From 515c1702b76e40689e068db107f7e528253eb528 Mon Sep 17 00:00:00 2001
From: SG
Date: Mon, 10 Oct 2022 13:32:24 -0600
Subject: [PATCH] add s7comm upload/download log support
---
 arkime/etc/config.ini | 13 ++
 arkime/wise/source.zeeklogs.js | 9 ++
 .../e76d05c0-eb9f-11e9-a384-0fcf32210194.json | 130 ++++++++++++++----
 .../composable/component/zeek_ot.json | 29 ++--
 logstash/maps/zeek_log_ecs_categories.yaml | 1 +
 logstash/pipelines/enrichment/11_lookups.conf | 3 +-
 logstash/pipelines/zeek/11_zeek_logs.conf | 41 ++++++
 .../pipelines/zeek/12_zeek_normalize.conf | 23 +++-
 8 files changed, 208 insertions(+), 41 deletions(-)
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
index 674264697..e4b5ee36a 100644
--- a/arkime/etc/config.ini
+++ b/arkime/etc/config.ini
@@ -1181,6 +1181,18 @@ zeek.s7comm_read_szl.szl_index=db:zeek.s7comm_read_szl.szl_index;group:zeek_s7co
 zeek.s7comm_read_szl.return_code=db:zeek.s7comm_read_szl.return_code;group:zeek_s7comm_read_szl;kind:termfield;friendly:Return Code;help:Return Code
 zeek.s7comm_read_szl.return_code_name=db:zeek.s7comm_read_szl.return_code_name;group:zeek_s7comm_read_szl;kind:termfield;friendly:Return Message;help:Return Message
+# s7comm_upload_download.log
+# https://github.com/cisagov/icsnpp-s7comm
+zeek.s7comm_upload_download.rosctr_name=db:zeek.s7comm_upload_download.rosctr_name;group:zeek_s7comm_upload_download;kind:termfield;friendly:Remote Operating Service Control Name;help:Remote Operating Service Control Name
+zeek.s7comm_upload_download.function_name=db:zeek.s7comm_upload_download.function_name;group:zeek_s7comm_upload_download;kind:termfield;friendly:Function Name;help:Function Name
+zeek.s7comm_upload_download.function_status=db:zeek.s7comm_upload_download.function_status;group:zeek_s7comm_upload_download;kind:termfield;friendly:Function Result;help:Function Result
+zeek.s7comm_upload_download.session_id=db:zeek.s7comm_upload_download.session_id;group:zeek_s7comm_upload_download;kind:integer;friendly:Session ID;help:Session ID
+zeek.s7comm_upload_download.blocklength=db:zeek.s7comm_upload_download.blocklength;group:zeek_s7comm_upload_download;kind:integer;friendly:Block Length;help:Block Length
+zeek.s7comm_upload_download.filename=db:zeek.s7comm_upload_download.filename;group:zeek_s7comm_upload_download;kind:termfield;friendly:File Name;help:File Name
+zeek.s7comm_upload_download.block_type=db:zeek.s7comm_upload_download.block_type;group:zeek_s7comm_upload_download;kind:termfield;friendly:Block Type;help:Block Type
+zeek.s7comm_upload_download.block_number=db:zeek.s7comm_upload_download.block_number;group:zeek_s7comm_upload_download;kind:termfield;friendly:Block Number;help::Block Number
+zeek.s7comm_upload_download.destination_filesystem=db:zeek.s7comm_upload_download.destination_filesystem;group:zeek_s7comm_upload_download;kind:termfield;friendly:Destination File System;help:Destination File System
+
 # signatures.log
 zeek.signatures.note=db:zeek.signatures.note;group:zeek_signatures;kind:termfield;friendly:Note;help:Note
 zeek.signatures.signature_id=db:zeek.signatures.signature_id;group:zeek_signatures;kind:termfield;friendly:Signature ID;help:Signature ID
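Review bot: The added `zeek.s7comm_upload_download.block_number` line carries a doubled colon in its help attribute, `help::Block Number`, so the help text would come out as `:Block Number` (or the attribute may not parse at all, depending on how Arkime splits `key:value` pairs — worth confirming); change it to `friendly:Block Number;help:Block Number` to match the other nine field lines in this hunk. The rest of the block mirrors the `s7comm_read_szl` definitions above it and looks consistent.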
@@ -2153,6 +2165,7 @@ zeek_rfb=require:zeek.rfb;title:Zeek rfb.log;fields:zeek.rfb.client_major_versio
 zeek_s7comm=require:zeek.s7comm;title:Zeek s7comm.log;fields:zeek.s7comm.rosctr_code,zeek.s7comm.rosctr_name,zeek.s7comm.pdu_reference,zeek.s7comm.function_code,zeek.s7comm.function_name,zeek.s7comm.subfunction_code,zeek.s7comm.subfunction_name,zeek.s7comm.error_class,zeek.s7comm.error_code
 zeek_s7comm_plus=require:zeek.s7comm_plus;title:Zeek s7comm_plus.log;fields:zeek.s7comm_plus.version,zeek.s7comm_plus.opcode,zeek.s7comm_plus.opcode_name,zeek.s7comm_plus.function_code,zeek.s7comm_plus.function_name
 zeek_s7comm_read_szl=require:zeek.s7comm_read_szl;title:Zeek s7comm_read_szl.log;fields:zeek.s7comm.pdu_reference,zeek.s7comm_read_szl.method,zeek.s7comm_read_szl.szl_id,zeek.s7comm_read_szl.szl_id_name,zeek.s7comm_read_szl.szl_index,zeek.s7comm_read_szl.return_code,zeek.s7comm_read_szl.return_code_name
+zeek_s7comm_upload_download=require:zeek.s7comm_upload_download;title:Zeek s7comm_upload_download.log;fields:zeek.s7comm_upload_download.rosctr_name,zeek.s7comm.pdu_reference,zeek.s7comm_upload_download.function_name,zeek.s7comm_upload_download.function_status,zeek.s7comm_upload_download.session_id,zeek.s7comm_upload_download.blocklength,zeek.s7comm_upload_download.filename,zeek.s7comm_upload_download.block_type,zeek.s7comm_upload_download.block_number,zeek.s7comm_upload_download.destination_filesystem
 zeek_signatures=require:zeek.signatures;title:Zeek signatures.log;fields:event.module,rule.category,rule.name,vulnerability.category,vulnerability.enumeration,vulnerability.id,zeek.signatures.sub_message,zeek.signatures.signature_count,zeek.signatures.host_count
 zeek_sip=require:zeek.sip;title:Zeek sip.log;fields:zeek.sip.trans_depth,zeek.sip.method,zeek.sip.uri,zeek.sip.date,zeek.sip.request_from,zeek.sip.request_to,zeek.sip.response_from,zeek.sip.response_to,zeek.sip.reply_to,zeek.sip.call_id,zeek.sip.seq,zeek.sip.subject,zeek.sip.request_path,zeek.sip.response_path,zeek.sip.user_agent,zeek.sip.status_code,zeek.sip.status_msg,zeek.sip.warning,zeek.sip.request_body_len,zeek.sip.response_body_len,zeek.sip.content_type,zeek.sip.version
 zeek_smb_cmd=require:zeek.smb_cmd;title:Zeek smb_cmd.log;fields:zeek.smb_cmd.command,zeek.smb_cmd.sub_command,zeek.smb_cmd.argument,zeek.smb_cmd.status,zeek.smb_cmd.rtt,zeek.smb_cmd.version,zeek.smb_cmd.user,zeek.smb_cmd.tree,zeek.smb_cmd.tree_service
diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
index 0d4be5c13..b495c2ee0 100644
--- a/arkime/wise/source.zeeklogs.js
+++ b/arkime/wise/source.zeeklogs.js
@@ -1564,6 +1564,15 @@ class MalcolmSource extends WISESource {
 "zeek.s7comm_read_szl.szl_id",
 "zeek.s7comm_read_szl.szl_id_name",
 "zeek.s7comm_read_szl.szl_index",
+ "zeek.s7comm_upload_download.block_number",
+ "zeek.s7comm_upload_download.block_type",
+ "zeek.s7comm_upload_download.blocklength",
+ "zeek.s7comm_upload_download.destination_filesystem",
+ "zeek.s7comm_upload_download.filename",
+ "zeek.s7comm_upload_download.function_name",
+ "zeek.s7comm_upload_download.function_status",
+ "zeek.s7comm_upload_download.rosctr_name",
+ "zeek.s7comm_upload_download.session_id",
 "zeek.signatures.event_message",
 "zeek.signatures.hits.Capa",
 "zeek.signatures.hits.ClamAV",
diff --git a/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json b/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json
index 1df551a6c..0b2177eea 100644
--- a/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json
+++ b/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json
@@ -1,5 +1,5 @@
 {
- "version": "2.1.0",
+ "version": "2.3.0",
 "objects": [
 {
 "id": "e76d05c0-eb9f-11e9-a384-0fcf32210194",
@@ -7,18 +7,18 @@ "namespaces": [ "default" ], - "updated_at": "2022-08-10T15:34:25.353Z", - "version": "Wzg5OCwxXQ==", + "updated_at": "2022-10-10T19:24:43.925Z", + "version": "WzkwNiwxXQ==", "attributes": { "title": "S7comm / S7comm Plus", "hits": 0, "description": "", - "panelsJSON": "[{\"version\":\"2.1.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":31,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":20,\"i\":\"5716abc8-3472-485a-9fd9-492f775cc371\"},\"panelIndex\":\"5716abc8-3472-485a-9fd9-492f775cc371\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":20,\"i\":\"2a9754ed-092c-4afd-9712-203f13d1c369\"},\"panelIndex\":\"2a9754ed-092c-4afd-9712-203f13d1c369\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":8,\"y\":20,\"w\":18,\"h\":36,\"i\":\"13aac6f7-d251-4845-b5b6-3c1515132504\"},\"panelIndex\":\"13aac6f7-d251-4845-b5b6-3c1515132504\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":26,\"y\":20,\"w\":10,\"h\":18,\"i\":\"82ee0b2b-60d0-4271-9d3e-acbd5366e660\"},\"panelIndex\":\"82ee0b2b-60d0-4271-9d3e-acbd5366e660\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":36,\"y\":20,\"w\":12,\"h\":18,\"i\":\"4b9b201e-4f7c-4e17-a3a8-308fe4ec25e9\"},\"panelIndex\":\"4b9b201e-4f7c-4e17-a3a8-308fe4ec25e9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":0,\"y\":31,\"w\":8,\"h\":16,\"i\":\"a8447ab6-5810-43a6-a42c-97b6776203c0\"},\"panelIndex\":\"a8447ab6-5810-43a6-a42c-97b6776203c0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":26,\"y\":38,\"w\":22,\"h\":18,\"i\":\"4ed75bae-60f2-478f-b1d7-3954019d6340\"},\"panelIndex\":\"4ed75bae-60f2-478f-b1d7-3954019d634
0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":32,\"i\":\"edae9dd1-a37e-420d-9154-7841a8c62098\"},\"panelIndex\":\"edae9dd1-a37e-420d-9154-7841a8c62098\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]", + "panelsJSON": "[{\"version\":\"2.3.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":37,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.3.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":20,\"i\":\"5716abc8-3472-485a-9fd9-492f775cc371\"},\"panelIndex\":\"5716abc8-3472-485a-9fd9-492f775cc371\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.3.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":20,\"i\":\"2a9754ed-092c-4afd-9712-203f13d1c369\"},\"panelIndex\":\"2a9754ed-092c-4afd-9712-203f13d1c369\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"2.3.0\",\"gridData\":{\"x\":8,\"y\":20,\"w\":13,\"h\":34,\"i\":\"13aac6f7-d251-4845-b5b6-3c1515132504\"},\"panelIndex\":\"13aac6f7-d251-4845-b5b6-3c1515132504\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.3.0\",\"gridData\":{\"x\":21,\"y\":20,\"w\":13,\"h\":17,\"i\":\"82ee0b2b-60d0-4271-9d3e-acbd5366e660\"},\"panelIndex\":\"82ee0b2b-60d0-4271-9d3e-acbd5366e660\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.3.0\",\"gridData\":{\"x\":34,\"y\":20,\"w\":14,\"h\":17,\"i\":\"4b9b201e-4f7c-4e17-a3a8-308fe4ec25e9\"},\"panelIndex\":\"4b9b201e-4f7c-4e17-a3a8-308fe4ec25e9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.3.0\",\"gridData\":{\"x\":0,\"y\":37,\"w\":8,\"h\":17,\"i\":\"a8447ab6-5810-43a6-a42c-97b6776203c0\"},\"panelIndex\":\"a8447ab6-5810-43a6-a42c-97b6776203c0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.3.0\",\"gridData\":{\"x\":21,\"y\":37,\"w\":13,\"h\":17,\"i\":\"7355f72d-16de-45d9-846d-4e1e9f35f897\"},\"panelIndex\":\"7355f72d-16de-45
d9-846d-4e1e9f35f897\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.3.0\",\"gridData\":{\"x\":34,\"y\":37,\"w\":14,\"h\":17,\"i\":\"4ed75bae-60f2-478f-b1d7-3954019d6340\"},\"panelIndex\":\"4ed75bae-60f2-478f-b1d7-3954019d6340\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"},{\"version\":\"2.3.0\",\"gridData\":{\"x\":0,\"y\":54,\"w\":48,\"h\":32,\"i\":\"edae9dd1-a37e-420d-9154-7841a8c62098\"},\"panelIndex\":\"edae9dd1-a37e-420d-9154-7841a8c62098\",\"embeddableConfig\":{},\"panelRefName\":\"panel_9\"}]", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" } }, "references": [ @@ -60,10 +60,15 @@ { "name": "panel_7", "type": "visualization", - "id": "39091f40-18c0-11ed-9abd-97fb0b4c6d6c" + "id": "c1a225a0-48d0-11ed-ac36-efb71d661952" }, { "name": "panel_8", + "type": "visualization", + "id": "39091f40-18c0-11ed-9abd-97fb0b4c6d6c" + }, + { + "name": "panel_9", "type": "search", "id": "a827b610-18b7-11ed-9815-dd8187ffaa35" } 
@@ -78,8 +83,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-08-10T15:11:15.749Z", - "version": "WzgwMiwxXQ==", + "updated_at": "2022-10-10T18:59:19.274Z", + "version": "WzgwMSwxXQ==", "attributes": { "title": "Network Logs", "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[↪ Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) ● [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) ● [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) ● [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / 
[TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) ● [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) ● [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) ● [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) ● [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) ● [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) ● [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) ● [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) ● [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) ● [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) ● [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) ● [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) ● [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) ● [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) ● [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) ● [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) ● [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) ● [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) ● [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) ● [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) ● [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) ● [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) ● [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS 
RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) ● [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) ● [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) ● [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) ● [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) ● [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) ● [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) ● [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) ● [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) ● [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) ● [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) ● [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) ● [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", 
@@ -101,8 +106,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-08-10T15:11:09.705Z", - "version": "Wzc0NCwxXQ==", + "updated_at": "2022-10-10T18:59:13.093Z", + "version": "Wzc0MiwxXQ==", "attributes": { "title": "S7comm - Log Count", "visState": "{\"title\":\"S7comm - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}}}", 
@@ -131,8 +136,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-08-10T15:11:09.705Z", - "version": "Wzc0NSwxXQ==", + "updated_at": "2022-10-10T18:59:13.093Z", + "version": "Wzc0MywxXQ==", "attributes": { "title": "S7comm - Logs Over Time", "visState": "{\"title\":\"S7comm - Logs Over Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", 
@@ -161,8 +166,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-08-10T15:23:15.472Z", - "version": "Wzg5MSwxXQ==", + "updated_at": "2022-10-10T18:59:13.093Z", + "version": "Wzc0NCwxXQ==", "attributes": { "title": "S7comm Operations", "visState": "{\"title\":\"S7comm Operations\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":25,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", 
@@ -191,8 +196,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-08-10T15:28:09.832Z", - "version": "Wzg5NCwxXQ==", + "updated_at": "2022-10-10T18:59:13.093Z", + "version": "Wzc0NSwxXQ==", "attributes": { "title": "S7comm Source IP", "visState": "{\"title\":\"S7comm Source IP\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", 
@@ -221,8 +226,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-08-10T15:31:25.316Z", - "version": "Wzg5NSwxXQ==", + "updated_at": "2022-10-10T18:59:13.093Z", + "version": "Wzc0NiwxXQ==", "attributes": { "title": "S7comm Destination IP", "visState": "{\"title\":\"S7comm Destination IP\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", 
@@ -251,8 +256,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-08-10T15:32:42.356Z", - "version": "Wzg5NiwxXQ==", + "updated_at": "2022-10-10T18:59:13.093Z", + "version": "Wzc0NywxXQ==", "attributes": { "title": "S7comm Plus Version", "visState": "{\"title\":\"S7comm Plus Version\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Version\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", 
@@ -275,14 +280,44 @@ "visualization": "7.10.0" } }, + { + "id": "c1a225a0-48d0-11ed-ac36-efb71d661952", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2022-10-10T19:21:35.736Z", + "version": "WzkwNSwxXQ==", + "attributes": { + "title": "S7comm - Upload/Download File Names", + "visState": "{\"title\":\"S7comm - Upload/Download File Names\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"file.path\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"\",\"customLabel\":\"File Name\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.s7comm_upload_download.destination_filesystem\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Destination Filesystem\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "cb95dda0-48cf-11ed-ac36-efb71d661952" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, { "id": "39091f40-18c0-11ed-9abd-97fb0b4c6d6c", "type": "visualization", "namespaces": [ "default" ], - "updated_at": "2022-08-10T15:22:18.804Z", - "version": "Wzg5MCwxXQ==", + 
"updated_at": "2022-10-10T18:59:13.093Z", + "version": "Wzc0OCwxXQ==", "attributes": { "title": "S7comm Read-SZL", "visState": "{\"title\":\"S7comm Read-SZL\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.s7comm_read_szl.szl_index\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"SZL Index\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", @@ -311,8 +346,8 @@ "namespaces": [ "default" ], - "updated_at": "2022-08-10T15:11:09.705Z", - "version": "Wzc0OCwxXQ==", + "updated_at": "2022-10-10T18:59:13.093Z", + "version": "Wzc0OSwxXQ==", "attributes": { "title": "S7comm and Related - Logs", "description": "", @@ -353,7 +388,7 @@ "namespaces": [ "default" ], - "updated_at": "2022-08-10T15:11:09.705Z", + "updated_at": "2022-10-10T18:59:13.093Z", "version": "Wzc1MCwxXQ==", "attributes": { "title": "S7comm Plus - Logs", 
@@ -387,14 +422,55 @@ "search": "7.9.3" } }, + { + "id": "cb95dda0-48cf-11ed-ac36-efb71d661952", + "type": "search", + "namespaces": [ + "default" + ], + "updated_at": "2022-10-10T19:14:42.936Z", + "version": "WzkwMywxXQ==", + "attributes": { + "title": "S7comm Upload/Download - Logs", + "description": "", + "hits": 0, + "columns": [ + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "event.action", + "event.result", + "zeek.s7comm_upload_download.block_type", + "file.path", + "zeek.s7comm_upload_download.destination_filesystem", + "zeek.uid" + ], + "sort": [], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:s7comm_upload_download\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "search": "7.9.3" + } + }, { "id": "aa66bb80-18b5-11ed-9815-dd8187ffaa35", "type": "search", "namespaces": [ "default" ], - "updated_at": "2022-08-10T15:11:09.705Z", - "version": "Wzc0OSwxXQ==", + "updated_at": "2022-10-10T18:59:13.093Z", + "version": "Wzc1MSwxXQ==", "attributes": { "title": "S7comm Read-SZL - Logs", "description": "", diff --git a/dashboards/templates/composable/component/zeek_ot.json b/dashboards/templates/composable/component/zeek_ot.json index 920c020e1..8942c312d 100644 --- a/dashboards/templates/composable/component/zeek_ot.json +++ b/dashboards/templates/composable/component/zeek_ot.json 
@@ -512,26 +512,35 @@
 "zeek.profinet_dce_rpc.packet_type": { "type": "keyword" },
 "zeek.profinet_dce_rpc.server_boot_time": { "type": "integer" },
 "zeek.profinet_dce_rpc.version": { "type": "integer" },
- "zeek.s7comm.rosctr_code": { "type": "integer" },
- "zeek.s7comm.rosctr_name": { "type": "keyword" },
- "zeek.s7comm.pdu_reference": { "type": "integer" },
+ "zeek.s7comm.error_class": { "type": "keyword" },
+ "zeek.s7comm.error_code": { "type": "keyword" },
 "zeek.s7comm.function_code": { "type": "keyword" },
 "zeek.s7comm.function_name": { "type": "keyword" },
+ "zeek.s7comm.pdu_reference": { "type": "integer" },
+ "zeek.s7comm.rosctr_code": { "type": "integer" },
+ "zeek.s7comm.rosctr_name": { "type": "keyword" },
 "zeek.s7comm.subfunction_code": { "type": "keyword" },
 "zeek.s7comm.subfunction_name": { "type": "keyword" },
- "zeek.s7comm.error_class": { "type": "keyword" },
- "zeek.s7comm.error_code": { "type": "keyword" },
- "zeek.s7comm_plus.version": { "type": "integer" },
- "zeek.s7comm_plus.opcode": { "type": "keyword" },
- "zeek.s7comm_plus.opcode_name": { "type": "keyword" },
 "zeek.s7comm_plus.function_code": { "type": "keyword" },
 "zeek.s7comm_plus.function_name": { "type": "keyword" },
+ "zeek.s7comm_plus.opcode": { "type": "keyword" },
+ "zeek.s7comm_plus.opcode_name": { "type": "keyword" },
+ "zeek.s7comm_plus.version": { "type": "integer" },
 "zeek.s7comm_read_szl.method": { "type": "keyword"},
+ "zeek.s7comm_read_szl.return_code": { "type": "keyword"},
+ "zeek.s7comm_read_szl.return_code_name": { "type": "keyword"},
 "zeek.s7comm_read_szl.szl_id": { "type": "keyword"},
 "zeek.s7comm_read_szl.szl_id_name": { "type": "keyword"},
 "zeek.s7comm_read_szl.szl_index": { "type": "keyword"},
- "zeek.s7comm_read_szl.return_code": { "type": "keyword"},
- "zeek.s7comm_read_szl.return_code_name": { "type": "keyword"}
+ "zeek.s7comm_upload_download.block_number": { "type": "keyword"},
+ "zeek.s7comm_upload_download.block_type": { "type": "keyword"},
+ "zeek.s7comm_upload_download.blocklength": { "type": "integer"},
+ "zeek.s7comm_upload_download.destination_filesystem": { "type": "keyword"},
+ "zeek.s7comm_upload_download.filename": { "type": "keyword"},
+ "zeek.s7comm_upload_download.function_name": { "type": "keyword"},
+ "zeek.s7comm_upload_download.function_status": { "type": "keyword"},
+ "zeek.s7comm_upload_download.rosctr_name": { "type": "keyword"},
+ "zeek.s7comm_upload_download.session_id": { "type": "long"}
 }
 }
 }
diff --git a/logstash/maps/zeek_log_ecs_categories.yaml b/logstash/maps/zeek_log_ecs_categories.yaml
index a857e8e6e..5c9cdcf55 100644
--- a/logstash/maps/zeek_log_ecs_categories.yaml
+++ b/logstash/maps/zeek_log_ecs_categories.yaml
@@ -66,6 +66,7 @@
 "s7comm": ["ot", "network"]
 "s7comm_plus": ["ot", "network"]
 "s7comm_read_szl": ["ot", "network"]
+"s7comm_upload_download": ["ot", "network"]
 "signatures": ["malware", "intrusion_detection", "network"]
 "sip": ["network"]
 "smb_cmd": ["network"]
diff --git a/logstash/pipelines/enrichment/11_lookups.conf b/logstash/pipelines/enrichment/11_lookups.conf
index b2f2d7dff..8a12e0e04 100644
--- a/logstash/pipelines/enrichment/11_lookups.conf
+++ b/logstash/pipelines/enrichment/11_lookups.conf
@@ -499,8 +499,7 @@ filter {
 ("profinet" in [network][protocol]) or
 ("profinet_dce_rpc" in [network][protocol]) or
 ("s7comm" in [network][protocol]) or
- ("s7comm_plus" in [network][protocol]) or
- ("s7comm_read_szl" in [network][protocol])) {
+ ("s7comm_plus" in [network][protocol])) {
 mutate { id => "mutate_add_tag_ics_from_network_protocol"
 add_tag => [ "ics" ]
 }
diff --git a/logstash/pipelines/zeek/11_zeek_logs.conf b/logstash/pipelines/zeek/11_zeek_logs.conf
index 8dab967d9..66eada60d 100644
--- a/logstash/pipelines/zeek/11_zeek_logs.conf
+++ b/logstash/pipelines/zeek/11_zeek_logs.conf
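Review bot: Dropping `("s7comm_read_szl" in [network][protocol])` from the ics-tagging condition is only behaviour-neutral if no event ever carries that literal value: Logstash's `in` is a substring test on a string field, so `"s7comm" in [network][protocol]` would still match, but on an array-valued field it is exact membership and the `ics` tag would silently stop being added. The zeek pipeline in this same patch tags its s7comm logs `ics` itself and sets `service` to `s7comm`, so the removal is presumably intentional for zeek-sourced events, but this enrichment pipeline also sees non-zeek sources and nothing here says why only the base names are listed. A one-line comment on the condition would keep the next reader from "fixing" it, e.g. `# s7comm_read_szl / s7comm_upload_download are tagged ics in the zeek pipeline (service is s7comm), so only the base protocol names are listed here`. The enclosing `if` condition starts outside the hunk.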
@@ -3447,6 +3447,40 @@ filter { add_tag => [ "ics" ] } + } else if ([log_source] == "s7comm_upload_download") { + ############################################################################################################################# + # s7comm_upload_download.log + # https://github.com/cisagov/icsnpp-s7comm + + dissect { + id => "dissect_zeek_s7comm_upload_download" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_name]} %{[zeek_cols][function_status]} %{[zeek_cols][session_id]} %{[zeek_cols][blocklength]} %{[zeek_cols][filename]} %{[zeek_cols][block_type]} %{[zeek_cols][block_number]} %{[zeek_cols][destination_filesystem]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_s7comm_upload_download" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_s7comm_upload_download" + init => "$zeek_s7comm_upload_download_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr_name', 'pdu_reference', 'function_name', 'function_status', 'session_id', 'blocklength', 'filename', 'block_type', 'block_number', 'destination_filesystem' ]" + code => "event.set('[zeek_cols]', $zeek_s7comm_upload_download_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_s7comm_upload_download" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "s7comm" + } + add_tag => [ "ics" ] + } + } else if ([log_source] == "signatures") { ############################################################################################################################# # signatures.log 
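Review bot: The sixteen-column schema is written out twice in this block, once as the `dissect` mapping and again as the `ruby` `init` array, and nothing ties the two copies to each other or to the upstream log definition, so a column added to icsnpp-s7comm's `s7comm_upload_download.log` would make the primary path fail and the fallback path silently shift every field by one. A comment above `dissect` such as `# column order must match icsnpp-s7comm's s7comm_upload_download.log AND the field list in ruby_zip_zeek_s7comm_upload_download below` would at least make that coupling visible at the point of edit. It is also worth noting in the same comment that `filename`, `block_type` and `block_number` are untrusted strings taken straight from the wire (the `filename` later lands in `file.path`), which is fine for a log field but a caveat for anything that later interpolates them. The enclosing `if`/`else if` chain starts and ends outside the hunk.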
@@ -5717,6 +5751,13 @@ filter { mutate { id => "mutate_rename_zeek_s7comm_read_szl_pdu_reference" rename => { "[zeek][s7comm_read_szl][pdu_reference]" => "[zeek][s7comm][pdu_reference]" } } + } else if ([log_source] == "s7comm_upload_download") { + ############################################################################################################################# + # s7comm_upload_download.log specific logic + + # so we can link s7comm and s7comm_upload_download by this field + mutate { id => "mutate_rename_zeek_s7comm_upload_download_pdu_reference" + rename => { "[zeek][s7comm_upload_download][pdu_reference]" => "[zeek][s7comm][pdu_reference]" } } } else if ([log_source] == "signatures") { ############################################################################################################################# diff --git a/logstash/pipelines/zeek/12_zeek_normalize.conf b/logstash/pipelines/zeek/12_zeek_normalize.conf index 125d3a264..2f1c78fca 100644 --- a/logstash/pipelines/zeek/12_zeek_normalize.conf +++ b/logstash/pipelines/zeek/12_zeek_normalize.conf @@ -438,6 +438,19 @@ filter { merge => { "[event][action]" => "[@metadata][s7comm_read_szl_action]" } } } + if ([zeek][s7comm_upload_download]) { + ruby { + # action = rosctr_name:function_name + id => "ruby_zeek_s7comm_upload_download_generate_action" + code => " + actions = Array.new unless (actions = event.get('[event][action]')) + action = [event.get('[zeek][s7comm_upload_download][rosctr_name]'), + event.get('[zeek][s7comm_upload_download][function_name]')].reject{ |e| e.nil? || e&.empty? }.join(':') + actions.append(action) unless action.nil? || action&.empty? + event.set('[event][action]', actions)" + } + } + if ([zeek][sip][method]) { mutate { id => "mutate_merge_normalize_zeek_sip_method" merge => { "[event][action]" => "[zeek][sip][method]" } } } 
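Review bot: `actions.append(action)` in `ruby_zeek_s7comm_upload_download_generate_action` raises `NoMethodError` whenever `[event][action]` already holds a plain string instead of an array, because the guard on the previous line only substitutes `Array.new` when the field is nil or false, and Ruby's `String` has no `append`; the filter would then tag the event `_rubyexception` and the action would be lost. `actions = Array(event.get('[event][action]'))` handles nil, a single string and an existing array uniformly. Since `action` is the result of `join` it can never be nil, so `unless action.empty?` is the whole condition. The sibling read-SZL block directly above uses `mutate { merge => ... }` from a `[@metadata]` field for the same purpose, and `merge` already promotes a string field to an array, so computing the joined name into `[@metadata]` and merging it would also sidestep the problem; the enclosing `filter {}` starts and ends outside the hunk.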
@@ -890,6 +903,9 @@ filter { } } + if ([zeek][s7comm_upload_download][function_status]) { mutate { id => "mutate_merge_normalize_zeek_s7comm_upload_download_function_status" + merge => { "[event][result]" => "[zeek][s7comm_upload_download][function_status]" } } } + if ([zeek][sip][status_code]) { # normalized version of sip reply code (status_msg may be unpredictable) translate { @@ -1175,8 +1191,11 @@ filter { if ([zeek][http][resp_filenames]) { mutate { id => "mutate_merge_normalize_zeek_http_resp_filenames" merge => { "[file][path]" => "[zeek][http][resp_filenames]" } } } - if ([zeek][irc][dcc_file_name]) { mutate { id => "mutate_merge_normalize_zeek_irc_dcc_file_name" - merge => { "[file][path]" => "[zeek][irc][dcc_file_name]" } } } + if ([zeek][s7comm_upload_download][filename]) { mutate { id => "mutate_merge_normalize_zeek_s7comm_upload_download_filename" + merge => { "[file][path]" => "[zeek][s7comm_upload_download][filename]" } } } + + if ([zeek][tftp][fname]) { mutate { id => "mutate_merge_normalize_zeek_tftp_fname" + merge => { "[file][path]" => "[zeek][tftp][fname]" } } } if ([zeek][tftp][fname]) { mutate { id => "mutate_merge_normalize_zeek_tftp_fname" merge => { "[file][path]" => "[zeek][tftp][fname]" } } }
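Review bot: IRC DCC filenames stop reaching `file.path` after this hunk, and the plugin id `mutate_merge_normalize_zeek_tftp_fname` ends up declared twice: the `irc.dcc_file_name` merge is removed while the `tftp.fname` block is added immediately above an identical copy that is still present as context. Nothing else in the patch touches IRC or TFTP, so this reads as a merge or copy-paste accident rather than intent, and a duplicated plugin id is something Logstash rejects at pipeline compile time in recent versions (at best the second filter is dead weight). Restore the two removed lines `if ([zeek][irc][dcc_file_name]) { mutate { id => "mutate_merge_normalize_zeek_irc_dcc_file_name"` / `merge => { "[file][path]" => "[zeek][irc][dcc_file_name]" } } }` and drop the added tftp pair, keeping only the new s7comm_upload_download merge. The enclosing `filter {}` starts and ends outside the hunk.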