-
Notifications
You must be signed in to change notification settings - Fork 4.9k
/
pipeline.json
160 lines (160 loc) · 5.75 KB
/
pipeline.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
{
"description": "Pipeline for normalizing Zeek conn.log",
"processors": [
{
"set": {
"field": "event.created",
"value": "{{_ingest.timestamp}}"
}
},
{
"date": {
"field": "zeek.connection.ts",
"formats": ["UNIX"]
}
},
{
"remove": {
"field": "zeek.connection.ts"
}
},
{
"set": {
"field": "event.id",
"value": "{{zeek.session_id}}",
"if": "ctx.zeek.session_id != null"
}
},
{
"script": {
"source": "ctx.event.duration = Math.round(ctx.temp.duration * params.scale)",
"params": {
"scale": 1000000000
},
"if": "ctx.temp?.duration != null"
}
},
{
"remove": {
"field": "temp.duration",
"ignore_missing": true
}
},
{
"script": {
"source": "if (ctx.zeek.connection.local_orig) ctx.tags.add(\"local_orig\");",
"if": "ctx.zeek.connection.local_orig != null"
}
},
{
"script": {
"source": "if (ctx.zeek.connection.local_resp) ctx.tags.add(\"local_resp\");",
"if": "ctx.zeek.connection.local_resp != null"
}
},
{
"set": {
"field": "source.ip",
"value": "{{source.address}}"
}
},
{
"set": {
"field": "destination.ip",
"value": "{{destination.address}}"
}
},
{
"script": {
"source": "ctx.network.packets = ctx.source.packets + ctx.destination.packets",
"ignore_failure": true
}
},
{
"script": {
"source": "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes",
"ignore_failure": true
}
},
{
"script": {
"source": "if (ctx.zeek.connection.local_orig == true && ctx.zeek.connection.local_resp == true) {ctx.network.direction = \"internal\"} else if (ctx.zeek.connection.local_orig == true && ctx.zeek.connection.local_resp == false) {ctx.network.direction = \"outbound\"} else if (ctx.zeek.connection.local_orig == false && ctx.zeek.connection.local_resp == true) {ctx.network.direction = \"inbound\"} else {ctx.network.direction = \"external\"}"
}
},
{
"geoip": {
"field": "destination.ip",
"target_field": "destination.geo"
}
},
{
"geoip": {
"field": "source.ip",
"target_field": "source.geo"
}
},
{
"geoip": {
"database_file": "GeoLite2-ASN.mmdb",
"field": "source.ip",
"target_field": "source.as",
"properties": [
"asn",
"organization_name"
],
"ignore_missing": true
}
},
{
"geoip": {
"database_file": "GeoLite2-ASN.mmdb",
"field": "destination.ip",
"target_field": "destination.as",
"properties": [
"asn",
"organization_name"
],
"ignore_missing": true
}
},
{
"rename": {
"field": "source.as.asn",
"target_field": "source.as.number",
"ignore_missing": true
}
},
{
"rename": {
"field": "source.as.organization_name",
"target_field": "source.as.organization.name",
"ignore_missing": true
}
},
{
"rename": {
"field": "destination.as.asn",
"target_field": "destination.as.number",
"ignore_missing": true
}
},
{
"rename": {
"field": "destination.as.organization_name",
"target_field": "destination.as.organization.name",
"ignore_missing": true
}
},
{
"script": {
"source": "if (ctx.zeek.connection.state.code == \"S0\") {ctx.zeek.connection.state.msg = \"Connection attempt seen, no reply.\"} else if (ctx.zeek.connection.state.code == \"S1\") {ctx.zeek.connection.state.msg = \"Connection established, not terminated.\"} else if (ctx.zeek.connection.state.code == \"SF\") {ctx.zeek.connection.state.msg = \"Normal establishment and termination.\"} else if (ctx.zeek.connection.state.code == \"REJ\") {ctx.zeek.connection.state.msg = \"Connection attempt rejected.\"} else if (ctx.zeek.connection.state.code == \"S2\") {ctx.zeek.connection.state.msg = \" Connection established and close attempt by originator seen (but no reply from responder).\"} else if (ctx.zeek.connection.state.code == \"S3\") {ctx.zeek.connection.state.msg = \"Connection established and close attempt by responder seen (but no reply from originator).\"} else if (ctx.zeek.connection.state.code == \"RSTO\") {ctx.zeek.connection.state.msg = \"Connection established, originator aborted (sent a RST).\"} else if (ctx.zeek.connection.state.code == \"RSTR\") {ctx.zeek.connection.state.msg = \"Responder sent a RST.\"} else if (ctx.zeek.connection.state.code == \"RSTOS0\") {ctx.zeek.connection.state.msg = \"Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.\"} else if (ctx.zeek.connection.state.code == \"RSTRH\") {ctx.zeek.connection.state.msg = \"Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.\"} else if (ctx.zeek.connection.state.code == \"SH\") {ctx.zeek.connection.state.msg = \"Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open).\"} else if (ctx.zeek.connection.state.code == \"SHR\") {ctx.zeek.connection.state.msg = \"Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.\"} else if (ctx.zeek.connection.state.code == \"OTH\") {ctx.zeek.connection.state.msg = \"No SYN seen, just midstream traffic (a 'partial connection' that was not later closed).\"}"
}
}
],
"on_failure" : [{
"set" : {
"field" : "error.message",
"value" : "{{ _ingest.on_failure_message }}"
}
}]
}