sync with recent changes in zeek package (elastic#21155)
- always attempt community_id processor
- dnp3 reorder pipeline to be same as package

(cherry picked from commit 1932f9f)
leehinman committed Sep 18, 2020
1 parent 19590ba commit 79bc69a
Showing 59 changed files with 9 additions and 122 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -657,6 +657,7 @@ field. You can revert this change by configuring tags for the module and omittin
- Improve Suricata Eve module with `x509` ECS mappings {pull}20973[20973]
- Added new module for Zoom webhooks {pull}20414[20414]
- Add type and sub_type to panw panos fileset {pull}20912[20912]
- Always attempt community_id processor on zeek module {pull}21155[21155]

*Heartbeat*

2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/connection/config/connection.yml
Expand Up @@ -90,7 +90,6 @@ processors:
kind: event
category:
- network
{{ if .community_id }}
- if:
equals.network.transport: icmp
then:
Expand All @@ -100,7 +99,6 @@ processors:
icmp_code: zeek.connection.icmp.code
else:
community_id:
{{ end }}
- add_fields:
target: ''
fields:
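Review bot: With the `{{ if .community_id }}` guard removed, the `community_id` processor in the `else:` branch now runs for every event, including events that carry no flow tuple (source/destination ip and port, `network.transport`); the same unconditional `- community_id:` appears in the dce_rpc, dhcp, dnp3, dns, dpd, ftp, http, intel, irc, kerberos, modbus, mysql, notice, ntlm, radius, rdp, rfb and sip config sections of this commit. If the processor leaves such events untouched this is harmless, but if it reports an error when the fields are missing, filesets like intel and notice, whose records do not always describe a connection, would log a processor failure per event — worth confirming against the processor's missing-field behaviour and covering with a test fixture that has no connection fields. A comment above the processor, `# community_id runs unconditionally; events without a 5-tuple are expected to pass through unchanged`, would record the assumption for the next maintainer. The `processors:` list begins above this hunk and continues below it.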
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/connection/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/conn.log
- name: tags
default: [zeek.connection]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/connection.yml
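Review bot: Dropping the `community_id` variable from this manifest (and from the dce_rpc, dhcp, dnp3, dns, dpd, ftp, http, intel, irc, kerberos, modbus, mysql, notice, ntlm, radius, rdp and rfb manifests in this commit) silently changes behaviour for deployments that set `var.community_id: false` to opt out: depending on how Filebeat treats an undeclared fileset variable, the setting is either ignored or rejected at load time, and neither outcome is explained to the operator. The CHANGELOG entry only says the processor is always attempted; it should also state that the `community_id` fileset variable has been removed and that suppressing the field now requires dropping it after the fact (for example with a `drop_fields` processor) rather than a module setting. The `var:` list begins above this hunk.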
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml
Expand Up @@ -54,9 +54,7 @@ processors:
- connection
- protocol
- info
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/dce_rpc/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/dce_rpc.log
- name: tags
default: [zeek.dce_rpc]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/dce_rpc.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml
Expand Up @@ -116,9 +116,7 @@ processors:
- connection
- protocol
- info
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/dhcp/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/dhcp.log
- name: tags
default: [zeek.dhcp]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/dhcp.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml
Expand Up @@ -64,9 +64,7 @@ processors:
- connection
- protocol
- info
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
16 changes: 8 additions & 8 deletions x-pack/filebeat/module/zeek/dnp3/ingest/pipeline.yml
Expand Up @@ -23,14 +23,6 @@ processors:
- lowercase:
field: event.action
ignore_missing: true
- append:
field: related.ip
value: '{{source.ip}}'
if: ctx?.source?.ip != null
- append:
field: related.ip
value: '{{destination.ip}}'
if: ctx?.destination?.ip != null
- geoip:
field: destination.ip
target_field: destination.geo
Expand Down Expand Up @@ -69,6 +61,14 @@ processors:
field: destination.as.organization_name
target_field: destination.as.organization.name
ignore_missing: true
- append:
field: related.ip
value: '{{source.ip}}'
if: ctx?.source?.ip != null
- append:
field: related.ip
value: '{{destination.ip}}'
if: ctx?.destination?.ip != null
on_failure:
- set:
field: error.message
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/dnp3/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/dnp3.log
- name: tags
default: [zeek.dnp3]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/dnp3.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/dns/config/dns.yml
Expand Up @@ -193,9 +193,7 @@ processors:
- connection
- info
- protocol
{{ if .community_id }}
- community_id:
{{ end }}
- drop_fields:
ignore_missing: true
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/dns/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/dns.log
- name: tags
default: [zeek.dns]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/dns.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/dpd/config/dpd.yml
Expand Up @@ -53,9 +53,7 @@ processors:
type:
- connection
- info
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/dpd/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/dpd.log
- name: tags
default: [zeek.dpd]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/dpd.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/ftp/config/ftp.yml
Expand Up @@ -82,9 +82,7 @@ processors:
- connection
- info
- protocol
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/ftp/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/ftp.log
- name: tags
default: [zeek.ftp]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/ftp.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/http/config/http.yml
Expand Up @@ -89,9 +89,7 @@ processors:
- connection
- info
- protocol
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/http/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/http.log
- name: tags
default: [zeek.http]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/http.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/intel/config/intel.yml
Expand Up @@ -63,9 +63,7 @@ processors:
kind: alert
type:
- info
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/intel/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/intel.log
- name: tags
default: [zeek.intel]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/intel.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/irc/config/irc.yml
Expand Up @@ -68,9 +68,7 @@ processors:
- connection
- protocol
- info
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/irc/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/irc.log
- name: tags
default: [zeek.irc]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/irc.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml
Expand Up @@ -100,9 +100,7 @@ processors:
tokenizer: "%{user.name}/%{user.domain}"
field: zeek.kerberos.client
target_prefix: ""
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/kerberos/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/kerberos.log
- name: tags
default: [zeek.kerberos]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/kerberos.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/modbus/config/modbus.yml
Expand Up @@ -69,9 +69,7 @@ processors:
target: event
fields:
outcome: success
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/modbus/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/modbus.log
- name: tags
default: [zeek.modbus]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/modbus.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/mysql/config/mysql.yml
Expand Up @@ -68,9 +68,7 @@ processors:
target: event
fields:
outcome: failure
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/mysql/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/mysql.log
- name: tags
default: [zeek.mysql]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/mysql.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/notice/config/notice.yml
Expand Up @@ -100,9 +100,7 @@ processors:
- intrusion_detection
type:
- info
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/notice/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/notice.log
- name: tags
default: [zeek.notice]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/notice.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml
Expand Up @@ -82,9 +82,7 @@ processors:
target: event
fields:
outcome: failure
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/ntlm/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/ntlm.log
- name: tags
default: [zeek.ntlm]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/ntlm.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/radius/config/radius.yml
Expand Up @@ -54,9 +54,7 @@ processors:
type:
- info
- connection
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/radius/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/radius.log
- name: tags
default: [zeek.radius]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/radius.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/rdp/config/rdp.yml
Expand Up @@ -84,9 +84,7 @@ processors:
type:
- protocol
- info
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/rdp/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/rdp.log
- name: tags
default: [zeek.rdp]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/rdp.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/rfb/config/rfb.yml
Expand Up @@ -69,9 +69,7 @@ processors:
type:
- connection
- info
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields:
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/rfb/manifest.yml
Expand Up @@ -10,8 +10,6 @@ var:
- /usr/local/var/logs/current/rfb.log
- name: tags
default: [zeek.rfb]
- name: community_id
default: true

ingest_pipeline: ingest/pipeline.yml
input: config/rfb.yml
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/zeek/sip/config/sip.yml
Expand Up @@ -91,9 +91,7 @@ processors:
type:
- connection
- protocol
{{ if .community_id }}
- community_id:
{{ end }}
- add_fields:
target: ''
fields: