From c5c772b45610b02cc3f7eb09a08fc02412f6adf7 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Thu, 20 Jul 2023 08:27:54 -0600
Subject: [PATCH] better modbus action/result normalization, idaholab/Malcolm#225
---
 .../pipelines/zeek/13_zeek_normalize.conf | 20 ++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/logstash/pipelines/zeek/13_zeek_normalize.conf b/logstash/pipelines/zeek/13_zeek_normalize.conf
index 3d24b1786..c2bc33f7c 100644
--- a/logstash/pipelines/zeek/13_zeek_normalize.conf
+++ b/logstash/pipelines/zeek/13_zeek_normalize.conf
@@ -825,16 +825,30 @@ filter {
               merge => { "[event][result]" => "[zeek][ldap_search][result_code]" } }
   }
   if ([zeek][modbus]) {
-    # result comes from exception, but if exception is missing and we have a func, then assume success
     if ([zeek][modbus][exception]) {
+      # we have an exception, so set that as result
       mutate { id => "mutate_merge_normalize_zeek_modbus_exception"
-               merge => { "[event][result]" => "[zeek][modbus][exception]" } }
-    } else if ([zeek][modbus][func]) {
+               merge => { "[event][result]" => "[zeek][modbus][exception]" } }
+    } else if ([zeek][modbus][func]) and
+              (([zeek][modbus][network_direction] != "response") or (!([zeek][modbus][func] =~ /EXCEPTION$/))) {
+      # no exception, but... we have a func, so just assume "Success"
       mutate { id => "mutate_add_field_zeek_modbus_success"
               add_field => { "[@metadata][zeek_modbus_result]" => "Success" } }
       mutate { id => "mutate_merge_field_zeek_modbus_success"
               merge => { "[event][result]" => "[@metadata][zeek_modbus_result]" } }
     }
+    if ([zeek][modbus][network_direction] == "response") and ([zeek][modbus][func] =~ /EXCEPTION$/) {
+      # direction is "response" and func ends in EXCEPTION, so also set that as result
+      mutate { id => "mutate_merge_normalize_zeek_modbus_exception_func_response"
+               merge => { "[event][result]" => "[zeek][modbus][func]" } }
+      # and, for cross-referencing purposes, store the part before _EXCEPTION in action as well
+      mutate { id => "mutate_merge_normalize_modbus_func_exception_meta"
+               merge => { "[@metadata][modbus_func_exception]" => "[zeek][modbus][func]" } }
+      mutate { id => "mutate_gsub_normalize_zeek_modbus_exception_as_action"
+               gsub => [ "[@metadata][modbus_func_exception]", "_?EXCEPTION", "" ] }
+      mutate { id => "mutate_merge_normalize_zeek_modbus_exception_as_action"
+               merge => { "[event][action]" => "[@metadata][modbus_func_exception]" } }
+    }
   }
   # result for zeek_mqtt_connect: connect_status.'Connection Accepted' -> 'Success', else connect_status
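Review bot: The gsub that derives `[@metadata][modbus_func_exception]` uses the unanchored pattern `"_?EXCEPTION"`, while the guard two lines above only admits funcs matching `/EXCEPTION$/`; anchoring it the same way, `gsub => [ "[@metadata][modbus_func_exception]", "_?EXCEPTION$", "" ]`, keeps the value copied into `[event][action]` from being altered should a func name ever contain EXCEPTION somewhere other than its end. Separately, the new `if ([zeek][modbus][network_direction] == "response") and (... =~ /EXCEPTION$/)` block sits after the exception/else-if chain rather than inside it, so an event carrying both `[zeek][modbus][exception]` and a response func ending in EXCEPTION merges both values into `[event][result]`; if that two-valued result is intended, a one-line comment such as `# note: exception and func may both be merged into event.result here` would spare the next reader the question. The enclosing `filter { ... }` block starts and ends outside the hunk.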