work on idaholab#19, conn states

logstash/maps/malcolm_severity.yaml

@@ -8,6 +8,10 @@
 "VPN traffic": 30
 "High volume connection": 20
 "Long connection": 20
+"Connection aborted (originator)": 30
+"Connection aborted (responder)": 50
+"Connection attempt rejected": 40
+"Connection attempt, no reply": 20
 "Country of concern": 40
 "High entropy domain": 0
 "File transfer": 0

logstash/pipelines/enrichment/19_severity.conf

@@ -14,6 +14,26 @@ filter {
                add_field => { "[event][severity_tags]" => "Cross-segment traffic" } }
     }
 
+    # connection states of interest (see conn_states.yaml)
+    # https://docs.zeek.org/en/current/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info
+    # https://docs.zeek.org/en/master/logs/conn.html
+    if ([zeek_conn][conn_state]) {
+      if ([zeek_conn][conn_state] == "S0") {
+        mutate { id => "mutate_add_field_severity_item_conn_s0"
+                 add_field => { "[event][severity_tags]" => "Connection attempt, no reply" } }
+      } else if ([zeek_conn][conn_state] == "REJ") {
+        mutate { id => "mutate_add_field_severity_item_conn_rej"
+                 add_field => { "[event][severity_tags]" => "Connection attempt rejected" } }
+      } else if ([zeek_conn][conn_state] == "RSTO") {
+        mutate { id => "mutate_add_field_severity_item_conn_rsto"
+                 add_field => { "[event][severity_tags]" => "Connection aborted (originator)" } }
+      } else if ([zeek_conn][conn_state] == "RSTR") {
+        mutate { id => "mutate_add_field_severity_item_conn_rstr"
+                 add_field => { "[event][severity_tags]" => "Connection aborted (responder)" } }
+      }
+    }
+
+
     # inbound/outbound/internal/external connection based on previously-populated tag
     if ([zeek][logType] != "files") {
       # files.log is excluded here because tx_hosts and tx_hosts doesn't really indicate