From 7be8ada011f7b038f27a8e428156c7e70dc8f880 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Mon, 21 Nov 2022 09:03:12 -0700
Subject: [PATCH] Fix idaholab/Malcolm#126, suricata logs show up in Arkime as 'notip' for protocol

---
 .../pipelines/suricata/11_suricata_logs.conf | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/logstash/pipelines/suricata/11_suricata_logs.conf b/logstash/pipelines/suricata/11_suricata_logs.conf
index 6ba71c6fe..6fbd8b175 100644
--- a/logstash/pipelines/suricata/11_suricata_logs.conf
+++ b/logstash/pipelines/suricata/11_suricata_logs.conf
@@ -110,7 +110,7 @@ filter {
 rename => { "[suricata][dest_port]" => "[destination][port]" }
 rename => { "[suricata][src_ip]" => "[source][ip]" }
 rename => { "[suricata][src_port]" => "[source][port]" }
- rename => { "[suricata][proto]" => "[ipProtocol]" }
+ rename => { "[suricata][proto]" => "[network][transport]" }
 rename => { "[suricata][event_type]" => "[event][dataset]" }
 rename => { "[suricata][vlan]" => "[network][vlan][id]" }
 }
@@ -119,21 +119,23 @@ filter {
 # network protocol stuff
 
 # transport protocol (e.g., udp, tcp, etc.)
- if ([ipProtocol]) {
+ if ([network][transport]) {
+ mutate { id => "mutate_lowercase_suricata_network_transport"
+ lowercase => [ "[network][transport]" ] }
 translate {
 id => "translate_suricata_proto"
- source => "[ipProtocol]"
- target => "[network][transport]"
- dictionary_path => "/etc/ip_protocol_number_to_name.yaml"
+ source => "[network][transport]"
+ target => "[ipProtocol]"
+ dictionary_path => "/etc/ip_protocol_name_to_number.yaml"
 }
+ mutate { id => "mutate_merge_suricata_proto"
+ merge => { "[protocol]" => "[network][transport]" } }
+ }
+ if ([ipProtocol]) {
 # ECS - ipProtocol -> network.iana_number
 mutate { id => "mutate_add_field_suricata_ecs_network_iana_number"
 add_field => { "[network][iana_number]" => "%{[ipProtocol]}" } }
 }
- if ([network][transport]) {
- mutate { id => "mutate_merge_suricata_proto"
- merge => { "[protocol]" => "[network][transport]" } }
- }
 
 # network (application) protocol
 if ([suricata][app_proto_orig]) {
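Review bot: The `[protocol]` merge now runs for every event that carries `[network][transport]`, whereas before this change it was effectively guarded on a successful `translate` (the old `if ([network][transport])` only held once the number-to-name lookup had populated that field), so a Suricata proto string that `/etc/ip_protocol_name_to_number.yaml` does not know is still merged into `[protocol]` and only leaves `[ipProtocol]` unset. If that is intended, a comment such as `# [protocol] gets the raw (lowercased) Suricata proto even when no IANA number is found` would help the next reader; if not, the merge belongs under the later `if ([ipProtocol])` check. The diffstat shows only this file changing, so the name-to-number YAML must already be shipped by the image — I believe `translate` refuses to start the pipeline when `dictionary_path` is missing, which is worth confirming. The enclosing `filter { ... }` block starts and ends outside the hunk.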