From 55eb7ac3bdae2ba71ec5cce68fdc2dccf32b000f Mon Sep 17 00:00:00 2001
From: SG <13872653+mmguero@users.noreply.github.com>
Date: Thu, 2 Sep 2021 10:28:24 -0600
Subject: [PATCH] work on idaholab/Malcolm#19, conn states
---
 logstash/maps/malcolm_severity.yaml | 4 ++++
 .../pipelines/enrichment/19_severity.conf | 20 +++++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/logstash/maps/malcolm_severity.yaml b/logstash/maps/malcolm_severity.yaml
index f7aa3bb60..713be4abe 100644
--- a/logstash/maps/malcolm_severity.yaml
+++ b/logstash/maps/malcolm_severity.yaml
@@ -8,6 +8,10 @@
 "VPN traffic": 30
 "High volume connection": 20
 "Long connection": 20
+"Connection aborted (originator)": 30
+"Connection aborted (responder)": 50
+"Connection attempt rejected": 40
+"Connection attempt, no reply": 20
 "Country of concern": 40
 "High entropy domain": 0
 "File transfer": 0
diff --git a/logstash/pipelines/enrichment/19_severity.conf b/logstash/pipelines/enrichment/19_severity.conf
index 8bf20deba..14a19a0dd 100644
--- a/logstash/pipelines/enrichment/19_severity.conf
+++ b/logstash/pipelines/enrichment/19_severity.conf
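Review bot: The four new keys are free-text strings that are presumably looked up by the `[event][severity_tags]` values the same commit adds in 19_severity.conf, so they only score anything if they match those strings byte for byte (including the comma in `"Connection attempt, no reply"`), and nothing in this map says so. A short comment above the block — `# keys must match the [event][severity_tags] strings set in logstash/pipelines/enrichment/19_severity.conf` — would keep the two files from drifting apart silently. The relative weights are also undocumented (a responder abort at 50 ranks above a rejected attempt at 40 and an unanswered attempt at 20); if the intent is that RSTR points at a service dropping a client it had already accepted, a one-line comment saying so would help whoever tunes these scores next.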
@@ -14,6 +14,26 @@ filter { add_field => { "[event][severity_tags]" => "Cross-segment traffic" } } } + # connection states of interest (see conn_states.yaml) + # https://docs.zeek.org/en/current/scripts/base/protocols/conn/main.zeek.html#type-Conn::Info + # https://docs.zeek.org/en/master/logs/conn.html + if ([zeek_conn][conn_state]) { + if ([zeek_conn][conn_state] == "S0") { + mutate { id => "mutate_add_field_severity_item_conn_s0" + add_field => { "[event][severity_tags]" => "Connection attempt, no reply" } } + } else if ([zeek_conn][conn_state] == "REJ") { + mutate { id => "mutate_add_field_severity_item_conn_rej" + add_field => { "[event][severity_tags]" => "Connection attempt rejected" } } + } else if ([zeek_conn][conn_state] == "RSTO") { + mutate { id => "mutate_add_field_severity_item_conn_rsto" + add_field => { "[event][severity_tags]" => "Connection aborted (originator)" } } + } else if ([zeek_conn][conn_state] == "RSTR") { + mutate { id => "mutate_add_field_severity_item_conn_rstr" + add_field => { "[event][severity_tags]" => "Connection aborted (responder)" } } + } + } + + # inbound/outbound/internal/external connection based on previously-populated tag if ([zeek][logType] != "files") { # files.log is excluded here because tx_hosts and tx_hosts doesn't really indicate
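Review bot: The S0 branch (`if ([zeek_conn][conn_state] == "S0")`) is not limited to TCP: in Zeek a UDP or ICMP flow that never sees a reply (broadcast/multicast chatter, unanswered DNS, one-way syslog) also gets conn_state S0, so "Connection attempt, no reply" will land on a large share of benign one-way traffic and dilute the severity score instead of surfacing unanswered SYNs. Consider gating that arm on the transport, e.g. `if ([zeek_conn][conn_state] == "S0" and [zeek][proto] == "tcp") {` (I cannot see from this hunk which field Malcolm carries the transport in, so confirm the name), or at least record the decision with `# S0 also covers one-way UDP/ICMP flows, not just unanswered TCP SYNs`. The chain also skips the states that most directly indicate scanning per the linked Zeek docs — RSTOS0 (SYN then RST from the originator with no SYN-ACK), SH (SYN then FIN, half-open) and their responder-side counterparts RSTRH/SHR — so if those are not handled elsewhere in this file, adding `else if` arms for them would make the "connection states of interest" comment accurate. The enclosing `filter { }` block starts before and ends after this hunk.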