better modbus action/result normalization, idaholab#225

mmguero-dev · Jul 20, 2023 · c5c772b · c5c772b
1 parent 6548042
commit c5c772b
Showing 1 changed file with 17 additions and 3 deletions.
diff --git a/logstash/pipelines/zeek/13_zeek_normalize.conf b/logstash/pipelines/zeek/13_zeek_normalize.conf
@@ -825,16 +825,30 @@ filter {
                                                       merge => { "[event][result]" => "[zeek][ldap_search][result_code]" } } }
 
   if ([zeek][modbus]) {
-    # result comes from exception, but if exception is missing and we have a func, then assume success
     if ([zeek][modbus][exception]) {
+      # we have an exception, so set that as result
       mutate { id => "mutate_merge_normalize_zeek_modbus_exception"
-      merge => { "[event][result]" => "[zeek][modbus][exception]" } }
-    } else if ([zeek][modbus][func]) {
+               merge => { "[event][result]" => "[zeek][modbus][exception]" } }
+    } else if ([zeek][modbus][func]) and
+              (([zeek][modbus][network_direction] != "response") or (!([zeek][modbus][func] =~ /EXCEPTION$/))) {
+      # no exception, but... we have a func, so just assume "Success"
       mutate { id => "mutate_add_field_zeek_modbus_success"
                add_field => { "[@metadata][zeek_modbus_result]" => "Success" } }
       mutate { id => "mutate_merge_field_zeek_modbus_success"
                merge => { "[event][result]" => "[@metadata][zeek_modbus_result]" } }
     }
+    if ([zeek][modbus][network_direction] == "response") and ([zeek][modbus][func] =~ /EXCEPTION$/) {
+      # direction is "response" and func ends in EXCEPTION, so also set that as result
+      mutate { id => "mutate_merge_normalize_zeek_modbus_exception_func_response"
+               merge => { "[event][result]" => "[zeek][modbus][func]" } }
+      # and, for cross-referencing purposes, store the part before _EXCEPTION in action as well
+      mutate { id => "mutate_merge_normalize_modbus_func_exception_meta"
+               merge => { "[@metadata][modbus_func_exception]" => "[zeek][modbus][func]" } }
+      mutate { id => "mutate_gsub_normalize_zeek_modbus_exception_as_action"
+               gsub => [ "[@metadata][modbus_func_exception]", "_?EXCEPTION", "" ] }
+      mutate { id => "mutate_merge_normalize_zeek_modbus_exception_as_action"
+               merge => { "[event][action]" => "[@metadata][modbus_func_exception]" } }
+    }
   }
 
   # result for zeek_mqtt_connect: connect_status.'Connection Accepted' -> 'Success', else connect_status