-
Notifications
You must be signed in to change notification settings - Fork 0
/
DVM.conf
executable file
·333 lines (327 loc) · 15.4 KB
/
DVM.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
filter {
clone {
clones => ["dvm"]
add_tag => ["dvm"]
}
}
filter {
if "dvm" in [tags] {
json {
source => "message"
target => "jsonMessage"
}
if [module] == "ossec" {
mutate {
add_field => {
"[jsonMessage][category]" => "%{module}"
"[jsonMessage][message]" => "%{[jsonMessage][location]}"
}
}
}
else if [module] == "suricata" {
mutate {
rename => { "[jsonMessage][alert][category]" => "[jsonMessage][rule_type]" }
rename => { "[jsonMessage][alert][rule]" => "[jsonMessage][rule]" }
rename => { "[jsonMessage][alert][signature]" => "[jsonMessage][signature]" }
rename => { "[jsonMessage][alert][severity]" => "[jsonMessage][severity]" }
rename => { "[jsonMessage][alert][action]" => "[jsonMessage][action]" }
rename => { "[jsonMessage][src_ip]" => "[jsonMessage][ip_src]" }
rename => { "[jsonMessage][dest_ip]" => "[jsonMessage][ip_dest]" }
rename => { "[jsonMessage][proto]" => "[jsonMessage][protocol]" }
rename => { "[jsonMessage][sid]" => "[jsonMessage][security_id]" }
gsub => [ "[jsonMessage][timestamp]", "\.\d{6}\+0000$", "+0000" ]
add_field => {
"[jsonMessage][category]" => "%{module}"
"[jsonMessage][message]" => "%{[jsonMessage][rule]} - %{[jsonMessage][action]}"
}
}
}
else {
if "dataset" {
mutate {
add_field => {
"[jsonMessage][category]" => "%{dataset}"
}
}
}
else {
mutate {
add_field => {
"[jsonMessage][category]" => "none"
}
}
}
}
mutate {
add_field => {
"[jsonMessage][hostname]" => "%{[host][name]}"
}
}
}
}
filter {
if "dvm" in [tags] {
mutate {
convert => { "[jsonMessage][ts]" => "integer" }
}
mutate {
convert => { "[jsonMessage][ts]" => "string" }
}
mutate {
rename => { "[jsonMessage][ts]" => "[jsonMessage][timestamp]" }
}
if [jsonMessage][category] == "files" {
mutate {
replace => { "[jsonMessage][ip_src]" => "%{[jsonMessage][tx_hosts]}" }
replace => { "[jsonMessage][ip_dest]" => "%{[jsonMessage][rx_hosts]}" }
}
mutate {
add_field => { "[jsonMessage][message]" => "%{[jsonMessage][category]} from %{[jsonMessage][ip_src]} to %{[jsonMessage][ip_dest]}" }
rename => { "[jsonMessage][conn_uids]" => "[jsonMessage][connection_uids]" }
rename => { "[jsonMessage][analyzers]" => "[jsonMessage][file_analyzers]" }
rename => { "[jsonMessage][mime_type]" => "[jsonMessage][file_mime_types]" }
rename => { "[jsonMessage][filename]" => "[jsonMessage][file_name]" }
rename => { "[jsonMessage][md5]" => "[jsonMessage][file_md5]" }
rename => { "[jsonMessage][timedout]" => "[jsonMessage][timed_out]" }
remove_field => [ "[jsonMessage][rx_hosts]", "[jsonMessage][tx_hosts]" ]
}
}
if [jsonMessage][category] in ["conn", "dns", "ssl", "http"] {
mutate {
rename => { "[jsonMessage][id.orig_h]" => "[jsonMessage][ip_src]" }
rename => { "[jsonMessage][id.orig_p]" => "[jsonMessage][src_port]" }
rename => { "[jsonMessage][id.resp_h]" => "[jsonMessage][ip_dest]" }
rename => { "[jsonMessage][id.resp_p]" => "[jsonMessage][dest_port]" }
rename => { "[jsonMessage][proto]" => "[jsonMessage][protocol]" }
}
}
if [jsonMessage][category] == "conn" {
if [jsonMessage][service] {
mutate {
add_field => { "[jsonMessage][message]" => "%{[jsonMessage][service]} connection from %{[jsonMessage][ip_src]} to %{[jsonMessage][ip_dest]}:%{[jsonMessage][dest_port]}" }
}
} else {
mutate {
add_field => { "[jsonMessage][message]" => "%{[jsonMessage][protocol]} connection from %{[jsonMessage][ip_src]} to %{[jsonMessage][ip_dest]}:%{[jsonMessage][dest_port]}" }
}
}
mutate {
rename => { "[jsonMessage][orig_bytes]" => "[jsonMessage][sent_bytes]" }
rename => { "[jsonMessage][resp_bytes]" => "[jsonMessage][received_bytes]" }
rename => { "[jsonMessage][conn_state]" => "[jsonMessage][connection_state]" }
rename => { "[jsonMessage][local_resp]" => "[jsonMessage][connection_respond]" }
rename => { "[jsonMessage][orig_pkts]" => "[jsonMessage][connection_sent_packets]" }
rename => { "[jsonMessage][orig_ip_bytes]" => "[jsonMessage][connection_sent_ip_bytes]" }
rename => { "[jsonMessage][resp_pkts]" => "[jsonMessage][connection_response_packets]" }
rename => { "[jsonMessage][resp_ip_bytes]" => "[jsonMessage][connection_response_ip_bytes]" }
rename => { "[jsonMessage][orig_cc]" => "[jsonMessage][src_country_code]" }
rename => { "[jsonMessage][resp_cc]" => "[jsonMessage][dest_country_code]" }
}
}
if [jsonMessage][category] == "dns" {
mutate {
add_field => { "[jsonMessage][message]" => "DNS query of \"%{[jsonMessage][query]}\"" }
}
mutate {
rename => { "[jsonMessage][qtype]" => "[jsonMessage][dns_qtype]" }
rename => { "[jsonMessage][qclass]" => "[jsonMessage][dns_qclass]" }
rename => { "[jsonMessage][qtype_name]" => "[jsonMessage][dns_qtype_name]" }
rename => { "[jsonMessage][qclass_name]" => "[jsonMessage][dns_qclass_name]" }
rename => { "[jsonMessage][query]" => "[jsonMessage][dns_query]" }
rename => { "[jsonMessage][RD]" => "[jsonMessage][dns_recursion_desired]" }
rename => { "[jsonMessage][RA]" => "[jsonMessage][dns_recursion_available]" }
rename => { "[jsonMessage][AA]" => "[jsonMessage][dns_authoritative]" }
rename => { "[jsonMessage][rejected]" => "[jsonMessage][dns_rejected]" }
rename => { "[jsonMessage][trans_id]" => "[jsonMessage][dns_transaction_id]" }
}
}
else if [jsonMessage][category] == "ssl" {
mutate {
add_field => { "[jsonMessage][message]" => "%{[jsonMessage][category]} from %{[jsonMessage][ip_src]} to %{[jsonMessage][ip_dest]}" }
}
mutate {
rename => { "[jsonMessage][cipher]" => "[jsonMessage][ssl_cipher]" }
rename => { "[jsonMessage][curve]" => "[jsonMessage][ssl_curve]" }
rename => { "[jsonMessage][subject]" => "[jsonMessage][ssl_subject]" }
rename => { "[jsonMessage][version]" => "[jsonMessage][ssl_version]" }
rename => { "[jsonMessage][issuer]" => "[jsonMessage][ssl_issuer]" }
rename => { "[jsonMessage][validation_status]" => "[jsonMessage][ssl_validation_status]" }
rename => { "[jsonMessage][established]" => "[jsonMessage][ssl_established]" }
rename => { "[jsonMessage][server_name]" => "[jsonMessage][ssl_server]" }
}
}
else if [jsonMessage][category] == "x509" {
mutate {
add_field => { "[jsonMessage][message]" => "SUBJECT: %{[jsonMessage][certificate.subject]} ISSUER: %{[jsonMessage][certificate.issuer]}" }
}
mutate {
rename => { "[jsonMessage][certificate.subject]" => "[jsonMessage][certificate_subject]" }
rename => { "[jsonMessage][certificate.issuer]" => "[jsonMessage][certificate_issuer]" }
rename => { "[jsonMessage][certificate.key_type]" => "[jsonMessage][certificate_key_type]" }
rename => { "[jsonMessage][certificate.key_length]" => "[jsonMessage][certificate_key_length]" }
rename => { "[jsonMessage][certificate.sig_alg]" => "[jsonMessage][certificate_signature_algorithm]" }
rename => { "[jsonMessage][certificate.not_valid_before]" => "[jsonMessage][certificate_not_valid_before]" }
rename => { "[jsonMessage][certificate.not_valid_after]" => "[jsonMessage][certificate_not_valid_after]" }
rename => { "[jsonMessage][certificate.not_valid_after]" => "[jsonMessage][certificate_not_valid_after]" }
rename => { "[jsonMessage][certificate.serial]" => "[jsonMessage][certificate_serial]" }
rename => { "[jsonMessage][certificate.version]" => "[jsonMessage][certificate_version]" }
}
}
else if [jsonMessage][category] == "http" {
if [jsonMessage][host] {
mutate {
add_field => { "[jsonMessage][message]" => "HTTP %{[jsonMessage][method]} request to %{[jsonMessage][host]}%{[jsonMessage][uri]} from %{[jsonMessage][ip_src]}" }
}
}
else {
mutate {
add_field => { "[jsonMessage][message]" => "HTTP %{[jsonMessage][method]} request to %{[jsonMessage][ip_dest]}%{[jsonMessage][uri]} from %{[jsonMessage][ip_src]}" }
}
}
mutate {
rename => { "[jsonMessage][user_agent]" => "[jsonMessage][http_user_agent]" }
rename => { "[jsonMessage][uri]" => "[jsonMessage][http_uri]" }
rename => { "[jsonMessage][status_code]" => "[jsonMessage][http_status_code]" }
rename => { "[jsonMessage][status_msg]" => "[jsonMessage][http_status_message]" }
rename => { "[jsonMessage][method]" => "[jsonMessage][http_method]" }
rename => { "[jsonMessage][request_body_len]" => "[jsonMessage][http_request_body_length]" }
rename => { "[jsonMessage][response_body_len]" => "[jsonMessage][http_response_body_length]" }
rename => { "[jsonMessage][version]" => "[jsonMessage][http_version]" }
rename => { "[jsonMessage][host]" => "[jsonMessage][http_host]" }
rename => { "[jsonMessage][tags]" => "[jsonMessage][http_tags]" }
rename => { "[jsonMessage][trans_depth]" => "[jsonMessage][http_transaction_depth]" }
}
}
else if [jsonMessage][category] == "notice" {
mutate {
rename => { "[jsonMessage][msg]" => "[jsonMessage][message]" }
rename => { "[jsonMessage][id.orig_h]" => "[jsonMessage][ip_src]" }
rename => { "[jsonMessage][id.orig_p]" => "[jsonMessage][src_port]" }
rename => { "[jsonMessage][id.resp_h]" => "[jsonMessage][ip_dest]" }
rename => { "[jsonMessage][id.resp_p]" => "[jsonMessage][dest_port]" }
rename => { "[jsonMessage][proto]" => "[jsonMessage][protocol]" }
}
}
else if [jsonMessage][category] == "weird" {
mutate {
add_field => { "[jsonMessage][message]" => "%{[jsonMessage][category]} - %{[jsonMessage][name]}" }
}
mutate {
rename => { "[jsonMessage][name]" => "[jsonMessage][event_name]" }
rename => { "[jsonMessage][certificate.issuer]" => "[jsonMessage][certificate_issuer]" }
}
}
else if [jsonMessage][category] == "dhcp" {
mutate {
add_field => { "[jsonMessage][message]" => "%{[jsonMessage][category]} - %{[jsonMessage][msg_types]}" }
}
mutate {
rename => { "[jsonMessage][name]" => "[jsonMessage][event_name]" }
rename => { "[jsonMessage][lease_time]" => "[jsonMessage][dhcp_lease_time]" }
rename => { "[jsonMessage][assigned_addr]" => "[jsonMessage][dhcp_assigned_ip]" }
rename => { "[jsonMessage][client_addr]" => "[jsonMessage][client_ip]" }
rename => { "[jsonMessage][server_addr]" => "[jsonMessage][server]" }
rename => { "[jsonMessage][host_name]" => "[jsonMessage][client_hostname]" }
rename => { "[jsonMessage][mac]" => "[jsonMessage][mac_address]" }
}
}
else if [jsonMessage][category] == "software" {
mutate {
add_field => { "[jsonMessage][message]" => "%{[jsonMessage][category]} - %{[jsonMessage][unparsed_version]}" }
}
mutate {
rename => { "[jsonMessage][name]" => "[jsonMessage][software_name]" }
rename => { "[jsonMessage][unparsed_version]" => "[jsonMessage][version]" }
rename => { "[jsonMessage][host]" => "[jsonMessage][client_ip]" }
}
}
else if [jsonMessage][category] in [ "snmp", "dpd" ] {
mutate {
add_field => { "[jsonMessage][message]" => "%{[jsonMessage][category]}" }
}
mutate {
rename => { "[jsonMessage][id.orig_h]" => "[jsonMessage][ip_src]" }
rename => { "[jsonMessage][id.orig_p]" => "[jsonMessage][src_port]" }
rename => { "[jsonMessage][id.resp_h]" => "[jsonMessage][ip_dest]" }
rename => { "[jsonMessage][id.resp_p]" => "[jsonMessage][dest_port]" }
rename => { "[jsonMessage][proto]" => "[jsonMessage][protocol]" }
}
}
else if [jsonMessage][category] == "tunnel" {
mutate {
add_field => { "[jsonMessage][message]" => "%{[jsonMessage][category]} - %{[jsonMessage][action]}" }
}
mutate {
rename => { "[jsonMessage][id.orig_h]" => "[jsonMessage][ip_src]" }
rename => { "[jsonMessage][id.orig_p]" => "[jsonMessage][src_port]" }
rename => { "[jsonMessage][id.resp_h]" => "[jsonMessage][ip_dest]" }
rename => { "[jsonMessage][id.resp_p]" => "[jsonMessage][dest_port]" }
}
}
else if [jsonMessage][category] == "smtp" {
mutate {
add_field => { "[jsonMessage][message]" => "%{[jsonMessage][category]}" }
}
mutate {
rename => { "[jsonMessage][id.orig_h]" => "[jsonMessage][ip_src]" }
rename => { "[jsonMessage][id.orig_p]" => "[jsonMessage][src_port]" }
rename => { "[jsonMessage][id.resp_h]" => "[jsonMessage][ip_dest]" }
rename => { "[jsonMessage][id.resp_p]" => "[jsonMessage][dest_port]" }
rename => { "[jsonMessage][last_reply]" => "[jsonMessage][smtp_last_reply]" }
rename => { "[jsonMessage][tls]" => "[jsonMessage][smtp_tls]" }
}
}
else if [jsonMessage][category] == "pe" {
mutate {
add_field => { "[jsonMessage][message]" => "%{[jsonMessage][category]}" }
}
mutate {
rename => { "[jsonMessage][os]" => "[jsonMessage][os_type]" }
}
}
else if [jsonMessage][category] == "ssh" {
mutate {
add_field => { "[jsonMessage][message]" => "%{[jsonMessage][category]}" }
}
mutate {
rename => { "[jsonMessage][server]" => "[jsonMessage][ssh_server]" }
rename => { "[jsonMessage][client]" => "[jsonMessage][ssh_client]" }
rename => { "[jsonMessage][version]" => "[jsonMessage][ssh_version]" }
rename => { "[jsonMessage][cipher_alg]" => "[jsonMessage][ssh_cipher_alg]" }
rename => { "[jsonMessage][auth_attempts]" => "[jsonMessage][ssh_attempts]" }
rename => { "[jsonMessage][host_key_alg]" => "[jsonMessage][ssh_host_key_alg]" }
rename => { "[jsonMessage][host_key]" => "[jsonMessage][ssh_host_key]" }
rename => { "[jsonMessage][compression_alg]" => "[jsonMessage][ssh_compression_alg]" }
rename => { "[jsonMessage][id.orig_h]" => "[jsonMessage][ip_src]" }
rename => { "[jsonMessage][id.orig_p]" => "[jsonMessage][src_port]" }
rename => { "[jsonMessage][id.resp_h]" => "[jsonMessage][ip_dest]" }
rename => { "[jsonMessage][id.resp_p]" => "[jsonMessage][dest_port]" }
}
}
else if [jsonMessage][category] == "file" {
mutate {
add_field => { "[jsonMessage][message]" => "%{[jsonMessage][request][client]}" }
}
mutate {
rename => { "[jsonMessage][os]" => "[jsonMessage][os_type]" }
}
}
}
}
filter {
if "dvm" in [tags] {
mutate {
update => { "message" => "%{jsonMessage}" }
}
}
}
output {
if "dvm" in [tags] {
syslog {
host => "DVM_IP"
port => "516"
protocol => "tcp"
rfc => "rfc5424"
}
}
}