work in progress incorporating icsnpp-profinet-io-cm, idaholab#429

logstash/pipelines/zeek/11_zeek_parse.conf

@@ -107,18 +107,22 @@ filter {
 
     # normalize service string(s)
 
+    # For some reason, even in JSON, I have service strings like:
+    #   ...,"proto":"udp","service":"profinet,profinet_dce_rpc,spicy_profinet_io_cm,profinet",...
+    # so whatever reason it's not already an array. Split it here.
+    mutate { id => "mutate_split_zeek_conn_commas"
+             split => { "[zeek_cols][service]" => "," } }
+
     # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix
     mutate { id => "mutate_gsub_field_zeek_conn_service_protocol_suffix"
              gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] }
 
-    if ([zeek_cols][service] =~ /spicy_/) {
-      # if it's coming from spicy, we don't care to have that in the service name
-      mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_prefix"
-               gsub => [ "[zeek_cols][service]", "spicy_", "" ] }
+    # if it's coming from spicy, we don't care to have that in the service name
+    mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_prefix"
+             gsub => [ "[zeek_cols][service]", "spicy_", "" ] }
 
-      mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_cipher_suffix"
-               gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] }
-    }
+    mutate { id => "mutate_gsub_field_zeek_conn_service_spicy_cipher_suffix"
+             gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] }
 
     if ([zeek_cols][orig_ip_bytes]) and ([zeek_cols][orig_ip_bytes] != '-') and ([zeek_cols][orig_ip_bytes] != '(empty)') and ([zeek_cols][orig_ip_bytes] != '') {
       mutate { id => "mutate_add_field_zeek_srcBytes"