finished icsnpp-profinet-io-cm, idaholab#429

mmguero-dev · Feb 27, 2024 · 75a483e · 75a483e
1 parent 09cf72d
commit 75a483e
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 15 deletions.
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
@@ -1506,8 +1506,7 @@ zeek.profinet_io_cm.object_uuid=db:zeek.profinet_io_cm.object_uuid;group:zeek_pr
 zeek.profinet_io_cm.interface_uuid=db:zeek.profinet_io_cm.interface_uuid;group:zeek_profinet_io_cm;kind:termfield;friendly:Interface UUID;help:Interface UUID
 zeek.profinet_io_cm.activity_uuid=db:zeek.profinet_io_cm.activity_uuid;group:zeek_profinet_io_cm;kind:termfield;friendly:Activity UUID;help:Activity UUID
 zeek.profinet_io_cm.server_boot_time=db:zeek.profinet_io_cm.server_boot_time;group:zeek_profinet_io_cm;kind:integer;friendly:Server boot time;help:Server boot time
-zeek.profinet_io_cm.interface_vers_major=db:zeek.profinet_io_cm.interface_vers_major;group:zeek_profinet_io_cm;kind:integer;friendly:Interface version major;help:Interface version major
-zeek.profinet_io_cm.interface_vers_minor=db:zeek.profinet_io_cm.interface_vers_minor;group:zeek_profinet_io_cm;kind:integer;friendly:Interface version minor;help:Interface version minor
+zeek.profinet_io_cm.interface_version=db:zeek.profinet_io_cm.interface_version;group:zeek_profinet_io_cm;kind:termfield;friendly:Interface version;help:Interface version
 zeek.profinet_io_cm.sequence_num=db:zeek.profinet_io_cm.sequence_num;group:zeek_profinet_io_cm;kind:integer;friendly:Activity sequence number;help:Activity sequence number
 zeek.profinet_io_cm.operation=db:zeek.profinet_io_cm.operation;group:zeek_profinet_io_cm;kind:termfield;friendly:PNIO operation;help:PNIO operation
 zeek.profinet_io_cm.interface_hint=db:zeek.profinet_io_cm.interface_hint;group:zeek_profinet_io_cm;kind:integer;friendly:Interface hint;help:Interface hint
@@ -2692,7 +2691,7 @@ o_zeek_ospf=require:zeek.ospf;title:Zeek ospf.log;fields:zeek.ospf.ospf_type,zee
 o_zeek_pe=require:zeek.pe;title:Zeek pe.log;fields:zeek.pe.machine,zeek.pe.compile_ts,zeek.pe.os,zeek.pe.subsystem,zeek.pe.is_exe,zeek.pe.is_64bit,zeek.pe.uses_aslr,zeek.pe.uses_dep,zeek.pe.uses_code_integrity,zeek.pe.uses_seh,zeek.pe.has_import_table,zeek.pe.has_export_table,zeek.pe.has_cert_table,zeek.pe.has_debug_data,zeek.pe.section_names
 o_zeek_profinet=require:zeek.profinet;title:Zeek profinet.log;fields:zeek.profinet.operation_type,zeek.profinet.block_version,zeek.profinet.slot_number,zeek.profinet.subslot_number,zeek.profinet.index
 o_zeek_profinet_dce_rpc=require:zeek.profinet_dce_rpc;title:Zeek profinet_dce_rpc.log;fields:zeek.profinet_dce_rpc.version,zeek.profinet_dce_rpc.packet_type,zeek.profinet_dce_rpc.object_uuid,zeek.profinet_dce_rpc.interface_uuid,zeek.profinet_dce_rpc.activity_uuid,zeek.profinet_dce_rpc.server_boot_time,zeek.profinet_dce_rpc.operation
-o_zeek_profinet_io_cm=require:zeek.profinet_io_cm;title:Zeek profinet_io_cm.log;fields:zeek.profinet_io_cm.rpc_version,zeek.profinet_io_cm.packet_type,zeek.profinet_io_cm.reserved_for_impl_1,zeek.profinet_io_cm.last_fragment,zeek.profinet_io_cm.fragment,zeek.profinet_io_cm.no_fragment_requested,zeek.profinet_io_cm.maybe,zeek.profinet_io_cm.idempotent,zeek.profinet_io_cm.broadcast,zeek.profinet_io_cm.reserved_for_impl_2,zeek.profinet_io_cm.cancel_was_pending_at_call_end,zeek.profinet_io_cm.integer_encoding,zeek.profinet_io_cm.character_encoding,zeek.profinet_io_cm.floating_point_encoding,zeek.profinet_io_cm.serial_high,zeek.profinet_io_cm.object_uuid,zeek.profinet_io_cm.interface_uuid,zeek.profinet_io_cm.activity_uuid,zeek.profinet_io_cm.server_boot_time,zeek.profinet_io_cm.interface_vers_major,zeek.profinet_io_cm.interface_vers_minor,zeek.profinet_io_cm.sequence_num,zeek.profinet_io_cm.operation,zeek.profinet_io_cm.interface_hint,zeek.profinet_io_cm.activity_hint,zeek.profinet_io_cm.len_of_body,zeek.profinet_io_cm.fragment_num,zeek.profinet_io_cm.auth_protocol,zeek.profinet_io_cm.serial_low,zeek.profinet_io_cm.vers_fack,zeek.profinet_io_cm.window_size,zeek.profinet_io_cm.max_tsdu,zeek.profinet_io_cm.max_frag_size,zeek.profinet_io_cm.serial_number,zeek.profinet_io_cm.sel_ack_len,zeek.profinet_io_cm.sel_ack
+o_zeek_profinet_io_cm=require:zeek.profinet_io_cm;title:Zeek profinet_io_cm.log;fields:zeek.profinet_io_cm.rpc_version,zeek.profinet_io_cm.packet_type,zeek.profinet_io_cm.reserved_for_impl_1,zeek.profinet_io_cm.last_fragment,zeek.profinet_io_cm.fragment,zeek.profinet_io_cm.no_fragment_requested,zeek.profinet_io_cm.maybe,zeek.profinet_io_cm.idempotent,zeek.profinet_io_cm.broadcast,zeek.profinet_io_cm.reserved_for_impl_2,zeek.profinet_io_cm.cancel_was_pending_at_call_end,zeek.profinet_io_cm.integer_encoding,zeek.profinet_io_cm.character_encoding,zeek.profinet_io_cm.floating_point_encoding,zeek.profinet_io_cm.serial_high,zeek.profinet_io_cm.object_uuid,zeek.profinet_io_cm.interface_uuid,zeek.profinet_io_cm.activity_uuid,zeek.profinet_io_cm.server_boot_time,zeek.profinet_io_cm.interface_version,zeek.profinet_io_cm.sequence_num,zeek.profinet_io_cm.operation,zeek.profinet_io_cm.interface_hint,zeek.profinet_io_cm.activity_hint,zeek.profinet_io_cm.len_of_body,zeek.profinet_io_cm.fragment_num,zeek.profinet_io_cm.auth_protocol,zeek.profinet_io_cm.serial_low,zeek.profinet_io_cm.vers_fack,zeek.profinet_io_cm.window_size,zeek.profinet_io_cm.max_tsdu,zeek.profinet_io_cm.max_frag_size,zeek.profinet_io_cm.serial_number,zeek.profinet_io_cm.sel_ack_len,zeek.profinet_io_cm.sel_ack
 o_zeek_radius=require:zeek.radius;title:Zeek radius.log;fields:zeek.radius.mac,zeek.radius.framed_addr,zeek.radius.tunnel_client,zeek.radius.connect_info,zeek.radius.reply_msg,zeek.radius.result,zeek.radius.ttl
 o_zeek_rdp=require:zeek.rdp;title:Zeek rdp.log;fields:zeek.rdp.cookie,zeek.rdp.result,zeek.rdp.security_protocol,zeek.rdp.client_channels,zeek.rdp.keyboard_layout,zeek.rdp.client_build,zeek.rdp.client_name,zeek.rdp.client_dig_product_id,zeek.rdp.desktop_width,zeek.rdp.desktop_height,zeek.rdp.requested_color_depth,zeek.rdp.cert_type,zeek.rdp.cert_count,zeek.rdp.cert_permanent,zeek.rdp.encryption_level,zeek.rdp.encryption_method
 o_zeek_rfb=require:zeek.rfb;title:Zeek rfb.log;fields:zeek.rfb.client_major_version,zeek.rfb.client_minor_version,zeek.rfb.server_major_version,zeek.rfb.server_minor_version,zeek.rfb.authentication_method,zeek.rfb.auth,zeek.rfb.share_flag,zeek.rfb.desktop_name,zeek.rfb.width,zeek.rfb.height

diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
@@ -1738,8 +1738,7 @@ class MalcolmSource extends WISESource {
       "zeek.profinet_io_cm.interface_uuid",
       "zeek.profinet_io_cm.activity_uuid",
       "zeek.profinet_io_cm.server_boot_time",
-      "zeek.profinet_io_cm.interface_vers_major",
-      "zeek.profinet_io_cm.interface_vers_minor",
+      "zeek.profinet_io_cm.interface_version",
       "zeek.profinet_io_cm.sequence_num",
       "zeek.profinet_io_cm.operation_num",
       "zeek.profinet_io_cm.interface_hint",

diff --git a/dashboards/templates/composable/component/zeek_ot.json b/dashboards/templates/composable/component/zeek_ot.json
@@ -710,8 +710,7 @@
         "zeek.profinet_io_cm.interface_uuid": { "type": "keyword" },
         "zeek.profinet_io_cm.activity_uuid": { "type": "keyword" },
         "zeek.profinet_io_cm.server_boot_time": { "type": "long" },
-        "zeek.profinet_io_cm.interface_vers_major": { "type": "long" },
-        "zeek.profinet_io_cm.interface_vers_minor": { "type": "long" },
+        "zeek.profinet_io_cm.interface_version": { "type": "keyword" },
         "zeek.profinet_io_cm.sequence_num": { "type": "long" },
         "zeek.profinet_io_cm.operation": { "type": "keyword" },
         "zeek.profinet_io_cm.interface_hint": { "type": "long" },

diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -2709,13 +2709,6 @@ filter {
                split => { "[zeek_cols][sel_ack]" => "," } }
     }
 
-    if ([zeek_cols][packet_type]) and ((![zeek_cols][operation])       or ([zeek_cols][operation] == '(empty)') or
-                                       ([zeek_cols][operation] == 'unknown') or ([zeek_cols][operation] == '-') or
-                                       ([zeek_cols][operation] == '')) {
-      mutate { id => "mutate_replace_zeek_profinet_io_cm_operation"
-               replace => { "[zeek_cols][operation]" => "%{[zeek_cols][packet_type]}" } }
-    }
-
     mutate {
       id => "mutate_add_fields_zeek_profinet_io_cm"
       add_field => {

diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf
@@ -1380,6 +1380,32 @@ filter {
                add_field => { "[zeek][software][software_type]" => "OPCUA" } }
     }
 
+  } else if ([log_source] == "profinet_io_cm") {
+    #############################################################################################################################
+    # profinet_io_cm.log specific logic
+
+    if ([zeek][profinet_io_cm][packet_type]) and
+        ((![zeek][profinet_io_cm][operation])       or ([zeek][profinet_io_cm][operation] == '(empty)') or
+         ([zeek][profinet_io_cm][operation] == 'unknown') or ([zeek][profinet_io_cm][operation] == '-') or
+         ([zeek][profinet_io_cm][operation] == '')) {
+      mutate { id => "mutate_replace_zeek_profinet_io_cm_operation"
+               replace => { "[zeek][profinet_io_cm][operation]" => "%{[zeek][profinet_io_cm][packet_type]}" } }
+    }
+
+    if ([zeek][profinet_io_cm][interface_vers_major]) or ([zeek][profinet_io_cm][interface_vers_minor]) {
+      ruby {
+        id => "ruby_zeek_profinet_io_cm_interface_vers"
+        code => '
+          event.set("[zeek][profinet_io_cm][interface_version]",
+                    [event.get("[zeek][profinet_io_cm][interface_vers_major]").to_s,
+                     event.get("[zeek][profinet_io_cm][interface_vers_minor]").to_s].join("."))
+        '
+      }
+      mutate { id => "mutate_remove_fields_zeek_profinet_io_cm_interface_vers"
+               remove_field => [ "[zeek][profinet_io_cm][interface_vers_major]",
+                                 "[zeek][profinet_io_cm][interface_vers_minor]" ] }
+    }
+
   } else if ([log_source] == "radius") {
     #############################################################################################################################
     # radius.log specific logic

diff --git a/logstash/pipelines/zeek/13_zeek_normalize.conf b/logstash/pipelines/zeek/13_zeek_normalize.conf
@@ -115,9 +115,12 @@ filter {
   if ([zeek][profinet_dce_rpc][version])          { mutate { id => "mutate_merge_normalize_zeek_profinet_dce_rpc_version"
                                                              merge => { "[network][protocol_version]" => "[zeek][profinet_dce_rpc][version]" } } }
 
-  if ([zeek][profinet_io_cm][rpc_version])        { mutate { id => "mutate_merge_normalize_zeek_profinet_io_cm_version"
+  if ([zeek][profinet_io_cm][rpc_version])        { mutate { id => "mutate_merge_normalize_zeek_profinet_io_cm_rpc_version"
                                                              merge => { "[network][protocol_version]" => "[zeek][profinet_io_cm][rpc_version]" } } }
 
+  if ([zeek][profinet_io_cm][interface_version])  { mutate { id => "mutate_merge_normalize_zeek_profinet_io_interface_version"
+                                                             merge => { "[network][protocol_version]" => "[zeek][profinet_io_cm][interface_version]" } } }
+
   if ([zeek][rfb]) {
     ruby {
       id => "ruby_zeek_field_network_protocol_version_rfb"