
work on idaholab#19, use more friendly labels
mmguero committed Aug 20, 2021
1 parent 6a44943 commit 12baf85
Showing 2 changed files with 57 additions and 56 deletions.
57 changes: 29 additions & 28 deletions logstash/maps/malcolm_severity.yaml
@@ -1,28 +1,29 @@
"CONNECTION_CROSS_SEGMENT": 20
"CONNECTION_EXTERNAL": 20
"CONNECTION_INBOUND": 50
"CONNECTION_INTERNAL": 0
"CONNECTION_OUTBOUND": 20
"CONNECTION_TUNNEL": 10
"CONNECTION_VPN": 30
"CONNECTION_SIZE": 20
"CONNECTION_DURATION": 20
"QUESTIONABLE_COUNTRY": 40
"DOMAIN_HIGH_ENTROPY": 0
"FILE_TYPE": 0
"FILE_TYPE_HIGH": 75
"FILE_TYPE_MEDIUM": 50
"NOTICE_MITRE_ATTACK": 80
"NOTICE_OTHER": 60
"NOTICE_PROTOCOL": 60
"NOTICE_SCAN": 60
"NOTICE_VULN": 90
"PASSWORD_CLEARTEXT": 90
"PROTOCOL_OUTDATED_OR_INSECURE": 60
"SIGNATURES_CAPA": 50
"SIGNATURES_CLAMAV": 90
"SIGNATURES_MALASS": 90
"SIGNATURES_OTHER": 75
"SIGNATURES_VIRUSTOTAL": 90
"SIGNATURES_YARA": 90
"WEIRD_OTHER": 30
# keys should match the event.severity_tags values set in 19_severity.conf
"Cross-segment traffic": 20
"External traffic": 20
"Inbound traffic": 50
"Internal traffic": 0
"Outbound traffic": 20
"Tunneled traffic": 10
"VPN traffic": 30
"High volume connection": 20
"Long connection": 20
"Country of concern": 40
"High entropy domain": 0
"File transfer": 0
"File transfer (high concern)": 75
"File transfer (medium concern)": 50
"MITRE ATT&CK framework technique": 80
"Notice (other)": 60
"Notice (protocol)": 60
"Notice (scan)": 60
"Notice (vulnerability)": 90
"Cleartext password": 90
"Insecure or outdated protocol": 60
"File scan (capa)": 50
"File scan (ClamAV)": 90
"File scan (Malass)": 90
"Signature": 75
"File scan (VirusTotal)": 90
"File scan (YARA)": 90
"Weird": 30
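Review bot: `"Signature": 75` breaks the naming pattern of its neighbours — the other five engines use `"File scan (<engine>)"`, and the branch that emits it in 19_severity.conf is the catch-all for any `[zeek_signatures][engine]` value not listed, so `"File scan (other)": 75` (with the same string in the conf's else branch) would read consistently. The new labels also contain spaces, parentheses and an ampersand, which makes a copy-paste mismatch between the two files easier to miss than with the old identifiers, and nothing on this page validates the pairing; the header comment could say so explicitly, e.g. `# keys must match, character for character, the event.severity_tags labels set in 19_severity.conf`. The placement of the catch-all between the Malass and VirusTotal entries, while the conf handles it last, is a minor ordering nit.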
56 changes: 28 additions & 28 deletions logstash/pipelines/enrichment/19_severity.conf
Expand Up @@ -11,7 +11,7 @@ filter {
# identify cross-segment traffic based on previously-populated tag
if ("cross_segment" in [tags]) {
mutate { id => "mutate_add_field_severity_item_cross_segment"
add_field => { "[event][severity_tags]" => "CONNECTION_CROSS_SEGMENT" } }
add_field => { "[event][severity_tags]" => "Cross-segment traffic" } }
}

# inbound/outbound/internal/external connection based on previously-populated tag
Expand All @@ -20,16 +20,16 @@ filter {
# the direction of the connection itself
if ("internal_source" in [tags]) and ("internal_destination" in [tags]) {
mutate { id => "mutate_add_field_severity_item_internal"
add_field => { "[event][severity_tags]" => "CONNECTION_INTERNAL" } }
add_field => { "[event][severity_tags]" => "Internal traffic" } }
} else if ("external_source" in [tags]) and ("external_destination" in [tags]) {
mutate { id => "mutate_add_field_severity_item_external"
add_field => { "[event][severity_tags]" => "CONNECTION_EXTERNAL" } }
add_field => { "[event][severity_tags]" => "External traffic" } }
} else if ("internal_source" in [tags]) and ("external_destination" in [tags]) {
mutate { id => "mutate_add_field_severity_item_outbound"
add_field => { "[event][severity_tags]" => "CONNECTION_OUTBOUND" } }
add_field => { "[event][severity_tags]" => "Outbound traffic" } }
} else if ("external_source" in [tags]) and ("internal_destination" in [tags]) {
mutate { id => "mutate_add_field_severity_item_inbound"
add_field => { "[event][severity_tags]" => "CONNECTION_INBOUND" } }
add_field => { "[event][severity_tags]" => "Inbound traffic" } }
}
}

Expand All @@ -52,7 +52,7 @@ filter {
newtags.push(sevtags)
sevtags = newtags
end
sevtags.push('QUESTIONABLE_COUNTRY')
sevtags.push('Country of concern')
event.set('[event][severity_tags]', sevtags)
end"
}
Expand All @@ -61,15 +61,15 @@ filter {
# tunneled/VPN traffic
if ([zeek][logType] == "tunnel") {
mutate { id => "mutate_add_field_severity_item_tunnel"
add_field => { "[event][severity_tags]" => "CONNECTION_TUNNEL" } }
add_field => { "[event][severity_tags]" => "Tunneled traffic" } }
}
if (("ipsec" in [zeek][service]) or
("openvpn" in [zeek][service]) or
("wireguard" in [zeek][service]) or
("l2tp" in [zeek][service]) or
("sstp" in [zeek][service])) {
mutate { id => "mutate_add_field_severity_item_vpn"
add_field => { "[event][severity_tags]" => "CONNECTION_VPN" } }
add_field => { "[event][severity_tags]" => "VPN traffic" } }
}

# these (high/medium) file types pulled from extractor_override.interesting.zeek
Expand All @@ -91,7 +91,7 @@ filter {
("application/x-sh" in [zeek][filetype]) or
("text/vbscript" in [zeek][filetype])) {
mutate { id => "mutate_add_field_severity_file_type_high"
add_field => { "[event][severity_tags]" => "FILE_TYPE_HIGH" } }
add_field => { "[event][severity_tags]" => "File transfer (high concern)" } }

# "medium" severity files are everything else in the "interesting" list
} else if (("application/binary" in [zeek][filetype]) or
Expand Down Expand Up @@ -177,51 +177,51 @@ filter {
("text/jscript" in [zeek][filetype]) or
("text/rtf" in [zeek][filetype])) {
mutate { id => "mutate_add_field_severity_file_type_medium"
add_field => { "[event][severity_tags]" => "FILE_TYPE_MEDIUM" } }
add_field => { "[event][severity_tags]" => "File transfer (medium concern)" } }

# "low" severity files are other file transfers
} else {
mutate { id => "mutate_add_field_severity_file_type"
add_field => { "[event][severity_tags]" => "FILE_TYPE" } }
add_field => { "[event][severity_tags]" => "File transfer" } }
}
}

# assign severity to notice based on category
if ([zeek_notice]) {
if ([zeek_notice][category] == "ATTACK") {
mutate { id => "mutate_add_field_severity_notice_mitre_attack"
add_field => { "[event][severity_tags]" => "NOTICE_MITRE_ATTACK" } }
add_field => { "[event][severity_tags]" => "MITRE ATT&CK framework technique" } }
} else if ([zeek_notice][category] == "Scan") {
mutate { id => "mutate_add_field_severity_notice_scan"
add_field => { "[event][severity_tags]" => "NOTICE_SCAN" } }
add_field => { "[event][severity_tags]" => "Notice (scan)" } }
} else if (([zeek_notice][category] == "FTP") or
([zeek_notice][category] == "HTTP") or
([zeek_notice][category] == "HTTPATTACKS") or
([zeek_notice][category] == "SSL")) {
mutate { id => "mutate_add_field_severity_notice_protocol"
add_field => { "[event][severity_tags]" => "NOTICE_PROTOCOL" } }
add_field => { "[event][severity_tags]" => "Notice (protocol)" } }
} else if (([zeek_notice][category] =~ /^CVE/) or
([zeek_notice][category] == "EternalSafety") or
([zeek_notice][category] == "Ripple20") or
([zeek_notice][category] == "Zerologon")) {
mutate { id => "mutate_add_field_severity_notice_vuln"
add_field => { "[event][severity_tags]" => "NOTICE_VULN" } }
add_field => { "[event][severity_tags]" => "Notice (vulnerability)" } }
} else {
mutate { id => "mutate_add_field_severity_notice_other"
add_field => { "[event][severity_tags]" => "NOTICE_OTHER" } }
add_field => { "[event][severity_tags]" => "Notice (other)" } }
}
}

# weird logs get one score at the moment
if ([zeek_weird]) {
mutate { id => "mutate_add_field_severity_weird_other"
add_field => { "[event][severity_tags]" => "WEIRD_OTHER" } }
add_field => { "[event][severity_tags]" => "Weird" } }
}

# if zeek.password exists, it's assumed to be in cleartext
if ([zeek][password]) {
mutate { id => "mutate_add_field_severity_password_exists"
add_field => { "[event][severity_tags]" => "PASSWORD_CLEARTEXT" } }
add_field => { "[event][severity_tags]" => "Cleartext password" } }
}

# check for high-entropy domain names for non-internal connections
Expand All @@ -241,7 +241,7 @@ filter {
newtags.push(sevtags)
sevtags = newtags
end
sevtags.push('DOMAIN_HIGH_ENTROPY')
sevtags.push('High entropy domain')
event.set('[event][severity_tags]', sevtags)
end"
}
Expand All @@ -264,7 +264,7 @@ filter {
newtags.push(sevtags)
sevtags = newtags
end
sevtags.push('CONNECTION_SIZE')
sevtags.push('High volume connection')
event.set('[event][severity_tags]', sevtags)
end"
}
Expand All @@ -283,7 +283,7 @@ filter {
newtags.push(sevtags)
sevtags = newtags
end
sevtags.push('CONNECTION_DURATION')
sevtags.push('Long connection')
event.set('[event][severity_tags]', sevtags)
end"
}
Expand All @@ -293,22 +293,22 @@ filter {
if ([zeek_signatures]) {
if ([zeek_signatures][engine] == 'capa') {
mutate { id => "mutate_add_field_severity_signatures_capa"
add_field => { "[event][severity_tags]" => "SIGNATURES_CAPA" } }
add_field => { "[event][severity_tags]" => "File scan (capa)" } }
} else if ([zeek_signatures][engine] == 'clamav') {
mutate { id => "mutate_add_field_severity_signatures_clamav"
add_field => { "[event][severity_tags]" => "SIGNATURES_CLAMAV" } }
add_field => { "[event][severity_tags]" => "File scan (ClamAV)" } }
} else if ([zeek_signatures][engine] == 'malass') {
mutate { id => "mutate_add_field_severity_signatures_malass"
add_field => { "[event][severity_tags]" => "SIGNATURES_MALASS" } }
add_field => { "[event][severity_tags]" => "File scan (Malass)" } }
} else if ([zeek_signatures][engine] == 'virustotal') {
mutate { id => "mutate_add_field_severity_signatures_virustotal"
add_field => { "[event][severity_tags]" => "SIGNATURES_VIRUSTOTAL" } }
add_field => { "[event][severity_tags]" => "File scan (VirusTotal)" } }
} else if ([zeek_signatures][engine] == 'yara') {
mutate { id => "mutate_add_field_severity_signatures_yara"
add_field => { "[event][severity_tags]" => "SIGNATURES_YARA" } }
add_field => { "[event][severity_tags]" => "File scan (YARA)" } }
} else {
mutate { id => "mutate_add_field_severity_signatures_other"
add_field => { "[event][severity_tags]" => "SIGNATURES_OTHER" } }
add_field => { "[event][severity_tags]" => "Signature" } }
}
}

Expand Down Expand Up @@ -371,7 +371,7 @@ filter {
sevtags = newtags
end
if found > 0 then
sevtags.push('PROTOCOL_OUTDATED_OR_INSECURE')
sevtags.push('Insecure or outdated protocol')
end
sevtags.push(*service.map{|x| 'PROTOCOL_' + x.upcase})
event.set('[event][severity_tags]', sevtags)
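Review bot: The unchanged line `sevtags.push(*service.map{|x| 'PROTOCOL_' + x.upcase})` in the last hunk still appends the old machine-style tags next to the new friendly labels, and malcolm_severity.yaml in this commit carries no PROTOCOL_* keys, so these entries presumably receive no score and leave event.severity_tags in two naming styles. If that is intentional, a comment above the push such as `# per-protocol tags are informational only and are not scored in malcolm_severity.yaml` would save the next reader the cross-file lookup; otherwise they belong in the same label style as `Insecure or outdated protocol` with matching yaml entries. The Ruby block this line sits in starts and ends outside the hunk.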

