for adjust modbus dashboard, idaholab#225

mmguero-dev · Jul 20, 2023 · 6548042 · 6548042
1 parent 0b9a604
commit 6548042
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 22 deletions.
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
@@ -676,11 +676,10 @@ zeek.modbus.func=db:zeek.modbus.func;group:zeek_modbus;kind:termfield;friendly:F
 zeek.modbus.exception=db:zeek.modbus.exception;group:zeek_modbus;kind:termfield;friendly:Exception;help:Exception
 zeek.modbus.unit_id=db:zeek.modbus.unit_id;group:zeek_modbus;kind:integer;friendly:Unit/Server ID;help:Unit/Server ID
 zeek.modbus.trans_id=db:zeek.modbus.trans_id;group:zeek_modbus;kind:integer;friendly:Transaction ID;help:Transaction ID
-zeek.modbus.pdu_type=db:zeek.modbus.pdu_type;group:zeek_modbus;kind:termfield;friendly:PDU Type;help:PDU Type
+zeek.modbus.network_direction=db:zeek.modbus.network_direction;group:zeek_modbus;kind:termfield;friendly:PDU Type;help:Request or Response
 
 # modbus_detailed.log
 # https://github.com/cisagov/ICSNPP
-zeek.modbus_detailed.network_direction=db:zeek.modbus_detailed.network_direction;group:zeek_modbus;kind:termfield;friendly:Request or Response;help:Request or Response
 zeek.modbus_detailed.address=db:zeek.modbus_detailed.address;group:zeek_modbus;kind:integer;friendly:Starting Memory Address;help:Starting Memory Address
 zeek.modbus_detailed.quantity=db:zeek.modbus_detailed.quantity;group:zeek_modbus;kind:integer;friendly:Number of Values;help:Number of Values
 zeek.modbus_detailed.values=db:zeek.modbus_detailed.values;group:zeek_modbus;kind:termfield;friendly:Values;help:Values
@@ -2603,8 +2602,8 @@ o_zeek_known_modbus=require:zeek.known_modbus;title:Zeek zeek.known_modbus.log;f
 o_zeek_ldap=require:zeek.ldap;title:Zeek ldap.log;fields:zeek.ldap.message_id,zeek.ldap.version,zeek.ldap.operation,zeek.ldap.result_code,zeek.ldap.result_message,zeek.ldap.object,zeek.ldap.argument
 o_zeek_ldap_search=require:zeek.ldap_search;title:Zeek ldap_search.log;fields:zeek.ldap_search.message_id,zeek.ldap_search.filter,zeek.ldap_search.attributes,zeek.ldap_search.scope,zeek.ldap_search.deref,zeek.ldap_search.base_object,zeek.ldap_search.result_count,zeek.ldap_search.result_code,zeek.ldap_search.result_message
 o_zeek_login=require:zeek.login;title:Zeek login.log;fields:zeek.login.client_user,zeek.login.confused,zeek.login.success
-o_zeek_modbus=require:zeek.modbus;title:Zeek modbus.log;fields:zeek.modbus.trans_id,zeek.modbus.unit_id,zeek.modbus.pdu_type,zeek.modbus.func,zeek.modbus.exception
-o_zeek_modbus_detailed=require:zeek.modbus_detailed;title:Zeek modbus_detailed.log;fields:zeek.modbus.unit_id,zeek.modbus.func,zeek.modbus_detailed.network_direction,zeek.modbus_detailed.address,zeek.modbus_detailed.quantity,zeek.modbus_detailed.values
+o_zeek_modbus=require:zeek.modbus;title:Zeek modbus.log;fields:zeek.modbus.trans_id,zeek.modbus.unit_id,zeek.modbus.network_direction,zeek.modbus.func,zeek.modbus.exception
+o_zeek_modbus_detailed=require:zeek.modbus_detailed;title:Zeek modbus_detailed.log;fields:zeek.modbus.unit_id,zeek.modbus.func,zeek.modbus.network_direction,zeek.modbus_detailed.address,zeek.modbus_detailed.quantity,zeek.modbus_detailed.values
 o_zeek_modbus_mask_write_register=require:zeek.modbus_mask_write_register;title:Zeek modbus_mask_write_register.log;fields:zeek.modbus_detailed.unit_id,zeek.modbus.func,zeek.modbus_detailed.network_direction,zeek.modbus_detailed.address,zeek.modbus_mask_write_register.and_mask,zeek.modbus_mask_write_register.or_mask
 o_zeek_modbus_read_write_multiple_registers=require:zeek.modbus_read_write_multiple_registers;title:Zeek modbus_read_write_multiple_registers.log;fields:zeek.modbus_detailed.unit_id,zeek.modbus.func,zeek.modbus_detailed.network_direction,zeek.modbus_read_write_multiple_registers.write_start_address,zeek.modbus_read_write_multiple_registers.write_registers,zeek.modbus_read_write_multiple_registers.read_start_address,zeek.modbus_read_write_multiple_registers.read_quantity,zeek.modbus_read_write_multiple_registers.read_registers
 o_zeek_mqtt_connect=require:zeek.mqtt_connect;title:Zeek mqtt_connect.log;fields:zeek.mqtt_connect.proto_name,zeek.mqtt_connect.proto_version,zeek.mqtt_connect.client_id,zeek.mqtt_connect.connect_status,zeek.mqtt_connect.will_topic,zeek.mqtt_connect.will_payload

diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
@@ -1116,11 +1116,10 @@ class MalcolmSource extends WISESource {
       "zeek.login.success",
       "zeek.modbus.exception",
       "zeek.modbus.func",
-      "zeek.modbus.pdu_type",
+      "zeek.modbus.network_direction",
       "zeek.modbus.trans_id",
       "zeek.modbus.unit_id",
       "zeek.modbus_detailed.address",
-      "zeek.modbus_detailed.network_direction",
       "zeek.modbus_detailed.quantity",
       "zeek.modbus_detailed.values",
       "zeek.modbus_mask_write_register.and_mask",

diff --git a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
@@ -146,7 +146,7 @@
           "source.ip",
           "destination.ip",
           "destination.port",
-          "zeek.modbus.pdu_type",
+          "zeek.modbus.network_direction",
           "event.action",
           "event.result",
           "zeek.modbus.unit_id",
@@ -393,7 +393,7 @@
       "version": "WzE0NSwxXQ==",
       "attributes": {
         "title": "Modbus Detailed - Request and Response",
-        "visState": "{\"title\":\"Modbus Detailed - Request and Response\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"zeek.modbus_detailed.network_direction: Descending\",\"aggType\":\"terms\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Function\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.modbus_detailed.network_direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
+        "visState": "{\"title\":\"Modbus Detailed - Request and Response\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"drilldown\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Unknown\"}},\"params\":{},\"label\":\"zeek.modbus.network_direction: Descending\",\"aggType\":\"terms\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Function\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"zeek.modbus.network_direction\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
         "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}",
         "description": "",
         "version": 1,
@@ -428,7 +428,7 @@
         "description": "Modbus read holding registers, input registers, discrete inputs, and coils overview from modbus_detailed.log",
         "version": 1,
         "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"query\":{\"query\":\"zeek.modbus_detailed.network_direction:(\\\"response\\\") AND event.action:(\\\"READ_DISCRETE_INPUTS\\\" OR \\\"READ_COILS\\\" OR \\\"READ_HOLDING_REGISTERS\\\" OR \\\"READ_INPUT_REGISTERS\\\")\",\"language\":\"lucene\"},\"filter\":[]}"
+          "searchSourceJSON": "{\"query\":{\"query\":\"zeek.modbus.network_direction:(\\\"response\\\") AND event.action:(\\\"READ_DISCRETE_INPUTS\\\" OR \\\"READ_COILS\\\" OR \\\"READ_HOLDING_REGISTERS\\\" OR \\\"READ_INPUT_REGISTERS\\\")\",\"language\":\"lucene\"},\"filter\":[]}"
         },
         "savedSearchRefName": "search_0"
       },
@@ -458,7 +458,7 @@
         "description": "Modbus write register and write coil overview from modbus_detailed.log",
         "version": 1,
         "kibanaSavedObjectMeta": {
-          "searchSourceJSON": "{\"query\":{\"query\":\"zeek.modbus_detailed.network_direction:(\\\"request\\\")\",\"language\":\"lucene\"},\"filter\":[]}"
+          "searchSourceJSON": "{\"query\":{\"query\":\"zeek.modbus.network_direction:(\\\"request\\\")\",\"language\":\"lucene\"},\"filter\":[]}"
         },
         "savedSearchRefName": "search_0"
       },
@@ -519,7 +519,7 @@
           "source.ip",
           "destination.ip",
           "event.action",
-          "zeek.modbus_detailed.network_direction",
+          "zeek.modbus.network_direction",
           "zeek.modbus.unit_id",
           "zeek.modbus_detailed.address",
           "zeek.modbus_detailed.quantity",
@@ -562,7 +562,7 @@
         "columns": [
           "source.ip",
           "destination.ip",
-          "zeek.modbus_detailed.network_direction",
+          "zeek.modbus.network_direction",
           "event.action",
           "zeek.modbus.unit_id",
           "zeek.modbus_detailed.address",
@@ -606,7 +606,7 @@
         "columns": [
           "source.ip",
           "destination.ip",
-          "zeek.modbus_detailed.network_direction",
+          "zeek.modbus.network_direction",
           "event.action",
           "zeek.modbus.unit_id",
           "zeek.modbus_read_write_multiple_registers.write_start_address",
@@ -694,7 +694,7 @@
           "destination.port",
           "event.action",
           "event.result",
-          "zeek.modbus_detailed.network_direction",
+          "zeek.modbus.network_direction",
           "zeek.modbus.unit_id",
           "event.id"
         ],

diff --git a/dashboards/templates/composable/component/zeek_ot.json b/dashboards/templates/composable/component/zeek_ot.json
@@ -201,11 +201,10 @@
         "zeek.known_modbus.device_type": { "type": "keyword" },
         "zeek.modbus.exception": { "type": "keyword" },
         "zeek.modbus.func": { "type": "keyword" },
-        "zeek.modbus.pdu_type": { "type": "keyword" },
+        "zeek.modbus.network_direction": { "type": "keyword" },
         "zeek.modbus.trans_id": { "type": "integer" },
         "zeek.modbus.unit_id": { "type": "integer" },
         "zeek.modbus_detailed.address": { "type": "integer" },
-        "zeek.modbus_detailed.network_direction": { "type": "keyword" },
         "zeek.modbus_detailed.quantity": { "type": "integer" },
         "zeek.modbus_detailed.values": { "type": "keyword" },
         "zeek.modbus_mask_write_register.address": { "type": "integer" },

diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -1907,7 +1907,7 @@ filter {
       id => "dissect_zeek_modbus"
       # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
       mapping => {
-        "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][orig_h]}	%{[zeek_cols][orig_p]}	%{[zeek_cols][resp_h]}	%{[zeek_cols][resp_p]}	%{[zeek_cols][trans_id]}	%{[zeek_cols][unit_id]}	%{[zeek_cols][func]}	%{[zeek_cols][pdu_type]}	%{[zeek_cols][exception]}"
+        "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][orig_h]}	%{[zeek_cols][orig_p]}	%{[zeek_cols][resp_h]}	%{[zeek_cols][resp_p]}	%{[zeek_cols][trans_id]}	%{[zeek_cols][unit_id]}	%{[zeek_cols][func]}	%{[zeek_cols][network_direction]}	%{[zeek_cols][exception]}"
       }
     }
     if ("_dissectfailure" in [tags]) {
@@ -1918,7 +1918,7 @@ filter {
       }
       ruby {
         id => "ruby_zip_zeek_modbus"
-        init => "$zeek_modbus_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'pdu_type', 'exception' ]"
+        init => "$zeek_modbus_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_id', 'unit_id', 'func', 'network_direction', 'exception' ]"
         code => "event.set('[zeek_cols]', $zeek_modbus_field_names.zip(event.get('[message]')).to_h)"
       }
     }

diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf
@@ -982,6 +982,23 @@ filter {
       }
     }
 
+  } else if ([log_source] == "modbus") {
+    #############################################################################################################################
+    # modbus.log specific logic
+
+    # normalize network_direction to match modbus_details.log
+    if ([zeek][modbus][network_direction]) {
+      translate {
+        id => "translate_zeek_modbus_network_direction"
+        source => "[zeek][modbus][network_direction]"
+        target => "[zeek][modbus][network_direction]"
+        dictionary => {
+          "REQ" => "request"
+          "RESP" => "response"
+        }
+      }
+    }
+
   } else if ([log_source] == "modbus_detailed") {
     #############################################################################################################################
     # modbus_detailed.log specific logic
@@ -996,6 +1013,7 @@ filter {
       id => "mutate_rename_modbus_detailed_fields"
       rename => { "[zeek][modbus_detailed][func]" => "[zeek][modbus][func]" }
       rename => { "[zeek][modbus_detailed][unit_id]" => "[zeek][modbus][unit_id]" }
+      rename => { "[zeek][modbus_detailed][network_direction]" => "[zeek][modbus][network_direction]" }
     }
 
   } else if ([log_source] == "modbus_mask_write_register") {
@@ -1005,10 +1023,10 @@ filter {
     # rename a to make correlating modbus easier between logs
     mutate {
       id => "mutate_rename_modbus_mask_write_register_fields"
-      rename => { "[zeek][modbus_mask_write_register][network_direction]" => "[zeek][modbus_detailed][network_direction]" }
-      rename => { "[zeek][modbus_mask_write_register][unit_id]" => "[zeek][modbus_detailed][unit_id]" }
       rename => { "[zeek][modbus_mask_write_register][address]" => "[zeek][modbus_detailed][address]" }
       rename => { "[zeek][modbus_mask_write_register][func]" => "[zeek][modbus][func]" }
+      rename => { "[zeek][modbus_mask_write_register][network_direction]" => "[zeek][modbus][network_direction]" }
+      rename => { "[zeek][modbus_mask_write_register][unit_id]" => "[zeek][modbus][unit_id]" }
     }
 
   } else if ([log_source] == "modbus_read_write_multiple_registers") {
@@ -1028,8 +1046,8 @@ filter {
     # rename a to make correlating modbus easier between logs
     mutate {
       id => "mutate_rename_modbus_read_write_multiple_registers_fields"
-      rename => { "[zeek][modbus_read_write_multiple_registers][network_direction]" => "[zeek][modbus_detailed][network_direction]" }
-      rename => { "[zeek][modbus_read_write_multiple_registers][unit_id]" => "[zeek][modbus_detailed][unit_id]" }
+      rename => { "[zeek][modbus_read_write_multiple_registers][network_direction]" => "[zeek][modbus][network_direction]" }
+      rename => { "[zeek][modbus_read_write_multiple_registers][unit_id]" => "[zeek][modbus][unit_id]" }
       rename => { "[zeek][modbus_read_write_multiple_registers][func]" => "[zeek][modbus][func]" }
     }