags": [ "forwarded", @@ -1883,9 +1821,7 @@ }, { "@timestamp": "2018-08-29T16:59:40.000Z", - "destination.ip": [ - "10.52.248.251" - ], + "destination.ip": "10.52.248.251", "destination.port": 5776, "event.code": "328", "event.dataset": "sonicwall.firewall", @@ -1895,14 +1831,15 @@ "input.type": "log", "log.offset": 9729, "log.original": "squ", + "network.direction": "internal", "observer.egress.interface.name": "lo2241", "observer.ingress.interface.name": "eth6291", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.52.248.251", - "10.60.142.127" + "10.60.142.127", + "10.52.248.251" ], "rsa.internal.messageid": "328", "rsa.internal.msg": "squ", 
@@ -1911,9 +1848,7 @@ "rsa.time.date": "2018/08/29", "rsa.time.event_time": "2018-08-29T16:59:40.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.60.142.127" - ], + "source.ip": "10.60.142.127", "source.port": 1081, "tags": [ "forwarded", @@ -1979,9 +1914,7 @@ }, { "@timestamp": "2018-10-11T14:07:23.000Z", - "destination.ip": [ - "10.115.38.80" - ], + "destination.ip": "10.115.38.80", "event.code": "441", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -1990,6 +1923,7 @@ "input.type": "log", "log.offset": 10161, "log.original": "labor", + "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -2002,9 +1936,7 @@ "rsa.time.date": "2018/10/11", "rsa.time.event_time": "2018-10-11T14:07:23.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.240.54.28" - ], + "source.ip": "10.240.54.28", "tags": [ "forwarded", "sonicwall.firewall" @@ -2033,9 +1965,7 @@ }, { "@timestamp": "2018-11-09T04:12:32.000Z", - "destination.ip": [ - "10.104.49.142" - ], + "destination.ip": "10.104.49.142", "event.code": "252", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -2044,6 +1974,7 @@ "input.type": "log", "log.offset": 10428, "log.original": "eprehend", + "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -2056,9 +1987,7 @@ "rsa.time.date": "2018/11/09", "rsa.time.event_time": "2018-11-09T04:12:32.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.102.166.19" - ], + "source.ip": "10.102.166.19", "tags": [ "forwarded", "sonicwall.firewall" @@ -2066,9 +1995,7 @@ }, { "@timestamp": "2018-11-23T11:15:06.000Z", - "destination.ip": [ - "10.120.25.169" - ], + "destination.ip": "10.120.25.169", "destination.port": 1965, "event.action": "block", "event.code": "199", 
@@ -2078,6 +2005,7 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 10577, + "network.direction": "internal", "observer.egress.interface.name": "lo4527", "observer.ingress.interface.name": "lo4991", "observer.product": "Firewalls", @@ -2096,9 +2024,7 @@ "rsa.time.date": "2018/11/23", "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.203.77.154" - ], + "source.ip": "10.203.77.154", "source.port": 3916, "tags": [ "forwarded", @@ -2149,9 +2075,7 @@ { "@timestamp": "2019-01-05T08:22:49.000Z", "destination.bytes": 1629, - "destination.ip": [ - "10.137.217.159" - ], + "destination.ip": "10.137.217.159", "destination.port": 563, "event.code": "195", "event.dataset": "sonicwall.firewall", @@ -2161,6 +2085,7 @@ "input.type": "log", "log.offset": 10985, "log.original": "rorsit", + "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -2173,9 +2098,7 @@ "rsa.time.date": "2019/01/05", "rsa.time.event_time": "2019-01-05T08:22:49.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.77.95.12" - ], + "source.ip": "10.77.95.12", "source.port": 2310, "tags": [ "forwarded", @@ -2272,8 +2195,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.116.173.79", - "10.185.37.32" + "10.185.37.32", + "10.116.173.79" ], "rsa.internal.messageid": "178", "rsa.internal.msg": "ende", @@ -2322,9 +2245,7 @@ }, { "@timestamp": "2019-04-01T02:38:14.000Z", - "destination.ip": [ - "10.88.244.209" - ], + "destination.ip": "10.88.244.209", "destination.port": 6953, "event.code": "97", "event.dataset": "sonicwall.firewall", @@ -2333,6 +2254,7 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 11885, + "network.direction": "internal", "network.protocol": "ipv6-icmp", "observer.egress.interface.name": "enp0s2460", "observer.ingress.interface.name": "enp0s3423", 
@@ -2351,9 +2273,7 @@ "rsa.time.event_time": "2019-04-01T02:38:14.000Z", "service.type": "sonicwall", "source.bytes": 5835, - "source.ip": [ - "10.152.35.175" - ], + "source.ip": "10.152.35.175", "source.port": 2737, "tags": [ "forwarded", @@ -2364,9 +2284,7 @@ "@timestamp": "2019-04-15T09:40:49.000Z", "destination.address": "ugitsedq5067.internal.test", "destination.bytes": 1635, - "destination.ip": [ - "10.107.216.138" - ], + "destination.ip": "10.107.216.138", "destination.port": 3147, "event.action": "accept", "event.code": "537", @@ -2376,6 +2294,7 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 12100, + "network.direction": "internal", "network.protocol": "rdp", "observer.egress.interface.name": "lo5057", "observer.product": "Firewalls", @@ -2397,9 +2316,7 @@ "rsa.time.event_time": "2019-04-15T09:40:49.000Z", "service.type": "sonicwall", "source.bytes": 5943, - "source.ip": [ - "10.132.171.15" - ], + "source.ip": "10.132.171.15", "tags": [ "forwarded", "sonicwall.firewall" @@ -2428,9 +2345,7 @@ }, { "@timestamp": "2019-05-13T23:45:57.000Z", - "destination.ip": [ - "10.195.223.82" - ], + "destination.ip": "10.195.223.82", "event.code": "351", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -2439,6 +2354,7 @@ "input.type": "log", "log.offset": 12443, "log.original": "CSe", + "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -2451,9 +2367,7 @@ "rsa.time.date": "2019/05/13", "rsa.time.event_time": "2019-05-13T23:45:57.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.135.70.159" - ], + "source.ip": "10.135.70.159", "tags": [ "forwarded", "sonicwall.firewall" @@ -2461,9 +2375,7 @@ }, { "@timestamp": "2019-05-28T06:48:31.000Z", - "destination.ip": [ - "10.142.120.198" - ], + "destination.ip": "10.142.120.198", "event.code": "261", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", 
@@ -2472,6 +2384,7 @@ "input.type": "log", "log.offset": 12591, "log.original": "rsitvolu", + "network.direction": "internal", "observer.ingress.interface.name": "eth3249", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -2489,9 +2402,7 @@ "rsa.time.date": "2019/05/28", "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.22.244.71" - ], + "source.ip": "10.22.244.71", "source.port": 1865, "tags": [ "forwarded", @@ -2617,9 +2528,7 @@ { "@timestamp": "2019-08-22T01:03:57.000Z", "destination.bytes": 7416, - "destination.ip": [ - "10.117.63.181" - ], + "destination.ip": "10.117.63.181", "destination.port": 6863, "event.code": "195", "event.dataset": "sonicwall.firewall", @@ -2629,6 +2538,7 @@ "input.type": "log", "log.offset": 13364, "log.original": "magnaal", + "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -2641,9 +2551,7 @@ "rsa.time.date": "2019/08/21", "rsa.time.event_time": "2019-08-22T01:03:57.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.222.169.140" - ], + "source.ip": "10.222.169.140", "source.port": 5299, "tags": [ "forwarded", @@ -2696,9 +2604,7 @@ }, { "@timestamp": "2019-10-03T10:11:40.000Z", - "destination.ip": [ - "10.200.122.184" - ], + "destination.ip": "10.200.122.184", "destination.port": 1176, "event.action": "allow", "event.code": "794", @@ -2708,6 +2614,7 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 13775, + "network.direction": "internal", "network.protocol": "rdp", "observer.egress.interface.name": "eth5397", "observer.ingress.interface.name": "lo1325", @@ -2729,9 +2636,7 @@ "rsa.time.date": "2019-10-3", "rsa.time.event_time": "2019-10-03T10:11:40.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.57.255.4" - ], + "source.ip": "10.57.255.4", "source.port": 239, "tags": [ "forwarded", 
@@ -2813,9 +2718,7 @@ }, { "@timestamp": "2019-11-30T02:21:57.000Z", - "destination.ip": [ - "10.119.4.120" - ], + "destination.ip": "10.119.4.120", "destination.port": 3822, "event.code": "520", "event.dataset": "sonicwall.firewall", @@ -2825,6 +2728,7 @@ "input.type": "log", "log.offset": 14380, "log.original": "itse", + "network.direction": "internal", "observer.egress.interface.name": "enp0s234", "observer.ingress.interface.name": "lo5561", "observer.product": "Firewalls", @@ -2841,9 +2745,7 @@ "rsa.time.date": "2019/11/30", "rsa.time.event_time": "2019-11-30T02:21:57.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.167.9.200" - ], + "source.ip": "10.167.9.200", "source.port": 4003, "tags": [ "forwarded", @@ -2873,4 +2775,4 @@ "sonicwall.firewall" ] } -] \ No newline at end of file +] From 3ab6feaf552db9b50fca937a13c9f5ed983034cc Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Fri, 2 Apr 2021 12:22:49 +0000 Subject: [PATCH 3/9] update changelog --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 1c02028818fa..e1561118e354 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -858,6 +858,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add multiline support to aws-s3 input. {issue}25249[25249] {pull}25710[25710] - Add monitoring metrics to the `aws-s3` input. {pull}25711[25711] - Added `network.direction` fields to Zeek and Suricata module using the `add_network_direction` processor {pull}24620[24620] +- Added `network.direction` fields to Zeek, Suricata, Snort, Sonicwall modules using the `add_network_direction` processor {pull}24620[24620] *Heartbeat* From 62c7a6f4f98b6887cc3c7b86831c0985614a065d Mon Sep 17 00:00:00 2001 
From: Alex Resnick Date: Wed, 28 Apr 2021 20:09:58 +0000 Subject: [PATCH 4/9] use ES network_direction processor --- .../module/snort/log/config/input.yml | 12 ++--- .../module/snort/log/ingest/pipeline.yml | 13 +++++ x-pack/filebeat/module/snort/log/manifest.yml | 2 - .../log/test/generated.log-expected.json | 28 +++++------ .../sonicwall/firewall/config/input.yml | 12 ++--- .../sonicwall/firewall/ingest/pipeline.yml | 13 +++++ .../module/sonicwall/firewall/manifest.yml | 2 - .../firewall/test/generated.log-expected.json | 48 +++++++++---------- .../module/suricata/eve/config/eve.yml | 12 ++--- .../module/suricata/eve/ingest/pipeline.yml | 13 +++++ .../filebeat/module/suricata/eve/manifest.yml | 2 - .../zeek/connection/config/connection.yml | 25 +++++----- .../zeek/connection/ingest/pipeline.yml | 14 ++++++ .../test/connection-json.log-expected.json | 2 + .../module/zeek/dce_rpc/config/dce_rpc.yml | 10 ++-- .../module/zeek/dce_rpc/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/dhcp/config/dhcp.yml | 10 ++-- .../module/zeek/dhcp/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/dnp3/config/dnp3.yml | 10 ++-- .../module/zeek/dnp3/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/dns/config/dns.yml | 10 ++-- .../module/zeek/dns/ingest/pipeline.yml | 14 +++++- .../filebeat/module/zeek/dpd/config/dpd.yml | 10 ++-- .../module/zeek/dpd/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/ftp/config/ftp.yml | 10 ++-- .../module/zeek/ftp/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/http/config/http.yml | 10 ++-- .../module/zeek/http/ingest/pipeline.yml | 13 +++++ .../module/zeek/intel/config/intel.yml | 10 ++-- .../module/zeek/intel/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/irc/config/irc.yml | 10 ++-- .../module/zeek/irc/ingest/pipeline.yml | 13 +++++ .../module/zeek/kerberos/config/kerberos.yml | 10 ++-- .../module/zeek/kerberos/ingest/pipeline.yml | 13 +++++ .../module/zeek/modbus/config/modbus.yml | 10 ++-- 
.../module/zeek/modbus/ingest/pipeline.yml | 13 +++++ .../module/zeek/mysql/config/mysql.yml | 10 ++-- .../module/zeek/mysql/ingest/pipeline.yml | 13 +++++ .../module/zeek/notice/config/notice.yml | 10 ++-- .../module/zeek/notice/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/ntlm/config/ntlm.yml | 10 ++-- .../module/zeek/ntlm/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/ntp/config/ntp.yml | 10 ++-- .../module/zeek/ntp/ingest/pipeline.yml | 13 +++++ .../module/zeek/radius/config/radius.yml | 10 ++-- .../module/zeek/radius/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/rdp/config/rdp.yml | 10 ++-- .../module/zeek/rdp/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/rfb/config/rfb.yml | 10 ++-- .../module/zeek/rfb/ingest/pipeline.yml | 13 +++++ .../zeek/signature/config/signature.yml | 10 ++-- .../module/zeek/signature/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/sip/config/sip.yml | 10 ++-- .../module/zeek/sip/ingest/pipeline.yml | 13 +++++ .../module/zeek/smb_cmd/config/smb_cmd.yml | 10 ++-- .../module/zeek/smb_cmd/ingest/pipeline.yml | 13 +++++ .../zeek/smb_files/config/smb_files.yml | 10 ++-- .../module/zeek/smb_files/ingest/pipeline.yml | 13 +++++ .../zeek/smb_mapping/config/smb_mapping.yml | 10 ++-- .../zeek/smb_mapping/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/smtp/config/smtp.yml | 10 ++-- .../module/zeek/smtp/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/snmp/config/snmp.yml | 10 ++-- .../module/zeek/snmp/ingest/pipeline.yml | 13 +++++ .../module/zeek/socks/config/socks.yml | 10 ++-- .../module/zeek/socks/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/ssh/config/ssh.yml | 10 ++-- .../module/zeek/ssh/ingest/pipeline.yml | 13 +++++ .../filebeat/module/zeek/ssl/config/ssl.yml | 10 ++-- .../module/zeek/ssl/ingest/pipeline.yml | 13 +++++ .../module/zeek/syslog/config/syslog.yml | 10 ++-- .../module/zeek/syslog/ingest/pipeline.yml | 13 +++++ .../zeek/traceroute/config/traceroute.yml | 
9 ++-- .../zeek/traceroute/ingest/pipeline.yml | 11 +++++ .../module/zeek/tunnel/config/tunnel.yml | 9 ++-- .../module/zeek/tunnel/ingest/pipeline.yml | 11 +++++ .../module/zeek/weird/config/weird.yml | 9 ++-- .../module/zeek/weird/ingest/pipeline.yml | 13 +++++ 78 files changed, 656 insertions(+), 272 deletions(-) diff --git a/x-pack/filebeat/module/snort/log/config/input.yml b/x-pack/filebeat/module/snort/log/config/input.yml index 4d6ec8140bb5..d9e5fcf6706f 100644 --- a/x-pack/filebeat/module/snort/log/config/input.yml +++ b/x-pack/filebeat/module/snort/log/config/input.yml @@ -36,15 +36,11 @@ processors: files: - ${path.home}/module/snort/log/config/liblogparser.js - ${path.home}/module/snort/log/config/pipeline.js -{{ if .community_id }} -- community_id: -{{ end }} {{ if .internal_networks }} -- add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} +- add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - registered_domain: ignore_missing: true diff --git a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml index 262bbcff330f..341d5d696fe0 100644 --- a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml @@ -10,6 +10,19 @@ processors: - user_agent: field: user_agent.original ignore_missing: true + # Network Direction + - network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true + - community_id: + ignore_missing: true + - remove: + field: + - _conf + ignore_missing: true # IP Geolocation Lookup - geoip: field: source.ip diff --git a/x-pack/filebeat/module/snort/log/manifest.yml b/x-pack/filebeat/module/snort/log/manifest.yml index e50a6c8c68d2..9c1694ce9f00 100644 
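Review bot: Nothing in the new processor block guards against an Elasticsearch cluster that predates the `network_direction` and `community_id` ingest processors; on such a cluster the pipeline PUT is rejected and the whole fileset fails to load, whereas the Beat-side processors this replaces did not depend on the output at all. Unless Filebeat's pipeline loader already strips processors the target version lacks (not visible from this diff), that handling or a documented minimum Elasticsearch version for these modules should accompany the change. The `# Network Direction` comment also undersells what follows: it heads the `community_id` and `remove` processors as well and does not say where `_conf.internal_networks` comes from, which is the one non-obvious part of this design; suggest `# Network direction and community ID. _conf.internal_networks is injected by the Beat-side add_fields processor in config/input.yml (only when var.internal_networks is set) and removed again below.` Both points apply to every ingest/pipeline.yml hunk in this commit.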
--- a/x-pack/filebeat/module/snort/log/manifest.yml +++ b/x-pack/filebeat/module/snort/log/manifest.yml @@ -10,8 +10,6 @@ var: default: 9548 - name: input default: udp - - name: community_id - default: true - name: tz_offset default: local - name: rsa_fields diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json index c2f15701738b..b3fee7eb7c0c 100644 --- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json @@ -209,8 +209,8 @@ "itame189.domain" ], "related.ip": [ - "10.24.67.250", - "10.182.199.231" + "10.182.199.231", + "10.24.67.250" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "oei", @@ -873,8 +873,8 @@ "tper4341.lan" ], "related.ip": [ - "10.111.33.70", - "10.210.180.142" + "10.210.180.142", + "10.111.33.70" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "animi", @@ -1616,8 +1616,8 @@ "urau1660.www.lan" ], "related.ip": [ - "10.201.132.114", - "10.140.209.249" + "10.140.209.249", + "10.201.132.114" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "lor", @@ -2078,8 +2078,8 @@ "uovol2459.www5.invalid" ], "related.ip": [ - "10.28.105.106", - "10.60.137.215" + "10.60.137.215", + "10.28.105.106" ], "rsa.crypto.sig_type": "tionu", "rsa.internal.messageid": "5155", @@ -2272,8 +2272,8 @@ "emulla6625.www5.corp" ], "related.ip": [ - "10.237.43.87", - "10.82.180.46" + "10.82.180.46", + "10.237.43.87" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "oloremqu", @@ -2399,8 +2399,8 @@ "upta788.invalid" ], "related.ip": [ - "10.166.10.187", - "10.40.250.209" + "10.40.250.209", + "10.166.10.187" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "high-temUte", 
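Review bot: Dropping the `community_id` var removes the only switch users had to turn community ID computation off (`var.community_id: false`), and the new `community_id` ingest processor runs unconditionally, so this is a user-visible behaviour change rather than a refactor; the same removal appears in the sonicwall and suricata manifest hunks. Moving both `community_id` and `network_direction` from Beat-side processors into the ingest pipeline also means events shipped through a non-Elasticsearch output no longer carry `network.community_id` or `network.direction`. The changelog line added earlier in this series still credits the Beat-side `add_network_direction` processor; it should say the fields are now produced by the Elasticsearch ingest pipeline and that `var.community_id` no longer exists.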
@@ -2818,8 +2818,8 @@ "Bonoru5658.mail.invalid" ], "related.ip": [ - "10.29.231.11", - "10.46.57.181" + "10.46.57.181", + "10.29.231.11" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "remape", diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml index ff0b8145857c..af680a44f845 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml @@ -36,15 +36,11 @@ processors: files: - ${path.home}/module/sonicwall/firewall/config/liblogparser.js - ${path.home}/module/sonicwall/firewall/config/pipeline.js -{{ if .community_id }} -- community_id: ~ -{{ end }} {{ if .internal_networks }} -- add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} +- add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - registered_domain: ignore_missing: true diff --git a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml index 0d5140dee4c5..d0b05776ead6 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml @@ -10,6 +10,19 @@ processors: - user_agent: field: user_agent.original ignore_missing: true + # Network Direction + - network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true + - community_id: + ignore_missing: true + - remove: + field: + - _conf + ignore_missing: true # IP Geolocation Lookup - geoip: field: source.ip diff --git a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml index 16e3130f2239..2d368d86749e 100644 
--- a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml @@ -10,8 +10,6 @@ var: default: 9536 - name: input default: udp - - name: community_id - default: true - name: tz_offset default: local - name: rsa_fields diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 7ce4d95ec2f9..fe3d491f0c58 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -57,8 +57,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.hosts": [ - "nostrud4819.mail.test", - "oreetdol1714.internal.corp" + "oreetdol1714.internal.corp", + "nostrud4819.mail.test" ], "related.ip": [ "10.49.111.67", @@ -297,8 +297,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.16.52.205", - "10.136.153.149" + "10.136.153.149", + "10.16.52.205" ], "rsa.internal.messageid": "139", "rsa.misc.action": [ @@ -487,8 +487,8 @@ "fugi4637.www.lan" ], "related.ip": [ - "10.241.178.107", - "10.30.196.102" + "10.30.196.102", + "10.241.178.107" ], "rsa.internal.messageid": "353", "rsa.internal.msg": "onproide", @@ -574,8 +574,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.153.136.222", - "10.206.136.206" + "10.206.136.206", + "10.153.136.222" ], "rsa.internal.messageid": "242", "rsa.internal.msg": "imidest", @@ -881,8 +881,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.162.172.28", - "10.237.163.139" + "10.237.163.139", + "10.162.172.28" ], "rsa.internal.messageid": "255", "rsa.internal.msg": "nre", 
@@ -1253,8 +1253,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.192.27.157", - "10.230.173.4" + "10.230.173.4", + "10.192.27.157" ], "rsa.internal.messageid": "140", "rsa.misc.action": [ @@ -1801,8 +1801,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.105.46.101", - "10.50.44.5" + "10.50.44.5", + "10.105.46.101" ], "rsa.internal.messageid": "237", "rsa.misc.action": [ @@ -2012,8 +2012,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.120.25.169", - "10.203.77.154" + "10.203.77.154", + "10.120.25.169" ], "rsa.internal.messageid": "199", "rsa.misc.action": [ @@ -2090,8 +2090,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.137.217.159", - "10.77.95.12" + "10.77.95.12", + "10.137.217.159" ], "rsa.internal.messageid": "195", "rsa.internal.msg": "rorsit", @@ -2304,8 +2304,8 @@ "ugitsedq5067.internal.test" ], "related.ip": [ - "10.107.216.138", - "10.132.171.15" + "10.132.171.15", + "10.107.216.138" ], "rsa.internal.messageid": "537", "rsa.misc.action": [ @@ -2390,8 +2390,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.142.120.198", - "10.22.244.71" + "10.22.244.71", + "10.142.120.198" ], "related.user": [ "usmo" @@ -2509,8 +2509,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.12.54.142", - "10.56.10.84" + "10.56.10.84", + "10.12.54.142" ], "rsa.internal.messageid": "658", "rsa.internal.msg": "osquirat", diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml index 7ed6b3808c04..619a4cc60a28 100644 --- a/x-pack/filebeat/module/suricata/eve/config/eve.yml +++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml 
@@ -40,15 +40,11 @@ processors: - drop_fields: fields: - suricata.eve.timestamp -{{ if .community_id }} - - community_id: -{{ end }} {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - registered_domain: when: diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml index e957d177f38f..07e710bb75fe 100644 --- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml +++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml @@ -299,6 +299,19 @@ processors: field: suricata.eve.proto target_field: network.transport ignore_missing: true + # Network Direction + - network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true + - community_id: + ignore_missing: true + - remove: + field: + - _conf + ignore_missing: true - geoip: if: ctx?.source?.geo == null field: source.ip diff --git a/x-pack/filebeat/module/suricata/eve/manifest.yml b/x-pack/filebeat/module/suricata/eve/manifest.yml index ae3b99ba315f..1ca547f841fa 100644 --- a/x-pack/filebeat/module/suricata/eve/manifest.yml +++ b/x-pack/filebeat/module/suricata/eve/manifest.yml @@ -10,8 +10,6 @@ var: - 'c:/program files/suricata/log/eve.json' - name: tags default: [suricata] - - name: community_id - default: true - name: internal_networks default: [ private ] diff --git a/x-pack/filebeat/module/zeek/connection/config/connection.yml b/x-pack/filebeat/module/zeek/connection/config/connection.yml index c2fee6dca9e9..6e894df03a34 100644 --- a/x-pack/filebeat/module/zeek/connection/config/connection.yml +++ b/x-pack/filebeat/module/zeek/connection/config/connection.yml 
@@ -90,21 +90,18 @@ processors: kind: event category: - network - - if: - equals.network.transport: icmp - then: - community_id: - fields: - icmp_type: zeek.connection.icmp.type - icmp_code: zeek.connection.icmp.code - else: - community_id: + - copy_fields: + fields: + - from: zeek.connection.icmp.type + to: icmp.type + - from: zeek.connection.icmp.code + to: icmp.code + ignore_missing: true {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml index 93245720a06e..b2fad201dbf5 100644 --- a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml @@ -70,6 +70,20 @@ processors: ctx.network.direction = "external"; return; } +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true + if: ctx?.network?.direction == null +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json index 088aee7aedf4..2afe9a05c58e 100644 --- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json 
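Review bot: The `copy_fields` added to connection.yml leaves non-ECS `icmp.type` and `icmp.code` fields in every ICMP event (the connection-json expected fixture in the next hunk now carries them), solely so the ingest `community_id` processor can find the values at its default locations. That processor accepts `icmp_type` and `icmp_code` options, so the pipeline hunk on this line can read the Zeek fields directly and the copy can be dropped: `- community_id:` / `    icmp_type: zeek.connection.icmp.type` / `    icmp_code: zeek.connection.icmp.code` / `    ignore_missing: true`. If the copy is kept instead, the `icmp.*` fields need a declared mapping in the module's fields.yml or a `remove` alongside `_conf`, otherwise they land in the index as undeclared dynamic fields.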
@@ -191,6 +191,8 @@ "info" ], "fileset.name": "connection", + "icmp.code": 3, + "icmp.type": 3, "input.type": "log", "log.offset": 1180, "network.bytes": 107, diff --git a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml index 95a0f810a04f..016ea4c0db59 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml @@ -54,13 +54,11 @@ processors: - connection - protocol - info - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml index f0a837709dcf..82b9c80837c1 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml @@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.dce_rpc.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - append: field: related.ip value: '{{source.ip}}' diff --git a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml index be8f090724c8..64b11d14013a 100644 --- a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml +++ b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml 
@@ -116,13 +116,11 @@ processors: - connection - protocol - info - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml index 49216c077c27..5b34712a5b1a 100644 --- a/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml @@ -24,6 +24,19 @@ processors: field: related.ip value: '{{destination.ip}}' if: 'ctx?.destination?.ip != null' +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml index e342eb73731e..9a48dcd842f7 100644 --- a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml +++ b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml @@ -64,13 +64,11 @@ processors: - connection - protocol - info - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml index e104312e1e13..ca3229779420 100644 
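Review bot: The `remove` of `_conf` in the dhcp pipeline hunk only runs on the success path; when any earlier processor fails, the `on_failure` handler visible just below it sets `error.message` and the document is still indexed with `_conf.internal_networks` attached. That field is operator configuration (the internal-network CIDR list) and is not declared in fields.yml, so every failed event both leaks it into the data stream and creates an undeclared dynamic field. Add the cleanup to the handler as well: `on_failure:` / `  - remove:` / `      field: _conf` / `      ignore_missing: true` ahead of the existing `set`. The other ingest/pipeline.yml hunks in this commit whose `on_failure` handlers lie outside their hunks presumably need the same.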
--- a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml @@ -23,6 +23,19 @@ processors: - lowercase: field: event.action ignore_missing: true +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml index f11fcf957267..1b83c1a8b48b 100644 --- a/x-pack/filebeat/module/zeek/dns/config/dns.yml +++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml @@ -204,13 +204,11 @@ processors: - connection - info - protocol - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - drop_fields: ignore_missing: true diff --git a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml index 6d9ed369ea89..2875805c7152 100644 --- a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml @@ -14,7 +14,19 @@ processors: - UNIX - remove: field: zeek.dns.ts - + # Network Direction + - network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true + - community_id: + ignore_missing: true + - remove: + field: + - _conf + ignore_missing: true # IP Geolocation Lookup - geoip: field: source.ip 
diff --git a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml index 9bc5eda83bdb..8b1023ba0dd9 100644 --- a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml +++ b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml @@ -53,13 +53,11 @@ processors: type: - connection - info - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml index 32d1852c3e2c..ca89475e2896 100644 --- a/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml @@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.dpd.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: source.ip target_field: source.geo diff --git a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml index a00617f21dd0..be97506f381f 100644 --- a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml +++ b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml @@ -82,13 +82,11 @@ processors: - connection - info - protocol - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' 
diff --git a/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml index f1f7d0b4f522..8daead05efa2 100644 --- a/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml @@ -15,6 +15,19 @@ processors: - dot_expander: field: data_channel.passive path: zeek.ftp +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/zeek/http/config/http.yml b/x-pack/filebeat/module/zeek/http/config/http.yml index b22da788463a..548bd3070c40 100644 --- a/x-pack/filebeat/module/zeek/http/config/http.yml +++ b/x-pack/filebeat/module/zeek/http/config/http.yml @@ -91,13 +91,11 @@ processors: - connection - info - protocol - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml index a2c4a85b9941..36c0b7ac4df8 100644 --- a/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml 
@@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.http.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/intel/config/intel.yml b/x-pack/filebeat/module/zeek/intel/config/intel.yml index 45c703aa6920..92f0d64be2ed 100644 --- a/x-pack/filebeat/module/zeek/intel/config/intel.yml +++ b/x-pack/filebeat/module/zeek/intel/config/intel.yml @@ -63,13 +63,11 @@ processors: kind: alert type: - info - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml index f70094311318..e636d30ca9e9 100644 --- a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml @@ -13,6 +13,19 @@ processors: - UNIX - remove: field: zeek.intel.ts + # Network Direction + - network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true + - community_id: + ignore_missing: true + - remove: + field: + - _conf + ignore_missing: true # IP Geolocation Lookup - geoip: if: ctx.source?.geo == null diff --git a/x-pack/filebeat/module/zeek/irc/config/irc.yml b/x-pack/filebeat/module/zeek/irc/config/irc.yml index 4509c1837861..c4fbde2de9ff 100644 
--- a/x-pack/filebeat/module/zeek/irc/config/irc.yml +++ b/x-pack/filebeat/module/zeek/irc/config/irc.yml @@ -68,13 +68,11 @@ processors: - connection - protocol - info - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml index dd1e37a7035e..64d7c1730a6b 100644 --- a/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml @@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.irc.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml index f788b6abfb0e..d390cf198606 100644 --- a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml +++ b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml @@ -100,13 +100,11 @@ processors: tokenizer: "%{user.name}/%{user.domain}" field: zeek.kerberos.client target_prefix: "" - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' 
diff --git a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml index e0f45f715850..d1c35440db87 100644 --- a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml @@ -35,6 +35,19 @@ processors: field: event.outcome value: failure if: "ctx?.zeek?.kerberos?.success == false" +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml index ba6e17b0610c..b80a40f3cc09 100644 --- a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml +++ b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml @@ -69,13 +69,11 @@ processors: target: event fields: outcome: success - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml index d918b2de09a2..884bec52ac61 100644 --- a/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml 
@@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.modbus.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml index 34f641fc8134..868012b0bade 100644 --- a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml +++ b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml @@ -68,13 +68,11 @@ processors: target: event fields: outcome: failure - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml index d5552af6d29f..abfb17c7d84f 100644 --- a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml @@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.mysql.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/zeek/notice/config/notice.yml b/x-pack/filebeat/module/zeek/notice/config/notice.yml index 34c5cc5f4e56..19fa2616d1fa 100644 
--- a/x-pack/filebeat/module/zeek/notice/config/notice.yml +++ b/x-pack/filebeat/module/zeek/notice/config/notice.yml @@ -100,13 +100,11 @@ processors: - intrusion_detection type: - info - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml index c741d355361f..409bd14daeec 100644 --- a/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml @@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.notice.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml index c121bd5afb80..6639f93e5732 100644 --- a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml +++ b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml @@ -82,13 +82,11 @@ processors: target: event fields: outcome: failure - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' 
diff --git a/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml index 690fd54a54ba..8fae9fd07c57 100644 --- a/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml @@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.ntlm.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/zeek/ntp/config/ntp.yml b/x-pack/filebeat/module/zeek/ntp/config/ntp.yml index 690315319a47..64ae979d85e6 100644 --- a/x-pack/filebeat/module/zeek/ntp/config/ntp.yml +++ b/x-pack/filebeat/module/zeek/ntp/config/ntp.yml @@ -50,13 +50,11 @@ processors: fields: protocol: ntp transport: udp - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml index ed603292a3d3..d563f67b2b44 100644 --- a/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml 
@@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.ntp.ts + # Network Direction + - network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true + - community_id: + ignore_missing: true + - remove: + field: + - _conf + ignore_missing: true # IP Geolocation Lookup - geoip: if: ctx.source?.geo == null diff --git a/x-pack/filebeat/module/zeek/radius/config/radius.yml b/x-pack/filebeat/module/zeek/radius/config/radius.yml index cbe891c9d2f8..adc1a1cff5b1 100644 --- a/x-pack/filebeat/module/zeek/radius/config/radius.yml +++ b/x-pack/filebeat/module/zeek/radius/config/radius.yml @@ -54,13 +54,11 @@ processors: type: - info - connection - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml index acc7fad2f030..81633de0c42e 100644 --- a/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml @@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.radius.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml index 66d984cc5fc9..fda80c87aa56 100644 
--- a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml +++ b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml @@ -84,13 +84,11 @@ processors: type: - protocol - info - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml index bbe4abcee9fa..1f57f470e14b 100644 --- a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml @@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.rdp.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - convert: field: zeek.rdp.ssl target_field: tls.established diff --git a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml index 0b4391e4ccd2..3094eb33aaa9 100644 --- a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml +++ b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml @@ -69,13 +69,11 @@ processors: type: - connection - info - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' 
diff --git a/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml index 2ce5fda4e16b..a7a43e99e809 100644 --- a/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml @@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.rfb.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/zeek/signature/config/signature.yml b/x-pack/filebeat/module/zeek/signature/config/signature.yml index ff76140e6669..627b474d2404 100644 --- a/x-pack/filebeat/module/zeek/signature/config/signature.yml +++ b/x-pack/filebeat/module/zeek/signature/config/signature.yml @@ -43,13 +43,11 @@ processors: target: event fields: kind: alert - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml index 539ea5d79121..b0d934097e51 100644 --- a/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml 
@@ -13,6 +13,19 @@ processors: - UNIX - remove: field: zeek.signature.ts + # Network Direction + - network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true + - community_id: + ignore_missing: true + - remove: + field: + - _conf + ignore_missing: true # IP Geolocation Lookup - geoip: if: ctx.source?.geo == null diff --git a/x-pack/filebeat/module/zeek/sip/config/sip.yml b/x-pack/filebeat/module/zeek/sip/config/sip.yml index 459f64c9e772..b608b0083f3e 100644 --- a/x-pack/filebeat/module/zeek/sip/config/sip.yml +++ b/x-pack/filebeat/module/zeek/sip/config/sip.yml @@ -91,13 +91,11 @@ processors: type: - connection - protocol - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml index 045d5afe760b..2e95daa29eda 100644 --- a/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml @@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.sip.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - grok: field: zeek.sip.seq patterns: diff --git a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml index 05acce04817d..1855780a0435 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml 
+++ b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml @@ -97,13 +97,11 @@ processors: type: - connection - protocol - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml index 0a853104351e..cd06ec362059 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml @@ -15,6 +15,19 @@ processors: - remove: field: zeek.smb_cmd.referenced_file ignore_missing: true +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml index 063854ccc142..10a8b1be2c3f 100644 --- a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml +++ b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml @@ -57,13 +57,11 @@ processors: type: - connection - protocol - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' 
diff --git a/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml index b1c0d3a69920..40900afabbed 100644 --- a/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml @@ -64,6 +64,19 @@ processors: field: file.mtime value: "{{zeek.smb_files.times.modified}}" if: "ctx?.zeek?.smb_files?.times?.modified != null" +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml index 54414b0ac0cf..c75347829e2f 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml @@ -53,13 +53,11 @@ processors: type: - connection - protocol - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml index e116e1bfb600..e0ddce63c84c 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml 
@@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.smb_mapping.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml index 866483510bc4..3d0f60abf328 100644 --- a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml +++ b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml @@ -63,13 +63,11 @@ processors: type: - connection - protocol - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml index 03e2ffb6a250..0a559b8c89ea 100644 --- a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml @@ -18,6 +18,19 @@ processors: formats: - EEE, d MMM yyyy HH:mm:ss Z if: ctx.zeek.smtp.date != null +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml index f60c520e942e..056364f6dd02 100644 
--- a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml +++ b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml @@ -65,13 +65,11 @@ processors: type: - connection - protocol - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml index 1aefc539733d..56e977292a59 100644 --- a/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml @@ -18,6 +18,19 @@ processors: formats: - UNIX if: ctx.zeek.snmp.up_since != null +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/socks/config/socks.yml b/x-pack/filebeat/module/zeek/socks/config/socks.yml index 37e98cf69e23..91bf4e3f2205 100644 --- a/x-pack/filebeat/module/zeek/socks/config/socks.yml +++ b/x-pack/filebeat/module/zeek/socks/config/socks.yml @@ -63,13 +63,11 @@ processors: type: - connection - protocol - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' 
diff --git a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml index e64c5ec9eb33..65de8b1d1468 100644 --- a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml @@ -15,6 +15,19 @@ processors: - dot_expander: field: bound.host path: zeek.socks +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml index 93289dc87db1..aab0cfe1a2cb 100644 --- a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml +++ b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml @@ -72,13 +72,11 @@ processors: type: - connection - protocol - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml index 26980d26f3da..ed4554119290 100644 --- a/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml 
@@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.ssh.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml index 91d05b6824ff..53786a09e46f 100644 --- a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml +++ b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml @@ -90,13 +90,11 @@ processors: type: - connection - protocol - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml index 4a980be985a2..f6ebf0e46f65 100644 --- a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml @@ -25,6 +25,19 @@ processors: target_field: tls.server.not_after formats: - UNIX +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml index 6ce6d17373a3..657cc1d7da2f 100644 
--- a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml +++ b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml @@ -53,13 +53,11 @@ processors: target: event fields: kind: event - - community_id: {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml index 5f3432ec4888..20fb4b2cdad3 100644 --- a/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml @@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.syslog.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml index 1ed6932b02d9..7edf8b30ea34 100644 --- a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml +++ b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml @@ -35,11 +35,10 @@ processors: ignore_missing: true fail_on_error: false {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: event 
diff --git a/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml index f4744c540d71..f667c0a6db1e 100644 --- a/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml @@ -12,6 +12,17 @@ processors: - UNIX - remove: field: zeek.traceroute.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml index 94918403879f..2c9c52cc2190 100644 --- a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml +++ b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml @@ -46,11 +46,10 @@ processors: ignore_missing: true fail_on_error: false {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: event diff --git a/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml index 9ca83da33051..3139fe0e5f76 100644 --- a/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml 
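Review bot: The traceroute pipeline hunk (and the tunnel pipeline hunk that follows) adds `network_direction` and the `_conf` removal but no `community_id` processor, whereas the weird pipeline hunk in the same patch adds `- community_id: ignore_missing: true` even though the weird config hunk, like traceroute's and tunnel's, removes only `add_network_direction` and never had a Beat-side `community_id`. One of the two is presumably unintended: either weird now gains a `network.community_id` it did not produce before, or traceroute and tunnel were meant to get the same processor. Whichever is intended, a one-line comment in the pipelines that omit it, e.g. `# no community_id: this log has no port/transport tuple`, would make the asymmetry deliberate rather than accidental; I cannot tell from these hunks which fields the three logs carry.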
@@ -12,6 +12,17 @@ processors: - UNIX - remove: field: zeek.tunnel.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/weird/config/weird.yml b/x-pack/filebeat/module/zeek/weird/config/weird.yml index 7b3d2f5bcccf..586e0d296cc6 100644 --- a/x-pack/filebeat/module/zeek/weird/config/weird.yml +++ b/x-pack/filebeat/module/zeek/weird/config/weird.yml @@ -46,11 +46,10 @@ processors: ignore_missing: true fail_on_error: false {{ if .internal_networks }} - - add_network_direction: - source: source.ip - destination: destination.ip - target: network.direction - internal_networks: {{ .internal_networks | tojson }} + - add_fields: + target: _conf + fields: + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: event diff --git a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml index d791eb77a09c..0a14f26b2ff9 100644 --- a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml @@ -12,6 +12,19 @@ processors: - UNIX - remove: field: zeek.weird.ts +# Network Direction +- network_direction: + source_ip: source.ip + destination_ip: destination.ip + target_field: network.direction + internal_networks_field: _conf.internal_networks + ignore_missing: true +- community_id: + ignore_missing: true +- remove: + field: + - _conf + ignore_missing: true - geoip: field: destination.ip target_field: destination.geo From 0966bf577827cec4a6f20b996629bca559d1bf39 Mon Sep 17 00:00:00 2001 
From: Alex Resnick Date: Thu, 13 May 2021 17:10:07 +0000 Subject: [PATCH 5/9] Revert "use ES network_direction processor" This reverts commit 1c5722d9f1f6cd5370ef3f3d7a882e49731a4e3d. --- .../module/snort/log/config/input.yml | 12 +++-- .../module/snort/log/ingest/pipeline.yml | 13 ----- x-pack/filebeat/module/snort/log/manifest.yml | 2 + .../log/test/generated.log-expected.json | 22 ++++---- .../sonicwall/firewall/config/input.yml | 12 +++-- .../sonicwall/firewall/ingest/pipeline.yml | 13 ----- .../module/sonicwall/firewall/manifest.yml | 2 + .../firewall/test/generated.log-expected.json | 54 +++++++++---------- .../module/suricata/eve/config/eve.yml | 12 +++-- .../module/suricata/eve/ingest/pipeline.yml | 13 ----- .../filebeat/module/suricata/eve/manifest.yml | 2 + .../zeek/connection/config/connection.yml | 25 +++++---- .../zeek/connection/ingest/pipeline.yml | 14 ----- .../test/connection-json.log-expected.json | 2 - .../module/zeek/dce_rpc/config/dce_rpc.yml | 10 ++-- .../module/zeek/dce_rpc/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/dhcp/config/dhcp.yml | 10 ++-- .../module/zeek/dhcp/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/dnp3/config/dnp3.yml | 10 ++-- .../module/zeek/dnp3/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/dns/config/dns.yml | 10 ++-- .../module/zeek/dns/ingest/pipeline.yml | 14 +---- .../filebeat/module/zeek/dpd/config/dpd.yml | 10 ++-- .../module/zeek/dpd/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/ftp/config/ftp.yml | 10 ++-- .../module/zeek/ftp/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/http/config/http.yml | 10 ++-- .../module/zeek/http/ingest/pipeline.yml | 13 ----- .../module/zeek/intel/config/intel.yml | 10 ++-- .../module/zeek/intel/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/irc/config/irc.yml | 10 ++-- .../module/zeek/irc/ingest/pipeline.yml | 13 ----- .../module/zeek/kerberos/config/kerberos.yml | 10 ++-- .../module/zeek/kerberos/ingest/pipeline.yml | 13 ----- 
.../module/zeek/modbus/config/modbus.yml | 10 ++-- .../module/zeek/modbus/ingest/pipeline.yml | 13 ----- .../module/zeek/mysql/config/mysql.yml | 10 ++-- .../module/zeek/mysql/ingest/pipeline.yml | 13 ----- .../module/zeek/notice/config/notice.yml | 10 ++-- .../module/zeek/notice/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/ntlm/config/ntlm.yml | 10 ++-- .../module/zeek/ntlm/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/ntp/config/ntp.yml | 10 ++-- .../module/zeek/ntp/ingest/pipeline.yml | 13 ----- .../module/zeek/radius/config/radius.yml | 10 ++-- .../module/zeek/radius/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/rdp/config/rdp.yml | 10 ++-- .../module/zeek/rdp/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/rfb/config/rfb.yml | 10 ++-- .../module/zeek/rfb/ingest/pipeline.yml | 13 ----- .../zeek/signature/config/signature.yml | 10 ++-- .../module/zeek/signature/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/sip/config/sip.yml | 10 ++-- .../module/zeek/sip/ingest/pipeline.yml | 13 ----- .../module/zeek/smb_cmd/config/smb_cmd.yml | 10 ++-- .../module/zeek/smb_cmd/ingest/pipeline.yml | 13 ----- .../zeek/smb_files/config/smb_files.yml | 10 ++-- .../module/zeek/smb_files/ingest/pipeline.yml | 13 ----- .../zeek/smb_mapping/config/smb_mapping.yml | 10 ++-- .../zeek/smb_mapping/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/smtp/config/smtp.yml | 10 ++-- .../module/zeek/smtp/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/snmp/config/snmp.yml | 10 ++-- .../module/zeek/snmp/ingest/pipeline.yml | 13 ----- .../module/zeek/socks/config/socks.yml | 10 ++-- .../module/zeek/socks/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/ssh/config/ssh.yml | 10 ++-- .../module/zeek/ssh/ingest/pipeline.yml | 13 ----- .../filebeat/module/zeek/ssl/config/ssl.yml | 10 ++-- .../module/zeek/ssl/ingest/pipeline.yml | 13 ----- .../module/zeek/syslog/config/syslog.yml | 10 ++-- .../module/zeek/syslog/ingest/pipeline.yml | 13 
----- .../zeek/traceroute/config/traceroute.yml | 9 ++-- .../zeek/traceroute/ingest/pipeline.yml | 11 ---- .../module/zeek/tunnel/config/tunnel.yml | 9 ++-- .../module/zeek/tunnel/ingest/pipeline.yml | 11 ---- .../module/zeek/weird/config/weird.yml | 9 ++-- .../module/zeek/weird/ingest/pipeline.yml | 13 ----- 78 files changed, 272 insertions(+), 656 deletions(-) diff --git a/x-pack/filebeat/module/snort/log/config/input.yml b/x-pack/filebeat/module/snort/log/config/input.yml index d9e5fcf6706f..4d6ec8140bb5 100644 --- a/x-pack/filebeat/module/snort/log/config/input.yml +++ b/x-pack/filebeat/module/snort/log/config/input.yml @@ -36,11 +36,15 @@ processors: files: - ${path.home}/module/snort/log/config/liblogparser.js - ${path.home}/module/snort/log/config/pipeline.js +{{ if .community_id }} +- community_id: +{{ end }} {{ if .internal_networks }} -- add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} +- add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - registered_domain: ignore_missing: true diff --git a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml index 341d5d696fe0..262bbcff330f 100644 --- a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml @@ -10,19 +10,6 @@ processors: - user_agent: field: user_agent.original ignore_missing: true - # Network Direction - - network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true - - community_id: - ignore_missing: true - - remove: - field: - - _conf - ignore_missing: true # IP Geolocation Lookup - geoip: field: source.ip 
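Review bot: The Beats-side `community_id` is gated on the new `.community_id` manifest variable here (and for sonicwall and suricata in later hunks), but every zeek fileset in this revert adds `- community_id:` unconditionally, so an operator can switch the hash off for Snort but not for Zeek; the gating should be uniform or the variable dropped. The empty processor config is also spelled two ways — `- community_id:` here versus `- community_id: ~` in the sonicwall hunk; both are YAML null, but one spelling (`- community_id: ~`) is easier to grep and review. `add_network_direction` is added without a `when` guard, so the hunk relies on it being a no-op when `source.ip` or `destination.ip` is absent, which is the case for many non-connection Snort messages parsed by liblogparser; I have not verified that behaviour from this hunk and it is worth confirming before depending on it.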
diff --git a/x-pack/filebeat/module/snort/log/manifest.yml b/x-pack/filebeat/module/snort/log/manifest.yml index 9c1694ce9f00..e50a6c8c68d2 100644 --- a/x-pack/filebeat/module/snort/log/manifest.yml +++ b/x-pack/filebeat/module/snort/log/manifest.yml @@ -10,6 +10,8 @@ var: default: 9548 - name: input default: udp + - name: community_id + default: true - name: tz_offset default: local - name: rsa_fields diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json index b3fee7eb7c0c..9148b90ac69f 100644 --- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json @@ -873,8 +873,8 @@ "tper4341.lan" ], "related.ip": [ - "10.210.180.142", - "10.111.33.70" + "10.111.33.70", + "10.210.180.142" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "animi", @@ -2078,8 +2078,8 @@ "uovol2459.www5.invalid" ], "related.ip": [ - "10.60.137.215", - "10.28.105.106" + "10.28.105.106", + "10.60.137.215" ], "rsa.crypto.sig_type": "tionu", "rsa.internal.messageid": "5155", @@ -2272,8 +2272,8 @@ "emulla6625.www5.corp" ], "related.ip": [ - "10.82.180.46", - "10.237.43.87" + "10.237.43.87", + "10.82.180.46" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "oloremqu", @@ -2399,8 +2399,8 @@ "upta788.invalid" ], "related.ip": [ - "10.40.250.209", - "10.166.10.187" + "10.166.10.187", + "10.40.250.209" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "high-temUte", @@ -2818,8 +2818,8 @@ "Bonoru5658.mail.invalid" ], "related.ip": [ - "10.46.57.181", - "10.29.231.11" + "10.29.231.11", + "10.46.57.181" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "remape", @@ -3813,4 +3813,4 @@ "snort.log" ] } -] +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml index af680a44f845..ff0b8145857c 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml @@ -36,11 +36,15 @@ processors: files: - ${path.home}/module/sonicwall/firewall/config/liblogparser.js - ${path.home}/module/sonicwall/firewall/config/pipeline.js +{{ if .community_id }} +- community_id: ~ +{{ end }} {{ if .internal_networks }} -- add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} +- add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - registered_domain: ignore_missing: true diff --git a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml index d0b05776ead6..0d5140dee4c5 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml @@ -10,19 +10,6 @@ processors: - user_agent: field: user_agent.original ignore_missing: true - # Network Direction - - network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true - - community_id: - ignore_missing: true - - remove: - field: - - _conf - ignore_missing: true # IP Geolocation Lookup - geoip: field: source.ip diff --git a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml index 2d368d86749e..16e3130f2239 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml 
@@ -10,6 +10,8 @@ var: default: 9536 - name: input default: udp + - name: community_id + default: true - name: tz_offset default: local - name: rsa_fields diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index fe3d491f0c58..469624f3be76 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -57,8 +57,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.hosts": [ - "oreetdol1714.internal.corp", - "nostrud4819.mail.test" + "nostrud4819.mail.test", + "oreetdol1714.internal.corp" ], "related.ip": [ "10.49.111.67", @@ -487,8 +487,8 @@ "fugi4637.www.lan" ], "related.ip": [ - "10.30.196.102", - "10.241.178.107" + "10.241.178.107", + "10.30.196.102" ], "rsa.internal.messageid": "353", "rsa.internal.msg": "onproide", @@ -574,8 +574,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.206.136.206", - "10.153.136.222" + "10.153.136.222", + "10.206.136.206" ], "rsa.internal.messageid": "242", "rsa.internal.msg": "imidest", @@ -881,8 +881,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.237.163.139", - "10.162.172.28" + "10.162.172.28", + "10.237.163.139" ], "rsa.internal.messageid": "255", "rsa.internal.msg": "nre", @@ -1253,8 +1253,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.230.173.4", - "10.192.27.157" + "10.192.27.157", + "10.230.173.4" ], "rsa.internal.messageid": "140", "rsa.misc.action": [ @@ -1801,8 +1801,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.50.44.5", - "10.105.46.101" + "10.105.46.101", + "10.50.44.5" ], "rsa.internal.messageid": "237", "rsa.misc.action": [ 
@@ -1838,8 +1838,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.60.142.127", - "10.52.248.251" + "10.52.248.251", + "10.60.142.127" ], "rsa.internal.messageid": "328", "rsa.internal.msg": "squ", @@ -2012,8 +2012,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.203.77.154", - "10.120.25.169" + "10.120.25.169", + "10.203.77.154" ], "rsa.internal.messageid": "199", "rsa.misc.action": [ @@ -2090,8 +2090,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.77.95.12", - "10.137.217.159" + "10.137.217.159", + "10.77.95.12" ], "rsa.internal.messageid": "195", "rsa.internal.msg": "rorsit", @@ -2195,8 +2195,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.185.37.32", - "10.116.173.79" + "10.116.173.79", + "10.185.37.32" ], "rsa.internal.messageid": "178", "rsa.internal.msg": "ende", @@ -2304,8 +2304,8 @@ "ugitsedq5067.internal.test" ], "related.ip": [ - "10.132.171.15", - "10.107.216.138" + "10.107.216.138", + "10.132.171.15" ], "rsa.internal.messageid": "537", "rsa.misc.action": [ @@ -2390,8 +2390,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.22.244.71", - "10.142.120.198" + "10.142.120.198", + "10.22.244.71" ], "related.user": [ "usmo" @@ -2509,8 +2509,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.56.10.84", - "10.12.54.142" + "10.12.54.142", + "10.56.10.84" ], "rsa.internal.messageid": "658", "rsa.internal.msg": "osquirat", @@ -2775,4 +2775,4 @@ "sonicwall.firewall" ] } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml index 619a4cc60a28..7ed6b3808c04 100644 --- a/x-pack/filebeat/module/suricata/eve/config/eve.yml +++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml 
@@ -40,11 +40,15 @@ processors: - drop_fields: fields: - suricata.eve.timestamp +{{ if .community_id }} + - community_id: +{{ end }} {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - registered_domain: when: diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml index 07e710bb75fe..e957d177f38f 100644 --- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml +++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml @@ -299,19 +299,6 @@ processors: field: suricata.eve.proto target_field: network.transport ignore_missing: true - # Network Direction - - network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true - - community_id: - ignore_missing: true - - remove: - field: - - _conf - ignore_missing: true - geoip: if: ctx?.source?.geo == null field: source.ip diff --git a/x-pack/filebeat/module/suricata/eve/manifest.yml b/x-pack/filebeat/module/suricata/eve/manifest.yml index 1ca547f841fa..ae3b99ba315f 100644 --- a/x-pack/filebeat/module/suricata/eve/manifest.yml +++ b/x-pack/filebeat/module/suricata/eve/manifest.yml @@ -10,6 +10,8 @@ var: - 'c:/program files/suricata/log/eve.json' - name: tags default: [suricata] + - name: community_id + default: true - name: internal_networks default: [ private ] diff --git a/x-pack/filebeat/module/zeek/connection/config/connection.yml b/x-pack/filebeat/module/zeek/connection/config/connection.yml index 6e894df03a34..c2fee6dca9e9 100644 --- a/x-pack/filebeat/module/zeek/connection/config/connection.yml +++ b/x-pack/filebeat/module/zeek/connection/config/connection.yml 
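Review bot: The `community_id` processor added to eve.yml hashes with the default seed, while Suricata can emit its own community ID into the EVE record (`community-id: yes` with a configurable `community-id-seed`); if the seeds differ, the Beats-computed `network.community_id` will not match what Suricata, Zeek or other sensors produce and cross-sensor correlation breaks silently. Consider exposing the seed next to the new `community_id` variable, e.g. `- name: community_id_seed` in the manifest and `seed: {{ .community_id_seed }}` under the processor, or at minimum document in the manifest that the seed must match the sensor configuration. I cannot see from this hunk how the pipeline reconciles a pre-existing Suricata community ID with the Beats value, so which one wins should be checked.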
@@ -90,18 +90,21 @@ processors: kind: event category: - network - - copy_fields: - fields: - - from: zeek.connection.icmp.type - to: icmp.type - - from: zeek.connection.icmp.code - to: icmp.code - ignore_missing: true + - if: + equals.network.transport: icmp + then: + community_id: + fields: + icmp_type: zeek.connection.icmp.type + icmp_code: zeek.connection.icmp.code + else: + community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml index b2fad201dbf5..93245720a06e 100644 --- a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml @@ -70,20 +70,6 @@ processors: ctx.network.direction = "external"; return; } -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true - if: ctx?.network?.direction == null -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json index 2afe9a05c58e..088aee7aedf4 100644 --- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json 
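Review bot: With this revert `add_network_direction` runs in Filebeat before the ingest pipeline, whereas the removed ES `network_direction` processor ran only `if: ctx?.network?.direction == null`, i.e. it deferred to the direction the pipeline's painless script derives from Zeek's own `local_orig`/`local_resp` flags (visible in the context `ctx.network.direction = "external"; return;`). On the new side that script runs after Filebeat and will overwrite the `internal_networks`-based value whenever it executes, so the setting only matters for records where the script sets nothing; I cannot see the script's guard from this hunk. The precedence should be stated in connection.yml above the processor, e.g. `# Fallback only: the ingest pipeline overrides this with Zeek's local_orig/local_resp classification when those flags are present.` Separately, the `if: equals.network.transport: icmp` branch feeds `zeek.connection.icmp.type/code` into the hash; confirm Zeek labels ICMPv6 conn records as `icmp` too, otherwise those records fall into the `else` branch and get a hash computed without type/code.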
@@ -191,8 +191,6 @@ "info" ], "fileset.name": "connection", - "icmp.code": 3, - "icmp.type": 3, "input.type": "log", "log.offset": 1180, "network.bytes": 107, diff --git a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml index 016ea4c0db59..95a0f810a04f 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml @@ -54,11 +54,13 @@ processors: - connection - protocol - info + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml index 82b9c80837c1..f0a837709dcf 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/ingest/pipeline.yml @@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.dce_rpc.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - append: field: related.ip value: '{{source.ip}}' diff --git a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml index 64b11d14013a..be8f090724c8 100644 --- a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml +++ b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml 
@@ -116,11 +116,13 @@ processors: - connection - protocol - info + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml index 5b34712a5b1a..49216c077c27 100644 --- a/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dhcp/ingest/pipeline.yml @@ -24,19 +24,6 @@ processors: field: related.ip value: '{{destination.ip}}' if: 'ctx?.destination?.ip != null' -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml index 9a48dcd842f7..e342eb73731e 100644 --- a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml +++ b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml @@ -64,11 +64,13 @@ processors: - connection - protocol - info + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml index ca3229779420..e104312e1e13 100644 
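Review bot: For dhcp.log `add_network_direction` will mislabel DISCOVER/REQUEST broadcasts under the module's default `internal_networks: [private]` — a client at `source.ip` 0.0.0.0 talking to 255.255.255.255 falls in neither the private range nor any other configured one, so both endpoints look external and the record is tagged `network.direction: external` (assuming the processor follows the ECS meaning of "neither side internal", which I have not verified here). Detection content keyed on `network.direction` for rogue-DHCP or lateral-movement hunting would then miss or mislabel exactly the traffic this fileset exists to capture. Either document the limitation in dhcp.yml beside the processor, or widen the default for this fileset, e.g. `internal_networks: [private, unspecified]` if the processor's named ranges support it — the supported names are not visible from this hunk.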
--- a/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml @@ -23,19 +23,6 @@ processors: - lowercase: field: event.action ignore_missing: true -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml index 1b83c1a8b48b..f11fcf957267 100644 --- a/x-pack/filebeat/module/zeek/dns/config/dns.yml +++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml @@ -204,11 +204,13 @@ processors: - connection - info - protocol + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - drop_fields: ignore_missing: true diff --git a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml index 2875805c7152..6d9ed369ea89 100644 --- a/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dns/ingest/pipeline.yml @@ -14,19 +14,7 @@ processors: - UNIX - remove: field: zeek.dns.ts - # Network Direction - - network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true - - community_id: - ignore_missing: true - - remove: - field: - - _conf - ignore_missing: true + # IP Geolocation Lookup - geoip: field: source.ip 
diff --git a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml index 8b1023ba0dd9..9bc5eda83bdb 100644 --- a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml +++ b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml @@ -53,11 +53,13 @@ processors: type: - connection - info + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml index ca89475e2896..32d1852c3e2c 100644 --- a/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/dpd/ingest/pipeline.yml @@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.dpd.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: source.ip target_field: source.geo diff --git a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml index be97506f381f..a00617f21dd0 100644 --- a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml +++ b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml @@ -82,11 +82,13 @@ processors: - connection - info - protocol + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' 
diff --git a/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml index 8daead05efa2..f1f7d0b4f522 100644 --- a/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ftp/ingest/pipeline.yml @@ -15,19 +15,6 @@ processors: - dot_expander: field: data_channel.passive path: zeek.ftp -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/zeek/http/config/http.yml b/x-pack/filebeat/module/zeek/http/config/http.yml index 548bd3070c40..b22da788463a 100644 --- a/x-pack/filebeat/module/zeek/http/config/http.yml +++ b/x-pack/filebeat/module/zeek/http/config/http.yml @@ -91,11 +91,13 @@ processors: - connection - info - protocol + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml index 36c0b7ac4df8..a2c4a85b9941 100644 --- a/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml 
@@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.http.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/intel/config/intel.yml b/x-pack/filebeat/module/zeek/intel/config/intel.yml index 92f0d64be2ed..45c703aa6920 100644 --- a/x-pack/filebeat/module/zeek/intel/config/intel.yml +++ b/x-pack/filebeat/module/zeek/intel/config/intel.yml @@ -63,11 +63,13 @@ processors: kind: alert type: - info + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml index e636d30ca9e9..f70094311318 100644 --- a/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/intel/ingest/pipeline.yml @@ -13,19 +13,6 @@ processors: - UNIX - remove: field: zeek.intel.ts - # Network Direction - - network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true - - community_id: - ignore_missing: true - - remove: - field: - - _conf - ignore_missing: true # IP Geolocation Lookup - geoip: if: ctx.source?.geo == null diff --git a/x-pack/filebeat/module/zeek/irc/config/irc.yml b/x-pack/filebeat/module/zeek/irc/config/irc.yml index c4fbde2de9ff..4509c1837861 100644 
--- a/x-pack/filebeat/module/zeek/irc/config/irc.yml +++ b/x-pack/filebeat/module/zeek/irc/config/irc.yml @@ -68,11 +68,13 @@ processors: - connection - protocol - info + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml index 64d7c1730a6b..dd1e37a7035e 100644 --- a/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/irc/ingest/pipeline.yml @@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.irc.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml index d390cf198606..f788b6abfb0e 100644 --- a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml +++ b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml @@ -100,11 +100,13 @@ processors: tokenizer: "%{user.name}/%{user.domain}" field: zeek.kerberos.client target_prefix: "" + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' 
diff --git a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml index d1c35440db87..e0f45f715850 100644 --- a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml @@ -35,19 +35,6 @@ processors: field: event.outcome value: failure if: "ctx?.zeek?.kerberos?.success == false" -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml index b80a40f3cc09..ba6e17b0610c 100644 --- a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml +++ b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml @@ -69,11 +69,13 @@ processors: target: event fields: outcome: success + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml index 884bec52ac61..d918b2de09a2 100644 --- a/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/modbus/ingest/pipeline.yml 
@@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.modbus.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml index 868012b0bade..34f641fc8134 100644 --- a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml +++ b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml @@ -68,11 +68,13 @@ processors: target: event fields: outcome: failure + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml index abfb17c7d84f..d5552af6d29f 100644 --- a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml @@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.mysql.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/zeek/notice/config/notice.yml b/x-pack/filebeat/module/zeek/notice/config/notice.yml index 19fa2616d1fa..34c5cc5f4e56 100644 
--- a/x-pack/filebeat/module/zeek/notice/config/notice.yml +++ b/x-pack/filebeat/module/zeek/notice/config/notice.yml @@ -100,11 +100,13 @@ processors: - intrusion_detection type: - info + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml index 409bd14daeec..c741d355361f 100644 --- a/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/notice/ingest/pipeline.yml @@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.notice.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml index 6639f93e5732..c121bd5afb80 100644 --- a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml +++ b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml @@ -82,11 +82,13 @@ processors: target: event fields: outcome: failure + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' 
diff --git a/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml index 8fae9fd07c57..690fd54a54ba 100644 --- a/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ntlm/ingest/pipeline.yml @@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.ntlm.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/zeek/ntp/config/ntp.yml b/x-pack/filebeat/module/zeek/ntp/config/ntp.yml index 64ae979d85e6..690315319a47 100644 --- a/x-pack/filebeat/module/zeek/ntp/config/ntp.yml +++ b/x-pack/filebeat/module/zeek/ntp/config/ntp.yml @@ -50,11 +50,13 @@ processors: fields: protocol: ntp transport: udp + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml index d563f67b2b44..ed603292a3d3 100644 --- a/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml 
@@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.ntp.ts - # Network Direction - - network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true - - community_id: - ignore_missing: true - - remove: - field: - - _conf - ignore_missing: true # IP Geolocation Lookup - geoip: if: ctx.source?.geo == null diff --git a/x-pack/filebeat/module/zeek/radius/config/radius.yml b/x-pack/filebeat/module/zeek/radius/config/radius.yml index adc1a1cff5b1..cbe891c9d2f8 100644 --- a/x-pack/filebeat/module/zeek/radius/config/radius.yml +++ b/x-pack/filebeat/module/zeek/radius/config/radius.yml @@ -54,11 +54,13 @@ processors: type: - info - connection + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml index 81633de0c42e..acc7fad2f030 100644 --- a/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/radius/ingest/pipeline.yml @@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.radius.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml index fda80c87aa56..66d984cc5fc9 100644 
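Review bot: After this hunk ntp/ingest/pipeline.yml no longer computes `network.direction` or `network.community_id`, so those fields exist only for events that passed through this Filebeat version's own `add_network_direction`/`community_id` processors. Events that reach the pipeline by any other path (Logstash, an older Filebeat, or a re-ingest of archived zeek logs with `pipeline` set) will lack both fields, and detection content keyed on e.g. `network.direction: inbound` for zeek data silently stops matching without any error. This is probably acceptable for the module, but it deserves a sentence in the changelog or module docs stating that the module's `internal_networks` variable is now the only way direction is derived. The remaining `geoip` processors in this pipeline are outside the hunk.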
--- a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml +++ b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml @@ -84,11 +84,13 @@ processors: type: - protocol - info + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml index 1f57f470e14b..bbe4abcee9fa 100644 --- a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.yml @@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.rdp.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - convert: field: zeek.rdp.ssl target_field: tls.established diff --git a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml index 3094eb33aaa9..0b4391e4ccd2 100644 --- a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml +++ b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml @@ -69,11 +69,13 @@ processors: type: - connection - info + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' 
diff --git a/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml index a7a43e99e809..2ce5fda4e16b 100644 --- a/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/rfb/ingest/pipeline.yml @@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.rfb.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - append: field: related.ip value: "{{source.ip}}" diff --git a/x-pack/filebeat/module/zeek/signature/config/signature.yml b/x-pack/filebeat/module/zeek/signature/config/signature.yml index 627b474d2404..ff76140e6669 100644 --- a/x-pack/filebeat/module/zeek/signature/config/signature.yml +++ b/x-pack/filebeat/module/zeek/signature/config/signature.yml @@ -43,11 +43,13 @@ processors: target: event fields: kind: alert + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml index b0d934097e51..539ea5d79121 100644 --- a/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/signature/ingest/pipeline.yml 
@@ -13,19 +13,6 @@ processors: - UNIX - remove: field: zeek.signature.ts - # Network Direction - - network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true - - community_id: - ignore_missing: true - - remove: - field: - - _conf - ignore_missing: true # IP Geolocation Lookup - geoip: if: ctx.source?.geo == null diff --git a/x-pack/filebeat/module/zeek/sip/config/sip.yml b/x-pack/filebeat/module/zeek/sip/config/sip.yml index b608b0083f3e..459f64c9e772 100644 --- a/x-pack/filebeat/module/zeek/sip/config/sip.yml +++ b/x-pack/filebeat/module/zeek/sip/config/sip.yml @@ -91,11 +91,13 @@ processors: type: - connection - protocol + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml index 2e95daa29eda..045d5afe760b 100644 --- a/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/sip/ingest/pipeline.yml @@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.sip.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - grok: field: zeek.sip.seq patterns: diff --git a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml index 1855780a0435..05acce04817d 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml 
+++ b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml @@ -97,11 +97,13 @@ processors: type: - connection - protocol + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml index cd06ec362059..0a853104351e 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_cmd/ingest/pipeline.yml @@ -15,19 +15,6 @@ processors: - remove: field: zeek.smb_cmd.referenced_file ignore_missing: true -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml index 10a8b1be2c3f..063854ccc142 100644 --- a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml +++ b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml @@ -57,11 +57,13 @@ processors: type: - connection - protocol + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' 
diff --git a/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml index 40900afabbed..b1c0d3a69920 100644 --- a/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_files/ingest/pipeline.yml @@ -64,19 +64,6 @@ processors: field: file.mtime value: "{{zeek.smb_files.times.modified}}" if: "ctx?.zeek?.smb_files?.times?.modified != null" -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml index c75347829e2f..54414b0ac0cf 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml @@ -53,11 +53,13 @@ processors: type: - connection - protocol + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml index e0ddce63c84c..e116e1bfb600 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/ingest/pipeline.yml 
@@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.smb_mapping.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml index 3d0f60abf328..866483510bc4 100644 --- a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml +++ b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml @@ -63,11 +63,13 @@ processors: type: - connection - protocol + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml index 0a559b8c89ea..03e2ffb6a250 100644 --- a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.yml @@ -18,19 +18,6 @@ processors: formats: - EEE, d MMM yyyy HH:mm:ss Z if: ctx.zeek.smtp.date != null -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml index 056364f6dd02..f60c520e942e 100644 
--- a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml +++ b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml @@ -65,11 +65,13 @@ processors: type: - connection - protocol + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml index 56e977292a59..1aefc539733d 100644 --- a/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/snmp/ingest/pipeline.yml @@ -18,19 +18,6 @@ processors: formats: - UNIX if: ctx.zeek.snmp.up_since != null -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/socks/config/socks.yml b/x-pack/filebeat/module/zeek/socks/config/socks.yml index 91bf4e3f2205..37e98cf69e23 100644 --- a/x-pack/filebeat/module/zeek/socks/config/socks.yml +++ b/x-pack/filebeat/module/zeek/socks/config/socks.yml @@ -63,11 +63,13 @@ processors: type: - connection - protocol + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' 
diff --git a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml index 65de8b1d1468..e64c5ec9eb33 100644 --- a/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/socks/ingest/pipeline.yml @@ -15,19 +15,6 @@ processors: - dot_expander: field: bound.host path: zeek.socks -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml index aab0cfe1a2cb..93289dc87db1 100644 --- a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml +++ b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml @@ -72,11 +72,13 @@ processors: type: - connection - protocol + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml index ed4554119290..26980d26f3da 100644 --- a/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ssh/ingest/pipeline.yml 
@@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.ssh.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml index 53786a09e46f..91d05b6824ff 100644 --- a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml +++ b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml @@ -90,11 +90,13 @@ processors: type: - connection - protocol + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml index f6ebf0e46f65..4a980be985a2 100644 --- a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml @@ -25,19 +25,6 @@ processors: target_field: tls.server.not_after formats: - UNIX -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml index 657cc1d7da2f..6ce6d17373a3 100644 
--- a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml +++ b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml @@ -53,11 +53,13 @@ processors: target: event fields: kind: event + - community_id: {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: '' diff --git a/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml index 20fb4b2cdad3..5f3432ec4888 100644 --- a/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/syslog/ingest/pipeline.yml @@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.syslog.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml index 7edf8b30ea34..1ed6932b02d9 100644 --- a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml +++ b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml @@ -35,10 +35,11 @@ processors: ignore_missing: true fail_on_error: false {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: event 
diff --git a/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml index f667c0a6db1e..f4744c540d71 100644 --- a/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/traceroute/ingest/pipeline.yml @@ -12,17 +12,6 @@ processors: - UNIX - remove: field: zeek.traceroute.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml index 2c9c52cc2190..94918403879f 100644 --- a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml +++ b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml @@ -46,10 +46,11 @@ processors: ignore_missing: true fail_on_error: false {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: event diff --git a/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml index 3139fe0e5f76..9ca83da33051 100644 --- a/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/tunnel/ingest/pipeline.yml 
@@ -12,17 +12,6 @@ processors: - UNIX - remove: field: zeek.tunnel.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo diff --git a/x-pack/filebeat/module/zeek/weird/config/weird.yml b/x-pack/filebeat/module/zeek/weird/config/weird.yml index 586e0d296cc6..7b3d2f5bcccf 100644 --- a/x-pack/filebeat/module/zeek/weird/config/weird.yml +++ b/x-pack/filebeat/module/zeek/weird/config/weird.yml @@ -46,10 +46,11 @@ processors: ignore_missing: true fail_on_error: false {{ if .internal_networks }} - - add_fields: - target: _conf - fields: - internal_networks: {{ .internal_networks | tojson }} + - add_network_direction: + source: source.ip + destination: destination.ip + target: network.direction + internal_networks: {{ .internal_networks | tojson }} {{ end }} - add_fields: target: event diff --git a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml index 0a14f26b2ff9..d791eb77a09c 100644 --- a/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/weird/ingest/pipeline.yml @@ -12,19 +12,6 @@ processors: - UNIX - remove: field: zeek.weird.ts -# Network Direction -- network_direction: - source_ip: source.ip - destination_ip: destination.ip - target_field: network.direction - internal_networks_field: _conf.internal_networks - ignore_missing: true -- community_id: - ignore_missing: true -- remove: - field: - - _conf - ignore_missing: true - geoip: field: destination.ip target_field: destination.geo From 7a4381cb205c867c64cc0da2dad03c8c06f943fb Mon Sep 17 00:00:00 2001 
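Review bot: The weird fileset loses `network.community_id` in this patch: weird/ingest/pipeline.yml removes its `community_id` processor, but the weird.yml config hunk only adds `add_network_direction` and, unlike irc, ssl, ssh and the other filesets, does not add a `community_id` processor. Unless a `community_id:` entry already sits above the hunk in weird.yml, which this view cannot confirm, flow correlation on weird events breaks. The fix is the same one-liner used elsewhere, `  - community_id:` placed just before the `{{ if .internal_networks }}` line. The traceroute and tunnel filesets never computed community_id in their pipelines, so their hunks are consistent.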
From: Alex Resnick Date: Tue, 18 May 2021 02:03:52 +0000 Subject: [PATCH 6/9] update docs with new variable --- CHANGELOG.next.asciidoc | 1 - filebeat/docs/modules/snort.asciidoc | 9 + filebeat/docs/modules/sonicwall.asciidoc | 9 + filebeat/docs/modules/suricata.asciidoc | 9 + filebeat/docs/modules/zeek.asciidoc | 746 ++++++++++++++++++ .../filebeat/module/snort/_meta/docs.asciidoc | 9 + .../module/sonicwall/_meta/docs.asciidoc | 9 + .../module/suricata/_meta/docs.asciidoc | 9 + .../filebeat/module/zeek/_meta/docs.asciidoc | 746 ++++++++++++++++++ 9 files changed, 1546 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index e1561118e354..c1433af08f35 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -857,7 +857,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add new grok pattern for iptables module for Ubiquiti UDM {issue}25615[25615] {pull}25616[25616] - Add multiline support to aws-s3 input. {issue}25249[25249] {pull}25710[25710] - Add monitoring metrics to the `aws-s3` input. {pull}25711[25711] -- Added `network.direction` fields to Zeek and Suricata module using the `add_network_direction` processor {pull}24620[24620] - Added `network.direction` fields to Zeek, Suricata, Snort, Sonicwall modules using the `add_network_direction` processor {pull}24620[24620] *Heartbeat* diff --git a/filebeat/docs/modules/snort.asciidoc b/filebeat/docs/modules/snort.asciidoc index ff9d5809ae8e..02214e352d7b 100644 --- a/filebeat/docs/modules/snort.asciidoc +++ b/filebeat/docs/modules/snort.asciidoc 
@@ -63,6 +63,15 @@ which causes both ECS and custom fields under `rsa` to be added. Flag to control the addition of the raw parser fields to the event. This fields will be found under `rsa.raw`. The default is false. +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/sonicwall.asciidoc b/filebeat/docs/modules/sonicwall.asciidoc index 3994e7d36e49..d76ecc165d03 100644 --- a/filebeat/docs/modules/sonicwall.asciidoc +++ b/filebeat/docs/modules/sonicwall.asciidoc @@ -63,6 +63,15 @@ which causes both ECS and custom fields under `rsa` to be added. Flag to control the addition of the raw parser fields to the event. This fields will be found under `rsa.raw`. The default is false. +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/suricata.asciidoc b/filebeat/docs/modules/suricata.asciidoc index 0e7348b291da..4426a8f2cc48 100644 --- a/filebeat/docs/modules/suricata.asciidoc +++ b/filebeat/docs/modules/suricata.asciidoc 
@@ -51,6 +51,15 @@ A list of tags to include in events. Including `forwarded` indicates that the
 events did not originate on this host and causes `host.name` to not be added to
 events. Defaults to `[suricata]`.
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
 [float]
 === Example dashboard
diff --git a/filebeat/docs/modules/zeek.asciidoc b/filebeat/docs/modules/zeek.asciidoc
index 3fbb1a27b945..1d73f24d3e12 100644
--- a/filebeat/docs/modules/zeek.asciidoc
+++ b/filebeat/docs/modules/zeek.asciidoc
@@ -30,6 +30,752 @@ with newer versions of Zeek.
 Zeek requires a Unix-like platform, and it currently supports Linux, FreeBSD, and Mac OS X.
+[float]
+==== `capture_loss` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+[float]
+==== `connection` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `dce_rpc` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `dhcp` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. 
Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `dnp3` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `dns` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `dpd` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `files` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+[float]
+==== `ftp` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `files` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `http` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `intel` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `irc` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. 
Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `kerberos` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `modbus` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `mysql` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `notice` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `ntls` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. 
The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `ntp` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `ocsp` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+[float]
+==== `pe` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+[float]
+==== `radius` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. 
The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `rdp` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `rfb` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `signature` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. 
The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `sip` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `smb_cmd` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `smb_files` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `smb_mapping` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `smtp` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `snmp` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. 
Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `socks` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `ssh` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `ssl` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `stats` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+[float]
+==== `syslog` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `traceroute` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `tunnel` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `weird` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
+[float]
+==== `x509` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+*`var.tags`*::
+
+A list of tags to include in events. 
Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
 [float]
 === Example dashboard
diff --git a/x-pack/filebeat/module/snort/_meta/docs.asciidoc b/x-pack/filebeat/module/snort/_meta/docs.asciidoc
index f2ae38f00433..49171bcf88be 100644
--- a/x-pack/filebeat/module/snort/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/snort/_meta/docs.asciidoc
@@ -58,6 +58,15 @@ which causes both ECS and custom fields under `rsa` to be added.
 Flag to control the addition of the raw parser fields to the event. This fields will be found under `rsa.raw`. The default is false.
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
 :has-dashboards!:
 :fileset_ex!:
diff --git a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc
index 9b6620f4e774..cc842fabcee8 100644
--- a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc
@@ -58,6 +58,15 @@ which causes both ECS and custom fields under `rsa` to be added.
 Flag to control the addition of the raw parser fields to the event. This fields will be found under `rsa.raw`. The default is false.
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
 :has-dashboards!:
 :fileset_ex!:
diff --git a/x-pack/filebeat/module/suricata/_meta/docs.asciidoc b/x-pack/filebeat/module/suricata/_meta/docs.asciidoc
index 08d5feb61cb2..27a5acab512b 100644
--- a/x-pack/filebeat/module/suricata/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/suricata/_meta/docs.asciidoc
@@ -46,6 +46,15 @@ A list of tags to include in events. Including `forwarded` indicates that the
 events did not originate on this host and causes `host.name` to not be added to
 events. Defaults to `[suricata]`.
+`var.internal_networks`::
+
+A list of CIDR ranges describing the IP addresses that
+you consider internal. This is used in determining the value of
+`network.direction`. The values
+can be either a CIDR value or one of the named ranges supported by the
+<> condition. The default value is `[private]`
+which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+
 [float]
 === Example dashboard
diff --git a/x-pack/filebeat/module/zeek/_meta/docs.asciidoc b/x-pack/filebeat/module/zeek/_meta/docs.asciidoc
index aaef3f7803ed..a597a61bdc6f 100644
--- a/x-pack/filebeat/module/zeek/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/zeek/_meta/docs.asciidoc
@@ -25,6 +25,752 @@ with newer versions of Zeek. Zeek requires a Unix-like platform, and it currently supports Linux, FreeBSD, and Mac OS X. +[float] +==== `capture_loss` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +[float] +==== `connection` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `dce_rpc` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `dhcp` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. 
Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `dnp3` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `dns` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. 
+ +[float] +==== `dpd` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `files` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +[float] +==== `ftp` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `files` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. 
+ +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `http` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `intel` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `irc` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. 
Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `kerberos` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `modbus` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. 
+ +[float] +==== `mysql` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `notice` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `ntls` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. 
The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `ntp` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `ocsp` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +[float] +==== `pe` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +[float] +==== `radius` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. 
The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `rdp` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `rfb` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `signature` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. 
The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `sip` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `smb_cmd` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `smb_files` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. 
+ +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `smb_mapping` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `smtp` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `snmp` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. 
Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `socks` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `ssh` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. 
+ +[float] +==== `ssl` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `stats` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +[float] +==== `syslog` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `traceroute` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. 
+ +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `tunnel` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `weird` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + +`var.internal_networks`:: + +A list of CIDR ranges describing the IP addresses that +you consider internal. This is used in determining the value of +`network.direction`. The values +can be either a CIDR value or one of the named ranges supported by the +<> condition. The default value is `[private]` +which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. + +[float] +==== `x509` log fileset settings + +include::../include/var-paths.asciidoc[] + +*`var.tags`*:: + +A list of tags to include in events. 
Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + [float] === Example dashboard From 0ae35f01c9ad7a798be5230371f493e0f0ecd734 Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Fri, 25 Jun 2021 11:54:42 +0000 Subject: [PATCH 7/9] Removed Snort and Sonicwall --- CHANGELOG.next.asciidoc | 2 +- .../module/snort/log/config/input.yml | 9 +- .../module/snort/log/config/liblogparser.js | 4 +- x-pack/filebeat/module/snort/log/manifest.yml | 2 - .../log/test/generated.log-expected.json | 160 ++++++---- .../sonicwall/firewall/config/input.yml | 7 - .../sonicwall/firewall/config/liblogparser.js | 8 +- .../module/sonicwall/firewall/manifest.yml | 2 - .../firewall/test/general.log-expected.json | 40 ++- .../firewall/test/generated.log-expected.json | 292 ++++++++++++------ .../test/connection-json.log-expected.json | 4 +- 11 files changed, 331 insertions(+), 199 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index be4a4aeee8b6..bb0a5deb315e 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -809,7 +809,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add new grok pattern for iptables module for Ubiquiti UDM {issue}25615[25615] {pull}25616[25616]
- Add multiline support to aws-s3 input. {issue}25249[25249] {pull}25710[25710]
- Add monitoring metrics to the `aws-s3` input. {pull}25711[25711]
-- Added `network.direction` fields to Zeek, Suricata, Snort, Sonicwall modules using the `add_network_direction` processor {pull}24620[24620]
+- Added `network.direction` fields to Zeek and Suricata modules using the `add_network_direction` processor {pull}24620[24620]
- Add Content-Type override to aws-s3 input. {issue}25697[25697] {pull}25772[25772]
- In Cisco Umbrella fileset add users from cisco.umbrella.identities to related.user. {pull}25776[25776]
- Add fingerprint processor to generate fixed ids for `google_workspace` events. {pull}25841[25841]
diff --git a/x-pack/filebeat/module/snort/log/config/input.yml b/x-pack/filebeat/module/snort/log/config/input.yml
index c30362069f42..57939bc94d41 100644
--- a/x-pack/filebeat/module/snort/log/config/input.yml
+++ b/x-pack/filebeat/module/snort/log/config/input.yml
@@ -37,14 +37,7 @@ processors:
- ${path.home}/module/snort/log/config/liblogparser.js
- ${path.home}/module/snort/log/config/pipeline.js
{{ if .community_id }}
-- community_id:
-{{ end }}
-{{ if .internal_networks }}
-- add_network_direction:
- source: source.ip
- destination: destination.ip
- target: network.direction
- internal_networks: {{ .internal_networks | tojson }}
+- community_id: ~
{{ end }}
- registered_domain:
ignore_missing: true
diff --git a/x-pack/filebeat/module/snort/log/config/liblogparser.js b/x-pack/filebeat/module/snort/log/config/liblogparser.js
index 935bed305a8e..5cf4cfee1ae7 100644
--- a/x-pack/filebeat/module/snort/log/config/liblogparser.js
+++ b/x-pack/filebeat/module/snort/log/config/liblogparser.js
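Review bot: Dropping the `add_network_direction` block from this `input.yml` leaves the `var.internal_networks` paragraph that the first patch added to `x-pack/filebeat/module/snort/_meta/docs.asciidoc` (and the sonicwall equivalent) describing a setting this module no longer reads, and neither docs file appears in this patch's diffstat. The docs should lose that paragraph in the same commit, or say that `network.direction` is not populated for Snort, so users do not set a variable the manifest no longer declares. The remainder of the `processors:` list runs outside the hunk.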
@@ -1007,8 +1007,8 @@ var ecs_mappings = {
"child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
"city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
"city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
"ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
"devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
"devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
diff --git a/x-pack/filebeat/module/snort/log/manifest.yml b/x-pack/filebeat/module/snort/log/manifest.yml
index e50a6c8c68d2..ae467072b222 100644
--- a/x-pack/filebeat/module/snort/log/manifest.yml
+++ b/x-pack/filebeat/module/snort/log/manifest.yml
@@ -20,8 +20,6 @@ var:
default: false
- name: debug
default: false
- - name: internal_networks
- default: [ private ]
ingest_pipeline: ingest/pipeline.yml
input: config/input.yml
diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json
index 9148b90ac69f..6ccdfda7860d 100644
--- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json
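Review bot: Restoring `fld_append` for `daddr` and `daddr_v6` makes `destination.ip` an array on every Snort event (the expected-output hunks that follow show `"destination.ip": ["10.212.11.114"]` and similar), whereas ECS models `destination.ip` as a single `ip` value and reserves the multi-valued form for `related.ip`. That shape is presumably why the `add_network_direction` processor, which reads `destination.ip` as a scalar, was dropped from this module rather than kept. A short comment on these two entries, e.g. `// destination.ip is appended here (array-valued); scalar-only consumers such as add_network_direction cannot read it`, would keep the next maintainer from switching back to `fld_set` without also revisiting the processor configuration. The sonicwall `liblogparser.js` listed in the diffstat likely carries the same change and would want the same note; it is outside this chunk.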
@@ -38,7 +38,9 @@
},
{
"destination.bytes": 3676,
- "destination.ip": "10.212.11.114",
+ "destination.ip": [
+ "10.212.11.114"
+ ],
"destination.port": 3716,
"event.action": "deny",
"event.code": "NGIPS_events",
@@ -51,7 +53,6 @@
"log.level": "medium",
"log.offset": 135,
"network.application": "nsequat",
- "network.direction": "internal",
"network.protocol": "igmp",
"observer.egress.interface.name": "eth4091",
"observer.product": "IDS",
@@ -186,7 +187,9 @@
},
{
"destination.bytes": 3365,
- "destination.ip": "10.24.67.250",
+ "destination.ip": [
+ "10.24.67.250"
+ ],
"destination.port": 2026,
"event.action": "block",
"event.code": "NGIPS_events",
@@ -199,7 +202,6 @@
"log.level": "low",
"log.offset": 1016,
"network.application": "dol",
- "network.direction": "internal",
"network.protocol": "ipv6-icmp",
"observer.egress.interface.name": "enp0s5361",
"observer.product": "IDS",
@@ -307,7 +309,9 @@
},
{
"destination.geo.country_name": "eeufugia",
- "destination.ip": "10.157.18.252",
+ "destination.ip": [
+ "10.157.18.252"
+ ],
"destination.port": 5300,
"event.code": "5979",
"event.dataset": "snort.log",
@@ -318,7 +322,6 @@
"input.type": "log",
"log.level": "oremeu",
"log.offset": 1748,
- "network.direction": "internal",
"network.protocol": "ipv6",
"observer.product": "IDS",
"observer.type": "IDS",
@@ -799,7 +802,9 @@
"user.name": "smodtem"
},
{
- "destination.ip": "10.9.200.197",
+ "destination.ip": [
+ "10.9.200.197"
+ ],
"event.code": "27813",
"event.dataset": "snort.log",
"event.module": "snort",
@@ -809,7 +814,6 @@
"input.type": "log",
"log.level": "dolor",
"log.offset": 5841,
- "network.direction": "internal",
"network.protocol": "icmp",
"observer.product": "IDS",
"observer.type": "IDS",
@@ -850,7 +854,9 @@
},
{
"destination.bytes": 3813,
- "destination.ip": "10.111.33.70",
+ "destination.ip": [
+ "10.111.33.70"
+ ],
"destination.port": 3758,
"event.action": "allow",
"event.code": "NGIPS_events",
@@ -863,7 +869,6 @@
"log.level": "medium",
"log.offset": 6066,
"network.application": "num",
- "network.direction": "internal",
"network.protocol": "tcp",
"observer.egress.interface.name": "enp0s6049",
"observer.product": "IDS",
@@ -933,7 +938,9 @@
]
},
{
- "destination.ip": "10.222.183.123",
+ "destination.ip": [
+ "10.222.183.123"
+ ],
"event.code": "MALWARE",
"event.dataset": "snort.log",
"event.module": "snort",
@@ -942,7 +949,6 @@
"host.name": "cidu921.internal.lan",
"input.type": "log",
"log.offset": 6746,
- "network.direction": "internal",
"observer.product": "IDS",
"observer.type": "IDS",
"observer.vendor": "Snort",
@@ -970,7 +976,9 @@
]
},
{
- "destination.ip": "10.238.223.171",
+ "destination.ip": [
+ "10.238.223.171"
+ ],
"event.code": "16539",
"event.dataset": "snort.log",
"event.module": "snort",
@@ -980,7 +988,6 @@
"input.type": "log",
"log.level": "uisautei",
"log.offset": 6886,
- "network.direction": "internal",
"network.protocol": "rdp",
"observer.product": "IDS",
"observer.type": "IDS",
@@ -1019,7 +1026,9 @@
]
},
{
- "destination.ip": "10.160.178.109",
+ "destination.ip": [
+ "10.160.178.109"
+ ],
"destination.port": 1934,
"event.code": "26992",
"event.dataset": "snort.log",
@@ -1030,7 +1039,6 @@
"input.type": "log",
"log.level": "onsec",
"log.offset": 7109,
- "network.direction": "internal",
"network.protocol": "udp",
"observer.product": "IDS",
"observer.type": "IDS",
@@ -1168,7 +1176,9 @@
]
},
{
- "destination.ip": "10.213.100.153",
+ "destination.ip": [
+ "10.213.100.153"
+ ],
"event.code": "11634",
"event.dataset": "snort.log",
"event.module": "snort",
@@ -1178,7 +1188,6 @@
"input.type": "log",
"log.level": "dexer",
"log.offset": 7690,
- "network.direction": "internal",
"network.protocol": "igmp",
"observer.product": "IDS",
"observer.type": "IDS",
@@ -1449,7 +1458,9 @@ }, { "destination.bytes": 4902, - "destination.ip": "10.251.159.118", + "destination.ip": [ + "10.251.159.118" + ], "destination.port": 2795, "event.action": "cancel", "event.code": "NGIPS_events", @@ -1462,7 +1473,6 @@ "log.level": "high", "log.offset": 9801, "network.application": "ipi", - "network.direction": "internal", "network.protocol": "ipv6-icmp", "observer.egress.interface.name": "lo6367", "observer.product": "IDS", @@ -1593,7 +1603,9 @@ }, { "destination.bytes": 5413, - "destination.ip": "10.201.132.114", + "destination.ip": [ + "10.201.132.114" + ], "destination.port": 639, "event.action": "cancel", "event.code": "NGIPS_events", @@ -1606,7 +1618,6 @@ "log.level": "low", "log.offset": 10685, "network.application": "icta", - "network.direction": "internal", "network.protocol": "igmp", "observer.egress.interface.name": "lo3580", "observer.product": "IDS", @@ -1680,7 +1691,9 @@ }, { "destination.geo.country_name": "ariatu", - "destination.ip": "10.36.122.169", + "destination.ip": [ + "10.36.122.169" + ], "destination.port": 6751, "event.code": "13228", "event.dataset": "snort.log", @@ -1691,7 +1704,6 @@ "input.type": "log", "log.level": "onev", "log.offset": 11356, - "network.direction": "internal", "network.protocol": "ipv6", "observer.product": "IDS", "observer.type": "IDS", @@ -1730,7 +1742,9 @@ }, { "destination.bytes": 6430, - "destination.ip": "10.144.162.122", + "destination.ip": [ + "10.144.162.122" + ], "destination.port": 2080, "event.action": "block", "event.code": "NGIPS_events", @@ -1743,7 +1757,6 @@ "log.level": "medium", "log.offset": 11593, "network.application": "rehende", - "network.direction": "internal", "network.protocol": "icmp", "observer.egress.interface.name": "lo5079", "observer.product": "IDS", 
@@ -2057,7 +2070,9 @@ }, { "destination.geo.country_name": "icons", - "destination.ip": "10.60.137.215", + "destination.ip": [ + "10.60.137.215" + ], "destination.port": 3266, "event.code": "5155", "event.dataset": "snort.log", @@ -2068,7 +2083,6 @@ "input.type": "log", "log.level": "umqua", "log.offset": 15504, - "network.direction": "internal", "network.protocol": "tcp", "observer.product": "IDS", "observer.type": "IDS", @@ -2169,7 +2183,9 @@ ] }, { - "destination.ip": "10.49.190.163", + "destination.ip": [ + "10.49.190.163" + ], "destination.nat.ip": "10.20.167.114", "destination.nat.port": 6975, "destination.port": 4220, @@ -2181,7 +2197,6 @@ "host.name": "Loremips5368.www5.corp", "input.type": "log", "log.offset": 17035, - "network.direction": "internal", "observer.egress.interface.name": "enp0s484", "observer.ingress.interface.name": "lo7626", "observer.product": "IDS", @@ -2218,7 +2233,9 @@ ] }, { - "destination.ip": "10.162.128.87", + "destination.ip": [ + "10.162.128.87" + ], "event.code": "MALWARE", "event.dataset": "snort.log", "event.module": "snort", @@ -2227,7 +2244,6 @@ "host.name": "mexer1548.www5.example", "input.type": "log", "log.offset": 17238, - "network.direction": "internal", "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", @@ -2255,7 +2271,9 @@ ] }, { - "destination.ip": "10.82.180.46", + "destination.ip": [ + "10.82.180.46" + ], "event.code": "MALWARE", "event.dataset": "snort.log", "event.module": "snort", @@ -2264,7 +2282,6 @@ "host.name": "emulla6625.www5.corp", "input.type": "log", "log.offset": 17380, - "network.direction": "internal", "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", @@ -2293,7 +2310,9 @@ }, { "destination.geo.country_name": "quovol", - "destination.ip": "10.180.28.156", + "destination.ip": [ + "10.180.28.156" + ], "destination.port": 4665, "event.code": "5315", "event.dataset": "snort.log", 
@@ -2304,7 +2323,6 @@ "input.type": "log", "log.level": "aturQui", "log.offset": 17526, - "network.direction": "internal", "network.protocol": "icmp", "observer.product": "IDS", "observer.type": "IDS", @@ -2376,7 +2394,9 @@ }, { "destination.bytes": 4280, - "destination.ip": "10.166.10.187", + "destination.ip": [ + "10.166.10.187" + ], "destination.port": 793, "event.action": "block", "event.code": "NGIPS_events", @@ -2389,7 +2409,6 @@ "log.level": "very", "log.offset": 17884, "network.application": "tuserror", - "network.direction": "internal", "network.protocol": "igmp", "observer.egress.interface.name": "lo2032", "observer.product": "IDS", @@ -2462,7 +2481,9 @@ ] }, { - "destination.ip": "10.78.180.219", + "destination.ip": [ + "10.78.180.219" + ], "event.code": "MALWARE", "event.dataset": "snort.log", "event.module": "snort", @@ -2471,7 +2492,6 @@ "host.name": "ita7851.localhost", "input.type": "log", "log.offset": 19724, - "network.direction": "internal", "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", @@ -2500,7 +2520,9 @@ }, { "destination.geo.country_name": "maccusan", - "destination.ip": "10.232.67.182", + "destination.ip": [ + "10.232.67.182" + ], "destination.port": 2086, "event.code": "26152", "event.dataset": "snort.log", @@ -2511,7 +2533,6 @@ "input.type": "log", "log.level": "ionu", "log.offset": 19864, - "network.direction": "internal", "network.interface.name": "enp0s2413", "network.protocol": "ggp", "observer.product": "IDS", @@ -2552,7 +2573,9 @@ ] }, { - "destination.ip": "10.95.152.78", + "destination.ip": [ + "10.95.152.78" + ], "destination.port": 1267, "event.code": "9193", "event.dataset": "snort.log", @@ -2563,7 +2586,6 @@ "input.type": "log", "log.level": "periam", "log.offset": 20125, - "network.direction": "internal", "network.protocol": "ggp", "observer.product": "IDS", "observer.type": "IDS", 
@@ -2706,7 +2728,9 @@ ] }, { - "destination.ip": "10.216.14.36", + "destination.ip": [ + "10.216.14.36" + ], "event.code": "MALWARE", "event.dataset": "snort.log", "event.module": "snort", @@ -2715,7 +2739,6 @@ "host.name": "essequ121.localdomain", "input.type": "log", "log.offset": 21841, - "network.direction": "internal", "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", @@ -2743,7 +2766,9 @@ ] }, { - "destination.ip": "10.231.10.63", + "destination.ip": [ + "10.231.10.63" + ], "event.code": "10329", "event.dataset": "snort.log", "event.module": "snort", @@ -2753,7 +2778,6 @@ "input.type": "log", "log.level": "upt", "log.offset": 21984, - "network.direction": "internal", "network.protocol": "ggp", "observer.product": "IDS", "observer.type": "IDS", @@ -2795,7 +2819,9 @@ }, { "destination.bytes": 560, - "destination.ip": "10.29.231.11", + "destination.ip": [ + "10.29.231.11" + ], "destination.port": 2231, "event.action": "cancel", "event.code": "NGIPS_events", @@ -2808,7 +2834,6 @@ "log.level": "high", "log.offset": 22224, "network.application": "atat", - "network.direction": "internal", "network.protocol": "tcp", "observer.egress.interface.name": "eth1891", "observer.product": "IDS", @@ -2949,7 +2974,9 @@ }, { "destination.bytes": 1881, - "destination.ip": "10.135.250.25", + "destination.ip": [ + "10.135.250.25" + ], "destination.port": 1306, "event.action": "block", "event.code": "NGIPS_events", @@ -2962,7 +2989,6 @@ "log.level": "low", "log.offset": 24183, "network.application": "tlabor", - "network.direction": "internal", "network.protocol": "ggp", "observer.egress.interface.name": "lo3342", "observer.product": "IDS", @@ -3066,7 +3092,9 @@ "user.name": "iscing" }, { - "destination.ip": "10.5.88.183", + "destination.ip": [ + "10.5.88.183" + ], "destination.port": 7518, "event.code": "FTD_events", "event.dataset": "snort.log", 
@@ -3076,7 +3104,6 @@ "host.name": "onsecte5119.www.invalid", "input.type": "log", "log.offset": 24956, - "network.direction": "internal", "network.protocol": "icmp", "observer.ingress.interface.name": "enp0s3923", "observer.product": "IDS", @@ -3315,7 +3342,9 @@ }, { "destination.bytes": 4560, - "destination.ip": "10.186.68.87", + "destination.ip": [ + "10.186.68.87" + ], "destination.port": 2129, "event.action": "allow", "event.code": "NGIPS_events", @@ -3328,7 +3357,6 @@ "log.level": "medium", "log.offset": 28227, "network.application": "labo", - "network.direction": "internal", "network.protocol": "ipv6-icmp", "observer.egress.interface.name": "eth2658", "observer.product": "IDS", @@ -3369,7 +3397,9 @@ }, { "destination.bytes": 584, - "destination.ip": "10.67.211.63", + "destination.ip": [ + "10.67.211.63" + ], "destination.port": 7478, "event.action": "allow", "event.code": "NGIPS_events", @@ -3382,7 +3412,6 @@ "log.level": "medium", "log.offset": 28825, "network.application": "Ciceroin", - "network.direction": "internal", "network.protocol": "udp", "observer.egress.interface.name": "eth3613", "observer.product": "IDS", @@ -3553,7 +3582,9 @@ "user.name": "uptate" }, { - "destination.ip": "10.179.27.185", + "destination.ip": [ + "10.179.27.185" + ], "event.code": "MALWARE", "event.dataset": "snort.log", "event.module": "snort", @@ -3562,7 +3593,6 @@ "host.name": "cididu3187.home", "input.type": "log", "log.offset": 29815, - "network.direction": "internal", "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", @@ -3728,7 +3758,9 @@ "user.name": "ctobea" }, { - "destination.ip": "10.118.103.185", + "destination.ip": [ + "10.118.103.185" + ], "destination.nat.ip": "10.240.77.10", "destination.nat.port": 2226, "destination.port": 1333, 
@@ -3740,7 +3772,6 @@
 "host.name": "erunt3957.internal.lan",
 "input.type": "log",
 "log.offset": 30328,
- "network.direction": "internal",
 "observer.egress.interface.name": "lo2571",
 "observer.ingress.interface.name": "lo5895",
 "observer.product": "IDS",
@@ -3777,7 +3808,9 @@
 ]
 },
 {
- "destination.ip": "10.111.130.177",
+ "destination.ip": [
+ "10.111.130.177"
+ ],
 "event.code": "MALWARE",
 "event.dataset": "snort.log",
 "event.module": "snort",
@@ -3786,7 +3819,6 @@
 "host.name": "ntNe7144.api.lan",
 "input.type": "log",
 "log.offset": 30540,
- "network.direction": "internal",
 "observer.product": "IDS",
 "observer.type": "IDS",
 "observer.vendor": "Snort",
diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml
index 514b033f62ad..55c3bcaf817a 100644
--- a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml
+++ b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml
@@ -39,13 +39,6 @@ processors:
 {{ if .community_id }}
 - community_id: ~
 {{ end }}
-{{ if .internal_networks }}
-- add_network_direction:
- source: source.ip
- destination: destination.ip
- target: network.direction
- internal_networks: {{ .internal_networks | tojson }}
-{{ end }}
 - registered_domain:
 ignore_missing: true
 ignore_failure: true
diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js
index 935bed305a8e..cec99a043e86 100644
--- a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js
+++ b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js
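Review bot: Dropping the `add_network_direction` block removes `network.direction` from every sonicwall event (the fixture hunks in this patch delete `"network.direction": "internal"` accordingly), which silently breaks any detection rule or dashboard that filters on that field, and nothing in the hunk marks it as a breaking change. If the reason is that `source.ip`/`destination.ip` become multi-valued under the `fld_append` mapping in liblogparser.js, that is worth stating where the block was, e.g. `# add_network_direction removed: source.ip/destination.ip are multi-valued for this fileset`, and calling out in the CHANGELOG. The `community_id: ~` step kept three lines above reads the same two fields, so it should be verified to still produce a flow hash under the array shape rather than skipping silently. The `internal_networks` var is also removed from manifest.yml further down, so existing module configs that set it should be checked to still load.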
@@ -1007,8 +1007,8 @@ var ecs_mappings = {
 "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
 "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
 "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
 "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
 "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
 "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
@@ -1088,8 +1088,8 @@ var ecs_mappings = {
 "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
 "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
 "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
 "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
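Review bot: Switching `daddr`/`daddr_v6` from `fld_set` to `fld_append` turns `destination.ip` into an array (the expected-output fixtures in this patch now show `"destination.ip": ["10.208.15.216"]`), while ECS defines `source.ip` and `destination.ip` as single-valued `ip` fields, so consumers that read them as one value — detection rules, visualizations, and processors such as the `community_id` step still run from config/input.yml — may fail or silently skip these events. If the motivation is that a message can carry both an IPv4 and an IPv6 address, a mapping that keeps the scalar contract is `setter: fld_prio` with `daddr` and `daddr_v6` at different priorities, as `devicehostip` already does on the line below, leaving `related.ip` to carry the full list. The `saddr`/`saddr_v6` hunk at -1088 has the same issue. Since liblogparser.js is shared by the RSA-based modules, the reason this fileset deviates from the scalar shape deserves a comment next to these entries.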
diff --git a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml index 16e3130f2239..f9949f03fd52 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml @@ -20,8 +20,6 @@ var: default: false - name: debug default: false - - name: internal_networks - default: [ private ] ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json index fca66478545a..5f03c23e5dad 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json @@ -29,7 +29,9 @@ "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, - "source.ip": "2.2.2.2", + "source.ip": [ + "2.2.2.2" + ], "source.port": 36701, "tags": [ "forwarded", @@ -93,7 +95,9 @@ "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, - "source.ip": "2.2.2.2", + "source.ip": [ + "2.2.2.2" + ], "source.port": 36702, "tags": [ "forwarded", @@ -242,7 +246,9 @@ "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, - "source.ip": "2.2.2.2", + "source.ip": [ + "2.2.2.2" + ], "source.port": 36703, "tags": [ "forwarded", @@ -306,7 +312,9 @@ "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, - "source.ip": "2.2.2.2", + "source.ip": [ + "2.2.2.2" + ], "source.port": 36704, "tags": [ "forwarded", @@ -342,7 +350,9 @@ "source.geo.country_name": "New Zealand", "source.geo.location.lat": -41.0, "source.geo.location.lon": 174.0, - "source.ip": "219.89.19.223", + "source.ip": [ + "219.89.19.223" + ], "source.port": 1026, "tags": [ "forwarded", 
@@ -429,7 +439,9 @@ "source.geo.country_name": "Australia", "source.geo.location.lat": -33.494, "source.geo.location.lon": 143.2104, - "source.ip": "1.1.1.1", + "source.ip": [ + "1.1.1.1" + ], "source.port": 500, "tags": [ "forwarded", @@ -479,7 +491,9 @@ "rsa.network.sinterface": "WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "rsa.time.event_time": "2007-01-03T16:48:15.000Z", "service.type": "sonicwall", - "source.ip": "192.168.115.10", + "source.ip": [ + "192.168.115.10" + ], "source.port": 11549, "tags": [ "forwarded", @@ -509,7 +523,9 @@ "rsa.network.sinterface": "LAN dst=192.168.1.100:445:WAN proto=tcp/445", "rsa.time.event_time": "2007-01-03T16:48:17.000Z", "service.type": "sonicwall", - "source.ip": "192.168.5.64", + "source.ip": [ + "192.168.5.64" + ], "source.port": 3182, "tags": [ "forwarded", @@ -595,7 +611,9 @@ "rsa.network.sinterface": "WAN dst=192.168.5.10:3582:LAN proto=udp/3582", "rsa.time.event_time": "2007-01-03T16:48:20.000Z", "service.type": "sonicwall", - "source.ip": "192.168.125.75", + "source.ip": [ + "192.168.125.75" + ], "source.port": 524, "tags": [ "forwarded", @@ -625,7 +643,9 @@ "rsa.network.sinterface": "WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "rsa.time.event_time": "2007-01-03T16:48:21.000Z", "service.type": "sonicwall", - "source.ip": "192.168.6.10", + "source.ip": [ + "192.168.6.10" + ], "source.port": 28503, "tags": [ "forwarded", diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 469624f3be76..296004b2c9d0 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -1,7 +1,9 @@ [ { "@timestamp": "2016-01-29T08:09:59.000Z", - "destination.ip": "10.208.15.216", + "destination.ip": [ + "10.208.15.216" + ], "destination.port": 4257, "event.code": "1197", "event.dataset": "sonicwall.firewall", 
@@ -11,7 +13,6 @@ "input.type": "log", "log.offset": 0, "log.original": "itv", - "network.direction": "internal", "network.protocol": "udp", "observer.egress.interface.name": "lo6125", "observer.ingress.interface.name": "eth5722", @@ -30,7 +31,9 @@ "rsa.time.date": "2016/01/29", "rsa.time.event_time": "2016-01-29T08:09:59.000Z", "service.type": "sonicwall", - "source.ip": "10.20.234.169", + "source.ip": [ + "10.20.234.169" + ], "source.port": 1001, "tags": [ "forwarded", @@ -101,7 +104,9 @@ }, { "@timestamp": "2016-03-12T05:17:42.000Z", - "destination.ip": "10.227.15.1", + "destination.ip": [ + "10.227.15.1" + ], "destination.mac": "01:00:5e:f7:a9:ff", "destination.port": 410, "event.action": "allow", @@ -114,7 +119,6 @@ "input.type": "log", "log.level": "medium", "log.offset": 538, - "network.direction": "internal", "network.protocol": "rdp", "observer.egress.interface.name": "eth1977", "observer.ingress.interface.name": "eth6183", @@ -140,7 +144,9 @@ "rsa.time.date": "2016-3-12", "rsa.time.event_time": "2016-03-12T05:17:42.000Z", "service.type": "sonicwall", - "source.ip": "10.150.156.22", + "source.ip": [ + "10.150.156.22" + ], "source.mac": "01:00:5e:84:66:6c", "source.port": 6378, "tags": [ @@ -191,7 +197,9 @@ }, { "@timestamp": "2016-04-24T02:25:25.000Z", - "destination.ip": "10.13.70.213", + "destination.ip": [ + "10.13.70.213" + ], "event.code": "372", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -200,7 +208,6 @@ "input.type": "log", "log.offset": 1033, "log.original": "llu", - "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -213,7 +220,9 @@ "rsa.time.date": "2016/04/24", "rsa.time.event_time": "2016-04-24T02:25:25.000Z", "service.type": "sonicwall", - "source.ip": "10.95.245.65", + "source.ip": [ + "10.95.245.65" + ], "tags": [ "forwarded", "sonicwall.firewall" 
@@ -282,7 +291,9 @@ }, { "@timestamp": "2016-06-20T06:35:42.000Z", - "destination.ip": "10.16.52.205", + "destination.ip": [ + "10.16.52.205" + ], "event.action": "accept", "event.code": "139", "event.dataset": "sonicwall.firewall", @@ -291,7 +302,6 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 1567, - "network.direction": "internal", "observer.ingress.interface.name": "enp0s2489", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -307,7 +317,9 @@ "rsa.network.sinterface": "enp0s2489", "rsa.time.event_time": "2016-06-20T06:35:42.000Z", "service.type": "sonicwall", - "source.ip": "10.136.153.149", + "source.ip": [ + "10.136.153.149" + ], "source.port": 3788, "tags": [ "forwarded", @@ -559,7 +571,9 @@ }, { "@timestamp": "2016-11-24T12:03:59.000Z", - "destination.ip": "10.206.136.206", + "destination.ip": [ + "10.206.136.206" + ], "destination.port": 4108, "event.code": "242", "event.dataset": "sonicwall.firewall", @@ -569,7 +583,6 @@ "input.type": "log", "log.offset": 3028, "log.original": "imidest", - "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -582,7 +595,9 @@ "rsa.time.date": "2016/11/24", "rsa.time.event_time": "2016-11-24T12:03:59.000Z", "service.type": "sonicwall", - "source.ip": "10.153.136.222", + "source.ip": [ + "10.153.136.222" + ], "tags": [ "forwarded", "sonicwall.firewall" @@ -590,7 +605,9 @@ }, { "@timestamp": "2016-12-08T19:06:33.000Z", - "destination.ip": "10.239.201.234", + "destination.ip": [ + "10.239.201.234" + ], "event.code": "87", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -599,7 +616,6 @@ "input.type": "log", "log.offset": 3184, "log.original": "Loremip", - "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", 
@@ -612,7 +628,9 @@ "rsa.time.date": "2016/12/08", "rsa.time.event_time": "2016-12-08T19:06:33.000Z", "service.type": "sonicwall", - "source.ip": "10.204.11.20", + "source.ip": [ + "10.204.11.20" + ], "tags": [ "forwarded", "sonicwall.firewall" @@ -620,7 +638,9 @@ }, { "@timestamp": "2016-12-23T14:09:07.000Z", - "destination.ip": "10.219.116.137", + "destination.ip": [ + "10.219.116.137" + ], "destination.mac": "01:00:5e:e1:73:47", "destination.port": 3452, "event.action": "accept", @@ -633,7 +653,6 @@ "input.type": "log", "log.level": "very-high", "log.offset": 3331, - "network.direction": "internal", "network.protocol": "icmp", "observer.egress.interface.name": "enp0s3611", "observer.ingress.interface.name": "eth4059", @@ -659,7 +678,9 @@ "rsa.time.date": "2016-12-23", "rsa.time.event_time": "2016-12-23T14:09:07.000Z", "service.type": "sonicwall", - "source.ip": "10.245.200.97", + "source.ip": [ + "10.245.200.97" + ], "source.mac": "01:00:5e:1a:ec:91", "source.port": 3768, "tags": [ @@ -669,7 +690,9 @@ }, { "@timestamp": "2017-01-06T09:11:41.000Z", - "destination.ip": "10.252.122.195", + "destination.ip": [ + "10.252.122.195" + ], "event.code": "401", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -678,7 +701,6 @@ "input.type": "log", "log.offset": 3587, "log.original": "inesci", - "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -692,7 +714,9 @@ "rsa.time.date": "2017/01/06", "rsa.time.event_time": "2017-01-06T09:11:41.000Z", "service.type": "sonicwall", - "source.ip": "10.118.80.140", + "source.ip": [ + "10.118.80.140" + ], "tags": [ "forwarded", "sonicwall.firewall" @@ -784,7 +808,9 @@ }, { "@timestamp": "2017-03-18T08:24:33.000Z", - "destination.ip": "10.30.153.159", + "destination.ip": [ + "10.30.153.159" + ], "destination.port": 6843, "event.action": "cancel", "event.code": "794", 
@@ -794,7 +820,6 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 4257, - "network.direction": "internal", "network.protocol": "icmp", "observer.egress.interface.name": "enp0s6487", "observer.ingress.interface.name": "lo6501", @@ -816,7 +841,9 @@ "rsa.time.date": "2017-3-18", "rsa.time.event_time": "2017-03-18T08:24:33.000Z", "service.type": "sonicwall", - "source.ip": "10.86.101.235", + "source.ip": [ + "10.86.101.235" + ], "source.port": 3266, "tags": [ "forwarded", @@ -867,7 +894,9 @@ }, { "@timestamp": "2017-04-30T17:32:16.000Z", - "destination.ip": "10.162.172.28", + "destination.ip": [ + "10.162.172.28" + ], "event.code": "255", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -876,7 +905,6 @@ "input.type": "log", "log.offset": 4750, "log.original": "nre", - "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -888,7 +916,9 @@ "rsa.internal.msg": "nre", "rsa.time.event_time": "2017-04-30T17:32:16.000Z", "service.type": "sonicwall", - "source.ip": "10.237.163.139", + "source.ip": [ + "10.237.163.139" + ], "tags": [ "forwarded", "sonicwall.firewall" @@ -921,7 +951,9 @@ "rsa.network.sinterface": "eth4488", "rsa.time.event_time": "2017-05-15T00:34:50.000Z", "service.type": "sonicwall", - "source.ip": "10.191.23.41", + "source.ip": [ + "10.191.23.41" + ], "source.port": 1493, "tags": [ "forwarded", @@ -1030,7 +1062,9 @@ }, { "@timestamp": "2017-07-25T11:47:41.000Z", - "destination.ip": "10.131.61.13", + "destination.ip": [ + "10.131.61.13" + ], "event.action": "accept", "event.code": "538", "event.dataset": "sonicwall.firewall", @@ -1039,7 +1073,6 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 5613, - "network.direction": "internal", "observer.ingress.interface.name": "lo3470", "observer.product": "Firewalls", "observer.type": "Firewall", 
@@ -1056,7 +1089,9 @@ "rsa.time.date": "2017/07/25", "rsa.time.event_time": "2017-07-25T11:47:41.000Z", "service.type": "sonicwall", - "source.ip": "10.143.76.137", + "source.ip": [ + "10.143.76.137" + ], "source.port": 1414, "tags": [ "forwarded", @@ -1238,7 +1273,9 @@ }, { "@timestamp": "2017-11-16T20:08:15.000Z", - "destination.ip": "10.192.27.157", + "destination.ip": [ + "10.192.27.157" + ], "event.action": "accept", "event.code": "140", "event.dataset": "sonicwall.firewall", @@ -1247,7 +1284,6 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 6746, - "network.direction": "internal", "observer.ingress.interface.name": "enp0s5632", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -1263,7 +1299,9 @@ "rsa.network.sinterface": "enp0s5632", "rsa.time.event_time": "2017-11-16T20:08:15.000Z", "service.type": "sonicwall", - "source.ip": "10.230.173.4", + "source.ip": [ + "10.230.173.4" + ], "source.port": 2631, "tags": [ "forwarded", @@ -1315,7 +1353,9 @@ { "@timestamp": "2017-12-29T17:15:58.000Z", "destination.bytes": 6587, - "destination.ip": "10.190.175.158", + "destination.ip": [ + "10.190.175.158" + ], "destination.port": 7005, "event.code": "195", "event.dataset": "sonicwall.firewall", @@ -1325,7 +1365,6 @@ "input.type": "log", "log.offset": 7140, "log.original": "taevita", - "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -1338,7 +1377,9 @@ "rsa.time.date": "2017/12/29", "rsa.time.event_time": "2017-12-29T17:15:58.000Z", "service.type": "sonicwall", - "source.ip": "10.227.15.253", + "source.ip": [ + "10.227.15.253" + ], "source.port": 271, "tags": [ "forwarded", @@ -1368,7 +1409,9 @@ }, { "@timestamp": "2018-01-27T07:21:06.000Z", - "destination.ip": "10.15.97.155", + "destination.ip": [ + "10.15.97.155" + ], "destination.port": 5935, "event.action": "block", "event.code": "616", 
@@ -1378,7 +1421,6 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 7426, - "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -1393,7 +1435,9 @@ "rsa.time.date": "2018/01/27", "rsa.time.event_time": "2018-01-27T07:21:06.000Z", "service.type": "sonicwall", - "source.ip": "10.29.155.171", + "source.ip": [ + "10.29.155.171" + ], "source.port": 1871, "tags": [ "forwarded", @@ -1468,7 +1512,9 @@ }, { "@timestamp": "2018-03-25T11:31:24.000Z", - "destination.ip": "10.25.32.107", + "destination.ip": [ + "10.25.32.107" + ], "event.code": "261", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -1477,7 +1523,6 @@ "input.type": "log", "log.offset": 7907, "log.original": "lor", - "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -1493,7 +1538,9 @@ "rsa.time.date": "2018/03/25", "rsa.time.event_time": "2018-03-25T11:31:24.000Z", "service.type": "sonicwall", - "source.ip": "10.18.204.87", + "source.ip": [ + "10.18.204.87" + ], "tags": [ "forwarded", "sonicwall.firewall" @@ -1502,7 +1549,9 @@ }, { "@timestamp": "2018-04-08T06:33:58.000Z", - "destination.ip": "10.246.0.167", + "destination.ip": [ + "10.246.0.167" + ], "destination.mac": "01:00:5e:2c:22:06", "destination.port": 2189, "event.action": "block", @@ -1515,7 +1564,6 @@ "input.type": "log", "log.level": "medium", "log.offset": 8059, - "network.direction": "internal", "network.protocol": "icmp", "observer.egress.interface.name": "eth2632", "observer.ingress.interface.name": "lo3856", @@ -1541,7 +1589,9 @@ "rsa.time.date": "2018-4-8", "rsa.time.event_time": "2018-04-08T06:33:58.000Z", "service.type": "sonicwall", - "source.ip": "10.71.238.250", + "source.ip": [ + "10.71.238.250" + ], "source.mac": "01:00:5e:7c:42:0b", "source.port": 41, "tags": [ 
@@ -1551,7 +1601,9 @@ }, { "@timestamp": "2018-04-22T13:36:32.000Z", - "destination.ip": "10.176.209.227", + "destination.ip": [ + "10.176.209.227" + ], "destination.port": 6362, "event.action": "allow", "event.code": "794", @@ -1561,7 +1613,6 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 8303, - "network.direction": "internal", "network.protocol": "ipv6", "observer.egress.interface.name": "eth7037", "observer.ingress.interface.name": "enp0s5411", @@ -1583,7 +1634,9 @@ "rsa.time.date": "2018-4-22", "rsa.time.event_time": "2018-04-22T13:36:32.000Z", "service.type": "sonicwall", - "source.ip": "10.13.66.97", + "source.ip": [ + "10.13.66.97" + ], "source.port": 2000, "tags": [ "forwarded", @@ -1643,7 +1696,9 @@ }, { "@timestamp": "2018-06-04T22:44:15.000Z", - "destination.ip": "10.187.210.173", + "destination.ip": [ + "10.187.210.173" + ], "event.code": "255", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", @@ -1652,7 +1707,6 @@ "input.type": "log", "log.offset": 8821, "log.original": "quamnih", - "network.direction": "internal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -1665,7 +1719,9 @@ "rsa.time.date": "2018/06/04", "rsa.time.event_time": "2018-06-04T22:44:15.000Z", "service.type": "sonicwall", - "source.ip": "10.44.150.31", + "source.ip": [ + "10.44.150.31" + ], "tags": [ "forwarded", "sonicwall.firewall" @@ -1673,7 +1729,9 @@ }, { "@timestamp": "2018-06-19T05:46:49.000Z", - "destination.ip": "10.251.248.228", + "destination.ip": [ + "10.251.248.228" + ], "destination.mac": "01:00:5e:c3:ed:55", "destination.port": 6909, "event.action": "deny", @@ -1686,7 +1744,6 @@ "input.type": "log", "log.level": "low", "log.offset": 8976, - "network.direction": "internal", "network.protocol": "udp", "observer.ingress.interface.name": "eth163", "observer.product": "Firewalls", 
@@ -1710,7 +1767,9 @@ "rsa.time.date": "2018-6-19", "rsa.time.event_time": "2018-06-19T05:46:49.000Z", "service.type": "sonicwall", - "source.ip": "10.113.100.237", + "source.ip": [ + "10.113.100.237" + ], "source.mac": "01:00:5e:8b:c1:b4", "source.port": 3887, "tags": [ @@ -1784,7 +1843,9 @@ }, { "@timestamp": "2018-08-15T09:57:06.000Z", - "destination.ip": "10.50.44.5", + "destination.ip": [ + "10.50.44.5" + ], "destination.port": 7668, "event.action": "block", "event.code": "237", @@ -1794,7 +1855,6 @@ "fileset.name": "firewall", "input.type": "log", "log.offset": 9550, - "network.direction": "internal", "observer.egress.interface.name": "lo1441", "observer.ingress.interface.name": "enp0s382", "observer.product": "Firewalls", @@ -1812,7 +1872,9 @@ "rsa.network.sinterface": "enp0s382", "rsa.time.event_time": "2018-08-15T09:57:06.000Z", "service.type": "sonicwall", - "source.ip": "10.105.46.101", + "source.ip": [ + "10.105.46.101" + ], "source.port": 3346, "tags": [ "forwarded", @@ -1821,7 +1883,9 @@ }, { "@timestamp": "2018-08-29T16:59:40.000Z", - "destination.ip": "10.52.248.251", + "destination.ip": [ + "10.52.248.251" + ], "destination.port": 5776, "event.code": "328", "event.dataset": "sonicwall.firewall", @@ -1831,7 +1895,6 @@ "input.type": "log", "log.offset": 9729, "log.original": "squ", - "network.direction": "internal", "observer.egress.interface.name": "lo2241", "observer.ingress.interface.name": "eth6291", "observer.product": "Firewalls", @@ -1848,7 +1911,9 @@ "rsa.time.date": "2018/08/29", "rsa.time.event_time": "2018-08-29T16:59:40.000Z", "service.type": "sonicwall", - "source.ip": "10.60.142.127", + "source.ip": [ + "10.60.142.127" + ], "source.port": 1081, "tags": [ "forwarded", @@ -1914,7 +1979,9 @@ }, { "@timestamp": "2018-10-11T14:07:23.000Z", - "destination.ip": "10.115.38.80", + "destination.ip": [ + "10.115.38.80" + ], "event.code": "441", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", 
@@ -1923,7 +1990,6 @@
 "input.type": "log",
 "log.offset": 10161,
 "log.original": "labor",
- "network.direction": "internal",
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -1936,7 +2002,9 @@
 "rsa.time.date": "2018/10/11",
 "rsa.time.event_time": "2018-10-11T14:07:23.000Z",
 "service.type": "sonicwall",
- "source.ip": "10.240.54.28",
+ "source.ip": [
+ "10.240.54.28"
+ ],
 "tags": [
 "forwarded",
 "sonicwall.firewall"
@@ -1965,7 +2033,9 @@
 },
 {
 "@timestamp": "2018-11-09T04:12:32.000Z",
- "destination.ip": "10.104.49.142",
+ "destination.ip": [
+ "10.104.49.142"
+ ],
 "event.code": "252",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
@@ -1974,7 +2044,6 @@
 "input.type": "log",
 "log.offset": 10428,
 "log.original": "eprehend",
- "network.direction": "internal",
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -1987,7 +2056,9 @@
 "rsa.time.date": "2018/11/09",
 "rsa.time.event_time": "2018-11-09T04:12:32.000Z",
 "service.type": "sonicwall",
- "source.ip": "10.102.166.19",
+ "source.ip": [
+ "10.102.166.19"
+ ],
 "tags": [
 "forwarded",
 "sonicwall.firewall"
@@ -1995,7 +2066,9 @@
 },
 {
 "@timestamp": "2018-11-23T11:15:06.000Z",
- "destination.ip": "10.120.25.169",
+ "destination.ip": [
+ "10.120.25.169"
+ ],
 "destination.port": 1965,
 "event.action": "block",
 "event.code": "199",
@@ -2005,7 +2078,6 @@
 "fileset.name": "firewall",
 "input.type": "log",
 "log.offset": 10577,
- "network.direction": "internal",
 "observer.egress.interface.name": "lo4527",
 "observer.ingress.interface.name": "lo4991",
 "observer.product": "Firewalls",
@@ -2024,7 +2096,9 @@
 "rsa.time.date": "2018/11/23",
 "rsa.time.event_time": "2018-11-23T11:15:06.000Z",
 "service.type": "sonicwall",
- "source.ip": "10.203.77.154",
+ "source.ip": [
+ "10.203.77.154"
+ ],
 "source.port": 3916,
 "tags": [
 "forwarded",
@@ -2075,7 +2149,9 @@
 {
 "@timestamp": "2019-01-05T08:22:49.000Z",
 "destination.bytes": 1629,
- "destination.ip": "10.137.217.159",
+ "destination.ip": [
+ "10.137.217.159"
+ ],
 "destination.port": 563,
 "event.code": "195",
 "event.dataset": "sonicwall.firewall",
@@ -2085,7 +2161,6 @@
 "input.type": "log",
 "log.offset": 10985,
 "log.original": "rorsit",
- "network.direction": "internal",
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -2098,7 +2173,9 @@
 "rsa.time.date": "2019/01/05",
 "rsa.time.event_time": "2019-01-05T08:22:49.000Z",
 "service.type": "sonicwall",
- "source.ip": "10.77.95.12",
+ "source.ip": [
+ "10.77.95.12"
+ ],
 "source.port": 2310,
 "tags": [
 "forwarded",
@@ -2245,7 +2322,9 @@
 },
 {
 "@timestamp": "2019-04-01T02:38:14.000Z",
- "destination.ip": "10.88.244.209",
+ "destination.ip": [
+ "10.88.244.209"
+ ],
 "destination.port": 6953,
 "event.code": "97",
 "event.dataset": "sonicwall.firewall",
@@ -2254,7 +2333,6 @@
 "fileset.name": "firewall",
 "input.type": "log",
 "log.offset": 11885,
- "network.direction": "internal",
 "network.protocol": "ipv6-icmp",
 "observer.egress.interface.name": "enp0s2460",
 "observer.ingress.interface.name": "enp0s3423",
@@ -2273,7 +2351,9 @@
 "rsa.time.event_time": "2019-04-01T02:38:14.000Z",
 "service.type": "sonicwall",
 "source.bytes": 5835,
- "source.ip": "10.152.35.175",
+ "source.ip": [
+ "10.152.35.175"
+ ],
 "source.port": 2737,
 "tags": [
 "forwarded",
@@ -2284,7 +2364,9 @@
 "@timestamp": "2019-04-15T09:40:49.000Z",
 "destination.address": "ugitsedq5067.internal.test",
 "destination.bytes": 1635,
- "destination.ip": "10.107.216.138",
+ "destination.ip": [
+ "10.107.216.138"
+ ],
 "destination.port": 3147,
 "event.action": "accept",
 "event.code": "537",
@@ -2294,7 +2376,6 @@
 "fileset.name": "firewall",
 "input.type": "log",
 "log.offset": 12100,
- "network.direction": "internal",
 "network.protocol": "rdp",
 "observer.egress.interface.name": "lo5057",
 "observer.product": "Firewalls",
@@ -2316,7 +2397,9 @@
 "rsa.time.event_time": "2019-04-15T09:40:49.000Z",
 "service.type": "sonicwall",
 "source.bytes": 5943,
- "source.ip": "10.132.171.15",
+ "source.ip": [
+ "10.132.171.15"
+ ],
 "tags": [
 "forwarded",
 "sonicwall.firewall"
@@ -2345,7 +2428,9 @@
 },
 {
 "@timestamp": "2019-05-13T23:45:57.000Z",
- "destination.ip": "10.195.223.82",
+ "destination.ip": [
+ "10.195.223.82"
+ ],
 "event.code": "351",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
@@ -2354,7 +2439,6 @@
 "input.type": "log",
 "log.offset": 12443,
 "log.original": "CSe",
- "network.direction": "internal",
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -2367,7 +2451,9 @@
 "rsa.time.date": "2019/05/13",
 "rsa.time.event_time": "2019-05-13T23:45:57.000Z",
 "service.type": "sonicwall",
- "source.ip": "10.135.70.159",
+ "source.ip": [
+ "10.135.70.159"
+ ],
 "tags": [
 "forwarded",
 "sonicwall.firewall"
@@ -2375,7 +2461,9 @@
 },
 {
 "@timestamp": "2019-05-28T06:48:31.000Z",
- "destination.ip": "10.142.120.198",
+ "destination.ip": [
+ "10.142.120.198"
+ ],
 "event.code": "261",
 "event.dataset": "sonicwall.firewall",
 "event.module": "sonicwall",
@@ -2384,7 +2472,6 @@
 "input.type": "log",
 "log.offset": 12591,
 "log.original": "rsitvolu",
- "network.direction": "internal",
 "observer.ingress.interface.name": "eth3249",
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
@@ -2402,7 +2489,9 @@
 "rsa.time.date": "2019/05/28",
 "rsa.time.event_time": "2019-05-28T06:48:31.000Z",
 "service.type": "sonicwall",
- "source.ip": "10.22.244.71",
+ "source.ip": [
+ "10.22.244.71"
+ ],
 "source.port": 1865,
 "tags": [
 "forwarded",
@@ -2528,7 +2617,9 @@
 {
 "@timestamp": "2019-08-22T01:03:57.000Z",
 "destination.bytes": 7416,
- "destination.ip": "10.117.63.181",
+ "destination.ip": [
+ "10.117.63.181"
+ ],
 "destination.port": 6863,
 "event.code": "195",
 "event.dataset": "sonicwall.firewall",
@@ -2538,7 +2629,6 @@
 "input.type": "log",
 "log.offset": 13364,
 "log.original": "magnaal",
- "network.direction": "internal",
 "observer.product": "Firewalls",
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
@@ -2551,7 +2641,9 @@
 "rsa.time.date": "2019/08/21",
 "rsa.time.event_time": "2019-08-22T01:03:57.000Z",
 "service.type": "sonicwall",
- "source.ip": "10.222.169.140",
+ "source.ip": [
+ "10.222.169.140"
+ ],
 "source.port": 5299,
 "tags": [
 "forwarded",
@@ -2604,7 +2696,9 @@
 },
 {
 "@timestamp": "2019-10-03T10:11:40.000Z",
- "destination.ip": "10.200.122.184",
+ "destination.ip": [
+ "10.200.122.184"
+ ],
 "destination.port": 1176,
 "event.action": "allow",
 "event.code": "794",
@@ -2614,7 +2708,6 @@
 "fileset.name": "firewall",
 "input.type": "log",
 "log.offset": 13775,
- "network.direction": "internal",
 "network.protocol": "rdp",
 "observer.egress.interface.name": "eth5397",
 "observer.ingress.interface.name": "lo1325",
@@ -2636,7 +2729,9 @@
 "rsa.time.date": "2019-10-3",
 "rsa.time.event_time": "2019-10-03T10:11:40.000Z",
 "service.type": "sonicwall",
- "source.ip": "10.57.255.4",
+ "source.ip": [
+ "10.57.255.4"
+ ],
 "source.port": 239,
 "tags": [
 "forwarded",
@@ -2718,7 +2813,9 @@
 },
 {
 "@timestamp": "2019-11-30T02:21:57.000Z",
- "destination.ip": "10.119.4.120",
+ "destination.ip": [
+ "10.119.4.120"
+ ],
 "destination.port": 3822,
 "event.code": "520",
 "event.dataset": "sonicwall.firewall",
@@ -2728,7 +2825,6 @@
 "input.type": "log",
 "log.offset": 14380,
 "log.original": "itse",
- "network.direction": "internal",
 "observer.egress.interface.name": "enp0s234",
 "observer.ingress.interface.name": "lo5561",
 "observer.product": "Firewalls",
@@ -2745,7 +2841,9 @@
 "rsa.time.date": "2019/11/30",
 "rsa.time.event_time": "2019-11-30T02:21:57.000Z",
 "service.type": "sonicwall",
- "source.ip": "10.167.9.200",
+ "source.ip": [
+ "10.167.9.200"
+ ],
 "source.port": 4003,
 "tags": [
 "forwarded",
diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json index ee6333827868..611d4b41bdac 100644 --- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json @@ -263,8 +263,8 @@ "source.packets": 0, "source.port": 46408, "tags": [ - "zeek.connection", - "local_orig" + "local_orig", + "zeek.connection" ], "zeek.connection.history": "C", "zeek.connection.local_orig": true, From 6b8ad368950b7b59d9b1f1a043f7918deccd34af Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Fri, 25 Jun 2021 11:58:40 +0000 Subject: [PATCH 8/9] update docs --- filebeat/docs/modules/snort.asciidoc | 9 --------- filebeat/docs/modules/sonicwall.asciidoc | 9 --------- x-pack/filebeat/module/snort/_meta/docs.asciidoc | 9 --------- x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc | 9 --------- 4 files changed, 36 deletions(-) diff --git a/filebeat/docs/modules/snort.asciidoc b/filebeat/docs/modules/snort.asciidoc index 02214e352d7b..ff9d5809ae8e 100644 --- a/filebeat/docs/modules/snort.asciidoc +++ b/filebeat/docs/modules/snort.asciidoc @@ -63,15 +63,6 @@ which causes both ECS and custom fields under `rsa` to be added. Flag to control the addition of the raw parser fields to the event. This fields will be found under `rsa.raw`. The default is false. -`var.internal_networks`:: - -A list of CIDR ranges describing the IP addresses that -you consider internal. This is used in determining the value of -`network.direction`. The values -can be either a CIDR value or one of the named ranges supported by the -<> condition. The default value is `[private]` -which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. - :has-dashboards!: :fileset_ex!: 
diff --git a/filebeat/docs/modules/sonicwall.asciidoc b/filebeat/docs/modules/sonicwall.asciidoc index d76ecc165d03..3994e7d36e49 100644 --- a/filebeat/docs/modules/sonicwall.asciidoc +++ b/filebeat/docs/modules/sonicwall.asciidoc @@ -63,15 +63,6 @@ which causes both ECS and custom fields under `rsa` to be added. Flag to control the addition of the raw parser fields to the event. This fields will be found under `rsa.raw`. The default is false. -`var.internal_networks`:: - -A list of CIDR ranges describing the IP addresses that -you consider internal. This is used in determining the value of -`network.direction`. The values -can be either a CIDR value or one of the named ranges supported by the -<> condition. The default value is `[private]` -which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. - :has-dashboards!: :fileset_ex!: diff --git a/x-pack/filebeat/module/snort/_meta/docs.asciidoc b/x-pack/filebeat/module/snort/_meta/docs.asciidoc index 49171bcf88be..f2ae38f00433 100644 --- a/x-pack/filebeat/module/snort/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/snort/_meta/docs.asciidoc @@ -58,15 +58,6 @@ which causes both ECS and custom fields under `rsa` to be added. Flag to control the addition of the raw parser fields to the event. This fields will be found under `rsa.raw`. The default is false. -`var.internal_networks`:: - -A list of CIDR ranges describing the IP addresses that -you consider internal. This is used in determining the value of -`network.direction`. The values -can be either a CIDR value or one of the named ranges supported by the -<> condition. The default value is `[private]` -which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. - :has-dashboards!: :fileset_ex!: diff --git a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc index cc842fabcee8..9b6620f4e774 100644 --- a/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc 
+++ b/x-pack/filebeat/module/sonicwall/_meta/docs.asciidoc @@ -58,15 +58,6 @@ which causes both ECS and custom fields under `rsa` to be added. Flag to control the addition of the raw parser fields to the event. This fields will be found under `rsa.raw`. The default is false. -`var.internal_networks`:: - -A list of CIDR ranges describing the IP addresses that -you consider internal. This is used in determining the value of -`network.direction`. The values -can be either a CIDR value or one of the named ranges supported by the -<> condition. The default value is `[private]` -which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal. - :has-dashboards!: :fileset_ex!: From 28e08cc4a554b938656f00678f76a3a30ed121bc Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Fri, 25 Jun 2021 14:18:32 +0000 Subject: [PATCH 9/9] missed one --- .../module/snort/log/config/liblogparser.js | 4 +- .../log/test/generated.log-expected.json | 128 +++++++++++++----- 2 files changed, 98 insertions(+), 34 deletions(-) diff --git a/x-pack/filebeat/module/snort/log/config/liblogparser.js b/x-pack/filebeat/module/snort/log/config/liblogparser.js index 5cf4cfee1ae7..cec99a043e86 100644 --- a/x-pack/filebeat/module/snort/log/config/liblogparser.js +++ b/x-pack/filebeat/module/snort/log/config/liblogparser.js 
@@ -1088,8 +1088,8 @@ var ecs_mappings = {
 "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
 "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
 "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
 "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
 "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
 "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json
index 6ccdfda7860d..eb5036f51901 100644
--- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json
@@ -84,7 +84,9 @@
 "rule.name": "iatisu",
 "service.type": "snort",
 "source.bytes": 4512,
- "source.ip": "10.38.77.13",
+ "source.ip": [
+ "10.38.77.13"
+ ],
 "source.port": 3971,
 "tags": [
 "forwarded",
@@ -233,7 +235,9 @@
 "rule.name": "doloremi",
 "service.type": "snort",
 "source.bytes": 651,
- "source.ip": "10.182.199.231",
+ "source.ip": [
+ "10.182.199.231"
+ ],
 "source.port": 4478,
 "tags": [
 "forwarded",
@@ -353,7 +357,9 @@
 "rsa.time.event_time_str": "May 22 14:30:33 2016 UTC",
 "rsa.time.month": "May",
 "service.type": "snort",
- "source.ip": "10.110.31.190",
+ "source.ip": [
+ "10.110.31.190"
+ ],
 "tags": [
 "forwarded",
 "snort.log"
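Review bot: Switching `saddr` and `saddr_v6` from `fld_set` to `fld_append` turns `source.ip` into an array on every event, including the single-address events in this commit's fixture hunks (`"source.ip": ["10.38.77.13"]`), and nothing in the hunk records why the field is now multi-valued. If the intent is that one message may carry both an IPv4 and an IPv6 source, a note beside the two entries, `// saddr/saddr_v6 both append: a message may carry an IPv4 and an IPv6 source address`, would stop the next reader from reverting it to `fld_set`. Consumers that matched `source.ip` as a scalar (dashboards, detection rules, or enrichment processors such as the one whose `var.internal_networks` option is removed from the docs in the preceding patch) should be checked against the new shape; Elasticsearch's `ip` mapping accepts arrays, but the JSON the pipeline emits changes. Whether `fld_append` deduplicates a repeated address is not visible here, and the `daddr`/`daddr_v6` entries are outside the hunk, so their setters should be confirmed to match. The enclosing `ecs_mappings` object starts and ends outside the hunk.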
@@ -845,7 +851,9 @@
 "rsa.time.month": "Dec",
 "service.type": "snort",
 "source.geo.country_name": "tur",
- "source.ip": "10.182.213.195",
+ "source.ip": [
+ "10.182.213.195"
+ ],
 "source.port": 7119,
 "tags": [
 "forwarded",
@@ -900,7 +908,9 @@
 "rule.name": "eriam",
 "service.type": "snort",
 "source.bytes": 3465,
- "source.ip": "10.210.180.142",
+ "source.ip": [
+ "10.210.180.142"
+ ],
 "source.port": 3015,
 "tags": [
 "forwarded",
@@ -969,7 +979,9 @@
 "rsa.time.day": "20",
 "rsa.time.month": "Jan",
 "service.type": "snort",
- "source.ip": "10.165.33.19",
+ "source.ip": [
+ "10.165.33.19"
+ ],
 "tags": [
 "forwarded",
 "snort.log"
@@ -1018,7 +1030,9 @@
 "rsa.time.event_time_str": "Feb 3 21:16:50 2017 UTC",
 "rsa.time.month": "Feb",
 "service.type": "snort",
- "source.ip": "10.52.190.18",
+ "source.ip": [
+ "10.52.190.18"
+ ],
 "source.port": 4411,
 "tags": [
 "forwarded",
@@ -1070,7 +1084,9 @@
 "rsa.time.event_time_str": "Feb 18 04:19:24 2017 UTC",
 "rsa.time.month": "Feb",
 "service.type": "snort",
- "source.ip": "10.68.233.163",
+ "source.ip": [
+ "10.68.233.163"
+ ],
 "tags": [
 "forwarded",
 "snort.log"
@@ -1219,7 +1235,9 @@
 "rsa.time.event_time_str": "Apr 16 08:29:41 2017 UTC",
 "rsa.time.month": "Apr",
 "service.type": "snort",
- "source.ip": "10.116.175.84",
+ "source.ip": [
+ "10.116.175.84"
+ ],
 "tags": [
 "forwarded",
 "snort.log"
@@ -1504,7 +1522,9 @@
 "rule.name": "emagnam",
 "service.type": "snort",
 "source.bytes": 1580,
- "source.ip": "10.240.144.78",
+ "source.ip": [
+ "10.240.144.78"
+ ],
 "source.port": 2998,
 "tags": [
 "forwarded",
@@ -1649,7 +1669,9 @@
 "rule.name": "temse",
 "service.type": "snort",
 "source.bytes": 470,
- "source.ip": "10.140.209.249",
+ "source.ip": [
+ "10.140.209.249"
+ ],
 "source.port": 1801,
 "tags": [
 "forwarded",
@@ -1734,7 +1756,9 @@
 "rsa.time.event_time_str": "Nov 2 11:05:41 2017 UTC",
 "rsa.time.month": "Nov",
 "service.type": "snort",
- "source.ip": "10.198.44.231",
+ "source.ip": [
+ "10.198.44.231"
+ ],
 "tags": [
 "forwarded",
 "snort.log"
@@ -1788,7 +1812,9 @@
 "rule.name": "ffici",
 "service.type": "snort",
 "source.bytes": 3273,
- "source.ip": "10.77.86.215",
+ "source.ip": [
+ "10.77.86.215"
+ ],
 "source.port": 5913,
 "tags": [
 "forwarded",
@@ -2113,7 +2139,9 @@
 "rsa.time.event_time_str": "Mar 25 09:31:24 2018 UTC",
 "rsa.time.month": "Mar",
 "service.type": "snort",
- "source.ip": "10.28.105.106",
+ "source.ip": [
+ "10.28.105.106"
+ ],
 "tags": [
 "forwarded",
 "snort.log"
@@ -2223,7 +2251,9 @@
 "rsa.time.day": "7",
 "rsa.time.month": "May",
 "service.type": "snort",
- "source.ip": "10.166.40.137",
+ "source.ip": [
+ "10.166.40.137"
+ ],
 "source.nat.ip": "10.65.144.119",
 "source.nat.port": 6233,
 "source.port": 5279,
@@ -2264,7 +2294,9 @@
 "rsa.time.day": "21",
 "rsa.time.month": "May",
 "service.type": "snort",
- "source.ip": "10.104.78.147",
+ "source.ip": [
+ "10.104.78.147"
+ ],
 "tags": [
 "forwarded",
 "snort.log"
@@ -2302,7 +2334,9 @@
 "rsa.time.day": "4",
 "rsa.time.month": "Jun",
 "service.type": "snort",
- "source.ip": "10.237.43.87",
+ "source.ip": [
+ "10.237.43.87"
+ ],
 "tags": [
 "forwarded",
 "snort.log"
@@ -2355,7 +2389,9 @@
 "rsa.time.month": "Jun",
 "service.type": "snort",
 "source.geo.country_name": "eos",
- "source.ip": "10.234.234.205",
+ "source.ip": [
+ "10.234.234.205"
+ ],
 "source.port": 5714,
 "tags": [
 "forwarded",
@@ -2440,7 +2476,9 @@
 "rule.name": "iconseq",
 "service.type": "snort",
 "source.bytes": 1259,
- "source.ip": "10.40.250.209",
+ "source.ip": [
+ "10.40.250.209"
+ ],
 "source.port": 3941,
 "tags": [
 "forwarded",
@@ -2512,7 +2550,9 @@
 "rsa.time.day": "15",
 "rsa.time.month": "Aug",
 "service.type": "snort",
- "source.ip": "10.198.202.72",
+ "source.ip": [
+ "10.198.202.72"
+ ],
 "tags": [
 "forwarded",
 "snort.log"
@@ -2566,7 +2606,9 @@
 "rsa.time.event_time_str": "Aug 29 14:59:40 2018 UTC",
 "rsa.time.month": "Aug",
 "service.type": "snort",
- "source.ip": "10.147.155.100",
+ "source.ip": [
+ "10.147.155.100"
+ ],
 "tags": [
 "forwarded",
 "snort.log"
@@ -2617,7 +2659,9 @@
 "rsa.time.event_time_str": "Sep 12 22:02:15 2018 UTC",
 "rsa.time.month": "Sep",
 "service.type": "snort",
- "source.ip": "10.4.147.70",
+ "source.ip": [
+ "10.4.147.70"
+ ],
 "source.port": 3210,
 "tags": [
 "forwarded",
@@ -2759,7 +2803,9 @@
 "rsa.time.day": "9",
 "rsa.time.month": "Nov",
 "service.type": "snort",
- "source.ip": "10.224.250.83",
+ "source.ip": [
+ "10.224.250.83"
+ ],
 "tags": [
 "forwarded",
 "snort.log"
@@ -2810,7 +2856,9 @@
 "rsa.time.month": "Nov",
 "service.type": "snort",
 "source.geo.country_name": "ipi",
- "source.ip": "10.38.22.60",
+ "source.ip": [
+ "10.38.22.60"
+ ],
 "source.port": 653,
 "tags": [
 "forwarded",
@@ -2865,7 +2913,9 @@
 "rule.name": "tlab",
 "service.type": "snort",
 "source.bytes": 42,
- "source.ip": "10.46.57.181",
+ "source.ip": [
+ "10.46.57.181"
+ ],
 "source.port": 3760,
 "tags": [
 "forwarded",
@@ -3020,7 +3070,9 @@
 "rule.name": "Secti",
 "service.type": "snort",
 "source.bytes": 4673,
- "source.ip": "10.107.144.80",
+ "source.ip": [
+ "10.107.144.80"
+ ],
 "source.port": 703,
 "tags": [
 "forwarded",
@@ -3126,7 +3178,9 @@
 "rsa.time.day": "17",
 "rsa.time.month": "Mar",
 "service.type": "snort",
- "source.ip": "10.198.207.31",
+ "source.ip": [
+ "10.198.207.31"
+ ],
 "source.port": 579,
 "tags": [
 "forwarded",
@@ -3388,7 +3442,9 @@
 "rule.name": "itsed",
 "service.type": "snort",
 "source.bytes": 2005,
- "source.ip": "10.154.87.98",
+ "source.ip": [
+ "10.154.87.98"
+ ],
 "source.port": 2632,
 "tags": [
 "forwarded",
@@ -3443,7 +3499,9 @@
 "rule.name": "dantiu",
 "service.type": "snort",
 "source.bytes": 4338,
- "source.ip": "10.35.59.140",
+ "source.ip": [
+ "10.35.59.140"
+ ],
 "source.port": 1832,
 "tags": [
 "forwarded",
@@ -3613,7 +3671,9 @@
 "rsa.time.day": "19",
 "rsa.time.month": "Sep",
 "service.type": "snort",
- "source.ip": "10.14.46.141",
+ "source.ip": [
+ "10.14.46.141"
+ ],
 "tags": [
 "forwarded",
 "snort.log"
@@ -3798,7 +3858,9 @@
 "rsa.time.day": "30",
 "rsa.time.month": "Nov",
 "service.type": "snort",
- "source.ip": "10.125.130.61",
+ "source.ip": [
+ "10.125.130.61"
+ ],
 "source.nat.ip": "10.32.195.34",
 "source.nat.port": 135,
 "source.port": 6154,
@@ -3839,7 +3901,9 @@
 "rsa.time.day": "14",
 "rsa.time.month": "Dec",
 "service.type": "snort",
- "source.ip": "10.188.88.133",
+ "source.ip": [
+ "10.188.88.133"
+ ],
 "tags": [
 "forwarded",
 "snort.log"