diff --git a/.dockerignore b/.dockerignore index f2f88aa93..7d719ba41 100644 --- a/.dockerignore +++ b/.dockerignore @@ -10,8 +10,9 @@ **/.ldap_config_defaults **/htpasswd **/malcolm_*images.tar.gz -.envrc -.direnv +**/.envrc +**/.direnv +**/.opensearch*.curlrc .trigger_workflow_build .tmp docker-compose*yml @@ -23,5 +24,6 @@ arkime-raw nginx/nginx_ldap.conf pcap scripts +!scripts/malcolm_common.py zeek-logs suricata-logs diff --git a/.gitignore b/.gitignore index 721b6a4c1..4387c2e8b 100644 --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,7 @@ # auth-related /.ldap_config_defaults /auth.env +/.opensearch*.curlrc /logstash/certs /filebeat/certs /nginx/certs diff --git a/Dockerfiles/api.Dockerfile b/Dockerfiles/api.Dockerfile index 80945ff25..66097d670 100644 --- a/Dockerfiles/api.Dockerfile +++ b/Dockerfiles/api.Dockerfile @@ -12,10 +12,11 @@ RUN apt-get update -q \ && python3 -m pip install flake8 COPY ./api /usr/src/app/ +COPY scripts/malcolm_common.py /usr/src/app/ WORKDIR /usr/src/app RUN python3 -m pip wheel --no-cache-dir --no-deps --wheel-dir /usr/src/app/wheels -r requirements.txt \ - && flake8 --ignore=E501,F401 + && flake8 --ignore=E501,F401,W503 FROM python:3-slim @@ -48,6 +49,7 @@ ARG ARKIME_INDEX_PATTERN="arkime_sessions3-*" ARG ARKIME_INDEX_TIME_FIELD="firstPacket" ARG DASHBOARDS_URL="http://dashboards:5601/dashboards" ARG OPENSEARCH_URL="http://opensearch:9200" +ARG OPENSEARCH_LOCAL=true ARG RESULT_SET_LIMIT="500" ENV HOME=/malcolm @@ -60,6 +62,7 @@ ENV ARKIME_INDEX_PATTERN $ARKIME_INDEX_PATTERN ENV ARKIME_INDEX_TIME_FIELD $ARKIME_INDEX_TIME_FIELD ENV DASHBOARDS_URL $DASHBOARDS_URL ENV OPENSEARCH_URL $OPENSEARCH_URL +ENV OPENSEARCH_LOCAL $OPENSEARCH_LOCAL ENV RESULT_SET_LIMIT $RESULT_SET_LIMIT WORKDIR "${APP_HOME}" 
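Review bot: The new `.gitignore` entry `/.opensearch*.curlrc` is root-anchored while the `.dockerignore` change in the same commit uses `**/.opensearch*.curlrc`, so the two exclusions do not cover the same set of paths. Judging by its name and its placement under `# auth-related` next to `auth.env`, this curlrc holds OpenSearch credentials for curl; if it is ever written anywhere other than the repository root, git would stage it while the build context would still exclude it. Consider the unanchored form `.opensearch*.curlrc` or `**/.opensearch*.curlrc` here for parity with `.dockerignore`.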
@@ -67,6 +70,7 @@ WORKDIR "${APP_HOME}" COPY --from=builder /usr/src/app/wheels /wheels COPY --from=builder /usr/src/app/requirements.txt . COPY ./api "${APP_HOME}" +COPY scripts/malcolm_common.py "${APP_HOME}"/ COPY shared/bin/opensearch_status.sh "${APP_HOME}"/ ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ diff --git a/Dockerfiles/arkime.Dockerfile b/Dockerfiles/arkime.Dockerfile index 319033ffc..e53887750 100644 --- a/Dockerfiles/arkime.Dockerfile +++ b/Dockerfiles/arkime.Dockerfile @@ -5,16 +5,16 @@ FROM debian:11-slim AS build ENV DEBIAN_FRONTEND noninteractive ENV ARKIME_VERSION "3.4.2" -ENV ARKIMEDIR "/opt/arkime" +ENV ARKIME_DIR "/opt/arkime" ENV ARKIME_URL "https://github.com/arkime/arkime.git" ENV ARKIME_LOCALELASTICSEARCH no ENV ARKIME_INET yes ADD arkime/scripts/bs4_remove_div.py /opt/ ADD arkime/patch/* /opt/patches/ -ADD README.md $ARKIMEDIR/doc/ -ADD docs/doc.css $ARKIMEDIR/doc/ -ADD docs/images $ARKIMEDIR/doc/images/ +ADD README.md $ARKIME_DIR/doc/ +ADD docs/doc.css $ARKIME_DIR/doc/ +ADD docs/images $ARKIME_DIR/doc/images/ RUN apt-get -q update && \ apt-get -y -q --no-install-recommends upgrade && \ 
@@ -56,24 +56,24 @@ RUN apt-get -q update && \ wget \ zlib1g-dev && \ pip3 install --no-cache-dir beautifulsoup4 && \ - cd $ARKIMEDIR/doc/images && \ + cd $ARKIME_DIR/doc/images && \ find . -name "*.png" -exec bash -c 'convert "{}" -fuzz 2% -transparent white -background white -alpha remove -strip -interlace Plane -quality 85% "{}.jpg" && rename "s/\.png//" "{}.jpg"' \; && \ - cd $ARKIMEDIR/doc && \ + cd $ARKIME_DIR/doc && \ sed -i "s/^# Malcolm$//" README.md && \ sed -i '/./,$!d' README.md && \ sed -i "s/.png/.jpg/g" README.md && \ sed -i "s@docs/images@images@g" README.md && \ sed -i 's/\!\[.*\](.*\/badge.svg)//g' README.md && \ - pandoc -s --self-contained --metadata title="Malcolm README" --css $ARKIMEDIR/doc/doc.css -o $ARKIMEDIR/doc/README.html $ARKIMEDIR/doc/README.md && \ + pandoc -s --self-contained --metadata title="Malcolm README" --css $ARKIME_DIR/doc/doc.css -o $ARKIME_DIR/doc/README.html $ARKIME_DIR/doc/README.md && \ cd /opt && \ git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules --no-tags --branch="v$ARKIME_VERSION" "$ARKIME_URL" "./arkime-"$ARKIME_VERSION && \ cd "./arkime-"$ARKIME_VERSION && \ bash -c 'for i in /opt/patches/*; do patch -p 1 -r - --no-backup-if-mismatch < $i || true; done' && \ - find $ARKIMEDIR/doc/images/screenshots -name "*.png" -delete && \ - export PATH="$ARKIMEDIR/bin:${PATH}" && \ - ln -sfr $ARKIMEDIR/bin/npm /usr/local/bin/npm && \ - ln -sfr $ARKIMEDIR/bin/node /usr/local/bin/node && \ - ln -sfr $ARKIMEDIR/bin/npx /usr/local/bin/npx && \ + find $ARKIME_DIR/doc/images/screenshots -name "*.png" -delete && \ + export PATH="$ARKIME_DIR/bin:${PATH}" && \ + ln -sfr $ARKIME_DIR/bin/npm /usr/local/bin/npm && \ + ln -sfr $ARKIME_DIR/bin/node /usr/local/bin/node && \ + ln -sfr $ARKIME_DIR/bin/npx /usr/local/bin/npx && \ python3 /opt/bs4_remove_div.py -i ./viewer/vueapp/src/components/users/Users.vue -o ./viewer/vueapp/src/components/users/Users.new -c "new-user-form" && \ mv -vf 
./viewer/vueapp/src/components/users/Users.new ./viewer/vueapp/src/components/users/Users.vue && \ sed -i 's/v-if.*password.*"/v-if="false"/g' ./viewer/vueapp/src/components/settings/Settings.vue && \ @@ -84,8 +84,8 @@ RUN apt-get -q update && \ npm -g config set user root && \ make install && \ npm cache clean --force && \ - rm -f ${ARKIMEDIR}/wiseService/source.* && \ - bash -c "file ${ARKIMEDIR}/bin/* ${ARKIMEDIR}/node-v*/bin/* | grep 'ELF 64-bit' | sed 's/:.*//' | xargs -l -r strip -v --strip-unneeded" + rm -f ${ARKIME_DIR}/wiseService/source.* && \ + bash -c "file ${ARKIME_DIR}/bin/* ${ARKIME_DIR}/node-v*/bin/* | grep 'ELF 64-bit' | sed 's/:.*//' | xargs -l -r strip -v --strip-unneeded" FROM debian:11-slim @@ -109,8 +109,8 @@ ENV PUSER_PRIV_DROP true ENV DEBIAN_FRONTEND noninteractive ENV TERM xterm -ARG OS_HOST=opensearch -ARG OS_PORT=9200 +ARG OPENSEARCH_URL="http://opensearch:9200" +ARG OPENSEARCH_LOCAL=true ARG MALCOLM_USERNAME=admin ARG ARKIME_ECS_PROVIDER=arkime ARG ARKIME_ECS_DATASET=session @@ -128,16 +128,15 @@ ARG PCAP_MONITOR_HOST=pcap-monitor ARG MAXMIND_GEOIP_DB_LICENSE_KEY="" # Declare envs vars for each arg -ENV OS_HOST $OS_HOST -ENV OS_PORT $OS_PORT -ENV ARKIME_ELASTICSEARCH "http://"$OS_HOST":"$OS_PORT +ENV OPENSEARCH_URL $OPENSEARCH_URL +ENV OPENSEARCH_LOCAL $OPENSEARCH_LOCAL ENV ARKIME_INTERFACE $ARKIME_INTERFACE ENV MALCOLM_USERNAME $MALCOLM_USERNAME # this needs to be present, but is unused as nginx is going to handle auth for us ENV ARKIME_PASSWORD "ignored" ENV ARKIME_ECS_PROVIDER $ARKIME_ECS_PROVIDER ENV ARKIME_ECS_DATASET $ARKIME_ECS_DATASET -ENV ARKIMEDIR "/opt/arkime" +ENV ARKIME_DIR "/opt/arkime" ENV ARKIME_ANALYZE_PCAP_THREADS $ARKIME_ANALYZE_PCAP_THREADS ENV WISE $WISE ENV VIEWER $VIEWER 
@@ -147,7 +146,7 @@ ENV PCAP_PIPELINE_DEBUG $PCAP_PIPELINE_DEBUG ENV PCAP_PIPELINE_DEBUG_EXTRA $PCAP_PIPELINE_DEBUG_EXTRA ENV PCAP_MONITOR_HOST $PCAP_MONITOR_HOST -COPY --from=build $ARKIMEDIR $ARKIMEDIR +COPY --from=build $ARKIME_DIR $ARKIME_DIR RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.list && \ apt-get -q update && \ @@ -181,9 +180,9 @@ RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.l wget \ tar gzip unzip cpio bzip2 lzma xz-utils p7zip-full unrar zlib1g && \ pip3 install --no-cache-dir beautifulsoup4 pyzmq && \ - ln -sfr $ARKIMEDIR/bin/npm /usr/local/bin/npm && \ - ln -sfr $ARKIMEDIR/bin/node /usr/local/bin/node && \ - ln -sfr $ARKIMEDIR/bin/npx /usr/local/bin/npx && \ + ln -sfr $ARKIME_DIR/bin/npm /usr/local/bin/npm && \ + ln -sfr $ARKIME_DIR/bin/node /usr/local/bin/node && \ + ln -sfr $ARKIME_DIR/bin/npx /usr/local/bin/npx && \ apt-get -q -y --purge remove gcc gcc-10 cpp cpp-10 libssl-dev && \ apt-get -q -y autoremove && \ apt-get clean && \ @@ -194,9 +193,10 @@ ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ ADD arkime/scripts /opt/ ADD shared/bin/pcap_processor.py /opt/ ADD shared/bin/pcap_utils.py /opt/ +ADD scripts/malcolm_common.py /opt/ ADD shared/bin/opensearch_status.sh /opt/ -ADD arkime/etc $ARKIMEDIR/etc/ -ADD arkime/wise/source.*.js $ARKIMEDIR/wiseService/ +ADD arkime/etc $ARKIME_DIR/etc/ +ADD arkime/wise/source.*.js $ARKIME_DIR/wiseService/ ADD arkime/supervisord.conf /etc/supervisord.conf # MaxMind now requires a (free) license key to download the free versions of 
@@ -208,29 +208,30 @@ RUN [ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ] && for DB in ASN Country City; do cd /tmp && \ curl -s -S -L -o "GeoLite2-$DB.mmdb.tar.gz" "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-$DB&license_key=$MAXMIND_GEOIP_DB_LICENSE_KEY&suffix=tar.gz" && \ tar xf "GeoLite2-$DB.mmdb.tar.gz" --wildcards --no-anchored '*.mmdb' --strip=1 && \ - mkdir -p $ARKIMEDIR/etc/ $ARKIMEDIR/logs/ && \ - mv -v "GeoLite2-$DB.mmdb" $ARKIMEDIR/etc/; \ + mkdir -p $ARKIME_DIR/etc/ $ARKIME_DIR/logs/ && \ + mv -v "GeoLite2-$DB.mmdb" $ARKIME_DIR/etc/; \ rm -f "GeoLite2-$DB*"; \ done; \ - curl -s -S -L -o $ARKIMEDIR/etc/ipv4-address-space.csv "https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv" && \ - curl -s -S -L -o $ARKIMEDIR/etc/oui.txt "https://raw.githubusercontent.com/wireshark/wireshark/master/manuf" + curl -s -S -L -o $ARKIME_DIR/etc/ipv4-address-space.csv "https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv" && \ + curl -s -S -L -o $ARKIME_DIR/etc/oui.txt "https://raw.githubusercontent.com/wireshark/wireshark/master/manuf" RUN groupadd --gid $DEFAULT_GID $PGROUP && \ - useradd -M --uid $DEFAULT_UID --gid $DEFAULT_GID --home $ARKIMEDIR $PUSER && \ + useradd -M --uid $DEFAULT_UID --gid $DEFAULT_GID --home $ARKIME_DIR $PUSER && \ usermod -a -G tty $PUSER && \ chmod 755 /opt/*.sh && \ ln -sfr /opt/pcap_processor.py /opt/pcap_arkime_processor.py && \ - cp -f /opt/arkime_update_geo.sh $ARKIMEDIR/bin/arkime_update_geo.sh && \ - chmod u+s $ARKIMEDIR/bin/capture && \ + cp -f /opt/arkime_update_geo.sh $ARKIME_DIR/bin/arkime_update_geo.sh && \ + mv $ARKIME_DIR/etc/config.ini $ARKIME_DIR/etc/config.orig.ini && \ + chmod u+s $ARKIME_DIR/bin/capture && \ mkdir -p /var/run/arkime && \ - chown -R $PUSER:$PGROUP $ARKIMEDIR/etc $ARKIMEDIR/logs /var/run/arkime + chown -R $PUSER:$PGROUP $ARKIME_DIR/etc $ARKIME_DIR/logs /var/run/arkime #Update Path -ENV PATH="/opt:$ARKIMEDIR/bin:${PATH}" +ENV 
PATH="/opt:$ARKIME_DIR/bin:${PATH}" EXPOSE 8000 8005 8081 -WORKDIR $ARKIMEDIR +WORKDIR $ARKIME_DIR -ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh"] +ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh", "/opt/docker_entrypoint.sh"] CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"] diff --git a/Dockerfiles/dashboards-helper.Dockerfile b/Dockerfiles/dashboards-helper.Dockerfile index e1e4ff587..e33a09288 100644 --- a/Dockerfiles/dashboards-helper.Dockerfile +++ b/Dockerfiles/dashboards-helper.Dockerfile @@ -25,6 +25,7 @@ ARG ARKIME_INDEX_PATTERN_ID="arkime_sessions3-*" ARG ARKIME_INDEX_TIME_FIELD="firstPacket" ARG CREATE_OS_ARKIME_SESSION_INDEX="true" ARG OPENSEARCH_URL="http://opensearch:9200" +ARG OPENSEARCH_LOCAL=true ARG ISM_SNAPSHOT_COMPRESSED=false ARG ISM_SNAPSHOT_REPO=logs ARG OFFLINE_REGION_MAPS_PORT="28991" @@ -36,6 +37,7 @@ ENV ARKIME_INDEX_PATTERN_ID $ARKIME_INDEX_PATTERN_ID ENV ARKIME_INDEX_TIME_FIELD $ARKIME_INDEX_TIME_FIELD ENV CREATE_OS_ARKIME_SESSION_INDEX $CREATE_OS_ARKIME_SESSION_INDEX ENV OPENSEARCH_URL $OPENSEARCH_URL +ENV OPENSEARCH_LOCAL $OPENSEARCH_LOCAL ENV ISM_SNAPSHOT_COMPRESSED $ISM_SNAPSHOT_COMPRESSED ENV ISM_SNAPSHOT_REPO $ISM_SNAPSHOT_REPO ENV OFFLINE_REGION_MAPS_PORT $OFFLINE_REGION_MAPS_PORT @@ -63,10 +65,11 @@ ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ ADD shared/bin/opensearch_status.sh /data/ ADD shared/bin/opensearch_index_size_prune.py /data/ ADD shared/bin/opensearch_read_only.py /data/ +ADD scripts/malcolm_common.py /data/ RUN apk update --no-cache && \ apk upgrade --no-cache && \ - apk --no-cache add bash python3 py3-pip curl procps psmisc npm shadow jq && \ + apk --no-cache add bash python3 py3-pip curl openssl procps psmisc npm shadow jq && \ npm install -g http-server && \ pip3 install supervisor humanfriendly requests && \ curl -fsSLO "$SUPERCRONIC_URL" && \ diff --git a/Dockerfiles/dashboards.Dockerfile b/Dockerfiles/dashboards.Dockerfile index d001144e5..8f1da5051 100644 
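Review bot: The added `mv $ARKIME_DIR/etc/config.ini $ARKIME_DIR/etc/config.orig.ini` means the live config.ini is now produced at container start by the new `/opt/docker_entrypoint.sh`, which is not part of this diff; with OPENSEARCH_URL now able to point at a remote cluster, that generated file will presumably carry the OpenSearch endpoint and whatever credentials go with it, so the entrypoint should create it with a restrictive mode (e.g. `umask 077` before writing, or `chmod 600` afterwards) rather than whatever the default umask yields. The same RUN keeps `chmod u+s $ARKIME_DIR/bin/capture` and `chown -R $PUSER:$PGROUP $ARKIME_DIR/etc`, so a setuid-root binary is presumably reading a config file that the unprivileged service user can rewrite; that was already true before this change, but a runtime-generated config makes it worth stating in the Dockerfile. Suggested comment above the `mv`: `# config.ini is (re)generated from config.orig.ini by docker_entrypoint.sh at startup; it may contain remote OpenSearch credentials, so the entrypoint must write it 0600`.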
--- a/Dockerfiles/dashboards.Dockerfile +++ b/Dockerfiles/dashboards.Dockerfile @@ -14,10 +14,10 @@ ENV PGROUP "dashboarder" ENV TERM xterm -ARG OPENSEARCH_VERSION="2.1.0" +ARG OPENSEARCH_VERSION="2.2.1" ENV OPENSEARCH_VERSION $OPENSEARCH_VERSION -ARG OPENSEARCH_DASHBOARDS_VERSION="2.1.0" +ARG OPENSEARCH_DASHBOARDS_VERSION="2.2.1" ENV OPENSEARCH_DASHBOARDS_VERSION $OPENSEARCH_DASHBOARDS_VERSION # base system dependencies for checking out and building plugins @@ -68,7 +68,7 @@ RUN eval "$(nodenv init -)" && \ # runtime ################################################################## -FROM opensearchproject/opensearch-dashboards:2.1.0 +FROM opensearchproject/opensearch-dashboards:2.2.1 LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' @@ -90,6 +90,7 @@ ENV PUSER_PRIV_DROP true ENV TERM xterm ARG OPENSEARCH_URL="http://opensearch:9200" +ARG OPENSEARCH_LOCAL="true" ARG CREATE_OS_ARKIME_SESSION_INDEX="true" ARG ARKIME_INDEX_PATTERN="arkime_sessions3-*" ARG ARKIME_INDEX_PATTERN_ID="arkime_sessions3-*" @@ -104,6 +105,7 @@ ENV ARKIME_INDEX_TIME_FIELD $ARKIME_INDEX_TIME_FIELD ENV OPENSEARCH_DEFAULT_DASHBOARD $OPENSEARCH_DEFAULT_DASHBOARD ENV PATH="/data:${PATH}" ENV OPENSEARCH_URL $OPENSEARCH_URL +ENV OPENSEARCH_LOCAL $OPENSEARCH_LOCAL ENV NODE_OPTIONS $NODE_OPTIONS USER root @@ -111,7 +113,7 @@ USER root COPY --from=build /usr/share/opensearch-dashboards/plugins/sankey_vis/build/kbnSankeyVis.zip /tmp/kbnSankeyVis.zip RUN yum upgrade -y && \ - yum install -y curl psmisc util-linux zip unzip && \ + yum install -y curl psmisc util-linux openssl python3 zip unzip && \ usermod -a -G tty ${PUSER} && \ # Malcolm manages authentication and encryption via NGINX reverse proxy /usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards --allow-root && \ 
@@ -121,8 +123,10 @@ RUN yum upgrade -y && \ yum clean all && \ rm -rf /var/cache/yum -ADD dashboards/opensearch_dashboards.yml /usr/share/opensearch-dashboards/config/opensearch_dashboards.yml +ADD dashboards/opensearch_dashboards.yml /usr/share/opensearch-dashboards/config/opensearch_dashboards.orig.yml ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ +ADD dashboards/scripts/docker_entrypoint.sh /usr/local/bin/ +ADD scripts/malcolm_common.py /usr/local/bin/ # Yeah, I know about https://opensearch.org/docs/latest/dashboards/branding ... but I can't figure out a way # to specify the entries in the opensearch_dashboards.yml such that they are valid BOTH from the @@ -138,7 +142,7 @@ ADD docs/images/favicon/favicon32.png /usr/share/opensearch-dashboards/src/core/ ADD docs/images/favicon/apple-touch-icon-precomposed.png /usr/share/opensearch-dashboards/src/core/server/core_app/assets/favicons/apple-touch-icon.png -ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh"] +ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh", "/usr/local/bin/docker_entrypoint.sh"] CMD ["/usr/share/opensearch-dashboards/opensearch-dashboards-docker-entrypoint.sh"] diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile index df51fef88..c58ff360f 100644 --- a/Dockerfiles/file-monitor.Dockerfile +++ b/Dockerfiles/file-monitor.Dockerfile 
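Review bot: Shipping the dashboards config as `opensearch_dashboards.orig.yml` and generating the real file via the new `docker_entrypoint.sh` (added here, but its contents are not in this diff) means the runtime `opensearch_dashboards.yml` is where `opensearch.username`/`opensearch.password` and any TLS settings for a remote cluster will presumably land, since the `securityDashboards` plugin is removed in the RUN above and authentication is delegated to NGINX. The generated file should be written 0600 and owned by `${PUSER}` so it is not readable by other processes in the container, and the Dockerfile should say so next to the `.orig.yml` ADD, e.g. `# opensearch_dashboards.yml is generated from this template by docker_entrypoint.sh at startup (may contain remote OpenSearch credentials - keep it 0600)`. If the entrypoint only templates in values from the environment, documenting that contract here also tells the next maintainer not to edit the generated file by hand.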
@@ -75,12 +75,12 @@ ENV EXTRACTED_FILE_ENABLE_CAPA $EXTRACTED_FILE_ENABLE_CAPA ENV EXTRACTED_FILE_CAPA_VERBOSE $EXTRACTED_FILE_CAPA_VERBOSE ENV SRC_BASE_DIR "/usr/local/src" ENV CLAMAV_RULES_DIR "/var/lib/clamav" -ENV YARA_VERSION "4.2.2" +ENV YARA_VERSION "4.2.3" ENV YARA_URL "https://github.com/VirusTotal/yara/archive/v${YARA_VERSION}.tar.gz" ENV YARA_RULES_URL "https://github.com/Neo23x0/signature-base" ENV YARA_RULES_DIR "/yara-rules" ENV YARA_RULES_SRC_DIR "$SRC_BASE_DIR/signature-base" -ENV CAPA_VERSION "3.2.0" +ENV CAPA_VERSION "4.0.1" ENV CAPA_URL "https://github.com/fireeye/capa/releases/download/v${CAPA_VERSION}/capa-v${CAPA_VERSION}-linux.zip" ENV CAPA_DIR "/opt/capa" ENV CAPA_BIN "${CAPA_DIR}/capa" diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index 172b0aa1a..d80e5c426 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile @@ -39,6 +39,8 @@ ARG FILEBEAT_NGINX_LOG_PATH="/nginx" ARG LOG_CLEANUP_MINUTES=0 ARG ZIP_CLEANUP_MINUTES=0 ARG NGINX_LOG_ACCESS_AND_ERRORS=false +ARG OPENSEARCH_URL="http://opensearch:9200" +ARG OPENSEARCH_LOCAL=true ARG FILEBEAT_TCP_LISTEN=false ARG FILEBEAT_TCP_PORT=5045 ARG FILEBEAT_TCP_LOG_FORMAT="raw" @@ -64,7 +66,7 @@ USER root RUN yum install -y epel-release && \ yum upgrade -y && \ - yum install -y curl inotify-tools file psmisc tar gzip unzip cpio bzip2 lzma xz p7zip p7zip-plugins unar python3-setuptools python3-pip && \ + yum install -y curl inotify-tools file psmisc tar gzip unzip cpio bzip2 lzma xz openssl p7zip p7zip-plugins unar python3-setuptools python3-pip && \ yum clean all && \ ln -sr /usr/sbin/fuser /bin/fuser && \ python3 -m pip install patool entrypoint2 pyunpack python-magic ordered-set supervisor && \ 
@@ -79,6 +81,7 @@ ADD filebeat/filebeat.yml /usr/share/filebeat/filebeat.yml ADD filebeat/filebeat-nginx.yml /usr/share/filebeat-nginx/filebeat-nginx.yml ADD filebeat/filebeat-tcp.yml /usr/share/filebeat-tcp/filebeat-tcp.yml ADD filebeat/scripts /usr/local/bin/ +ADD scripts/malcolm_common.py /usr/local/bin/ ADD shared/bin/opensearch_status.sh /usr/local/bin/ ADD filebeat/supervisord.conf /etc/supervisord.conf RUN for INPUT in nginx tcp; do \ @@ -107,6 +110,8 @@ ENV FILEBEAT_ZEEK_LOG_LIVE_PATH $FILEBEAT_ZEEK_LOG_LIVE_PATH ENV FILEBEAT_SURICATA_LOG_PATH $FILEBEAT_SURICATA_LOG_PATH ENV FILEBEAT_NGINX_LOG_PATH $FILEBEAT_NGINX_LOG_PATH ENV NGINX_LOG_ACCESS_AND_ERRORS $NGINX_LOG_ACCESS_AND_ERRORS +ENV OPENSEARCH_URL $OPENSEARCH_URL +ENV OPENSEARCH_LOCAL $OPENSEARCH_LOCAL ENV FILEBEAT_TCP_LISTEN $FILEBEAT_TCP_LISTEN ENV FILEBEAT_TCP_PORT $FILEBEAT_TCP_PORT ENV FILEBEAT_TCP_LOG_FORMAT $FILEBEAT_TCP_LOG_FORMAT diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index 63a485051..b28be1137 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile @@ -105,6 +105,7 @@ ADD logstash/pipelines/ /usr/share/logstash/malcolm-pipelines/ ADD logstash/patterns/ /usr/share/logstash/malcolm-patterns/ ADD logstash/ruby/ /usr/share/logstash/malcolm-ruby/ ADD logstash/scripts /usr/local/bin/ +ADD scripts/malcolm_common.py /usr/local/bin/ ADD logstash/supervisord.conf /etc/supervisord.conf RUN bash -c "chmod --silent 755 /usr/local/bin/*.sh /usr/local/bin/*.py || true" && \ diff --git a/Dockerfiles/name-map-ui.Dockerfile b/Dockerfiles/name-map-ui.Dockerfile index 042620386..2c832f4d2 100644 --- a/Dockerfiles/name-map-ui.Dockerfile +++ b/Dockerfiles/name-map-ui.Dockerfile 
@@ -28,7 +28,7 @@ RUN apk update --no-cache && \ apk upgrade --no-cache && \ apk --no-cache add bash php8 php8-fpm php8-mysqli php8-json php8-openssl php8-curl php8-fileinfo \ php8-zlib php8-xml php8-phar php8-intl php8-dom php8-xmlreader php8-ctype php8-session \ - php8-mbstring php8-gd nginx supervisor curl inotify-tools file psmisc shadow + php8-mbstring php8-gd nginx supervisor curl inotify-tools file psmisc shadow openssl COPY name-map-ui/config/nginx.conf /etc/nginx/nginx.conf COPY name-map-ui/config/fpm-pool.conf /etc/php8/php-fpm.d/www.conf diff --git a/Dockerfiles/opensearch.Dockerfile b/Dockerfiles/opensearch.Dockerfile index 11b4a15bb..74c5b757e 100644 --- a/Dockerfiles/opensearch.Dockerfile +++ b/Dockerfiles/opensearch.Dockerfile @@ -1,4 +1,4 @@ -FROM opensearchproject/opensearch:2.1.0 +FROM opensearchproject/opensearch:2.2.1 # Copyright (c) 2022 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" @@ -21,6 +21,9 @@ ENV PUSER_PRIV_DROP true ENV TERM xterm +ARG OPENSEARCH_LOCAL=true +ENV OPENSEARCH_LOCAL $OPENSEARCH_LOCAL + ARG MALCOLM_API_URL="http://api:5000/event" ENV MALCOLM_API_URL $MALCOLM_API_URL 
@@ -40,19 +43,19 @@ RUN yum install -y openssl util-linux procps && \ echo -e 'cluster.name: "docker-cluster"\nnetwork.host: 0.0.0.0\nbootstrap.memory_lock: true' > /usr/share/opensearch/config/opensearch.yml && \ sed -i "s/#[[:space:]]*\([0-9]*-[0-9]*:-XX:-\(UseConcMarkSweepGC\|UseCMSInitiatingOccupancyOnly\)\)/\1/" /usr/share/opensearch/config/jvm.options && \ sed -i "s/^[0-9][0-9]*\(-:-XX:\(+UseG1GC\|G1ReservePercent\|InitiatingHeapOccupancyPercent\)\)/$($OPENSEARCH_JAVA_HOME/bin/java -version 2>&1 | grep version | awk '{print $3}' | tr -d '\"' | cut -d. -f1)\1/" /usr/share/opensearch/config/jvm.options && \ - mkdir -p /usr/share/opensearch/ca-trust && \ - chown -R $PUSER:$PGROUP /usr/share/opensearch/config/opensearch.yml /usr/share/opensearch/ca-trust && \ + mkdir -p /var/local/ca-trust && \ + chown -R $PUSER:$PGROUP /usr/share/opensearch/config/opensearch.yml /var/local/ca-trust && \ sed -i "s/^\([[:space:]]*\)\([^#].*performance-analyzer-agent-cli\)/\1# \2/" /usr/share/opensearch/opensearch-docker-entrypoint.sh && \ sed -i '/^[[:space:]]*[^#].*runOpensearch.*/i /usr/local/bin/jdk-cacerts-auto-import.sh || true' /usr/share/opensearch/opensearch-docker-entrypoint.sh -# just used for initial keystore creation ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ ADD shared/bin/jdk-cacerts-auto-import.sh /usr/local/bin/ +ADD shared/bin/service_check_passthrough.sh /usr/local/bin/docker-entrypoint.sh -VOLUME ["/usr/share/opensearch/ca-trust"] +VOLUME ["/var/local/ca-trust"] -ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh"] +ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh", "/usr/local/bin/docker-entrypoint.sh"] CMD ["/usr/share/opensearch/opensearch-docker-entrypoint.sh"] diff --git a/Dockerfiles/pcap-capture.Dockerfile b/Dockerfiles/pcap-capture.Dockerfile index c179313d9..2b948b650 100644 --- a/Dockerfiles/pcap-capture.Dockerfile +++ b/Dockerfiles/pcap-capture.Dockerfile 
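Review bot: The `sed -i '/^[[:space:]]*[^#].*runOpensearch.*/i /usr/local/bin/jdk-cacerts-auto-import.sh || true'` line relies on an unanchored pattern in the upstream `opensearch-docker-entrypoint.sh`, and this same commit bumps the base image from 2.1.0 to 2.2.1; if upstream ever renames `runOpensearch` the sed becomes a silent no-op, the CA import never runs, and certificates dropped into the `/var/local/ca-trust` volume (the mechanism that lets TLS to a remote cluster verify against a private CA) stop being trusted with no build-time signal. Add a build-time assertion at the end of the RUN so the image fails to build instead, e.g. `&& grep -q 'jdk-cacerts-auto-import.sh' /usr/share/opensearch/opensearch-docker-entrypoint.sh`. The trailing `|| true` also hides import failures at runtime; if the script does not log on its own, consider `|| echo "WARNING: CA certificate import failed" >&2` so a mis-mounted volume is visible in the container logs. Moving the VOLUME from `/usr/share/opensearch/ca-trust` to `/var/local/ca-trust` also changes the bind-mount target that any existing docker-compose.yml references (compose files are excluded from the build context), which deserves a comment on the VOLUME line or a release note.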
@@ -65,6 +65,7 @@ RUN apt-get -q update && \ ethtool \ libcap2-bin \ netsniff-ng \ + openssl \ procps \ psmisc \ supervisor \ diff --git a/Dockerfiles/pcap-monitor.Dockerfile b/Dockerfiles/pcap-monitor.Dockerfile index 434cac0af..e1422505d 100644 --- a/Dockerfiles/pcap-monitor.Dockerfile +++ b/Dockerfiles/pcap-monitor.Dockerfile @@ -25,6 +25,7 @@ ENV DEBIAN_FRONTEND noninteractive ENV TERM xterm ARG OPENSEARCH_URL="http://opensearch:9200" +ARG OPENSEARCH_LOCAL=true ARG PCAP_PATH=/pcap ARG PCAP_PIPELINE_DEBUG=false ARG PCAP_PIPELINE_DEBUG_EXTRA=false @@ -33,6 +34,7 @@ ARG PCAP_NODE_NAME=malcolm ARG ZEEK_PATH=/zeek ENV OPENSEARCH_URL $OPENSEARCH_URL +ENV OPENSEARCH_LOCAL $OPENSEARCH_LOCAL ENV PCAP_PATH $PCAP_PATH ENV PCAP_PIPELINE_DEBUG $PCAP_PIPELINE_DEBUG ENV PCAP_PIPELINE_DEBUG_EXTRA $PCAP_PIPELINE_DEBUG_EXTRA @@ -65,6 +67,7 @@ ADD pcap-monitor/supervisord.conf /etc/supervisord.conf ADD pcap-monitor/scripts/ /usr/local/bin/ ADD shared/bin/pcap_watcher.py /usr/local/bin/ ADD shared/bin/pcap_utils.py /usr/local/bin/ +ADD scripts/malcolm_common.py /usr/local/bin/ EXPOSE 30441 diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile index 9abe3ccbf..39f6c287a 100644 --- a/Dockerfiles/zeek.Dockerfile +++ b/Dockerfiles/zeek.Dockerfile @@ -31,7 +31,7 @@ ENV PUSER_PRIV_DROP false # for download and install ARG ZEEK_LTS= -ARG ZEEK_VERSION=5.0.0-0 +ARG ZEEK_VERSION=5.0.1-0 ENV ZEEK_LTS $ZEEK_LTS ENV ZEEK_VERSION $ZEEK_VERSION 
@@ -164,7 +164,7 @@ ADD shared/bin/nic-capture-setup.sh /usr/local/bin/ # sanity checks to make sure the plugins installed and copied over correctly # these ENVs should match the number of third party scripts/plugins installed by zeek_install_plugins.sh ENV ZEEK_THIRD_PARTY_PLUGINS_COUNT 22 -ENV ZEEK_THIRD_PARTY_PLUGINS_GREP "(Zeek::Spicy|ANALYZER_SPICY_DHCP|ANALYZER_SPICY_DNS|ANALYZER_SPICY_HTTP|ANALYZER_SPICY__OSPF|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SPICY_LDAP_TCP|ANALYZER_SPICY_GENISYS_TCP|Corelight::CommunityID|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|ICSNPP::OPCUA_Binary|Salesforce::GQUIC|Zeek::PROFINET|Zeek::S7comm|Zeek::TDS)" +ENV ZEEK_THIRD_PARTY_PLUGINS_GREP "(Zeek::Spicy|ANALYZER_SPICY_DHCP|ANALYZER_SPICY_DNS|ANALYZER_SPICY_HTTP|ANALYZER_SPICY__OSPF|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SPICY_LDAP_TCP|ANALYZER_SPICY_GENISYS_TCP|ANALYZER_S7COMM_TCP|Corelight::CommunityID|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|ICSNPP::OPCUA_Binary|Salesforce::GQUIC|Zeek::PROFINET|Zeek::TDS)" ENV ZEEK_THIRD_PARTY_SCRIPTS_COUNT 22 ENV ZEEK_THIRD_PARTY_SCRIPTS_GREP "(bzar/main|callstranger-detector/callstranger|cve-2020-0601/cve-2020-0601|cve-2020-13777/cve-2020-13777|CVE-2020-16898/CVE-2020-16898|CVE-2021-38647/omigod|CVE-2021-31166/detect|CVE-2021-41773/CVE_2021_41773|CVE-2021-42292/main|cve-2021-44228/CVE_2021_44228|cve-2022-22954/main|cve-2022-26809/main|hassh/hassh|http-more-files-names/main|ja3/ja3|pingback/detect|ripple20/ripple20|SIGRed/CVE-2020-1350|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-sniffpass/__load__|zerologon/main)\.(zeek|bro)" diff --git a/README.md b/README.md index bdec9b11a..d77187a4b 100644 --- a/README.md +++ b/README.md 
@@ -39,6 +39,8 @@ You can help steer Malcolm's development by sharing your ideas and feedback. Ple * [macOS host system configuration](#HostSystemConfigMac) * [Windows host system configuration](#HostSystemConfigWindows) * [Running Malcolm](#Running) + * [OpenSearch instances](#OpenSearchInstance) + * [Authentication and authorization for remote OpenSearch clusters](#OpenSearchAuth) * [Configure authentication](#AuthSetup) * [Local account management](#AuthBasicAccountManagement) * [Lightweight Directory Access Protocol (LDAP) authentication](#AuthLDAP) @@ -95,6 +97,7 @@ You can help steer Malcolm's development by sharing your ideas and feedback. Ple - ["Best Guess" Fingerprinting for ICS Protocols](#ICSBestGuess) - [API](#API) + [Examples](#APIExamples) +* [Ingesting Third-party Logs](#ThirdPartyLogs) * [Malcolm installer ISO](#ISO) * [Installation](#ISOInstallation) * [Generating the ISO](#ISOBuild) 
@@ -181,23 +184,23 @@ You can then observe that the images have been retrieved by running `docker imag ``` $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -malcolmnetsec/api 6.2.0 xxxxxxxxxxxx 3 days ago 158MB -malcolmnetsec/arkime 6.2.0 xxxxxxxxxxxx 3 days ago 816MB -malcolmnetsec/dashboards 6.2.0 xxxxxxxxxxxx 3 days ago 1.02GB -malcolmnetsec/dashboards-helper 6.2.0 xxxxxxxxxxxx 3 days ago 184MB -malcolmnetsec/filebeat-oss 6.2.0 xxxxxxxxxxxx 3 days ago 624MB -malcolmnetsec/file-monitor 6.2.0 xxxxxxxxxxxx 3 days ago 588MB -malcolmnetsec/file-upload 6.2.0 xxxxxxxxxxxx 3 days ago 259MB -malcolmnetsec/freq 6.2.0 xxxxxxxxxxxx 3 days ago 132MB -malcolmnetsec/htadmin 6.2.0 xxxxxxxxxxxx 3 days ago 242MB -malcolmnetsec/logstash-oss 6.2.0 xxxxxxxxxxxx 3 days ago 1.35GB -malcolmnetsec/name-map-ui 6.2.0 xxxxxxxxxxxx 3 days ago 143MB -malcolmnetsec/nginx-proxy 6.2.0 xxxxxxxxxxxx 3 days ago 121MB -malcolmnetsec/opensearch 6.2.0 xxxxxxxxxxxx 3 days ago 1.17GB -malcolmnetsec/pcap-capture 6.2.0 xxxxxxxxxxxx 3 days ago 121MB -malcolmnetsec/pcap-monitor 6.2.0 xxxxxxxxxxxx 3 days ago 213MB -malcolmnetsec/suricata 6.2.0 xxxxxxxxxxxx 3 days ago 278MB -malcolmnetsec/zeek 6.2.0 xxxxxxxxxxxx 3 days ago 1GB +malcolmnetsec/api 6.3.0 xxxxxxxxxxxx 3 days ago 158MB +malcolmnetsec/arkime 6.3.0 xxxxxxxxxxxx 3 days ago 816MB +malcolmnetsec/dashboards 6.3.0 xxxxxxxxxxxx 3 days ago 1.02GB +malcolmnetsec/dashboards-helper 6.3.0 xxxxxxxxxxxx 3 days ago 184MB +malcolmnetsec/filebeat-oss 6.3.0 xxxxxxxxxxxx 3 days ago 624MB +malcolmnetsec/file-monitor 6.3.0 xxxxxxxxxxxx 3 days ago 588MB +malcolmnetsec/file-upload 6.3.0 xxxxxxxxxxxx 3 days ago 259MB +malcolmnetsec/freq 6.3.0 xxxxxxxxxxxx 3 days ago 132MB +malcolmnetsec/htadmin 6.3.0 xxxxxxxxxxxx 3 days ago 242MB +malcolmnetsec/logstash-oss 6.3.0 xxxxxxxxxxxx 3 days ago 1.35GB +malcolmnetsec/name-map-ui 6.3.0 xxxxxxxxxxxx 3 days ago 143MB +malcolmnetsec/nginx-proxy 6.3.0 xxxxxxxxxxxx 3 days ago 121MB +malcolmnetsec/opensearch 6.3.0 xxxxxxxxxxxx 3 
days ago 1.17GB +malcolmnetsec/pcap-capture 6.3.0 xxxxxxxxxxxx 3 days ago 121MB +malcolmnetsec/pcap-monitor 6.3.0 xxxxxxxxxxxx 3 days ago 213MB +malcolmnetsec/suricata 6.3.0 xxxxxxxxxxxx 3 days ago 278MB +malcolmnetsec/zeek 6.3.0 xxxxxxxxxxxx 3 days ago 1GB ``` #### Import from pre-packaged tarballs 
@@ -327,7 +330,7 @@ Malcolm uses [Zeek](https://docs.zeek.org/en/stable/script-reference/proto-analy |Remote Authentication Dial-In User Service (RADIUS)|[๐Ÿ”—](https://en.wikipedia.org/wiki/RADIUS)|[๐Ÿ”—](https://tools.ietf.org/html/rfc2865)|[โœ“](https://github.com/arkime/arkime/blob/master/capture/parsers/radius.c)|[โœ“](https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info)| |Remote Desktop Protocol (RDP)|[๐Ÿ”—](https://en.wikipedia.org/wiki/Remote_Desktop_Protocol)|[๐Ÿ”—](https://docs.microsoft.com/en-us/windows/win32/termserv/remote-desktop-protocol?redirectedfrom=MSDN)||[โœ“](https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info)| |Remote Framebuffer (RFB)|[๐Ÿ”—](https://en.wikipedia.org/wiki/RFB_protocol)|[๐Ÿ”—](https://tools.ietf.org/html/rfc6143)||[โœ“](https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info)| -|S7comm / Connection Oriented Transport Protocol (COTP)|[๐Ÿ”—](https://wiki.wireshark.org/S7comm) [๐Ÿ”—](https://wiki.wireshark.org/COTP)|[๐Ÿ”—](https://support.industry.siemens.com/cs/document/26483647/what-properties-advantages-and-special-features-does-the-s7-protocol-offer-?dti=0&lc=en-WW) [๐Ÿ”—](https://www.ietf.org/rfc/rfc0905.txt)||[โœ“](https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek)| +|S7comm / Connection Oriented Transport Protocol (COTP)|[๐Ÿ”—](https://wiki.wireshark.org/S7comm) [๐Ÿ”—](https://wiki.wireshark.org/COTP)|[๐Ÿ”—](https://support.industry.siemens.com/cs/document/26483647/what-properties-advantages-and-special-features-does-the-s7-protocol-offer-?dti=0&lc=en-WW) [๐Ÿ”—](https://www.ietf.org/rfc/rfc0905.txt)||[โœ“](https://github.com/cisagov/icsnpp-s7comm)| |Secure Shell 
(SSH)|[๐Ÿ”—](https://en.wikipedia.org/wiki/Secure_Shell)|[๐Ÿ”—](https://tools.ietf.org/html/rfc4253)|[โœ“](https://github.com/arkime/arkime/blob/master/capture/parsers/ssh.c)|[โœ“](https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info)| |Secure Sockets Layer (SSL) / Transport Layer Security (TLS)|[๐Ÿ”—](https://en.wikipedia.org/wiki/Transport_Layer_Security)|[๐Ÿ”—](https://tools.ietf.org/html/rfc5246)|[โœ“](https://github.com/arkime/arkime/blob/master/capture/parsers/socks.c)|[โœ“](https://docs.zeek.org/en/stable/scripts/base/protocols/ssl/main.zeek.html#type-SSL::Info)| |Session Initiation Protocol (SIP)|[๐Ÿ”—](https://en.wikipedia.org/wiki/Session_Initiation_Protocol)|[๐Ÿ”—](https://tools.ietf.org/html/rfc3261)||[โœ“](https://docs.zeek.org/en/stable/scripts/base/protocols/sip/main.zeek.html#type-SIP::Info)| 
@@ -436,19 +439,21 @@ Alternately, if you have forked Malcolm on GitHub, [workflow files](./.github/wo $ ./scripts/malcolm_appliance_packager.sh You must set a username and password for Malcolm, and self-signed X.509 certificates will be generated -Store administrator username/password for local Malcolm access? (Y/n): +Store administrator username/password for local Malcolm access? (Y/n): y Administrator username: analyst -analyst password: -analyst password (again): +analyst password: +analyst password (again): + +(Re)generate self-signed certificates for HTTPS access (Y/n): y -(Re)generate self-signed certificates for HTTPS access (Y/n): +(Re)generate self-signed certificates for a remote log forwarder (Y/n): y -(Re)generate self-signed certificates for a remote log forwarder (Y/n): +Store username/password for primary remote OpenSearch instance? (y/N): n -Store username/password for forwarding Logstash events to a secondary, external OpenSearch instance (y/N): +Store username/password for secondary remote OpenSearch instance? (y/N): n -Store username/password for email alert sender account (y/N): +Store username/password for email alert sender account? (y/N): n Packaged Malcolm to "/home/user/tmp/malcolm_20190513_101117_f0d052c.tar.gz" 
@@ -529,7 +534,7 @@ Various other environment variables inside of `docker-compose.yml` can be tweake * `ARKIME_ANALYZE_PCAP_THREADS` โ€“ the number of threads available to Arkime for analyzing PCAP files (default `1`) * `AUTO_TAG` โ€“ if set to `true`, Malcolm will automatically create Arkime sessions and Zeek logs with tags based on the filename, as described in [Tagging](#Tagging) (default `true`) -* `BEATS_SSL` โ€“ if set to `true`, Logstash will use require encrypted communications for any external [Beats](https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html)-based forwarders from which it will accept logs; if Malcolm is being used as a standalone tool then this can safely be set to `false`, but if external log feeds are to be accepted then setting it to true is recommended (default `false`) +* `BEATS_SSL` โ€“ if set to `true`, Logstash will use require encrypted communications for any external [Beats](https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html)-based forwarders from which it will accept logs (default `true`) * `CONNECTION_SECONDS_SEVERITY_THRESHOLD` - when [severity scoring](#Severity) is enabled, this variable indicates the duration threshold (in seconds) for assigning severity to long connections (default `3600`) * `EXTRACTED_FILE_CAPA_VERBOSE` โ€“ if set to `true`, all Capa rule hits will be logged; otherwise (`false`) only [MITRE ATT&CKยฎ technique](https://attack.mitre.org/techniques) classifications will be logged * `EXTRACTED_FILE_ENABLE_CAPA` โ€“ if set to `true`, [Zeek-extracted files](#ZeekFileExtraction) that are determined to be PE (portable executable) files will be scanned with [Capa](https://github.com/fireeye/capa) 
@@ -549,12 +554,15 @@ Various other environment variables inside of `docker-compose.yml` can be tweake * `LOGSTASH_SEVERITY_SCORING` - if set to `true`, Logstash will perform [severity scoring](#Severity) when analyzing Zeek logs (default `true`) * `MANAGE_PCAP_FILES` โ€“ if set to `true`, all PCAP files imported into Malcolm will be marked as available for deletion by Arkime if available storage space becomes too low (default `false`) * `MAXMIND_GEOIP_DB_LICENSE_KEY` - Malcolm uses MaxMind's free GeoLite2 databases for GeoIP lookups. As of December 30, 2019, these databases are [no longer available](https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/) for download via a public URL. Instead, they must be downloaded using a MaxMind license key (available without charge [from MaxMind](https://www.maxmind.com/en/geolite2/signup)). The license key can be specified here for GeoIP database downloads during build- and run-time. +* `OPENSEARCH_LOCAL` - if set to `true`, Malcolm will use its own internal [OpenSearch instance](#OpenSearchInstance) (default `true`) +* `OPENSEARCH_URL` - when using Malcolm's internal OpenSearch instance (i.e., `OPENSEARCH_LOCAL` is `true`) this should be `http://opensearch:9200`, otherwise this value specifies the primary remote instance URL in the format `protocol://host:port` (default `http://opensearch:9200`) +* `OPENSEARCH_SSL_CERTIFICATE_VERIFICATION` - if set to `true`, connections to the primary remote OpenSearch instance will require full TLS certificate validation (this may fail if using self-signed certificates) (default `false`) +* `OPENSEARCH_SECONDARY` - if set to `true`, Malcolm will forward logs to a secondary remote OpenSearch instance in addition to the primary (local or remote) OpenSearch instance (default `false`) +* `OPENSEARCH_SECONDARY_URL` - when forwarding to a secondary remote OpenSearch instance (i.e., `OPENSEARCH_SECONDARY` is `true`) this value specifies the secondary 
remote instance URL in the format `protocol://host:port` +* `OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION` - if set to `true`, connections to the secondary remote OpenSearch instance will require full TLS certificate validation (this may fail if using self-signed certificates) (default `false`) * `NGINX_BASIC_AUTH` - if set to `true`, use [TLS-encrypted HTTP basic](#AuthBasicAccountManagement) authentication (default); if set to `false`, use [Lightweight Directory Access Protocol (LDAP)](#AuthLDAP) authentication * `NGINX_LOG_ACCESS_AND_ERRORS` - if set to `true`, all access to Malcolm via its [web interfaces](#UserInterfaceURLs) will be logged to OpenSearch (default `false`) * `NGINX_SSL` - if set to `true`, require HTTPS connections to Malcolm's `nginx-proxy` container (default); if set to `false`, use unencrypted HTTP connections (using unsecured HTTP connections is **NOT** recommended unless you are running Malcolm behind another reverse proxy like Traefik, Caddy, etc.) -* `OS_EXTERNAL_HOSTS` โ€“ if specified (in the format `'10.0.0.123:9200'`), logs received by Logstash will be forwarded on to another external OpenSearch instance in addition to the one maintained locally by Malcolm -* `OS_EXTERNAL_SSL_CERTIFICATE_VERIFICATION` โ€“ if set to `true`, Logstash will require full TLS certificate validation; this may fail if using self-signed certificates (default `false`) -* `OS_EXTERNAL_SSL` โ€“ if set to `true`, Logstash will use HTTPS for the connection to external OpenSearch instances specified in `OS_EXTERNAL_HOSTS` * `PCAP_ENABLE_NETSNIFF` โ€“ if set to `true`, Malcolm will capture network traffic on the local network interface(s) indicated in `PCAP_IFACE` using [netsniff-ng](http://netsniff-ng.org/) * `PCAP_ENABLE_TCPDUMP` โ€“ if set to `true`, Malcolm will capture network traffic on the local network interface(s) indicated in `PCAP_IFACE` using [tcpdump](https://www.tcpdump.org/); there is no reason to enable *both* `PCAP_ENABLE_NETSNIFF` and 
`PCAP_ENABLE_TCPDUMP` * `PCAP_FILTER` โ€“ specifies a tcpdump-style filter expression for local packet capture; leave blank to capture all traffic 
@@ -564,7 +572,7 @@ Various other environment variables inside of `docker-compose.yml` can be tweake * `PCAP_ROTATE_MINUTES` โ€“ used to specify a time interval (in minutes) after which a locally-captured PCAP file will be closed for processing and a new PCAP file created * `pipeline.workers`, `pipeline.batch.size` and `pipeline.batch.delay` - these settings are used to tune the performance and resource utilization of the the `logstash` container; see [Tuning and Profiling Logstash Performance](https://www.elastic.co/guide/en/logstash/current/tuning-logstash.html), [`logstash.yml`](https://www.elastic.co/guide/en/logstash/current/logstash-settings-file.html) and [Multiple Pipelines](https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html) * `PUID` and `PGID` - Docker runs all of its containers as the privileged `root` user by default. For better security, Malcolm immediately drops to non-privileged user accounts for executing internal processes wherever possible. The `PUID` (**p**rocess **u**ser **ID**) and `PGID` (**p**rocess **g**roup **ID**) environment variables allow Malcolm to map internal non-privileged user accounts to a corresponding [user account](https://en.wikipedia.org/wiki/User_identifier) on the host. -* `QUESTIONABLE_COUNTRY_CODES` - when [severity scoring](#Severity) is enabled, this variable defines a comma-separated list of countries of concern (using [ISO 3166-1 alpha-2 codes](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Current_codes)) (default `'CN,IR,KP,RU,UA'`) +* `SENSITIVE_COUNTRY_CODES` - when [severity scoring](#Severity) is enabled, this variable defines a comma-separated list of sensitive countries (using [ISO 3166-1 alpha-2 codes](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Current_codes)) (default `'AM,AZ,BY,CN,CU,DZ,GE,HK,IL,IN,IQ,IR,KG,KP,KZ,LY,MD,MO,PK,RU,SD,SS,SY,TJ,TM,TW,UA,UZ'`, taken from the U.S. 
Department of Energy Sensitive Country List) * `SURICATA_AUTO_ANALYZE_PCAP_FILES` โ€“ if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Suricata, and the resulting logs will also be imported (default `false`) * `SURICATA_AUTO_ANALYZE_PCAP_THREADS` โ€“ the number of threads available to Malcolm for analyzing Suricata logs (default `1`) * `SURICATA_CUSTOM_RULES_ONLY` โ€“ if set to `true`, Malcolm will bypass the default [Suricata ruleset](https://github.com/OISF/suricata/tree/master/rules) and use only user-defined rules (`./suricata/rules/*.rules`). 
@@ -576,7 +584,7 @@ Various other environment variables inside of `docker-compose.yml` can be tweake * `VTOT_API2_KEY` โ€“ used to specify a [VirusTotal Public API v.20](https://www.virustotal.com/en/documentation/public-api/) key, which, if specified, will be used to submit hashes of [Zeek-extracted files](#ZeekFileExtraction) to VirusTotal * `ZEEK_AUTO_ANALYZE_PCAP_FILES` โ€“ if set to `true`, all PCAP files imported into Malcolm will automatically be analyzed by Zeek, and the resulting logs will also be imported (default `false`) * `ZEEK_AUTO_ANALYZE_PCAP_THREADS` โ€“ the number of threads available to Malcolm for analyzing Zeek logs (default `1`) -* `ZEEK_DISABLE_...` - if set to any non-blank value, each of these variables can be used to disable a certain Zeek function when it analyzes PCAP files (for example, setting `ZEEK_DISABLE_LOG_PASSWORDS` to `true` to disable logging of cleartext passwords) +* `ZEEK_DISABLE_โ€ฆ` - if set to any non-blank value, each of these variables can be used to disable a certain Zeek function when it analyzes PCAP files (for example, setting `ZEEK_DISABLE_LOG_PASSWORDS` to `true` to disable logging of cleartext passwords) * `ZEEK_DISABLE_BEST_GUESS_ICS` - see ["Best Guess" Fingerprinting for ICS Protocols](#ICSBestGuess) * `ZEEK_EXTRACTOR_MODE` โ€“ determines the file extraction behavior for file transfers detected by Zeek; see [Automatic file extraction and scanning](#ZeekFileExtraction) for more details * `ZEEK_INTEL_FEED_SINCE` - when querying a [TAXII](#ZeekIntelSTIX) or [MISP](#ZeekIntelMISP) feed, only process threat indicators that have been created or modified since the time represented by this value; it may be either a fixed date/time (`01/01/2021`) or relative interval (`30 days ago`) 
@@ -673,7 +681,7 @@ blockdev --setra 512 /dev/sda * Change the I/O scheduler to `deadline` or `noop`. Again, this can be done in a variety of ways. The simplest is to add `elevator=deadline` to the arguments in `GRUB_CMDLINE_LINUX` in `/etc/default/grub`, then running `sudo update-grub2` -* If you are planning on using very large data sets, consider formatting the drive containing `opensearch` volume as XFS. +* If you are planning on using very large data sets, consider formatting the drive containing the `opensearch` volume as XFS. After making all of these changes, do a reboot for good measure! 
@@ -733,6 +741,85 @@ Once Docker is installed, configured and running as described in the previous se ## Running Malcolm +### OpenSearch instances + +Malcolm's default standalone configuration is to use a local [OpenSearch](https://opensearch.org/) instance in a Docker container to index and search network traffic metadata. OpenSearch can also run as a [cluster](https://opensearch.org/docs/latest/opensearch/cluster/) with instances distributed across multiple nodes with dedicated [roles](https://opensearch.org/docs/latest/opensearch/cluster/#nodes) like cluster manager, data node, ingest node, etc. + +As the permutations of OpenSearch cluster configurations are numerous, it is beyond Malcolm's scope to set up multi-node clusters. However, Malcolm can be configured to use a remote OpenSearch cluster rather than its own internal instance. + +The `OPENSEARCH_โ€ฆ` [environment variables in `docker-compose.yml`](#DockerComposeYml) control whether Malcolm uses its own local OpenSearch instance or a remote OpenSearch instance as its primary data store. The configuration portion of Malcolm install script ([`./scripts/install.py --configure`](#ConfigAndTuning)) can help you configure these options. + +For example, to use the default standalone configuration, answer `Y` when prompted `Should Malcolm use and maintain its own OpenSearch instance?`. + +Or, to use a remote OpenSearch cluster: + +``` +โ€ฆ +Should Malcolm use and maintain its own OpenSearch instance? (Y/n): n + +Enter primary remote OpenSearch connection URL (e.g., https://192.168.1.123:9200): https://192.168.1.123:9200 + +Require SSL certificate validation for communication with primary OpenSearch instance? (y/N): n + +You must run auth_setup after install.py to store OpenSearch connection credentials. 
+โ€ฆ +``` + +Whether the primary OpenSearch instance is a locally maintained single-node instance or is a remote cluster, Malcolm can be configured additionally forward logs to a secondary remote OpenSearch instance. The `OPENSEARCH_SECONDARY_โ€ฆ` [environment variables in `docker-compose.yml`](#DockerComposeYml) control this behavior. Configuration of a remote secondary OpenSearch instance is similar to that of a remote primary OpenSearch instance: + + +``` +โ€ฆ +Forward Logstash logs to a secondary remote OpenSearch instance? (y/N): y + +Enter secondary remote OpenSearch connection URL (e.g., https://192.168.1.123:9200): https://192.168.1.124:9200 + +Require SSL certificate validation for communication with secondary OpenSearch instance? (y/N): n + +You must run auth_setup after install.py to store OpenSearch connection credentials. +โ€ฆ +``` + +#### Authentication and authorization for remote OpenSearch clusters + +In addition to setting the environment variables in [`docker-compose.yml`](#DockerComposeYml) as described above, you must provide Malcolm with credentials for it to be able to communicate with remote OpenSearch instances. These credentials are stored in the Malcolm installation directory as `.opensearch.primary.curlrc` and `.opensearch.secondary.curlrc` for the primary and secondary OpenSearch connections, respectively, and are bind mounted into the Docker containers which need to communicate with OpenSearch. These [cURL-formatted](https://everything.curl.dev/cmdline/configfile) config files can be generated for you by the [`auth_setup`](#AuthSetup) script as illustrated: + +``` +$ ./scripts/auth_setup + +โ€ฆ + +Store username/password for primary remote OpenSearch instance? (y/N): y + +OpenSearch username: servicedb +servicedb password: +servicedb password (again): + +Require SSL certificate validation for OpenSearch communication? (Y/n): n + +Store username/password for secondary remote OpenSearch instance? 
(y/N): y + +OpenSearch username: remotedb +remotedb password: +remotedb password (again): + +Require SSL certificate validation for OpenSearch communication? (Y/n): n + +โ€ฆ +``` + +These files are created with permissions such that only the user account running Malcolm can access them: + +``` +$ ls -la .opensearch.*.curlrc +-rw------- 1 user user 36 Aug 22 14:17 .opensearch.primary.curlrc +-rw------- 1 user user 35 Aug 22 14:18 .opensearch.secondary.curlrc +``` + +One caveat with Malcolm using a remote OpenSearch cluster as its primary document store is that the accounts used to access Malcolm's [web interfaces](#UserInterfaceURLs), particularly [OpenSearch Dashboards](#Dashboards), are in some instance passed directly through to OpenSearch itself. For this reason, both Malcolm and the remote primary OpenSearch instance must have the same account information. The easiest way to accomplish this is to use an Active Directory/LDAP server that both [Malcolm](#AuthLDAP) and [OpenSearch](https://opensearch.org/docs/latest/security-plugin/configuration/ldap/) use as a common authentication backend. + +See the OpenSearch documentation on [access control](https://opensearch.org/docs/latest/security-plugin/access-control/index/) for more information. + ### Configure authentication Malcolm requires authentication to access the [user interface](#UserInterfaceURLs). [Nginx](https://nginx.org/) can authenticate users with either local TLS-encrypted HTTP basic authentication or using a remote Lightweight Directory Access Protocol (LDAP) authentication server. 
@@ -751,8 +838,6 @@ In either case, you **must** run `./scripts/auth_setup` before starting Malcolm * specify whether or not to (re)generate the self-signed certificates used by a remote log forwarder (see the `BEATS_SSL` environment variable above) * certificate authority, certificate, and key files for Malcolm's Logstash instance are located in the `logstash/certs/` directory * certificate authority, certificate, and key files to be copied to and used by the remote log forwarder are located in the `filebeat/certs/` directory; if using [Hedgehog Linux](#Hedgehog), these certificates should be copied to the `/opt/sensor/sensor_ctl/logstash-client-certificates` directory on the sensor -* specify whether or not to store the username/password for forwarding Logstash events to a secondary, external OpenSearch instance (see the `OS_EXTERNAL_HOSTS`, `OS_EXTERNAL_SSL`, and `OS_EXTERNAL_SSL_CERTIFICATE_VERIFICATION` environment variables above) - * these parameters are stored securely in the Logstash keystore file `logstash/certs/logstash.keystore` * specify whether or not to [store the username/password](https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors/#authenticate-sender-account) for [email alert senders](https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors/#create-destinations) * these parameters are stored securely in the OpenSearch keystore file `opensearch/opensearch.keystore` 
@@ -1241,11 +1326,11 @@ OpenSearch Dashboards supports two query syntaxes: the legacy [Lucene](https://w | Field does not exist |`event.dataset != EXISTS!`|`NOT _exists_:event.dataset`|`NOT event.dataset:*`| | Field matches a value |`port.dst == 22`|`destination.port:22`|`destination.port:22`| | Field does not match a value |`port.dst != 22`|`NOT destination.port:22`|`NOT destination.port:22`| -| Field matches at least one of a list of values |`tags == [external_source, external_destination]`|`tags:(external_source OR external_destination)`|`tags:(external_source or external_destination)`| +| Field matches at least one of a list of values |`tags == [foo, bar]`|`tags:(foo OR bar)`|`tags:(foo or bar)`| | Field range (inclusive) |`http.statuscode >= 200 && http.statuscode <= 300`|`http.statuscode:[200 TO 300]`|`http.statuscode >= 200 and http.statuscode <= 300`| | Field range (exclusive) |`http.statuscode > 200 && http.statuscode < 300`|`http.statuscode:{200 TO 300}`|`http.statuscode > 200 and http.statuscode < 300`| | Field range (mixed exclusivity) |`http.statuscode >= 200 && http.statuscode < 300`|`http.statuscode:[200 TO 300}`|`http.statuscode >= 200 and http.statuscode < 300`| -| Match all search terms (AND) |`(tags == [external_source, external_destination]) && (http.statuscode == 401)`|`tags:(external_source OR external_destination) AND http.statuscode:401`|`tags:(external_source or external_destination) and http.statuscode:401`| +| Match all search terms (AND) |`(tags == [foo, bar]) && (http.statuscode == 401)`|`tags:(foo OR bar) AND http.statuscode:401`|`tags:(foo or bar) and http.statuscode:401`| | Match any search terms (OR) |`(zeek.ftp.password == EXISTS!) || (zeek.http.password == EXISTS!) 
|| (related.user == "anonymous")`|`_exists_:zeek.ftp.password OR _exists_:zeek.http.password OR related.user:"anonymous"`|`zeek.ftp.password:* or zeek.http.password:* or related.user:"anonymous"`| | Global string search (anywhere in the document) |all Arkime search expressions are field-based|`microsoft`|`microsoft`| | Wildcards|`host.dns == "*micro?oft*"` (`?` for single character, `*` for any characters)|`dns.host:*micro?oft*` (`?` for single character, `*` for any characters)|`dns.host:*micro*ft*` (`*` for any characters)| @@ -1335,7 +1420,7 @@ The `EXTRACTED_FILE_PRESERVATION` [environment variable in `docker-compose.yml`] * `all`: preserve flagged files in `./zeek-logs/extract_files/quarantine` and all other extracted files in `./zeek-logs/extract_files/preserved` * `none`: preserve no extracted files -The `EXTRACTED_FILE_HTTP_SERVER_...` [environment variables in `docker-compose.yml`](#DockerComposeYml) configure access to the Zeek-extracted files path through the means of a simple HTTPS directory server. Beware that Zeek-extracted files may contain malware. As such, the files may be optionally encrypted upon download. +The `EXTRACTED_FILE_HTTP_SERVER_โ€ฆ` [environment variables in `docker-compose.yml`](#DockerComposeYml) configure access to the Zeek-extracted files path through the means of a simple HTTPS directory server. Beware that Zeek-extracted files may contain malware. As such, the files may be optionally encrypted upon download. ### Automatic host and subnet name assignment 
@@ -1440,8 +1525,8 @@ As Zeek logs are parsed and enriched prior to indexing, a severity score up to ` * cross-segment network traffic (if [network subnets were defined](#HostAndSubnetNaming)) * connection origination and destination (e.g., inbound, outbound, external, internal) -* traffic to or from countries of concern - - The comma-separated list of countries (by [ISO 3166-1 alpha-2 code](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Current_codes)) can be customized by setting the `QUESTIONABLE_COUNTRY_CODES` environment variable in [`docker-compose.yml`](#DockerComposeYml). +* traffic to or from sensitive countries + - The comma-separated list of countries (by [ISO 3166-1 alpha-2 code](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Current_codes)) can be customized by setting the `SENSITIVE_COUNTRY_CODES` environment variable in [`docker-compose.yml`](#DockerComposeYml). * domain names (from DNS queries and SSL server names) with high entropy as calculated by [freq](https://github.com/MarkBaggett/freq) - The entropy threshold for this condition to trigger can be adjusted by setting the `FREQ_SEVERITY_THRESHOLD` environment variable in [`docker-compose.yml`](#DockerComposeYml). A lower value will only assign severity scores to fewer domain names with higher entropy (e.g., `2.0` for `NQZHTFHRMYMTVBQJE.COM`), while a higher value will assign severity scores to more domain names with lower entropy (e.g., `7.5` for `naturallanguagedomain.example.org`). * file transfers (categorized by mime type) 
@@ -1570,11 +1655,11 @@ Store administrator username/password for local Malcolm access? (Y/n): n (Re)generate self-signed certificates for a remote log forwarder (Y/n): n -Store username/password for forwarding Logstash events to a secondary, external OpenSearch instance (y/N): n +Store username/password for primary remote OpenSearch instance? (y/N): n -Store username/password for email alert sender account (y/N): y +Store username/password for secondary remote OpenSearch instance? (y/N): n -OpenSearch alerting destination name: destination_alpha +Store username/password for email alert sender account? (y/N): y Email account username: analyst@example.org analyst@example.org password: @@ -3252,7 +3337,7 @@ $ curl -k -u username -L -XPOST -H 'Content-Type: application/json' \ }, { "doc_count": 1985, - "key": "Country of concern" + "key": "Sensitive country" }, { "doc_count": 760, 
@@ -3396,6 +3481,22 @@ A webhook that accepts alert data to be reindexed into OpenSearch as session rec ``` +## Ingesting Third-Party Logs + +Malcolm uses [OpenSearch](https://opensearch.org/) and [OpenSearch Dashboards](https://opensearch.org/docs/latest/dashboards/index/) for data storage, search and visualization, and [Logstash](https://www.elastic.co/logstash/) for log processing. Because these tools are data agnostic, Malcolm can be configured to accept various host logs and other third-party logs sent from log forwaders such as [Fluent Bit](https://fluentbit.io/) and [Beats](https://www.elastic.co/beats/). Some examples of the types of logs these forwarders might send include: + +* System resource utilization metrics (CPU, memory, disk, network, etc.) +* System temperatures +* Linux system logs +* Windows event logs +* Process or service health status +* Logs appended to textual log files (e.g., `tail`-ing a log file) +* The output of an external script or program +* Messages in the form of MQTT control packets +* many moreโ€ฆ + +Refer to [**Forwarding Third-Party Logs to Malcolm**](./scripts/third-party-logs/README.md) for more information. + ## Malcolm installer ISO Malcolm's Docker-based deployment model makes Malcolm able to run on a variety of platforms. However, in some circumstances (for example, as a long-running appliance as part of a security operations center, or inside of a virtual machine) it may be desirable to install Malcolm as a dedicated standalone installation. @@ -3433,7 +3534,7 @@ Building the ISO may take 30 minutes or more depending on your system. As the bu ``` โ€ฆ -Finished, created "/malcolm-build/malcolm-iso/malcolm-6.2.0.iso" +Finished, created "/malcolm-build/malcolm-iso/malcolm-6.3.0.iso" โ€ฆ ``` 
@@ -3706,6 +3807,10 @@ Now that any necessary system configuration changes have been made, the local Ma ``` Malcolm processes will run as UID 1000 and GID 1000. Is this OK? (Y/n): y +Should Malcolm use and maintain its own OpenSearch instance? (Y/n): y + +Forward Logstash logs to a secondary remote OpenSearch instance? (y/N): n + Setting 10g for OpenSearch and 3g for Logstash. Is this OK? (Y/n): y Setting 3 workers for Logstash pipelines. Is this OK? (Y/n): y @@ -3747,9 +3852,18 @@ Expose OpenSearch port to external hosts? (y/N): n Expose Logstash port to external hosts? (y/N): n -Forward Logstash logs to external OpenSearch instance? (y/N): n +Expose Filebeat TCP port to external hosts? (y/N): y +1: json +2: raw +Select log format for messages sent to Filebeat TCP listener (json): 1 + +Source field to parse for messages sent to Filebeat TCP listener (message): message -Expose Filebeat TCP port to external hosts? (y/N): n +Target field under which to store decoded JSON fields for messages sent to Filebeat TCP listener (miscbeat): miscbeat + +Field to drop from events sent to Filebeat TCP listener (message): message + +Tag to apply to messages sent to Filebeat TCP listener (_malcolm_beats): _malcolm_beats Expose SFTP server (for PCAP upload) to external hosts? (y/N): n 
@@ -3807,13 +3921,15 @@ Administrator username: analyst analyst password: analyst password (again): -(Re)generate self-signed certificates for HTTPS access (Y/n): y +(Re)generate self-signed certificates for HTTPS access (Y/n): y (Re)generate self-signed certificates for a remote log forwarder (Y/n): y -Store username/password for forwarding Logstash events to a secondary, external OpenSearch instance (y/N): n +Store username/password for primary remote OpenSearch instance? (y/N): n + +Store username/password for secondary remote OpenSearch instance? (y/N): n -Store username/password for email alert sender account (see https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors/#authenticate-sender-account) (y/N): n +Store username/password for email alert sender account? (y/N): n ``` For now, rather than [build Malcolm from scratch](#Build), we'll pull images from [Docker Hub](https://hub.docker.com/u/malcolmnetsec): 
@@ -3839,23 +3955,23 @@ Pulling zeek ... done user@host:~/Malcolm$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -malcolmnetsec/api 6.2.0 xxxxxxxxxxxx 3 days ago 158MB -malcolmnetsec/arkime 6.2.0 xxxxxxxxxxxx 3 days ago 816MB -malcolmnetsec/dashboards 6.2.0 xxxxxxxxxxxx 3 days ago 1.02GB -malcolmnetsec/dashboards-helper 6.2.0 xxxxxxxxxxxx 3 days ago 184MB -malcolmnetsec/filebeat-oss 6.2.0 xxxxxxxxxxxx 3 days ago 624MB -malcolmnetsec/file-monitor 6.2.0 xxxxxxxxxxxx 3 days ago 588MB -malcolmnetsec/file-upload 6.2.0 xxxxxxxxxxxx 3 days ago 259MB -malcolmnetsec/freq 6.2.0 xxxxxxxxxxxx 3 days ago 132MB -malcolmnetsec/htadmin 6.2.0 xxxxxxxxxxxx 3 days ago 242MB -malcolmnetsec/logstash-oss 6.2.0 xxxxxxxxxxxx 3 days ago 1.35GB -malcolmnetsec/name-map-ui 6.2.0 xxxxxxxxxxxx 3 days ago 143MB -malcolmnetsec/nginx-proxy 6.2.0 xxxxxxxxxxxx 3 days ago 121MB -malcolmnetsec/opensearch 6.2.0 xxxxxxxxxxxx 3 days ago 1.17GB -malcolmnetsec/pcap-capture 6.2.0 xxxxxxxxxxxx 3 days ago 121MB -malcolmnetsec/pcap-monitor 6.2.0 xxxxxxxxxxxx 3 days ago 213MB -malcolmnetsec/suricata 6.2.0 xxxxxxxxxxxx 3 days ago 278MB -malcolmnetsec/zeek 6.2.0 xxxxxxxxxxxx 3 days ago 1GB +malcolmnetsec/api 6.3.0 xxxxxxxxxxxx 3 days ago 158MB +malcolmnetsec/arkime 6.3.0 xxxxxxxxxxxx 3 days ago 816MB +malcolmnetsec/dashboards 6.3.0 xxxxxxxxxxxx 3 days ago 1.02GB +malcolmnetsec/dashboards-helper 6.3.0 xxxxxxxxxxxx 3 days ago 184MB +malcolmnetsec/filebeat-oss 6.3.0 xxxxxxxxxxxx 3 days ago 624MB +malcolmnetsec/file-monitor 6.3.0 xxxxxxxxxxxx 3 days ago 588MB +malcolmnetsec/file-upload 6.3.0 xxxxxxxxxxxx 3 days ago 259MB +malcolmnetsec/freq 6.3.0 xxxxxxxxxxxx 3 days ago 132MB +malcolmnetsec/htadmin 6.3.0 xxxxxxxxxxxx 3 days ago 242MB +malcolmnetsec/logstash-oss 6.3.0 xxxxxxxxxxxx 3 days ago 1.35GB +malcolmnetsec/name-map-ui 6.3.0 xxxxxxxxxxxx 3 days ago 143MB +malcolmnetsec/nginx-proxy 6.3.0 xxxxxxxxxxxx 3 days ago 121MB +malcolmnetsec/opensearch 6.3.0 xxxxxxxxxxxx 3 days ago 1.17GB +malcolmnetsec/pcap-capture 
6.3.0 xxxxxxxxxxxx 3 days ago 121MB +malcolmnetsec/pcap-monitor 6.3.0 xxxxxxxxxxxx 3 days ago 213MB +malcolmnetsec/suricata 6.3.0 xxxxxxxxxxxx 3 days ago 278MB +malcolmnetsec/zeek 6.3.0 xxxxxxxxxxxx 3 days ago 1GB ``` Finally, we can start Malcolm. When Malcolm starts it will stream informational and debug messages to the console. If you wish, you can safely close the console or use `Ctrl+C` to stop these messages; Malcolm will continue running in the background. diff --git a/api/project/__init__.py b/api/project/__init__.py index c45a10d50..0cf5aeb85 100644 --- a/api/project/__init__.py +++ b/api/project/__init__.py @@ -1,5 +1,6 @@ import dateparser import json +import malcolm_common import opensearch_dsl import opensearchpy import os @@ -9,12 +10,15 @@ import requests import string import traceback +import urllib3 import warnings from collections import defaultdict from collections.abc import Iterable from datetime import datetime from flask import Flask, jsonify, request +from requests.auth import HTTPBasicAuth +from urllib.parse import urlparse # map categories of field names to OpenSearch dashboards @@ -93,7 +97,7 @@ fields_to_urls.append([r'^zeek\.rfb\.', ['DASH:f77bf097-18a8-465c-b634-eb2acc7a4f26']]) fields_to_urls.append( [ - r'^zeek\.(s7comm|iso_cotp)\.', + r'^zeek\.(s7comm.*|(iso_)?cotp)\.', ['DASH:e76d05c0-eb9f-11e9-a384-0fcf32210194', 'DASH:4a4bde20-4760-11ea-949c-bbb5a9feecbf'], ] ) @@ -141,7 +145,7 @@ field_type_map['time'] = 'date' field_type_map['timestamp'] = 'date' - +urllib3.disable_warnings() warnings.filterwarnings( "ignore", message="The localize method is no longer necessary, as this time zone supports the fold attribute", 
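Review bot: The bare `urllib3.disable_warnings()` added in the `@@ -141,7 +145,7 @@` hunk of api/project/__init__.py silences every urllib3 warning category for the whole process at import time, regardless of whether OPENSEARCH_SSL_CERTIFICATE_VERIFICATION is enabled, so an operator who turns verification on still loses any TLS-related warning the library would have raised. Narrowing it to the one category that unverified requests produce, `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)`, and guarding it with `if not opensearchSslVerify:` keeps the noise suppression without hiding unrelated warnings; since `opensearchSslVerify` is only computed further down (in the following hunk), the call would need to move below that assignment. The surrounding `warnings.filterwarnings(` statement continues past the end of this hunk.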
@@ -150,9 +154,33 @@ app = Flask(__name__) app.url_map.strict_slashes = False app.config.from_object("project.config.Config") -opensearch_dsl.connections.create_connection(hosts=[app.config["OPENSEARCH_URL"]]) + debugApi = app.config["MALCOLM_API_DEBUG"] == "true" +opensearchUrl = app.config["OPENSEARCH_URL"] +dashboardsUrl = app.config["DASHBOARDS_URL"] +opensearchLocal = (app.config["OPENSEARCH_LOCAL"] == "true") or (opensearchUrl == 'http://opensearch:9200') +opensearchSslVerify = app.config["OPENSEARCH_SSL_CERTIFICATE_VERIFICATION"] == "true" +opensearchCreds = ( + malcolm_common.ParseCurlFile(app.config["OPENSEARCH_CREDS_CONFIG_FILE"]) + if (not opensearchLocal) + else defaultdict(lambda: None) +) +if opensearchCreds['user'] is not None: + opensearchDslHttpAuth = f"{opensearchCreds['user']}:{opensearchCreds['password']}" + opensearchReqHttpAuth = HTTPBasicAuth(opensearchCreds['user'], opensearchCreds['password']) +else: + opensearchDslHttpAuth = None + opensearchReqHttpAuth = None + +opensearch_dsl.connections.create_connection( + hosts=[opensearchUrl], + http_auth=opensearchDslHttpAuth, + verify_certs=opensearchSslVerify, + ssl_assert_hostname=False, + ssl_show_warn=False, +) + def deep_get(d, keys, default=None): assert type(keys) is list @@ -491,7 +519,7 @@ def document(index): Returns ------- filter - dict containing the filters, e.g., {"_id":"210301-Cgnjsc2Tkdl38g25D6-iso_cotp-5485"} + dict containing the filters, e.g., {"_id":"210301-Cgnjsc2Tkdl38g25D6-cotp-5485"} results array of the documents retrieved (up to 'limit') """ @@ -522,7 +550,13 @@ def indices(): indices The output of _cat/indices?format=json from the OpenSearch API """ - return jsonify(indices=requests.get(f'{app.config["OPENSEARCH_URL"]}/_cat/indices?format=json').json()) + return jsonify( + indices=requests.get( + f'{opensearchUrl}/_cat/indices?format=json', + auth=opensearchReqHttpAuth, + verify=opensearchSslVerify, + ).json() + ) @app.route("/fields", methods=['GET']) 
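Review bot: In the `@@ -150,9 +154,33 @@` hunk, `ssl_assert_hostname=False` is passed to `opensearch_dsl.connections.create_connection` unconditionally, so even with OPENSEARCH_SSL_CERTIFICATE_VERIFICATION set to true the client accepts a certificate that chains correctly but was issued for a different host, which is weaker than the "full TLS certificate validation" the README hunk in this commit promises; `ssl_assert_hostname=opensearchSslVerify,` ties it to the same switch. The `== "true"` comparisons for OPENSEARCH_LOCAL and the verification flag are case-sensitive, so a value such as `True` from an environment file would be read as remote/unverified and make the app try to parse the credentials file; normalizing with `.lower()` before comparing avoids that surprise. Separately, `http_auth` built as the f-string `user:password` breaks if the username contains a colon, whereas the `(user, password)` tuple form the client also accepts does not (worth confirming against the opensearch-py version in use).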
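Review bot: The rewritten `requests.get` in the `@@ -522,7 +550,13 @@` hunk of `indices()` now reaches a possibly remote OpenSearch instance but still has no `timeout=`, so an unreachable or hung cluster blocks the Flask worker indefinitely instead of surfacing an error; the same applies to the rewritten calls in the `@@ -570`, `@@ -588`, `@@ -609` and `@@ -659` hunks. Adding a module-level `REQUEST_TIMEOUT` (constructed value, e.g. 30 seconds) and passing `timeout=REQUEST_TIMEOUT,` alongside `auth=` and `verify=` in each of those calls bounds the wait without changing the responses.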
@@ -553,7 +587,7 @@ def fields(): # get fields from Arkime's field's table s = opensearch_dsl.Search( using=opensearch_dsl.connections.get_connection(), index=app.config["ARKIME_FIELDS_INDEX"] - ).extra(size=3000) + ).extra(size=5000) for hit in [x['_source'] for x in s.execute().to_dict()['hits']['hits']]: if (fieldname := deep_get(hit, ['dbField2'])) and (fieldname not in fields): if debugApi: @@ -570,7 +604,11 @@ def fields(): # get fields from OpenSearch template (and descendant components) try: - getTemplateResponseJson = requests.get(f'{app.config["OPENSEARCH_URL"]}/_index_template/{templateName}').json() + getTemplateResponseJson = requests.get( + f'{opensearchUrl}/_index_template/{templateName}', + auth=opensearchReqHttpAuth, + verify=opensearchSslVerify, + ).json() for template in deep_get(getTemplateResponseJson, ["index_templates"]): # top-level fields @@ -588,7 +626,9 @@ def fields(): # descendant component fields for componentName in get_iterable(deep_get(template, ["index_template", "composed_of"])): getComponentResponseJson = requests.get( - f'{app.config["OPENSEARCH_URL"]}/_component_template/{componentName}' + f'{opensearchUrl}/_component_template/{componentName}', + auth=opensearchReqHttpAuth, + verify=opensearchSslVerify, ).json() for component in get_iterable(deep_get(getComponentResponseJson, ["component_templates"])): for fieldname, fieldinfo in deep_get( @@ -609,11 +649,13 @@ def fields(): # get fields from OpenSearch dashboards try: for field in requests.get( - f"{app.config['DASHBOARDS_URL']}/api/index_patterns/_fields_for_wildcard", + f"{dashboardsUrl}/api/index_patterns/_fields_for_wildcard", params={ 'pattern': pattern, 'meta_fields': ["_source", "_id", "_type", "_index", "_score"], }, + auth=opensearchReqHttpAuth, + verify=opensearchSslVerify, ).json()['fields']: if fieldname := deep_get(field, ['name']): if debugApi: 
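Review bot: `auth=opensearchReqHttpAuth` on the request to `{dashboardsUrl}/api/index_patterns/_fields_for_wildcard` sends the OpenSearch basic-auth credentials to the Dashboards host, which is a different service and, for a remote deployment, may be a different origin from the one the credentials were configured for. If Dashboards is expected to accept the same credentials, a comment stating that assumption would help; otherwise this request should use Dashboards-specific credentials or none. `verify=opensearchSslVerify` is likewise applied to the Dashboards URL although the flag is named as an OpenSearch setting. The enclosing `fields()` function starts and ends outside this hunk.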
@@ -659,7 +701,11 @@ def version(): version=app.config["MALCOLM_VERSION"], built=app.config["BUILD_DATE"], sha=app.config["VCS_REVISION"], - opensearch=requests.get(app.config["OPENSEARCH_URL"]).json(), + opensearch=requests.get( + opensearchUrl, + auth=opensearchReqHttpAuth, + verify=opensearchSslVerify, + ).json(), opensearch_health=opensearch_dsl.connections.get_connection().cluster.health(), ) diff --git a/api/project/config.py b/api/project/config.py index c9b7ab85a..644495da6 100644 --- a/api/project/config.py +++ b/api/project/config.py @@ -14,5 +14,8 @@ class Config(object): MALCOLM_TEMPLATE = f"{os.getenv('MALCOLM_TEMPLATE', 'malcolm_template')}" MALCOLM_VERSION = f"{os.getenv('MALCOLM_VERSION', 'unknown')}" OPENSEARCH_URL = f"{os.getenv('OPENSEARCH_URL', 'http://opensearch:9200')}" + OPENSEARCH_LOCAL = f"{os.getenv('OPENSEARCH_LOCAL', 'true')}" + OPENSEARCH_SSL_CERTIFICATE_VERIFICATION = f"{os.getenv('OPENSEARCH_SSL_CERTIFICATE_VERIFICATION', 'false')}" + OPENSEARCH_CREDS_CONFIG_FILE = f"{os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/opensearch.primary.curlrc')}" RESULT_SET_LIMIT = int(f"{os.getenv('RESULT_SET_LIMIT', '500')}") VCS_REVISION = f"{os.getenv('VCS_REVISION', 'unknown')}" diff --git a/arkime/arkime_regression_test_harness/Dockerfiles/arkime.Dockerfile b/arkime/arkime_regression_test_harness/Dockerfiles/arkime.Dockerfile index b1fc50c65..890787325 100644 --- a/arkime/arkime_regression_test_harness/Dockerfiles/arkime.Dockerfile +++ b/arkime/arkime_regression_test_harness/Dockerfiles/arkime.Dockerfile @@ -4,8 +4,8 @@ ENV DEBIAN_FRONTEND noninteractive ENV GITHUB_URL "https://github.com/arkime/arkime/" ENV GITHUB_BRANCH "master" -ENV ARKIMEDIR "/opt/arkime" -ENV ARKIMEUSER "arkime" +ENV ARKIME_DIR "/opt/arkime" +ENV ARKIME_USER "arkime" USER root 
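Review bot: `OPENSEARCH_SSL_CERTIFICATE_VERIFICATION` defaults to `'false'`, so a deployment that points OPENSEARCH_URL at a remote https endpoint and sets OPENSEARCH_LOCAL=false sends its credentials with no certificate check unless the operator also knows to set this variable. The default and its consequence should be stated next to the setting, e.g. `# 'false' (default): TLS certificate and hostname checks are skipped; set 'true' for any OpenSearch not running inside this deployment`. A similar one-line comment on `OPENSEARCH_CREDS_CONFIG_FILE` noting that the file at `/var/local/opensearch.primary.curlrc` holds plaintext credentials and should be mounted read-only with restrictive permissions would document the trust assumption the new code relies on.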
@@ -44,30 +44,30 @@ RUN apt-get -q update && \
 zlib1g-dev
 RUN mkdir /opt && \
- groupadd --gid 1000 $ARKIMEUSER && \
- useradd -M --uid 1000 --gid 1000 --home $ARKIMEDIR --no-create-home $ARKIMEUSER && \
- chown -R $ARKIMEUSER:$ARKIMEUSER /opt && \
- usermod -aG sudo $ARKIMEUSER && \
+ groupadd --gid 1000 $ARKIME_USER && \
+ useradd -M --uid 1000 --gid 1000 --home $ARKIME_DIR --no-create-home $ARKIME_USER && \
+ chown -R $ARKIME_USER:$ARKIME_USER /opt && \
+ usermod -aG sudo $ARKIME_USER && \
 sed -i /etc/sudoers -re 's/^%sudo.*/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' && \
 sed -i /etc/sudoers -re 's/^root.*/root ALL=(ALL:ALL) NOPASSWD: ALL/g'
-USER $ARKIMEUSER
+USER $ARKIME_USER
-RUN git clone --recursive --depth=1 --single-branch -b "$GITHUB_BRANCH" "$GITHUB_URL" "$ARKIMEDIR" && \
- cd "$ARKIMEDIR" && \
+RUN git clone --recursive --depth=1 --single-branch -b "$GITHUB_BRANCH" "$GITHUB_URL" "$ARKIME_DIR" && \
+ cd "$ARKIME_DIR" && \
 bash -c 'for i in /opt/patches/*; do patch -p 1 -r - --no-backup-if-mismatch < $i || true; done' && \
- export PATH="$ARKIMEDIR/bin:$ARKIMEDIR/node-v10.21.0-linux-x64/bin:${PATH}" && \
- sudo ln -sfr $ARKIMEDIR/bin/npm /usr/local/bin/npm && \
- sudo ln -sfr $ARKIMEDIR/bin/node /usr/local/bin/node && \
- sudo ln -sfr $ARKIMEDIR/bin/npx /usr/local/bin/npx && \
+ export PATH="$ARKIME_DIR/bin:$ARKIME_DIR/node-v10.21.0-linux-x64/bin:${PATH}" && \
+ sudo ln -sfr $ARKIME_DIR/bin/npm /usr/local/bin/npm && \
+ sudo ln -sfr $ARKIME_DIR/bin/node /usr/local/bin/node && \
+ sudo ln -sfr $ARKIME_DIR/bin/npx /usr/local/bin/npx && \
 ./easybutton-build.sh && \
 (make check || true) && \
 sudo npm -g install jison
-ENV PATH="/opt:$ARKIMEDIR/bin:$ARKIMEDIR/node-v10.21.0-linux-x64/bin:${PATH}"
+ENV PATH="/opt:$ARKIME_DIR/bin:$ARKIME_DIR/node-v10.21.0-linux-x64/bin:${PATH}"
 EXPOSE 8000 8005 8081
-WORKDIR $ARKIMEDIR/tests
+WORKDIR $ARKIME_DIR/tests
 CMD bash
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
index 3c7225e01..674264697 100644
--- a/arkime/etc/config.ini
+++ b/arkime/etc/config.ini
@@ -67,6 +67,7 @@ valueAutoComplete=false
 # id information
 zeek.uid=db:zeek.uid;kind:termfield;friendly:Zeek Connection ID;help:Zeek Connection ID
+network.is_orig=db:network.is_orig;kind:termfield;friendly:Is Originator;help:Is Originator
 event.provider=db:event.provider;group:malcolm;kind:termfield;friendly:Data Source;help:Data Source
 event.dataset=db:event.dataset;group:malcolm;kind:termfield;friendly:Log Type;help:Log Type
 event.module=db:event.module;group:malcolm;kind:termfield;friendly:Data Source Module;help:Data Source Module
@@ -91,6 +92,7 @@ event.risk_score=db:event.risk_score;group:malcolm;kind:float;friendly:Risk Scor
 event.risk_score_norm=db:event.risk_score_norm;group:malcolm;kind:float;friendly:Risk Score (Normalized);help:Risk Score (Normalized)
 event.severity=db:event.severity;group:malcolm;kind:integer;friendly:Severity;help:Severity
 event.severity_tags=db:event.severity_tags;group:malcolm;kind:termfield;friendly:Severity Tags;help:Severity Tags
+network.direction=db:network.direction;group:malcolm;kind:termfield;friendly:Direction;help:Direction
 network.inner.vlan.id=db:network.inner.vlan.id;group:malcolm;kind:integer;friendly:Inner VLAN ID;help:Inner VLAN ID
 network.protocol=db:network.protocol;group:malcolm;kind:termfield;friendly:Service;help:Service
 network.protocol_version=db:network.protocol_version;group:malcolm;kind:termfield;friendly:Service Version;help:Service Version
@@ -156,29 +158,29 @@ zeek.conn.inner_vlan=db:zeek.conn.inner_vlan;group:zeek_conn;kind:integer;friend
 # bacnet.log
 # https://github.com/cisagov/ICSNPP
 zeek.bacnet.bvlc_function=db:zeek.bacnet.bvlc_function;group:zeek_bacnet;kind:termfield;friendly:BVLC Function;help:BVLC Function
-zeek.bacnet.pdu_type=db:zeek.bacnet.pdu_type;group:zeek_bacnet;kind:termfield;friendly:APDU Service Type;help:APDU Service Type
-zeek.bacnet.pdu_service=db:zeek.bacnet.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service Choice;help:APDU Service Choice
 zeek.bacnet.invoke_id=db:zeek.bacnet.invoke_id;group:zeek_bacnet;kind:integer;friendly:Invoke ID;help:Invoke ID
+zeek.bacnet.pdu_service=db:zeek.bacnet.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service Choice;help:APDU Service Choice
+zeek.bacnet.pdu_type=db:zeek.bacnet.pdu_type;group:zeek_bacnet;kind:termfield;friendly:APDU Service Type;help:APDU Service Type
 zeek.bacnet.result_code=db:zeek.bacnet.result_code;group:zeek_bacnet;kind:termfield;friendly:Result Code;help:Result Code
 # bacnet_discovery.log
 # https://github.com/cisagov/ICSNPP
-zeek.bacnet_discovery.pdu_service=db:zeek.bacnet_discovery.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service;help:APDU Service
-zeek.bacnet_discovery.object_type=db:zeek.bacnet_discovery.object_type;group:zeek_bacnet;kind:termfield;friendly:Object Type;help:Object Type
 zeek.bacnet_discovery.instance_number=db:zeek.bacnet_discovery.instance_number;group:zeek_bacnet;kind:integer;friendly:Instance Number;help:Instance Number
-zeek.bacnet_discovery.vendor=db:zeek.bacnet_discovery.vendor;group:zeek_bacnet;kind:termfield;friendly:Vendor Name;help:Vendor Name
+zeek.bacnet_discovery.object_name=db:zeek.bacnet_discovery.object_name;group:zeek_bacnet;kind:termfield;friendly:Object Name;help:Object Name
+zeek.bacnet_discovery.object_type=db:zeek.bacnet_discovery.object_type;group:zeek_bacnet;kind:termfield;friendly:Object Type;help:Object Type
+zeek.bacnet_discovery.pdu_service=db:zeek.bacnet_discovery.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service;help:APDU Service
 zeek.bacnet_discovery.range=db:zeek.bacnet_discovery.range;group:zeek_bacnet;kind:termfield;friendly:Range;help:Range
-zeek.bacnet_discovery.range_low=db:zeek.bacnet_discovery.range_low;group:zeek_bacnet;kind:integer;friendly:Range Low;help:Range Low
 zeek.bacnet_discovery.range_high=db:zeek.bacnet_discovery.range_high;group:zeek_bacnet;kind:integer;friendly:Range High;help:Range High
-zeek.bacnet_discovery.object_name=db:zeek.bacnet_discovery.object_name;group:zeek_bacnet;kind:termfield;friendly:Object Name;help:Object Name
+zeek.bacnet_discovery.range_low=db:zeek.bacnet_discovery.range_low;group:zeek_bacnet;kind:integer;friendly:Range Low;help:Range Low
+zeek.bacnet_discovery.vendor=db:zeek.bacnet_discovery.vendor;group:zeek_bacnet;kind:termfield;friendly:Vendor Name;help:Vendor Name
 # bacnet_property.log
 # https://github.com/cisagov/ICSNPP
-zeek.bacnet_property.pdu_service=db:zeek.bacnet_property.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service;help:APDU Service
-zeek.bacnet_property.object_type=db:zeek.bacnet_property.object_type;group:zeek_bacnet;kind:termfield;friendly:Object Type;help:Object Type
+zeek.bacnet_property.array_index=db:zeek.bacnet_property.array_index;group:zeek_bacnet;kind:integer;friendly:Array Index;help:Array Index
 zeek.bacnet_property.instance_number=db:zeek.bacnet_property.instance_number;group:zeek_bacnet;kind:integer;friendly:Instance Number;help:Instance Number
+zeek.bacnet_property.object_type=db:zeek.bacnet_property.object_type;group:zeek_bacnet;kind:termfield;friendly:Object Type;help:Object Type
+zeek.bacnet_property.pdu_service=db:zeek.bacnet_property.pdu_service;group:zeek_bacnet;kind:termfield;friendly:APDU Service;help:APDU Service
 zeek.bacnet_property.property=db:zeek.bacnet_property.property;group:zeek_bacnet;kind:termfield;friendly:Property Type;help:Property Type
-zeek.bacnet_property.array_index=db:zeek.bacnet_property.array_index;group:zeek_bacnet;kind:integer;friendly:Array Index;help:Array Index
 zeek.bacnet_property.value=db:zeek.bacnet_property.value;group:zeek_bacnet;kind:termfield;friendly:Value;help:Value
 # bestguess.log
@@ -233,15 +235,15 @@ zeek.bsap_serial_rdb_ext.sfun=db:zeek.bsap_serial_rdb_ext.sfun;group:zeek_bsap;k
 # cip.log
 # https://github.com/cisagov/ICSNPP
+zeek.cip.attribute_id=db:zeek.cip.attribute_id;group:zeek_cip;kind:termfield;friendly:Attribute ID;help:Attribute ID
 zeek.cip.cip_sequence_count=db:zeek.cip.cip_sequence_count;group:zeek_cip;kind:integer;friendly:CIP Sequence Number;help:CIP Sequence Number
-zeek.cip.direction=db:zeek.cip.direction;group:zeek_cip;kind:termfield;friendly:Direction;help:Direction
 zeek.cip.cip_service=db:zeek.cip.cip_service;group:zeek_cip;kind:termfield;friendly:CIP Service;help:CIP Service
 zeek.cip.cip_service_code=db:zeek.cip.cip_service_code;group:zeek_cip;kind:termfield;friendly:CIP Service Code;help:CIP Service Code
 zeek.cip.cip_status=db:zeek.cip.cip_status;group:zeek_cip;kind:termfield;friendly:CIP Status;help:CIP Status
 zeek.cip.class_id=db:zeek.cip.class_id;group:zeek_cip;kind:termfield;friendly:Class ID;help:Class ID
 zeek.cip.class_name=db:zeek.cip.class_name;group:zeek_cip;kind:termfield;friendly:Class Name;help:Class Name
+zeek.cip.direction=db:zeek.cip.direction;group:zeek_cip;kind:termfield;friendly:Direction;help:Direction
 zeek.cip.instance_id=db:zeek.cip.instance_id;group:zeek_cip;kind:termfield;friendly:Instance ID;help:Instance ID
-zeek.cip.attribute_id=db:zeek.cip.attribute_id;group:zeek_cip;kind:termfield;friendly:Attribute ID;help:Attribute ID
 # cip_identity.log
 # https://github.com/cisagov/ICSNPP
@@ -265,9 +267,9 @@ zeek.cip_identity.device_state=db:zeek.cip_identity.device_state;group:zeek_cip;
 # cip_io.log
 # https://github.com/cisagov/ICSNPP
 zeek.cip_io.connection_id=db:zeek.cip_io.connection_id;group:zeek_cip;kind:termfield;friendly:Connection ID;help:Connection ID
-zeek.cip_io.sequence_number=db:zeek.cip_io.sequence_number;group:zeek_cip;kind:integer;friendly:Sequence Number;help:Sequence Number
 zeek.cip_io.data_length=db:zeek.cip_io.data_length;group:zeek_cip;kind:integer;friendly:Data Length;help:Data Length
 zeek.cip_io.io_data=db:zeek.cip_io.io_data;group:zeek_cip;kind:termfield;friendly:Transport Data;help:Transport Data
+zeek.cip_io.sequence_number=db:zeek.cip_io.sequence_number;group:zeek_cip;kind:integer;friendly:Sequence Number;help:Sequence Number
 # dce_rpc.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/dce-rpc/main.zeek.html#type-DCE_RPC::Info
@@ -349,11 +351,11 @@ zeek.dpd.failure_reason=db:zeek.dpd.failure_reason;group:zeek_dpd;kind:termfield
 # https://github.com/cisagov/ICSNPP
 zeek.enip.enip_command=db:zeek.enip.enip_command;group:zeek_enip;kind:termfield;friendly:EthernetIP Command;help:EthernetIP Command
 zeek.enip.enip_command_code=db:zeek.enip.enip_command_code;group:zeek_enip;kind:termfield;friendly:EthernetIP Command Code;help:EthernetIP Command Code
-zeek.enip.length=db:zeek.enip.length;group:zeek_enip;kind:integer;friendly:Packet Length;help:Packet Length
-zeek.enip.session_handle=db:zeek.enip.session_handle;group:zeek_enip;kind:termfield;friendly:Session Number;help:Session Number
 zeek.enip.enip_status=db:zeek.enip.enip_status;group:zeek_enip;kind:termfield;friendly:EthernetIP Status;help:EthernetIP Status
-zeek.enip.sender_context=db:zeek.enip.sender_context;group:zeek_enip;kind:termfield;friendly:Sender Context;help:Sender Context
+zeek.enip.length=db:zeek.enip.length;group:zeek_enip;kind:integer;friendly:Packet Length;help:Packet Length
 zeek.enip.options=db:zeek.enip.options;group:zeek_enip;kind:termfield;friendly:Options;help:Options
+zeek.enip.sender_context=db:zeek.enip.sender_context;group:zeek_enip;kind:termfield;friendly:Sender Context;help:Sender Context
+zeek.enip.session_handle=db:zeek.enip.session_handle;group:zeek_enip;kind:termfield;friendly:Session Number;help:Session Number
 # ecat_registers.log
 # https://github.com/cisagov/ICSNPP
@@ -437,7 +439,6 @@ zeek.files.filename=db:zeek.files.filename;group:zeek_files;kind:termfield;frien
 zeek.files.ftime=db:zeek.files.ftime;group:zeek_files;kind:termfield;friendly:File Timestamp;help:File Timestamp
 zeek.files.duration=db:zeek.files.duration;group:zeek_files;kind:termfield;friendly:Analysis Duration;help:Analysis Duration
 zeek.files.local_orig=db:zeek.files.local_orig;group:zeek_files;kind:termfield;friendly:Local Originator;help:Local Originator
-zeek.files.is_orig=db:zeek.files.is_orig;group:zeek_files;kind:termfield;friendly:Originator is Transmitter;help:Originator is Transmitter
 zeek.files.seen_bytes=db:zeek.files.seen_bytes;group:zeek_files;kind:integer;friendly:Bytes Analyzed;help:Bytes Analyzed
 zeek.files.total_bytes=db:zeek.files.total_bytes;group:zeek_files;kind:integer;friendly:Total Bytes;help:Total Bytes
 zeek.files.missing_bytes=db:zeek.files.missing_bytes;group:zeek_files;kind:integer;friendly:Missed Bytes;help:Missed Bytes
@@ -529,7 +530,6 @@ zeek.intel.cif_lastseen=db:zeek.intel.cif_lastseen;group:zeek_intel;kind:termfie
 # ipsec.log
 # https://github.com/corelight/zeek-spicy-ipsec/blob/master/analyzer/main.zeek
-zeek.ipsec.is_orig=db:zeek.ipsec.is_orig;group:zeek_ipsec;kind:termfield;friendly:Is Originator;help:Is Originator
 zeek.ipsec.initiator_spi=db:zeek.ipsec.initiator_spi;group:zeek_ipsec;kind:termfield;friendly:Initiator SPI;help:Initiator SPI
 zeek.ipsec.responder_spi=db:zeek.ipsec.responder_spi;group:zeek_ipsec;kind:termfield;friendly:Responder SPI;help:Responder SPI
 zeek.ipsec.maj_ver=db:zeek.ipsec.maj_ver;group:zeek_ipsec;kind:integer;friendly:Major Version;help:Major Version
@@ -566,9 +566,10 @@ zeek.irc.dcc_file_name=db:zeek.irc.dcc_file_name;group:zeek_irc;kind:termfield;f
 zeek.irc.dcc_file_size=db:zeek.irc.dcc_file_size;group:zeek_irc;kind:integer;friendly:DCC File Size;help:DCC File Size
 zeek.irc.dcc_mime_type=db:zeek.irc.dcc_mime_type;group:zeek_irc;kind:termfield;friendly:DCC File Magic;help:DCC File Magic
-# iso_cotp.log
-# https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek
-zeek.iso_cotp.pdu_type=db:zeek.iso_cotp.pdu_type;group:zeek_iso_cotp;kind:termfield;friendly:PDU Type;help:PDU Type
+# cotp.log
+# https://github.com/cisagov/icsnpp-s7comm
+zeek.cotp.pdu_code=db:zeek.cotp.pdu_code;group:zeek_cotp;kind:termfield;friendly:PDU Code;help:PDU Code
+zeek.cotp.pdu_name=db:zeek.cotp.pdu_name;group:zeek_cotp;kind:termfield;friendly:PDU Name;help:PDU Name
 # kerberos.log
 # https://docs.zeek.org/en/stable/scripts/base/protocols/krb/main.zeek.html#type-KRB::Info
@@ -676,7 +677,7 @@ zeek.mqtt_publish.status=db:zeek.mqtt_publish.status;group:zeek_mqtt;kind:termfi
 zeek.mqtt_publish.topic=db:zeek.mqtt_publish.topic;group:zeek_mqtt;kind:termfield;friendly:Topic;help:Topic
 zeek.mqtt_publish.payload=db:zeek.mqtt_publish.payload;group:zeek_mqtt;kind:termfield;friendly:Payload;help:Payload
 zeek.mqtt_publish.payload_len=db:zeek.mqtt_publish.payload_len;group:zeek_mqtt;kind:integer;friendly:Payload Length;help:Payload Length
-zeek.mqtt_publish.payload_dict.messageType=db:zeek.mqtt_publish.payload_dict.messageType;group:zeek_mqtt;kind:keyword;friendly:Message Type;help:Message Type
+zeek.mqtt_publish.payload_dict.messageType=db:zeek.mqtt_publish.payload_dict.messageType;group:zeek_mqtt;kind:termfield;friendly:Message Type;help:Message Type
 # mqtt_subscribe.log
 # https://docs.zeek.org/en/stable/scripts/policy/protocols/mqtt/main.zeek.html#type-MQTT::SubscribeInfo
@@ -742,145 +743,295 @@ zeek.ntp.rec_time=db:zeek.ntp.rec_time;group:zeek_ntp;kind:termfield;friendly:Re
 zeek.ntp.xmt_time=db:zeek.ntp.xmt_time;group:zeek_ntp;kind:termfield;friendly:Transmit Timestamp;help:Transmit Timestamp
 zeek.ntp.num_exts=db:zeek.ntp.num_exts;group:zeek_ntp;kind:integer;friendly:Extension Fields;help:Extension Fields
-# opcua-binary.log
-# https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek
-zeek.opcua_binary.encoding_mask=db:zeek.opcua_binary.encoding_mask;group:zeek_opcua_binary;kind:integer;friendly:encoding mask;help:encoding mask
-zeek.opcua_binary.endpoint_url=db:zeek.opcua_binary.endpoint_url;group:zeek_opcua_binary;kind:termfield;friendly:endpoint URL;help:endpoint URL
-zeek.opcua_binary.error=db:zeek.opcua_binary.error;group:zeek_opcua_binary;kind:integer;friendly:error;help:error
-zeek.opcua_binary.identifier=db:zeek.opcua_binary.identifier;group:zeek_opcua_binary;kind:integer;friendly:identifier;help:identifier
-zeek.opcua_binary.identifier_str=db:zeek.opcua_binary.identifier_str;group:zeek_opcua_binary;kind:termfield;friendly:identifier str;help:identifier str
-zeek.opcua_binary.is_final=db:zeek.opcua_binary.is_final;group:zeek_opcua_binary;kind:termfield;friendly:is final;help:is final
-zeek.opcua_binary.max_chunk_cnt=db:zeek.opcua_binary.max_chunk_cnt;group:zeek_opcua_binary;kind:integer;friendly:max chunk cnt;help:max chunk cnt
-zeek.opcua_binary.max_msg_size=db:zeek.opcua_binary.max_msg_size;group:zeek_opcua_binary;kind:integer;friendly:max msg size;help:max msg size
-zeek.opcua_binary.msg_size=db:zeek.opcua_binary.msg_size;group:zeek_opcua_binary;kind:integer;friendly:msg size;help:msg size
-zeek.opcua_binary.msg_type=db:zeek.opcua_binary.msg_type;group:zeek_opcua_binary;kind:termfield;friendly:msg type;help:msg type
-zeek.opcua_binary.namespace_idx=db:zeek.opcua_binary.namespace_idx;group:zeek_opcua_binary;kind:integer;friendly:namespace idx;help:namespace idx
-zeek.opcua_binary.opcua_id=db:zeek.opcua_binary.opcua_id;group:zeek_opcua_binary;kind:termfield;friendly:OPCUA ID;help:OPCUA ID
-zeek.opcua_binary.rcv_buf_size=db:zeek.opcua_binary.rcv_buf_size;group:zeek_opcua_binary;kind:integer;friendly:rcv buf size;help:rcv buf size
-zeek.opcua_binary.rcv_cert=db:zeek.opcua_binary.rcv_cert;group:zeek_opcua_binary;kind:termfield;friendly:rcv cert;help:rcv cert
-zeek.opcua_binary.rcv_cert_len=db:zeek.opcua_binary.rcv_cert_len;group:zeek_opcua_binary;kind:integer;friendly:rcv cert len;help:rcv cert len
-zeek.opcua_binary.reason=db:zeek.opcua_binary.reason;group:zeek_opcua_binary;kind:termfield;friendly:reason;help:reason
-zeek.opcua_binary.req_hdr_add_hdr_enc_mask=db:zeek.opcua_binary.req_hdr_add_hdr_enc_mask;group:zeek_opcua_binary;kind:integer;friendly:req hdr add hdr enc mask;help:req hdr add hdr enc mask
-zeek.opcua_binary.req_hdr_add_hdr_type_id=db:zeek.opcua_binary.req_hdr_add_hdr_type_id;group:zeek_opcua_binary;kind:integer;friendly:req add hdr type ID;help:req hdr add hdr type ID
-zeek.opcua_binary.req_hdr_audit_entry_id=db:zeek.opcua_binary.req_hdr_audit_entry_id;group:zeek_opcua_binary;kind:termfield;friendly:req hdr audit entry ID;help:req hdr audit entry ID
-zeek.opcua_binary.req_hdr_node_id_guid=db:zeek.opcua_binary.req_hdr_node_id_guid;group:zeek_opcua_binary;kind:termfield;friendly:req hdr node ID guid;help:req hdr node ID guid
-zeek.opcua_binary.req_hdr_node_id_namespace_idx=db:zeek.opcua_binary.req_hdr_node_id_namespace_idx;group:zeek_opcua_binary;kind:integer;friendly:req hdr node ID namespace idx;help:req hdr node ID namespace idx
-zeek.opcua_binary.req_hdr_node_id_numeric=db:zeek.opcua_binary.req_hdr_node_id_numeric;group:zeek_opcua_binary;kind:integer;friendly:req hdr node ID numeric;help:req hdr node ID numeric
-zeek.opcua_binary.req_hdr_node_id_opaque=db:zeek.opcua_binary.req_hdr_node_id_opaque;group:zeek_opcua_binary;kind:termfield;friendly:req hdr node ID opaque;help:req hdr node ID opaque
-zeek.opcua_binary.req_hdr_node_id_string=db:zeek.opcua_binary.req_hdr_node_id_string;group:zeek_opcua_binary;kind:termfield;friendly:req hdr node ID string;help:req hdr node ID string
-zeek.opcua_binary.req_hdr_node_id_type=db:zeek.opcua_binary.req_hdr_node_id_type;group:zeek_opcua_binary;kind:termfield;friendly:req hdr node ID type;help:req hdr node ID type
-zeek.opcua_binary.req_hdr_request_handle=db:zeek.opcua_binary.req_hdr_request_handle;group:zeek_opcua_binary;kind:integer;friendly:req hdr request handle;help:req hdr request handle
-zeek.opcua_binary.req_hdr_return_diag=db:zeek.opcua_binary.req_hdr_return_diag;group:zeek_opcua_binary;kind:integer;friendly:req hdr return diag;help:req hdr return diag
-zeek.opcua_binary.req_hdr_timeout_hint=db:zeek.opcua_binary.req_hdr_timeout_hint;group:zeek_opcua_binary;kind:termfield;friendly:req hdr timeout hint;help:req hdr timeout hint
-zeek.opcua_binary.req_hdr_timestamp=db:zeek.opcua_binary.req_hdr_timestamp;group:zeek_opcua_binary;kind:termfield;friendly:req hdr timestamp;help:req hdr timestamp
-zeek.opcua_binary.request_id=db:zeek.opcua_binary.request_id;group:zeek_opcua_binary;kind:integer;friendly:request ID;help:request ID
-zeek.opcua_binary.res_hdr_add_hdr_enc_mask=db:zeek.opcua_binary.res_hdr_add_hdr_enc_mask;group:zeek_opcua_binary;kind:integer;friendly:res hdr add hdr enc mask;help:res hdr add hdr enc mask
-zeek.opcua_binary.res_hdr_add_hdr_type_id=db:zeek.opcua_binary.res_hdr_add_hdr_type_id;group:zeek_opcua_binary;kind:integer;friendly:res hdr add hdr type ID;help:res hdr add hdr type ID
-zeek.opcua_binary.res_hdr_request_handle=db:zeek.opcua_binary.res_hdr_request_handle;group:zeek_opcua_binary;kind:integer;friendly:res hdr request handle;help:res hdr request handle
-zeek.opcua_binary.res_hdr_service_diag_encoding=db:zeek.opcua_binary.res_hdr_service_diag_encoding;group:zeek_opcua_binary;kind:integer;friendly:res hdr service diag encoding;help:res hdr service diag encoding
-zeek.opcua_binary.res_hdr_service_result=db:zeek.opcua_binary.res_hdr_service_result;group:zeek_opcua_binary;kind:integer;friendly:res hdr service result;help:res hdr service result
-zeek.opcua_binary.res_hdr_timestamp=db:zeek.opcua_binary.res_hdr_timestamp;group:zeek_opcua_binary;kind:termfield;friendly:res hdr timestamp;help:res hdr timestamp
-zeek.opcua_binary.sec_channel_id=db:zeek.opcua_binary.sec_channel_id;group:zeek_opcua_binary;kind:integer;friendly:sec channel ID;help:sec channel ID
-zeek.opcua_binary.sec_policy_uri=db:zeek.opcua_binary.sec_policy_uri;group:zeek_opcua_binary;kind:termfield;friendly:sec policy URI;help:sec policy URI
-zeek.opcua_binary.sec_policy_uri_len=db:zeek.opcua_binary.sec_policy_uri_len;group:zeek_opcua_binary;kind:integer;friendly:sec policy URI len;help:sec policy URI len
-zeek.opcua_binary.seq_number=db:zeek.opcua_binary.seq_number;group:zeek_opcua_binary;kind:integer;friendly:seq number;help:seq number
-zeek.opcua_binary.snd_buf_size=db:zeek.opcua_binary.snd_buf_size;group:zeek_opcua_binary;kind:integer;friendly:snd buf size;help:snd buf size
-zeek.opcua_binary.snd_cert=db:zeek.opcua_binary.snd_cert;group:zeek_opcua_binary;kind:termfield;friendly:snd cert;help:snd cert
-zeek.opcua_binary.snd_cert_len=db:zeek.opcua_binary.snd_cert_len;group:zeek_opcua_binary;kind:integer;friendly:snd cert len;help:snd cert len
-zeek.opcua_binary.version=db:zeek.opcua_binary.version;group:zeek_opcua_binary;kind:integer;friendly:version;help:version
-
-# opcua-binary-diag-info-detail.log
-# https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek
-zeek.opcua_binary_diag_info_detail.addl_info=db:zeek.opcua_binary_diag_info_detail.addl_info;group:zeek_opcua_binary_diag_info_detail;kind:termfield;friendly:addl info;help:addl info
-zeek.opcua_binary_diag_info_detail.has_addl_info=db:zeek.opcua_binary_diag_info_detail.has_addl_info;group:zeek_opcua_binary_diag_info_detail;kind:termfield;friendly:has addl info;help:has addl info
-zeek.opcua_binary_diag_info_detail.has_inner_diag_info=db:zeek.opcua_binary_diag_info_detail.has_inner_diag_info;group:zeek_opcua_binary_diag_info_detail;kind:termfield;friendly:has inner diag info;help:has inner diag info
-zeek.opcua_binary_diag_info_detail.has_inner_stat_code=db:zeek.opcua_binary_diag_info_detail.has_inner_stat_code;group:zeek_opcua_binary_diag_info_detail;kind:termfield;friendly:has inner stat code;help:has inner stat code
-zeek.opcua_binary_diag_info_detail.has_locale=db:zeek.opcua_binary_diag_info_detail.has_locale;group:zeek_opcua_binary_diag_info_detail;kind:termfield;friendly:has locale;help:has locale
-zeek.opcua_binary_diag_info_detail.has_locale_txt=db:zeek.opcua_binary_diag_info_detail.has_locale_txt;group:zeek_opcua_binary_diag_info_detail;kind:termfield;friendly:has locale txt;help:has locale txt
-zeek.opcua_binary_diag_info_detail.has_namespace_uri=db:zeek.opcua_binary_diag_info_detail.has_namespace_uri;group:zeek_opcua_binary_diag_info_detail;kind:termfield;friendly:has namespace URI;help:has namespace URI
-zeek.opcua_binary_diag_info_detail.has_symbolic_id=db:zeek.opcua_binary_diag_info_detail.has_symbolic_id;group:zeek_opcua_binary_diag_info_detail;kind:termfield;friendly:has symbolic ID;help:has symbolic ID
-zeek.opcua_binary_diag_info_detail.inner_diag_level=db:zeek.opcua_binary_diag_info_detail.inner_diag_level;group:zeek_opcua_binary_diag_info_detail;kind:integer;friendly:inner diag level;help:inner diag level
-zeek.opcua_binary_diag_info_detail.inner_stat_code=db:zeek.opcua_binary_diag_info_detail.inner_stat_code;group:zeek_opcua_binary_diag_info_detail;kind:termfield;friendly:inner stat code;help:inner stat code
-zeek.opcua_binary_diag_info_detail.locale=db:zeek.opcua_binary_diag_info_detail.locale;group:zeek_opcua_binary_diag_info_detail;kind:integer;friendly:locale;help:locale
-zeek.opcua_binary_diag_info_detail.locale_str=db:zeek.opcua_binary_diag_info_detail.locale_str;group:zeek_opcua_binary_diag_info_detail;kind:termfield;friendly:locale str;help:locale str
-zeek.opcua_binary_diag_info_detail.locale_txt=db:zeek.opcua_binary_diag_info_detail.locale_txt;group:zeek_opcua_binary_diag_info_detail;kind:integer;friendly:locale txt;help:locale txt
-zeek.opcua_binary_diag_info_detail.locale_txt_str=db:zeek.opcua_binary_diag_info_detail.locale_txt_str;group:zeek_opcua_binary_diag_info_detail;kind:termfield;friendly:locale txt str;help:locale txt str
-zeek.opcua_binary_diag_info_detail.namespace_uri=db:zeek.opcua_binary_diag_info_detail.namespace_uri;group:zeek_opcua_binary_diag_info_detail;kind:integer;friendly:namespace URI;help:namespace URI
-zeek.opcua_binary_diag_info_detail.namespace_uri_str=db:zeek.opcua_binary_diag_info_detail.namespace_uri_str;group:zeek_opcua_binary_diag_info_detail;kind:termfield;friendly:namespace URI str;help:namespace URI str
-zeek.opcua_binary_diag_info_detail.symbolic_id=db:zeek.opcua_binary_diag_info_detail.symbolic_id;group:zeek_opcua_binary_diag_info_detail;kind:integer;friendly:symbolic ID;help:symbolic ID
-zeek.opcua_binary_diag_info_detail.symbolic_id_str=db:zeek.opcua_binary_diag_info_detail.symbolic_id_str;group:zeek_opcua_binary_diag_info_detail;kind:termfield;friendly:symbolic ID str;help:symbolic ID str
-
-# opcua-binary-get-endpoints.log
-# https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek
-zeek.opcua_binary_get_endpoints.application_type=db:zeek.opcua_binary_get_endpoints.application_type;group:zeek_opcua_binary_get_endpoints;kind:integer;friendly:application type;help:application type
-zeek.opcua_binary_get_endpoints.application_uri=db:zeek.opcua_binary_get_endpoints.application_uri;group:zeek_opcua_binary_get_endpoints;kind:termfield;friendly:application URI;help:application URI
-zeek.opcua_binary_get_endpoints.cert_size=db:zeek.opcua_binary_get_endpoints.cert_size;group:zeek_opcua_binary_get_endpoints;kind:integer;friendly:cert size;help:cert size
-zeek.opcua_binary_get_endpoints.discovery_profile_id=db:zeek.opcua_binary_get_endpoints.discovery_profile_id;group:zeek_opcua_binary_get_endpoints;kind:termfield;friendly:discovery profile ID;help:discovery profile ID
-zeek.opcua_binary_get_endpoints.encoding_mask=db:zeek.opcua_binary_get_endpoints.encoding_mask;group:zeek_opcua_binary_get_endpoints;kind:integer;friendly:encoding mask;help:encoding mask
-zeek.opcua_binary_get_endpoints.endpoint_url=db:zeek.opcua_binary_get_endpoints.endpoint_url;group:zeek_opcua_binary_get_endpoints;kind:termfield;friendly:endpoint URL;help:endpoint URL
-zeek.opcua_binary_get_endpoints.gateway_server_uri=db:zeek.opcua_binary_get_endpoints.gateway_server_uri;group:zeek_opcua_binary_get_endpoints;kind:termfield;friendly:gateway server URI;help:gateway server URI
-zeek.opcua_binary_get_endpoints.locale=db:zeek.opcua_binary_get_endpoints.locale;group:zeek_opcua_binary_get_endpoints;kind:termfield;friendly:locale;help:locale
-zeek.opcua_binary_get_endpoints.locale_id=db:zeek.opcua_binary_get_endpoints.locale_id;group:zeek_opcua_binary_get_endpoints;kind:termfield;friendly:locale ID;help:locale ID
-zeek.opcua_binary_get_endpoints.message_security_mode=db:zeek.opcua_binary_get_endpoints.message_security_mode;group:zeek_opcua_binary_get_endpoints;kind:integer;friendly:message security mode;help:message security mode
-zeek.opcua_binary_get_endpoints.product_uri=db:zeek.opcua_binary_get_endpoints.product_uri;group:zeek_opcua_binary_get_endpoints;kind:termfield;friendly:product URI;help:product URI
-zeek.opcua_binary_get_endpoints.profile_uri=db:zeek.opcua_binary_get_endpoints.profile_uri;group:zeek_opcua_binary_get_endpoints;kind:termfield;friendly:profile URI;help:profile URI
-zeek.opcua_binary_get_endpoints.security_level=db:zeek.opcua_binary_get_endpoints.security_level;group:zeek_opcua_binary_get_endpoints;kind:integer;friendly:security level;help:security level -zeek.opcua_binary_get_endpoints.security_policy_uri=db:zeek.opcua_binary_get_endpoints.security_policy_uri;group:zeek_opcua_binary_get_endpoints;kind:termfield;friendly:security policy URI;help:security policy URI -zeek.opcua_binary_get_endpoints.server_cert=db:zeek.opcua_binary_get_endpoints.server_cert;group:zeek_opcua_binary_get_endpoints;kind:termfield;friendly:server cert;help:server cert -zeek.opcua_binary_get_endpoints.text=db:zeek.opcua_binary_get_endpoints.text;group:zeek_opcua_binary_get_endpoints;kind:termfield;friendly:text;help:text -zeek.opcua_binary_get_endpoints.transport_profile_uri=db:zeek.opcua_binary_get_endpoints.transport_profile_uri;group:zeek_opcua_binary_get_endpoints;kind:termfield;friendly:transport profile URI;help:transport profile URI -zeek.opcua_binary_get_endpoints.user_token_id=db:zeek.opcua_binary_get_endpoints.user_token_id;group:zeek_opcua_binary_get_endpoints;kind:termfield;friendly:user token ID;help:user token ID - -# opcua-binary-get-endpoints-discovery.log -# https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek -zeek.opcua_binary_get_endpoints_discovery.discovery_profile_id=db:zeek.opcua_binary_get_endpoints_discovery.discovery_profile_id;group:zeek_opcua_binary_get_endpoints_discovery;kind:termfield;friendly:discovery profile ID;help:discovery profile ID -zeek.opcua_binary_get_endpoints_discovery.discovery_profile_uri=db:zeek.opcua_binary_get_endpoints_discovery.discovery_profile_uri;group:zeek_opcua_binary_get_endpoints_discovery;kind:termfield;friendly:discovery profile URI;help:discovery profile URI 
-zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url=db:zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url;group:zeek_opcua_binary_get_endpoints_discovery;kind:termfield;friendly:discovery profile URL;help:discovery profile URL - -# opcua-binary-get-endpoints-user-token.log -# https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek -zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url=db:zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url;group:zeek_opcua_binary_get_endpoints_user_token;kind:termfield;friendly:user token endpoint URL;help:user token endpoint URL -zeek.opcua_binary_get_endpoints_user_token.user_token_id=db:zeek.opcua_binary_get_endpoints_user_token.user_token_id;group:zeek_opcua_binary_get_endpoints_user_token;kind:termfield;friendly:user token ID;help:user token ID -zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type=db:zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type;group:zeek_opcua_binary_get_endpoints_user_token;kind:termfield;friendly:user token issued type;help:user token issued type -zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id=db:zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id;group:zeek_opcua_binary_get_endpoints_user_token;kind:termfield;friendly:user token policy ID;help:user token policy ID -zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri=db:zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri;group:zeek_opcua_binary_get_endpoints_user_token;kind:termfield;friendly:user token sec policy URI;help:user token sec policy URI -zeek.opcua_binary_get_endpoints_user_token.user_token_type=db:zeek.opcua_binary_get_endpoints_user_token.user_token_type;group:zeek_opcua_binary_get_endpoints_user_token;kind:integer;friendly:user token type;help:user token type - -# opcua-binary-opensecure-channel.log -# 
https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek -zeek.opcua_binary_opensecure_channel.client_nonce=db:zeek.opcua_binary_opensecure_channel.client_nonce;group:zeek_opcua_binary_opensecure_channel;kind:termfield;friendly:client nonce;help:client nonce -zeek.opcua_binary_opensecure_channel.client_proto_ver=db:zeek.opcua_binary_opensecure_channel.client_proto_ver;group:zeek_opcua_binary_opensecure_channel;kind:integer;friendly:client proto ver;help:client proto ver -zeek.opcua_binary_opensecure_channel.message_security_mode=db:zeek.opcua_binary_opensecure_channel.message_security_mode;group:zeek_opcua_binary_opensecure_channel;kind:integer;friendly:message security mode;help:message security mode -zeek.opcua_binary_opensecure_channel.req_lifetime=db:zeek.opcua_binary_opensecure_channel.req_lifetime;group:zeek_opcua_binary_opensecure_channel;kind:integer;friendly:req lifetime;help:req lifetime -zeek.opcua_binary_opensecure_channel.sec_token_created_at=db:zeek.opcua_binary_opensecure_channel.sec_token_created_at;group:zeek_opcua_binary_opensecure_channel;kind:termfield;friendly:sec token created at;help:sec token created at -zeek.opcua_binary_opensecure_channel.sec_token_id=db:zeek.opcua_binary_opensecure_channel.sec_token_id;group:zeek_opcua_binary_opensecure_channel;kind:integer;friendly:sec token ID;help:sec token ID -zeek.opcua_binary_opensecure_channel.sec_token_request_type=db:zeek.opcua_binary_opensecure_channel.sec_token_request_type;group:zeek_opcua_binary_opensecure_channel;kind:integer;friendly:sec token request type;help:sec token request type -zeek.opcua_binary_opensecure_channel.sec_token_revised_time=db:zeek.opcua_binary_opensecure_channel.sec_token_revised_time;group:zeek_opcua_binary_opensecure_channel;kind:integer;friendly:sec token revised time;help:sec token revised time 
-zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id=db:zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id;group:zeek_opcua_binary_opensecure_channel;kind:integer;friendly:sec token sec channel ID;help:sec token sec channel ID -zeek.opcua_binary_opensecure_channel.server_nonce=db:zeek.opcua_binary_opensecure_channel.server_nonce;group:zeek_opcua_binary_opensecure_channel;kind:termfield;friendly:server nonce;help:server nonce -zeek.opcua_binary_opensecure_channel.server_proto_ver=db:zeek.opcua_binary_opensecure_channel.server_proto_ver;group:zeek_opcua_binary_opensecure_channel;kind:integer;friendly:server proto ver;help:server proto ver - -# opcua-binary-status-code-detail.log -# https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek -zeek.opcua_binary_status_code_detail.historian_bits=db:zeek.opcua_binary_status_code_detail.historian_bits;group:zeek_opcua_binary_status_code_detail;kind:integer;friendly:historian bits;help:historian bits -zeek.opcua_binary_status_code_detail.historian_bits_str=db:zeek.opcua_binary_status_code_detail.historian_bits_str;group:zeek_opcua_binary_status_code_detail;kind:termfield;friendly:historian bits str;help:historian bits str -zeek.opcua_binary_status_code_detail.historianExtraData=db:zeek.opcua_binary_status_code_detail.historianExtraData;group:zeek_opcua_binary_status_code_detail;kind:termfield;friendly:historianExtraData;help:historianExtraData -zeek.opcua_binary_status_code_detail.historianMultiValue=db:zeek.opcua_binary_status_code_detail.historianMultiValue;group:zeek_opcua_binary_status_code_detail;kind:termfield;friendly:historianMultiValue;help:historianMultiValue -zeek.opcua_binary_status_code_detail.historianPartial=db:zeek.opcua_binary_status_code_detail.historianPartial;group:zeek_opcua_binary_status_code_detail;kind:termfield;friendly:historianPartial;help:historianPartial 
-zeek.opcua_binary_status_code_detail.info_type=db:zeek.opcua_binary_status_code_detail.info_type;group:zeek_opcua_binary_status_code_detail;kind:integer;friendly:info type;help:info type -zeek.opcua_binary_status_code_detail.info_type_str=db:zeek.opcua_binary_status_code_detail.info_type_str;group:zeek_opcua_binary_status_code_detail;kind:termfield;friendly:info type str;help:info type str -zeek.opcua_binary_status_code_detail.limit_bits=db:zeek.opcua_binary_status_code_detail.limit_bits;group:zeek_opcua_binary_status_code_detail;kind:integer;friendly:limit bits;help:limit bits -zeek.opcua_binary_status_code_detail.limit_bits_str=db:zeek.opcua_binary_status_code_detail.limit_bits_str;group:zeek_opcua_binary_status_code_detail;kind:termfield;friendly:limit bits str;help:limit bits str -zeek.opcua_binary_status_code_detail.overflow=db:zeek.opcua_binary_status_code_detail.overflow;group:zeek_opcua_binary_status_code_detail;kind:termfield;friendly:overflow;help:overflow -zeek.opcua_binary_status_code_detail.semantics_changed=db:zeek.opcua_binary_status_code_detail.semantics_changed;group:zeek_opcua_binary_status_code_detail;kind:termfield;friendly:semantics changed;help:semantics changed -zeek.opcua_binary_status_code_detail.severity=db:zeek.opcua_binary_status_code_detail.severity;group:zeek_opcua_binary_status_code_detail;kind:integer;friendly:severity;help:severity -zeek.opcua_binary_status_code_detail.severity_str=db:zeek.opcua_binary_status_code_detail.severity_str;group:zeek_opcua_binary_status_code_detail;kind:termfield;friendly:severity str;help:severity str -zeek.opcua_binary_status_code_detail.source=db:zeek.opcua_binary_status_code_detail.source;group:zeek_opcua_binary_status_code_detail;kind:integer;friendly:source;help:source -zeek.opcua_binary_status_code_detail.source_str=db:zeek.opcua_binary_status_code_detail.source_str;group:zeek_opcua_binary_status_code_detail;kind:termfield;friendly:source str;help:source str 
-zeek.opcua_binary_status_code_detail.status_code=db:zeek.opcua_binary_status_code_detail.status_code;group:zeek_opcua_binary_status_code_detail;kind:termfield;friendly:status code;help:status code -zeek.opcua_binary_status_code_detail.structure_changed=db:zeek.opcua_binary_status_code_detail.structure_changed;group:zeek_opcua_binary_status_code_detail;kind:termfield;friendly:structure changed;help:structure changed -zeek.opcua_binary_status_code_detail.sub_code=db:zeek.opcua_binary_status_code_detail.sub_code;group:zeek_opcua_binary_status_code_detail;kind:integer;friendly:sub code;help:sub code -zeek.opcua_binary_status_code_detail.sub_code_str=db:zeek.opcua_binary_status_code_detail.sub_code_str;group:zeek_opcua_binary_status_code_detail;kind:termfield;friendly:sub code str;help:sub code str +# ocpua-binary and related logs +# https://github.com/cisagov/icsnpp-opcua-binary +zeek.opcua_binary.encoding_mask=db:zeek.opcua_binary.encoding_mask;group:zeek_opcua;kind:integer;friendly:encoding_mask;help:encoding_mask +zeek.opcua_binary.endpoint_url=db:zeek.opcua_binary.endpoint_url;group:zeek_opcua;kind:termfield;friendly:endpoint_url;help:endpoint_url +zeek.opcua_binary.error=db:zeek.opcua_binary.error;group:zeek_opcua;kind:integer;friendly:error;help:error +zeek.opcua_binary.identifier=db:zeek.opcua_binary.identifier;group:zeek_opcua;kind:integer;friendly:identifier;help:identifier +zeek.opcua_binary.identifier_str=db:zeek.opcua_binary.identifier_str;group:zeek_opcua;kind:termfield;friendly:identifier_str;help:identifier_str +zeek.opcua_binary.is_final=db:zeek.opcua_binary.is_final;group:zeek_opcua;kind:termfield;friendly:is_final;help:is_final +zeek.opcua_binary.log_types=db:zeek.opcua_binary.log_types;group:zeek_opcua;kind:integer;friendly:log_types;help:log_types +zeek.opcua_binary.max_chunk_cnt=db:zeek.opcua_binary.max_chunk_cnt;group:zeek_opcua;kind:integer;friendly:max_chunk_cnt;help:max_chunk_cnt 
+zeek.opcua_binary.max_msg_size=db:zeek.opcua_binary.max_msg_size;group:zeek_opcua;kind:integer;friendly:max_msg_size;help:max_msg_size +zeek.opcua_binary.msg_size=db:zeek.opcua_binary.msg_size;group:zeek_opcua;kind:integer;friendly:msg_size;help:msg_size +zeek.opcua_binary.msg_type=db:zeek.opcua_binary.msg_type;group:zeek_opcua;kind:termfield;friendly:msg_type;help:msg_type +zeek.opcua_binary.namespace_idx=db:zeek.opcua_binary.namespace_idx;group:zeek_opcua;kind:integer;friendly:namespace_idx;help:namespace_idx +zeek.opcua_binary.opcua_link_id=db:zeek.opcua_binary.opcua_link_id;group:zeek_opcua;kind:termfield;friendly:opcua_link_id;help:opcua_link_id +zeek.opcua_binary.rcv_buf_size=db:zeek.opcua_binary.rcv_buf_size;group:zeek_opcua;kind:integer;friendly:rcv_buf_size;help:rcv_buf_size +zeek.opcua_binary.rcv_cert=db:zeek.opcua_binary.rcv_cert;group:zeek_opcua;kind:termfield;friendly:rcv_cert;help:rcv_cert +zeek.opcua_binary.rcv_cert_len=db:zeek.opcua_binary.rcv_cert_len;group:zeek_opcua;kind:integer;friendly:rcv_cert_len;help:rcv_cert_len +zeek.opcua_binary.reason=db:zeek.opcua_binary.reason;group:zeek_opcua;kind:termfield;friendly:reason;help:reason +zeek.opcua_binary.req_hdr_add_hdr_enc_mask=db:zeek.opcua_binary.req_hdr_add_hdr_enc_mask;group:zeek_opcua;kind:integer;friendly:req_hdr_add_hdr_enc_mask;help:req_hdr_add_hdr_enc_mask +zeek.opcua_binary.req_hdr_add_hdr_type_id=db:zeek.opcua_binary.req_hdr_add_hdr_type_id;group:zeek_opcua;kind:integer;friendly:req_hdr_add_hdr_type_id;help:req_hdr_add_hdr_type_id +zeek.opcua_binary.req_hdr_audit_entry_id=db:zeek.opcua_binary.req_hdr_audit_entry_id;group:zeek_opcua;kind:termfield;friendly:req_hdr_audit_entry_id;help:req_hdr_audit_entry_id +zeek.opcua_binary.req_hdr_node_id_guid=db:zeek.opcua_binary.req_hdr_node_id_guid;group:zeek_opcua;kind:termfield;friendly:req_hdr_node_id_guid;help:req_hdr_node_id_guid 
+zeek.opcua_binary.req_hdr_node_id_namespace_idx=db:zeek.opcua_binary.req_hdr_node_id_namespace_idx;group:zeek_opcua;kind:integer;friendly:req_hdr_node_id_namespace_idx;help:req_hdr_node_id_namespace_idx +zeek.opcua_binary.req_hdr_node_id_numeric=db:zeek.opcua_binary.req_hdr_node_id_numeric;group:zeek_opcua;kind:integer;friendly:req_hdr_node_id_numeric;help:req_hdr_node_id_numeric +zeek.opcua_binary.req_hdr_node_id_opaque=db:zeek.opcua_binary.req_hdr_node_id_opaque;group:zeek_opcua;kind:termfield;friendly:req_hdr_node_id_opaque;help:req_hdr_node_id_opaque +zeek.opcua_binary.req_hdr_node_id_string=db:zeek.opcua_binary.req_hdr_node_id_string;group:zeek_opcua;kind:termfield;friendly:req_hdr_node_id_string;help:req_hdr_node_id_string +zeek.opcua_binary.req_hdr_node_id_type=db:zeek.opcua_binary.req_hdr_node_id_type;group:zeek_opcua;kind:termfield;friendly:req_hdr_node_id_type;help:req_hdr_node_id_type +zeek.opcua_binary.req_hdr_request_handle=db:zeek.opcua_binary.req_hdr_request_handle;group:zeek_opcua;kind:integer;friendly:req_hdr_request_handle;help:req_hdr_request_handle +zeek.opcua_binary.req_hdr_return_diag=db:zeek.opcua_binary.req_hdr_return_diag;group:zeek_opcua;kind:integer;friendly:req_hdr_return_diag;help:req_hdr_return_diag +zeek.opcua_binary.req_hdr_timeout_hint=db:zeek.opcua_binary.req_hdr_timeout_hint;group:zeek_opcua;kind:integer;friendly:req_hdr_timeout_hint;help:req_hdr_timeout_hint +zeek.opcua_binary.req_hdr_timestamp=db:zeek.opcua_binary.req_hdr_timestamp;group:zeek_opcua;kind:termfield;friendly:req_hdr_timestamp;help:req_hdr_timestamp +zeek.opcua_binary.request_id=db:zeek.opcua_binary.request_id;group:zeek_opcua;kind:integer;friendly:request_id;help:request_id +zeek.opcua_binary.res_hdr_add_hdr_enc_mask=db:zeek.opcua_binary.res_hdr_add_hdr_enc_mask;group:zeek_opcua;kind:integer;friendly:res_hdr_add_hdr_enc_mask;help:res_hdr_add_hdr_enc_mask 
+zeek.opcua_binary.res_hdr_add_hdr_type_id=db:zeek.opcua_binary.res_hdr_add_hdr_type_id;group:zeek_opcua;kind:integer;friendly:res_hdr_add_hdr_type_id;help:res_hdr_add_hdr_type_id +zeek.opcua_binary.res_hdr_request_handle=db:zeek.opcua_binary.res_hdr_request_handle;group:zeek_opcua;kind:integer;friendly:res_hdr_request_handle;help:res_hdr_request_handle +zeek.opcua_binary.res_hdr_service_diag_encoding=db:zeek.opcua_binary.res_hdr_service_diag_encoding;group:zeek_opcua;kind:integer;friendly:res_hdr_service_diag_encoding;help:res_hdr_service_diag_encoding +zeek.opcua_binary.res_hdr_timestamp=db:zeek.opcua_binary.res_hdr_timestamp;group:zeek_opcua;kind:termfield;friendly:res_hdr_timestamp;help:res_hdr_timestamp +zeek.opcua_binary.sec_channel_id=db:zeek.opcua_binary.sec_channel_id;group:zeek_opcua;kind:integer;friendly:sec_channel_id;help:sec_channel_id +zeek.opcua_binary.sec_policy_uri=db:zeek.opcua_binary.sec_policy_uri;group:zeek_opcua;kind:termfield;friendly:sec_policy_uri;help:sec_policy_uri +zeek.opcua_binary.sec_policy_uri_len=db:zeek.opcua_binary.sec_policy_uri_len;group:zeek_opcua;kind:integer;friendly:sec_policy_uri_len;help:sec_policy_uri_len +zeek.opcua_binary.seq_number=db:zeek.opcua_binary.seq_number;group:zeek_opcua;kind:integer;friendly:seq_number;help:seq_number +zeek.opcua_binary.snd_buf_size=db:zeek.opcua_binary.snd_buf_size;group:zeek_opcua;kind:integer;friendly:snd_buf_size;help:snd_buf_size +zeek.opcua_binary.snd_cert=db:zeek.opcua_binary.snd_cert;group:zeek_opcua;kind:termfield;friendly:snd_cert;help:snd_cert +zeek.opcua_binary.snd_cert_len=db:zeek.opcua_binary.snd_cert_len;group:zeek_opcua;kind:integer;friendly:snd_cert_len;help:snd_cert_len +zeek.opcua_binary.version=db:zeek.opcua_binary.version;group:zeek_opcua;kind:integer;friendly:version;help:version +zeek.opcua_binary_activate_session.client_algorithm=db:zeek.opcua_binary_activate_session.client_algorithm;group:zeek_opcua;kind:termfield;friendly:client_algorithm;help:client_algorithm 
+zeek.opcua_binary_activate_session.client_signature=db:zeek.opcua_binary_activate_session.client_signature;group:zeek_opcua;kind:termfield;friendly:client_signature;help:client_signature +zeek.opcua_binary_activate_session.ext_obj_certificate_data=db:zeek.opcua_binary_activate_session.ext_obj_certificate_data;group:zeek_opcua;kind:termfield;friendly:ext_obj_certificate_data;help:ext_obj_certificate_data +zeek.opcua_binary_activate_session.ext_obj_encoding=db:zeek.opcua_binary_activate_session.ext_obj_encoding;group:zeek_opcua;kind:termfield;friendly:ext_obj_encoding;help:ext_obj_encoding +zeek.opcua_binary_activate_session.ext_obj_encryption_algorithom=db:zeek.opcua_binary_activate_session.ext_obj_encryption_algorithom;group:zeek_opcua;kind:termfield;friendly:ext_obj_encryption_algorithom;help:ext_obj_encryption_algorithom +zeek.opcua_binary_activate_session.ext_obj_password=db:zeek.opcua_binary_activate_session.ext_obj_password;group:zeek_opcua;kind:termfield;friendly:ext_obj_password;help:ext_obj_password +zeek.opcua_binary_activate_session.ext_obj_policy_id=db:zeek.opcua_binary_activate_session.ext_obj_policy_id;group:zeek_opcua;kind:termfield;friendly:ext_obj_policy_id;help:ext_obj_policy_id +zeek.opcua_binary_activate_session.ext_obj_token_data=db:zeek.opcua_binary_activate_session.ext_obj_token_data;group:zeek_opcua;kind:termfield;friendly:ext_obj_token_data;help:ext_obj_token_data +zeek.opcua_binary_activate_session.ext_obj_type_id_encoding_mask=db:zeek.opcua_binary_activate_session.ext_obj_type_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_encoding_mask;help:ext_obj_type_id_encoding_mask +zeek.opcua_binary_activate_session.ext_obj_type_id_guid=db:zeek.opcua_binary_activate_session.ext_obj_type_id_guid;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_guid;help:ext_obj_type_id_guid 
+zeek.opcua_binary_activate_session.ext_obj_type_id_namespace_idx=db:zeek.opcua_binary_activate_session.ext_obj_type_id_namespace_idx;group:zeek_opcua;kind:integer;friendly:ext_obj_type_id_namespace_idx;help:ext_obj_type_id_namespace_idx +zeek.opcua_binary_activate_session.ext_obj_type_id_numeric=db:zeek.opcua_binary_activate_session.ext_obj_type_id_numeric;group:zeek_opcua;kind:integer;friendly:ext_obj_type_id_numeric;help:ext_obj_type_id_numeric +zeek.opcua_binary_activate_session.ext_obj_type_id_opaque=db:zeek.opcua_binary_activate_session.ext_obj_type_id_opaque;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_opaque;help:ext_obj_type_id_opaque +zeek.opcua_binary_activate_session.ext_obj_type_id_str=db:zeek.opcua_binary_activate_session.ext_obj_type_id_str;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_str;help:ext_obj_type_id_str +zeek.opcua_binary_activate_session.ext_obj_type_id_string=db:zeek.opcua_binary_activate_session.ext_obj_type_id_string;group:zeek_opcua;kind:termfield;friendly:ext_obj_type_id_string;help:ext_obj_type_id_string +zeek.opcua_binary_activate_session.ext_obj_user_name=db:zeek.opcua_binary_activate_session.ext_obj_user_name;group:zeek_opcua;kind:termfield;friendly:ext_obj_user_name;help:ext_obj_user_name +zeek.opcua_binary_activate_session.server_nonce=db:zeek.opcua_binary_activate_session.server_nonce;group:zeek_opcua;kind:termfield;friendly:server_nonce;help:server_nonce +zeek.opcua_binary_activate_session.user_token_algorithm=db:zeek.opcua_binary_activate_session.user_token_algorithm;group:zeek_opcua;kind:termfield;friendly:user_token_algorithm;help:user_token_algorithm +zeek.opcua_binary_activate_session.user_token_signature=db:zeek.opcua_binary_activate_session.user_token_signature;group:zeek_opcua;kind:termfield;friendly:user_token_signature;help:user_token_signature 
+zeek.opcua_binary_activate_session_client_software_cert.cert_data=db:zeek.opcua_binary_activate_session_client_software_cert.cert_data;group:zeek_opcua;kind:termfield;friendly:cert_data;help:cert_data +zeek.opcua_binary_activate_session_client_software_cert.cert_signature=db:zeek.opcua_binary_activate_session_client_software_cert.cert_signature;group:zeek_opcua;kind:termfield;friendly:cert_signature;help:cert_signature +zeek.opcua_binary_activate_session_client_software_cert.client_software_cert_id=db:zeek.opcua_binary_activate_session_client_software_cert.client_software_cert_id;group:zeek_opcua;kind:termfield;friendly:client_software_cert_id;help:client_software_cert_id +zeek.opcua_binary_activate_session_diagnostic_info.activate_session_diag_info_link_id=db:zeek.opcua_binary_activate_session_diagnostic_info.activate_session_diag_info_link_id;group:zeek_opcua;kind:termfield;friendly:activate_session_diag_info_link_id;help:activate_session_diag_info_link_id +zeek.opcua_binary_activate_session_locale_id.locale_id=db:zeek.opcua_binary_activate_session_locale_id.locale_id;group:zeek_opcua;kind:termfield;friendly:locale_id;help:locale_id +zeek.opcua_binary_activate_session_locale_id.locale_link_id=db:zeek.opcua_binary_activate_session_locale_id.locale_link_id;group:zeek_opcua;kind:termfield;friendly:locale_link_id;help:locale_link_id +zeek.opcua_binary_browse.browse_next_release_continuation_point=db:zeek.opcua_binary_browse.browse_next_release_continuation_point;group:zeek_opcua;kind:termfield;friendly:browse_next_release_continuation_point;help:browse_next_release_continuation_point +zeek.opcua_binary_browse.browse_service_type=db:zeek.opcua_binary_browse.browse_service_type;group:zeek_opcua;kind:termfield;friendly:browse_service_type;help:browse_service_type 
+zeek.opcua_binary_browse.browse_view_description_timestamp=db:zeek.opcua_binary_browse.browse_view_description_timestamp;group:zeek_opcua;kind:termfield;friendly:browse_view_description_timestamp;help:browse_view_description_timestamp +zeek.opcua_binary_browse.browse_view_description_view_version=db:zeek.opcua_binary_browse.browse_view_description_view_version;group:zeek_opcua;kind:integer;friendly:browse_view_description_view_version;help:browse_view_description_view_version +zeek.opcua_binary_browse.browse_view_id_encoding_mask=db:zeek.opcua_binary_browse.browse_view_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_view_id_encoding_mask;help:browse_view_id_encoding_mask +zeek.opcua_binary_browse.browse_view_id_guid=db:zeek.opcua_binary_browse.browse_view_id_guid;group:zeek_opcua;kind:termfield;friendly:browse_view_id_guid;help:browse_view_id_guid +zeek.opcua_binary_browse.browse_view_id_namespace_idx=db:zeek.opcua_binary_browse.browse_view_id_namespace_idx;group:zeek_opcua;kind:integer;friendly:browse_view_id_namespace_idx;help:browse_view_id_namespace_idx +zeek.opcua_binary_browse.browse_view_id_numeric=db:zeek.opcua_binary_browse.browse_view_id_numeric;group:zeek_opcua;kind:integer;friendly:browse_view_id_numeric;help:browse_view_id_numeric +zeek.opcua_binary_browse.browse_view_id_opaque=db:zeek.opcua_binary_browse.browse_view_id_opaque;group:zeek_opcua;kind:termfield;friendly:browse_view_id_opaque;help:browse_view_id_opaque +zeek.opcua_binary_browse.browse_view_id_string=db:zeek.opcua_binary_browse.browse_view_id_string;group:zeek_opcua;kind:termfield;friendly:browse_view_id_string;help:browse_view_id_string +zeek.opcua_binary_browse.req_max_ref_nodes=db:zeek.opcua_binary_browse.req_max_ref_nodes;group:zeek_opcua;kind:integer;friendly:req_max_ref_nodes;help:req_max_ref_nodes 
+zeek.opcua_binary_browse_description.browse_description_encoding_mask=db:zeek.opcua_binary_browse_description.browse_description_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_description_encoding_mask;help:browse_description_encoding_mask +zeek.opcua_binary_browse_description.browse_description_guid=db:zeek.opcua_binary_browse_description.browse_description_guid;group:zeek_opcua;kind:termfield;friendly:browse_description_guid;help:browse_description_guid +zeek.opcua_binary_browse_description.browse_description_include_subtypes=db:zeek.opcua_binary_browse_description.browse_description_include_subtypes;group:zeek_opcua;kind:termfield;friendly:browse_description_include_subtypes;help:browse_description_include_subtypes +zeek.opcua_binary_browse_description.browse_description_link_id=db:zeek.opcua_binary_browse_description.browse_description_link_id;group:zeek_opcua;kind:termfield;friendly:browse_description_link_id;help:browse_description_link_id +zeek.opcua_binary_browse_description.browse_description_namespace_idx=db:zeek.opcua_binary_browse_description.browse_description_namespace_idx;group:zeek_opcua;kind:integer;friendly:browse_description_namespace_idx;help:browse_description_namespace_idx +zeek.opcua_binary_browse_description.browse_description_numeric=db:zeek.opcua_binary_browse_description.browse_description_numeric;group:zeek_opcua;kind:integer;friendly:browse_description_numeric;help:browse_description_numeric +zeek.opcua_binary_browse_description.browse_description_opaque=db:zeek.opcua_binary_browse_description.browse_description_opaque;group:zeek_opcua;kind:termfield;friendly:browse_description_opaque;help:browse_description_opaque +zeek.opcua_binary_browse_description.browse_description_ref_encoding_mask=db:zeek.opcua_binary_browse_description.browse_description_ref_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_description_ref_encoding_mask;help:browse_description_ref_encoding_mask 
+zeek.opcua_binary_browse_description.browse_description_ref_guid=db:zeek.opcua_binary_browse_description.browse_description_ref_guid;group:zeek_opcua;kind:termfield;friendly:browse_description_ref_guid;help:browse_description_ref_guid +zeek.opcua_binary_browse_description.browse_description_ref_namespace_idx=db:zeek.opcua_binary_browse_description.browse_description_ref_namespace_idx;group:zeek_opcua;kind:integer;friendly:browse_description_ref_namespace_idx;help:browse_description_ref_namespace_idx +zeek.opcua_binary_browse_description.browse_description_ref_numeric=db:zeek.opcua_binary_browse_description.browse_description_ref_numeric;group:zeek_opcua;kind:integer;friendly:browse_description_ref_numeric;help:browse_description_ref_numeric +zeek.opcua_binary_browse_description.browse_description_ref_opaque=db:zeek.opcua_binary_browse_description.browse_description_ref_opaque;group:zeek_opcua;kind:termfield;friendly:browse_description_ref_opaque;help:browse_description_ref_opaque +zeek.opcua_binary_browse_description.browse_description_ref_string=db:zeek.opcua_binary_browse_description.browse_description_ref_string;group:zeek_opcua;kind:termfield;friendly:browse_description_ref_string;help:browse_description_ref_string +zeek.opcua_binary_browse_description.browse_description_string=db:zeek.opcua_binary_browse_description.browse_description_string;group:zeek_opcua;kind:termfield;friendly:browse_description_string;help:browse_description_string +zeek.opcua_binary_browse_description.browse_direction=db:zeek.opcua_binary_browse_description.browse_direction;group:zeek_opcua;kind:termfield;friendly:browse_direction;help:browse_direction +zeek.opcua_binary_browse_description.browse_node_class_mask=db:zeek.opcua_binary_browse_description.browse_node_class_mask;group:zeek_opcua;kind:termfield;friendly:browse_node_class_mask;help:browse_node_class_mask 
+zeek.opcua_binary_browse_description.browse_result_mask=db:zeek.opcua_binary_browse_description.browse_result_mask;group:zeek_opcua;kind:termfield;friendly:browse_result_mask;help:browse_result_mask
+zeek.opcua_binary_browse_diagnostic_info.browse_diag_info_link_id=db:zeek.opcua_binary_browse_diagnostic_info.browse_diag_info_link_id;group:zeek_opcua;kind:termfield;friendly:browse_diag_info_link_id;help:browse_diag_info_link_id
+zeek.opcua_binary_browse_request_continuation_point.browse_next_link_id=db:zeek.opcua_binary_browse_request_continuation_point.browse_next_link_id;group:zeek_opcua;kind:termfield;friendly:browse_next_link_id;help:browse_next_link_id
+zeek.opcua_binary_browse_request_continuation_point.continuation_point=db:zeek.opcua_binary_browse_request_continuation_point.continuation_point;group:zeek_opcua;kind:termfield;friendly:continuation_point;help:continuation_point
+zeek.opcua_binary_browse_response_references.browse_reference_link_id=db:zeek.opcua_binary_browse_response_references.browse_reference_link_id;group:zeek_opcua;kind:termfield;friendly:browse_reference_link_id;help:browse_reference_link_id
+zeek.opcua_binary_browse_response_references.browse_response_display_name_locale=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_locale;group:zeek_opcua;kind:termfield;friendly:browse_response_display_name_locale;help:browse_response_display_name_locale
+zeek.opcua_binary_browse_response_references.browse_response_display_name_mask=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_mask;group:zeek_opcua;kind:termfield;friendly:browse_response_display_name_mask;help:browse_response_display_name_mask
+zeek.opcua_binary_browse_response_references.browse_response_display_name_text=db:zeek.opcua_binary_browse_response_references.browse_response_display_name_text;group:zeek_opcua;kind:termfield;friendly:browse_response_display_name_text;help:browse_response_display_name_text
+zeek.opcua_binary_browse_response_references.browse_response_is_forward=db:zeek.opcua_binary_browse_response_references.browse_response_is_forward;group:zeek_opcua;kind:termfield;friendly:browse_response_is_forward;help:browse_response_is_forward
+zeek.opcua_binary_browse_response_references.browse_response_node_class=db:zeek.opcua_binary_browse_response_references.browse_response_node_class;group:zeek_opcua;kind:termfield;friendly:browse_response_node_class;help:browse_response_node_class
+zeek.opcua_binary_browse_response_references.browse_response_ref_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_ref_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_encoding_mask;help:browse_response_ref_encoding_mask
+zeek.opcua_binary_browse_response_references.browse_response_ref_guid=db:zeek.opcua_binary_browse_response_references.browse_response_ref_guid;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_guid;help:browse_response_ref_guid
+zeek.opcua_binary_browse_response_references.browse_response_ref_name=db:zeek.opcua_binary_browse_response_references.browse_response_ref_name;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_name;help:browse_response_ref_name
+zeek.opcua_binary_browse_response_references.browse_response_ref_name_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_name_idx;group:zeek_opcua;kind:integer;friendly:browse_response_ref_name_idx;help:browse_response_ref_name_idx
+zeek.opcua_binary_browse_response_references.browse_response_ref_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_namespace_idx;group:zeek_opcua;kind:integer;friendly:browse_response_ref_namespace_idx;help:browse_response_ref_namespace_idx
+zeek.opcua_binary_browse_response_references.browse_response_ref_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_ref_numeric;group:zeek_opcua;kind:integer;friendly:browse_response_ref_numeric;help:browse_response_ref_numeric
+zeek.opcua_binary_browse_response_references.browse_response_ref_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_ref_opaque;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_opaque;help:browse_response_ref_opaque
+zeek.opcua_binary_browse_response_references.browse_response_ref_string=db:zeek.opcua_binary_browse_response_references.browse_response_ref_string;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_string;help:browse_response_ref_string
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_encoding_mask;help:browse_response_ref_type_encoding_mask
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_guid=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_guid;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_guid;help:browse_response_ref_type_guid
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_idx;group:zeek_opcua;kind:integer;friendly:browse_response_ref_type_namespace_idx;help:browse_response_ref_type_namespace_idx
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_uri=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_uri;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_namespace_uri;help:browse_response_ref_type_namespace_uri
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_numeric;group:zeek_opcua;kind:integer;friendly:browse_response_ref_type_numeric;help:browse_response_ref_type_numeric
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_opaque;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_opaque;help:browse_response_ref_type_opaque
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_server_idx=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_server_idx;group:zeek_opcua;kind:integer;friendly:browse_response_ref_type_server_idx;help:browse_response_ref_type_server_idx
+zeek.opcua_binary_browse_response_references.browse_response_ref_type_string=db:zeek.opcua_binary_browse_response_references.browse_response_ref_type_string;group:zeek_opcua;kind:termfield;friendly:browse_response_ref_type_string;help:browse_response_ref_type_string
+zeek.opcua_binary_browse_response_references.browse_response_type_def_encoding_mask=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_encoding_mask;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_encoding_mask;help:browse_response_type_def_encoding_mask
+zeek.opcua_binary_browse_response_references.browse_response_type_def_guid=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_guid;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_guid;help:browse_response_type_def_guid
+zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_idx=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_idx;group:zeek_opcua;kind:integer;friendly:browse_response_type_def_namespace_idx;help:browse_response_type_def_namespace_idx
+zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_uri=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_uri;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_namespace_uri;help:browse_response_type_def_namespace_uri
+zeek.opcua_binary_browse_response_references.browse_response_type_def_numeric=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_numeric;group:zeek_opcua;kind:integer;friendly:browse_response_type_def_numeric;help:browse_response_type_def_numeric
+zeek.opcua_binary_browse_response_references.browse_response_type_def_opaque=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_opaque;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_opaque;help:browse_response_type_def_opaque
+zeek.opcua_binary_browse_response_references.browse_response_type_def_server_idx=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_server_idx;group:zeek_opcua;kind:integer;friendly:browse_response_type_def_server_idx;help:browse_response_type_def_server_idx
+zeek.opcua_binary_browse_response_references.browse_response_type_def_string=db:zeek.opcua_binary_browse_response_references.browse_response_type_def_string;group:zeek_opcua;kind:termfield;friendly:browse_response_type_def_string;help:browse_response_type_def_string
+zeek.opcua_binary_browse_response_references.browse_result_link_id=db:zeek.opcua_binary_browse_response_references.browse_result_link_id;group:zeek_opcua;kind:termfield;friendly:browse_result_link_id;help:browse_result_link_id
+zeek.opcua_binary_browse_result.browse_resp_link_id=db:zeek.opcua_binary_browse_result.browse_resp_link_id;group:zeek_opcua;kind:termfield;friendly:browse_resp_link_id;help:browse_resp_link_id
+zeek.opcua_binary_browse_result.browse_response_link_id=db:zeek.opcua_binary_browse_result.browse_response_link_id;group:zeek_opcua;kind:termfield;friendly:browse_response_link_id;help:browse_response_link_id
+zeek.opcua_binary_browse_result.browse_result_continuation_point=db:zeek.opcua_binary_browse_result.browse_result_continuation_point;group:zeek_opcua;kind:termfield;friendly:browse_result_continuation_point;help:browse_result_continuation_point
+zeek.opcua_binary_create_session.algorithm=db:zeek.opcua_binary_create_session.algorithm;group:zeek_opcua;kind:termfield;friendly:algorithm;help:algorithm
+zeek.opcua_binary_create_session.application_type=db:zeek.opcua_binary_create_session.application_type;group:zeek_opcua;kind:integer;friendly:application_type;help:application_type
+zeek.opcua_binary_create_session.application_uri=db:zeek.opcua_binary_create_session.application_uri;group:zeek_opcua;kind:termfield;friendly:application_uri;help:application_uri
+zeek.opcua_binary_create_session.auth_token_encoding_mask=db:zeek.opcua_binary_create_session.auth_token_encoding_mask;group:zeek_opcua;kind:termfield;friendly:auth_token_encoding_mask;help:auth_token_encoding_mask
+zeek.opcua_binary_create_session.auth_token_guid=db:zeek.opcua_binary_create_session.auth_token_guid;group:zeek_opcua;kind:termfield;friendly:auth_token_guid;help:auth_token_guid
+zeek.opcua_binary_create_session.auth_token_namespace_idx=db:zeek.opcua_binary_create_session.auth_token_namespace_idx;group:zeek_opcua;kind:integer;friendly:auth_token_namespace_idx;help:auth_token_namespace_idx
+zeek.opcua_binary_create_session.auth_token_numeric=db:zeek.opcua_binary_create_session.auth_token_numeric;group:zeek_opcua;kind:integer;friendly:auth_token_numeric;help:auth_token_numeric
+zeek.opcua_binary_create_session.auth_token_opaque=db:zeek.opcua_binary_create_session.auth_token_opaque;group:zeek_opcua;kind:termfield;friendly:auth_token_opaque;help:auth_token_opaque
+zeek.opcua_binary_create_session.auth_token_string=db:zeek.opcua_binary_create_session.auth_token_string;group:zeek_opcua;kind:termfield;friendly:auth_token_string;help:auth_token_string
+zeek.opcua_binary_create_session.client_cert=db:zeek.opcua_binary_create_session.client_cert;group:zeek_opcua;kind:termfield;friendly:client_cert;help:client_cert
+zeek.opcua_binary_create_session.client_cert_size=db:zeek.opcua_binary_create_session.client_cert_size;group:zeek_opcua;kind:integer;friendly:client_cert_size;help:client_cert_size
+zeek.opcua_binary_create_session.client_nonce=db:zeek.opcua_binary_create_session.client_nonce;group:zeek_opcua;kind:termfield;friendly:client_nonce;help:client_nonce
+zeek.opcua_binary_create_session.discovery_profile_uri=db:zeek.opcua_binary_create_session.discovery_profile_uri;group:zeek_opcua;kind:termfield;friendly:discovery_profile_uri;help:discovery_profile_uri
+zeek.opcua_binary_create_session.encoding_mask=db:zeek.opcua_binary_create_session.encoding_mask;group:zeek_opcua;kind:integer;friendly:encoding_mask;help:encoding_mask
+zeek.opcua_binary_create_session.endpoint_url=db:zeek.opcua_binary_create_session.endpoint_url;group:zeek_opcua;kind:termfield;friendly:endpoint_url;help:endpoint_url
+zeek.opcua_binary_create_session.gateway_server_uri=db:zeek.opcua_binary_create_session.gateway_server_uri;group:zeek_opcua;kind:termfield;friendly:gateway_server_uri;help:gateway_server_uri
+zeek.opcua_binary_create_session.locale=db:zeek.opcua_binary_create_session.locale;group:zeek_opcua;kind:termfield;friendly:locale;help:locale
+zeek.opcua_binary_create_session.max_req_msg_size=db:zeek.opcua_binary_create_session.max_req_msg_size;group:zeek_opcua;kind:integer;friendly:max_req_msg_size;help:max_req_msg_size
+zeek.opcua_binary_create_session.max_res_msg_size=db:zeek.opcua_binary_create_session.max_res_msg_size;group:zeek_opcua;kind:integer;friendly:max_res_msg_size;help:max_res_msg_size
+zeek.opcua_binary_create_session.product_uri=db:zeek.opcua_binary_create_session.product_uri;group:zeek_opcua;kind:termfield;friendly:product_uri;help:product_uri
+zeek.opcua_binary_create_session.req_session_timeout=db:zeek.opcua_binary_create_session.req_session_timeout;group:zeek_opcua;kind:integer;friendly:req_session_timeout;help:req_session_timeout
+zeek.opcua_binary_create_session.revised_session_timeout=db:zeek.opcua_binary_create_session.revised_session_timeout;group:zeek_opcua;kind:integer;friendly:revised_session_timeout;help:revised_session_timeout
+zeek.opcua_binary_create_session.server_cert=db:zeek.opcua_binary_create_session.server_cert;group:zeek_opcua;kind:termfield;friendly:server_cert;help:server_cert
+zeek.opcua_binary_create_session.server_cert_size=db:zeek.opcua_binary_create_session.server_cert_size;group:zeek_opcua;kind:integer;friendly:server_cert_size;help:server_cert_size
+zeek.opcua_binary_create_session.server_nonce=db:zeek.opcua_binary_create_session.server_nonce;group:zeek_opcua;kind:termfield;friendly:server_nonce;help:server_nonce
+zeek.opcua_binary_create_session.server_uri=db:zeek.opcua_binary_create_session.server_uri;group:zeek_opcua;kind:termfield;friendly:server_uri;help:server_uri
+zeek.opcua_binary_create_session.session_id_encoding_mask=db:zeek.opcua_binary_create_session.session_id_encoding_mask;group:zeek_opcua;kind:termfield;friendly:session_id_encoding_mask;help:session_id_encoding_mask
+zeek.opcua_binary_create_session.session_id_guid=db:zeek.opcua_binary_create_session.session_id_guid;group:zeek_opcua;kind:termfield;friendly:session_id_guid;help:session_id_guid
+zeek.opcua_binary_create_session.session_id_namespace_idx=db:zeek.opcua_binary_create_session.session_id_namespace_idx;group:zeek_opcua;kind:integer;friendly:session_id_namespace_idx;help:session_id_namespace_idx
+zeek.opcua_binary_create_session.session_id_numeric=db:zeek.opcua_binary_create_session.session_id_numeric;group:zeek_opcua;kind:integer;friendly:session_id_numeric;help:session_id_numeric
+zeek.opcua_binary_create_session.session_id_opaque=db:zeek.opcua_binary_create_session.session_id_opaque;group:zeek_opcua;kind:termfield;friendly:session_id_opaque;help:session_id_opaque
+zeek.opcua_binary_create_session.session_id_string=db:zeek.opcua_binary_create_session.session_id_string;group:zeek_opcua;kind:termfield;friendly:session_id_string;help:session_id_string
+zeek.opcua_binary_create_session.session_name=db:zeek.opcua_binary_create_session.session_name;group:zeek_opcua;kind:termfield;friendly:session_name;help:session_name
+zeek.opcua_binary_create_session.signature=db:zeek.opcua_binary_create_session.signature;group:zeek_opcua;kind:termfield;friendly:signature;help:signature
+zeek.opcua_binary_create_session.text=db:zeek.opcua_binary_create_session.text;group:zeek_opcua;kind:termfield;friendly:text;help:text
+zeek.opcua_binary_create_session_discovery.discovery_profile_link_id=db:zeek.opcua_binary_create_session_discovery.discovery_profile_link_id;group:zeek_opcua;kind:termfield;friendly:discovery_profile_link_id;help:discovery_profile_link_id
+zeek.opcua_binary_create_session_discovery.discovery_profile_uri=db:zeek.opcua_binary_create_session_discovery.discovery_profile_uri;group:zeek_opcua;kind:termfield;friendly:discovery_profile_uri;help:discovery_profile_uri
+zeek.opcua_binary_create_session_discovery.discovery_profile_url=db:zeek.opcua_binary_create_session_discovery.discovery_profile_url;group:zeek_opcua;kind:termfield;friendly:discovery_profile_url;help:discovery_profile_url
+zeek.opcua_binary_create_session_endpoints.application_type=db:zeek.opcua_binary_create_session_endpoints.application_type;group:zeek_opcua;kind:integer;friendly:application_type;help:application_type
+zeek.opcua_binary_create_session_endpoints.application_uri=db:zeek.opcua_binary_create_session_endpoints.application_uri;group:zeek_opcua;kind:termfield;friendly:application_uri;help:application_uri
+zeek.opcua_binary_create_session_endpoints.cert_size=db:zeek.opcua_binary_create_session_endpoints.cert_size;group:zeek_opcua;kind:integer;friendly:cert_size;help:cert_size
+zeek.opcua_binary_create_session_endpoints.discovery_profile_id=db:zeek.opcua_binary_create_session_endpoints.discovery_profile_id;group:zeek_opcua;kind:termfield;friendly:discovery_profile_id;help:discovery_profile_id
+zeek.opcua_binary_create_session_endpoints.discovery_profile_uri=db:zeek.opcua_binary_create_session_endpoints.discovery_profile_uri;group:zeek_opcua;kind:termfield;friendly:discovery_profile_uri;help:discovery_profile_uri
+zeek.opcua_binary_create_session_endpoints.encoding_mask=db:zeek.opcua_binary_create_session_endpoints.encoding_mask;group:zeek_opcua;kind:integer;friendly:encoding_mask;help:encoding_mask
+zeek.opcua_binary_create_session_endpoints.endpoint_link_id=db:zeek.opcua_binary_create_session_endpoints.endpoint_link_id;group:zeek_opcua;kind:termfield;friendly:endpoint_link_id;help:endpoint_link_id
+zeek.opcua_binary_create_session_endpoints.endpoint_url=db:zeek.opcua_binary_create_session_endpoints.endpoint_url;group:zeek_opcua;kind:termfield;friendly:endpoint_url;help:endpoint_url
+zeek.opcua_binary_create_session_endpoints.gateway_server_uri=db:zeek.opcua_binary_create_session_endpoints.gateway_server_uri;group:zeek_opcua;kind:termfield;friendly:gateway_server_uri;help:gateway_server_uri
+zeek.opcua_binary_create_session_endpoints.locale=db:zeek.opcua_binary_create_session_endpoints.locale;group:zeek_opcua;kind:termfield;friendly:locale;help:locale
+zeek.opcua_binary_create_session_endpoints.message_security_mode=db:zeek.opcua_binary_create_session_endpoints.message_security_mode;group:zeek_opcua;kind:integer;friendly:message_security_mode;help:message_security_mode
+zeek.opcua_binary_create_session_endpoints.product_uri=db:zeek.opcua_binary_create_session_endpoints.product_uri;group:zeek_opcua;kind:termfield;friendly:product_uri;help:product_uri
+zeek.opcua_binary_create_session_endpoints.security_level=db:zeek.opcua_binary_create_session_endpoints.security_level;group:zeek_opcua;kind:integer;friendly:security_level;help:security_level
+zeek.opcua_binary_create_session_endpoints.security_policy_uri=db:zeek.opcua_binary_create_session_endpoints.security_policy_uri;group:zeek_opcua;kind:termfield;friendly:security_policy_uri;help:security_policy_uri
+zeek.opcua_binary_create_session_endpoints.server_cert=db:zeek.opcua_binary_create_session_endpoints.server_cert;group:zeek_opcua;kind:termfield;friendly:server_cert;help:server_cert
+zeek.opcua_binary_create_session_endpoints.text=db:zeek.opcua_binary_create_session_endpoints.text;group:zeek_opcua;kind:termfield;friendly:text;help:text
+zeek.opcua_binary_create_session_endpoints.transport_profile_uri=db:zeek.opcua_binary_create_session_endpoints.transport_profile_uri;group:zeek_opcua;kind:termfield;friendly:transport_profile_uri;help:transport_profile_uri
+zeek.opcua_binary_create_session_user_token.user_token_endpoint_url=db:zeek.opcua_binary_create_session_user_token.user_token_endpoint_url;group:zeek_opcua;kind:termfield;friendly:user_token_endpoint_url;help:user_token_endpoint_url
+zeek.opcua_binary_create_session_user_token.user_token_issued_type=db:zeek.opcua_binary_create_session_user_token.user_token_issued_type;group:zeek_opcua;kind:termfield;friendly:user_token_issued_type;help:user_token_issued_type
+zeek.opcua_binary_create_session_user_token.user_token_link_id=db:zeek.opcua_binary_create_session_user_token.user_token_link_id;group:zeek_opcua;kind:termfield;friendly:user_token_link_id;help:user_token_link_id
+zeek.opcua_binary_create_session_user_token.user_token_policy_id=db:zeek.opcua_binary_create_session_user_token.user_token_policy_id;group:zeek_opcua;kind:termfield;friendly:user_token_policy_id;help:user_token_policy_id
+zeek.opcua_binary_create_session_user_token.user_token_sec_policy_uri=db:zeek.opcua_binary_create_session_user_token.user_token_sec_policy_uri;group:zeek_opcua;kind:termfield;friendly:user_token_sec_policy_uri;help:user_token_sec_policy_uri
+zeek.opcua_binary_create_session_user_token.user_token_type=db:zeek.opcua_binary_create_session_user_token.user_token_type;group:zeek_opcua;kind:integer;friendly:user_token_type;help:user_token_type
+zeek.opcua_binary_create_subscription.max_notifications_per_publish=db:zeek.opcua_binary_create_subscription.max_notifications_per_publish;group:zeek_opcua;kind:integer;friendly:max_notifications_per_publish;help:max_notifications_per_publish
+zeek.opcua_binary_create_subscription.priority=db:zeek.opcua_binary_create_subscription.priority;group:zeek_opcua;kind:integer;friendly:priority;help:priority
+zeek.opcua_binary_create_subscription.publishing_enabled=db:zeek.opcua_binary_create_subscription.publishing_enabled;group:zeek_opcua;kind:termfield;friendly:publishing_enabled;help:publishing_enabled
+zeek.opcua_binary_create_subscription.requested_lifetime_count=db:zeek.opcua_binary_create_subscription.requested_lifetime_count;group:zeek_opcua;kind:integer;friendly:requested_lifetime_count;help:requested_lifetime_count
+zeek.opcua_binary_create_subscription.requested_max_keep_alive_count=db:zeek.opcua_binary_create_subscription.requested_max_keep_alive_count;group:zeek_opcua;kind:integer;friendly:requested_max_keep_alive_count;help:requested_max_keep_alive_count
+zeek.opcua_binary_create_subscription.requested_publishing_interval=db:zeek.opcua_binary_create_subscription.requested_publishing_interval;group:zeek_opcua;kind:integer;friendly:requested_publishing_interval;help:requested_publishing_interval
+zeek.opcua_binary_create_subscription.revised_lifetime_count=db:zeek.opcua_binary_create_subscription.revised_lifetime_count;group:zeek_opcua;kind:integer;friendly:revised_lifetime_count;help:revised_lifetime_count
+zeek.opcua_binary_create_subscription.revised_max_keep_alive_count=db:zeek.opcua_binary_create_subscription.revised_max_keep_alive_count;group:zeek_opcua;kind:integer;friendly:revised_max_keep_alive_count;help:revised_max_keep_alive_count
+zeek.opcua_binary_create_subscription.revised_publishing_interval=db:zeek.opcua_binary_create_subscription.revised_publishing_interval;group:zeek_opcua;kind:integer;friendly:revised_publishing_interval;help:revised_publishing_interval
+zeek.opcua_binary_create_subscription.subscription_id=db:zeek.opcua_binary_create_subscription.subscription_id;group:zeek_opcua;kind:integer;friendly:subscription_id;help:subscription_id
+zeek.opcua_binary_diag_info_detail.addl_info=db:zeek.opcua_binary_diag_info_detail.addl_info;group:zeek_opcua;kind:termfield;friendly:addl_info;help:addl_info
+zeek.opcua_binary_diag_info_detail.diag_info_link_id=db:zeek.opcua_binary_diag_info_detail.diag_info_link_id;group:zeek_opcua;kind:termfield;friendly:diag_info_link_id;help:diag_info_link_id
+zeek.opcua_binary_diag_info_detail.has_addl_info=db:zeek.opcua_binary_diag_info_detail.has_addl_info;group:zeek_opcua;kind:termfield;friendly:has_addl_info;help:has_addl_info
+zeek.opcua_binary_diag_info_detail.has_inner_diag_info=db:zeek.opcua_binary_diag_info_detail.has_inner_diag_info;group:zeek_opcua;kind:termfield;friendly:has_inner_diag_info;help:has_inner_diag_info
+zeek.opcua_binary_diag_info_detail.has_inner_stat_code=db:zeek.opcua_binary_diag_info_detail.has_inner_stat_code;group:zeek_opcua;kind:termfield;friendly:has_inner_stat_code;help:has_inner_stat_code
+zeek.opcua_binary_diag_info_detail.has_locale=db:zeek.opcua_binary_diag_info_detail.has_locale;group:zeek_opcua;kind:termfield;friendly:has_locale;help:has_locale
+zeek.opcua_binary_diag_info_detail.has_locale_txt=db:zeek.opcua_binary_diag_info_detail.has_locale_txt;group:zeek_opcua;kind:termfield;friendly:has_locale_txt;help:has_locale_txt
+zeek.opcua_binary_diag_info_detail.has_namespace_uri=db:zeek.opcua_binary_diag_info_detail.has_namespace_uri;group:zeek_opcua;kind:termfield;friendly:has_namespace_uri;help:has_namespace_uri
+zeek.opcua_binary_diag_info_detail.has_symbolic_id=db:zeek.opcua_binary_diag_info_detail.has_symbolic_id;group:zeek_opcua;kind:termfield;friendly:has_symbolic_id;help:has_symbolic_id
+zeek.opcua_binary_diag_info_detail.inner_diag_level=db:zeek.opcua_binary_diag_info_detail.inner_diag_level;group:zeek_opcua;kind:integer;friendly:inner_diag_level;help:inner_diag_level
+zeek.opcua_binary_diag_info_detail.inner_stat_code=db:zeek.opcua_binary_diag_info_detail.inner_stat_code;group:zeek_opcua;kind:termfield;friendly:inner_stat_code;help:inner_stat_code
+zeek.opcua_binary_diag_info_detail.locale=db:zeek.opcua_binary_diag_info_detail.locale;group:zeek_opcua;kind:integer;friendly:locale;help:locale
+zeek.opcua_binary_diag_info_detail.locale_str=db:zeek.opcua_binary_diag_info_detail.locale_str;group:zeek_opcua;kind:termfield;friendly:locale_str;help:locale_str
+zeek.opcua_binary_diag_info_detail.locale_txt=db:zeek.opcua_binary_diag_info_detail.locale_txt;group:zeek_opcua;kind:integer;friendly:locale_txt;help:locale_txt
+zeek.opcua_binary_diag_info_detail.locale_txt_str=db:zeek.opcua_binary_diag_info_detail.locale_txt_str;group:zeek_opcua;kind:termfield;friendly:locale_txt_str;help:locale_txt_str
+zeek.opcua_binary_diag_info_detail.namespace_uri=db:zeek.opcua_binary_diag_info_detail.namespace_uri;group:zeek_opcua;kind:integer;friendly:namespace_uri;help:namespace_uri
+zeek.opcua_binary_diag_info_detail.namespace_uri_str=db:zeek.opcua_binary_diag_info_detail.namespace_uri_str;group:zeek_opcua;kind:termfield;friendly:namespace_uri_str;help:namespace_uri_str
+zeek.opcua_binary_diag_info_detail.source=db:zeek.opcua_binary_diag_info_detail.source;group:zeek_opcua;kind:integer;friendly:source;help:source
+zeek.opcua_binary_diag_info_detail.source_str=db:zeek.opcua_binary_diag_info_detail.source_str;group:zeek_opcua;kind:termfield;friendly:source_str;help:source_str
+zeek.opcua_binary_diag_info_detail.symbolic_id=db:zeek.opcua_binary_diag_info_detail.symbolic_id;group:zeek_opcua;kind:integer;friendly:symbolic_id;help:symbolic_id
+zeek.opcua_binary_diag_info_detail.symbolic_id_str=db:zeek.opcua_binary_diag_info_detail.symbolic_id_str;group:zeek_opcua;kind:termfield;friendly:symbolic_id_str;help:symbolic_id_str
+zeek.opcua_binary_get_endpoints.endpoint_url=db:zeek.opcua_binary_get_endpoints.endpoint_url;group:zeek_opcua;kind:termfield;friendly:endpoint_url;help:endpoint_url
+zeek.opcua_binary_get_endpoints_description.application_type=db:zeek.opcua_binary_get_endpoints_description.application_type;group:zeek_opcua;kind:integer;friendly:application_type;help:application_type
+zeek.opcua_binary_get_endpoints_description.application_uri=db:zeek.opcua_binary_get_endpoints_description.application_uri;group:zeek_opcua;kind:termfield;friendly:application_uri;help:application_uri
+zeek.opcua_binary_get_endpoints_description.cert_size=db:zeek.opcua_binary_get_endpoints_description.cert_size;group:zeek_opcua;kind:integer;friendly:cert_size;help:cert_size
+zeek.opcua_binary_get_endpoints_description.discovery_profile_uri=db:zeek.opcua_binary_get_endpoints_description.discovery_profile_uri;group:zeek_opcua;kind:termfield;friendly:discovery_profile_uri;help:discovery_profile_uri
+zeek.opcua_binary_get_endpoints_description.encoding_mask=db:zeek.opcua_binary_get_endpoints_description.encoding_mask;group:zeek_opcua;kind:integer;friendly:encoding_mask;help:encoding_mask
+zeek.opcua_binary_get_endpoints_description.endpoint_description_link_id=db:zeek.opcua_binary_get_endpoints_description.endpoint_description_link_id;group:zeek_opcua;kind:termfield;friendly:endpoint_description_link_id;help:endpoint_description_link_id
+zeek.opcua_binary_get_endpoints_description.endpoint_uri=db:zeek.opcua_binary_get_endpoints_description.endpoint_uri;group:zeek_opcua;kind:termfield;friendly:endpoint_uri;help:endpoint_uri
+zeek.opcua_binary_get_endpoints_description.gateway_server_uri=db:zeek.opcua_binary_get_endpoints_description.gateway_server_uri;group:zeek_opcua;kind:termfield;friendly:gateway_server_uri;help:gateway_server_uri
+zeek.opcua_binary_get_endpoints_description.locale=db:zeek.opcua_binary_get_endpoints_description.locale;group:zeek_opcua;kind:termfield;friendly:locale;help:locale
+zeek.opcua_binary_get_endpoints_description.message_security_mode=db:zeek.opcua_binary_get_endpoints_description.message_security_mode;group:zeek_opcua;kind:integer;friendly:message_security_mode;help:message_security_mode
+zeek.opcua_binary_get_endpoints_description.product_uri=db:zeek.opcua_binary_get_endpoints_description.product_uri;group:zeek_opcua;kind:termfield;friendly:product_uri;help:product_uri
+zeek.opcua_binary_get_endpoints_description.security_level=db:zeek.opcua_binary_get_endpoints_description.security_level;group:zeek_opcua;kind:integer;friendly:security_level;help:security_level
+zeek.opcua_binary_get_endpoints_description.security_policy_uri=db:zeek.opcua_binary_get_endpoints_description.security_policy_uri;group:zeek_opcua;kind:termfield;friendly:security_policy_uri;help:security_policy_uri
+zeek.opcua_binary_get_endpoints_description.server_cert=db:zeek.opcua_binary_get_endpoints_description.server_cert;group:zeek_opcua;kind:termfield;friendly:server_cert;help:server_cert
+zeek.opcua_binary_get_endpoints_description.text=db:zeek.opcua_binary_get_endpoints_description.text;group:zeek_opcua;kind:termfield;friendly:text;help:text
+zeek.opcua_binary_get_endpoints_description.transport_profile_uri=db:zeek.opcua_binary_get_endpoints_description.transport_profile_uri;group:zeek_opcua;kind:termfield;friendly:transport_profile_uri;help:transport_profile_uri
+zeek.opcua_binary_get_endpoints_discovery.discovery_profile_link_id=db:zeek.opcua_binary_get_endpoints_discovery.discovery_profile_link_id;group:zeek_opcua;kind:termfield;friendly:discovery_profile_link_id;help:discovery_profile_link_id
+zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url=db:zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url;group:zeek_opcua;kind:termfield;friendly:discovery_profile_url;help:discovery_profile_url
+zeek.opcua_binary_get_endpoints_locale_id.locale_id=db:zeek.opcua_binary_get_endpoints_locale_id.locale_id;group:zeek_opcua;kind:termfield;friendly:locale_id;help:locale_id
+zeek.opcua_binary_get_endpoints_locale_id.locale_link_id=db:zeek.opcua_binary_get_endpoints_locale_id.locale_link_id;group:zeek_opcua;kind:termfield;friendly:locale_link_id;help:locale_link_id
+zeek.opcua_binary_get_endpoints_profile_uri.profile_uri=db:zeek.opcua_binary_get_endpoints_profile_uri.profile_uri;group:zeek_opcua;kind:termfield;friendly:profile_uri;help:profile_uri
+zeek.opcua_binary_get_endpoints_profile_uri.profile_uri_link_id=db:zeek.opcua_binary_get_endpoints_profile_uri.profile_uri_link_id;group:zeek_opcua;kind:termfield;friendly:profile_uri_link_id;help:profile_uri_link_id
+zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url=db:zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url;group:zeek_opcua;kind:termfield;friendly:user_token_endpoint_url;help:user_token_endpoint_url
+zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type=db:zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type;group:zeek_opcua;kind:termfield;friendly:user_token_issued_type;help:user_token_issued_type
+zeek.opcua_binary_get_endpoints_user_token.user_token_link_id=db:zeek.opcua_binary_get_endpoints_user_token.user_token_link_id;group:zeek_opcua;kind:termfield;friendly:user_token_link_id;help:user_token_link_id
+zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id=db:zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id;group:zeek_opcua;kind:termfield;friendly:user_token_policy_id;help:user_token_policy_id
+zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri=db:zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri;group:zeek_opcua;kind:termfield;friendly:user_token_sec_policy_uri;help:user_token_sec_policy_uri
+zeek.opcua_binary_get_endpoints_user_token.user_token_type=db:zeek.opcua_binary_get_endpoints_user_token.user_token_type;group:zeek_opcua;kind:integer;friendly:user_token_type;help:user_token_type
+zeek.opcua_binary_opensecure_channel.client_nonce=db:zeek.opcua_binary_opensecure_channel.client_nonce;group:zeek_opcua;kind:termfield;friendly:client_nonce;help:client_nonce
+zeek.opcua_binary_opensecure_channel.client_proto_ver=db:zeek.opcua_binary_opensecure_channel.client_proto_ver;group:zeek_opcua;kind:integer;friendly:client_proto_ver;help:client_proto_ver
+zeek.opcua_binary_opensecure_channel.message_security_mode=db:zeek.opcua_binary_opensecure_channel.message_security_mode;group:zeek_opcua;kind:integer;friendly:message_security_mode;help:message_security_mode
+zeek.opcua_binary_opensecure_channel.req_lifetime=db:zeek.opcua_binary_opensecure_channel.req_lifetime;group:zeek_opcua;kind:integer;friendly:req_lifetime;help:req_lifetime
+zeek.opcua_binary_opensecure_channel.sec_token_created_at=db:zeek.opcua_binary_opensecure_channel.sec_token_created_at;group:zeek_opcua;kind:termfield;friendly:sec_token_created_at;help:sec_token_created_at
+zeek.opcua_binary_opensecure_channel.sec_token_id=db:zeek.opcua_binary_opensecure_channel.sec_token_id;group:zeek_opcua;kind:integer;friendly:sec_token_id;help:sec_token_id
+zeek.opcua_binary_opensecure_channel.sec_token_request_type=db:zeek.opcua_binary_opensecure_channel.sec_token_request_type;group:zeek_opcua;kind:integer;friendly:sec_token_request_type;help:sec_token_request_type
+zeek.opcua_binary_opensecure_channel.sec_token_revised_time=db:zeek.opcua_binary_opensecure_channel.sec_token_revised_time;group:zeek_opcua;kind:integer;friendly:sec_token_revised_time;help:sec_token_revised_time
+zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id=db:zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id;group:zeek_opcua;kind:integer;friendly:sec_token_sec_channel_id;help:sec_token_sec_channel_id
+zeek.opcua_binary_opensecure_channel.server_nonce=db:zeek.opcua_binary_opensecure_channel.server_nonce;group:zeek_opcua;kind:termfield;friendly:server_nonce;help:server_nonce
+zeek.opcua_binary_opensecure_channel.server_proto_ver=db:zeek.opcua_binary_opensecure_channel.server_proto_ver;group:zeek_opcua;kind:integer;friendly:server_proto_ver;help:server_proto_ver
+zeek.opcua_binary_status_code_detail.historian_bits=db:zeek.opcua_binary_status_code_detail.historian_bits;group:zeek_opcua;kind:integer;friendly:historian_bits;help:historian_bits
+zeek.opcua_binary_status_code_detail.historian_bits_str=db:zeek.opcua_binary_status_code_detail.historian_bits_str;group:zeek_opcua;kind:termfield;friendly:historian_bits_str;help:historian_bits_str
+zeek.opcua_binary_status_code_detail.historianExtraData=db:zeek.opcua_binary_status_code_detail.historianExtraData;group:zeek_opcua;kind:termfield;friendly:historianExtraData;help:historianExtraData
+zeek.opcua_binary_status_code_detail.historianMultiValue=db:zeek.opcua_binary_status_code_detail.historianMultiValue;group:zeek_opcua;kind:termfield;friendly:historianMultiValue;help:historianMultiValue
+zeek.opcua_binary_status_code_detail.historianPartial=db:zeek.opcua_binary_status_code_detail.historianPartial;group:zeek_opcua;kind:termfield;friendly:historianPartial;help:historianPartial
+zeek.opcua_binary_status_code_detail.info_type=db:zeek.opcua_binary_status_code_detail.info_type;group:zeek_opcua;kind:integer;friendly:info_type;help:info_type
+zeek.opcua_binary_status_code_detail.info_type_str=db:zeek.opcua_binary_status_code_detail.info_type_str;group:zeek_opcua;kind:termfield;friendly:info_type_str;help:info_type_str
+zeek.opcua_binary_status_code_detail.limit_bits=db:zeek.opcua_binary_status_code_detail.limit_bits;group:zeek_opcua;kind:integer;friendly:limit_bits;help:limit_bits
+zeek.opcua_binary_status_code_detail.limit_bits_str=db:zeek.opcua_binary_status_code_detail.limit_bits_str;group:zeek_opcua;kind:termfield;friendly:limit_bits_str;help:limit_bits_str
+zeek.opcua_binary_status_code_detail.overflow=db:zeek.opcua_binary_status_code_detail.overflow;group:zeek_opcua;kind:termfield;friendly:overflow;help:overflow
+zeek.opcua_binary_status_code_detail.semantics_changed=db:zeek.opcua_binary_status_code_detail.semantics_changed;group:zeek_opcua;kind:termfield;friendly:semantics_changed;help:semantics_changed
+zeek.opcua_binary_status_code_detail.severity=db:zeek.opcua_binary_status_code_detail.severity;group:zeek_opcua;kind:integer;friendly:severity;help:severity
+zeek.opcua_binary_status_code_detail.severity_str=db:zeek.opcua_binary_status_code_detail.severity_str;group:zeek_opcua;kind:termfield;friendly:severity_str;help:severity_str
+zeek.opcua_binary_status_code_detail.source=db:zeek.opcua_binary_status_code_detail.source;group:zeek_opcua;kind:integer;friendly:source;help:source
+zeek.opcua_binary_status_code_detail.source_level=db:zeek.opcua_binary_status_code_detail.source_level;group:zeek_opcua;kind:integer;friendly:source_level;help:source_level
+zeek.opcua_binary_status_code_detail.source_str=db:zeek.opcua_binary_status_code_detail.source_str;group:zeek_opcua;kind:termfield;friendly:source_str;help:source_str
+zeek.opcua_binary_status_code_detail.status_code=db:zeek.opcua_binary_status_code_detail.status_code;group:zeek_opcua;kind:termfield;friendly:status_code;help:status_code
+zeek.opcua_binary_status_code_detail.status_code_link_id=db:zeek.opcua_binary_status_code_detail.status_code_link_id;group:zeek_opcua;kind:termfield;friendly:status_code_link_id;help:status_code_link_id
+zeek.opcua_binary_status_code_detail.structure_changed=db:zeek.opcua_binary_status_code_detail.structure_changed;group:zeek_opcua;kind:termfield;friendly:structure_changed;help:structure_changed
+zeek.opcua_binary_status_code_detail.sub_code=db:zeek.opcua_binary_status_code_detail.sub_code;group:zeek_opcua;kind:integer;friendly:sub_code;help:sub_code
+zeek.opcua_binary_status_code_detail.sub_code_str=db:zeek.opcua_binary_status_code_detail.sub_code_str;group:zeek_opcua;kind:termfield;friendly:sub_code_str;help:sub_code_str
 
 # ocsp.log
 # https://docs.zeek.org/en/stable/scripts/policy/files/x509/log-ocsp.zeek.html#type-OCSP::Info
@@ -1002,17 +1153,33 @@ zeek.rfb.width=db:zeek.rfb.width;group:zeek_rfb;kind:integer;friendly:Desktop Wi zeek.rfb.height=db:zeek.rfb.height;group:zeek_rfb;kind:integer;friendly:Desktop Height;help:Desktop Height # s7comm.log -# https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek -zeek.s7comm.rosctr=db:zeek.s7comm.rosctr;group:zeek_s7comm;kind:termfield;friendly:Message Type;help:Message Type -zeek.s7comm.parameter=db:zeek.s7comm.parameter;group:zeek_s7comm;kind:termfield;friendly:Parameters;help:Parameters -zeek.s7comm.parameters.class=db:zeek.s7comm.parameters.class;group:zeek_s7comm;kind:termfield;friendly:Class;help:Class -zeek.s7comm.parameters.code=db:zeek.s7comm.parameters.code;group:zeek_s7comm;kind:termfield;friendly:Code;help:Code -zeek.s7comm.parameters.group=db:zeek.s7comm.parameters.group;group:zeek_s7comm;kind:termfield;friendly:Group;help:Group -zeek.s7comm.parameters.mode=db:zeek.s7comm.parameters.mode;group:zeek_s7comm;kind:termfield;friendly:Mode;help:Mode -zeek.s7comm.parameters.sub=db:zeek.s7comm.parameters.sub;group:zeek_s7comm;kind:termfield;friendly:Sub;help:Sub -zeek.s7comm.parameters.type=db:zeek.s7comm.parameters.type;group:zeek_s7comm;kind:termfield;friendly:Type;help:Type -zeek.s7comm.item_count=db:zeek.s7comm.item_count;group:zeek_s7comm;kind:integer;friendly:Data Entries;help:Total number of data entries -zeek.s7comm.data_info=db:zeek.s7comm.data_info;group:zeek_s7comm;kind:termfield;friendly:Data Entry;help:Data of first entry +# https://github.com/cisagov/icsnpp-s7comm +zeek.s7comm.error_class=db:zeek.s7comm.error_class;group:zeek_s7comm;kind:termfield;friendly:Error Class;help:Error Class +zeek.s7comm.error_code=db:zeek.s7comm.error_code;group:zeek_s7comm;kind:termfield;friendly:Error Code;help:Error Code +zeek.s7comm.function_code=db:zeek.s7comm.function_code;group:zeek_s7comm;kind:termfield;friendly:Parameter Function Code;help:Parameter Function Code 
+zeek.s7comm.function_name=db:zeek.s7comm.function_name;group:zeek_s7comm;kind:termfield;friendly:Parameter Function Name;help:Parameter Function Name
+zeek.s7comm.pdu_reference=db:zeek.s7comm.pdu_reference;group:zeek_s7comm;kind:integer;friendly:Reference ID;help:Reference ID
+zeek.s7comm.rosctr_code=db:zeek.s7comm.rosctr_code;group:zeek_s7comm;kind:integer;friendly:Remote Operating Service Control Code;help:Remote Operating Service Control Code
+zeek.s7comm.rosctr_name=db:zeek.s7comm.rosctr_name;group:zeek_s7comm;kind:termfield;friendly:Remote Operating Service Control Name;help:Remote Operating Service Control Name
+zeek.s7comm.subfunction_code=db:zeek.s7comm.subfunction_code;group:zeek_s7comm;kind:termfield;friendly:User Data Subfunction Code;help:User Data Subfunction Code
+zeek.s7comm.subfunction_name=db:zeek.s7comm.subfunction_name;group:zeek_s7comm;kind:termfield;friendly:User Data Subfunction Name;help:User Data Subfunction Name
+
+# s7comm_plus.log
+# https://github.com/cisagov/icsnpp-s7comm
+zeek.s7comm_plus.function_code=db:zeek.s7comm_plus.function_code;group:zeek_s7comm_plus;kind:termfield;friendly:Function Code;help:Function Code
+zeek.s7comm_plus.function_name=db:zeek.s7comm_plus.function_name;group:zeek_s7comm_plus;kind:termfield;friendly:Function Name;help:Function Name
+zeek.s7comm_plus.opcode=db:zeek.s7comm_plus.opcode;group:zeek_s7comm_plus;kind:termfield;friendly:Operation Code;help:Operation Code
+zeek.s7comm_plus.opcode_name=db:zeek.s7comm_plus.opcode_name;group:zeek_s7comm_plus;kind:termfield;friendly:Operation Name;help:Operation Name
+zeek.s7comm_plus.version=db:zeek.s7comm_plus.version;group:zeek_s7comm_plus;kind:integer;friendly:Version;help:Version
+
+# s7comm_read_szl.log
+# https://github.com/cisagov/icsnpp-s7comm
+zeek.s7comm_read_szl.method=db:zeek.s7comm_read_szl.method;group:zeek_s7comm_read_szl;kind:termfield;friendly:Method;help:Method
+zeek.s7comm_read_szl.szl_id=db:zeek.s7comm_read_szl.szl_id;group:zeek_s7comm_read_szl;kind:termfield;friendly:SZL ID;help:SZL ID +zeek.s7comm_read_szl.szl_id_name=db:zeek.s7comm_read_szl.szl_id_name;group:zeek_s7comm_read_szl;kind:termfield;friendly:SZL ID Name;help:SZL ID Name +zeek.s7comm_read_szl.szl_index=db:zeek.s7comm_read_szl.szl_index;group:zeek_s7comm_read_szl;kind:termfield;friendly:SZL Index;help:SZL Index +zeek.s7comm_read_szl.return_code=db:zeek.s7comm_read_szl.return_code;group:zeek_s7comm_read_szl;kind:termfield;friendly:Return Code;help:Return Code +zeek.s7comm_read_szl.return_code_name=db:zeek.s7comm_read_szl.return_code_name;group:zeek_s7comm_read_szl;kind:termfield;friendly:Return Message;help:Return Message # signatures.log zeek.signatures.note=db:zeek.signatures.note;group:zeek_signatures;kind:termfield;friendly:Note;help:Note 
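Review bot: The old s7comm field names (`zeek.s7comm.rosctr`, `zeek.s7comm.parameter`, `zeek.s7comm.parameters.*`, `zeek.s7comm.item_count`, `zeek.s7comm.data_info`) are removed here with no alias, so any saved Arkime view, hunt or expression still using them silently stops matching, and the `zeek_s7comm` view definition in the views section later in this file (outside this hunk) has to be switched to the new names (`zeek.s7comm.rosctr_code`, `function_code`, `subfunction_code`, …) in the same commit. The two new groups `zeek_s7comm_plus` and `zeek_s7comm_read_szl` likewise need corresponding view entries, which this chunk does not show — confirm they exist. The kind split between `rosctr_code`/`pdu_reference` (`kind:integer`) and `error_code`/`function_code`/`subfunction_code` (`kind:termfield`) presumably mirrors how icsnpp-s7comm emits those columns, but nothing says so; a one-line note after the URL, `# NOTE: *_code kinds follow the column types emitted by icsnpp-s7comm — check the analyzer before changing`, would stop the next reader from "normalizing" them and breaking the mapping.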
@@ -1254,13 +1421,11 @@ tls.server.ja3s_description=db:tls.server.ja3s_description;group:zeek_ssl;kind:t # stun.log and stun_nat.log # https://github.com/corelight/zeek-spicy-stun/blob/master/analyzer/main.zeek -zeek.stun.is_orig=db:zeek.stun.is_orig;group:zeek_stun;kind:termfield;friendly:Is Originator;help:Is Originator zeek.stun.trans_id=db:zeek.stun.trans_id;group:zeek_stun;kind:termfield;friendly:Transaction ID;help:Transaction ID zeek.stun.method=db:zeek.stun.method;group:zeek_stun;kind:termfield;friendly:STUN Method;help:STUN Method zeek.stun.class=db:zeek.stun.class;group:zeek_stun;kind:termfield;friendly:STUN Class;help:STUN Class zeek.stun.attr_type=db:zeek.stun.attr_type;group:zeek_stun;kind:termfield;friendly:Attribute Type;help:Attribute Type zeek.stun.attr_val=db:zeek.stun.attr_val;group:zeek_stun;kind:termfield;friendly:Attribute Value;help:Attribute Value -zeek.stun_nat.is_orig=db:zeek.stun_nat.is_orig;group:zeek_stun;kind:termfield;friendly:Is Originator;help:Is Originator zeek.stun_nat.wan_addr=db:zeek.stun_nat.wan_addr;group:zeek_stun;kind:termfield;friendly:WAN Address;help:WAN Address zeek.stun_nat.wan_port=db:zeek.stun_nat.wan_port;group:zeek_stun;kind:integer;friendly:Mapped Port;help:Mapped Port zeek.stun_nat.lan_addr=db:zeek.stun_nat.lan_addr;group:zeek_stun;kind:termfield;friendly:NAT LAN Address;help:NAT LAN Address 
@@ -1950,15 +2115,15 @@ zeek_ecat_foe_info=require:zeek.ecat_foe_info;title:Zeek ecat_foe_info.log;field zeek_ecat_soe_info=require:zeek.ecat_soe_info;title:Zeek ecat_soe_info.log;fields:zeek.ecat_soe_info.opcode,zeek.ecat_soe_info.incomplete,zeek.ecat_soe_info.error,zeek.ecat_soe_info.drive_num,zeek.ecat_soe_info.element,zeek.ecat_soe_info.index zeek_ecat_arp_info=require:zeek.ecat_arp_info;title:Zeek ecat_arp_info.log;fields:zeek.ecat_arp_info.arp_type,zeek.ecat_arp_info.orig_proto_addr,zeek.ecat_arp_info.orig_hw_addr,zeek.ecat_arp_info.resp_proto_addr,zeek.ecat_arp_info.resp_hw_addr zeek_enip=require:zeek.enip;title:Zeek enip.log;fields:zeek.enip.enip_command,zeek.enip.enip_command_code,zeek.enip.length,zeek.enip.session_handle,zeek.enip.enip_status,zeek.enip.sender_context,zeek.enip.options -zeek_files=require:zeek.files;title:Zeek files.log;fields:zeek.files.tx_hosts,zeek.files.rx_hosts,zeek.files.conn_uids,zeek.files.source,zeek.files.depth,zeek.files.analyzers,zeek.files.mime_type,zeek.files.filename,zeek.files.ftime,zeek.files.duration,zeek.files.local_orig,zeek.files.is_orig,zeek.files.seen_bytes,zeek.files.total_bytes,zeek.files.missing_bytes,zeek.files.overflow_bytes,zeek.files.timedout,zeek.files.parent_fuid,zeek.files.md5,zeek.files.sha1,zeek.files.sha256,zeek.files.extracted,zeek.files.extracted_cutoff,zeek.files.extracted_size +zeek_files=require:zeek.files;title:Zeek files.log;fields:zeek.files.tx_hosts,zeek.files.rx_hosts,zeek.files.conn_uids,zeek.files.source,zeek.files.depth,zeek.files.analyzers,zeek.files.mime_type,zeek.files.filename,zeek.files.ftime,zeek.files.duration,zeek.files.local_orig,zeek.files.seen_bytes,zeek.files.total_bytes,zeek.files.missing_bytes,zeek.files.overflow_bytes,zeek.files.timedout,zeek.files.parent_fuid,zeek.files.md5,zeek.files.sha1,zeek.files.sha256,zeek.files.extracted,zeek.files.extracted_cutoff,zeek.files.extracted_size zeek_ftp=require:zeek.ftp;title:Zeek 
ftp.log;fields:zeek.ftp.command,zeek.ftp.arg,zeek.ftp.mime_type,zeek.ftp.file_size,zeek.ftp.reply_code,zeek.ftp.reply_msg,zeek.ftp.data_channel_passive,zeek.ftp.data_channel_orig_h,zeek.ftp.data_channel_resp_h,zeek.ftp.data_channel_resp_p zeek_genisys=require:zeek.genisys;title:Zeek genisys.log;fields:zeek.genisys.header,zeek.genisys.server,zeek.genisys.direction,zeek.genisys.crc_transmitted,zeek.genisys.crc_calculated,zeek.genisys.payload.address,zeek.genisys.payload.data zeek_gquic=require:zeek.gquic;title:Zeek gquic.log;fields:zeek.gquic.version,zeek.gquic.server_name,zeek.gquic.user_agent,zeek.gquic.tag_count,zeek.gquic.cyu,zeek.gquic.cyutags zeek_http=require:zeek.http;title:Zeek http.log;fields:zeek.http.trans_depth,zeek.http.method,zeek.http.host,zeek.http.uri,zeek.http.origin,zeek.http.post_password_plain,zeek.http.post_username,zeek.http.referrer,zeek.http.version,zeek.http.user_agent,zeek.http.request_body_len,zeek.http.response_body_len,zeek.http.status_code,zeek.http.status_msg,zeek.http.info_code,zeek.http.info_msg,zeek.http.tags,zeek.http.proxied,zeek.http.orig_fuids,zeek.http.orig_filenames,zeek.http.orig_mime_types,zeek.http.resp_fuids,zeek.http.resp_filenames,zeek.http.resp_mime_types zeek_intel=require:zeek.intel;title:Zeek intel.log;fields:zeek.intel.cif_tags,zeek.intel.cif_confidence,zeek.intel.cif_source,zeek.intel.cif_description,zeek.intel.cif_firstseen,zeek.intel.cif_lastseen,zeek.intel.seen_indicator,zeek.intel.seen_indicator_type,zeek.intel.seen_where,zeek.intel.seen_node,zeek.intel.matched,zeek.intel.sources,zeek.intel.file_mime_type,zeek.intel.file_description -zeek_ipsec=require:zeek.ipsec;title:Zeek 
ipsec.log;fields:zeek.ipsec.is_orig,zeek.ipsec.initiator_spi,zeek.ipsec.responder_spi,zeek.ipsec.maj_ver,zeek.ipsec.min_ver,zeek.ipsec.exchange_type,zeek.ipsec.doi,zeek.ipsec.flag_e,zeek.ipsec.flag_c,zeek.ipsec.flag_a,zeek.ipsec.flag_i,zeek.ipsec.flag_v,zeek.ipsec.flag_r,zeek.ipsec.flags,zeek.ipsec.message_id,zeek.ipsec.vendor_ids,zeek.ipsec.notify_messages,zeek.ipsec.transforms,zeek.ipsec.ke_dh_groups,zeek.ipsec.proposals,zeek.ipsec.protocol_id,zeek.ipsec.certificates,zeek.ipsec.situation,zeek.ipsec.transform_attributes,zeek.ipsec.length,zeek.ipsec.hash +zeek_ipsec=require:zeek.ipsec;title:Zeek ipsec.log;fields:zeek.ipsec.initiator_spi,zeek.ipsec.responder_spi,zeek.ipsec.maj_ver,zeek.ipsec.min_ver,zeek.ipsec.exchange_type,zeek.ipsec.doi,zeek.ipsec.flag_e,zeek.ipsec.flag_c,zeek.ipsec.flag_a,zeek.ipsec.flag_i,zeek.ipsec.flag_v,zeek.ipsec.flag_r,zeek.ipsec.flags,zeek.ipsec.message_id,zeek.ipsec.vendor_ids,zeek.ipsec.notify_messages,zeek.ipsec.transforms,zeek.ipsec.ke_dh_groups,zeek.ipsec.proposals,zeek.ipsec.protocol_id,zeek.ipsec.certificates,zeek.ipsec.situation,zeek.ipsec.transform_attributes,zeek.ipsec.length,zeek.ipsec.hash zeek_irc=require:zeek.irc;title:Zeek irc.log;fields:zeek.irc.nick,zeek.irc.command,zeek.irc.value,zeek.irc.addl,zeek.irc.dcc_file_name,zeek.irc.dcc_file_size,zeek.irc.dcc_mime_type -zeek_iso_cotp=require:zeek.iso_cotp;title:Zeek iso_cotp.log;fields:zeek.iso_cotp.pdu_type +zeek_cotp=require:zeek.cotp;title:Zeek cotp.log;fields:zeek.cotp.pdu_code,zeek.cotp.pdu_name zeek_kerberos=require:zeek.kerberos;title:Zeek kerberos.log;fields:zeek.kerberos.cname,zeek.kerberos.sname,zeek.kerberos.success,zeek.kerberos.error_msg,zeek.kerberos.from,zeek.kerberos.till,zeek.kerberos.cipher,zeek.kerberos.forwardable,zeek.kerberos.renewable,zeek.kerberos.request_type,zeek.kerberos.client_cert_subject,zeek.kerberos.client_cert_fuid,zeek.kerberos.server_cert_subject,zeek.kerberos.server_cert_fuid zeek_known_certs=require:zeek.known_certs;title:Zeek 
known_certs.log;fields:zeek.known_certs.subject,zeek.known_certs.issuer_subject,zeek.known_certs.serial zeek_known_modbus=require:zeek.known_modbus;title:Zeek zeek.known_modbus.log;fields:zeek.known_modbus.device_type 
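Review bot: The renamed view `zeek_cotp` now gates on `require:zeek.cotp` and lists `zeek.cotp.pdu_code` / `zeek.cotp.pdu_name`, but the matching field definitions and the removal of the old `zeek.iso_cotp.pdu_type` entry live in the fields section outside this hunk; if those were not changed alongside, the view references undefined fields and the stale `zeek.iso_cotp` group lingers in the UI, so please confirm both. The removal of `zeek.files.is_orig` and `zeek.ipsec.is_orig` from the views matches the `is_orig` deletions elsewhere in this diff, presumably because the ingest pipeline now exposes direction through a common field — confirm. A short comment at the head of the views section such as `# per-protocol is_orig fields are no longer listed in views; see the normalized direction field` would tell a reader where the column went without having to read the pipeline.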
@@ -1976,13 +2141,7 @@ zeek_mysql=require:zeek.mysql;title:Zeek mysql.log;fields:zeek.mysql.cmd,zeek.my zeek_notice=require:zeek.notice;title:Zeek notice.log;fields:rule.category,rule.name,zeek.notice.file_mime_type,zeek.notice.file_desc,zeek.notice.note,zeek.notice.msg,zeek.notice.sub,zeek.notice.src,zeek.notice.dst,zeek.notice.p,zeek.notice.n,zeek.notice.peer_descr,zeek.notice.actions,zeek.notice.suppress_for,zeek.notice.dropped,zeek.notice.remote_location_country_code,zeek.notice.remote_location_region,zeek.notice.remote_location_latitude,zeek.notice.remote_location_longitude zeek_ntlm=require:zeek.ntlm;title:Zeek ntlm.log;fields:zeek.ntlm.host,zeek.ntlm.domain,zeek.ntlm.success,zeek.ntlm.status,zeek.ntlm.server_nb_computer,zeek.ntlm.server_dns_computer,zeek.ntlm.server_tree zeek_ntp=require:zeek.ntp;title:Zeek ntp.log;fields:zeek.ntp.version,zeek.ntp.mode,zeek.ntp.mode_str,zeek.ntp.stratum,zeek.ntp.poll,zeek.ntp.precision,zeek.ntp.root_delay,zeek.ntp.root_disp,zeek.ntp.ref_id,zeek.ntp.ref_time,zeek.ntp.org_time,zeek.ntp.rec_time,zeek.ntp.xmt_time,zeek.ntp.num_exts -zeek_opcua_binary=require:zeek.opcua_binary;title:Zeek 
opcua-binary.log;fields:zeek.opcua_binary.encoding_mask,zeek.opcua_binary.endpoint_url,zeek.opcua_binary.error,zeek.opcua_binary.identifier,zeek.opcua_binary.identifier_str,zeek.opcua_binary.is_final,zeek.opcua_binary.max_chunk_cnt,zeek.opcua_binary.max_msg_size,zeek.opcua_binary.msg_size,zeek.opcua_binary.msg_type,zeek.opcua_binary.namespace_idx,zeek.opcua_binary.opcua_id,zeek.opcua_binary.rcv_buf_size,zeek.opcua_binary.rcv_cert,zeek.opcua_binary.rcv_cert_len,zeek.opcua_binary.reason,zeek.opcua_binary.req_hdr_add_hdr_enc_mask,zeek.opcua_binary.req_hdr_add_hdr_type_id,zeek.opcua_binary.req_hdr_audit_entry_id,zeek.opcua_binary.req_hdr_node_id_guid,zeek.opcua_binary.req_hdr_node_id_namespace_idx,zeek.opcua_binary.req_hdr_node_id_numeric,zeek.opcua_binary.req_hdr_node_id_opaque,zeek.opcua_binary.req_hdr_node_id_string,zeek.opcua_binary.req_hdr_node_id_type,zeek.opcua_binary.req_hdr_request_handle,zeek.opcua_binary.req_hdr_return_diag,zeek.opcua_binary.req_hdr_timeout_hint,zeek.opcua_binary.req_hdr_timestamp,zeek.opcua_binary.request_id,zeek.opcua_binary.res_hdr_add_hdr_enc_mask,zeek.opcua_binary.res_hdr_add_hdr_type_id,zeek.opcua_binary.res_hdr_request_handle,zeek.opcua_binary.res_hdr_service_diag_encoding,zeek.opcua_binary.res_hdr_service_result,zeek.opcua_binary.res_hdr_timestamp,zeek.opcua_binary.sec_channel_id,zeek.opcua_binary.sec_policy_uri,zeek.opcua_binary.sec_policy_uri_len,zeek.opcua_binary.seq_number,zeek.opcua_binary.snd_buf_size,zeek.opcua_binary.snd_cert,zeek.opcua_binary.snd_cert_len,zeek.opcua_binary.version -zeek_opcua_binary_diag_info_detail=require:zeek.opcua_binary_diag_info_detail;title:Zeek opcua-binary-diag-info-detail.log;fields: 
zeek.opcua_binary_diag_info_detail.addl_info,zeek.opcua_binary_diag_info_detail.has_addl_info,zeek.opcua_binary_diag_info_detail.has_inner_diag_info,zeek.opcua_binary_diag_info_detail.has_inner_stat_code,zeek.opcua_binary_diag_info_detail.has_locale,zeek.opcua_binary_diag_info_detail.has_locale_txt,zeek.opcua_binary_diag_info_detail.has_namespace_uri,zeek.opcua_binary_diag_info_detail.has_symbolic_id,zeek.opcua_binary_diag_info_detail.inner_diag_level,zeek.opcua_binary_diag_info_detail.inner_stat_code,zeek.opcua_binary_diag_info_detail.locale,zeek.opcua_binary_diag_info_detail.locale_str,zeek.opcua_binary_diag_info_detail.locale_txt,zeek.opcua_binary_diag_info_detail.locale_txt_str,zeek.opcua_binary_diag_info_detail.namespace_uri,zeek.opcua_binary_diag_info_detail.namespace_uri_str,zeek.opcua_binary_diag_info_detail.symbolic_id,zeek.opcua_binary_diag_info_detail.symbolic_id_str -zeek_opcua_binary_get_endpoints=require:zeek.opcua_binary_get_endpoints;title:Zeek opcua-binary-get-endpoints.log;fields:zeek.opcua_binary_get_endpoints.application_type,zeek.opcua_binary_get_endpoints.application_uri,zeek.opcua_binary_get_endpoints.cert_size,zeek.opcua_binary_get_endpoints.discovery_profile_id,zeek.opcua_binary_get_endpoints.encoding_mask,zeek.opcua_binary_get_endpoints.endpoint_url,zeek.opcua_binary_get_endpoints.gateway_server_uri,zeek.opcua_binary_get_endpoints.locale,zeek.opcua_binary_get_endpoints.locale_id,zeek.opcua_binary_get_endpoints.message_security_mode,zeek.opcua_binary_get_endpoints.product_uri,zeek.opcua_binary_get_endpoints.profile_uri,zeek.opcua_binary_get_endpoints.security_level,zeek.opcua_binary_get_endpoints.security_policy_uri,zeek.opcua_binary_get_endpoints.server_cert,zeek.opcua_binary_get_endpoints.text,zeek.opcua_binary_get_endpoints.transport_profile_uri,zeek.opcua_binary_get_endpoints.user_token_id -zeek_opcua_binary_get_endpoints_discovery=require:zeek.opcua_binary_get_endpoints_discovery;title:Zeek 
opcua-binary-get-endpoints-discovery.log;fields:zeek.opcua_binary_get_endpoints_discovery.discovery_profile_id,zeek.opcua_binary_get_endpoints_discovery.discovery_profile_uri,zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url -zeek_opcua_binary_get_endpoints_user_token=require:zeek.opcua_binary_get_endpoints_user_token;title:Zeek opcua-binary-get-endpoints-user-token.log;fields:zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url,zeek.opcua_binary_get_endpoints_user_token.user_token_id,zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type,zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id,zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri,zeek.opcua_binary_get_endpoints_user_token.user_token_type -zeek_opcua_binary_opensecure_channel=require:zeek.opcua_binary_opensecure_channel;title:Zeek opcua-binary-opensecure-channel.log;fields:zeek.opcua_binary_opensecure_channel.client_nonce,zeek.opcua_binary_opensecure_channel.client_proto_ver,zeek.opcua_binary_opensecure_channel.message_security_mode,zeek.opcua_binary_opensecure_channel.req_lifetime,zeek.opcua_binary_opensecure_channel.sec_token_created_at,zeek.opcua_binary_opensecure_channel.sec_token_id,zeek.opcua_binary_opensecure_channel.sec_token_request_type,zeek.opcua_binary_opensecure_channel.sec_token_revised_time,zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id,zeek.opcua_binary_opensecure_channel.server_nonce,zeek.opcua_binary_opensecure_channel.server_proto_ver -zeek_opcua_binary_status_code_detail=require:zeek.opcua_binary_status_code_detail;title:Zeek 
opcua-binary-status-code-detail.log;fields:zeek.opcua_binary_status_code_detail.historian_bits,zeek.opcua_binary_status_code_detail.historian_bits_str,zeek.opcua_binary_status_code_detail.historianExtraData,zeek.opcua_binary_status_code_detail.historianMultiValue,zeek.opcua_binary_status_code_detail.historianPartial,zeek.opcua_binary_status_code_detail.info_type,zeek.opcua_binary_status_code_detail.info_type_str,zeek.opcua_binary_status_code_detail.limit_bits,zeek.opcua_binary_status_code_detail.limit_bits_str,zeek.opcua_binary_status_code_detail.overflow,zeek.opcua_binary_status_code_detail.semantics_changed,zeek.opcua_binary_status_code_detail.severity,zeek.opcua_binary_status_code_detail.severity_str,zeek.opcua_binary_status_code_detail.source,zeek.opcua_binary_status_code_detail.source_str,zeek.opcua_binary_status_code_detail.status_code,zeek.opcua_binary_status_code_detail.structure_changed,zeek.opcua_binary_status_code_detail.sub_code,zeek.opcua_binary_status_code_detail.sub_code_str +zeek_opcua=require:zeek.opcua_binary;title:Zeek OPC UA Binary 
logs;fields:zeek.opcua_binary_activate_session.client_algorithm,zeek.opcua_binary_activate_session.client_signature,zeek.opcua_binary_activate_session_client_software_cert.cert_data,zeek.opcua_binary_activate_session_client_software_cert.cert_signature,zeek.opcua_binary_activate_session_client_software_cert.client_software_cert_id,zeek.opcua_binary_activate_session_diagnostic_info.activate_session_diag_info_link_id,zeek.opcua_binary_activate_session.ext_obj_certificate_data,zeek.opcua_binary_activate_session.ext_obj_encoding,zeek.opcua_binary_activate_session.ext_obj_encryption_algorithom,zeek.opcua_binary_activate_session.ext_obj_password,zeek.opcua_binary_activate_session.ext_obj_policy_id,zeek.opcua_binary_activate_session.ext_obj_token_data,zeek.opcua_binary_activate_session.ext_obj_type_id_encoding_mask,zeek.opcua_binary_activate_session.ext_obj_type_id_guid,zeek.opcua_binary_activate_session.ext_obj_type_id_namespace_idx,zeek.opcua_binary_activate_session.ext_obj_type_id_numeric,zeek.opcua_binary_activate_session.ext_obj_type_id_opaque,zeek.opcua_binary_activate_session.ext_obj_type_id_str,zeek.opcua_binary_activate_session.ext_obj_type_id_string,zeek.opcua_binary_activate_session.ext_obj_user_name,zeek.opcua_binary_activate_session_locale_id.locale_id,zeek.opcua_binary_activate_session_locale_id.locale_link_id,zeek.opcua_binary_activate_session.server_nonce,zeek.opcua_binary_activate_session.user_token_algorithm,zeek.opcua_binary_activate_session.user_token_signature,zeek.opcua_binary_browse.browse_next_release_continuation_point,zeek.opcua_binary_browse.browse_service_type,zeek.opcua_binary_browse.browse_view_description_timestamp,zeek.opcua_binary_browse.browse_view_description_view_version,zeek.opcua_binary_browse.browse_view_id_encoding_mask,zeek.opcua_binary_browse.browse_view_id_guid,zeek.opcua_binary_browse.browse_view_id_namespace_idx,zeek.opcua_binary_browse.browse_view_id_numeric,zeek.opcua_binary_browse.browse_view_id_opaque,zeek.opcua_binary_brows
e.browse_view_id_string,zeek.opcua_binary_browse_description.browse_description_encoding_mask,zeek.opcua_binary_browse_description.browse_description_guid,zeek.opcua_binary_browse_description.browse_description_include_subtypes,zeek.opcua_binary_browse_description.browse_description_link_id,zeek.opcua_binary_browse_description.browse_description_namespace_idx,zeek.opcua_binary_browse_description.browse_description_numeric,zeek.opcua_binary_browse_description.browse_description_opaque,zeek.opcua_binary_browse_description.browse_description_ref_encoding_mask,zeek.opcua_binary_browse_description.browse_description_ref_guid,zeek.opcua_binary_browse_description.browse_description_ref_namespace_idx,zeek.opcua_binary_browse_description.browse_description_ref_numeric,zeek.opcua_binary_browse_description.browse_description_ref_opaque,zeek.opcua_binary_browse_description.browse_description_ref_string,zeek.opcua_binary_browse_description.browse_description_string,zeek.opcua_binary_browse_description.browse_direction,zeek.opcua_binary_browse_description.browse_node_class_mask,zeek.opcua_binary_browse_description.browse_result_mask,zeek.opcua_binary_browse_diagnostic_info.browse_diag_info_link_id,zeek.opcua_binary_browse.req_max_ref_nodes,zeek.opcua_binary_browse_request_continuation_point.browse_next_link_id,zeek.opcua_binary_browse_request_continuation_point.continuation_point,zeek.opcua_binary_browse_response_references.browse_reference_link_id,zeek.opcua_binary_browse_response_references.browse_response_display_name_locale,zeek.opcua_binary_browse_response_references.browse_response_display_name_mask,zeek.opcua_binary_browse_response_references.browse_response_display_name_text,zeek.opcua_binary_browse_response_references.browse_response_is_forward,zeek.opcua_binary_browse_response_references.browse_response_node_class,zeek.opcua_binary_browse_response_references.browse_response_ref_encoding_mask,zeek.opcua_binary_browse_response_references.browse_response_ref_guid,zeek.opcu
a_binary_browse_response_references.browse_response_ref_name,zeek.opcua_binary_browse_response_references.browse_response_ref_name_idx,zeek.opcua_binary_browse_response_references.browse_response_ref_namespace_idx,zeek.opcua_binary_browse_response_references.browse_response_ref_numeric,zeek.opcua_binary_browse_response_references.browse_response_ref_opaque,zeek.opcua_binary_browse_response_references.browse_response_ref_string,zeek.opcua_binary_browse_response_references.browse_response_ref_type_encoding_mask,zeek.opcua_binary_browse_response_references.browse_response_ref_type_guid,zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_idx,zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_uri,zeek.opcua_binary_browse_response_references.browse_response_ref_type_numeric,zeek.opcua_binary_browse_response_references.browse_response_ref_type_opaque,zeek.opcua_binary_browse_response_references.browse_response_ref_type_server_idx,zeek.opcua_binary_browse_response_references.browse_response_ref_type_string,zeek.opcua_binary_browse_response_references.browse_response_type_def_encoding_mask,zeek.opcua_binary_browse_response_references.browse_response_type_def_guid,zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_idx,zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_uri,zeek.opcua_binary_browse_response_references.browse_response_type_def_numeric,zeek.opcua_binary_browse_response_references.browse_response_type_def_opaque,zeek.opcua_binary_browse_response_references.browse_response_type_def_server_idx,zeek.opcua_binary_browse_response_references.browse_response_type_def_string,zeek.opcua_binary_browse_response_references.browse_result_link_id,zeek.opcua_binary_browse_result.browse_resp_link_id,zeek.opcua_binary_browse_result.browse_response_link_id,zeek.opcua_binary_browse_result.browse_result_continuation_point,zeek.opcua_binary_create_session.algorithm,zeek.o
pcua_binary_create_session.application_type,zeek.opcua_binary_create_session.application_uri,zeek.opcua_binary_create_session.auth_token_encoding_mask,zeek.opcua_binary_create_session.auth_token_guid,zeek.opcua_binary_create_session.auth_token_namespace_idx,zeek.opcua_binary_create_session.auth_token_numeric,zeek.opcua_binary_create_session.auth_token_opaque,zeek.opcua_binary_create_session.auth_token_string,zeek.opcua_binary_create_session.client_cert,zeek.opcua_binary_create_session.client_cert_size,zeek.opcua_binary_create_session.client_nonce,zeek.opcua_binary_create_session_discovery.discovery_profile_link_id,zeek.opcua_binary_create_session_discovery.discovery_profile_uri,zeek.opcua_binary_create_session_discovery.discovery_profile_url,zeek.opcua_binary_create_session.discovery_profile_uri,zeek.opcua_binary_create_session.encoding_mask,zeek.opcua_binary_create_session_endpoints.application_type,zeek.opcua_binary_create_session_endpoints.application_uri,zeek.opcua_binary_create_session_endpoints.cert_size,zeek.opcua_binary_create_session_endpoints.discovery_profile_id,zeek.opcua_binary_create_session_endpoints.discovery_profile_uri,zeek.opcua_binary_create_session_endpoints.encoding_mask,zeek.opcua_binary_create_session_endpoints.endpoint_link_id,zeek.opcua_binary_create_session_endpoints.endpoint_url,zeek.opcua_binary_create_session_endpoints.gateway_server_uri,zeek.opcua_binary_create_session_endpoints.locale,zeek.opcua_binary_create_session_endpoints.message_security_mode,zeek.opcua_binary_create_session_endpoints.product_uri,zeek.opcua_binary_create_session_endpoints.security_level,zeek.opcua_binary_create_session_endpoints.security_policy_uri,zeek.opcua_binary_create_session_endpoints.server_cert,zeek.opcua_binary_create_session_endpoints.text,zeek.opcua_binary_create_session_endpoints.transport_profile_uri,zeek.opcua_binary_create_session.endpoint_url,zeek.opcua_binary_create_session.gateway_server_uri,zeek.opcua_binary_create_session.locale,zeek.opcua_bi
nary_create_session.max_req_msg_size,zeek.opcua_binary_create_session.max_res_msg_size,zeek.opcua_binary_create_session.product_uri,zeek.opcua_binary_create_session.req_session_timeout,zeek.opcua_binary_create_session.revised_session_timeout,zeek.opcua_binary_create_session.server_cert,zeek.opcua_binary_create_session.server_cert_size,zeek.opcua_binary_create_session.server_nonce,zeek.opcua_binary_create_session.server_uri,zeek.opcua_binary_create_session.session_id_encoding_mask,zeek.opcua_binary_create_session.session_id_guid,zeek.opcua_binary_create_session.session_id_namespace_idx,zeek.opcua_binary_create_session.session_id_numeric,zeek.opcua_binary_create_session.session_id_opaque,zeek.opcua_binary_create_session.session_id_string,zeek.opcua_binary_create_session.session_name,zeek.opcua_binary_create_session.signature,zeek.opcua_binary_create_session.text,zeek.opcua_binary_create_session_user_token.user_token_endpoint_url,zeek.opcua_binary_create_session_user_token.user_token_issued_type,zeek.opcua_binary_create_session_user_token.user_token_link_id,zeek.opcua_binary_create_session_user_token.user_token_policy_id,zeek.opcua_binary_create_session_user_token.user_token_sec_policy_uri,zeek.opcua_binary_create_session_user_token.user_token_type,zeek.opcua_binary_create_subscription.max_notifications_per_publish,zeek.opcua_binary_create_subscription.priority,zeek.opcua_binary_create_subscription.publishing_enabled,zeek.opcua_binary_create_subscription.requested_lifetime_count,zeek.opcua_binary_create_subscription.requested_max_keep_alive_count,zeek.opcua_binary_create_subscription.requested_publishing_interval,zeek.opcua_binary_create_subscription.revised_lifetime_count,zeek.opcua_binary_create_subscription.revised_max_keep_alive_count,zeek.opcua_binary_create_subscription.revised_publishing_interval,zeek.opcua_binary_create_subscription.subscription_id,zeek.opcua_binary_diag_info_detail.addl_info,zeek.opcua_binary_diag_info_detail.diag_info_link_id,zeek.opcua_binar
y_diag_info_detail.has_addl_info,zeek.opcua_binary_diag_info_detail.has_inner_diag_info,zeek.opcua_binary_diag_info_detail.has_inner_stat_code,zeek.opcua_binary_diag_info_detail.has_locale,zeek.opcua_binary_diag_info_detail.has_locale_txt,zeek.opcua_binary_diag_info_detail.has_namespace_uri,zeek.opcua_binary_diag_info_detail.has_symbolic_id,zeek.opcua_binary_diag_info_detail.inner_diag_level,zeek.opcua_binary_diag_info_detail.inner_stat_code,zeek.opcua_binary_diag_info_detail.locale,zeek.opcua_binary_diag_info_detail.locale_str,zeek.opcua_binary_diag_info_detail.locale_txt,zeek.opcua_binary_diag_info_detail.locale_txt_str,zeek.opcua_binary_diag_info_detail.namespace_uri,zeek.opcua_binary_diag_info_detail.namespace_uri_str,zeek.opcua_binary_diag_info_detail.source,zeek.opcua_binary_diag_info_detail.source_str,zeek.opcua_binary_diag_info_detail.symbolic_id,zeek.opcua_binary_diag_info_detail.symbolic_id_str,zeek.opcua_binary.encoding_mask,zeek.opcua_binary.endpoint_url,zeek.opcua_binary.error,zeek.opcua_binary_get_endpoints_description.application_type,zeek.opcua_binary_get_endpoints_description.application_uri,zeek.opcua_binary_get_endpoints_description.cert_size,zeek.opcua_binary_get_endpoints_description.discovery_profile_uri,zeek.opcua_binary_get_endpoints_description.encoding_mask,zeek.opcua_binary_get_endpoints_description.endpoint_description_link_id,zeek.opcua_binary_get_endpoints_description.endpoint_uri,zeek.opcua_binary_get_endpoints_description.gateway_server_uri,zeek.opcua_binary_get_endpoints_description.locale,zeek.opcua_binary_get_endpoints_description.message_security_mode,zeek.opcua_binary_get_endpoints_description.product_uri,zeek.opcua_binary_get_endpoints_description.security_level,zeek.opcua_binary_get_endpoints_description.security_policy_uri,zeek.opcua_binary_get_endpoints_description.server_cert,zeek.opcua_binary_get_endpoints_description.text,zeek.opcua_binary_get_endpoints_description.transport_profile_uri,zeek.opcua_binary_get_endpoints_disc
overy.discovery_profile_link_id,zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url,zeek.opcua_binary_get_endpoints.endpoint_url,zeek.opcua_binary_get_endpoints_locale_id.locale_id,zeek.opcua_binary_get_endpoints_locale_id.locale_link_id,zeek.opcua_binary_get_endpoints_profile_uri.profile_uri,zeek.opcua_binary_get_endpoints_profile_uri.profile_uri_link_id,zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url,zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type,zeek.opcua_binary_get_endpoints_user_token.user_token_link_id,zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id,zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri,zeek.opcua_binary_get_endpoints_user_token.user_token_type,zeek.opcua_binary.identifier,zeek.opcua_binary.identifier_str,zeek.opcua_binary.is_final,zeek.opcua_binary.log_types,zeek.opcua_binary.max_chunk_cnt,zeek.opcua_binary.max_msg_size,zeek.opcua_binary.msg_size,zeek.opcua_binary.msg_type,zeek.opcua_binary.namespace_idx,zeek.opcua_binary.opcua_link_id,zeek.opcua_binary_opensecure_channel.client_nonce,zeek.opcua_binary_opensecure_channel.client_proto_ver,zeek.opcua_binary_opensecure_channel.message_security_mode,zeek.opcua_binary_opensecure_channel.req_lifetime,zeek.opcua_binary_opensecure_channel.sec_token_created_at,zeek.opcua_binary_opensecure_channel.sec_token_id,zeek.opcua_binary_opensecure_channel.sec_token_request_type,zeek.opcua_binary_opensecure_channel.sec_token_revised_time,zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id,zeek.opcua_binary_opensecure_channel.server_nonce,zeek.opcua_binary_opensecure_channel.server_proto_ver,zeek.opcua_binary.rcv_buf_size,zeek.opcua_binary.rcv_cert,zeek.opcua_binary.rcv_cert_len,zeek.opcua_binary.reason,zeek.opcua_binary.req_hdr_add_hdr_enc_mask,zeek.opcua_binary.req_hdr_add_hdr_type_id,zeek.opcua_binary.req_hdr_audit_entry_id,zeek.opcua_binary.req_hdr_node_id_guid,zeek.opcua_binary.req_hdr_node_id_namespace_idx,zeek.opcua_
binary.req_hdr_node_id_numeric,zeek.opcua_binary.req_hdr_node_id_opaque,zeek.opcua_binary.req_hdr_node_id_string,zeek.opcua_binary.req_hdr_node_id_type,zeek.opcua_binary.req_hdr_request_handle,zeek.opcua_binary.req_hdr_return_diag,zeek.opcua_binary.req_hdr_timeout_hint,zeek.opcua_binary.req_hdr_timestamp,zeek.opcua_binary.request_id,zeek.opcua_binary.res_hdr_add_hdr_enc_mask,zeek.opcua_binary.res_hdr_add_hdr_type_id,zeek.opcua_binary.res_hdr_request_handle,zeek.opcua_binary.res_hdr_service_diag_encoding,zeek.opcua_binary.res_hdr_timestamp,zeek.opcua_binary.sec_channel_id,zeek.opcua_binary.sec_policy_uri,zeek.opcua_binary.sec_policy_uri_len,zeek.opcua_binary.seq_number,zeek.opcua_binary.snd_buf_size,zeek.opcua_binary.snd_cert,zeek.opcua_binary.snd_cert_len,zeek.opcua_binary_status_code_detail.historian_bits,zeek.opcua_binary_status_code_detail.historian_bits_str,zeek.opcua_binary_status_code_detail.historianExtraData,zeek.opcua_binary_status_code_detail.historianMultiValue,zeek.opcua_binary_status_code_detail.historianPartial,zeek.opcua_binary_status_code_detail.info_type,zeek.opcua_binary_status_code_detail.info_type_str,zeek.opcua_binary_status_code_detail.limit_bits,zeek.opcua_binary_status_code_detail.limit_bits_str,zeek.opcua_binary_status_code_detail.overflow,zeek.opcua_binary_status_code_detail.semantics_changed,zeek.opcua_binary_status_code_detail.severity,zeek.opcua_binary_status_code_detail.severity_str,zeek.opcua_binary_status_code_detail.source,zeek.opcua_binary_status_code_detail.source_level,zeek.opcua_binary_status_code_detail.source_str,zeek.opcua_binary_status_code_detail.status_code,zeek.opcua_binary_status_code_detail.status_code_link_id,zeek.opcua_binary_status_code_detail.structure_changed,zeek.opcua_binary_status_code_detail.sub_code,zeek.opcua_binary_status_code_detail.sub_code_str,zeek.opcua_binary.version zeek_ocsp=require:zeek.ocsp;title:Zeek 
ocsp.log;fields:zeek.ocsp.hashAlgorithm,zeek.ocsp.issuerNameHash,zeek.ocsp.issuerKeyHash,zeek.ocsp.serialNumber,zeek.ocsp.certStatus,zeek.ocsp.revoketime,zeek.ocsp.revokereason,zeek.ocsp.thisUpdate,zeek.ocsp.nextUpdate zeek_ospf=require:zeek.ospf;title:Zeek ospf.log;fields:zeek.ospf.ospf_type,zeek.ospf.version,zeek.ospf.router_id,zeek.ospf.area_id,zeek.ospf.interface_id,zeek.ospf.netmask,zeek.ospf.desig_router,zeek.ospf.backup_router,zeek.ospf.neighbors,zeek.ospf.lsa_type,zeek.ospf.link_state_id,zeek.ospf.advert_router,zeek.ospf.routers,zeek.ospf.link_id,zeek.ospf.link_data,zeek.ospf.link_type,zeek.ospf.neighbor_router_id,zeek.ospf.metrics,zeek.ospf.fwd_addrs,zeek.ospf.route_tags,zeek.ospf.neighbor_interface_id,zeek.ospf.prefix,zeek.ospf.metric,zeek.ospf.dest_router_id,zeek.ospf.link_prefixes,zeek.ospf.intra_prefixes zeek_pe=require:zeek.pe;title:Zeek pe.log;fields:zeek.pe.machine,zeek.pe.compile_ts,zeek.pe.os,zeek.pe.subsystem,zeek.pe.is_exe,zeek.pe.is_64bit,zeek.pe.uses_aslr,zeek.pe.uses_dep,zeek.pe.uses_code_integrity,zeek.pe.uses_seh,zeek.pe.has_import_table,zeek.pe.has_export_table,zeek.pe.has_cert_table,zeek.pe.has_debug_data,zeek.pe.section_names 
@@ -1991,7 +2150,9 @@ zeek_profinet_dce_rpc=require:zeek.profinet_dce_rpc;title:Zeek profinet_dce_rpc. zeek_radius=require:zeek.radius;title:Zeek radius.log;fields:zeek.radius.mac,zeek.radius.framed_addr,zeek.radius.tunnel_client,zeek.radius.connect_info,zeek.radius.reply_msg,zeek.radius.result,zeek.radius.ttl zeek_rdp=require:zeek.rdp;title:Zeek rdp.log;fields:zeek.rdp.cookie,zeek.rdp.result,zeek.rdp.security_protocol,zeek.rdp.client_channels,zeek.rdp.keyboard_layout,zeek.rdp.client_build,zeek.rdp.client_name,zeek.rdp.client_dig_product_id,zeek.rdp.desktop_width,zeek.rdp.desktop_height,zeek.rdp.requested_color_depth,zeek.rdp.cert_type,zeek.rdp.cert_count,zeek.rdp.cert_permanent,zeek.rdp.encryption_level,zeek.rdp.encryption_method zeek_rfb=require:zeek.rfb;title:Zeek rfb.log;fields:zeek.rfb.client_major_version,zeek.rfb.client_minor_version,zeek.rfb.server_major_version,zeek.rfb.server_minor_version,zeek.rfb.authentication_method,zeek.rfb.auth,zeek.rfb.share_flag,zeek.rfb.desktop_name,zeek.rfb.width,zeek.rfb.height -zeek_s7comm=require:zeek.s7comm;title:Zeek s7comm.log;fields:zeek.s7comm.rosctr,zeek.s7comm.parameter,zeek.s7comm.parameters.class,zeek.s7comm.parameters.code,zeek.s7comm.parameters.group,zeek.s7comm.parameters.mode,zeek.s7comm.parameters.sub,zeek.s7comm.parameters.type,zeek.s7comm.item_count,zeek.s7comm.data_info +zeek_s7comm=require:zeek.s7comm;title:Zeek s7comm.log;fields:zeek.s7comm.rosctr_code,zeek.s7comm.rosctr_name,zeek.s7comm.pdu_reference,zeek.s7comm.function_code,zeek.s7comm.function_name,zeek.s7comm.subfunction_code,zeek.s7comm.subfunction_name,zeek.s7comm.error_class,zeek.s7comm.error_code +zeek_s7comm_plus=require:zeek.s7comm_plus;title:Zeek s7comm_plus.log;fields:zeek.s7comm_plus.version,zeek.s7comm_plus.opcode,zeek.s7comm_plus.opcode_name,zeek.s7comm_plus.function_code,zeek.s7comm_plus.function_name +zeek_s7comm_read_szl=require:zeek.s7comm_read_szl;title:Zeek 
s7comm_read_szl.log;fields:zeek.s7comm.pdu_reference,zeek.s7comm_read_szl.method,zeek.s7comm_read_szl.szl_id,zeek.s7comm_read_szl.szl_id_name,zeek.s7comm_read_szl.szl_index,zeek.s7comm_read_szl.return_code,zeek.s7comm_read_szl.return_code_name zeek_signatures=require:zeek.signatures;title:Zeek signatures.log;fields:event.module,rule.category,rule.name,vulnerability.category,vulnerability.enumeration,vulnerability.id,zeek.signatures.sub_message,zeek.signatures.signature_count,zeek.signatures.host_count zeek_sip=require:zeek.sip;title:Zeek sip.log;fields:zeek.sip.trans_depth,zeek.sip.method,zeek.sip.uri,zeek.sip.date,zeek.sip.request_from,zeek.sip.request_to,zeek.sip.response_from,zeek.sip.response_to,zeek.sip.reply_to,zeek.sip.call_id,zeek.sip.seq,zeek.sip.subject,zeek.sip.request_path,zeek.sip.response_path,zeek.sip.user_agent,zeek.sip.status_code,zeek.sip.status_msg,zeek.sip.warning,zeek.sip.request_body_len,zeek.sip.response_body_len,zeek.sip.content_type,zeek.sip.version zeek_smb_cmd=require:zeek.smb_cmd;title:Zeek smb_cmd.log;fields:zeek.smb_cmd.command,zeek.smb_cmd.sub_command,zeek.smb_cmd.argument,zeek.smb_cmd.status,zeek.smb_cmd.rtt,zeek.smb_cmd.version,zeek.smb_cmd.user,zeek.smb_cmd.tree,zeek.smb_cmd.tree_service 
@@ -2003,8 +2164,8 @@ zeek_socks=require:zeek.socks;title:Zeek socks.log;fields:zeek.socks.version,zee zeek_software=require:zeek.software;title:Zeek software.log;fields:zeek.software.software_type,zeek.software.name,zeek.software.version_major,zeek.software.version_minor,zeek.software.version_minor2,zeek.software.version_minor3,zeek.software.version_addl,zeek.software.unparsed_version zeek_ssh=require:zeek.ssh;title:Zeek ssh.log;fields:zeek.ssh.version,zeek.ssh.auth_success,zeek.ssh.auth_attempts,zeek.ssh.direction,zeek.ssh.client,zeek.ssh.server,zeek.ssh.cipher_alg,zeek.ssh.mac_alg,zeek.ssh.compression_alg,zeek.ssh.kex_alg,zeek.ssh.host_key_alg,zeek.ssh.host_key,zeek.ssh.remote_location_country_code,zeek.ssh.remote_location_region,zeek.ssh.remote_location_city,zeek.ssh.remote_location_latitude,zeek.ssh.remote_location_longitude,zeek.ssh.hassh,zeek.ssh.hasshServer,zeek.ssh.hasshAlgorithms,zeek.ssh.hasshServerAlgorithms,zeek.ssh.cshka,zeek.ssh.sshka zeek_ssl=require:zeek.ssl;title:Zeek ssl.log;fields:zeek.ssl.ssl_version,zeek.ssl.ssl_history,zeek.ssl.sni_matches_cert,zeek.ssl.cipher,zeek.ssl.curve,zeek.ssl.server_name,zeek.ssl.resumed,zeek.ssl.last_alert,zeek.ssl.next_protocol,zeek.ssl.established,tls.client.ja3,tls.client.ja3_description,tls.server.ja3s,tls.server.ja3s_description,zeek.ssl.cert_chain_fuids,zeek.ssl.cert_chain_fps,zeek.ssl.client_cert_chain_fuids,zeek.ssl.client_cert_chain_fps,zeek.ssl.subject.CN,zeek.ssl.subject.C,zeek.ssl.subject.O,zeek.ssl.subject.OU,zeek.ssl.subject.ST,zeek.ssl.subject.SN,zeek.ssl.subject.L,zeek.ssl.subject.GN,zeek.ssl.subject.pseudonym,zeek.ssl.subject.serialNumber,zeek.ssl.subject.title,zeek.ssl.subject.initials,zeek.ssl.subject.emailAddress,zeek.ssl.subject.description,zeek.ssl.subject.postalCode,zeek.ssl.subject.street,zeek.ssl.client_subject.CN,zeek.ssl.client_subject.C,zeek.ssl.client_subject.O,zeek.ssl.client_subject.OU,zeek.ssl.client_subject.ST,zeek.ssl.client_subject.SN,zeek.ssl.client_subject.L,zeek.ssl.client_subject
.GN,zeek.ssl.client_subject.pseudonym,zeek.ssl.client_subject.serialNumber,zeek.ssl.client_subject.title,zeek.ssl.client_subject.initials,zeek.ssl.client_subject.emailAddress,zeek.ssl.issuer.CN,zeek.ssl.issuer.C,zeek.ssl.issuer.O,zeek.ssl.issuer.OU,zeek.ssl.issuer.ST,zeek.ssl.issuer.SN,zeek.ssl.issuer.L,zeek.ssl.issuer.DC,zeek.ssl.issuer.GN,zeek.ssl.issuer.pseudonym,zeek.ssl.issuer.serialNumber,zeek.ssl.issuer.title,zeek.ssl.issuer.initials,zeek.ssl.issuer.emailAddress,zeek.ssl.client_issuer.CN,zeek.ssl.client_issuer.C,zeek.ssl.client_issuer.O,zeek.ssl.client_issuer.OU,zeek.ssl.client_issuer.ST,zeek.ssl.client_issuer.SN,zeek.ssl.client_issuer.L,zeek.ssl.client_issuer.DC,zeek.ssl.client_issuer.GN,zeek.ssl.client_issuer.pseudonym,zeek.ssl.client_issuer.serialNumber,zeek.ssl.client_issuer.title,zeek.ssl.client_issuer.initials,zeek.ssl.client_issuer.emailAddress,zeek.ssl.validation_status -zeek_stun=require:zeek.stun;title:Zeek stun.log;fields:zeek.stun.is_orig,zeek.stun.trans_id,zeek.stun.method,zeek.stun.class,zeek.stun.attr_type,zeek.stun.attr_val -zeek_stun_nat=require:zeek.stun_nat;title:Zeek stun_nat.log;fields:zeek.stun_nat.is_orig,zeek.stun_nat.wan_addr,zeek.stun_nat.wan_port,zeek.stun_nat.lan_addr +zeek_stun=require:zeek.stun;title:Zeek stun.log;fields:zeek.stun.trans_id,zeek.stun.method,zeek.stun.class,zeek.stun.attr_type,zeek.stun.attr_val +zeek_stun_nat=require:zeek.stun_nat;title:Zeek stun_nat.log;fields:zeek.stun_nat.wan_addr,zeek.stun_nat.wan_port,zeek.stun_nat.lan_addr zeek_syslog=require:zeek.syslog;title:Zeek syslog.log;fields:zeek.syslog.facility,zeek.syslog.severity,zeek.syslog.message zeek_tds=require:zeek.tds;title:Zeek tds.log;fields:zeek.tds.command zeek_tds_rpc=require:zeek.tds_rpc;title:Zeek tds_rpc.log;fields:zeek.tds_rpc.procedure_name,zeek.tds_rpc.parameters diff --git a/arkime/patch/db_pl_quiet_backup_warning.patch b/arkime/patch/db_pl_quiet_backup_warning.patch new file mode 100644 index 000000000..4e43ebb2f --- /dev/null 
+++ b/arkime/patch/db_pl_quiet_backup_warning.patch @@ -0,0 +1,13 @@ +diff --git a/db/db.pl b/db/db.pl +index 1b24b6a1..c8034ec4 100755 +--- a/db/db.pl ++++ b/db/db.pl +@@ -7111,7 +7111,7 @@ my $health = dbCheckHealth(); + + my $nodes = esGet("/_nodes"); + $main::numberOfNodes = dataNodes($nodes->{nodes}); +-logmsg "It is STRONGLY recommended that you stop ALL Arkime captures and viewers before proceeding. Use 'db.pl ${main::elasticsearch} backup' to backup db first.\n\n"; ++# logmsg "It is STRONGLY recommended that you stop ALL Arkime captures and viewers before proceeding. Use 'db.pl ${main::elasticsearch} backup' to backup db first.\n\n"; + if ($main::numberOfNodes == 1) { + logmsg "There is $main::numberOfNodes elastic search data node, if you expect more please fix first before proceeding.\n\n"; + } else { diff --git a/arkime/patch/field_best_priority.patch b/arkime/patch/field_best_priority.patch new file mode 100644 index 000000000..799be8d9e --- /dev/null +++ b/arkime/patch/field_best_priority.patch @@ -0,0 +1,13 @@ +diff --git a/capture/db.c b/capture/db.c +index c1350507..b29a41ac 100644 +--- a/capture/db.c ++++ b/capture/db.c +@@ -2411,7 +2411,7 @@ void moloch_db_add_field(char *group, char *kind, char *expression, char *friend + } + + BSB_EXPORT_u08(bsb, '}'); +- moloch_http_schedule(esServer, "POST", key, key_len, json, BSB_LENGTH(bsb), NULL, MOLOCH_HTTP_PRIORITY_NORMAL, NULL, NULL); ++ moloch_http_schedule(esServer, "POST", key, key_len, json, BSB_LENGTH(bsb), NULL, MOLOCH_HTTP_PRIORITY_BEST, NULL, NULL); + } + /******************************************************************************/ + void moloch_db_update_field(char *expression, char *name, char *value) diff --git a/arkime/patch/fields_db_max_3000.patch b/arkime/patch/fields_db_max_5000.patch similarity index 66% rename from arkime/patch/fields_db_max_3000.patch rename to arkime/patch/fields_db_max_5000.patch index a68e76f9c..b4799e580 100644 --- a/arkime/patch/fields_db_max_3000.patch 
+++ b/arkime/patch/fields_db_max_5000.patch @@ -1,8 +1,8 @@ diff --git a/capture/db.c b/capture/db.c -index 5bfe0f48..5ea65753 100644 +index c1350507..1ae57143 100644 --- a/capture/db.c +++ b/capture/db.c -@@ -2309,7 +2309,7 @@ LOCAL void moloch_db_load_fields() +@@ -2325,7 +2325,7 @@ LOCAL void moloch_db_load_fields() char key[100]; int key_len; @@ -12,15 +12,15 @@ index 5bfe0f48..5ea65753 100644 if (!data) { diff --git a/capture/moloch.h b/capture/moloch.h -index f3419c15..0005d58a 100644 +index 2a63d913..4b7dc4f0 100644 --- a/capture/moloch.h +++ b/capture/moloch.h -@@ -352,7 +352,7 @@ enum MolochRotate { +@@ -357,7 +357,7 @@ enum MolochRotate { */ #define MOLOCH_FIELD_NOT_FOUND -1 -#define MOLOCH_FIELDS_DB_MAX 512 -+#define MOLOCH_FIELDS_DB_MAX 3000 ++#define MOLOCH_FIELDS_DB_MAX 5000 #define MOLOCH_FIELDS_CNT_MIN MOLOCH_FIELDS_DB_MAX #define MOLOCH_FIELDS_CNT_MAX (MOLOCH_FIELDS_DB_MAX*2) #define MOLOCH_FIELD_EXSPECIAL_START (MOLOCH_FIELDS_CNT_MAX) @@ -37,3 +37,16 @@ index 2f98ebe1..0e7b4002 100644 typedef struct wiserequest { BSB bsb; WiseItem_t *items[WISE_MAX_REQUEST_ITEMS]; +diff --git a/viewer/db.js b/viewer/db.js +index 1eebc559..2046f17b 100644 +--- a/viewer/db.js ++++ b/viewer/db.js +@@ -1835,7 +1835,7 @@ exports.sid2Index = function (id, options) { + }; + + exports.loadFields = async () => { +- return exports.search('fields', 'field', { size: 3000 }); ++ return exports.search('fields', 'field', { size: 5000 }); + }; + + exports.getIndices = async (startTime, stopTime, bounding, rotateIndex) => { diff --git a/arkime/patch/footer_links.patch b/arkime/patch/footer_links.patch index 0c1b2a39e..b89cf4e4d 100644 --- a/arkime/patch/footer_links.patch +++ b/arkime/patch/footer_links.patch @@ -1,13 +1,18 @@ diff --git a/viewer/vueapp/src/components/utils/Footer.vue b/viewer/vueapp/src/components/utils/Footer.vue -index 50e30c99..d54542dc 100644 +index 50e30c99..d67dfb36 100644 --- a/viewer/vueapp/src/components/utils/Footer.vue 
+++ b/viewer/vueapp/src/components/utils/Footer.vue -@@ -5,6 +5,8 @@ +@@ -4,9 +4,11 @@ +

Arkime v{{molochVersion}} | - arkime.com -+ | Malcolm -+ | Dashboards +- arkime.com ++ arkime.com ๐Ÿฆ‰ ++ | Malcโฆฟlm ๐Ÿ“„ ++ | Dashboards ๐Ÿ“Š - | {{ responseTime | commaString }}ms +- | {{ responseTime | commaString }}ms ++ | {{ responseTime | commaString }}ms โฑ๏ธ + + | diff --git a/arkime/scripts/arkime-needs-upgrade.sh b/arkime/scripts/arkime-needs-upgrade.sh index 95990af98..6bd5e474d 100755 --- a/arkime/scripts/arkime-needs-upgrade.sh +++ b/arkime/scripts/arkime-needs-upgrade.sh @@ -2,6 +2,18 @@ # Copyright (c) 2022 Battelle Energy Alliance, LLC. All rights reserved. +OPENSEARCH_URL=${OPENSEARCH_URL:-"http://opensearch:9200"} +OPENSEARCH_LOCAL=${OPENSEARCH_LOCAL:-"true"} +OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/opensearch.primary.curlrc"} +if [[ "$OPENSEARCH_LOCAL" == "false" ]] && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE" ]]; then + CURL_CONFIG_PARAMS=( + --config + "$OPENSEARCH_CREDS_CONFIG_FILE" + ) +else + CURL_CONFIG_PARAMS=() +fi + # this script returns: # 0 - an UPGRADE IS NEEDED for Arkime indices # 1 - an UPGRADE IS NOT NEEDED for Arkime indices @@ -39,6 +51,6 @@ while read INDEX_NAME; do fi # compare INDEX_NAME vs. INDEX_PREFIX done # loop over ARKIME_INDEX_CURRENT_VERSIONS -done <<<$(curl -fsS -H"Content-Type: application/json" -XGET "http://$OS_HOST:$OS_PORT/_cat/indices?v" | tail -n +2 | awk '{print $3}') +done <<<$(curl "${CURL_CONFIG_PARAMS[@]}" -fsS -H"Content-Type: application/json" -XGET "${OPENSEARCH_URL}/_cat/indices?v" | tail -n +2 | awk '{print $3}') exit $RETURN_CODE diff --git a/arkime/scripts/arkime_update_geo.sh b/arkime/scripts/arkime_update_geo.sh index 48268e3a3..5c704d23e 100755 --- a/arkime/scripts/arkime_update_geo.sh +++ b/arkime/scripts/arkime_update_geo.sh 
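Review bot: When `OPENSEARCH_LOCAL` is `false` but the curlrc is not readable, the `else` branch of the new block silently falls back to `CURL_CONFIG_PARAMS=()`, i.e. an unauthenticated request, and because the `done <<<$(curl … | tail -n +2 | awk …)` pipeline in the second hunk only reports awk's exit status, a rejected request degrades into an empty index list rather than an error. Log the fallback so an operator can see it, e.g. `[[ "$OPENSEARCH_LOCAL" == "false" ]] && echo "warning: $OPENSEARCH_CREDS_CONFIG_FILE is not readable, querying $OPENSEARCH_URL without credentials" >&2` before `CURL_CONFIG_PARAMS=()`, and consider exiting non-zero instead if unauthenticated access is never expected in that mode. Whether an empty list then reads as "no upgrade needed" depends on how RETURN_CODE is initialised, which is outside the hunk; the same silent fallback block is added to initarkime.sh in this commit.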
@@ -2,7 +2,7 @@ # Copyright (c) 2022 Battelle Energy Alliance, LLC. All rights reserved. -cd "${ARKIMEDIR:-/opt/arkime}"/etc +cd "${ARKIME_DIR:-/opt/arkime}"/etc wget -nv --no-check-certificate -O ipv4-address-space.csv_new https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv && \ mv -f ipv4-address-space.csv_new ipv4-address-space.csv || \ diff --git a/arkime/scripts/docker_entrypoint.sh b/arkime/scripts/docker_entrypoint.sh new file mode 100755 index 000000000..a43e8f3c0 --- /dev/null +++ b/arkime/scripts/docker_entrypoint.sh 
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+function urlencodeall() {
+ local length="${#1}"
+ for (( i = 0; i < length; i++ )); do
+ local c="${1:i:1}"
+ printf '%%%02X' "'$c"
+ done
+}
+
+ARKIME_DIR=${ARKIME_DIR:-"/opt/arkime"}
+
+OPENSEARCH_URL_FINAL=${OPENSEARCH_URL:-"http://opensearch:9200"}
+OPENSEARCH_LOCAL=${OPENSEARCH_LOCAL:-"true"}
+OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/opensearch.primary.curlrc"}
+if [[ "$OPENSEARCH_LOCAL" == "false" ]] && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE" ]]; then
+ # need to build the opensearch URL (including username/password) by combining
+ # OPENSEARCH_URL and parameters from OPENSEARCH_CREDS_CONFIG_FILE
+
+ # get the new username/password from the curl file (I already wrote python code to do this, so sue me)
+ pushd "$(dirname $(realpath -e "${BASH_SOURCE[0]}"))" >/dev/null 2>&1
+ NEW_USER_PASSWORD="$(python3 -c "import malcolm_common; result=malcolm_common.ParseCurlFile('$OPENSEARCH_CREDS_CONFIG_FILE'); print(result['user']+'|'+result['password']);")"
+ NEW_USER="$(echo "$NEW_USER_PASSWORD" | cut -d'|' -f1)"
+ NEW_PASSWORD="$(urlencodeall "$(echo "$NEW_USER_PASSWORD" | cut -d'|' -f2-)")"
+ popd >/dev/null 2>&1
+
+ # extract the other stuff from OPENSEARCH_URL_FINAL
+ # extract the protocol
+ PROTOCOL=$(echo "$OPENSEARCH_URL_FINAL" | grep "://" | sed -e's,^\(.*://\).*,\1,g')
+ # Remove the PROTOCOL
+ URL_NO_PROTOCOL=$(echo "${OPENSEARCH_URL_FINAL/$PROTOCOL/}")
+ # Use tr: Make the PROTOCOL lower-case for easy string compare
+ PROTOCOL=$(echo "$PROTOCOL" | tr '[:upper:]' '[:lower:]')
+
+ # Extract the old user and password (if any)
+ USERPASS=$(echo "$URL_NO_PROTOCOL" | grep "@" | cut -d"/" -f1 | rev | cut -d"@" -f2- | rev)
+
+ # Extract the host
+ HOSTPORT=$(echo "${URL_NO_PROTOCOL/$USERPASS@/}" | cut -d"/" -f1)
+
+ # smoosh them all together for the new URL
+ OPENSEARCH_URL_FINAL="${PROTOCOL}${NEW_USER}:${NEW_PASSWORD}@${HOSTPORT}"
+fi
+
+if [[ -r "${ARKIME_DIR}"/etc/config.orig.ini ]]; then
+ cp 
"${ARKIME_DIR}"/etc/config.orig.ini "${ARKIME_DIR}"/etc/config.ini + sed -i "s|^\(elasticsearch=\).*|\1"${OPENSEARCH_URL_FINAL}"|" "${ARKIME_DIR}"/etc/config.ini + chmod 600 "${ARKIME_DIR}"/etc/config.ini +fi +unset OPENSEARCH_URL_FINAL + +# start supervisor or whatever the default command is +exec "$@" diff --git a/arkime/scripts/initarkime.sh b/arkime/scripts/initarkime.sh index ab2302acb..a0a0fea64 100755 --- a/arkime/scripts/initarkime.sh +++ b/arkime/scripts/initarkime.sh @@ -2,20 +2,35 @@ # Copyright (c) 2022 Battelle Energy Alliance, LLC. All rights reserved. +OPENSEARCH_URL=${OPENSEARCH_URL:-"http://opensearch:9200"} +OPENSEARCH_LOCAL=${OPENSEARCH_LOCAL:-"true"} +OPENSEARCH_SSL_CERTIFICATE_VERIFICATION=${OPENSEARCH_SSL_CERTIFICATE_VERIFICATION:-"false"} +OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/opensearch.primary.curlrc"} +if [[ "$OPENSEARCH_LOCAL" == "false" ]] && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE" ]]; then + CURL_CONFIG_PARAMS=( + --config + "$OPENSEARCH_CREDS_CONFIG_FILE" + ) +else + CURL_CONFIG_PARAMS=() +fi +[[ "$OPENSEARCH_SSL_CERTIFICATE_VERIFICATION" != "true" ]] && DB_SSL_FLAG="--insecure" || DB_SSL_FLAG="" +OPENSEARCH_URL_FULL="$(grep -Pi '^elasticsearch\s*=' $ARKIME_DIR/etc/config.ini | cut -d'=' -f2-)" + rm -f /var/run/arkime/initialized /var/run/arkime/runwise echo "Giving OpenSearch time to start..." /opt/opensearch_status.sh 2>&1 && echo "OpenSearch is running!" # download and/or update geo updates -$ARKIMEDIR/bin/arkime_update_geo.sh +$ARKIME_DIR/bin/arkime_update_geo.sh # start and wait patiently for WISE if [[ "$WISE" = "on" ]] ; then touch /var/run/arkime/runwise echo "Giving WISE time to start..." sleep 5 - until curl -sSf --output /dev/null "http://127.0.0.1:8081/fields?ver=1" + until curl -fsS --output /dev/null "http://127.0.0.1:8081/fields?ver=1" do echo "Waiting for WISE to start" sleep 1 
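Review bot: The `cp` / `sed -i` / `chmod 600` sequence at the end of the hunk writes the OpenSearch password into config.ini before the mode is tightened, so for that window the file carries whatever mode the container's umask gives a fresh copy; run `chmod 600` directly after `cp` and before `sed -i` (GNU sed's in-place edit keeps the target's mode, so the edited file stays 0600). `urlencodeall` also iterates characters rather than bytes: under a UTF-8 locale a non-ASCII password character makes `"'$c"` a code point above 0xFF and `%02X` then emits more than two hex digits, which is not valid percent-encoding, so the function should begin with `local LC_ALL=C`. Finally only the password is encoded — `NEW_USER` goes into the URL and into the `sed` replacement raw, so a username containing `:`, `@`, `/` or `&` corrupts the URL or the substitution; pass it through `urlencodeall` as well.
```shell
function urlencodeall() {
  local LC_ALL=C   # walk bytes, not characters, so each one becomes exactly one %XX
  local length="${#1}"
  # … unchanged: per-byte printf loop …
}
# … unchanged: variable defaults, curlrc parsing …
  NEW_USER="$(urlencodeall "$(echo "$NEW_USER_PASSWORD" | cut -d'|' -f1)")"
# … unchanged: protocol / host extraction, URL reassembly …
if [[ -r "${ARKIME_DIR}"/etc/config.orig.ini ]]; then
  cp "${ARKIME_DIR}"/etc/config.orig.ini "${ARKIME_DIR}"/etc/config.ini
  chmod 600 "${ARKIME_DIR}"/etc/config.ini   # tighten the mode before the credential is written into the file
  sed -i "s|^\(elasticsearch=\).*|\1"${OPENSEARCH_URL_FINAL}"|" "${ARKIME_DIR}"/etc/config.ini
fi
```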
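Review bot: `OPENSEARCH_URL_FULL` re-reads the `elasticsearch=` value from config.ini, which after docker_entrypoint.sh has run contains the remote `user:password` when `OPENSEARCH_LOCAL` is `false`, and the later hunks of this file put that value on the db.pl command line (`initnoprompt`, `upgradenoprompt`), as does wipearkime.sh, so the credential is readable from `/proc/*/cmdline` inside the container for the duration of those runs. If db.pl can take the credential from a file or the environment instead, prefer that; otherwise a comment such as `# OPENSEARCH_URL_FULL may embed credentials; it is only ever handed to db.pl inside this container` would at least record the trade-off where the variable is defined. `$ARKIME_DIR/etc/config.ini` is unquoted in the `grep`, unlike the `"${ARKIME_DIR}"` quoting used in the new entrypoint, and `OPENSEARCH_SSL_CERTIFICATE_VERIFICATION` defaulting to `false` means `DB_SSL_FLAG` is `--insecure` unless the operator opts in, which deserves a one-line comment stating that the default is intentional.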
@@ -25,27 +40,27 @@ if [[ "$WISE" = "on" ]] ; then fi # initialize the contents of the OpenSearch database if it has never been initialized (ie., the users_v# table hasn't been created) -if [[ $(curl -fs -XGET -H'Content-Type: application/json' "http://$OS_HOST:$OS_PORT/_cat/indices/arkime_users_v*" | wc -l) < 1 ]]; then +if [[ $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -XGET -H'Content-Type: application/json' "${OPENSEARCH_URL}/_cat/indices/arkime_users_v*" | wc -l) < 1 ]]; then echo "Initializing OpenSearch database..." - $ARKIMEDIR/db/db.pl http://$OS_HOST:$OS_PORT initnoprompt + $ARKIME_DIR/db/db.pl $DB_SSL_FLAG "${OPENSEARCH_URL_FULL}" initnoprompt echo "Creating default user..." # this password isn't going to be used by Arkime, nginx will do the auth instead - $ARKIMEDIR/bin/arkime_add_user.sh "${MALCOLM_USERNAME}" "${MALCOLM_USERNAME}" "ignored" --admin --webauthonly --webauth + $ARKIME_DIR/bin/arkime_add_user.sh "${MALCOLM_USERNAME}" "${MALCOLM_USERNAME}" "ignored" --admin --webauthonly --webauth $DB_SSL_FLAG echo "Initializing fields..." # this is a hacky way to get all of the Arkime-parseable field definitions put into E.S. touch /tmp/not_a_packet.pcap - $ARKIMEDIR/bin/capture --packetcnt 0 -r /tmp/not_a_packet.pcap >/dev/null 2>&1 + $ARKIME_DIR/bin/capture $DB_SSL_FLAG --packetcnt 0 -r /tmp/not_a_packet.pcap >/dev/null 2>&1 rm -f /tmp/not_a_packet.pcap echo "Setting defaults..." - curl -sS -H'Content-Type: application/json' -XPOST http://$OS_HOST:$OS_PORT/arkime_users/_update/$MALCOLM_USERNAME -d "@$ARKIMEDIR/etc/user_settings.json" + curl "${CURL_CONFIG_PARAMS[@]}" -sS -H'Content-Type: application/json' -XPOST "${OPENSEARCH_URL}/arkime_users/_update/$MALCOLM_USERNAME" -d "@$ARKIME_DIR/etc/user_settings.json" echo -e "\nOpenSearch database initialized!\n" 
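Review bot: `[[ $(curl … | wc -l) < 1 ]]` is a string comparison inside `[[ ]]`, not a numeric one; it only works because `wc -l` prints `0` for an empty body, so since the line is being rewritten make it `[[ $(curl … | wc -l) -lt 1 ]]` (or `-eq 0`). With `-fs` and the status of the pipeline discarded, a failed or unauthorised request also yields an empty body and is indistinguishable from "no users index", which sends the script down the `initnoprompt` path; checking curl's exit status separately, or at least keeping `-S` so the failure is logged, would make that case visible.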
@@ -55,7 +70,7 @@ else if /opt/arkime-needs-upgrade.sh 2>&1; then echo "OpenSearch database needs to be upgraded for $ARKIME_VERSION!" - $ARKIMEDIR/db/db.pl http://$OS_HOST:$OS_PORT upgradenoprompt + $ARKIME_DIR/db/db.pl $DB_SSL_FLAG "${OPENSEARCH_URL_FULL}" upgradenoprompt echo "OpenSearch database upgrade complete!" echo @@ -67,13 +82,13 @@ else fi # if/else OpenSearch database initialized # increase OpenSearch max shards per node from default if desired -if [[ -n $OS_MAX_SHARDS_PER_NODE ]]; then +if [[ -n $OPENSEARCH_MAX_SHARDS_PER_NODE ]]; then # see https://github.com/elastic/elasticsearch/issues/40803 - curl -sS -H'Content-Type: application/json' -XPUT http://$OS_HOST:$OS_PORT/_cluster/settings -d "{ \"persistent\": { \"cluster.max_shards_per_node\": \"$OS_MAX_SHARDS_PER_NODE\" } }" + curl "${CURL_CONFIG_PARAMS[@]}" -sS -H'Content-Type: application/json' -XPUT "${OPENSEARCH_URL}/_cluster/settings" -d "{ \"persistent\": { \"cluster.max_shards_per_node\": \"$OPENSEARCH_MAX_SHARDS_PER_NODE\" } }" fi # before running viewer, call _refresh to make sure everything is available for search first -curl -sS -XPOST http://$OS_HOST:$OS_PORT/_refresh +curl "${CURL_CONFIG_PARAMS[@]}" -sS -XPOST "${OPENSEARCH_URL}/_refresh" touch /var/run/arkime/initialized diff --git a/arkime/scripts/viewer_service.sh b/arkime/scripts/viewer_service.sh index 21422ac82..8fdbdfcf0 100755 --- a/arkime/scripts/viewer_service.sh +++ b/arkime/scripts/viewer_service.sh @@ -6,8 +6,8 @@ while true; do if [[ -f /var/run/arkime/initialized && "$VIEWER" == "on" ]]; then echo "Launch viewer..." - cd $ARKIMEDIR/viewer - $ARKIMEDIR/bin/node viewer.js -c $ARKIMEDIR/etc/config.ini | tee -a $ARKIMEDIR/logs/viewer.log 2>&1 + cd $ARKIME_DIR/viewer + $ARKIME_DIR/bin/node viewer.js --insecure -c $ARKIME_DIR/etc/config.ini | tee -a $ARKIME_DIR/logs/viewer.log 2>&1 fi sleep 5 done diff --git a/arkime/scripts/wipearkime.sh b/arkime/scripts/wipearkime.sh index 672ab0a9e..6ae18be64 100755 
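Review bot: `--insecure` is hard-coded on the viewer.js command line, while initarkime.sh in the same commit derives `DB_SSL_FLAG` from `OPENSEARCH_SSL_CERTIFICATE_VERIFICATION`; an operator who sets that variable to `true` still gets certificate verification disabled for the viewer. Compute the flag the same way here, `[[ "${OPENSEARCH_SSL_CERTIFICATE_VERIFICATION:-false}" != "true" ]] && DB_SSL_FLAG="--insecure" || DB_SSL_FLAG=""` before the `while true` loop (whose start is outside the hunk), then `$ARKIME_DIR/bin/node viewer.js $DB_SSL_FLAG -c $ARKIME_DIR/etc/config.ini …`. The same unconditional `--insecure` is added to wiseService.js in wise_service.sh and to the `capture` call in wipearkime.sh, where it sits beside a `db.pl $DB_SSL_FLAG` invocation that does honour the setting.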
--- a/arkime/scripts/wipearkime.sh +++ b/arkime/scripts/wipearkime.sh @@ -2,14 +2,16 @@ # Copyright (c) 2022 Battelle Energy Alliance, LLC. All rights reserved. +[[ ${OPENSEARCH_SSL_CERTIFICATE_VERIFICATION:-"false"} != "true" ]] && DB_SSL_FLAG="--insecure" || DB_SSL_FLAG="" +OPENSEARCH_URL_FULL="$(grep -Pi '^elasticsearch\s*=' $ARKIME_DIR/etc/config.ini | cut -d'=' -f2-)" echo "Checking OpenSearch..." /opt/opensearch_status.sh 2>&1 && echo "OpenSearch is running!" #Wipe is the same initalize except it keeps users intact -echo WIPE | /opt/arkime/db/db.pl http://$OS_HOST:$OS_PORT wipe +echo WIPE | /opt/arkime/db/db.pl $DB_SSL_FLAG "${OPENSEARCH_URL_FULL}" wipe #this is a hacky way to get all of the parseable field definitions put into O.S. touch /tmp/not_a_packet.pcap -$ARKIMEDIR/bin/capture --packetcnt 0 -r /tmp/not_a_packet.pcap >/dev/null 2>&1 +$ARKIME_DIR/bin/capture --insecure --packetcnt 0 -r /tmp/not_a_packet.pcap >/dev/null 2>&1 rm -f /tmp/not_a_packet.pcap diff --git a/arkime/scripts/wise_service.sh b/arkime/scripts/wise_service.sh index 5d0d2fa4a..a9e8c94fe 100755 --- a/arkime/scripts/wise_service.sh +++ b/arkime/scripts/wise_service.sh @@ -4,10 +4,10 @@ while true; do - if [[ ("$WISE" == "on") && (-f /var/run/arkime/runwise) && (-f $ARKIMEDIR/etc/wise.ini) ]]; then + if [[ ("$WISE" == "on") && (-f /var/run/arkime/runwise) && (-f $ARKIME_DIR/etc/wise.ini) ]]; then echo "Launch wise..." - pushd $ARKIMEDIR/wiseService >/dev/null 2>&1 - $ARKIMEDIR/bin/node wiseService.js -c $ARKIMEDIR/etc/wise.ini + pushd $ARKIME_DIR/wiseService >/dev/null 2>&1 + $ARKIME_DIR/bin/node wiseService.js --insecure -c $ARKIME_DIR/etc/wise.ini popd >/dev/null 2>&1 fi sleep 5 diff --git a/arkime/supervisord.conf b/arkime/supervisord.conf index 97fe4cf09..2bb98ec8b 100644 --- a/arkime/supervisord.conf +++ b/arkime/supervisord.conf 
@@ -23,7 +23,7 @@ startretries=0
autorestart=false
stopasgroup=true
killasgroup=true
-directory=%(ENV_ARKIMEDIR)s
+directory=%(ENV_ARKIME_DIR)s
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
redirect_stderr=true
@@ -34,8 +34,8 @@ startsecs=0
startretries=0
stopasgroup=true
killasgroup=true
-directory=%(ENV_ARKIMEDIR)s/wiseService
-stdout_logfile=%(ENV_ARKIMEDIR)s/logs/wise.log
+directory=%(ENV_ARKIME_DIR)s/wiseService
+stdout_logfile=%(ENV_ARKIME_DIR)s/logs/wise.log
redirect_stderr=true

[program:viewer]
@@ -44,7 +44,7 @@ startsecs=0
startretries=0
stopasgroup=true
killasgroup=true
-directory=%(ENV_ARKIMEDIR)s
+directory=%(ENV_ARKIME_DIR)s
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
redirect_stderr=true
@@ -65,14 +65,14 @@ startsecs=15
startretries=1
stopasgroup=true
killasgroup=true
-directory=%(ENV_ARKIMEDIR)s
+directory=%(ENV_ARKIME_DIR)s
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
redirect_stderr=true

[program:readme]
command=python3 -m http.server 8000
-directory=%(ENV_ARKIMEDIR)s/doc
+directory=%(ENV_ARKIME_DIR)s/doc
stopasgroup=true
killasgroup=true
stdout_logfile=/dev/fd/1
diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
index 2c236732f..962dc3bd6 100644
--- a/arkime/wise/source.zeeklogs.js
+++ b/arkime/wise/source.zeeklogs.js
@@ -118,6 +118,7 @@ class MalcolmSource extends WISESource {
"network.direction",
"network.iana_number",
"network.inner.vlan.id",
+ "network.is_orig",
"network.name",
"network.packets",
"network.protocol",
@@ -813,6 +814,8 @@ class MalcolmSource extends WISESource {
"zeek.conn.resp_pkts",
"zeek.conn.tunnel_parents",
"zeek.conn.vlan",
+ "zeek.cotp.pdu_code",
+ "zeek.cotp.pdu_name",
"zeek.dce_rpc.endpoint",
"zeek.dce_rpc.named_pipe",
"zeek.dce_rpc.operation",
@@ -930,7 +933,6 @@ class MalcolmSource extends WISESource {
"zeek.files.extracted_size",
"zeek.files.filename",
"zeek.files.ftime",
- "zeek.files.is_orig",
"zeek.files.local_orig",
"zeek.files.md5",
"zeek.files.mime_type",
@@ -1018,7 +1020,6 @@ class MalcolmSource extends WISESource {
"zeek.ipsec.flags",
"zeek.ipsec.hash",
"zeek.ipsec.initiator_spi",
- "zeek.ipsec.is_orig",
"zeek.ipsec.ke_dh_groups",
"zeek.ipsec.length",
"zeek.ipsec.maj_ver",
@@ -1039,7 +1040,6 @@ class MalcolmSource extends WISESource {
"zeek.irc.dcc_mime_type",
"zeek.irc.nick",
"zeek.irc.value",
- "zeek.iso_cotp.pdu_type",
"zeek.kerberos.cipher",
"zeek.kerberos.client_cert_fuid",
"zeek.kerberos.client_cert_subject",
@@ -1177,12 +1177,13 @@ class MalcolmSource extends WISESource {
"zeek.opcua_binary.identifier",
"zeek.opcua_binary.identifier_str",
"zeek.opcua_binary.is_final",
+ "zeek.opcua_binary.log_types",
"zeek.opcua_binary.max_chunk_cnt",
"zeek.opcua_binary.max_msg_size",
"zeek.opcua_binary.msg_size",
"zeek.opcua_binary.msg_type",
"zeek.opcua_binary.namespace_idx",
- "zeek.opcua_binary.opcua_id",
+ "zeek.opcua_binary.opcua_link_id",
"zeek.opcua_binary.rcv_buf_size",
"zeek.opcua_binary.rcv_cert",
"zeek.opcua_binary.rcv_cert_len",
@@ -1205,7 +1206,6 @@ class MalcolmSource extends WISESource {
"zeek.opcua_binary.res_hdr_add_hdr_type_id",
"zeek.opcua_binary.res_hdr_request_handle",
"zeek.opcua_binary.res_hdr_service_diag_encoding",
- "zeek.opcua_binary.res_hdr_service_result",
"zeek.opcua_binary.res_hdr_timestamp",
"zeek.opcua_binary.sec_channel_id",
"zeek.opcua_binary.sec_policy_uri",
@@ -1215,7 +1215,169 @@ class MalcolmSource extends WISESource {
"zeek.opcua_binary.snd_cert",
"zeek.opcua_binary.snd_cert_len",
"zeek.opcua_binary.version",
+ "zeek.opcua_binary_activate_session.client_algorithm",
+ "zeek.opcua_binary_activate_session.client_signature",
+ "zeek.opcua_binary_activate_session.ext_obj_certificate_data",
+ "zeek.opcua_binary_activate_session.ext_obj_encoding",
+ "zeek.opcua_binary_activate_session.ext_obj_encryption_algorithom",
+ "zeek.opcua_binary_activate_session.ext_obj_password",
+ "zeek.opcua_binary_activate_session.ext_obj_policy_id",
+ "zeek.opcua_binary_activate_session.ext_obj_token_data",
+ "zeek.opcua_binary_activate_session.ext_obj_type_id_encoding_mask",
+ "zeek.opcua_binary_activate_session.ext_obj_type_id_guid",
+ "zeek.opcua_binary_activate_session.ext_obj_type_id_namespace_idx",
+ "zeek.opcua_binary_activate_session.ext_obj_type_id_numeric",
+ "zeek.opcua_binary_activate_session.ext_obj_type_id_opaque",
+ "zeek.opcua_binary_activate_session.ext_obj_type_id_str",
+ "zeek.opcua_binary_activate_session.ext_obj_type_id_string",
+ "zeek.opcua_binary_activate_session.ext_obj_user_name",
+ "zeek.opcua_binary_activate_session.server_nonce",
+ "zeek.opcua_binary_activate_session.user_token_algorithm",
+ "zeek.opcua_binary_activate_session.user_token_signature",
+ "zeek.opcua_binary_activate_session_client_software_cert.cert_data",
+ "zeek.opcua_binary_activate_session_client_software_cert.cert_signature",
+ "zeek.opcua_binary_activate_session_client_software_cert.client_software_cert_id",
+ "zeek.opcua_binary_activate_session_diagnostic_info.activate_session_diag_info_link_id",
+ "zeek.opcua_binary_activate_session_locale_id.locale_id",
+ "zeek.opcua_binary_activate_session_locale_id.locale_link_id",
+ "zeek.opcua_binary_browse.browse_next_release_continuation_point",
+ "zeek.opcua_binary_browse.browse_service_type",
+ "zeek.opcua_binary_browse.browse_view_description_timestamp",
+ "zeek.opcua_binary_browse.browse_view_description_view_version",
+ "zeek.opcua_binary_browse.browse_view_id_encoding_mask",
+ "zeek.opcua_binary_browse.browse_view_id_guid",
+ "zeek.opcua_binary_browse.browse_view_id_namespace_idx",
+ "zeek.opcua_binary_browse.browse_view_id_numeric",
+ "zeek.opcua_binary_browse.browse_view_id_opaque",
+ "zeek.opcua_binary_browse.browse_view_id_string",
+ "zeek.opcua_binary_browse.req_max_ref_nodes",
+ "zeek.opcua_binary_browse_description.browse_description_encoding_mask",
+ "zeek.opcua_binary_browse_description.browse_description_guid",
+ "zeek.opcua_binary_browse_description.browse_description_include_subtypes",
+ "zeek.opcua_binary_browse_description.browse_description_link_id",
+ "zeek.opcua_binary_browse_description.browse_description_namespace_idx",
+ "zeek.opcua_binary_browse_description.browse_description_numeric",
+ "zeek.opcua_binary_browse_description.browse_description_opaque",
+ "zeek.opcua_binary_browse_description.browse_description_ref_encoding_mask",
+ "zeek.opcua_binary_browse_description.browse_description_ref_guid",
+ "zeek.opcua_binary_browse_description.browse_description_ref_namespace_idx",
+ "zeek.opcua_binary_browse_description.browse_description_ref_numeric",
+ "zeek.opcua_binary_browse_description.browse_description_ref_opaque",
+ "zeek.opcua_binary_browse_description.browse_description_ref_string",
+ "zeek.opcua_binary_browse_description.browse_description_string",
+ "zeek.opcua_binary_browse_description.browse_direction",
+ "zeek.opcua_binary_browse_description.browse_node_class_mask",
+ "zeek.opcua_binary_browse_description.browse_result_mask",
+ "zeek.opcua_binary_browse_diagnostic_info.browse_diag_info_link_id",
+ "zeek.opcua_binary_browse_request_continuation_point.browse_next_link_id",
+ "zeek.opcua_binary_browse_request_continuation_point.continuation_point",
+ "zeek.opcua_binary_browse_response_references.browse_reference_link_id",
+ "zeek.opcua_binary_browse_response_references.browse_response_display_name_locale",
+ "zeek.opcua_binary_browse_response_references.browse_response_display_name_mask",
+ "zeek.opcua_binary_browse_response_references.browse_response_display_name_text",
+ "zeek.opcua_binary_browse_response_references.browse_response_is_forward",
+ "zeek.opcua_binary_browse_response_references.browse_response_node_class",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_encoding_mask",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_guid",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_name",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_name_idx",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_namespace_idx",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_numeric",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_opaque",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_string",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_type_encoding_mask",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_type_guid",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_idx",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_uri",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_type_numeric",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_type_opaque",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_type_server_idx",
+ "zeek.opcua_binary_browse_response_references.browse_response_ref_type_string",
+ "zeek.opcua_binary_browse_response_references.browse_response_type_def_encoding_mask",
+ "zeek.opcua_binary_browse_response_references.browse_response_type_def_guid",
+ "zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_idx",
+ "zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_uri",
+ "zeek.opcua_binary_browse_response_references.browse_response_type_def_numeric",
+ "zeek.opcua_binary_browse_response_references.browse_response_type_def_opaque",
+ "zeek.opcua_binary_browse_response_references.browse_response_type_def_server_idx",
+ "zeek.opcua_binary_browse_response_references.browse_response_type_def_string",
+ "zeek.opcua_binary_browse_response_references.browse_result_link_id",
+ "zeek.opcua_binary_browse_result.browse_resp_link_id",
+ "zeek.opcua_binary_browse_result.browse_response_link_id",
+ "zeek.opcua_binary_browse_result.browse_result_continuation_point",
+ "zeek.opcua_binary_create_session.algorithm",
+ "zeek.opcua_binary_create_session.application_type",
+ "zeek.opcua_binary_create_session.application_uri",
+ "zeek.opcua_binary_create_session.auth_token_encoding_mask",
+ "zeek.opcua_binary_create_session.auth_token_guid",
+ "zeek.opcua_binary_create_session.auth_token_namespace_idx",
+ "zeek.opcua_binary_create_session.auth_token_numeric",
+ "zeek.opcua_binary_create_session.auth_token_opaque",
+ "zeek.opcua_binary_create_session.auth_token_string",
+ "zeek.opcua_binary_create_session.client_cert",
+ "zeek.opcua_binary_create_session.client_cert_size",
+ "zeek.opcua_binary_create_session.client_nonce",
+ "zeek.opcua_binary_create_session.discovery_profile_uri",
+ "zeek.opcua_binary_create_session.encoding_mask",
+ "zeek.opcua_binary_create_session.endpoint_url",
+ "zeek.opcua_binary_create_session.gateway_server_uri",
+ "zeek.opcua_binary_create_session.locale",
+ "zeek.opcua_binary_create_session.max_req_msg_size",
+ "zeek.opcua_binary_create_session.max_res_msg_size",
+ "zeek.opcua_binary_create_session.product_uri",
+ "zeek.opcua_binary_create_session.req_session_timeout",
+ "zeek.opcua_binary_create_session.revised_session_timeout",
+ "zeek.opcua_binary_create_session.server_cert",
+ "zeek.opcua_binary_create_session.server_cert_size",
+ "zeek.opcua_binary_create_session.server_nonce",
+ "zeek.opcua_binary_create_session.server_uri",
+ "zeek.opcua_binary_create_session.session_id_encoding_mask",
+ "zeek.opcua_binary_create_session.session_id_guid",
+ "zeek.opcua_binary_create_session.session_id_namespace_idx",
+ "zeek.opcua_binary_create_session.session_id_numeric",
+ "zeek.opcua_binary_create_session.session_id_opaque",
+ "zeek.opcua_binary_create_session.session_id_string",
+ "zeek.opcua_binary_create_session.session_name",
+ "zeek.opcua_binary_create_session.signature",
+ "zeek.opcua_binary_create_session.text",
+ "zeek.opcua_binary_create_session_discovery.discovery_profile_link_id",
+ "zeek.opcua_binary_create_session_discovery.discovery_profile_uri",
+ "zeek.opcua_binary_create_session_discovery.discovery_profile_url",
+ "zeek.opcua_binary_create_session_endpoints.application_type",
+ "zeek.opcua_binary_create_session_endpoints.application_uri",
+ "zeek.opcua_binary_create_session_endpoints.cert_size",
+ "zeek.opcua_binary_create_session_endpoints.discovery_profile_id",
+ "zeek.opcua_binary_create_session_endpoints.discovery_profile_uri",
+ "zeek.opcua_binary_create_session_endpoints.encoding_mask",
+ "zeek.opcua_binary_create_session_endpoints.endpoint_link_id",
+ "zeek.opcua_binary_create_session_endpoints.endpoint_url",
+ "zeek.opcua_binary_create_session_endpoints.gateway_server_uri",
+ "zeek.opcua_binary_create_session_endpoints.locale",
+ "zeek.opcua_binary_create_session_endpoints.message_security_mode",
+ "zeek.opcua_binary_create_session_endpoints.product_uri",
+ "zeek.opcua_binary_create_session_endpoints.security_level",
+ "zeek.opcua_binary_create_session_endpoints.security_policy_uri",
+ "zeek.opcua_binary_create_session_endpoints.server_cert",
+ "zeek.opcua_binary_create_session_endpoints.text",
+ "zeek.opcua_binary_create_session_endpoints.transport_profile_uri",
+ "zeek.opcua_binary_create_session_user_token.user_token_endpoint_url",
+ "zeek.opcua_binary_create_session_user_token.user_token_issued_type",
+ "zeek.opcua_binary_create_session_user_token.user_token_link_id",
+ "zeek.opcua_binary_create_session_user_token.user_token_policy_id",
+ "zeek.opcua_binary_create_session_user_token.user_token_sec_policy_uri",
+ "zeek.opcua_binary_create_session_user_token.user_token_type",
+ "zeek.opcua_binary_create_subscription.max_notifications_per_publish",
+ "zeek.opcua_binary_create_subscription.priority",
+ "zeek.opcua_binary_create_subscription.publishing_enabled",
+ "zeek.opcua_binary_create_subscription.requested_lifetime_count",
+ "zeek.opcua_binary_create_subscription.requested_max_keep_alive_count",
+ "zeek.opcua_binary_create_subscription.requested_publishing_interval",
+ "zeek.opcua_binary_create_subscription.revised_lifetime_count",
+ "zeek.opcua_binary_create_subscription.revised_max_keep_alive_count",
+ "zeek.opcua_binary_create_subscription.revised_publishing_interval",
+ "zeek.opcua_binary_create_subscription.subscription_id",
"zeek.opcua_binary_diag_info_detail.addl_info",
+ "zeek.opcua_binary_diag_info_detail.diag_info_link_id",
"zeek.opcua_binary_diag_info_detail.has_addl_info",
"zeek.opcua_binary_diag_info_detail.has_inner_diag_info",
"zeek.opcua_binary_diag_info_detail.has_inner_stat_code",
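Review bot: `zeek.opcua_binary_activate_session.ext_obj_password`, added near the top of this hunk, surfaces the user-identity token secret from the OPC UA ActivateSession log in Arkime session views, and nothing in the list records whether that value arrives as cleartext or as the encrypted token bytes; a comment on that entry such as `// ext_obj_password: user-identity token secret from the OPC UA ActivateSession log; sensitive, confirm it is wanted in Arkime` would make the exposure deliberate rather than incidental. Separately, `ext_obj_encryption_algorithom` and the pair `ext_obj_type_id_str` / `ext_obj_type_id_string` read like spelling slips; if they mirror the upstream log field names they must stay as written, but otherwise a misspelt entry never matches a real field and is silently never surfaced. The same spelling concern applies to the next hunk, where `zeek.opcua_binary_get_endpoints_description.endpoint_uri` sits among entries that otherwise use `endpoint_url`. The field array and the `MalcolmSource` class both start and end outside this hunk.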
@@ -1231,32 +1393,36 @@ class MalcolmSource extends WISESource {
"zeek.opcua_binary_diag_info_detail.locale_txt_str",
"zeek.opcua_binary_diag_info_detail.namespace_uri",
"zeek.opcua_binary_diag_info_detail.namespace_uri_str",
+ "zeek.opcua_binary_diag_info_detail.source",
+ "zeek.opcua_binary_diag_info_detail.source_str",
"zeek.opcua_binary_diag_info_detail.symbolic_id",
"zeek.opcua_binary_diag_info_detail.symbolic_id_str",
- "zeek.opcua_binary_get_endpoints.application_type",
- "zeek.opcua_binary_get_endpoints.application_uri",
- "zeek.opcua_binary_get_endpoints.cert_size",
- "zeek.opcua_binary_get_endpoints.discovery_profile_id",
- "zeek.opcua_binary_get_endpoints.encoding_mask",
"zeek.opcua_binary_get_endpoints.endpoint_url",
- "zeek.opcua_binary_get_endpoints.gateway_server_uri",
- "zeek.opcua_binary_get_endpoints.locale",
- "zeek.opcua_binary_get_endpoints.locale_id",
- "zeek.opcua_binary_get_endpoints.message_security_mode",
- "zeek.opcua_binary_get_endpoints.product_uri",
- "zeek.opcua_binary_get_endpoints.profile_uri",
- "zeek.opcua_binary_get_endpoints.security_level",
- "zeek.opcua_binary_get_endpoints.security_policy_uri",
- "zeek.opcua_binary_get_endpoints.server_cert",
- "zeek.opcua_binary_get_endpoints.text",
- "zeek.opcua_binary_get_endpoints.transport_profile_uri",
- "zeek.opcua_binary_get_endpoints.user_token_id",
- "zeek.opcua_binary_get_endpoints_discovery.discovery_profile_id",
- "zeek.opcua_binary_get_endpoints_discovery.discovery_profile_uri",
+ "zeek.opcua_binary_get_endpoints_description.application_type",
+ "zeek.opcua_binary_get_endpoints_description.application_uri",
+ "zeek.opcua_binary_get_endpoints_description.cert_size",
+ "zeek.opcua_binary_get_endpoints_description.discovery_profile_uri",
+ "zeek.opcua_binary_get_endpoints_description.encoding_mask",
+ "zeek.opcua_binary_get_endpoints_description.endpoint_description_link_id",
+ "zeek.opcua_binary_get_endpoints_description.endpoint_uri",
+ "zeek.opcua_binary_get_endpoints_description.gateway_server_uri",
+ "zeek.opcua_binary_get_endpoints_description.locale",
+ "zeek.opcua_binary_get_endpoints_description.message_security_mode",
+ "zeek.opcua_binary_get_endpoints_description.product_uri",
+ "zeek.opcua_binary_get_endpoints_description.security_level",
+ "zeek.opcua_binary_get_endpoints_description.security_policy_uri",
+ "zeek.opcua_binary_get_endpoints_description.server_cert",
+ "zeek.opcua_binary_get_endpoints_description.text",
+ "zeek.opcua_binary_get_endpoints_description.transport_profile_uri",
+ "zeek.opcua_binary_get_endpoints_discovery.discovery_profile_link_id",
"zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url",
+ "zeek.opcua_binary_get_endpoints_locale_id.locale_id",
+ "zeek.opcua_binary_get_endpoints_locale_id.locale_link_id",
+ "zeek.opcua_binary_get_endpoints_profile_uri.profile_uri",
+ "zeek.opcua_binary_get_endpoints_profile_uri.profile_uri_link_id",
"zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url",
- "zeek.opcua_binary_get_endpoints_user_token.user_token_id",
"zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type",
+ "zeek.opcua_binary_get_endpoints_user_token.user_token_link_id",
"zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id",
"zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri",
"zeek.opcua_binary_get_endpoints_user_token.user_token_type",
@@ -1285,8 +1451,10 @@ class MalcolmSource extends WISESource {
"zeek.opcua_binary_status_code_detail.severity",
"zeek.opcua_binary_status_code_detail.severity_str",
"zeek.opcua_binary_status_code_detail.source",
+ "zeek.opcua_binary_status_code_detail.source_level",
"zeek.opcua_binary_status_code_detail.source_str",
"zeek.opcua_binary_status_code_detail.status_code",
+ "zeek.opcua_binary_status_code_detail.status_code_link_id",
"zeek.opcua_binary_status_code_detail.structure_changed",
"zeek.opcua_binary_status_code_detail.sub_code",
"zeek.opcua_binary_status_code_detail.sub_code_str",
@@ -1376,16 +1544,26 @@ class MalcolmSource extends WISESource {
"zeek.rfb.server_minor_version",
"zeek.rfb.share_flag",
"zeek.rfb.width",
- "zeek.s7comm.data_info",
- "zeek.s7comm.item_count",
- "zeek.s7comm.parameter",
- "zeek.s7comm.parameters.class",
- "zeek.s7comm.parameters.code",
- "zeek.s7comm.parameters.group",
- "zeek.s7comm.parameters.mode",
- "zeek.s7comm.parameters.sub",
- "zeek.s7comm.parameters.type",
- "zeek.s7comm.rosctr",
+ "zeek.s7comm.error_class",
+ "zeek.s7comm.error_code",
+ "zeek.s7comm.function_code",
+ "zeek.s7comm.function_name",
+ "zeek.s7comm.pdu_reference",
+ "zeek.s7comm.rosctr_code",
+ "zeek.s7comm.rosctr_name",
+ "zeek.s7comm.subfunction_code",
+ "zeek.s7comm.subfunction_name",
+ "zeek.s7comm_plus.function_code",
+ "zeek.s7comm_plus.function_name",
+ "zeek.s7comm_plus.opcode",
+ "zeek.s7comm_plus.opcode_name",
+ "zeek.s7comm_plus.version",
+ "zeek.s7comm_read_szl.method",
+ "zeek.s7comm_read_szl.return_code",
+ "zeek.s7comm_read_szl.return_code_name",
+ "zeek.s7comm_read_szl.szl_id",
+ "zeek.s7comm_read_szl.szl_id_name",
+ "zeek.s7comm_read_szl.szl_index",
"zeek.signatures.event_message",
"zeek.signatures.hits.Capa",
"zeek.signatures.hits.ClamAV",
@@ -1595,10 +1773,8 @@ class MalcolmSource extends WISESource {
"zeek.stun.attr_type",
"zeek.stun.attr_val",
"zeek.stun.class",
- "zeek.stun.is_orig",
"zeek.stun.method",
"zeek.stun.trans_id",
- "zeek.stun_nat.is_orig",
"zeek.stun_nat.lan_addr",
"zeek.stun_nat.wan_addr",
"zeek.stun_nat.wan_port",
@@ -1787,6 +1963,8 @@ class MalcolmSource extends WISESource {
" +arrayList(session.vulnerability, 'category', 'Vulnerability Category', 'vulnerability.category')\n" +
" +arrayList(session.vulnerability, 'enumeration', 'Vulnerability Enumeration', 'vulnerability.enumeration')\n" +
" +arrayList(session.vulnerability, 'id', 'Vulnerability ID', 'vulnerability.id')\n" +
+ " +arrayList(session.network, 'direction', 'Direction', 'network.direction')\n" +
+ " +arrayList(session.network, 'is_orig', 'Is Originator', 'network.is_orig')\n" +
" +arrayList(session.source, 'ip', 'Originating Host', 'source.ip')\n" +
" +arrayList(session.source, 'port', 'Originating Port', 'source.port')\n" +
" +arrayList(session.source, 'mac', 'Originating MAC', 'source.mac')\n" +
diff --git a/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json b/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
index fb454a3d0..c05cd1b5e 100644
--- a/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
+++ b/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json
@@ -18,7 +18,7 @@
"version": 1,
"timeRestore": false,
"kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
}
},
"references": [
@@ -513,7 +513,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:x509\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:x509\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -551,7 +551,7 @@ "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:ocsp\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:ocsp\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -593,7 +593,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.provider:zeek AND event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.provider:zeek AND event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
diff --git a/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json b/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json index 0bf36f707..e5a010bee 100644 --- a/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json +++ b/dashboards/dashboards/03207c00-d07e-11ec-b4a7-d1b4003706b7.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}" } }, "references": [ @@ -366,7 +366,7 @@ "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.provider:zeek AND event.dataset:genisys\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.provider:zeek AND event.dataset:genisys\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json b/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json index 567b6b929..6ec273500 100644 --- a/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json +++ b/dashboards/dashboards/05e3e000-f118-11e9-acda-83a8e29e1a24.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" } }, "references": [ 
@@ -167,7 +167,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"ldap\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"ldap\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -418,7 +418,7 @@ "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"ldap_search\\\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"ldap_search\\\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -463,7 +463,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json b/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json index a5c138c02..d3a7a7859 100644 --- a/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json +++ b/dashboards/dashboards/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b.json 
@@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" } }, "references": [ @@ -367,7 +367,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:ftp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:ftp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json b/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json index 5bced79fd..1240abd75 100644 --- a/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json +++ b/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}" } }, "references": [ 
@@ -334,7 +334,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.provider:zeek AND event.dataset:signatures AND event.module:Capa\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.provider:zeek AND event.dataset:signatures AND event.module:Capa\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -374,7 +374,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:pe\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:pe\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json b/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json index 7f2d44e6f..26cf8a587 100644 --- a/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json +++ b/dashboards/dashboards/0ad3d7c2-3441-485e-9dfe-dbb22e84e576.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" } }, "references": [ 
@@ -367,7 +367,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -411,7 +411,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -452,7 +452,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
diff --git a/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json b/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json index 19d71507f..07bc5c686 100644 --- a/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json +++ b/dashboards/dashboards/0aed0e23-c8ac-4f2b-9f68-d04b6e7666b0.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}" } }, "references": [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json b/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json index e0343d164..4ab6e1bcf 100644 --- a/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json +++ b/dashboards/dashboards/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa.json 
@@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"},\"filter\":[]}" } }, "references": [ @@ -509,7 +509,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:sip\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:sip\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json b/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json index e71244ba2..8d1d2067b 100644 --- a/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json +++ b/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}" } }, "references": [ 
@@ -334,7 +334,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:tunnel\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:tunnel\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json b/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json
index 34e61ced2..428b0b9ed 100644
--- a/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json
+++ b/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
 }
 },
 "references": [
@@ -158,7 +158,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:gquic\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:gquic\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json b/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json
index f2bf0f040..af48a83c8 100644
--- a/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json
+++ b/dashboards/dashboards/12e3a130-d83b-11eb-a0b0-f328ce09b0b7.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -323,7 +323,7 @@
 "sort": [],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:ics_best_guess\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"tags:ics_best_guess\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
index 2afd54fc5..bc133e566 100644
--- a/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
+++ b/dashboards/dashboards/152f29dc-51a2-4f53-93e9-6e92765567b8.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -188,7 +188,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:(\\\"modbus\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:(\\\"modbus\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -530,7 +530,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"modbus_detailed\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"modbus_detailed\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -574,7 +574,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"modbus_mask_write_register\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"modbus_mask_write_register\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -619,7 +619,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"modbus_read_write_multiple_registers\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"modbus_read_write_multiple_registers\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -661,7 +661,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:modbus\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:modbus\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -700,7 +700,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:\\\"known_modbus\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:\\\"known_modbus\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json b/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json
index f70e8f3fe..912245544 100644
--- a/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json
+++ b/dashboards/dashboards/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -404,7 +404,7 @@
 "sort": [],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.provider:zeek AND event.dataset:ospf\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.provider:zeek AND event.dataset:ospf\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json
index 90b3ed12f..63e4725c3 100644
--- a/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/1ce42250-3f99-11e9-a58e-8bdedb0915e8.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
 }
 },
 "references": [
@@ -192,7 +192,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json b/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json
index 011f5b715..b85ba1041 100644
--- a/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json
+++ b/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}},\"filter\":[]}"
 }
 },
 "references": [
@@ -263,7 +263,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:weird\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:weird\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json b/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json
index cecf6585a..b5fe73394 100644
--- a/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json
+++ b/dashboards/dashboards/29a1b290-eb98-11e9-a384-0fcf32210194.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -368,6 +368,7 @@
 "destination.ip",
 "event.action",
 "event.result",
+ "network.is_orig",
 "zeek.cip.direction",
 "zeek.cip.cip_sequence_count",
 "zeek.cip.class_id",
@@ -382,7 +383,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:cip\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:cip\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -425,7 +426,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:cip_identity\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:cip_identity\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -456,6 +457,7 @@
 "destination.ip",
 "event.action",
 "event.result",
+ "network.is_orig",
 "zeek.enip.options",
 "zeek.enip.sender_context",
 "zeek.enip.session_handle",
@@ -469,7 +471,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:enip\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:enip\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -498,6 +500,7 @@
 "columns": [
 "source.ip",
 "destination.ip",
+ "network.is_orig",
 "zeek.cip_io.connection_id",
 "zeek.cip_io.sequence_number",
 "zeek.cip_io.data_length",
@@ -511,7 +514,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:cip_io\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:cip_io\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
index f52e5bd8b..3036a9857 100644
--- a/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
+++ b/dashboards/dashboards/2bec1490-eb94-11e9-a384-0fcf32210194.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -431,6 +431,7 @@
 "columns": [
 "source.ip",
 "destination.ip",
+ "network.is_orig",
 "zeek.bacnet.bvlc_function",
 "zeek.bacnet.pdu_type",
 "zeek.bacnet.pdu_service",
@@ -444,7 +445,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:bacnet\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:bacnet\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -473,6 +474,7 @@
 "columns": [
 "source.ip",
 "destination.ip",
+ "network.is_orig",
 "zeek.bacnet_property.pdu_service",
 "zeek.bacnet_property.object_type",
 "zeek.bacnet_property.instance_number",
@@ -487,7 +489,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:bacnet_property\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:bacnet_property\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -516,6 +518,7 @@
 "columns": [
 "source.ip",
 "destination.ip",
+ "network.is_orig",
 "zeek.bacnet_discovery.pdu_service",
 "zeek.bacnet_discovery.object_type",
 "zeek.bacnet_discovery.instance_number",
@@ -529,7 +532,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:bacnet_discovery\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:bacnet_discovery\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json b/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
index e08c9a851..53ab82479 100644
--- a/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
+++ b/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
 }
 },
 "references": [
@@ -507,7 +507,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json b/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json
index dafd3e1f2..4a0edf773 100644
--- a/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json
+++ b/dashboards/dashboards/2d98bb8e-214c-4374-837b-20e1bcd63a5e.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
 }
 },
 "references": [
@@ -371,7 +371,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:dhcp\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:dhcp\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json
index 8f115d229..e48ac531f 100644
--- a/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json
+++ b/dashboards/dashboards/32587740-ef88-11e9-b38a-2db3ee640e88.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -113,7 +113,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:\\\"tds_rpc\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:\\\"tds_rpc\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json b/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json
index ed03abc86..674d30ab9 100644
--- a/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json
+++ b/dashboards/dashboards/36ed695f-edcc-47c1-b0ec-50d20c93ce0f.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -370,7 +370,7 @@
 "title": "Intel - Logs",
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:intel\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:intel\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 },
 "columns": [
 "source.ip",
diff --git a/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json b/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
index 03c937cb2..8a8dcc983 100644
--- a/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
+++ b/dashboards/dashboards/37041ee1-79c0-4684-a436-3173b0e89876.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -215,7 +215,7 @@
 "description": "",
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"file.mime_type:\\\"application/x-dosexec\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"file.mime_type:\\\"application/x-dosexec\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -648,7 +648,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:http\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:http\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json
index 11da20257..36677709a 100644
--- a/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/39abfe30-3f99-11e9-a58e-8bdedb0915e8.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
 }
 },
 "references": [
@@ -192,7 +192,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json b/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json
index 32bef175b..ac835abc5 100644
--- a/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json
+++ b/dashboards/dashboards/42e831b9-41a9-4f35-8b7d-e1566d368773.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -474,7 +474,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:smb*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:smb*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -516,7 +516,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.provider:zeek AND event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.provider:zeek AND event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json b/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json
index b10e42f88..5f1f03f3e 100644
--- a/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json
+++ b/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
 }
 },
 "references": [
@@ -439,7 +439,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:dce_rpc\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:dce_rpc\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json b/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json
index 9abfc3449..c61f2a06a 100644
--- a/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json
+++ b/dashboards/dashboards/4a073440-b286-11eb-a4d4-09fa12a6ebd4.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -300,7 +300,7 @@
 "sort": [],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:ecat_registers\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:ecat_registers\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -337,7 +337,7 @@
 "sort": [],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ecat*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ecat*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json b/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json
index 69a8d7375..1de6a4af9 100644
--- a/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json
+++ b/dashboards/dashboards/4a4bde20-4760-11ea-949c-bbb5a9feecbf.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}"
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Denver\"}}}}"
 }
 },
 "references": [
@@ -180,7 +180,7 @@
 "description": "",
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"tags:(external_source OR external_destination)\",\"language\":\"kuery\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"network.direction:(outbound OR inbound OR external)\",\"language\":\"kuery\"},\"filter\":[]}"
 },
 "savedSearchRefName": "search_0"
 },
@@ -403,7 +403,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:(ics OR ics_best_guess)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"tags:(ics OR ics_best_guess)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -447,7 +447,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -489,7 +489,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:files\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:files\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json b/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json
index 48133e0c3..ac0f6b348 100644
--- a/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json
+++ b/dashboards/dashboards/4e5f106e-c60a-4226-8f64-d534abb912ab.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -369,7 +369,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:snmp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:snmp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json b/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
index fc3754418..df244251c 100644
--- a/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
+++ b/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
 }
 },
 "references": [
@@ -228,7 +228,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:mysql\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:mysql\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json b/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json
index 31e570285..4d4f912fb 100644
--- a/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json
+++ b/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
 }
 },
 "references": [
@@ -441,7 +441,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:ntlm\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:ntlm\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json
index 3a123678e..25fe6b95f 100644
--- a/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/55e332d0-3f99-11e9-a58e-8bdedb0915e8.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
 }
 },
 "references": [
@@ -120,7 +120,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json b/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json
index bc35e77c9..7e58dc941 100644
--- a/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json
+++ b/dashboards/dashboards/5694ca60-cbdf-11ec-a50a-5fedd672f5c5.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -180,7 +180,7 @@
 "version": "WzIzMjgsMV0=",
 "attributes": {
 "title": "Alerts - Tags",
- "visState": "{\"title\":\"Alerts - Tags\",\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"tags\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"exclude\":\"external_destination|internal_source|internal_destination|external_source\"},\"schema\":\"segment\"}],\"params\":{\"scale\":\"square root\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":48,\"showLabel\":false}}",
+ "visState": "{\"title\":\"Alerts - Tags\",\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"tags\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"schema\":\"segment\"}],\"params\":{\"scale\":\"square root\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":48,\"showLabel\":false}}",
 "uiStateJSON": "{}",
 "description": "",
 "version": 1,
@@ -434,7 +434,7 @@
 "sort": [],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.provider:suricata AND event.dataset:alert\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.provider:suricata AND event.dataset:alert\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
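Review bot: The new `visState` for "Alerts - Tags" drops the `exclude` regex `external_destination|internal_source|internal_destination|external_source` from the terms aggregation on `tags`, but nothing in this hunk shows those tag values are gone from the index. If documents indexed before this change (or any remaining tagger) still carry those values, they will now surface in the tag cloud and, with `size:100` ordered by count, are likely to dominate it. If the intent is that direction is now expressed only through `network.direction`, consider keeping the `exclude` until older indices have rolled off, or state in the commit description that these tag values are no longer emitted. The same `highlightAll` flip as elsewhere is fine and needs no further comment.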
diff --git a/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json b/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json
index f487919b2..0c8cccbdb 100644
--- a/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json
+++ b/dashboards/dashboards/60d78fbd-471c-4f59-a9e3-189b33a13644.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
 }
 },
 "references": [
@@ -192,7 +192,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json b/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json
index 2b34fbc91..632c0fd9e 100644
--- a/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json
+++ b/dashboards/dashboards/665d1610-523d-11e9-a30e-e3576242f3ed.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -176,7 +176,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"event.provider:zeek AND event.dataset:signatures\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"event.provider:zeek AND event.dataset:signatures\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json b/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json
index ba2b4f1d7..481dd18a4 100644
--- a/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json
+++ b/dashboards/dashboards/76f2f912-80da-44cd-ab66-6a73c8344cc3.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
 }
 },
 "references": [
@@ -334,7 +334,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:irc\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:irc\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json
index 3dc4d42be..3fbaef087 100644
--- a/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json
+++ b/dashboards/dashboards/77fc9960-3f99-11e9-a58e-8bdedb0915e8.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"
 }
 },
 "references": [
@@ -192,7 +192,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json b/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json
index e61fd9583..8308d59fa 100644
--- a/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json
+++ b/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
 }
 },
 "references": [
@@ -406,7 +406,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:rdp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:rdp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json b/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json
index 24fe6a0a8..36516ff5a 100644
--- a/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json
+++ b/dashboards/dashboards/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
 }
 },
 "references": [
@@ -651,7 +651,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:ssl\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:ssl\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -693,7 +693,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.provider:zeek AND event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.provider:zeek AND event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json b/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json
index ad1872a61..f066760fe 100644
--- a/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json
+++ b/dashboards/dashboards/82da3101-2a9c-4ae2-bb61-d447a3fbe673.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -509,7 +509,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:kerberos\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:kerberos\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json b/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json
index 3e2a91172..29c4a80d1 100644
--- a/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json
+++ b/dashboards/dashboards/870a5862-6c26-4a08-99fd-0c06cda85ba3.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
 }
 },
 "references": [
@@ -412,7 +412,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:dnp3\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:dnp3\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -454,7 +454,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:dnp3_control\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:dnp3_control\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -497,7 +497,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:dnp3_objects\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:dnp3_objects\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json b/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json
index 1f655732b..e8bc7998f 100644
--- a/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json
+++ b/dashboards/dashboards/87a32f90-ef58-11e9-974e-9d600036d105.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"
 }
 },
 "references": [
@@ -402,7 +402,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:(\\\"mqtt_connect\\\" OR \\\"mqtt_publish\\\" OR \\\"mqtt_subscribe\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:(\\\"mqtt_connect\\\" OR \\\"mqtt_publish\\\" OR \\\"mqtt_subscribe\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -445,7 +445,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"mqtt_connect\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"mqtt_connect\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -488,7 +488,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"mqtt_subscribe\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"mqtt_subscribe\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -531,7 +531,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:\\\"mqtt_publish\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:\\\"mqtt_publish\\\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json b/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json
index 6e52e83e2..7499060e2 100644
--- a/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json
+++ b/dashboards/dashboards/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
+ "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"
 }
 },
 "references": [
@@ -192,7 +192,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:software\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:software\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json b/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
index fa2cdb947..ad6169c4a 100644
--- a/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
+++ b/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}"
 }
 },
 "references": [
@@ -369,7 +369,7 @@
 ],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:syslog\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:syslog\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json b/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json
index ff5b9e4fd..b8cb60079 100644
--- a/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json
+++ b/dashboards/dashboards/95479950-41f2-11ea-88fa-7151df485405.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}"
 }
 },
 "references": [
@@ -277,7 +277,7 @@
 "description": "",
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"network.protocol:(ssh OR rdp OR rfb OR telnet OR rlogin OR rsh OR openvpn OR ipsec OR wireguard) AND tags:(external_source OR external_destination)\",\"language\":\"kuery\"},\"filter\":[]}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"network.protocol:(ssh OR rdp OR rfb OR telnet OR rlogin OR rsh OR openvpn OR ipsec OR wireguard) AND network.direction:(inbound OR outbound)\",\"language\":\"kuery\"},\"filter\":[]}"
 },
 "savedSearchRefName": "search_0"
 },
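Review bot: The remote-access panel's new filter `network.direction:(inbound OR outbound)` is narrower than the `tags:(external_source OR external_destination)` it replaces: the old tag test also matched sessions where both endpoints are external, and the earlier hunk in this diff (`@@ -180,7 +180,7 @@`, dashboard 4a4bde20) maps the same old expression to `network.direction:(outbound OR inbound OR external)`, keeping that case. If the two panels are meant to stay equivalent, this line should read `... AND network.direction:(inbound OR outbound OR external)`; if dropping external-to-external remote-access sessions here is deliberate, it is worth a sentence in the commit description since it changes what this security-relevant panel surfaces. The single-direction queries in the following `@@ -307` and `@@ -336` hunks (`outbound`, `inbound`) are consistent with their old two-tag forms and need no change.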
@@ -307,7 +307,7 @@
 "description": "",
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"tags:internal_source AND tags:external_destination\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"network.direction:outbound\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -336,7 +336,7 @@
 "description": "",
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"query\":{\"query\":\"tags:external_source AND tags:internal_destination\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"query\":{\"query\":\"network.direction:inbound\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -466,7 +466,7 @@
 "sort": [],
 "version": 1,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"(event.provider:zeek AND event.dataset:(notice OR signatures OR weird)) OR (event.provider:suricata AND event.dataset:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"(event.provider:zeek AND event.dataset:(notice OR signatures OR weird)) OR (event.provider:suricata AND event.dataset:alert)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
 }
 },
 "references": [
@@ -510,7 +510,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -551,7 +551,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:dns\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json b/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json index d9f8b67a6..b355bfa20 100644 --- a/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json +++ b/dashboards/dashboards/9ee51f94-3316-4fc5-bd89-93a52af69714.json 
@@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" } }, "references": [ @@ -366,7 +366,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:files\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:files\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json index 5957f25a2..e2d1f32e2 100644 --- a/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/a16110b0-3f99-11e9-a58e-8bdedb0915e8.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" } }, "references": [ 
@@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json index d7d56f87c..37424577d 100644 --- a/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json +++ b/dashboards/dashboards/a33e0a50-afcd-11ea-993f-b7d8522a8bed.json @@ -296,7 +296,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json b/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json index e0e398c3c..c3499f5d9 100644 --- a/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json +++ b/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json 
@@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" } }, "references": [ @@ -198,7 +198,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:(profinet OR profinet_dce_rpc)\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:(profinet OR profinet_dce_rpc)\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -422,7 +422,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:profinet\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:profinet\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -465,7 +465,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:profinet_dce_rpc\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:profinet_dce_rpc\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json b/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json index 004a82b15..b233724e7 100644 --- a/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json +++ b/dashboards/dashboards/abdd7550-2c7c-40dc-947e-f6d186a158c4.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" } }, "references": [ 
@@ -923,7 +923,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json b/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json index b428f70fc..9716e7ca9 100644 --- a/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json +++ b/dashboards/dashboards/ae79b7d1-4281-4095-b2f6-fa7eafda9970.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" } }, "references": [ 
@@ -370,7 +370,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:radius\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:radius\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json b/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json index ffe4e0f9a..df3b7a4d7 100644 --- a/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json +++ b/dashboards/dashboards/af5df620-eeb6-11e9-bdef-65a192b7f586.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" } }, "references": [ @@ -130,7 +130,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:ntp\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:ntp\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
diff --git a/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json b/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json index f006cc314..f543ec046 100644 --- a/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json +++ b/dashboards/dashboards/b50c8d17-6ed3-4de6-aed4-5181032810b2.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" } }, "references": [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json index a45b173e8..9817bdacb 100644 --- a/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/b9f247c0-3f99-11e9-a58e-8bdedb0915e8.json 
@@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" } }, "references": [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json b/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json index 6d4a1f2dd..a122ec746 100644 --- a/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json +++ b/dashboards/dashboards/bb827f8e-639e-468c-93c8-9f5bc132eb8f.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"},\"filter\":[]}" } }, "references": [ 
@@ -509,7 +509,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:smtp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:smtp\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json index cd01a5ba1..94094997f 100644 --- a/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json +++ b/dashboards/dashboards/bed185a0-ef82-11e9-b38a-2db3ee640e88.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" } }, "references": [ @@ -113,7 +113,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:(\\\"tds\\\" OR \\\"tds_rpc\\\" OR \\\"tds_sql_batch\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:(\\\"tds\\\" OR \\\"tds_rpc\\\" OR \\\"tds_sql_batch\\\")\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -304,7 +304,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"tds\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"tds\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json b/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json index ae6795cf8..be4d83caa 100644 --- a/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json +++ b/dashboards/dashboards/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" } }, "references": [ @@ -336,7 +336,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:tftp\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:tftp\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json b/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json index 775b29bec..af9d6c227 100644 --- a/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json 
+++ b/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}" } }, "references": [ @@ -300,7 +300,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:login\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:login\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json b/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json index 1e172674b..f583537cb 100644 --- a/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json +++ b/dashboards/dashboards/ca5799a0-56b5-11eb-b749-576de068f8ad.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}" } }, "references": [ 
@@ -346,7 +346,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:bsap_ip_*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:bsap_ip_*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -393,7 +393,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:bsap_serial_*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:bsap_serial_*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -468,7 +468,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json b/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json index 84be5a3fe..6de1bf536 100644 --- a/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json +++ b/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json 
@@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/Boise\"}}},\"filter\":[]}" } }, "references": [ @@ -475,7 +475,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:ssh\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event.dataset:ssh\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json b/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json index 100538b71..d6c42aac2 100644 --- a/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json +++ b/dashboards/dashboards/d2dd0180-06b1-11ec-8c6b-353266ade330.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event.severity:*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"event.severity:*\"},\"filter\":[]}" } }, "references": [ 
@@ -541,7 +541,7 @@ "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.severity:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.severity:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -586,7 +586,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -628,7 +628,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.provider:zeek AND event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.provider:zeek AND event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -670,7 +670,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:files\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:files\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json index ac0c85cb7..c450e7604 100644 --- a/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/d41fe630-3f98-11e9-a58e-8bdedb0915e8.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}" } }, "references": [ 
@@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json b/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json index cdd9ef865..92a042054 100644 --- a/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json +++ b/dashboards/dashboards/d4fd6afd-15cb-42bf-8a25-03dd8e59b327.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" } }, "references": [ 
@@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json b/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json index a63792da1..6efa22433 100644 --- a/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json +++ b/dashboards/dashboards/dd87edd0-796a-11ec-9ce6-b395c1ff58f4.json 
@@ -1,655 +1,526 @@ -{ - "version": "1.2.0", - "objects": [ - { - "id": "dd87edd0-796a-11ec-9ce6-b395c1ff58f4", - "type": "dashboard", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T21:53:31.158Z", - "version": "WzE1MzksMV0=", - "attributes": { - "title": "OPCUA Binary", - "hits": 0, - "description": "", - "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":29,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":29,\"i\":\"886cdf48-973d-47e6-9838-02080dbe6c02\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"886cdf48-973d-47e6-9838-02080dbe6c02\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"28e2dbd3-5a7d-4a76-bc34-6b6de8254690\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"28e2dbd3-5a7d-4a76-bc34-6b6de8254690\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"a2d62e63-70cd-4835-8cb1-68c84a273f99\",\"w\":9,\"x\":18,\"y\":11},\"panelIndex\":\"a2d62e63-70cd-4835-8cb1-68c84a273f99\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"5cecf8c4-270e-4376-839e-ffc43feee2a8\",\"w\":8,\"x\":27,\"y\":11},\"panelIndex\":\"5cecf8c4-270e-4376-839e-ffc43feee2a8\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":36,\"i\":\"e9ef651a-fafc-46d8-a020-e1159a91e9a3\",\"w\":13,\"x\":35,\"y\":11},\"panelIndex\":\"e9ef651a-fafc-46d8-a020-e1159a91e9a3\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"844fa8b7-fc4b-4f2f-9ad7-390f0ea501df\",\"w\":9,\"x\":0,\"y\":29},\"panelIndex\":\"844fa8b7-fc4b-4f2f-9ad7-390f0ea501df\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"3776f460-c4a9-4dca-82b7-8f7fdff39d4e\",\"w\":9,\"x\":9,\"y\":29},\"
panelIndex\":\"3776f460-c4a9-4dca-82b7-8f7fdff39d4e\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"b5c46334-c593-4b2e-8382-80cdd2774540\",\"w\":17,\"x\":18,\"y\":29},\"panelIndex\":\"b5c46334-c593-4b2e-8382-80cdd2774540\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":22,\"i\":\"af0495c3-f385-47ea-901b-b43bbf9694e4\",\"w\":48,\"x\":0,\"y\":47},\"panelIndex\":\"af0495c3-f385-47ea-901b-b43bbf9694e4\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":23,\"i\":\"353dcc1d-a7f4-4f08-baae-4f4f1429106e\",\"w\":48,\"x\":0,\"y\":69},\"panelIndex\":\"353dcc1d-a7f4-4f08-baae-4f4f1429106e\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":22,\"i\":\"7e187ed0-e7a2-40fc-8119-f2b8bea0eab2\",\"w\":48,\"x\":0,\"y\":92},\"panelIndex\":\"7e187ed0-e7a2-40fc-8119-f2b8bea0eab2\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":23,\"i\":\"ab328ba8-00f2-493d-8f77-2f37061cd349\",\"w\":48,\"x\":0,\"y\":114},\"panelIndex\":\"ab328ba8-00f2-493d-8f77-2f37061cd349\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_12\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":22,\"i\":\"df0f20ac-a10d-494e-b1f0-e2559af5c73e\",\"w\":48,\"x\":0,\"y\":137},\"panelIndex\":\"df0f20ac-a10d-494e-b1f0-e2559af5c73e\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_13\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":23,\"i\":\"6b1b98b1-fd9e-41f3-942f-5b41d52c96e3\",\"w\":48,\"x\":0,\"y\":159},\"panelIndex\":\"6b1b98b1-fd9e-41f3-942f-5b41d52c96e3\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_14\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":23,\"i\":\"bb6fde48-b1a9-462e-bf7a-ce8c5f5ba128\",\"w\":48,\"x\":0,\"y\":182},\"panelIndex\":\"bb6fde48-b1a9-462e-bf7a-ce8c5f5ba128\",\"version\":\"1.2.0\",\"panelRefName\":\"panel_15\"}]", - "optionsJSON": 
"{\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" - } - }, - "references": [ - { - "name": "panel_0", - "type": "visualization", - "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" - }, - { - "name": "panel_1", - "type": "visualization", - "id": "fce8f5b0-796b-11ec-9ce6-b395c1ff58f4" - }, - { - "name": "panel_2", - "type": "visualization", - "id": "d3963c30-796c-11ec-9ce6-b395c1ff58f4" - }, - { - "name": "panel_3", - "type": "visualization", - "id": "8e858040-796e-11ec-9ce6-b395c1ff58f4" - }, - { - "name": "panel_4", - "type": "visualization", - "id": "42113f00-796f-11ec-9ce6-b395c1ff58f4" - }, - { - "name": "panel_5", - "type": "visualization", - "id": "ce63a3d0-796f-11ec-9ce6-b395c1ff58f4" - }, - { - "name": "panel_6", - "type": "visualization", - "id": "56cceef0-796d-11ec-9ce6-b395c1ff58f4" - }, - { - "name": "panel_7", - "type": "visualization", - "id": "b9478130-796d-11ec-9ce6-b395c1ff58f4" - }, - { - "name": "panel_8", - "type": "visualization", - "id": "5e25be80-7971-11ec-9ce6-b395c1ff58f4" - }, - { - "name": "panel_9", - "type": "search", - "id": "015ef1a0-7965-11ec-9ce6-b395c1ff58f4" - }, - { - "name": "panel_10", - "type": "search", - "id": "78f74cd0-796a-11ec-9ce6-b395c1ff58f4" - }, - { - "name": "panel_11", - "type": "search", - "id": "8cdde460-7966-11ec-9ce6-b395c1ff58f4" - }, - { - "name": "panel_12", - "type": "search", - "id": "64309d30-7968-11ec-9ce6-b395c1ff58f4" - }, - { - "name": "panel_13", - "type": "search", - "id": "b8ca0610-7968-11ec-9ce6-b395c1ff58f4" - }, - { - "name": "panel_14", - "type": "search", - "id": "f2ecb990-7969-11ec-9ce6-b395c1ff58f4" - }, - { - "name": "panel_15", - "type": "search", - "id": "e229f0e0-7965-11ec-9ce6-b395c1ff58f4" - } - ], - "migrationVersion": { - "dashboard": "7.9.3" - } - }, - { - "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", - "type": 
"visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T19:53:14.682Z", - "version": "Wzc2OSwxXQ==", - "attributes": { - "title": "Network Logs", - "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[โ†ช Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) โ— [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) โ— [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) โ— [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) โ— 
[HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) โ— [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) โ— [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) โ— [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) โ— [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) โ— [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) โ— [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) โ— [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) โ— [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) โ— [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) โ— [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) โ— [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) โ— [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) โ— [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) โ— [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) โ— [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) โ— [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) โ— [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) โ— [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) โ— [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) โ— [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) โ— [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS 
SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) โ— [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) โ— [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) โ— [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) โ— [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) โ— [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) โ— [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) โ— [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) โ— [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) โ— [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) โ— [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) โ— [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) โ— [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" - } - }, - "references": [], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "fce8f5b0-796b-11ec-9ce6-b395c1ff58f4", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T21:09:35.927Z", - "version": "WzExOTYsMV0=", - "attributes": { - "title": "OPCUA - Log Count", - "visState": "{\"title\":\"OPCUA - Log 
Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":32}}}}", - "uiStateJSON": "{}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:opcua*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "d3963c30-796c-11ec-9ce6-b395c1ff58f4", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T21:14:45.491Z", - "version": "WzEyMTMsMV0=", - "attributes": { - "title": "OPCUA Binary - Traffic Over Time", - "visState": "{\"title\":\"OPCUA Binary - Traffic Over 
Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-26y\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\" \"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "015ef1a0-7965-11ec-9ce6-b395c1ff58f4" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": 
"8e858040-796e-11ec-9ce6-b395c1ff58f4", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T21:27:08.612Z", - "version": "WzEzMDgsMV0=", - "attributes": { - "title": "OPCUA Binary - Actions", - "visState": "{\"title\":\"OPCUA Binary - Actions\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:opcua*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "42113f00-796f-11ec-9ce6-b395c1ff58f4", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T21:33:28.203Z", - "version": "WzEzNTgsMV0=", - "attributes": { - "title": "OPCUA Binary - Results", - "visState": "{\"title\":\"OPCUA Binary - 
Results\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:opcua*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "ce63a3d0-796f-11ec-9ce6-b395c1ff58f4", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T21:52:05.199Z", - "version": "WzE1MjAsMV0=", - "attributes": { - "title": "OPCUA Binary - URLs and URIs", - "visState": "{\"title\":\"OPCUA Binary - URLs and URIs\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"url.original\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"URL or 
URI\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":25,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:opcua*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "56cceef0-796d-11ec-9ce6-b395c1ff58f4", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T21:18:25.631Z", - "version": "WzEyMzQsMV0=", - "attributes": { - "title": "OPCUA Binary - Source", - "visState": "{\"title\":\"OPCUA Binary - Source\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source 
Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "015ef1a0-7965-11ec-9ce6-b395c1ff58f4" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "b9478130-796d-11ec-9ce6-b395c1ff58f4", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T21:21:10.851Z", - "version": "WzEyNjYsMV0=", - "attributes": { - "title": "OPCUA Binary - Destination", - "visState": "{\"title\":\"OPCUA Binary - Destination\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", - "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "015ef1a0-7965-11ec-9ce6-b395c1ff58f4" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "5e25be80-7971-11ec-9ce6-b395c1ff58f4", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T21:48:43.146Z", - "version": "WzE0NzEsMV0=", - "attributes": { - "title": "OPCUA Binary - Get Endpoints Text", - "visState": "{\"title\":\"OPCUA Binary - Get Endpoints Text\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.opcua_binary_get_endpoints.text\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Get Endpoints Text\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "64309d30-7968-11ec-9ce6-b395c1ff58f4" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "015ef1a0-7965-11ec-9ce6-b395c1ff58f4", - "type": "search", - 
"namespaces": [ - "default" - ], - "updated_at": "2022-01-19T20:59:37.718Z", - "version": "WzExNDQsMV0=", - "attributes": { - "title": "OPCUA Binary - Logs", - "description": "", - "hits": 0, - "columns": [ - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "network.protocol_version", - "event.action", - "url.original", - "zeek.opcua_binary.seq_number", - "zeek.opcua_binary.request_id", - "zeek.opcua_binary.opcua_id", - "zeek.uid" - ], - "sort": [], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.provider:zeek AND event.dataset:opcua_binary\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "search": "7.9.3" - } - }, - { - "id": "78f74cd0-796a-11ec-9ce6-b395c1ff58f4", - "type": "search", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T20:57:54.461Z", - "version": "WzExMzksMV0=", - "attributes": { - "title": "OPCUA Binary Status Code Details - Logs", - "description": "", - "hits": 0, - "columns": [ - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "zeek.opcua_binary_status_code_detail.source_str", - "zeek.opcua_binary_status_code_detail.status_code", - "zeek.opcua_binary_status_code_detail.sub_code_str", - "zeek.opcua_binary_status_code_detail.severity_str", - "zeek.opcua_binary.opcua_id", - "zeek.uid" - ], - "sort": [], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.provider:zeek AND event.dataset:opcua_binary_status_code_detail\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "search": "7.9.3" - } - }, - { - "id": "8cdde460-7966-11ec-9ce6-b395c1ff58f4", - "type": "search", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T20:29:49.862Z", - "version": "WzEwNTksMV0=", - "attributes": { - "title": "OPCUA Binary Get Endpoints Discovery - Logs", - "description": "", - "hits": 0, - "columns": [ - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "zeek.opcua_binary_get_endpoints_discovery.discovery_profile_uri", - "zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url", - "zeek.opcua_binary_get_endpoints_discovery.discovery_profile_id", - "zeek.uid" - ], - "sort": [], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.provider:zeek AND event.dataset:opcua_binary_get_endpoints_discovery\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "search": "7.9.3" - } - }, - { - "id": "64309d30-7968-11ec-9ce6-b395c1ff58f4", - "type": "search", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T20:43:00.610Z", - "version": "WzEwOTIsMV0=", - "attributes": { - "title": "OPCUA Binary Get Endpoints - Log", - "description": "", - "hits": 0, - "columns": [ - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "url.original", - "zeek.opcua_binary_get_endpoints.text", - "zeek.opcua_binary.opcua_id", - "zeek.uid" - ], - "sort": [], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.provider:zeek AND 
event.dataset:opcua_binary_get_endpoints\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "search": "7.9.3" - } - }, - { - "id": "b8ca0610-7968-11ec-9ce6-b395c1ff58f4", - "type": "search", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T20:45:22.545Z", - "version": "WzExMDcsMV0=", - "attributes": { - "title": "OPCUA Binary Get Endpoints User Token - Logs", - "description": "", - "hits": 0, - "columns": [ - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id", - "zeek.opcua_binary_get_endpoints_user_token.user_token_type", - "url.original", - "zeek.opcua_binary_get_endpoints_user_token.user_token_id", - "zeek.uid" - ], - "sort": [], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.provider:zeek AND event.dataset:opcua_binary_get_endpoints_user_token\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "search": "7.9.3" - } - }, - { - "id": "f2ecb990-7969-11ec-9ce6-b395c1ff58f4", - "type": "search", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T20:54:09.577Z", - "version": "WzExMzQsMV0=", - "attributes": { - "title": "OPCUA Binary OpenSecureChannel - Logs", - "description": "", - "hits": 0, - "columns": [ - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "network.protocol_version", - "zeek.opcua_binary_opensecure_channel.sec_token_request_type", - 
"zeek.opcua_binary_opensecure_channel.message_security_mode", - "zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id", - "zeek.opcua_binary_opensecure_channel.sec_token_id", - "zeek.opcua_binary.opcua_id", - "zeek.uid" - ], - "sort": [], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.provider:zeek AND event.dataset:opcua_binary_opensecure_channel\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "search": "7.9.3" - } - }, - { - "id": "e229f0e0-7965-11ec-9ce6-b395c1ff58f4", - "type": "search", - "namespaces": [ - "default" - ], - "updated_at": "2022-01-19T20:37:22.800Z", - "version": "WzEwNzEsMV0=", - "attributes": { - "title": "OPCUA Binary Diagnostic Info Detail - Logs", - "description": "", - "hits": 0, - "columns": [ - "source.ip", - "source.port", - "destination.ip", - "destination.port", - "zeek.opcua_binary_diag_info_detail.symbolic_id", - "zeek.opcua_binary_diag_info_detail.symbolic_id_str", - "zeek.opcua_binary_diag_info_detail.addl_info", - "zeek.opcua_binary_diag_info_detail.inner_diag_level", - "zeek.opcua_binary_diag_info_detail.inner_stat_code", - "zeek.opcua_binary.opcua_id", - "zeek.uid" - ], - "sort": [], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.provider:zeek AND event.dataset:opcua_binary_diag_info_detail\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "search": "7.9.3" - } - } - ] +{ + 
"version": "2.2.0", + "objects": [ + { + "id": "dd87edd0-796a-11ec-9ce6-b395c1ff58f4", + "type": "dashboard", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T15:00:12.257Z", + "version": "Wzg4OSwxXQ==", + "attributes": { + "title": "OPCUA Binary", + "hits": 0, + "description": "", + "panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"2\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"2\",\"version\":\"2.2.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":28,\"i\":\"fc818c59-8306-4f6c-87c6-2386910c5f65\",\"w\":10,\"x\":8,\"y\":0},\"panelIndex\":\"fc818c59-8306-4f6c-87c6-2386910c5f65\",\"version\":\"2.2.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":11,\"i\":\"28e2dbd3-5a7d-4a76-bc34-6b6de8254690\",\"w\":30,\"x\":18,\"y\":0},\"panelIndex\":\"28e2dbd3-5a7d-4a76-bc34-6b6de8254690\",\"version\":\"2.2.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"a2d62e63-70cd-4835-8cb1-68c84a273f99\",\"w\":9,\"x\":18,\"y\":11},\"panelIndex\":\"a2d62e63-70cd-4835-8cb1-68c84a273f99\",\"version\":\"2.2.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"5cecf8c4-270e-4376-839e-ffc43feee2a8\",\"w\":9,\"x\":27,\"y\":11},\"panelIndex\":\"5cecf8c4-270e-4376-839e-ffc43feee2a8\",\"version\":\"2.2.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":29,\"i\":\"e9ef651a-fafc-46d8-a020-e1159a91e9a3\",\"w\":12,\"x\":36,\"y\":11},\"panelIndex\":\"e9ef651a-fafc-46d8-a020-e1159a91e9a3\",\"version\":\"2.2.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}},\"gridData\":{\"h\":18,\"i\":\"844fa8b7-fc4b-4f2f-9ad7-390f0ea501df\",\"w\":8,\"x\":0,\"y\":28},\"panelIndex\":\"844fa8b7-fc4b-4f2f-9ad7-390f0ea501df\",\"version\":\"2.2.0\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"3776f460-c4a9-4dca
-82b7-8f7fdff39d4e\",\"w\":10,\"x\":8,\"y\":28},\"panelIndex\":\"3776f460-c4a9-4dca-82b7-8f7fdff39d4e\",\"version\":\"2.2.0\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":37,\"i\":\"76010cc4-9cfe-4fc7-95d2-2c68b26c377f\",\"w\":18,\"x\":18,\"y\":29},\"panelIndex\":\"76010cc4-9cfe-4fc7-95d2-2c68b26c377f\",\"version\":\"2.2.0\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"d6e83d77-8304-443a-8abf-d70a812d8192\",\"w\":12,\"x\":36,\"y\":40},\"panelIndex\":\"d6e83d77-8304-443a-8abf-d70a812d8192\",\"version\":\"2.2.0\",\"panelRefName\":\"panel_9\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":20,\"i\":\"77667538-5271-4f14-90ee-c18fd47014a3\",\"w\":18,\"x\":0,\"y\":46},\"panelIndex\":\"77667538-5271-4f14-90ee-c18fd47014a3\",\"version\":\"2.2.0\",\"panelRefName\":\"panel_10\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"b525948d-4ea2-4e09-b86a-4cfbed09ea95\",\"w\":12,\"x\":36,\"y\":48},\"panelIndex\":\"b525948d-4ea2-4e09-b86a-4cfbed09ea95\",\"version\":\"2.2.0\",\"panelRefName\":\"panel_11\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":35,\"i\":\"929431a5-fa23-4b30-9ea8-b2ee9517fb76\",\"w\":48,\"x\":0,\"y\":66},\"panelIndex\":\"929431a5-fa23-4b30-9ea8-b2ee9517fb76\",\"version\":\"2.2.0\",\"panelRefName\":\"panel_12\"}]", + "optionsJSON": "{\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + } + }, + "references": [ + { + "name": "panel_0", + "type": "visualization", + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3" + }, + { + "name": "panel_1", + "type": "visualization", + "id": "92c65a40-2480-11ed-90af-d572007a83ed" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "d3963c30-796c-11ec-9ce6-b395c1ff58f4" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "8e858040-796e-11ec-9ce6-b395c1ff58f4" + }, 
+ { + "name": "panel_4", + "type": "visualization", + "id": "42113f00-796f-11ec-9ce6-b395c1ff58f4" + }, + { + "name": "panel_5", + "type": "visualization", + "id": "ce63a3d0-796f-11ec-9ce6-b395c1ff58f4" + }, + { + "name": "panel_6", + "type": "visualization", + "id": "56cceef0-796d-11ec-9ce6-b395c1ff58f4" + }, + { + "name": "panel_7", + "type": "visualization", + "id": "b9478130-796d-11ec-9ce6-b395c1ff58f4" + }, + { + "name": "panel_8", + "type": "visualization", + "id": "78512b80-2481-11ed-90af-d572007a83ed" + }, + { + "name": "panel_9", + "type": "visualization", + "id": "2b4fa8f0-2483-11ed-90af-d572007a83ed" + }, + { + "name": "panel_10", + "type": "visualization", + "id": "5cb9eaf0-2482-11ed-90af-d572007a83ed" + }, + { + "name": "panel_11", + "type": "visualization", + "id": "c5848c20-2482-11ed-90af-d572007a83ed" + }, + { + "name": "panel_12", + "type": "search", + "id": "2e1ab730-2480-11ed-90af-d572007a83ed" + } + ], + "migrationVersion": { + "dashboard": "7.9.3" + } + }, + { + "id": "df9e399b-efa5-4e33-b0ac-a7668a8ac2b3", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T14:45:15.248Z", + "version": "WzgwMSwxXQ==", + "attributes": { + "title": "Network Logs", + "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) 
\\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[โ†ช Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) โ— [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) โ— [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) โ— [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / [TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) โ— [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) โ— [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) โ— [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) โ— [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) โ— [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) โ— [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) โ— [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) โ— [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) โ— [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) โ— [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) โ— [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) โ— 
[RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) โ— [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) โ— [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) โ— [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) โ— [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) โ— [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) โ— [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) โ— [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) โ— [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) โ— [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) โ— [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) โ— [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) โ— [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) โ— [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) โ— [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) โ— [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) โ— [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) โ— [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) โ— [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) โ— [OPCUA 
Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) โ— [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) โ— [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) โ— [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}" + } + }, + "references": [], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "92c65a40-2480-11ed-90af-d572007a83ed", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T14:45:07.172Z", + "version": "WzcyMSwxXQ==", + "attributes": { + "title": "OPCUA Binary - Log Count", + "visState": "{\"title\":\"OPCUA Binary - Log Count\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + 
"type": "search", + "id": "2e1ab730-2480-11ed-90af-d572007a83ed" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "d3963c30-796c-11ec-9ce6-b395c1ff58f4", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T14:45:07.172Z", + "version": "WzcyMiwxXQ==", + "attributes": { + "title": "OPCUA Binary - Traffic Over Time", + "visState": "{\"title\":\"OPCUA Binary - Traffic Over Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-15y\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\" \"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.dataset\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square 
root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"event.provider:zeek AND event.dataset:opcua*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "8e858040-796e-11ec-9ce6-b395c1ff58f4", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T14:45:07.172Z", + "version": "WzcyMywxXQ==", + "attributes": { + "title": "OPCUA Binary - Actions", + "visState": "{\"title\":\"OPCUA Binary - 
Actions\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:opcua*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "42113f00-796f-11ec-9ce6-b395c1ff58f4", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T14:45:07.172Z", + "version": "WzcyNCwxXQ==", + "attributes": { + "title": "OPCUA Binary - Results", + "visState": "{\"title\":\"OPCUA Binary - 
Results\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:opcua*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "ce63a3d0-796f-11ec-9ce6-b395c1ff58f4", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T14:45:07.172Z", + "version": "WzcyNSwxXQ==", + "attributes": { + "title": "OPCUA Binary - URLs and URIs", + "visState": "{\"title\":\"OPCUA Binary - URLs and URIs\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"url.original\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"URL or 
URI\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":20,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:opcua*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "56cceef0-796d-11ec-9ce6-b395c1ff58f4", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T14:45:07.172Z", + "version": "WzcyNiwxXQ==", + "attributes": { + "title": "OPCUA Binary - Source", + "visState": "{\"title\":\"OPCUA Binary - Source\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": 
"search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "015ef1a0-7965-11ec-9ce6-b395c1ff58f4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "b9478130-796d-11ec-9ce6-b395c1ff58f4", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T14:45:07.172Z", + "version": "WzcyNywxXQ==", + "attributes": { + "title": "OPCUA Binary - Destination", + "visState": "{\"title\":\"OPCUA Binary - Destination\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":250,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "015ef1a0-7965-11ec-9ce6-b395c1ff58f4" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "78512b80-2481-11ed-90af-d572007a83ed", + "type": 
"visualization", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T14:45:07.172Z", + "version": "WzcyOCwxXQ==", + "attributes": { + "title": "OPCUA Binary - User", + "visState": "{\"title\":\"OPCUA Binary - User\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"related.user\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"User\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + 
"type": "search", + "id": "2e1ab730-2480-11ed-90af-d572007a83ed" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "2b4fa8f0-2483-11ed-90af-d572007a83ed", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T14:45:07.172Z", + "version": "WzcyOSwxXQ==", + "attributes": { + "title": "OPCUA Binary - Password Count", + "visState": "{\"title\":\"OPCUA Binary - Password Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"params\":{\"field\":\"related.password\",\"customLabel\":\"Unique Passwords\"},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "2e1ab730-2480-11ed-90af-d572007a83ed" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "5cb9eaf0-2482-11ed-90af-d572007a83ed", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T14:45:07.172Z", + "version": "WzczMCwxXQ==", + "attributes": { + "title": "OPCUA Binary - Software", + "visState": "{\"title\":\"OPCUA Binary - 
Software\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.software.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Software Name\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "2e1ab730-2480-11ed-90af-d572007a83ed" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "c5848c20-2482-11ed-90af-d572007a83ed", + "type": 
"visualization", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T14:45:07.172Z", + "version": "WzczMSwxXQ==", + "attributes": { + "title": "OPCUA Binary - Protocol Version", + "visState": "{\"title\":\"OPCUA Binary - Protocol Version\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol Version\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "2e1ab730-2480-11ed-90af-d572007a83ed" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "2e1ab730-2480-11ed-90af-d572007a83ed", + "type": "search", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T14:45:07.172Z", + "version": "WzczMiwxXQ==", + "attributes": { + "title": "OPCUA Binary and Related - Logs", + "description": "", + "hits": 0, + "columns": [ + "event.dataset", + "source.ip", + "destination.ip", + "destination.port", + "event.action", + "event.result", + "url.original", + "event.id" + ], + "sort": [], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.provider:zeek AND 
event.dataset:opcua*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "search": "7.9.3" + } + }, + { + "id": "015ef1a0-7965-11ec-9ce6-b395c1ff58f4", + "type": "search", + "namespaces": [ + "default" + ], + "updated_at": "2022-08-25T14:45:07.172Z", + "version": "WzczMywxXQ==", + "attributes": { + "title": "OPCUA Binary - Logs", + "description": "", + "hits": 0, + "columns": [ + "source.ip", + "source.port", + "destination.ip", + "destination.port", + "network.protocol_version", + "event.action", + "url.original", + "zeek.opcua_binary.seq_number", + "zeek.opcua_binary.request_id", + "zeek.opcua_binary.opcua_link_id", + "zeek.uid" + ], + "sort": [], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.provider:zeek AND event.dataset:opcua_binary\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "arkime_sessions3-*" + } + ], + "migrationVersion": { + "search": "7.9.3" + } + } + ] } \ No newline at end of file diff --git a/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json b/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json index 381d43400..86fb7534c 100644 --- a/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json +++ b/dashboards/dashboards/e09a4b86-29b5-4256-bb3b-802ac9f90404.json 
@@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}" } }, "references": [ @@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json b/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json index e4a8a6d5c..1df551a6c 100644 --- a/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json +++ b/dashboards/dashboards/e76d05c0-eb9f-11e9-a384-0fcf32210194.json @@ -1,5 +1,5 @@ { - "version": "7.10.0", + "version": "2.1.0", "objects": [ { "id": "e76d05c0-eb9f-11e9-a384-0fcf32210194", 
@@ -7,18 +7,18 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:04.558Z", - "version": "WzgyMCwxXQ==", + "updated_at": "2022-08-10T15:34:25.353Z", + "version": "Wzg5OCwxXQ==", "attributes": { - "title": "S7comm", + "title": "S7comm / S7comm Plus", "hits": 0, "description": "", - "panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":51,\"i\":\"1\"},\"panelIndex\":\"1\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\",\"embeddableConfig\":{}},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":14,\"i\":\"2\"},\"panelIndex\":\"2\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":14,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":34,\"w\":20,\"h\":17,\"i\":\"7\"},\"panelIndex\":\"7\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":34,\"w\":20,\"h\":17,\"i\":\"8\"},\"panelIndex\":\"8\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":8,\"y\":14,\"w\":20,\"h\":20,\"i\":\"10\"},\"panelIndex\":\"10\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":28,\"y\":14,\"w\":20,\"h\":20,\"i\":\"11\"},\"panelIndex\":\"11\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_6\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":24,\"y\":51,\"w\":24,\"h\":20,\"i\":\"13\"},\"panelIndex\":\"13\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_7\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":51,\"w\":24,\"h\":20,\"i\":\"14\"},\"panelIndex\":\"14\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_8\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":71,\"w\":48,\"h\":35,\"i\":\"15\"},\"panelIndex\":\"15\",\"version\":\"7.6.2\",\"panelRefName\":\"panel_9\"}]", + "panelsJSON": 
"[{\"version\":\"2.1.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":31,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":20,\"i\":\"5716abc8-3472-485a-9fd9-492f775cc371\"},\"panelIndex\":\"5716abc8-3472-485a-9fd9-492f775cc371\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":20,\"i\":\"2a9754ed-092c-4afd-9712-203f13d1c369\"},\"panelIndex\":\"2a9754ed-092c-4afd-9712-203f13d1c369\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":8,\"y\":20,\"w\":18,\"h\":36,\"i\":\"13aac6f7-d251-4845-b5b6-3c1515132504\"},\"panelIndex\":\"13aac6f7-d251-4845-b5b6-3c1515132504\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":26,\"y\":20,\"w\":10,\"h\":18,\"i\":\"82ee0b2b-60d0-4271-9d3e-acbd5366e660\"},\"panelIndex\":\"82ee0b2b-60d0-4271-9d3e-acbd5366e660\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":36,\"y\":20,\"w\":12,\"h\":18,\"i\":\"4b9b201e-4f7c-4e17-a3a8-308fe4ec25e9\"},\"panelIndex\":\"4b9b201e-4f7c-4e17-a3a8-308fe4ec25e9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_5\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":0,\"y\":31,\"w\":8,\"h\":16,\"i\":\"a8447ab6-5810-43a6-a42c-97b6776203c0\"},\"panelIndex\":\"a8447ab6-5810-43a6-a42c-97b6776203c0\",\"embeddableConfig\":{},\"panelRefName\":\"panel_6\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":26,\"y\":38,\"w\":22,\"h\":18,\"i\":\"4ed75bae-60f2-478f-b1d7-3954019d6340\"},\"panelIndex\":\"4ed75bae-60f2-478f-b1d7-3954019d6340\",\"embeddableConfig\":{},\"panelRefName\":\"panel_7\"},{\"version\":\"2.1.0\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":32,\"i\":\"edae9dd1-a37e-420d-9154-7841a8c62098\"},\"panelIndex\":\"edae9dd1-a37e-420d-9154-7841a8c62098\",\"embeddableConfig\":{},\"panelRefName\":\"panel_8\"}]
", "optionsJSON": "{\"useMargins\":true}", "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" } }, "references": [ @@ -30,47 +30,42 @@ { "name": "panel_1", "type": "visualization", - "id": "24c75a10-eba0-11e9-a384-0fcf32210194" + "id": "20fb6ce0-18bc-11ed-beb5-43d854a8ab7d" }, { "name": "panel_2", "type": "visualization", - "id": "455369e0-eba0-11e9-a384-0fcf32210194" + "id": "8c7305a0-18bc-11ed-beb5-43d854a8ab7d" }, { "name": "panel_3", "type": "visualization", - "id": "739fdf30-eba1-11e9-a384-0fcf32210194" + "id": "57b998a0-18bd-11ed-beb5-43d854a8ab7d" }, { "name": "panel_4", "type": "visualization", - "id": "32d94580-eba2-11e9-a384-0fcf32210194" + "id": "0a43be80-18c1-11ed-9abd-97fb0b4c6d6c" }, { "name": "panel_5", "type": "visualization", - "id": "0b553f40-eba8-11e9-a384-0fcf32210194" + "id": "7ec83c40-18c1-11ed-9abd-97fb0b4c6d6c" }, { "name": "panel_6", "type": "visualization", - "id": "2b801c40-eba8-11e9-a384-0fcf32210194" + "id": "ca0be990-18bc-11ed-beb5-43d854a8ab7d" }, { "name": "panel_7", "type": "visualization", - "id": "a5ed7c10-eeb0-11e9-bdef-65a192b7f586" + "id": "39091f40-18c0-11ed-9abd-97fb0b4c6d6c" }, { "name": "panel_8", - "type": "visualization", - "id": "bb650520-eeb2-11e9-bdef-65a192b7f586" - }, - { - "name": "panel_9", "type": "search", - "id": "484253d0-eb9d-11e9-a384-0fcf32210194" + "id": "a827b610-18b7-11ed-9815-dd8187ffaa35" } ], "migrationVersion": { 
@@ -83,8 +78,8 @@ "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:09.616Z", - "version": "Wzg3MiwxXQ==", + "updated_at": "2022-08-10T15:11:15.749Z", + "version": "WzgwMiwxXQ==", "attributes": { "title": "Network Logs", "visState": "{\"title\":\"Network Logs\",\"type\":\"markdown\",\"params\":{\"markdown\":\"### General\\n[Overview](/dashboards/app/dashboards#/view/0ad3d7c2-3441-485e-9dfe-dbb22e84e576) \\n[Security Overview](/dashboards/app/dashboards#/view/95479950-41f2-11ea-88fa-7151df485405) \\n[ICS/IoT Security Overview](/dashboards/app/dashboards#/view/4a4bde20-4760-11ea-949c-bbb5a9feecbf) \\n[Severity](/dashboards/app/dashboards#/view/d2dd0180-06b1-11ec-8c6b-353266ade330) \\n[Connections](/dashboards/app/dashboards#/view/abdd7550-2c7c-40dc-947e-f6d186a158c4) \\n[Actions and Results](/dashboards/app/dashboards#/view/a33e0a50-afcd-11ea-993f-b7d8522a8bed) \\n[Files](/dashboards/app/dashboards#/view/9ee51f94-3316-4fc5-bd89-93a52af69714) \\n[Executables](/dashboards/app/dashboards#/view/0a490422-0ce9-44bf-9a2d-19329ddde8c3) \\n[Software](/dashboards/app/dashboards#/view/87d990cc-9e0b-41e5-b8fe-b10ae1da0c85) \\n[Zeek Intelligence](/dashboards/app/dashboards#/view/36ed695f-edcc-47c1-b0ec-50d20c93ce0f) \\n[Zeek Notices](/dashboards/app/dashboards#/view/f1f09567-fc7f-450b-a341-19d2f2bb468b) \\n[Zeek Weird](/dashboards/app/dashboards#/view/1fff49f6-0199-4a0f-820b-721aff9ff1f1) \\n[Signatures](/dashboards/app/dashboards#/view/665d1610-523d-11e9-a30e-e3576242f3ed) \\n[Suricata Alerts](/dashboards/app/dashboards#/view/5694ca60-cbdf-11ec-a50a-5fedd672f5c5) \\n[โ†ช Arkime](/sessions) \\n\\n### Common Protocols\\n[DCE/RPC](/dashboards/app/dashboards#/view/432af556-c5c0-4cc3-8166-b274b4e3a406) โ— [DHCP](/dashboards/app/dashboards#/view/2d98bb8e-214c-4374-837b-20e1bcd63a5e) โ— [DNS](/dashboards/app/dashboards#/view/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9) โ— [FTP](/dashboards/app/dashboards#/view/078b9aa5-9bd4-4f02-ae5e-cf80fa6f887b) / 
[TFTP](/dashboards/app/dashboards#/view/bf5efbb0-60f1-11eb-9d60-dbf0411cfc48) โ— [HTTP](/dashboards/app/dashboards#/view/37041ee1-79c0-4684-a436-3173b0e89876) โ— [IRC](/dashboards/app/dashboards#/view/76f2f912-80da-44cd-ab66-6a73c8344cc3) โ— [Kerberos](/dashboards/app/dashboards#/view/82da3101-2a9c-4ae2-bb61-d447a3fbe673) โ— [LDAP](/dashboards/app/dashboards#/view/05e3e000-f118-11e9-acda-83a8e29e1a24) โ— [MQTT](/dashboards/app/dashboards#/view/87a32f90-ef58-11e9-974e-9d600036d105) โ— [MySQL](/dashboards/app/dashboards#/view/50ced171-1b10-4c3f-8b67-2db9635661a6) โ— [NTLM](/dashboards/app/dashboards#/view/543118a9-02d7-43fe-b669-b8652177fc37) โ— [NTP](/dashboards/app/dashboards#/view/af5df620-eeb6-11e9-bdef-65a192b7f586) โ— [OSPF](/dashboards/app/dashboards#/view/1cc01ff0-5205-11ec-a62c-7bc80e88f3f0) โ— [QUIC](/dashboards/app/dashboards#/view/11ddd980-e388-11e9-b568-cf17de8e860c) โ— [RADIUS](/dashboards/app/dashboards#/view/ae79b7d1-4281-4095-b2f6-fa7eafda9970) โ— [RDP](/dashboards/app/dashboards#/view/7f41913f-cba8-43f5-82a8-241b7ead03e0) โ— [RFB](/dashboards/app/dashboards#/view/f77bf097-18a8-465c-b634-eb2acc7a4f26) โ— [SIP](/dashboards/app/dashboards#/view/0b2354ae-0fe9-4fd9-b156-1c3870e5c7aa) โ— [SMB](/dashboards/app/dashboards#/view/42e831b9-41a9-4f35-8b7d-e1566d368773) โ— [SMTP](/dashboards/app/dashboards#/view/bb827f8e-639e-468c-93c8-9f5bc132eb8f) โ— [SNMP](/dashboards/app/dashboards#/view/4e5f106e-c60a-4226-8f64-d534abb912ab) โ— [SSH](/dashboards/app/dashboards#/view/caef3ade-d289-4d05-a511-149f3e97f238) โ— [SSL](/dashboards/app/dashboards#/view/7f77b58a-df3e-4cc2-b782-fd7f8bad8ffb) / [X.509 Certificates](/dashboards/app/dashboards#/view/024062a6-48d6-498f-a91a-3bf2da3a3cd3) โ— [STUN](/dashboards/app/dashboards#/view/fa477130-2b8a-11ec-a9f2-3911c8571bfd) โ— [Syslog](/dashboards/app/dashboards#/view/92985909-dc29-4533-9e80-d3182a0ecf1d) โ— [TDS](/dashboards/app/dashboards#/view/bed185a0-ef82-11e9-b38a-2db3ee640e88) / [TDS 
RPC](/dashboards/app/dashboards#/view/32587740-ef88-11e9-b38a-2db3ee640e88) / [TDS SQL](/dashboards/app/dashboards#/view/fa141950-ef89-11e9-b38a-2db3ee640e88) โ— [Telnet / rlogin / rsh](/dashboards/app/dashboards#/view/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2) โ— [Tunnels](/dashboards/app/dashboards#/view/11be6381-beef-40a7-bdce-88c5398392fc)\\n\\n### ICS/IoT Protocols\\n[BACnet](/dashboards/app/dashboards#/view/2bec1490-eb94-11e9-a384-0fcf32210194) โ— [BSAP](/dashboards/app/dashboards#/view/ca5799a0-56b5-11eb-b749-576de068f8ad) โ— [DNP3](/dashboards/app/dashboards#/view/870a5862-6c26-4a08-99fd-0c06cda85ba3) โ— [EtherCAT](/dashboards/app/dashboards#/view/4a073440-b286-11eb-a4d4-09fa12a6ebd4) โ— [EtherNet/IP](/dashboards/app/dashboards#/view/29a1b290-eb98-11e9-a384-0fcf32210194) โ— [GENISYS](/dashboards/app/dashboards#/view/03207c00-d07e-11ec-b4a7-d1b4003706b7) โ— [Modbus](/dashboards/app/dashboards#/view/152f29dc-51a2-4f53-93e9-6e92765567b8) โ— [OPCUA Binary](/dashboards/app/dashboards#/view/dd87edd0-796a-11ec-9ce6-b395c1ff58f4) โ— [PROFINET](/dashboards/app/dashboards#/view/a7514350-eba6-11e9-a384-0fcf32210194) โ— [S7comm](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194) โ— [Best Guess](/dashboards/app/dashboards#/view/12e3a130-d83b-11eb-a0b0-f328ce09b0b7)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}", 
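Review bot: The navigation markdown in this hunk's `visState` still labels the link to `e76d05c0-eb9f-11e9-a384-0fcf32210194` as `[S7comm]`, while the earlier hunk of this file renames that dashboard's title to `"S7comm / S7comm Plus"`. The link itself still resolves, so this is a labelling inconsistency rather than a broken reference, but if the rename is meant to be user-visible the label should follow it, e.g. `[S7comm / S7comm Plus](/dashboards/app/dashboards#/view/e76d05c0-eb9f-11e9-a384-0fcf32210194)`. This "Network Logs" markdown is presumably copied into the other dashboard exports as well, so the same label would need updating there too.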
@@ -101,67 +96,29 @@ } }, { - "id": "24c75a10-eba0-11e9-a384-0fcf32210194", + "id": "20fb6ce0-18bc-11ed-beb5-43d854a8ab7d", "type": "visualization", "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:04.558Z", - "version": "WzgyMiwxXQ==", + "updated_at": "2022-08-10T15:11:09.705Z", + "version": "Wzc0NCwxXQ==", "attributes": { "title": "S7comm - Log Count", - "visState": "{\"title\":\"S7comm - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Log Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", + "visState": "{\"title\":\"S7comm - Log Count\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":36}}}}", "uiStateJSON": "{}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"event.dataset\",\"value\":\"s7comm, iso_cotp\",\"params\":[\"s7comm\",\"iso_cotp\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"event.dataset\":\"s7comm\"}},{\"match_phrase\":{\"event.dataset\":\"iso_cotp\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" }, - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "455369e0-eba0-11e9-a384-0fcf32210194", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2021-02-10T21:25:04.558Z", - "version": "WzgyMywxXQ==", - "attributes": { - "title": "S7comm - Logs Over Time", - "visState": "{\"title\":\"S7comm - Logs Over 
Time\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\",\"mode\":\"relative\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\" \"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event.dataset\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Log Type\"}}]}", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"type\":\"phrases\",\"key\":\"event.dataset\",\"value\":\"s7comm, 
iso_cotp\",\"params\":[\"s7comm\",\"iso_cotp\"],\"negate\":false,\"disabled\":false,\"alias\":\"Zeek Log Type\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"event.dataset\":\"s7comm\"}},{\"match_phrase\":{\"event.dataset\":\"iso_cotp\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } + "savedSearchRefName": "search_0" }, "references": [ { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" - }, - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern", - "id": "arkime_sessions3-*" + "name": "search_0", + "type": "search", + "id": "a827b610-18b7-11ed-9815-dd8187ffaa35" } ], "migrationVersion": { 
@@ -169,29 +126,29 @@ } }, { - "id": "739fdf30-eba1-11e9-a384-0fcf32210194", + "id": "8c7305a0-18bc-11ed-beb5-43d854a8ab7d", "type": "visualization", "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:04.558Z", - "version": "WzgyNCwxXQ==", + "updated_at": "2022-08-10T15:11:09.705Z", + "version": "Wzc0NSwxXQ==", "attributes": { - "title": "S7comm - Message Type", - "visState": "{\"title\":\"S7comm - Message Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.s7comm.rosctr\",\"size\":15,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Message Type\"}}]}", - "uiStateJSON": "{}", + "title": "S7comm - Logs Over Time", + "visState": "{\"title\":\"S7comm - Logs Over 
Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"firstPacket\",\"timeRange\":{\"from\":\"now-25y\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", - "id": "484253d0-eb9d-11e9-a384-0fcf32210194" + "type": "search", + "id": "a827b610-18b7-11ed-9815-dd8187ffaa35" } ], "migrationVersion": { 
@@ -199,29 +156,29 @@ } }, { - "id": "32d94580-eba2-11e9-a384-0fcf32210194", + "id": "57b998a0-18bd-11ed-beb5-43d854a8ab7d", "type": "visualization", "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:04.558Z", - "version": "WzgyNSwxXQ==", + "updated_at": "2022-08-10T15:23:15.472Z", + "version": "Wzg5MSwxXQ==", "attributes": { - "title": "COTP - PDU Type", - "visState": "{\"title\":\"COTP - PDU Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"zeek.iso_cotp.pdu_type\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"PDU Type\"}}]}", - "uiStateJSON": "{}", + "title": "S7comm Operations", + "visState": "{\"title\":\"S7comm 
Operations\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":25,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", - "id": "9a78c670-eb9d-11e9-a384-0fcf32210194" + "type": "search", + "id": "a827b610-18b7-11ed-9815-dd8187ffaa35" } ], "migrationVersion": { 
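Review bot: The new visualization title `"S7comm Operations"` drops the `" - "` separator that the sibling titles in this file keep (`"S7comm - Log Count"`, `"S7comm - Logs Over Time"` in the hunks above), and the same applies to `"S7comm Source IP"`, `"S7comm Destination IP"`, `"S7comm Plus Version"` and `"S7comm Read-SZL"` in the following hunks. Since the `visState` string repeats the title, each title appears twice per object and both copies should agree if the naming is made consistent, e.g. `"title": "S7comm - Operations"`. This is purely a presentation/style point; the saved-search references and aggregations look coherent with the rest of the file.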
@@ -229,29 +186,29 @@ } }, { - "id": "0b553f40-eba8-11e9-a384-0fcf32210194", + "id": "0a43be80-18c1-11ed-9abd-97fb0b4c6d6c", "type": "visualization", "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:04.558Z", - "version": "WzgyNiwxXQ==", + "updated_at": "2022-08-10T15:28:09.832Z", + "version": "Wzg5NCwxXQ==", "attributes": { - "title": "S7comm - Source IP", - "visState": "{\"title\":\"S7comm - Source IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "title": "S7comm Source IP", + "visState": "{\"title\":\"S7comm Source IP\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source 
IP\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", - "id": "81417210-eba2-11e9-a384-0fcf32210194" + "type": "search", + "id": "a827b610-18b7-11ed-9815-dd8187ffaa35" } ], "migrationVersion": { 
@@ -259,29 +216,29 @@ } }, { - "id": "2b801c40-eba8-11e9-a384-0fcf32210194", + "id": "7ec83c40-18c1-11ed-9abd-97fb0b4c6d6c", "type": "visualization", "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:04.558Z", - "version": "WzgyNywxXQ==", + "updated_at": "2022-08-10T15:31:25.316Z", + "version": "Wzg5NSwxXQ==", "attributes": { - "title": "S7comm - Destination IP", - "visState": "{\"title\":\"S7comm - Destination IP\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"size\":250,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", + "title": "S7comm Destination IP", + "visState": "{\"title\":\"S7comm Destination 
IP\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Protocol\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", - "id": "81417210-eba2-11e9-a384-0fcf32210194" + "type": "search", + "id": "a827b610-18b7-11ed-9815-dd8187ffaa35" } ], "migrationVersion": { 
@@ -289,29 +246,29 @@ } }, { - "id": "a5ed7c10-eeb0-11e9-bdef-65a192b7f586", + "id": "ca0be990-18bc-11ed-beb5-43d854a8ab7d", "type": "visualization", "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:04.558Z", - "version": "WzgyOCwxXQ==", + "updated_at": "2022-08-10T15:32:42.356Z", + "version": "Wzg5NiwxXQ==", "attributes": { - "title": "S7comm - User Data", - "visState": "{\"title\":\"S7comm - User Data\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.s7comm.parameters.group\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function Group\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.s7comm.parameters.mode\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function Mode\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.s7comm.parameters.sub\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Sub Parameter\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", + "title": "S7comm Plus Version", + "visState": "{\"title\":\"S7comm Plus 
Version\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"network.protocol_version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Version\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"zeek.s7comm.rosctr:\\\"User Data\\\"\",\"language\":\"lucene\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", - "id": "484253d0-eb9d-11e9-a384-0fcf32210194" + "type": "search", + "id": "3d7c6e00-18b7-11ed-9815-dd8187ffaa35" } ], "migrationVersion": { 
@@ -319,29 +276,29 @@ } }, { - "id": "bb650520-eeb2-11e9-bdef-65a192b7f586", + "id": "39091f40-18c0-11ed-9abd-97fb0b4c6d6c", "type": "visualization", "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:04.558Z", - "version": "WzgyOSwxXQ==", + "updated_at": "2022-08-10T15:22:18.804Z", + "version": "Wzg5MCwxXQ==", "attributes": { - "title": "S7comm - Job Request and Acknowledgement", - "visState": "{\"title\":\"S7comm - Job Request and Acknowledgement\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"},\"totalFunc\":\"sum\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.s7comm.rosctr\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Message Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.s7comm.parameters.type\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.s7comm.parameters.class\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Error 
Class\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"zeek.s7comm.parameters.code\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Error Code\"}}]}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":\"desc\"}}}}", + "title": "S7comm Read-SZL", + "visState": "{\"title\":\"S7comm Read-SZL\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"zeek.s7comm_read_szl.szl_index\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"SZL Index\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Action\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.result\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Result\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "description": "", "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"zeek.s7comm.rosctr:(\\\"Acknowledge Data\\\" 
OR \\\"Job\\\")\"},\"filter\":[]}" + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" }, "savedSearchRefName": "search_0" }, "references": [ { - "type": "search", "name": "search_0", - "id": "484253d0-eb9d-11e9-a384-0fcf32210194" + "type": "search", + "id": "aa66bb80-18b5-11ed-9815-dd8187ffaa35" } ], "migrationVersion": { @@ -349,33 +306,34 @@ } }, { - "id": "484253d0-eb9d-11e9-a384-0fcf32210194", + "id": "a827b610-18b7-11ed-9815-dd8187ffaa35", "type": "search", "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:04.558Z", - "version": "WzgzMCwxXQ==", + "updated_at": "2022-08-10T15:11:09.705Z", + "version": "Wzc0OCwxXQ==", "attributes": { - "title": "S7comm - Logs", + "title": "S7comm and Related - Logs", "description": "", "hits": 0, "columns": [ + "event.dataset", + "network.protocol", "source.ip", + "source.port", "destination.ip", - "zeek.s7comm.rosctr", - "zeek.s7comm.parameter", - "event.id" - ], - "sort": [ - [ - "firstPacket", - "desc" - ] + "destination.port", + "network.is_orig", + "event.action", + "event.result", + "zeek.s7comm.pdu_reference", + "zeek.uid" ], + "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"event.dataset:s7comm\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:(s7comm* OR cotp)\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -390,34 +348,32 @@ } }, { - "id": "9a78c670-eb9d-11e9-a384-0fcf32210194", + "id": "3d7c6e00-18b7-11ed-9815-dd8187ffaa35", "type": "search", "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:04.558Z", - "version": "WzgzMSwxXQ==", + "updated_at": "2022-08-10T15:11:09.705Z", + "version": "Wzc1MCwxXQ==", "attributes": { - "title": "Connection-Oriented Transport Protocol - Logs", + "title": "S7comm Plus - Logs", "description": "", "hits": 0, "columns": [ + "network.protocol_version", "source.ip", "source.port", "destination.ip", "destination.port", - "zeek.iso_cotp.pdu_type", - "event.id" - ], - "sort": [ - [ - "firstPacket", - "desc" - ] + "network.is_orig", + "event.action", + "event.result", + "zeek.uid" ], + "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:iso_cotp\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:s7comm_plus\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
@@ -432,35 +388,33 @@ } }, { - "id": "81417210-eba2-11e9-a384-0fcf32210194", + "id": "aa66bb80-18b5-11ed-9815-dd8187ffaa35", "type": "search", "namespaces": [ "default" ], - "updated_at": "2021-02-10T21:25:04.558Z", - "version": "WzgzMiwxXQ==", + "updated_at": "2022-08-10T15:11:09.705Z", + "version": "Wzc0OSwxXQ==", "attributes": { - "title": "S7comm and Related - Logs", + "title": "S7comm Read-SZL - Logs", "description": "", "hits": 0, "columns": [ "source.ip", + "source.port", "destination.ip", - "zeek.iso_cotp.pdu_type", - "zeek.s7comm.parameter", - "zeek.s7comm.data_info", - "zeek.s7comm.rosctr", - "event.id" - ], - "sort": [ - [ - "firstPacket", - "desc" - ] + "destination.port", + "zeek.s7comm_read_szl.method", + "zeek.s7comm_read_szl.szl_index", + "event.action", + "event.result", + "zeek.s7comm.pdu_reference", + "zeek.uid" ], + "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event.dataset:(iso_cotp OR s7comm)\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:s7comm_read_szl\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json b/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json index 20186a72b..f36984613 100644 --- a/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json +++ b/dashboards/dashboards/ed8a6640-3f98-11e9-a58e-8bdedb0915e8.json 
@@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}" } }, "references": [ @@ -120,7 +120,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json b/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json index db5dd4c32..148205560 100644 --- a/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json +++ b/dashboards/dashboards/f1f09567-fc7f-450b-a341-19d2f2bb468b.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" } }, "references": [ 
@@ -418,7 +418,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.provider:zeek AND event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.provider:zeek AND event.dataset:notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json b/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json index 5f50f367c..057cc9b13 100644 --- a/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json +++ b/dashboards/dashboards/f394057d-1b16-4174-b994-7045f423a416.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}" + "searchSourceJSON": "{\"filter\":[],\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}" } }, "references": [ 
@@ -192,7 +192,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"(event.provider:zeek AND event.dataset:conn) OR (event.provider:suricata AND event.dataset:flow)\",\"analyze_wildcard\":true}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json b/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json index 7739d025a..6ebbced5d 100644 --- a/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json +++ b/dashboards/dashboards/f77bf097-18a8-465c-b634-eb2acc7a4f26.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" } }, "references": [ 
@@ -475,7 +475,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:rfb\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event.dataset:rfb\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json b/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json index 64878c055..b93cf095b 100644 --- a/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json +++ b/dashboards/dashboards/fa141950-ef89-11e9-b38a-2db3ee640e88.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" } }, "references": [ @@ -118,7 +118,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"tds_sql_batch\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:\\\"tds_sql_batch\\\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ 
diff --git a/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json b/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json index 87b1dc7d1..0f0cc9f62 100644 --- a/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json +++ b/dashboards/dashboards/fa477130-2b8a-11ec-a9f2-3911c8571bfd.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[]}" } }, "references": [ @@ -432,7 +432,7 @@ "source.port", "destination.ip", "destination.port", - "zeek.stun.is_orig", + "network.is_orig", "zeek.stun.method", "zeek.stun.class", "zeek.stun.attr_type", @@ -441,7 +441,7 @@ "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:stun\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:stun\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -472,7 +472,7 @@ "source.port", "destination.ip", "destination.port", - "zeek.stun_nat.is_orig", + "network.is_orig", "zeek.stun_nat.wan_addr", "zeek.stun_nat.wan_port", "zeek.stun_nat.lan_addr", 
@@ -481,7 +481,7 @@ "sort": [], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:stun_nat\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"event.dataset:stun_nat\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ @@ -526,7 +526,7 @@ ], "version": 1, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"filter\":[],\"query\":{\"query\":\"NOT event.provider:arkime\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" } }, "references": [ diff --git a/dashboards/opensearch_dashboards.yml b/dashboards/opensearch_dashboards.yml index 24a66bba5..27e64f494 100644 --- a/dashboards/opensearch_dashboards.yml +++ b/dashboards/opensearch_dashboards.yml @@ -7,6 +7,9 @@ server.basePath: "/dashboards" server.rewriteBasePath: true server.maxPayloadBytes: 8388608 opensearch.hosts: ["${OPENSEARCH_URL}"] +opensearch.username: "_MALCOLM_DASHBOARDS_OPENSEARCH_USER_" +opensearch.password: "_MALCOLM_DASHBOARDS_OPENSEARCH_PASSWORD_" +opensearch.ssl.verificationMode: "_MALCOLM_DASHBOARDS_OPENSEARCH_SSL_VERIFICATION_MODE_" opensearch.requestTimeout: 180000 opensearchDashboards.branding: diff --git a/dashboards/scripts/create-arkime-sessions-index.sh b/dashboards/scripts/create-arkime-sessions-index.sh index 4f645e6b9..305de3b63 100755 --- a/dashboards/scripts/create-arkime-sessions-index.sh +++ b/dashboards/scripts/create-arkime-sessions-index.sh 
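Review bot: The three new `opensearch.username`/`opensearch.password`/`opensearch.ssl.verificationMode` keys in the opensearch_dashboards.yml hunk carry `_MALCOLM_DASHBOARDS_OPENSEARCH_*_` tokens that are presumably rewritten by an entrypoint script not shown here, and nothing in the file says so or what happens when a token is left unreplaced. An unreplaced token would be sent verbatim as the OpenSearch credentials, and `verificationMode` would hold a string that is not one of the accepted values (`full`, `certificate`, `none`), so the failure mode should be a refused start rather than a silent default. I would document the contract above the keys, e.g. `# _MALCOLM_DASHBOARDS_OPENSEARCH_*_ tokens are substituted at container start; a token still present after substitution is a startup error, not a default`, and have the substitution step fall back to `full` for `verificationMode` only, never to `none`. Since this file now holds a password after rendering, the rendered copy should be written with restrictive permissions and kept out of any startup log output; I cannot confirm either from this hunk.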
@@ -5,14 +5,6 @@ set -euo pipefail shopt -s nocasematch -if [[ -n $OPENSEARCH_URL ]]; then - OS_URL="$OPENSEARCH_URL" -elif [[ -n $OS_HOST ]] && [[ -n $OS_PORT ]]; then - OS_URL="http://$OS_HOST:$OS_PORT" -else - OS_URL="http://opensearch:9200" -fi - if [[ -n $DASHBOARDS_URL ]]; then DASHB_URL="$DASHBOARDS_URL" elif [[ -n $DASHBOARDS_HOST ]] && [[ -n $DASHBOARDS_PORT ]]; then 
@@ -40,174 +32,212 @@ if [[ "$CREATE_OS_ARKIME_SESSION_INDEX" = "true" ]] ; then # give OpenSearch time to start before configuring dashboards /data/opensearch_status.sh >/dev/null 2>&1 - # is the Dashboards process server up and responding to requests? - if curl -L --silent --output /dev/null --fail -XGET "$DASHB_URL/api/status" ; then + for LOOP in primary secondary; do + + if [[ "$LOOP" == "primary" ]]; then + OPENSEARCH_URL_TO_USE=${OPENSEARCH_URL:-"http://opensearch:9200"} + OPENSEARCH_LOCAL=${OPENSEARCH_LOCAL:-"true"} + OPENSEARCH_CREDS_CONFIG_FILE_TO_USE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/opensearch.primary.curlrc"} + if [[ "$OPENSEARCH_LOCAL" == "false" ]] && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE_TO_USE" ]]; then + CURL_CONFIG_PARAMS=( + --config + "$OPENSEARCH_CREDS_CONFIG_FILE_TO_USE" + ) + else + CURL_CONFIG_PARAMS=() + fi - # have we not not already created the index pattern? - if ! curl -L --silent --output /dev/null --fail -XGET "$DASHB_URL/api/saved_objects/index-pattern/$INDEX_PATTERN_ID" ; then + elif [[ "$LOOP" == "secondary" ]] && [[ "${OPENSEARCH_SECONDARY:-"false"}" == "true" ]] && [[ -n "${OPENSEARCH_SECONDARY_URL:-""}" ]]; then + OPENSEARCH_URL_TO_USE=$OPENSEARCH_SECONDARY_URL + OPENSEARCH_LOCAL=false + OPENSEARCH_CREDS_CONFIG_FILE_TO_USE=${OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE:-"/var/local/opensearch.secondary.curlrc"} + if [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE_TO_USE" ]]; then + CURL_CONFIG_PARAMS=( + --config + "$OPENSEARCH_CREDS_CONFIG_FILE_TO_USE" + ) + else + CURL_CONFIG_PARAMS=() + fi - echo "OpenSearch is running!" + else + continue + fi - # register the repo name/path for opensearch snapshots - echo "Registering index snapshot repository..." 
- curl -w "\n" -H "Accept: application/json" \ - -H "Content-type: application/json" \ - -XPUT -fsSL "$OS_URL/_snapshot/$ISM_SNAPSHOT_REPO" \ - -d "{ \"type\": \"fs\", \"settings\": { \"location\": \"$ISM_SNAPSHOT_REPO\", \"compress\": $ISM_SNAPSHOT_COMPRESSED } }" + # is the Dashboards process server up and responding to requests? + if [[ "$LOOP" != "primary" ]] || curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --fail -XGET "$DASHB_URL/api/status" ; then - if [[ -d /opt/ecs-templates/composable/component ]]; then - echo "Importing ECS composable templates..." - for i in /opt/ecs-templates/composable/component/*.json; do - TEMP_BASENAME="$(basename "$i")" - TEMP_FILENAME="${TEMP_BASENAME%.*}" - echo "Importing ECS composable template $TEMP_FILENAME ..." - curl -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" "$OS_URL/_component_template/ecs_$TEMP_FILENAME" -d "@$i" 2>&1 || true - done - fi + # have we not not already created the index pattern? + if [[ "$LOOP" != "primary" ]] || ! curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --fail -XGET "$DASHB_URL/api/saved_objects/index-pattern/$INDEX_PATTERN_ID" ; then + + echo "OpenSearch ($LOOP) is running at \"${OPENSEARCH_URL_TO_USE}\"!" + + # register the repo name/path for opensearch snapshots (but don't count this an unrecoverable failure) + if [[ "$LOOP" == "primary" ]] && [[ "$OPENSEARCH_LOCAL" == "true" ]]; then + echo "Registering index snapshot repository..." + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" -H "Accept: application/json" \ + -H "Content-type: application/json" \ + -XPUT -fsSL "$OPENSEARCH_URL_TO_USE/_snapshot/$ISM_SNAPSHOT_REPO" \ + -d "{ \"type\": \"fs\", \"settings\": { \"location\": \"$ISM_SNAPSHOT_REPO\", \"compress\": $ISM_SNAPSHOT_COMPRESSED } }" \ + || true + fi + + if [[ -d /opt/ecs-templates/composable/component ]]; then + echo "Importing ECS composable templates..." 
+ for i in /opt/ecs-templates/composable/component/*.json; do + TEMP_BASENAME="$(basename "$i")" + TEMP_FILENAME="${TEMP_BASENAME%.*}" + echo "Importing ECS composable template $TEMP_FILENAME ..." + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" "$OPENSEARCH_URL_TO_USE/_component_template/ecs_$TEMP_FILENAME" -d "@$i" 2>&1 || true + done + fi - if [[ -d "$MALCOLM_TEMPLATES_DIR"/composable/component ]]; then - echo "Importing custom ECS composable templates..." - for i in "$MALCOLM_TEMPLATES_DIR"/composable/component/*.json; do + if [[ -d "$MALCOLM_TEMPLATES_DIR"/composable/component ]]; then + echo "Importing custom ECS composable templates..." + for i in "$MALCOLM_TEMPLATES_DIR"/composable/component/*.json; do + TEMP_BASENAME="$(basename "$i")" + TEMP_FILENAME="${TEMP_BASENAME%.*}" + echo "Importing custom ECS composable template $TEMP_FILENAME ..." + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" "$OPENSEARCH_URL_TO_USE/_component_template/custom_$TEMP_FILENAME" -d "@$i" 2>&1 || true + done + fi + + echo "Importing malcolm_template..." + + if [[ -f "$MALCOLM_TEMPLATE_FILE_ORIG" ]] && [[ ! -f "$MALCOLM_TEMPLATE_FILE" ]]; then + cp "$MALCOLM_TEMPLATE_FILE_ORIG" "$MALCOLM_TEMPLATE_FILE" + fi + + # load malcolm_template containing malcolm data source field type mappings (merged from /opt/templates/malcolm_template.json to /data/init/malcolm_template.json in dashboard-helpers on startup) + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" \ + "$OPENSEARCH_URL_TO_USE/_index_template/malcolm_template" -d "@$MALCOLM_TEMPLATE_FILE" 2>&1 + + # import other templates as well (and get info for creating their index patterns) + OTHER_INDEX_PATTERNS=() + for i in "$MALCOLM_TEMPLATES_DIR"/*.json; do TEMP_BASENAME="$(basename "$i")" TEMP_FILENAME="${TEMP_BASENAME%.*}" - echo "Importing custom ECS composable template $TEMP_FILENAME ..." 
- curl -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" "$OS_URL/_component_template/custom_$TEMP_FILENAME" -d "@$i" 2>&1 || true + if [[ "$TEMP_FILENAME" != "malcolm_template" ]]; then + echo "Importing template \"$TEMP_FILENAME\"..." + if curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" "$OPENSEARCH_URL_TO_USE/_index_template/$TEMP_FILENAME" -d "@$i" 2>&1; then + for TEMPLATE_INDEX_PATTERN in $(jq '.index_patterns[]' "$i" | tr -d '"'); do + OTHER_INDEX_PATTERNS+=("$TEMPLATE_INDEX_PATTERN;$TEMPLATE_INDEX_PATTERN;@timestamp") + done + fi + fi done - fi - echo "Importing malcolm_template..." - - if [[ -f "$MALCOLM_TEMPLATE_FILE_ORIG" ]] && [[ ! -f "$MALCOLM_TEMPLATE_FILE" ]]; then - cp "$MALCOLM_TEMPLATE_FILE_ORIG" "$MALCOLM_TEMPLATE_FILE" - fi - - # load malcolm_template containing malcolm data source field type mappings (merged from /opt/templates/malcolm_template.json to /data/init/malcolm_template.json in dashboard-helpers on startup) - curl -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" \ - "$OS_URL/_index_template/malcolm_template" -d "@$MALCOLM_TEMPLATE_FILE" 2>&1 - - # import other templates as well (and get info for creating their index patterns) - OTHER_INDEX_PATTERNS=() - for i in "$MALCOLM_TEMPLATES_DIR"/*.json; do - TEMP_BASENAME="$(basename "$i")" - TEMP_FILENAME="${TEMP_BASENAME%.*}" - if [[ "$TEMP_FILENAME" != "malcolm_template" ]]; then - echo "Importing template \"$TEMP_FILENAME\"..." - if curl -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" "$OS_URL/_index_template/$TEMP_FILENAME" -d "@$i" 2>&1; then - for TEMPLATE_INDEX_PATTERN in $(jq '.index_patterns[]' "$i" | tr -d '"'); do - OTHER_INDEX_PATTERNS+=("$TEMPLATE_INDEX_PATTERN;$TEMPLATE_INDEX_PATTERN;@timestamp") - done + if [[ "$LOOP" == "primary" ]]; then + echo "Importing index pattern..." 
+ + # From https://github.com/elastic/kibana/issues/3709 + # Create index pattern + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" -H "osd-xsrf: anything" \ + "$DASHB_URL/api/saved_objects/index-pattern/$INDEX_PATTERN_ID" \ + -d"{\"attributes\":{\"title\":\"$INDEX_PATTERN\",\"timeFieldName\":\"$INDEX_TIME_FIELD\"}}" 2>&1 || true + + echo "Setting default index pattern..." + + # Make it the default index + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" -sSL -XPOST -H "Content-Type: application/json" -H "osd-xsrf: anything" \ + "$DASHB_URL/api/opensearch-dashboards/settings/defaultIndex" \ + -d"{\"value\":\"$INDEX_PATTERN_ID\"}" || true + + for i in ${OTHER_INDEX_PATTERNS[@]}; do + IDX_ID="$(echo "$i" | cut -d';' -f1)" + IDX_NAME="$(echo "$i" | cut -d';' -f2)" + IDX_TIME_FIELD="$(echo "$i" | cut -d';' -f3)" + echo "Creating index pattern \"$IDX_NAME\"..." + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" -H "osd-xsrf: anything" \ + "$DASHB_URL/api/saved_objects/index-pattern/$IDX_ID" \ + -d"{\"attributes\":{\"title\":\"$IDX_NAME\",\"timeFieldName\":\"$IDX_TIME_FIELD\"}}" 2>&1 || true + done + + echo "Importing OpenSearch Dashboards saved objects..." + + # install default dashboards + for i in /opt/dashboards/*.json; do + curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/opensearch-dashboards/dashboards/import?force=true" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d "@$i" + done + + # beats will no longer import its dashbaords into OpenSearch + # (see opensearch-project/OpenSearch-Dashboards#656 and + # opensearch-project/OpenSearch-Dashboards#831). As such, we're going to + # manually add load our dashboards in /opt/dashboards/beats as well. 
+ for i in /opt/dashboards/beats/*.json; do + curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/opensearch-dashboards/dashboards/import?force=true" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d "@$i" + done + + # set dark theme + curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/opensearch-dashboards/settings/theme:darkMode" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d '{"value":true}' + + # set default dashboard + curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/opensearch-dashboards/settings/defaultRoute" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d "{\"value\":\"/app/dashboards#/view/${DEFAULT_DASHBOARD}\"}" + + # set default query time range + curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/opensearch-dashboards/settings" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d \ + '{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' + + # turn off telemetry + curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/telemetry/v2/optIn" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d '{"enabled":false}' + + # pin filters by default + curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/opensearch-dashboards/settings/filters:pinnedByDefault" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d '{"value":true}' + + echo "OpenSearch Dashboards saved objects import complete!" + + # before we go on to create the anomaly detectors, we need to wait for actual arkime_sessions3-* documents + /data/opensearch_status.sh -w >/dev/null 2>&1 + sleep 60 + + echo "Creating OpenSearch anomaly detectors..." 
+ + # Create anomaly detectors here + for i in /opt/anomaly_detectors/*.json; do + curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d "@$i" + done + + # trigger a start/stop for the dummy detector to make sure the .opendistro-anomaly-detection-state index gets created + # see: + # - https://github.com/opensearch-project/anomaly-detection-dashboards-plugin/issues/109 + # - https://github.com/opensearch-project/anomaly-detection-dashboards-plugin/issues/155 + # - https://github.com/opensearch-project/anomaly-detection-dashboards-plugin/issues/156 + # - https://discuss.opendistrocommunity.dev/t/errors-opening-anomaly-detection-plugin-for-dashboards-after-creation-via-api/7711 + set +e + DUMMY_DETECTOR_ID="" + until [[ -n "$DUMMY_DETECTOR_ID" ]]; do + sleep 5 + DUMMY_DETECTOR_ID="$(curl "${CURL_CONFIG_PARAMS[@]}" -L --fail --silent --show-error -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/_search" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d "{ \"query\": { \"match\": { \"name\": \"$DUMMY_DETECTOR_NAME\" } } }" | jq '.. | ._id? 
// empty' 2>/dev/null | head -n 1 | tr -d '"')" + done + set -e + if [[ -n "$DUMMY_DETECTOR_ID" ]]; then + curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID/_start" -H 'osd-xsrf:true' -H 'Content-type:application/json' + sleep 10 + curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID/_stop" -H 'osd-xsrf:true' -H 'Content-type:application/json' + sleep 10 + curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XDELETE "$OPENSEARCH_URL_TO_USE/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID" -H 'osd-xsrf:true' -H 'Content-type:application/json' fi - fi - done - - echo "Importing index pattern..." - - # From https://github.com/elastic/kibana/issues/3709 - # Create index pattern - curl -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" -H "osd-xsrf: anything" \ - "$DASHB_URL/api/saved_objects/index-pattern/$INDEX_PATTERN_ID" \ - -d"{\"attributes\":{\"title\":\"$INDEX_PATTERN\",\"timeFieldName\":\"$INDEX_TIME_FIELD\"}}" 2>&1 - - echo "Setting default index pattern..." - - # Make it the default index - curl -w "\n" -sSL -XPOST -H "Content-Type: application/json" -H "osd-xsrf: anything" \ - "$DASHB_URL/api/opensearch-dashboards/settings/defaultIndex" \ - -d"{\"value\":\"$INDEX_PATTERN_ID\"}" - - for i in ${OTHER_INDEX_PATTERNS[@]}; do - IDX_ID="$(echo "$i" | cut -d';' -f1)" - IDX_NAME="$(echo "$i" | cut -d';' -f2)" - IDX_TIME_FIELD="$(echo "$i" | cut -d';' -f3)" - echo "Creating index pattern \"$IDX_NAME\"..." 
- curl -w "\n" -sSL --fail -XPOST -H "Content-Type: application/json" -H "osd-xsrf: anything" \ - "$DASHB_URL/api/saved_objects/index-pattern/$IDX_ID" \ - -d"{\"attributes\":{\"title\":\"$IDX_NAME\",\"timeFieldName\":\"$IDX_TIME_FIELD\"}}" 2>&1 - done - - echo "Importing OpenSearch Dashboards saved objects..." - - # install default dashboards - for i in /opt/dashboards/*.json; do - curl -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/opensearch-dashboards/dashboards/import?force=true" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d "@$i" - done - - # beats will no longer import its dashbaords into OpenSearch - # (see opensearch-project/OpenSearch-Dashboards#656 and - # opensearch-project/OpenSearch-Dashboards#831). As such, we're going to - # manually add load our dashboards in /opt/dashboards/beats as well. - for i in /opt/dashboards/beats/*.json; do - curl -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/opensearch-dashboards/dashboards/import?force=true" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d "@$i" - done - - # set dark theme - curl -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/opensearch-dashboards/settings/theme:darkMode" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d '{"value":true}' - - # set default dashboard - curl -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/opensearch-dashboards/settings/defaultRoute" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d "{\"value\":\"/app/dashboards#/view/${DEFAULT_DASHBOARD}\"}" - - # set default query time range - curl -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/opensearch-dashboards/settings" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d \ - '{"changes":{"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\",\n \"mode\": \"quick\"}"}}' - - # turn off telemetry - curl -L --silent --output /dev/null --show-error -XPOST 
"$DASHB_URL/api/telemetry/v2/optIn" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d '{"enabled":false}' - - # pin filters by default - curl -L --silent --output /dev/null --show-error -XPOST "$DASHB_URL/api/opensearch-dashboards/settings/filters:pinnedByDefault" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d '{"value":true}' - - echo "OpenSearch Dashboards saved objects import complete!" - - # before we go on to create the anomaly detectors, we need to wait for actual arkime_sessions3-* documents - /data/opensearch_status.sh -w >/dev/null 2>&1 - sleep 60 - - echo "Creating OpenSearch anomaly detectors..." - - # Create anomaly detectors here - for i in /opt/anomaly_detectors/*.json; do - curl -L --silent --output /dev/null --show-error -XPOST "$OS_URL/_plugins/_anomaly_detection/detectors" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d "@$i" - done - - # trigger a start/stop for the dummy detector to make sure the .opendistro-anomaly-detection-state index gets created - # see: - # - https://github.com/opensearch-project/anomaly-detection-dashboards-plugin/issues/109 - # - https://github.com/opensearch-project/anomaly-detection-dashboards-plugin/issues/155 - # - https://github.com/opensearch-project/anomaly-detection-dashboards-plugin/issues/156 - # - https://discuss.opendistrocommunity.dev/t/errors-opening-anomaly-detection-plugin-for-dashboards-after-creation-via-api/7711 - set +e - DUMMY_DETECTOR_ID="" - until [[ -n "$DUMMY_DETECTOR_ID" ]]; do - sleep 5 - DUMMY_DETECTOR_ID="$(curl -L --fail --silent --show-error -XPOST "$OS_URL/_plugins/_anomaly_detection/detectors/_search" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d "{ \"query\": { \"match\": { \"name\": \"$DUMMY_DETECTOR_NAME\" } } }" | jq '.. | ._id? 
// empty' 2>/dev/null | head -n 1 | tr -d '"')" - done - set -e - if [[ -n "$DUMMY_DETECTOR_ID" ]]; then - curl -L --silent --output /dev/null --show-error -XPOST "$OS_URL/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID/_start" -H 'osd-xsrf:true' -H 'Content-type:application/json' - sleep 10 - curl -L --silent --output /dev/null --show-error -XPOST "$OS_URL/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID/_stop" -H 'osd-xsrf:true' -H 'Content-type:application/json' - sleep 10 - curl -L --silent --output /dev/null --show-error -XDELETE "$OS_URL/_plugins/_anomaly_detection/detectors/$DUMMY_DETECTOR_ID" -H 'osd-xsrf:true' -H 'Content-type:application/json' - fi - echo "OpenSearch anomaly detectors creation complete!" + echo "OpenSearch anomaly detectors creation complete!" - echo "Creating OpenSearch alerting objects..." + echo "Creating OpenSearch alerting objects..." - # Create notification/alerting objects here + # Create notification/alerting objects here - # notification channels - for i in /opt/notifications/channels/*.json; do - curl -L --silent --output /dev/null --show-error -XPOST "$OS_URL/_plugins/_notifications/configs" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d "@$i" - done + # notification channels + for i in /opt/notifications/channels/*.json; do + curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_notifications/configs" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d "@$i" + done - # monitors - for i in /opt/alerting/monitors/*.json; do - curl -L --silent --output /dev/null --show-error -XPOST "$OS_URL/_plugins/_alerting/monitors" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d "@$i" - done + # monitors + for i in /opt/alerting/monitors/*.json; do + curl "${CURL_CONFIG_PARAMS[@]}" -L --silent --output /dev/null --show-error -XPOST "$OPENSEARCH_URL_TO_USE/_plugins/_alerting/monitors" -H 'osd-xsrf:true' -H 'Content-type:application/json' -d 
"@$i" + done - echo "OpenSearch alerting objects creation complete!" + echo "OpenSearch alerting objects creation complete!" - fi - fi -fi + fi # stuff to only do for primary + fi # index pattern not already created check + fi # dashboards is running + done # primary vs. secondary +fi # CREATE_OS_ARKIME_SESSION_INDEX is true diff --git a/dashboards/scripts/docker_entrypoint.sh b/dashboards/scripts/docker_entrypoint.sh new file mode 100755 index 000000000..7b41be316 --- /dev/null +++ b/dashboards/scripts/docker_entrypoint.sh 
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# tweak some things in the opensearch_dashboards.yml file for opensearch output
+ORIG_YML=/usr/share/opensearch-dashboards/config/opensearch_dashboards.orig.yml
+FINAL_YML=/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
+
+OPENSEARCH_SSL_CERTIFICATE_VERIFICATION=${OPENSEARCH_SSL_CERTIFICATE_VERIFICATION:-"false"}
+OPENSEARCH_LOCAL=${OPENSEARCH_LOCAL:-"true"}
+OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/opensearch.primary.curlrc"}
+
+if [[ -f "$ORIG_YML" ]]; then
+ cp "$ORIG_YML" "$FINAL_YML"
+
+ # get the new username/password from the curl file (I already wrote python code to do this, so sue me)
+ OPENSSL_USER=
+ OPENSSL_PASSWORD=
+ if [[ "$OPENSEARCH_LOCAL" == "false" ]] && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE" ]]; then
+ pushd "$(dirname $(realpath -e "${BASH_SOURCE[0]}"))" >/dev/null 2>&1
+ NEW_USER_PASSWORD="$(python3 -c "import malcolm_common; result=malcolm_common.ParseCurlFile('$OPENSEARCH_CREDS_CONFIG_FILE'); print(result['user']+'|'+result['password']);")"
+ OPENSSL_USER="$(echo "$NEW_USER_PASSWORD" | cut -d'|' -f1)"
+ OPENSSL_PASSWORD="$(echo "$NEW_USER_PASSWORD" | cut -d'|' -f2-)"
+ popd >/dev/null 2>&1
+ fi
+
+ # replace things in the YML file for dashboards to use
+ [[ -n "$OPENSSL_USER" ]] && \
+ sed -i "s/_MALCOLM_DASHBOARDS_OPENSEARCH_USER_/$OPENSSL_USER/g" "$FINAL_YML" || \
+ sed -i '/_MALCOLM_DASHBOARDS_OPENSEARCH_USER_/d' "$FINAL_YML"
+
+ [[ -n "$OPENSSL_PASSWORD" ]] && \
+ sed -i "s/_MALCOLM_DASHBOARDS_OPENSEARCH_PASSWORD_/$OPENSSL_PASSWORD/g" "$FINAL_YML" || \
+ sed -i '/_MALCOLM_DASHBOARDS_OPENSEARCH_PASSWORD_/d' "$FINAL_YML"
+
+ [[ "$OPENSEARCH_SSL_CERTIFICATE_VERIFICATION" == "true" ]] && \
+ SSL_VERIFICATION_MODE=certificate || \
+ SSL_VERIFICATION_MODE=none
+
+ [[ "$OPENSEARCH_LOCAL" == "false" ]] && \
+ sed -i "s/_MALCOLM_DASHBOARDS_OPENSEARCH_SSL_VERIFICATION_MODE_/$SSL_VERIFICATION_MODE/g" "$FINAL_YML" || \
+ sed -i '/_MALCOLM_DASHBOARDS_OPENSEARCH_SSL_VERIFICATION_MODE_/d' "$FINAL_YML"
+
+ chmod 600 "$FINAL_YML"
+fi
+
+# start the default dashboards entrypoint
+exec "$@"
diff --git a/dashboards/scripts/index-refresh.py b/dashboards/scripts/index-refresh.py
index 723b75a10..3f4bb3518 100755
--- a/dashboards/scripts/index-refresh.py
+++ b/dashboards/scripts/index-refresh.py
@@ -3,10 +3,15 @@ import argparse import json
+import malcolm_common
 import re import requests import os import sys
+import urllib3
+
+from collections import defaultdict
+from requests.auth import HTTPBasicAuth
 GET_STATUS_API = 'api/status' GET_INDEX_PATTERN_INFO_URI = 'api/saved_objects/_find'
@@ -22,6 +27,7 @@ scriptName = os.path.basename(__file__) scriptPath = os.path.dirname(os.path.realpath(__file__)) origPath = os.getcwd()
+urllib3.disable_warnings()
 ################################################################################################### # print to stderr
@@ -73,9 +79,36 @@ def main(): dest='opensearchUrl', metavar='', type=str,
- default=os.getenv('OPENSEARCH_URL', 'http://opensearch:9200'),
+ default=os.getenv('OPENSEARCH_URL', None),
 help='OpenSearch URL', )
+ parser.add_argument(
+ '-c',
+ '--opensearch-curlrc',
+ dest='opensearchCurlRcFile',
+ metavar='',
+ type=str,
+ default=os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/opensearch.primary.curlrc'),
+ help='cURL.rc formatted file containing OpenSearch connection parameters',
+ )
+ parser.add_argument(
+ '--opensearch-ssl-verify',
+ dest='opensearchSslVerify',
+ type=str2bool,
+ nargs='?',
+ const=True,
+ default=str2bool(os.getenv('OPENSEARCH_SSL_CERTIFICATE_VERIFICATION', default='False')),
+ help="Verify SSL certificates for OpenSearch",
+ )
+ parser.add_argument(
+ '--opensearch-local',
+ dest='opensearchIsLocal',
+ type=str2bool,
+ nargs='?',
+ const=True,
+ default=str2bool(os.getenv('OPENSEARCH_LOCAL', default='True')),
+ help="Malcolm is using its local OpenSearch instance",
+ )
 parser.add_argument( '-t', '--template',
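Review bot: The credential values are spliced unescaped into sed substitutions at `sed -i "s/_MALCOLM_DASHBOARDS_OPENSEARCH_USER_/$OPENSSL_USER/g"` and the matching `_PASSWORD_` line, so a password containing `/`, `&` or `\` either breaks the expression or is rewritten (sed treats `&` on the replacement side as the matched text), and because each replacement is written as `A && B || C` a failed substitution silently falls through to the line-deleting branch and the credential line vanishes from the YAML. `chmod 600 "$FINAL_YML"` also runs only after the password has been written, so between the `cp` and the chmod the file sits at whatever mode `cp` gave it; moving the chmod directly after the `cp` closes that window (GNU `sed -i` keeps the target's mode). The `$OPENSEARCH_CREDS_CONFIG_FILE` path is likewise interpolated into a Python string literal inside `python3 -c`, which breaks on a path containing a quote; handing it over through `sys.argv` avoids that. A newline in a credential still cannot be expressed in the `s///` form below, and the values remain visible in the sed process's argument list while it runs.
```shell
if [[ -f "$ORIG_YML" ]]; then
  cp "$ORIG_YML" "$FINAL_YML"
  # restrict the file before any credential is written into it, not after
  chmod 600 "$FINAL_YML"

  # … unchanged: credential lookup via malcolm_common.ParseCurlFile …

  # escape \ / & so a value is safe on the replacement side of sed's s///
  sed_escape() { printf '%s' "$1" | sed -e 's,\\,\\\\,g' -e 's,[/&],\\&,g'; }

  if [[ -n "$OPENSSL_USER" ]]; then
    sed -i "s/_MALCOLM_DASHBOARDS_OPENSEARCH_USER_/$(sed_escape "$OPENSSL_USER")/g" "$FINAL_YML"
  else
    sed -i '/_MALCOLM_DASHBOARDS_OPENSEARCH_USER_/d' "$FINAL_YML"
  fi
  # … unchanged: same if/else for _MALCOLM_DASHBOARDS_OPENSEARCH_PASSWORD_ and the SSL verification mode, then exec "$@" …
```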
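Review bot: `urllib3.disable_warnings()` at module level suppresses every urllib3 warning for the whole process unconditionally, so a run with certificate verification off (the env default in the `--opensearch-ssl-verify` hunk is `'False'`) leaves no trace that TLS validation was skipped. It would be better narrowed to the one case it is meant for, inside `main()` after argument parsing: `if not args.opensearchSslVerify: urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)`, so other warnings still surface and a verified run stays quiet for the right reason. A one-line comment at that call, `# verification was explicitly turned off; silence only the warning that results from it`, records the intent.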
@@ -113,15 +146,40 @@ def main(): else: sys.tracebacklimit = 0 + args.opensearchIsLocal = args.opensearchIsLocal or (args.opensearchUrl == 'http://opensearch:9200') + opensearchCreds = ( + malcolm_common.ParseCurlFile(args.opensearchCurlRcFile) + if (not args.opensearchIsLocal) + else defaultdict(lambda: None) + ) + if not args.opensearchUrl: + if args.opensearchIsLocal: + args.opensearchUrl = 'http://opensearch:9200' + elif 'url' in opensearchCreds: + args.opensearchUrl = opensearchCreds['url'] + opensearchReqHttpAuth = ( + HTTPBasicAuth(opensearchCreds['user'], opensearchCreds['password']) + if opensearchCreds['user'] is not None + else None + ) + # get version number so Dashboards doesn't think we're doing a XSRF when we do the PUT - statusInfoResponse = requests.get('{}/{}'.format(args.dashboardsUrl, GET_STATUS_API)) + statusInfoResponse = requests.get( + '{}/{}'.format(args.dashboardsUrl, GET_STATUS_API), + auth=opensearchReqHttpAuth, + verify=args.opensearchSslVerify, + ) statusInfoResponse.raise_for_status() statusInfo = statusInfoResponse.json() dashboardsVersion = statusInfo['version']['number'] if debug: eprint('OpenSearch Dashboards version is {}'.format(dashboardsVersion)) - opensearchInfoResponse = requests.get(args.opensearchUrl) + opensearchInfoResponse = requests.get( + args.opensearchUrl, + auth=opensearchReqHttpAuth, + verify=args.opensearchSslVerify, + ) opensearchInfo = opensearchInfoResponse.json() opensearchVersion = opensearchInfo['version']['number'] if debug: @@ -131,6 +189,8 @@ def main(): getIndexInfoResponse = requests.get( '{}/{}'.format(args.dashboardsUrl, GET_INDEX_PATTERN_INFO_URI), params={'type': 'index-pattern', 'fields': 'id', 'search': '"{}"'.format(args.index)}, + auth=opensearchReqHttpAuth, + verify=args.opensearchSslVerify, ) getIndexInfoResponse.raise_for_status() getIndexInfo = getIndexInfoResponse.json() 
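Review bot: `opensearchReqHttpAuth` holds the OpenSearch credentials read from the curlrc file, yet in the `statusInfoResponse` request it is sent as HTTP basic auth to `args.dashboardsUrl`, a different service and possibly a different host; the Dashboards calls in the `@@ -131`, `@@ -144` and `@@ -378` hunks do the same. If Dashboards is expected to accept those credentials that deserves a comment such as `# Dashboards sits behind the same security plugin, so the OpenSearch credentials apply here too`; otherwise the Dashboards requests should not carry `auth=`, so the secret is only ever presented to the host it was issued for. Separately, when `opensearchIsLocal` is false and the curlrc has no `url`, `args.opensearchUrl` stays `None` and the failure only surfaces as a confusing `requests` error on the later `requests.get(args.opensearchUrl, ...)`; an explicit `if not args.opensearchUrl: parser.error('no OpenSearch URL given')` right after the fallback block gives a clear message. The rest of `main()` runs outside the hunk.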
@@ -144,6 +204,8 @@ def main(): getFieldsResponse = requests.get( '{}/{}'.format(args.dashboardsUrl, GET_FIELDS_URI), params={'pattern': args.index, 'meta_fields': ["_source", "_id", "_type", "_index", "_score"]}, + auth=opensearchReqHttpAuth, + verify=args.opensearchSslVerify, ) getFieldsResponse.raise_for_status() getFieldsList = getFieldsResponse.json()['fields'] @@ -155,7 +217,9 @@ def main(): # request template from OpenSearch and pull the mappings/properties (field list) out getTemplateResponse = requests.get( - '{}/{}/{}'.format(args.opensearchUrl, OS_GET_INDEX_TEMPLATE_URI, args.template) + '{}/{}/{}'.format(args.opensearchUrl, OS_GET_INDEX_TEMPLATE_URI, args.template), + auth=opensearchReqHttpAuth, + verify=args.opensearchSslVerify, ) getTemplateResponse.raise_for_status() getTemplateResponseJson = getTemplateResponse.json() @@ -173,7 +237,9 @@ def main(): ) for componentName in composedOfList: getComponentResponse = requests.get( - '{}/{}/{}'.format(args.opensearchUrl, OS_GET_COMPONENT_TEMPLATE_URI, componentName) + '{}/{}/{}'.format(args.opensearchUrl, OS_GET_COMPONENT_TEMPLATE_URI, componentName), + auth=opensearchReqHttpAuth, + verify=args.opensearchSslVerify, ) getComponentResponse.raise_for_status() getComponentResponseJson = getComponentResponse.json() @@ -378,6 +444,8 @@ def main(): 'osd-version': dashboardsVersion, }, data=json.dumps(putIndexInfo), + auth=opensearchReqHttpAuth, + verify=args.opensearchSslVerify, ) putResponse.raise_for_status() 
@@ -390,10 +458,14 @@ def main(): else: print("failure (could not find Index ID for {})".format(args.index)) - if args.fixUnassigned and not args.dryrun: + if args.opensearchIsLocal and args.fixUnassigned and not args.dryrun: # set some configuration-related indexes (opensearch/opendistro) replica count to 0 # so we don't have yellow index state on those - shardsResponse = requests.get('{}/{}'.format(args.opensearchUrl, GET_SHARDS_URL)) + shardsResponse = requests.get( + '{}/{}'.format(args.opensearchUrl, GET_SHARDS_URL), + auth=opensearchReqHttpAuth, + verify=args.opensearchSslVerify, + ) for shardLine in shardsResponse.iter_lines(): shardInfo = shardLine.decode('utf-8').split() if (shardInfo is not None) and (len(shardInfo) == 2) and (shardInfo[1] == SHARD_UNASSIGNED_STATUS): @@ -404,6 +476,8 @@ def main(): 'osd-xsrf': 'true', }, data=json.dumps({'index': {'number_of_replicas': 0}}), + auth=opensearchReqHttpAuth, + verify=args.opensearchSslVerify, ) putResponse.raise_for_status() diff --git a/dashboards/supervisord.conf b/dashboards/supervisord.conf index e07e680b4..56c0878d4 100644 --- a/dashboards/supervisord.conf +++ b/dashboards/supervisord.conf @@ -17,7 +17,7 @@ supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface serverurl=unix:///tmp/supervisor.sock [program:idxinit] -command=bash -c "sleep 180 && /data/opensearch_status.sh -w && /data/index-refresh.py -v --dashboards \"%(ENV_DASHBOARDS_URL)s\" --opensearch \"%(ENV_OPENSEARCH_URL)s\" --template malcolm_template --unassigned" +command=bash -c "sleep 180 && /data/opensearch_status.sh -w && /data/index-refresh.py -v --dashboards \"%(ENV_DASHBOARDS_URL)s\" --opensearch \"%(ENV_OPENSEARCH_URL)s\" --opensearch-curlrc \"%(ENV_OPENSEARCH_CREDS_CONFIG_FILE)s\" --opensearch-ssl-verify %(ENV_OPENSEARCH_SSL_CERTIFICATE_VERIFICATION)s --template malcolm_template --unassigned" autostart=true autorestart=false startsecs=0 
diff --git a/dashboards/templates/composable/component/miscbeat.json b/dashboards/templates/composable/component/miscbeat.json index 9e2a958e9..62f272927 100644 --- a/dashboards/templates/composable/component/miscbeat.json +++ b/dashboards/templates/composable/component/miscbeat.json 
@@ -180,6 +180,52 @@ "type": { "type": "keyword"}, "uid": { "type": "keyword"} }
+ },
+ "winlog": {
+ "properties": {
+ "ActivityID" : { "type": "keyword" },
+ "Computer" : { "type": "keyword" },
+ "Data" : { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
+ "EventRecordID" : { "type": "integer" },
+ "Keywords" : { "type": "keyword" },
+ "Level" : { "type": "integer" },
+ "Message" : { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
+ "Opcode" : { "type": "integer" },
+ "ProcessID" : { "type": "integer" },
+ "ProviderGuid" : { "type": "keyword" },
+ "ProviderName" : { "type": "keyword" },
+ "Qualifiers" : { "type": "integer" },
+ "RelatedActivityID" : { "type": "keyword" },
+ "Sid" : { "type": "keyword" },
+ "StringInserts" : { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
+ "Task" : { "type": "integer" },
+ "ThreadID" : { "type": "integer" },
+ "TimeGenerated" : { "type": "date" },
+ "TimeWritten" : { "type": "date" },
+ "UserID" : { "type": "keyword" },
+ "Version" : { "type": "integer" }
+ }
+ },
+ "winstat": {
+ "properties": {
+ "commit_limit" : { "type": "long" },
+ "commit_total" : { "type": "long" },
+ "cpu_idle" : { "type": "long" },
+ "cpu_kernel" : { "type": "long" },
+ "cpu_user" : { "type": "long" },
+ "cpu_utilization" : { "type": "float" },
+ "handles" : { "type": "integer" },
+ "kernel_nonpaged" : { "type": "long" },
+ "kernel_paged" : { "type": "long" },
+ "kernel_total" : { "type": "long" },
+ "physical_available" : { "type": "long" },
+ "physical_total" : { "type": "long" },
+ "physical_used" : { "type": "long" },
+ "processes" : { "type": "integer" },
+ "threads" : { "type": "integer" },
+ "uptime_human" : { "type": "keyword" },
+ "uptime_msec" : { "type": "integer" }
+ }
 } } }
diff --git a/dashboards/templates/composable/component/zeek.json b/dashboards/templates/composable/component/zeek.json
index 6adb32c6c..ee6a176ca 100644
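Review bot: `"uptime_msec" : { "type": "integer" }` is a signed 32-bit mapping, so a host uptime expressed in milliseconds exceeds it after roughly 24.8 days and documents carrying such a value are rejected at index time with a mapping error; the sibling counters in the `winstat` block already use `long`, so `"uptime_msec" : { "type": "long" }` is the consistent choice. `EventRecordID` under `winlog` is also mapped as `integer`; if the producer emits the 64-bit Windows event record ID, the same overflow applies on busy channels and is worth confirming before this mapping ships.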
--- a/dashboards/templates/composable/component/zeek.json +++ b/dashboards/templates/composable/component/zeek.json @@ -64,7 +64,6 @@ "zeek.files.extracted_size": { "type": "long" }, "zeek.files.filename": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, "zeek.files.ftime": { "type": "date" }, - "zeek.files.is_orig": { "type": "keyword" }, "zeek.files.local_orig": { "type": "keyword" }, "zeek.files.md5": { "type": "keyword" }, "zeek.files.mime_type": { "type": "keyword" }, @@ -145,7 +144,6 @@ "zeek.ipsec.flags": { "type": "keyword" }, "zeek.ipsec.hash": { "type": "keyword" }, "zeek.ipsec.initiator_spi": { "type": "keyword" }, - "zeek.ipsec.is_orig": { "type": "keyword" }, "zeek.ipsec.ke_dh_groups": { "type": "integer" }, "zeek.ipsec.length": { "type": "integer" }, "zeek.ipsec.maj_ver": { "type": "integer" }, @@ -166,7 +164,6 @@ "zeek.irc.dcc_mime_type": { "type": "keyword" }, "zeek.irc.nick": { "type": "keyword" }, "zeek.irc.value": { "type": "keyword" }, - "zeek.iso_cotp.pdu_type": { "type": "keyword" }, "zeek.kerberos.cipher": { "type": "keyword" }, "zeek.kerberos.client_cert_fuid": { "type": "keyword" }, "zeek.kerberos.client_cert_subject": { "type": "keyword" }, @@ -561,10 +558,8 @@ "zeek.stun.attr_type": { "type": "keyword" }, "zeek.stun.attr_val": { "type": "keyword", "ignore_above": 128, "fields": { "text": { "type": "text", "norms": false } } }, "zeek.stun.class": { "type": "keyword" }, - "zeek.stun.is_orig": { "type": "keyword" }, "zeek.stun.method": { "type": "keyword" }, "zeek.stun.trans_id": { "type": "keyword" }, - "zeek.stun_nat.is_orig": { "type": "keyword" }, "zeek.stun_nat.lan_addr": { "type": "keyword" }, "zeek.stun_nat.wan_addr": { "type": "ip" }, "zeek.stun_nat.wan_port": { "type": "integer" }, diff --git a/dashboards/templates/composable/component/zeek_ot.json b/dashboards/templates/composable/component/zeek_ot.json index d333a723c..920c020e1 100644 
--- a/dashboards/templates/composable/component/zeek_ot.json +++ b/dashboards/templates/composable/component/zeek_ot.json @@ -105,6 +105,8 @@ "zeek.cip_io.data_length": { "type": "integer" }, "zeek.cip_io.io_data": { "type": "keyword", "doc_values": false, "ignore_above": 8, "fields": { "text": { "type": "text", "norms": false } } }, "zeek.cip_io.sequence_number": { "type": "integer" }, + "zeek.cotp.pdu_code": { "type": "keyword" }, + "zeek.cotp.pdu_name": { "type": "keyword" }, "zeek.dnp3.fc_reply": { "type": "keyword" }, "zeek.dnp3.fc_request": { "type": "keyword" }, "zeek.dnp3.iin": { "type": "keyword" }, 
@@ -211,125 +213,293 @@ "zeek.modbus_read_write_multiple_registers.unit_id": { "type": "integer" }, "zeek.modbus_read_write_multiple_registers.write_registers": { "type": "keyword" }, "zeek.modbus_read_write_multiple_registers.write_start_address": { "type": "integer" }, - "zeek.opcua_binary.encoding_mask": { "type": "long" }, - "zeek.opcua_binary.endpoint_url": { "type": "keyword" }, - "zeek.opcua_binary.error": { "type": "long" }, - "zeek.opcua_binary.identifier": { "type": "long" }, - "zeek.opcua_binary.identifier_str": { "type": "keyword" }, - "zeek.opcua_binary.is_final": { "type": "keyword" }, - "zeek.opcua_binary.max_chunk_cnt": { "type": "long" }, - "zeek.opcua_binary.max_msg_size": { "type": "long" }, - "zeek.opcua_binary.msg_size": { "type": "long" }, - "zeek.opcua_binary.msg_type": { "type": "keyword" }, - "zeek.opcua_binary.namespace_idx": { "type": "long" }, - "zeek.opcua_binary.opcua_id": { "type": "keyword" }, - "zeek.opcua_binary.rcv_buf_size": { "type": "long" }, - "zeek.opcua_binary.rcv_cert": { "type": "keyword" }, - "zeek.opcua_binary.rcv_cert_len": { "type": "integer" }, - "zeek.opcua_binary.reason": { "type": "keyword" }, - "zeek.opcua_binary.req_hdr_add_hdr_enc_mask": { "type": "long" }, - "zeek.opcua_binary.req_hdr_add_hdr_type_id": { "type": "long" }, - "zeek.opcua_binary.req_hdr_audit_entry_id": { "type": "keyword" }, - "zeek.opcua_binary.req_hdr_node_id_guid": { "type": "keyword" }, - "zeek.opcua_binary.req_hdr_node_id_namespace_idx": { "type": "long" }, - "zeek.opcua_binary.req_hdr_node_id_numeric": { "type": "long" }, - "zeek.opcua_binary.req_hdr_node_id_opaque": { "type": "keyword" }, - "zeek.opcua_binary.req_hdr_node_id_string": { "type": "keyword" }, - "zeek.opcua_binary.req_hdr_node_id_type": { "type": "keyword" }, - "zeek.opcua_binary.req_hdr_request_handle": { "type": "long" }, - "zeek.opcua_binary.req_hdr_return_diag": { "type": "long" }, - "zeek.opcua_binary.req_hdr_timeout_hint": { "type": "date" }, - 
"zeek.opcua_binary.req_hdr_timestamp": { "type": "date" }, - "zeek.opcua_binary.request_id": { "type": "long" }, - "zeek.opcua_binary.res_hdr_add_hdr_enc_mask": { "type": "long" }, - "zeek.opcua_binary.res_hdr_add_hdr_type_id": { "type": "long" }, - "zeek.opcua_binary.res_hdr_request_handle": { "type": "long" }, - "zeek.opcua_binary.res_hdr_service_diag_encoding": { "type": "long" }, - "zeek.opcua_binary.res_hdr_service_result": { "type": "long" }, - "zeek.opcua_binary.res_hdr_timestamp": { "type": "date" }, - "zeek.opcua_binary.sec_channel_id": { "type": "long" }, - "zeek.opcua_binary.sec_policy_uri": { "type": "keyword" }, - "zeek.opcua_binary.sec_policy_uri_len": { "type": "integer" }, - "zeek.opcua_binary.seq_number": { "type": "long" }, - "zeek.opcua_binary.snd_buf_size": { "type": "long" }, - "zeek.opcua_binary.snd_cert": { "type": "keyword" }, - "zeek.opcua_binary.snd_cert_len": { "type": "integer" }, - "zeek.opcua_binary.version": { "type": "long" }, - "zeek.opcua_binary_diag_info_detail.addl_info": { "type": "keyword" }, - "zeek.opcua_binary_diag_info_detail.has_addl_info": { "type": "keyword" }, - "zeek.opcua_binary_diag_info_detail.has_inner_diag_info": { "type": "keyword" }, - "zeek.opcua_binary_diag_info_detail.has_inner_stat_code": { "type": "keyword" }, - "zeek.opcua_binary_diag_info_detail.has_locale": { "type": "keyword" }, - "zeek.opcua_binary_diag_info_detail.has_locale_txt": { "type": "keyword" }, - "zeek.opcua_binary_diag_info_detail.has_namespace_uri": { "type": "keyword" }, - "zeek.opcua_binary_diag_info_detail.has_symbolic_id": { "type": "keyword" }, - "zeek.opcua_binary_diag_info_detail.inner_diag_level": { "type": "long" }, - "zeek.opcua_binary_diag_info_detail.inner_stat_code": { "type": "keyword" }, - "zeek.opcua_binary_diag_info_detail.locale": { "type": "long" }, - "zeek.opcua_binary_diag_info_detail.locale_str": { "type": "keyword" }, - "zeek.opcua_binary_diag_info_detail.locale_txt": { "type": "long" }, - 
"zeek.opcua_binary_diag_info_detail.locale_txt_str": { "type": "keyword" }, - "zeek.opcua_binary_diag_info_detail.namespace_uri": { "type": "long" }, - "zeek.opcua_binary_diag_info_detail.namespace_uri_str": { "type": "keyword" }, - "zeek.opcua_binary_diag_info_detail.symbolic_id": { "type": "long" }, - "zeek.opcua_binary_diag_info_detail.symbolic_id_str": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints.application_type": { "type": "long" }, - "zeek.opcua_binary_get_endpoints.application_uri": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints.cert_size": { "type": "long" }, - "zeek.opcua_binary_get_endpoints.discovery_profile_id": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints.encoding_mask": { "type": "long" }, - "zeek.opcua_binary_get_endpoints.endpoint_url": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints.gateway_server_uri": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints.locale": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints.locale_id": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints.message_security_mode": { "type": "long" }, - "zeek.opcua_binary_get_endpoints.product_uri": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints.profile_uri": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints.security_level": { "type": "long" }, - "zeek.opcua_binary_get_endpoints.security_policy_uri": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints.server_cert": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints.text": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints.transport_profile_uri": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints.user_token_id": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints_discovery.discovery_profile_id": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints_discovery.discovery_profile_uri": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url": { "type": "keyword" }, - 
"zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints_user_token.user_token_id": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri": { "type": "keyword" }, - "zeek.opcua_binary_get_endpoints_user_token.user_token_type": { "type": "long" }, - "zeek.opcua_binary_opensecure_channel.client_nonce": { "type": "keyword" }, - "zeek.opcua_binary_opensecure_channel.client_proto_ver": { "type": "long" }, - "zeek.opcua_binary_opensecure_channel.message_security_mode": { "type": "long" }, - "zeek.opcua_binary_opensecure_channel.req_lifetime": { "type": "long" }, - "zeek.opcua_binary_opensecure_channel.sec_token_created_at": { "type": "date" }, - "zeek.opcua_binary_opensecure_channel.sec_token_id": { "type": "long" }, - "zeek.opcua_binary_opensecure_channel.sec_token_request_type": { "type": "long" }, - "zeek.opcua_binary_opensecure_channel.sec_token_revised_time": { "type": "long" }, - "zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id": { "type": "long" }, - "zeek.opcua_binary_opensecure_channel.server_nonce": { "type": "keyword" }, - "zeek.opcua_binary_opensecure_channel.server_proto_ver": { "type": "long" }, - "zeek.opcua_binary_status_code_detail.historian_bits": { "type": "long" }, - "zeek.opcua_binary_status_code_detail.historian_bits_str": { "type": "keyword" }, - "zeek.opcua_binary_status_code_detail.historianExtraData": { "type": "keyword" }, - "zeek.opcua_binary_status_code_detail.historianMultiValue": { "type": "keyword" }, - "zeek.opcua_binary_status_code_detail.historianPartial": { "type": "keyword" }, - "zeek.opcua_binary_status_code_detail.info_type": { "type": "long" }, - "zeek.opcua_binary_status_code_detail.info_type_str": { "type": "keyword" }, - 
"zeek.opcua_binary_status_code_detail.limit_bits": { "type": "long" }, - "zeek.opcua_binary_status_code_detail.limit_bits_str": { "type": "keyword" }, - "zeek.opcua_binary_status_code_detail.overflow": { "type": "keyword" }, - "zeek.opcua_binary_status_code_detail.semantics_changed": { "type": "keyword" }, - "zeek.opcua_binary_status_code_detail.severity": { "type": "long" }, - "zeek.opcua_binary_status_code_detail.severity_str": { "type": "keyword" }, - "zeek.opcua_binary_status_code_detail.source": { "type": "long" }, - "zeek.opcua_binary_status_code_detail.source_str": { "type": "keyword" }, - "zeek.opcua_binary_status_code_detail.status_code": { "type": "keyword" }, - "zeek.opcua_binary_status_code_detail.structure_changed": { "type": "keyword" }, - "zeek.opcua_binary_status_code_detail.sub_code": { "type": "long" }, - "zeek.opcua_binary_status_code_detail.sub_code_str": { "type": "keyword" }, + "zeek.opcua_binary.encoding_mask" : { "type": "long" }, + "zeek.opcua_binary.endpoint_url" : { "type": "keyword" }, + "zeek.opcua_binary.error" : { "type": "long" }, + "zeek.opcua_binary.identifier" : { "type": "long" }, + "zeek.opcua_binary.identifier_str" : { "type": "keyword" }, + "zeek.opcua_binary.is_final" : { "type": "keyword" }, + "zeek.opcua_binary.log_types" : { "type": "integer" }, + "zeek.opcua_binary.max_chunk_cnt" : { "type": "long" }, + "zeek.opcua_binary.max_msg_size" : { "type": "long" }, + "zeek.opcua_binary.msg_size" : { "type": "long" }, + "zeek.opcua_binary.msg_type" : { "type": "keyword" }, + "zeek.opcua_binary.namespace_idx" : { "type": "long" }, + "zeek.opcua_binary.opcua_link_id" : { "type": "keyword" }, + "zeek.opcua_binary.rcv_buf_size" : { "type": "long" }, + "zeek.opcua_binary.rcv_cert" : { "type": "keyword" }, + "zeek.opcua_binary.rcv_cert_len" : { "type": "integer" }, + "zeek.opcua_binary.reason" : { "type": "keyword" }, + "zeek.opcua_binary.req_hdr_add_hdr_enc_mask" : { "type": "long" }, + "zeek.opcua_binary.req_hdr_add_hdr_type_id" : { 
"type": "long" }, + "zeek.opcua_binary.req_hdr_audit_entry_id" : { "type": "keyword" }, + "zeek.opcua_binary.req_hdr_node_id_guid" : { "type": "keyword" }, + "zeek.opcua_binary.req_hdr_node_id_namespace_idx" : { "type": "long" }, + "zeek.opcua_binary.req_hdr_node_id_numeric" : { "type": "long" }, + "zeek.opcua_binary.req_hdr_node_id_opaque" : { "type": "keyword" }, + "zeek.opcua_binary.req_hdr_node_id_string" : { "type": "keyword" }, + "zeek.opcua_binary.req_hdr_node_id_type" : { "type": "keyword" }, + "zeek.opcua_binary.req_hdr_request_handle" : { "type": "long" }, + "zeek.opcua_binary.req_hdr_return_diag" : { "type": "long" }, + "zeek.opcua_binary.req_hdr_timeout_hint" : { "type": "long" }, + "zeek.opcua_binary.req_hdr_timestamp" : { "type": "date" }, + "zeek.opcua_binary.request_id" : { "type": "long" }, + "zeek.opcua_binary.res_hdr_add_hdr_enc_mask" : { "type": "long" }, + "zeek.opcua_binary.res_hdr_add_hdr_type_id" : { "type": "long" }, + "zeek.opcua_binary.res_hdr_request_handle" : { "type": "long" }, + "zeek.opcua_binary.res_hdr_service_diag_encoding" : { "type": "long" }, + "zeek.opcua_binary.res_hdr_timestamp" : { "type": "date" }, + "zeek.opcua_binary.sec_channel_id" : { "type": "long" }, + "zeek.opcua_binary.sec_policy_uri" : { "type": "keyword" }, + "zeek.opcua_binary.sec_policy_uri_len" : { "type": "integer" }, + "zeek.opcua_binary.seq_number" : { "type": "long" }, + "zeek.opcua_binary.snd_buf_size" : { "type": "long" }, + "zeek.opcua_binary.snd_cert" : { "type": "keyword" }, + "zeek.opcua_binary.snd_cert_len" : { "type": "integer" }, + "zeek.opcua_binary.version" : { "type": "long" }, + "zeek.opcua_binary_activate_session.client_algorithm" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.client_signature" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.ext_obj_certificate_data" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.ext_obj_encoding" : { "type": "keyword" }, + 
"zeek.opcua_binary_activate_session.ext_obj_encryption_algorithom" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.ext_obj_password" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.ext_obj_policy_id" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.ext_obj_token_data" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.ext_obj_type_id_encoding_mask" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.ext_obj_type_id_guid" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.ext_obj_type_id_namespace_idx" : { "type": "long" }, + "zeek.opcua_binary_activate_session.ext_obj_type_id_numeric" : { "type": "long" }, + "zeek.opcua_binary_activate_session.ext_obj_type_id_opaque" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.ext_obj_type_id_str" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.ext_obj_type_id_string" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.ext_obj_user_name" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.server_nonce" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.user_token_algorithm" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session.user_token_signature" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session_client_software_cert.cert_data" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session_client_software_cert.cert_signature" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session_client_software_cert.client_software_cert_id" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session_diagnostic_info.activate_session_diag_info_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session_locale_id.locale_id" : { "type": "keyword" }, + "zeek.opcua_binary_activate_session_locale_id.locale_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_browse.browse_next_release_continuation_point" : { "type": "keyword" }, + 
"zeek.opcua_binary_browse.browse_service_type" : { "type": "keyword" }, + "zeek.opcua_binary_browse.browse_view_description_timestamp" : { "type": "date" }, + "zeek.opcua_binary_browse.browse_view_description_view_version" : { "type": "long" }, + "zeek.opcua_binary_browse.browse_view_id_encoding_mask" : { "type": "keyword" }, + "zeek.opcua_binary_browse.browse_view_id_guid" : { "type": "keyword" }, + "zeek.opcua_binary_browse.browse_view_id_namespace_idx" : { "type": "long" }, + "zeek.opcua_binary_browse.browse_view_id_numeric" : { "type": "long" }, + "zeek.opcua_binary_browse.browse_view_id_opaque" : { "type": "keyword" }, + "zeek.opcua_binary_browse.browse_view_id_string" : { "type": "keyword" }, + "zeek.opcua_binary_browse.req_max_ref_nodes" : { "type": "long" }, + "zeek.opcua_binary_browse_description.browse_description_encoding_mask" : { "type": "keyword" }, + "zeek.opcua_binary_browse_description.browse_description_guid" : { "type": "keyword" }, + "zeek.opcua_binary_browse_description.browse_description_include_subtypes" : { "type": "keyword" }, + "zeek.opcua_binary_browse_description.browse_description_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_browse_description.browse_description_namespace_idx" : { "type": "long" }, + "zeek.opcua_binary_browse_description.browse_description_numeric" : { "type": "long" }, + "zeek.opcua_binary_browse_description.browse_description_opaque" : { "type": "keyword" }, + "zeek.opcua_binary_browse_description.browse_description_ref_encoding_mask" : { "type": "keyword" }, + "zeek.opcua_binary_browse_description.browse_description_ref_guid" : { "type": "keyword" }, + "zeek.opcua_binary_browse_description.browse_description_ref_namespace_idx" : { "type": "long" }, + "zeek.opcua_binary_browse_description.browse_description_ref_numeric" : { "type": "long" }, + "zeek.opcua_binary_browse_description.browse_description_ref_opaque" : { "type": "keyword" }, + "zeek.opcua_binary_browse_description.browse_description_ref_string" : 
{ "type": "keyword" }, + "zeek.opcua_binary_browse_description.browse_description_string" : { "type": "keyword" }, + "zeek.opcua_binary_browse_description.browse_direction" : { "type": "keyword" }, + "zeek.opcua_binary_browse_description.browse_node_class_mask" : { "type": "keyword" }, + "zeek.opcua_binary_browse_description.browse_result_mask" : { "type": "keyword" }, + "zeek.opcua_binary_browse_diagnostic_info.browse_diag_info_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_browse_request_continuation_point.browse_next_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_browse_request_continuation_point.continuation_point" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_reference_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_display_name_locale" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_display_name_mask" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_display_name_text" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_is_forward" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_node_class" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_encoding_mask" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_guid" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_name" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_name_idx" : { "type": "long" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_namespace_idx" : { "type": "long" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_numeric" : { "type": "long" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_opaque" : { "type": 
"keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_string" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_type_encoding_mask" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_type_guid" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_idx" : { "type": "long" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_type_namespace_uri" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_type_numeric" : { "type": "long" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_type_opaque" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_type_server_idx" : { "type": "long" }, + "zeek.opcua_binary_browse_response_references.browse_response_ref_type_string" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_type_def_encoding_mask" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_type_def_guid" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_idx" : { "type": "long" }, + "zeek.opcua_binary_browse_response_references.browse_response_type_def_namespace_uri" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_type_def_numeric" : { "type": "long" }, + "zeek.opcua_binary_browse_response_references.browse_response_type_def_opaque" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_response_type_def_server_idx" : { "type": "long" }, + "zeek.opcua_binary_browse_response_references.browse_response_type_def_string" : { "type": "keyword" }, + "zeek.opcua_binary_browse_response_references.browse_result_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_browse_result.browse_resp_link_id" : { 
"type": "keyword" }, + "zeek.opcua_binary_browse_result.browse_response_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_browse_result.browse_result_continuation_point" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.algorithm" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.application_type" : { "type": "long" }, + "zeek.opcua_binary_create_session.application_uri" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.auth_token_encoding_mask" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.auth_token_guid" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.auth_token_namespace_idx" : { "type": "long" }, + "zeek.opcua_binary_create_session.auth_token_numeric" : { "type": "long" }, + "zeek.opcua_binary_create_session.auth_token_opaque" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.auth_token_string" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.client_cert" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.client_cert_size" : { "type": "long" }, + "zeek.opcua_binary_create_session.client_nonce" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.discovery_profile_uri" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.encoding_mask" : { "type": "long" }, + "zeek.opcua_binary_create_session.endpoint_url" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.gateway_server_uri" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.locale" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.max_req_msg_size" : { "type": "long" }, + "zeek.opcua_binary_create_session.max_res_msg_size" : { "type": "long" }, + "zeek.opcua_binary_create_session.product_uri" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.req_session_timeout" : { "type": "long" }, + "zeek.opcua_binary_create_session.revised_session_timeout" : { "type": "long" }, + "zeek.opcua_binary_create_session.server_cert" : { "type": "keyword" }, + 
"zeek.opcua_binary_create_session.server_cert_size" : { "type": "long" }, + "zeek.opcua_binary_create_session.server_nonce" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.server_uri" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.session_id_encoding_mask" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.session_id_guid" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.session_id_namespace_idx" : { "type": "long" }, + "zeek.opcua_binary_create_session.session_id_numeric" : { "type": "long" }, + "zeek.opcua_binary_create_session.session_id_opaque" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.session_id_string" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.session_name" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.signature" : { "type": "keyword" }, + "zeek.opcua_binary_create_session.text" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_discovery.discovery_profile_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_discovery.discovery_profile_uri" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_discovery.discovery_profile_url" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_endpoints.application_type" : { "type": "long" }, + "zeek.opcua_binary_create_session_endpoints.application_uri" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_endpoints.cert_size" : { "type": "long" }, + "zeek.opcua_binary_create_session_endpoints.discovery_profile_id" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_endpoints.discovery_profile_uri" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_endpoints.encoding_mask" : { "type": "long" }, + "zeek.opcua_binary_create_session_endpoints.endpoint_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_endpoints.endpoint_url" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_endpoints.gateway_server_uri" : { "type": "keyword" }, + 
"zeek.opcua_binary_create_session_endpoints.locale" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_endpoints.message_security_mode" : { "type": "long" }, + "zeek.opcua_binary_create_session_endpoints.product_uri" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_endpoints.security_level" : { "type": "long" }, + "zeek.opcua_binary_create_session_endpoints.security_policy_uri" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_endpoints.server_cert" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_endpoints.text" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_endpoints.transport_profile_uri" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_user_token.user_token_endpoint_url" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_user_token.user_token_issued_type" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_user_token.user_token_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_user_token.user_token_policy_id" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_user_token.user_token_sec_policy_uri" : { "type": "keyword" }, + "zeek.opcua_binary_create_session_user_token.user_token_type" : { "type": "long" }, + "zeek.opcua_binary_create_subscription.max_notifications_per_publish" : { "type": "long" }, + "zeek.opcua_binary_create_subscription.priority" : { "type": "long" }, + "zeek.opcua_binary_create_subscription.publishing_enabled" : { "type": "keyword" }, + "zeek.opcua_binary_create_subscription.requested_lifetime_count" : { "type": "long" }, + "zeek.opcua_binary_create_subscription.requested_max_keep_alive_count" : { "type": "long" }, + "zeek.opcua_binary_create_subscription.requested_publishing_interval" : { "type": "long" }, + "zeek.opcua_binary_create_subscription.revised_lifetime_count" : { "type": "long" }, + "zeek.opcua_binary_create_subscription.revised_max_keep_alive_count" : { "type": "long" }, + 
"zeek.opcua_binary_create_subscription.revised_publishing_interval" : { "type": "long" }, + "zeek.opcua_binary_create_subscription.subscription_id" : { "type": "long" }, + "zeek.opcua_binary_diag_info_detail.addl_info" : { "type": "keyword" }, + "zeek.opcua_binary_diag_info_detail.diag_info_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_diag_info_detail.has_addl_info" : { "type": "keyword" }, + "zeek.opcua_binary_diag_info_detail.has_inner_diag_info" : { "type": "keyword" }, + "zeek.opcua_binary_diag_info_detail.has_inner_stat_code" : { "type": "keyword" }, + "zeek.opcua_binary_diag_info_detail.has_locale" : { "type": "keyword" }, + "zeek.opcua_binary_diag_info_detail.has_locale_txt" : { "type": "keyword" }, + "zeek.opcua_binary_diag_info_detail.has_namespace_uri" : { "type": "keyword" }, + "zeek.opcua_binary_diag_info_detail.has_symbolic_id" : { "type": "keyword" }, + "zeek.opcua_binary_diag_info_detail.inner_diag_level" : { "type": "long" }, + "zeek.opcua_binary_diag_info_detail.inner_stat_code" : { "type": "keyword" }, + "zeek.opcua_binary_diag_info_detail.locale" : { "type": "long" }, + "zeek.opcua_binary_diag_info_detail.locale_str" : { "type": "keyword" }, + "zeek.opcua_binary_diag_info_detail.locale_txt" : { "type": "long" }, + "zeek.opcua_binary_diag_info_detail.locale_txt_str" : { "type": "keyword" }, + "zeek.opcua_binary_diag_info_detail.namespace_uri" : { "type": "long" }, + "zeek.opcua_binary_diag_info_detail.namespace_uri_str" : { "type": "keyword" }, + "zeek.opcua_binary_diag_info_detail.source" : { "type": "long" }, + "zeek.opcua_binary_diag_info_detail.source_str" : { "type": "keyword" }, + "zeek.opcua_binary_diag_info_detail.symbolic_id" : { "type": "long" }, + "zeek.opcua_binary_diag_info_detail.symbolic_id_str" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints.endpoint_url" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_description.application_type" : { "type": "long" }, + 
"zeek.opcua_binary_get_endpoints_description.application_uri" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_description.cert_size" : { "type": "long" }, + "zeek.opcua_binary_get_endpoints_description.discovery_profile_uri" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_description.encoding_mask" : { "type": "long" }, + "zeek.opcua_binary_get_endpoints_description.endpoint_description_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_description.endpoint_uri" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_description.gateway_server_uri" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_description.locale" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_description.message_security_mode" : { "type": "long" }, + "zeek.opcua_binary_get_endpoints_description.product_uri" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_description.security_level" : { "type": "long" }, + "zeek.opcua_binary_get_endpoints_description.security_policy_uri" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_description.server_cert" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_description.text" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_description.transport_profile_uri" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_discovery.discovery_profile_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_discovery.discovery_profile_url" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_locale_id.locale_id" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_locale_id.locale_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_profile_uri.profile_uri" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_profile_uri.profile_uri_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_user_token.user_token_endpoint_url" : { "type": "keyword" }, + 
"zeek.opcua_binary_get_endpoints_user_token.user_token_issued_type" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_user_token.user_token_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_user_token.user_token_policy_id" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_user_token.user_token_sec_policy_uri" : { "type": "keyword" }, + "zeek.opcua_binary_get_endpoints_user_token.user_token_type" : { "type": "long" }, + "zeek.opcua_binary_opensecure_channel.client_nonce" : { "type": "keyword" }, + "zeek.opcua_binary_opensecure_channel.client_proto_ver" : { "type": "long" }, + "zeek.opcua_binary_opensecure_channel.message_security_mode" : { "type": "long" }, + "zeek.opcua_binary_opensecure_channel.req_lifetime" : { "type": "long" }, + "zeek.opcua_binary_opensecure_channel.sec_token_created_at" : { "type": "date" }, + "zeek.opcua_binary_opensecure_channel.sec_token_id" : { "type": "long" }, + "zeek.opcua_binary_opensecure_channel.sec_token_request_type" : { "type": "long" }, + "zeek.opcua_binary_opensecure_channel.sec_token_revised_time" : { "type": "long" }, + "zeek.opcua_binary_opensecure_channel.sec_token_sec_channel_id" : { "type": "long" }, + "zeek.opcua_binary_opensecure_channel.server_nonce" : { "type": "keyword" }, + "zeek.opcua_binary_opensecure_channel.server_proto_ver" : { "type": "long" }, + "zeek.opcua_binary_status_code_detail.historian_bits" : { "type": "long" }, + "zeek.opcua_binary_status_code_detail.historian_bits_str" : { "type": "keyword" }, + "zeek.opcua_binary_status_code_detail.historianExtraData" : { "type": "keyword" }, + "zeek.opcua_binary_status_code_detail.historianMultiValue" : { "type": "keyword" }, + "zeek.opcua_binary_status_code_detail.historianPartial" : { "type": "keyword" }, + "zeek.opcua_binary_status_code_detail.info_type" : { "type": "long" }, + "zeek.opcua_binary_status_code_detail.info_type_str" : { "type": "keyword" }, + "zeek.opcua_binary_status_code_detail.limit_bits" : { "type": "long" 
}, + "zeek.opcua_binary_status_code_detail.limit_bits_str" : { "type": "keyword" }, + "zeek.opcua_binary_status_code_detail.overflow" : { "type": "keyword" }, + "zeek.opcua_binary_status_code_detail.semantics_changed" : { "type": "keyword" }, + "zeek.opcua_binary_status_code_detail.severity" : { "type": "long" }, + "zeek.opcua_binary_status_code_detail.severity_str" : { "type": "keyword" }, + "zeek.opcua_binary_status_code_detail.source" : { "type": "long" }, + "zeek.opcua_binary_status_code_detail.source_level" : { "type": "long" }, + "zeek.opcua_binary_status_code_detail.source_str" : { "type": "keyword" }, + "zeek.opcua_binary_status_code_detail.status_code" : { "type": "keyword" }, + "zeek.opcua_binary_status_code_detail.status_code_link_id" : { "type": "keyword" }, + "zeek.opcua_binary_status_code_detail.structure_changed" : { "type": "keyword" }, + "zeek.opcua_binary_status_code_detail.sub_code" : { "type": "long" }, + "zeek.opcua_binary_status_code_detail.sub_code_str" : { "type": "keyword" }, "zeek.profinet.block_version": { "type": "keyword" }, "zeek.profinet.index": { "type": "keyword" }, "zeek.profinet.operation_type": { "type": "keyword" }, 
@@ -342,16 +512,26 @@
 "zeek.profinet_dce_rpc.packet_type": { "type": "keyword" },
 "zeek.profinet_dce_rpc.server_boot_time": { "type": "integer" },
 "zeek.profinet_dce_rpc.version": { "type": "integer" },
- "zeek.s7comm.data_info": { "type": "keyword" },
- "zeek.s7comm.item_count": { "type": "integer" },
- "zeek.s7comm.parameter": { "type": "keyword", "doc_values": false, "ignore_above": 16384, "fields": { "text": { "type": "text", "norms": false } } },
- "zeek.s7comm.parameters.class": { "type": "keyword" },
- "zeek.s7comm.parameters.code": { "type": "keyword" },
- "zeek.s7comm.parameters.group": { "type": "keyword" },
- "zeek.s7comm.parameters.mode": { "type": "keyword" },
- "zeek.s7comm.parameters.sub": { "type": "keyword" },
- "zeek.s7comm.parameters.type": { "type": "keyword" },
- "zeek.s7comm.rosctr": { "type": "keyword" }
+ "zeek.s7comm.rosctr_code": { "type": "integer" },
+ "zeek.s7comm.rosctr_name": { "type": "keyword" },
+ "zeek.s7comm.pdu_reference": { "type": "integer" },
+ "zeek.s7comm.function_code": { "type": "keyword" },
+ "zeek.s7comm.function_name": { "type": "keyword" },
+ "zeek.s7comm.subfunction_code": { "type": "keyword" },
+ "zeek.s7comm.subfunction_name": { "type": "keyword" },
+ "zeek.s7comm.error_class": { "type": "keyword" },
+ "zeek.s7comm.error_code": { "type": "keyword" },
+ "zeek.s7comm_plus.version": { "type": "integer" },
+ "zeek.s7comm_plus.opcode": { "type": "keyword" },
+ "zeek.s7comm_plus.opcode_name": { "type": "keyword" },
+ "zeek.s7comm_plus.function_code": { "type": "keyword" },
+ "zeek.s7comm_plus.function_name": { "type": "keyword" },
+ "zeek.s7comm_read_szl.method": { "type": "keyword"},
+ "zeek.s7comm_read_szl.szl_id": { "type": "keyword"},
+ "zeek.s7comm_read_szl.szl_id_name": { "type": "keyword"},
+ "zeek.s7comm_read_szl.szl_index": { "type": "keyword"},
+ "zeek.s7comm_read_szl.return_code": { "type": "keyword"},
+ "zeek.s7comm_read_szl.return_code_name": { "type": "keyword"}
 }
 }
 }
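Review bot: The six `zeek.s7comm_read_szl.*` entries omit the space before the closing brace (`{ "type": "keyword"}`) while every other entry in this hunk, and the surrounding file, uses `{ "type": "keyword" }`. Consistent spacing keeps future diffs of this large mapping readable, e.g. `"zeek.s7comm_read_szl.method": { "type": "keyword" },`. The enclosing mappings object begins outside the hunk, so I cannot see whether the rest of the file has a formatter applied to it.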
diff --git a/dashboards/templates/malcolm_template.json b/dashboards/templates/malcolm_template.json
index 967df32f7..79303f493 100644
--- a/dashboards/templates/malcolm_template.json
+++ b/dashboards/templates/malcolm_template.json
@@ -45,6 +45,7 @@
 "event.result": { "type": "keyword" },
 "event.severity_tags": { "type": "keyword" },
 "file.source": { "type": "keyword" },
+ "network.is_orig": { "type": "keyword" },
 "network.protocol_version": { "type": "keyword" },
 "related.mac": { "type": "keyword" },
 "related.oui": { "type": "keyword" },
diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml
index 13d7376b1..6d041dbb2 100644
--- a/docker-compose-standalone.yml
+++ b/docker-compose-standalone.yml
@@ -18,24 +18,69 @@ x-auth-variables: &auth-variables
 # and use stunnel to tunnel the connection.
 NGINX_LDAP_TLS_STUNNEL : 'false'
 # stunnel will require and verify certificates for StartTLS when one or more
- # trusted CA certificate files are placed in the ./nginx/ca-trust directory.
- # For additional security, hostname or IP address checking of the associated
- # CA certificate(s) can be enabled by providing these values.
+ # trusted CA certificate files are placed in the ./nginx/ca-trust directory.
+ # For additional security, hostname or IP address checking of the associated
+ # CA certificate(s) can be enabled by providing these values.
 NGINX_LDAP_TLS_STUNNEL_CHECK_HOST : ''
 NGINX_LDAP_TLS_STUNNEL_CHECK_IP : ''
 NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL : 2
 
 x-nginx-variables: &nginx-variables
 # Whether or not nginx should use HTTPS. This is almost CERTAINLY what you want.
- # The only case you may want to set this to false is if you're using another
- # reverse proxy in front of Malcolm. Even if set to 'false', NGINX will still
- # listen on port 443 (it just won't be encrypted). If you change this, you'll
- # probably want to change "0.0.0.0:443:443" to something like
- # "127.0.0.1:80:443" in the ports section for the nginx-proxy service.
+ # The only case you may want to set this to false is if you're using another
+ # reverse proxy in front of Malcolm. Even if set to 'false', NGINX will still
+ # listen on port 443 (it just won't be encrypted). If you change this, you'll
+ # probably want to change "0.0.0.0:443:443" to something like
+ # "127.0.0.1:80:443" in the ports section for the nginx-proxy service.
 NGINX_SSL : 'true'
 # Whether or not to write nginx's access.log and error.log to OpenSearch
 NGINX_LOG_ACCESS_AND_ERRORS : 'false'
 
+x-ssl-variables: &ssl-variables
+ # When possible, docker containers will automatically add trusted CA certificate files
+ # found in the ./nginx/ca-trust directory (which is bind mounted to /ca-trust).
+ PUSER_CA_TRUST : '/var/local/ca-trust'
+
+x-opensearch-variables: &opensearch-variables
+ # Used in various services to define the connection to the OpenSearch document store.
+ # Whether or not Malcolm will start and use its own local OpenSearch instance as its
+ # primary data store. Set to 'false' if you're connecting to another OpenSearch
+ # cluster, in which case the other environment variables in this section must also
+ # be set with the connection parameters.
+ OPENSEARCH_LOCAL : 'true'
+ # URL for connecting to OpenSearch instance. When using Malcolm's internal instance
+ # of OpenSearch (i.e., OPENSEARCH_LOCAL is 'true') this should be
+ # 'http://opensearch:9200', otherwise specify the primary remote instance URL
+ # in the format 'protocol://host:port'.
+ OPENSEARCH_URL : 'http://opensearch:9200'
+ # Used when OPENSEARCH_LOCAL is 'false', the cURL-formatted config file contains login
+ # credentials for the primary OpenSearch instance. It can be generated for you by the
+ # ./scripts/auth_setup script. The notable parameters expected from this file would be
+ # user (with a "user:password" value) and "insecure" (if the certificate verification
+ # setting below is 'false'). See cURL config file format at
+ # https://everything.curl.dev/cmdline/configfile. This file is bind mounted locally
+ # from .opensearch.primary.curlrc as /var/local/opensearch.primary.curlrc
+ OPENSEARCH_CREDS_CONFIG_FILE : '/var/local/opensearch.primary.curlrc'
+ # Whether or not connections to the primary remote OpenSearch instance require full
+ # TLS certificate validation for the connection (this may fail if using self-signed
+ # certificates).
+ OPENSEARCH_SSL_CERTIFICATE_VERIFICATION : 'false'
+ # Whether or not Malcolm's Logstash instance will forward logs to a secondary remote
+ # OpenSearch instance in addition to the (local or remote) primary instance.
+ OPENSEARCH_SECONDARY : 'false'
+ # URL for connecting to the secondary remote OpenSearch instance, specified
+ # in the format 'protocol://host:port'.
+ OPENSEARCH_SECONDARY_URL : ''
+ # Used when OPENSEARCH_SECONDARY is 'true', the cURL-formatted config file contains login
+ # credentials for the secondary OpenSearch instance. The comments describing
+ # OPENSEARCH_CREDS_CONFIG_FILE above also apply here. This file is bind mounted locally
+ # from .opensearch.secondary.curlrc as /var/local/opensearch.secondary.curlrc
+ OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE : '/var/local/opensearch.secondary.curlrc'
+ # Whether or not connections to the secondary remote OpenSearch instance require full
+ # TLS certificate validation for the connection (this may fail if using self-signed
+ # certificates).
+ OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION : 'false'
+
 x-arkime-variables: &arkime-variables
 # Whether or not Arkime is allowed to delete uploaded/captured PCAP (see
 # https://arkime.com/faq#pcap-deletion)
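Review bot: `OPENSEARCH_SSL_CERTIFICATE_VERIFICATION : 'false'` and `OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION : 'false'` make unverified TLS the default for remote connections that carry the login credentials read from the curlrc files, and the comment above each only names the self-signed failure mode, not what is given up by leaving it off. The same hunk introduces `PUSER_CA_TRUST` with CA files from ./nginx/ca-trust being added to the containers, so a private or self-signed CA can be trusted explicitly instead, which makes 'true' the more defensible default for both settings. If 'false' has to stay for compatibility, I would at least extend the comment: `# Leaving this 'false' skips checking the remote server's identity; prefer placing its CA certificate in ./nginx/ca-trust and setting this to 'true'.` The comment on OPENSEARCH_CREDS_CONFIG_FILE would also benefit from a sentence stating that the file holds credentials in plain text and should be readable only by the account running Malcolm.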
@@ -186,19 +231,6 @@ x-logstash-variables: &logstash-variables
 LOGSTASH_SEVERITY_SCORING : 'true'
 # Whether or not Logstash will perform a reverse DNS lookup for external IP addresses
 LOGSTASH_REVERSE_DNS : 'false'
- # If specified (in the format '10.0.0.123:9200'), logs received by Logstash will be
- # forwarded on to another external OpenSearch instance in addition to the one
- # maintained locally by Malcolm
- OS_EXTERNAL_HOSTS : ''
- # Whether or not Logstash will use HTTPS for the connection to OS_EXTERNAL_HOSTS
- OS_EXTERNAL_SSL : 'true'
- # Whether or not Logstash will require full TLS certificate validation for the connection
- # to OS_EXTERNAL_HOSTS (this may fail if using self-signed certificates)
- OS_EXTERNAL_SSL_CERTIFICATE_VERIFICATION : 'false'
- # For security, OS_EXTERNAL_USER and OS_EXTERNAL_PASSWORD should be stored in Logstash keystore using ./scripts/auth_setup
- # See also volume mount for logstash.keystore below.
- # OS_EXTERNAL_USER : 'janedoe'
- # OS_EXTERNAL_PASSWORD : 'secret'
 
 x-filebeat-variables: &filebeat-variables
 # filebeat parameters used for monitoring log files containing network traffic metadata
@@ -266,13 +298,13 @@ x-common-lookup-variables: &common-lookup-variables
 # for assigning severity to long connections
 CONNECTION_SECONDS_SEVERITY_THRESHOLD : 3600
 # When severity scoring is enabled, this variable defines a comma-separated list of
- # countries of concern (using ISO 3166-1 alpha-2 codes)
- QUESTIONABLE_COUNTRY_CODES : 'CN,IR,KP,RU,UA'
+ # sensitive countries (using ISO 3166-1 alpha-2 codes)
+ SENSITIVE_COUNTRY_CODES : 'AM,AZ,BY,CN,CU,DZ,GE,HK,IL,IN,IQ,IR,KG,KP,KZ,LY,MD,MO,PK,RU,SD,SS,SY,TJ,TM,TW,UA,UZ'
 
 x-common-beats-variables: &common-beats-variables
 # Whether or not Logstash will use require encrypted communications for any external
 # Beats-based forwarders from which it will accept logs
- BEATS_SSL : 'false'
+ BEATS_SSL : 'true'
 
 x-pcap-capture-variables: &pcap-capture-variables
 # Whether or not netsniff-ng should create PCAP files from live traffic on a local
@@ -302,7 +334,7 @@ x-pcap-capture-variables: &pcap-capture-variables
 
 services:
 opensearch:
- image: malcolmnetsec/opensearch:6.2.0
+ image: malcolmnetsec/opensearch:6.3.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -311,6 +343,8 @@ services:
 - default
 environment:
 << : *process-variables
+ << : *ssl-variables
+ << : *opensearch-variables
 logger.level : 'WARN'
 bootstrap.memory_lock : 'true'
 MAX_LOCKED_MEMORY : 'unlimited'
@@ -330,8 +364,10 @@ services:
 cap_add:
 - IPC_LOCK
 volumes:
+ - ./nginx/ca-trust:/var/local/ca-trust:ro
+ - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro
+ - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro
 - ./opensearch/opensearch.keystore:/usr/share/opensearch/config/opensearch.keystore:rw
- - ./nginx/ca-trust:/usr/share/opensearch/ca-trust:ro
 - ./opensearch:/usr/share/opensearch/data:delegated
 - ./opensearch-backup:/opt/opensearch/backup:delegated
 healthcheck:
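Review bot: `QUESTIONABLE_COUNTRY_CODES` is replaced by `SENSITIVE_COUNTRY_CODES` with a different default, and `OS_MAX_SHARDS_PER_NODE` becomes `OPENSEARCH_MAX_SHARDS_PER_NODE` in the arkime hunk at `@@ -485,12 +536,12 @@`; a deployment that overrode either old name in its own compose file will silently fall back to the new default rather than fail. The comment block above each variable is the natural place for a one-line migration note, e.g. `# (renamed from QUESTIONABLE_COUNTRY_CODES; update any local overrides)`. Whether the consuming scripts still honour the old names is not visible in this diff.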
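Review bot: `- ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro` is mounted into the opensearch service unconditionally, although the hunk at `@@ -18,24 +18,69 @@` documents the secondary instance as off by default and both curlrc files as something ./scripts/auth_setup generates; in my experience Docker creates an empty directory at a missing bind-mount source, which would then collide with the file auth_setup later tries to write, so the first `docker-compose up` on a fresh checkout should be checked for this. It is also not evident from the hunk why the local opensearch container needs credentials for either remote instance; if none of its in-container scripts read them, dropping the two curlrc mounts from this service keeps the credential files out of a container that does not use them. The same mount pattern recurs in the dashboards-helper and logstash hunks. A short comment above the mounts naming the script that consumes each file would make this easy to verify.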
@@ -341,7 +377,7 @@ services:
 retries: 3
 start_period: 180s
 dashboards-helper:
- image: malcolmnetsec/dashboards-helper:6.2.0
+ image: malcolmnetsec/dashboards-helper:6.3.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -350,8 +386,9 @@ services:
 - default
 environment:
 << : *process-variables
+ << : *ssl-variables
+ << : *opensearch-variables
 << : *dashboards-helper-variables
- OPENSEARCH_URL : 'http://opensearch:9200'
 DASHBOARDS_URL : 'http://dashboards:5601/dashboards'
 VIRTUAL_HOST : 'dashboards-helper.malcolm.local'
 ARKIME_INDEX_PATTERN : 'arkime_sessions3-*'
@@ -362,6 +399,10 @@ services:
 - opensearch
 expose:
 - 28991
+ volumes:
+ - ./nginx/ca-trust:/var/local/ca-trust:ro
+ - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro
+ - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro
 healthcheck:
 test: ["CMD", "supervisorctl", "status", "cron", "maps"]
 interval: 60s
@@ -369,7 +410,7 @@ services:
 retries: 3
 start_period: 30s
 dashboards:
- image: malcolmnetsec/dashboards:6.2.0
+ image: malcolmnetsec/dashboards:6.3.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -378,13 +419,17 @@ services:
 - default
 environment:
 << : *process-variables
- OPENSEARCH_URL : 'http://opensearch:9200'
+ << : *ssl-variables
+ << : *opensearch-variables
 VIRTUAL_HOST : 'dashboards.malcolm.local'
 depends_on:
 - opensearch
 - dashboards-helper
 expose:
 - 5601
+ volumes:
+ - ./nginx/ca-trust:/var/local/ca-trust:ro
+ - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro
 healthcheck:
 test: ["CMD", "curl", "--silent", "--fail", "http://localhost:5601/dashboards/api/status"]
 interval: 30s
@@ -392,7 +437,7 @@ services:
 retries: 3
 start_period: 210s
 logstash:
- image: malcolmnetsec/logstash-oss:6.2.0
+ image: malcolmnetsec/logstash-oss:6.3.0
 restart: "no"
 stdin_open: false
 tty: true
@@ -407,10 +452,11 @@ services: - IPC_LOCK environment: << : *process-variables + << : *ssl-variables + << : *opensearch-variables << : *logstash-variables << : *common-beats-variables << : *common-lookup-variables - OS_HOSTS : 'opensearch:9200' LS_JAVA_OPTS : '-server -Xms2g -Xmx2g -Xss1536k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true' depends_on: - opensearch @@ -421,9 +467,10 @@ services: ports: - "127.0.0.1:5044:5044" volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro - ./logstash/maps/malcolm_severity.yaml:/etc/malcolm_severity.yaml:ro - - ./logstash/certs/logstash.keystore:/usr/share/logstash/config/logstash.keystore:rw - - ./nginx/ca-trust:/usr/share/logstash/ca-trust:ro - ./logstash/certs/ca.crt:/certs/ca.crt:ro - ./logstash/certs/server.crt:/certs/server.crt:ro - ./logstash/certs/server.key:/certs/server.key:ro @@ -437,7 +484,7 @@ services: retries: 3 start_period: 600s filebeat: - image: malcolmnetsec/filebeat-oss:6.2.0 + image: malcolmnetsec/filebeat-oss:6.3.0 restart: "no" stdin_open: false tty: true @@ -446,7 +493,9 @@ services: - default environment: << : *process-variables + << : *ssl-variables << : *nginx-variables + << : *opensearch-variables << : *filebeat-variables << : *common-upload-variables << : *common-beats-variables @@ -461,6 +510,8 @@ services: ports: - "127.0.0.1:5045:5045" volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - nginx-log-path:/nginx:ro - ./zeek-logs:/zeek - ./suricata-logs:/suricata @@ -474,7 +525,7 @@ services: retries: 3 start_period: 60s arkime: - image: malcolmnetsec/arkime:6.2.0 + image: malcolmnetsec/arkime:6.3.0 restart: "no" stdin_open: false tty: true 
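Review bot: The logstash service drops the `./logstash/certs/logstash.keystore` mount and the `OS_HOSTS` variable, and remote OpenSearch credentials now arrive through the bind-mounted `.opensearch.primary.curlrc` and `.opensearch.secondary.curlrc` files; the guidance removed in the logstash-variables hunk explicitly kept OS_EXTERNAL_USER/OS_EXTERNAL_PASSWORD in the Logstash keystore "for security", so this moves the password from an encrypted keystore to a plaintext file on the host. The commit says nothing about the permissions of those files; whatever generates them should create them owner-readable only, and the mount (already `:ro`, which is right) deserves a comment such as `# plaintext credentials from ./scripts/auth_setup; keep mode 0600 on the host`. The docker-compose.yml logstash hunk makes the identical change.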
@@ -485,12 +536,12 @@ services: - ./auth.env environment: << : *process-variables + << : *ssl-variables + << : *opensearch-variables << : *common-upload-variables << : *arkime-variables VIRTUAL_HOST : 'arkime.malcolm.local' - OS_HOST : 'opensearch' - OS_PORT : 9200 - OS_MAX_SHARDS_PER_NODE : 2500 + OPENSEARCH_MAX_SHARDS_PER_NODE : 2500 VIEWER : 'on' WISE : 'on' ulimits: @@ -504,6 +555,8 @@ services: - 8005 - 8081 volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - ./pcap:/data/pcap - ./arkime-logs:/opt/arkime/logs - ./arkime-raw:/opt/arkime/raw @@ -514,7 +567,7 @@ services: retries: 3 start_period: 210s zeek: - image: malcolmnetsec/zeek:6.2.0 + image: malcolmnetsec/zeek:6.3.0 restart: "no" stdin_open: false tty: true @@ -532,6 +585,7 @@ services: - SYS_ADMIN environment: << : *process-variables + << : *ssl-variables << : *common-upload-variables << : *zeek-variables << : *zeek-offline-variables @@ -540,6 +594,7 @@ services: depends_on: - opensearch volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./pcap:/pcap - ./zeek-logs/upload:/zeek/upload - ./zeek-logs/extract_files:/zeek/extract_files @@ -551,7 +606,7 @@ services: retries: 3 start_period: 60s zeek-live: - image: malcolmnetsec/zeek:6.2.0 + image: malcolmnetsec/zeek:6.3.0 restart: "no" stdin_open: false tty: true @@ -567,6 +622,7 @@ services: - SYS_ADMIN environment: << : *process-variables + << : *ssl-variables << : *common-upload-variables << : *zeek-variables << : *zeek-live-variables @@ -577,11 +633,12 @@ services: ZEEK_INTEL_PATH : '/opt/zeek/share/zeek/site/intel' EXTRACT_FILES_PATH : '/zeek/extract_files' volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./zeek-logs/live:/zeek/live - ./zeek-logs/extract_files:/zeek/extract_files - ./zeek/intel:/opt/zeek/share/zeek/site/intel suricata: - image: malcolmnetsec/suricata:6.2.0 + image: malcolmnetsec/suricata:6.3.0 restart: "no" stdin_open: false tty: true 
@@ -599,6 +656,7 @@ services: - SYS_ADMIN environment: << : *process-variables + << : *ssl-variables << : *common-upload-variables << : *suricata-variables << : *suricata-offline-variables @@ -606,6 +664,7 @@ services: depends_on: - logstash volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./suricata-logs:/var/log/suricata - ./pcap:/data/pcap - ./suricata/rules:/opt/suricata/rules:ro @@ -616,7 +675,7 @@ services: retries: 3 start_period: 120s suricata-live: - image: malcolmnetsec/suricata:6.2.0 + image: malcolmnetsec/suricata:6.3.0 restart: "no" stdin_open: false tty: true @@ -632,16 +691,18 @@ services: - SYS_ADMIN environment: << : *process-variables + << : *ssl-variables << : *common-upload-variables << : *suricata-variables << : *suricata-live-variables << : *pcap-capture-variables SURICATA_PCAP_PROCESSOR : 'false' volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./suricata-logs:/var/log/suricata - ./suricata/rules:/opt/suricata/rules:ro file-monitor: - image: malcolmnetsec/file-monitor:6.2.0 + image: malcolmnetsec/file-monitor:6.3.0 restart: "no" stdin_open: false tty: true @@ -650,12 +711,14 @@ services: - default environment: << : *process-variables + << : *ssl-variables << : *zeek-variables VIRTUAL_HOST : 'file-monitor.malcolm.local' expose: - 3310 - 8440 volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./zeek-logs/extract_files:/zeek/extract_files - ./zeek-logs/current:/zeek/logs - ./yara/rules:/yara-rules/custom:ro @@ -666,7 +729,7 @@ services: retries: 3 start_period: 60s pcap-capture: - image: malcolmnetsec/pcap-capture:6.2.0 + image: malcolmnetsec/pcap-capture:6.3.0 restart: "no" stdin_open: false tty: true 
@@ -682,11 +745,13 @@ services: - SYS_ADMIN environment: << : *process-variables + << : *ssl-variables << : *pcap-capture-variables volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./pcap/upload:/pcap pcap-monitor: - image: malcolmnetsec/pcap-monitor:6.2.0 + image: malcolmnetsec/pcap-monitor:6.3.0 restart: "no" stdin_open: false tty: true @@ -695,13 +760,16 @@ services: - default environment: << : *process-variables + << : *ssl-variables + << : *opensearch-variables << : *common-upload-variables - OPENSEARCH_URL : 'http://opensearch:9200' depends_on: - opensearch expose: - 30441 volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - ./zeek-logs:/zeek - ./pcap:/pcap healthcheck: @@ -711,7 +779,7 @@ services: retries: 3 start_period: 90s upload: - image: malcolmnetsec/file-upload:6.2.0 + image: malcolmnetsec/file-upload:6.3.0 restart: "no" stdin_open: false tty: true @@ -722,6 +790,7 @@ services: - ./auth.env environment: << : *process-variables + << : *ssl-variables SITE_NAME : 'Capture File and Log Archive Upload' VIRTUAL_HOST : 'upload.malcolm.local' depends_on: @@ -731,6 +800,7 @@ services: ports: - "127.0.0.1:8022:22" volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./pcap/upload:/var/www/upload/server/php/chroot/files healthcheck: test: ["CMD", "wget", "-qO-", "http://localhost"] @@ -739,7 +809,7 @@ services: retries: 3 start_period: 60s htadmin: - image: malcolmnetsec/htadmin:6.2.0 + image: malcolmnetsec/htadmin:6.3.0 restart: "no" stdin_open: false tty: true @@ -748,11 +818,13 @@ services: - default environment: << : *process-variables + << : *ssl-variables << : *auth-variables VIRTUAL_HOST : 'htadmin.malcolm.local' expose: - 80 volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./htadmin/config.ini:/var/www/htadmin/config/config.ini:rw - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw - ./nginx/htpasswd:/var/www/htadmin/config/htpasswd:rw 
@@ -763,7 +835,7 @@ services: retries: 3 start_period: 60s freq: - image: malcolmnetsec/freq:6.2.0 + image: malcolmnetsec/freq:6.3.0 restart: "no" stdin_open: false tty: true @@ -772,10 +844,13 @@ services: - default environment: << : *process-variables + << : *ssl-variables << : *common-lookup-variables VIRTUAL_HOST : 'freq.malcolm.local' expose: - 10004 + volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro healthcheck: test: ["CMD", "curl", "--silent", "--fail", "http://localhost:10004"] interval: 30s @@ -783,7 +858,7 @@ services: retries: 3 start_period: 60s name-map-ui: - image: malcolmnetsec/name-map-ui:6.2.0 + image: malcolmnetsec/name-map-ui:6.3.0 restart: "no" stdin_open: false tty: true @@ -792,10 +867,12 @@ services: - default environment: << : *process-variables + << : *ssl-variables VIRTUAL_HOST : 'name-map-ui.malcolm.local' expose: - 8080 volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./cidr-map.txt:/var/www/html/maps/cidr-map.txt:ro - ./host-map.txt:/var/www/html/maps/host-map.txt:ro - ./net-map.json:/var/www/html/maps/net-map.json:rw @@ -806,7 +883,7 @@ services: retries: 3 start_period: 60s api: - image: malcolmnetsec/api:6.2.0 + image: malcolmnetsec/api:6.3.0 command: gunicorn --bind 0:5000 manage:app restart: "no" stdin_open: false @@ -816,9 +893,14 @@ services: - default environment: << : *process-variables + << : *ssl-variables + << : *opensearch-variables VIRTUAL_HOST : 'api.malcolm.local' expose: - 5000 + volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro healthcheck: test: ["CMD", "curl", "--silent", "--fail", "http://localhost:5000/ping"] interval: 30s @@ -826,7 +908,7 @@ services: retries: 3 start_period: 60s nginx-proxy: - image: malcolmnetsec/nginx-proxy:6.2.0 + image: malcolmnetsec/nginx-proxy:6.3.0 restart: "no" stdin_open: false tty: true 
@@ -835,6 +917,7 @@ services: - default environment: << : *process-variables + << : *ssl-variables << : *auth-variables << : *nginx-variables depends_on: @@ -851,10 +934,10 @@ services: - "127.0.0.1:5601:5601" - "127.0.0.1:9200:9200" volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - nginx-log-path:/var/log/nginx:rw - ./nginx/nginx_ldap.conf:/etc/nginx/nginx_ldap.conf:ro - ./nginx/htpasswd:/etc/nginx/.htpasswd:ro - - ./nginx/ca-trust:/etc/nginx/ca-trust:ro - ./nginx/certs:/etc/nginx/certs:ro - ./nginx/certs/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro healthcheck: @@ -882,3 +965,4 @@ volumes: networks: default: + external: false \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 78503d507..3dd519abb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
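Review bot: The nginx-proxy service now mounts ./nginx/ca-trust at /var/local/ca-trust and removes the /etc/nginx/ca-trust mount, but the auth-variables comment in this same commit still says stunnel verifies LDAP StartTLS certificates using CA files placed in ./nginx/ca-trust; any stunnel or nginx configuration inside the image that still reads /etc/nginx/ca-trust would find nothing there and could quietly stop requiring verification. That configuration is not in this diff, so please confirm it was updated to the new path (or that PUSER_CA_TRUST feeds the trust store stunnel uses) and add a comment at the mount line such as `# LDAP StartTLS (stunnel) CA certificates are picked up from here via PUSER_CA_TRUST`. The docker-compose.yml nginx-proxy hunk makes the same change.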
@@ -18,24 +18,69 @@ x-auth-variables: &auth-variables # and use stunnel to tunnel the connection. NGINX_LDAP_TLS_STUNNEL : 'false' # stunnel will require and verify certificates for StartTLS when one or more - # trusted CA certificate files are placed in the ./nginx/ca-trust directory. - # For additional security, hostname or IP address checking of the associated - # CA certificate(s) can be enabled by providing these values. + # trusted CA certificate files are placed in the ./nginx/ca-trust directory. + # For additional security, hostname or IP address checking of the associated + # CA certificate(s) can be enabled by providing these values. NGINX_LDAP_TLS_STUNNEL_CHECK_HOST : '' NGINX_LDAP_TLS_STUNNEL_CHECK_IP : '' NGINX_LDAP_TLS_STUNNEL_VERIFY_LEVEL : 2 x-nginx-variables: &nginx-variables # Whether or not nginx should use HTTPS. This is almost CERTAINLY what you want. - # The only case you may want to set this to false is if you're using another - # reverse proxy in front of Malcolm. Even if set to 'false', NGINX will still - # listen on port 443 (it just won't be encrypted). If you change this, you'll - # probably want to change "0.0.0.0:443:443" to something like - # "127.0.0.1:80:443" in the ports section for the nginx-proxy service. + # The only case you may want to set this to false is if you're using another + # reverse proxy in front of Malcolm. Even if set to 'false', NGINX will still + # listen on port 443 (it just won't be encrypted). If you change this, you'll + # probably want to change "0.0.0.0:443:443" to something like + # "127.0.0.1:80:443" in the ports section for the nginx-proxy service. NGINX_SSL : 'true' # Whether or not to write nginx's access.log and error.log to OpenSearch NGINX_LOG_ACCESS_AND_ERRORS : 'false' +x-ssl-variables: &ssl-variables + # When possible, docker containers will automatically add trusted CA certificate files + # found in the ./nginx/ca-trust directory (which is bind mounted to /ca-trust). 
+ PUSER_CA_TRUST : '/var/local/ca-trust' + +x-opensearch-variables: &opensearch-variables + # Used in various services to define the connection to the OpenSearch document store. + # Whether or not Malcolm will start and use its own local OpenSearch instance as its + # primary data store. Set to 'false' if you're connecting to another OpenSearch + # cluster, in which case the other environment variables in this section must also + # be set with the connection parameters. + OPENSEARCH_LOCAL : 'true' + # URL for connecting to OpenSearch instance. When using Malcolm's internal instance + # of OpenSearch (i.e., OPENSEARCH_LOCAL is 'true') this should be + # 'http://opensearch:9200', otherwise specify the primary remote instance URL + # in the format 'protocol://host:port'. + OPENSEARCH_URL : 'http://opensearch:9200' + # Used when OPENSEARCH_LOCAL is 'false', the cURL-formatted config file contains login + # credentials for the primary OpenSearch instance. It can be generated for you by the + # ./scripts/auth_setup script. The notable parameters expected from this file would be + # user (with a "user:password" value) and "insecure" (if the certificate verification + # setting below is 'false'). See cURL config file format at + # https://everything.curl.dev/cmdline/configfile. This file is bind mounted locally + # from .opensearch.primary.curlrc as /var/local/opensearch.primary.curlrc + OPENSEARCH_CREDS_CONFIG_FILE : '/var/local/opensearch.primary.curlrc' + # Whether or not connections to the primary remote OpenSearch instance require full + # TLS certificate validation for the connection (this may fail if using self-signed + # certificates). + OPENSEARCH_SSL_CERTIFICATE_VERIFICATION : 'false' + # Whether or not Malcolm's Logstash instance will forward logs to a secondary remote + # OpenSearch instance in addition to the (local or remote) primary instance. 
+ OPENSEARCH_SECONDARY : 'false' + # URL for connecting to the secondary remote OpenSearch instance, specified + # in the format 'protocol://host:port'. + OPENSEARCH_SECONDARY_URL : '' + # Used when OPENSEARCH_SECONDARY is 'true', the cURL-formatted config file contains login + # credentials for the secondary OpenSearch instance. The comments describing + # OPENSEARCH_CREDS_CONFIG_FILE above also apply here. This file is bind mounted locally + # from .opensearch.secondary.curlrc as /var/local/opensearch.secondary.curlrc + OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE : '/var/local/opensearch.secondary.curlrc' + # Whether or not connections to the secondary remote OpenSearch instance require full + # TLS certificate validation for the connection (this may fail if using self-signed + # certificates). + OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION : 'false' + x-arkime-variables: &arkime-variables # Whether or not Arkime is allowed to delete uploaded/captured PCAP (see # https://arkime.com/faq#pcap-deletion) 
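Review bot: The comment introducing `PUSER_CA_TRUST` says ./nginx/ca-trust is bind mounted to /ca-trust, but the value set directly below it and every volume entry in this commit use /var/local/ca-trust, so it should read `# found in the ./nginx/ca-trust directory (which is bind mounted to /var/local/ca-trust).` In the same hunk both `OPENSEARCH_SSL_CERTIFICATE_VERIFICATION` and `OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION` default to 'false', and the OPENSEARCH_CREDS_CONFIG_FILE comment tells the user to add "insecure" to the curlrc in that case, so a remote deployment sends the credentials from that file over a connection whose server certificate is never checked unless the operator changes two settings. The comment on each verification variable should steer toward 'true' for a remote instance and, if the PUSER_CA_TRUST mechanism covers these connections, point out that a self-signed or private CA certificate can be dropped into ./nginx/ca-trust instead of disabling verification, e.g. `# certificates); prefer 'true' and place the server's CA certificate in ./nginx/ca-trust.`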
@@ -186,19 +231,6 @@ x-logstash-variables: &logstash-variables LOGSTASH_SEVERITY_SCORING : 'true' # Whether or not Logstash will perform a reverse DNS lookup for external IP addresses LOGSTASH_REVERSE_DNS : 'false' - # If specified (in the format '10.0.0.123:9200'), logs received by Logstash will be - # forwarded on to another external OpenSearch instance in addition to the one - # maintained locally by Malcolm - OS_EXTERNAL_HOSTS : '' - # Whether or not Logstash will use HTTPS for the connection to OS_EXTERNAL_HOSTS - OS_EXTERNAL_SSL : 'true' - # Whether or not Logstash will require full TLS certificate validation for the connection - # to OS_EXTERNAL_HOSTS (this may fail if using self-signed certificates) - OS_EXTERNAL_SSL_CERTIFICATE_VERIFICATION : 'false' - # For security, OS_EXTERNAL_USER and OS_EXTERNAL_PASSWORD should be stored in Logstash keystore using ./scripts/auth_setup - # See also volume mount for logstash.keystore below. - # OS_EXTERNAL_USER : 'janedoe' - # OS_EXTERNAL_PASSWORD : 'secret' x-filebeat-variables: &filebeat-variables # filebeat parameters used for monitoring log files containing network traffic metadata 
@@ -266,13 +298,13 @@ x-common-lookup-variables: &common-lookup-variables # for assigning severity to long connections CONNECTION_SECONDS_SEVERITY_THRESHOLD : 3600 # When severity scoring is enabled, this variable defines a comma-separated list of - # countries of concern (using ISO 3166-1 alpha-2 codes) - QUESTIONABLE_COUNTRY_CODES : 'CN,IR,KP,RU,UA' + # sensitive countries (using ISO 3166-1 alpha-2 codes) + SENSITIVE_COUNTRY_CODES : 'AM,AZ,BY,CN,CU,DZ,GE,HK,IL,IN,IQ,IR,KG,KP,KZ,LY,MD,MO,PK,RU,SD,SS,SY,TJ,TM,TW,UA,UZ' x-common-beats-variables: &common-beats-variables # Whether or not Logstash will use require encrypted communications for any external # Beats-based forwarders from which it will accept logs - BEATS_SSL : 'false' + BEATS_SSL : 'true' x-pcap-capture-variables: &pcap-capture-variables # Whether or not netsniff-ng should create PCAP files from live traffic on a local @@ -305,7 +337,7 @@ services: build: context: . dockerfile: Dockerfiles/opensearch.Dockerfile - image: malcolmnetsec/opensearch:6.2.0 + image: malcolmnetsec/opensearch:6.3.0 restart: "no" stdin_open: false tty: true @@ -314,6 +346,8 @@ services: - default environment: << : *process-variables + << : *ssl-variables + << : *opensearch-variables logger.level : 'INFO' bootstrap.memory_lock : 'true' MAX_LOCKED_MEMORY : 'unlimited' @@ -333,8 +367,10 @@ services: cap_add: - IPC_LOCK volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro - ./opensearch/opensearch.keystore:/usr/share/opensearch/config/opensearch.keystore:rw - - ./nginx/ca-trust:/usr/share/opensearch/ca-trust:ro - ./opensearch:/usr/share/opensearch/data:delegated - ./opensearch-backup:/opt/opensearch/backup:delegated healthcheck: 
@@ -347,7 +383,7 @@ services: build: context: . dockerfile: Dockerfiles/dashboards-helper.Dockerfile - image: malcolmnetsec/dashboards-helper:6.2.0 + image: malcolmnetsec/dashboards-helper:6.3.0 restart: "no" stdin_open: false tty: true @@ -356,8 +392,9 @@ services: - default environment: << : *process-variables + << : *ssl-variables + << : *opensearch-variables << : *dashboards-helper-variables - OPENSEARCH_URL : 'http://opensearch:9200' DASHBOARDS_URL : 'http://dashboards:5601/dashboards' VIRTUAL_HOST : 'dashboards-helper.malcolm.local' ARKIME_INDEX_PATTERN : 'arkime_sessions3-*' @@ -368,6 +405,10 @@ services: - opensearch expose: - 28991 + volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro healthcheck: test: ["CMD", "supervisorctl", "status", "cron", "maps"] interval: 60s @@ -378,7 +419,7 @@ services: build: context: . dockerfile: Dockerfiles/dashboards.Dockerfile - image: malcolmnetsec/dashboards:6.2.0 + image: malcolmnetsec/dashboards:6.3.0 restart: "no" stdin_open: false tty: true @@ -387,13 +428,17 @@ services: - default environment: << : *process-variables - OPENSEARCH_URL : 'http://opensearch:9200' + << : *ssl-variables + << : *opensearch-variables VIRTUAL_HOST : 'dashboards.malcolm.local' depends_on: - opensearch - dashboards-helper expose: - 5601 + volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro healthcheck: test: ["CMD", "curl", "--silent", "--fail", "http://localhost:5601/dashboards/api/status"] interval: 30s @@ -404,7 +449,7 @@ services: build: context: . dockerfile: Dockerfiles/logstash.Dockerfile - image: malcolmnetsec/logstash-oss:6.2.0 + image: malcolmnetsec/logstash-oss:6.3.0 restart: "no" stdin_open: false tty: true 
@@ -419,10 +464,11 @@ services: - IPC_LOCK environment: << : *process-variables + << : *ssl-variables + << : *opensearch-variables << : *logstash-variables << : *common-beats-variables << : *common-lookup-variables - OS_HOSTS : 'opensearch:9200' LS_JAVA_OPTS : '-server -Xms2g -Xmx2g -Xss1536k -XX:-HeapDumpOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom -Dlog4j.formatMsgNoLookups=true' depends_on: - opensearch @@ -433,13 +479,14 @@ services: ports: - "127.0.0.1:5044:5044" volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.orig.yml:ro - ./logstash/pipelines:/usr/share/logstash/malcolm-pipelines.available:ro - ./logstash/patterns:/usr/share/logstash/malcolm-patterns:ro - ./logstash/ruby:/usr/share/logstash/malcolm-ruby:ro - ./logstash/maps/malcolm_severity.yaml:/etc/malcolm_severity.yaml:ro - - ./logstash/certs/logstash.keystore:/usr/share/logstash/config/logstash.keystore:rw - - ./nginx/ca-trust:/usr/share/logstash/ca-trust:ro - ./logstash/certs/ca.crt:/certs/ca.crt:ro - ./logstash/certs/server.crt:/certs/server.crt:ro - ./logstash/certs/server.key:/certs/server.key:ro @@ -456,7 +503,7 @@ services: build: context: . dockerfile: Dockerfiles/filebeat.Dockerfile - image: malcolmnetsec/filebeat-oss:6.2.0 + image: malcolmnetsec/filebeat-oss:6.3.0 restart: "no" stdin_open: false tty: true @@ -465,7 +512,9 @@ services: - default environment: << : *process-variables + << : *ssl-variables << : *nginx-variables + << : *opensearch-variables << : *filebeat-variables << : *common-upload-variables << : *common-beats-variables 
@@ -480,6 +529,8 @@ services: ports: - "127.0.0.1:5045:5045" volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - nginx-log-path:/nginx:ro - ./zeek-logs:/zeek - ./suricata-logs:/suricata @@ -496,7 +547,7 @@ services: build: context: . dockerfile: Dockerfiles/arkime.Dockerfile - image: malcolmnetsec/arkime:6.2.0 + image: malcolmnetsec/arkime:6.3.0 restart: "no" stdin_open: false tty: true @@ -507,12 +558,12 @@ services: - ./auth.env environment: << : *process-variables + << : *ssl-variables + << : *opensearch-variables << : *common-upload-variables << : *arkime-variables VIRTUAL_HOST : 'arkime.malcolm.local' - OS_HOST : 'opensearch' - OS_PORT : 9200 - OS_MAX_SHARDS_PER_NODE : 2500 + OPENSEARCH_MAX_SHARDS_PER_NODE : 2500 VIEWER : 'on' WISE : 'on' ulimits: @@ -526,10 +577,12 @@ services: - 8005 - 8081 volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - ./pcap:/data/pcap - ./arkime-logs:/opt/arkime/logs - ./arkime-raw:/opt/arkime/raw - - ./arkime/etc/config.ini:/opt/arkime/etc/config.ini:ro + - ./arkime/etc/config.ini:/opt/arkime/etc/config.orig.ini:ro - ./arkime/etc/user_settings.json:/opt/arkime/etc/user_settings.json:ro - ./arkime/wise/source.zeeklogs.js:/opt/arkime/wiseService/source.zeeklogs.js:ro healthcheck: @@ -542,7 +595,7 @@ services: build: context: . dockerfile: Dockerfiles/zeek.Dockerfile - image: malcolmnetsec/zeek:6.2.0 + image: malcolmnetsec/zeek:6.3.0 restart: "no" stdin_open: false tty: true @@ -560,6 +613,7 @@ services: - SYS_ADMIN environment: << : *process-variables + << : *ssl-variables << : *common-upload-variables << : *zeek-variables << : *zeek-offline-variables @@ -568,6 +622,7 @@ services: depends_on: - opensearch volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./pcap:/pcap - ./zeek-logs/upload:/zeek/upload - ./zeek-logs/extract_files:/zeek/extract_files 
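Review bot: The arkime config.ini is now mounted as `/opt/arkime/etc/config.orig.ini`, which suggests the container renders its own config.ini at startup, presumably filling in the OpenSearch connection details that previously came from `OS_HOST`/`OS_PORT` and now come from the opensearch-variables block and the `.opensearch.primary.curlrc` mount. If the rendered file embeds the user:password from the curlrc, that is a second plaintext copy of the credential inside the container; please confirm it is written owner-readable only, and add a comment at the mount line such as `# read-only template; the entrypoint writes the live config.ini from it`. The enclosing arkime service definition continues outside this hunk.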
@@ -583,7 +638,7 @@ services: build: context: . dockerfile: Dockerfiles/zeek.Dockerfile - image: malcolmnetsec/zeek:6.2.0 + image: malcolmnetsec/zeek:6.3.0 restart: "no" stdin_open: false tty: true @@ -599,6 +654,7 @@ services: - SYS_ADMIN environment: << : *process-variables + << : *ssl-variables << : *common-upload-variables << : *zeek-variables << : *zeek-live-variables @@ -609,6 +665,7 @@ services: ZEEK_INTEL_PATH : '/opt/zeek/share/zeek/site/intel' EXTRACT_FILES_PATH : '/zeek/extract_files' volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./zeek-logs/live:/zeek/live - ./zeek-logs/extract_files:/zeek/extract_files - ./zeek/config/local.zeek:/opt/zeek/share/zeek/site/local.zeek:ro @@ -617,7 +674,7 @@ services: build: context: . dockerfile: Dockerfiles/suricata.Dockerfile - image: malcolmnetsec/suricata:6.2.0 + image: malcolmnetsec/suricata:6.3.0 restart: "no" stdin_open: false tty: true @@ -635,6 +692,7 @@ services: - SYS_ADMIN environment: << : *process-variables + << : *ssl-variables << : *common-upload-variables << : *suricata-variables << : *suricata-offline-variables @@ -642,6 +700,7 @@ services: depends_on: - logstash volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./suricata-logs:/var/log/suricata - ./pcap:/data/pcap - ./suricata/rules:/opt/suricata/rules:ro @@ -655,7 +714,7 @@ services: build: context: . dockerfile: Dockerfiles/suricata.Dockerfile - image: malcolmnetsec/suricata:6.2.0 + image: malcolmnetsec/suricata:6.3.0 restart: "no" stdin_open: false tty: true 
@@ -671,19 +730,21 @@ services: - SYS_ADMIN environment: << : *process-variables + << : *ssl-variables << : *common-upload-variables << : *suricata-variables << : *suricata-live-variables << : *pcap-capture-variables SURICATA_PCAP_PROCESSOR : 'false' volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./suricata-logs:/var/log/suricata - ./suricata/rules:/opt/suricata/rules:ro file-monitor: build: context: . dockerfile: Dockerfiles/file-monitor.Dockerfile - image: malcolmnetsec/file-monitor:6.2.0 + image: malcolmnetsec/file-monitor:6.3.0 restart: "no" stdin_open: false tty: true @@ -692,12 +753,14 @@ services: - default environment: << : *process-variables + << : *ssl-variables << : *zeek-variables VIRTUAL_HOST : 'file-monitor.malcolm.local' expose: - 3310 - 8440 volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./zeek-logs/extract_files:/zeek/extract_files - ./zeek-logs/current:/zeek/logs - ./yara/rules:/yara-rules/custom:ro @@ -711,7 +774,7 @@ services: build: context: . dockerfile: Dockerfiles/pcap-capture.Dockerfile - image: malcolmnetsec/pcap-capture:6.2.0 + image: malcolmnetsec/pcap-capture:6.3.0 restart: "no" stdin_open: false tty: true @@ -727,14 +790,16 @@ services: - SYS_ADMIN environment: << : *process-variables + << : *ssl-variables << : *pcap-capture-variables volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./pcap/upload:/pcap pcap-monitor: build: context: . dockerfile: Dockerfiles/pcap-monitor.Dockerfile - image: malcolmnetsec/pcap-monitor:6.2.0 + image: malcolmnetsec/pcap-monitor:6.3.0 restart: "no" stdin_open: false tty: true 
@@ -743,13 +808,16 @@ services: - default environment: << : *process-variables + << : *ssl-variables + << : *opensearch-variables << : *common-upload-variables - OPENSEARCH_URL : 'http://opensearch:9200' depends_on: - opensearch expose: - 30441 volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro - ./zeek-logs:/zeek - ./pcap:/pcap healthcheck: @@ -762,7 +830,7 @@ services: build: context: . dockerfile: Dockerfiles/file-upload.Dockerfile - image: malcolmnetsec/file-upload:6.2.0 + image: malcolmnetsec/file-upload:6.3.0 restart: "no" stdin_open: false tty: true @@ -773,6 +841,7 @@ services: - ./auth.env environment: << : *process-variables + << : *ssl-variables SITE_NAME : 'Capture File and Log Archive Upload' VIRTUAL_HOST : 'upload.malcolm.local' depends_on: @@ -782,6 +851,7 @@ services: ports: - "127.0.0.1:8022:22" volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./pcap/upload:/var/www/upload/server/php/chroot/files healthcheck: test: ["CMD", "wget", "-qO-", "http://localhost"] @@ -790,7 +860,7 @@ services: retries: 3 start_period: 60s htadmin: - image: malcolmnetsec/htadmin:6.2.0 + image: malcolmnetsec/htadmin:6.3.0 build: context: . dockerfile: Dockerfiles/htadmin.Dockerfile @@ -802,11 +872,13 @@ services: - default environment: << : *process-variables + << : *ssl-variables << : *auth-variables VIRTUAL_HOST : 'htadmin.malcolm.local' expose: - 80 volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./htadmin/config.ini:/var/www/htadmin/config/config.ini:rw - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw - ./nginx/htpasswd:/var/www/htadmin/config/htpasswd:rw @@ -817,7 +889,7 @@ services: retries: 3 start_period: 60s freq: - image: malcolmnetsec/freq:6.2.0 + image: malcolmnetsec/freq:6.3.0 build: context: . dockerfile: Dockerfiles/freq.Dockerfile 
@@ -829,10 +901,13 @@ services: - default environment: << : *process-variables + << : *ssl-variables << : *common-lookup-variables VIRTUAL_HOST : 'freq.malcolm.local' expose: - 10004 + volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro healthcheck: test: ["CMD", "curl", "--silent", "--fail", "http://localhost:10004"] interval: 30s @@ -840,7 +915,7 @@ services: retries: 3 start_period: 60s name-map-ui: - image: malcolmnetsec/name-map-ui:6.2.0 + image: malcolmnetsec/name-map-ui:6.3.0 build: context: . dockerfile: Dockerfiles/name-map-ui.Dockerfile @@ -852,10 +927,12 @@ services: - default environment: << : *process-variables + << : *ssl-variables VIRTUAL_HOST : 'name-map-ui.malcolm.local' expose: - 8080 volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - ./cidr-map.txt:/var/www/html/maps/cidr-map.txt:ro - ./host-map.txt:/var/www/html/maps/host-map.txt:ro - ./net-map.json:/var/www/html/maps/net-map.json:rw @@ -866,7 +943,7 @@ services: retries: 3 start_period: 60s api: - image: malcolmnetsec/api:6.2.0 + image: malcolmnetsec/api:6.3.0 build: context: . dockerfile: Dockerfiles/api.Dockerfile @@ -879,9 +956,14 @@ services: - default environment: << : *process-variables + << : *ssl-variables + << : *opensearch-variables VIRTUAL_HOST : 'api.malcolm.local' expose: - 5000 + volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro healthcheck: test: ["CMD", "curl", "--silent", "--fail", "http://localhost:5000/ping"] interval: 30s @@ -892,7 +974,7 @@ services: build: context: . dockerfile: Dockerfiles/nginx.Dockerfile - image: malcolmnetsec/nginx-proxy:6.2.0 + image: malcolmnetsec/nginx-proxy:6.3.0 restart: "no" stdin_open: false tty: true @@ -901,6 +983,7 @@ services: - default environment: << : *process-variables + << : *ssl-variables << : *auth-variables << : *nginx-variables depends_on: 
@@ -917,10 +1000,10 @@ services: - "127.0.0.1:5601:5601" - "127.0.0.1:9200:9200" volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro - nginx-log-path:/var/log/nginx:rw - ./nginx/nginx_ldap.conf:/etc/nginx/nginx_ldap.conf:ro - ./nginx/htpasswd:/etc/nginx/.htpasswd:ro - - ./nginx/ca-trust:/etc/nginx/ca-trust:ro - ./nginx/certs:/etc/nginx/certs:ro - ./nginx/certs/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro healthcheck: @@ -948,3 +1031,4 @@ volumes: networks: default: + external: false \ No newline at end of file diff --git a/docs/contributing/README.md b/docs/contributing/README.md index 9e6822675..b9f38d11f 100644 --- a/docs/contributing/README.md +++ b/docs/contributing/README.md 
@@ -35,65 +35,104 @@ There are several ways to customize Malcolm's runtime behavior via local changes Some configuration changes can be put in place by modifying local copies of configuration files and then use a [Docker bind mount](https://docs.docker.com/storage/bind-mounts/) to overlay the modified file onto the running Malcolm container. This is already done for many files and directories used to persist Malcolm configuration and data. For example, the default list of bind mounted files and directories for each Malcolm service is as follows: ``` -$ grep -P "^( - ./| \w+:)" docker-compose-standalone.yml -opensearch: - - ./opensearch/opensearch.keystore:/usr/share/opensearch/config/opensearch.keystore:rw - - ./nginx/ca-trust:/usr/share/opensearch/ca-trust:ro - - ./opensearch:/usr/share/opensearch/data:delegated - - ./opensearch-backup:/opt/opensearch/backup:delegated -dashboards-helper: -dashboards: -logstash: - - ./logstash/certs/logstash.keystore:/usr/share/logstash/config/logstash.keystore:rw - - ./logstash/maps/malcolm_severity.yaml:/etc/malcolm_severity.yaml:ro - - ./nginx/ca-trust:/usr/share/logstash/ca-trust:ro - - ./logstash/certs/ca.crt:/certs/ca.crt:ro - - ./logstash/certs/server.crt:/certs/server.crt:ro - - ./logstash/certs/server.key:/certs/server.key:ro - - ./cidr-map.txt:/usr/share/logstash/config/cidr-map.txt:ro - - ./host-map.txt:/usr/share/logstash/config/host-map.txt:ro - - ./net-map.json:/usr/share/logstash/config/net-map.json:ro -filebeat: - - ./zeek-logs:/data/zeek - - ./filebeat/certs/ca.crt:/certs/ca.crt:ro - - ./filebeat/certs/client.crt:/certs/client.crt:ro - - ./filebeat/certs/client.key:/certs/client.key:ro -arkime: - - ./auth.env - - ./pcap:/data/pcap - - ./arkime-logs:/opt/arkime/logs - - ./arkime-raw:/opt/arkime/raw -zeek: - - ./pcap:/pcap - - ./zeek-logs/upload:/zeek/upload - - ./zeek-logs/extract_files:/zeek/extract_files -file-monitor: - - ./zeek-logs/extract_files:/data/zeek/extract_files - - ./zeek-logs/current:/data/zeek/logs - 
- ./yara/rules:/yara-rules/custom:ro -pcap-capture: - - ./pcap/upload:/pcap -pcap-monitor: - - ./zeek-logs:/zeek - - ./pcap:/pcap -upload: - - ./auth.env - - ./pcap/upload:/var/www/upload/server/php/chroot/files -htadmin: - - ./htadmin/config.ini:/var/www/htadmin/config/config.ini:rw - - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw - - ./nginx/htpasswd:/var/www/htadmin/config/htpasswd:rw -freq: -name-map-ui: - - ./cidr-map.txt:/var/www/html/maps/cidr-map.txt:ro - - ./host-map.txt:/var/www/html/maps/host-map.txt:ro - - ./net-map.json:/var/www/html/maps/net-map.json:rw -nginx-proxy: - - ./nginx/nginx_ldap.conf:/etc/nginx/nginx_ldap.conf:ro - - ./nginx/htpasswd:/etc/nginx/.htpasswd:ro - - ./nginx/ca-trust:/etc/nginx/ca-trust:ro - - ./nginx/certs:/etc/nginx/certs:ro - - ./nginx/certs/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro +$ grep -P "^( - ./| [\w-]+:)" docker-compose-standalone.yml + opensearch: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro + - ./opensearch/opensearch.keystore:/usr/share/opensearch/config/opensearch.keystore:rw + - ./opensearch:/usr/share/opensearch/data:delegated + - ./opensearch-backup:/opt/opensearch/backup:delegated + dashboards-helper: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + dashboards: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + logstash: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./.opensearch.secondary.curlrc:/var/local/opensearch.secondary.curlrc:ro + - ./logstash/maps/malcolm_severity.yaml:/etc/malcolm_severity.yaml:ro + - ./logstash/certs/ca.crt:/certs/ca.crt:ro + - ./logstash/certs/server.crt:/certs/server.crt:ro + - 
./logstash/certs/server.key:/certs/server.key:ro + - ./cidr-map.txt:/usr/share/logstash/config/cidr-map.txt:ro + - ./host-map.txt:/usr/share/logstash/config/host-map.txt:ro + - ./net-map.json:/usr/share/logstash/config/net-map.json:ro + filebeat: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./zeek-logs:/zeek + - ./suricata-logs:/suricata + - ./filebeat/certs/ca.crt:/certs/ca.crt:ro + - ./filebeat/certs/client.crt:/certs/client.crt:ro + - ./filebeat/certs/client.key:/certs/client.key:ro + arkime: + - ./auth.env + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./pcap:/data/pcap + - ./arkime-logs:/opt/arkime/logs + - ./arkime-raw:/opt/arkime/raw + zeek: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./pcap:/pcap + - ./zeek-logs/upload:/zeek/upload + - ./zeek-logs/extract_files:/zeek/extract_files + - ./zeek/intel:/opt/zeek/share/zeek/site/intel + zeek-live: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./zeek-logs/live:/zeek/live + - ./zeek-logs/extract_files:/zeek/extract_files + - ./zeek/intel:/opt/zeek/share/zeek/site/intel + suricata: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./suricata-logs:/var/log/suricata + - ./pcap:/data/pcap + - ./suricata/rules:/opt/suricata/rules:ro + suricata-live: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./suricata-logs:/var/log/suricata + - ./suricata/rules:/opt/suricata/rules:ro + file-monitor: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./zeek-logs/extract_files:/zeek/extract_files + - ./zeek-logs/current:/zeek/logs + - ./yara/rules:/yara-rules/custom:ro + pcap-capture: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./pcap/upload:/pcap + pcap-monitor: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + - ./zeek-logs:/zeek + - ./pcap:/pcap + upload: + - ./auth.env + - 
./nginx/ca-trust:/var/local/ca-trust:ro + - ./pcap/upload:/var/www/upload/server/php/chroot/files + htadmin: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./htadmin/config.ini:/var/www/htadmin/config/config.ini:rw + - ./htadmin/metadata:/var/www/htadmin/config/metadata:rw + - ./nginx/htpasswd:/var/www/htadmin/config/htpasswd:rw + freq: + - ./nginx/ca-trust:/var/local/ca-trust:ro + name-map-ui: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./cidr-map.txt:/var/www/html/maps/cidr-map.txt:ro + - ./host-map.txt:/var/www/html/maps/host-map.txt:ro + - ./net-map.json:/var/www/html/maps/net-map.json:rw + api: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/opensearch.primary.curlrc:ro + nginx-proxy: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./nginx/nginx_ldap.conf:/etc/nginx/nginx_ldap.conf:ro + - ./nginx/htpasswd:/etc/nginx/.htpasswd:ro + - ./nginx/certs:/etc/nginx/certs:ro + - ./nginx/certs/dhparam.pem:/etc/nginx/dhparam/dhparam.pem:ro ``` So, for example, if you wanted to make a change to the `nginx-proxy` container's `nginx.conf` file, you could add the following line to the `volumes:` section of the `nginx-proxy` service in your `docker-compose.yml` file: 
@@ -198,7 +237,7 @@ Next, tweak [`filebeat.yml`](../../filebeat/filebeat.yml) by adding a new log in Logstash can then be easily extended to add more [`logstash/pipelines`](../../logstash/pipelines). At the time of this writing (as of the [v5.0.0 release](https://github.com/cisagov/Malcolm/releases/tag/v5.0.0)), the Logstash pipelines basically look like this: -* input (from `filebeat`) sends logs to 1..*n* **parse pipelines** (today it's just `zeek`) +* input (from `filebeat`) sends logs to 1..*n* **parse pipelines** * each **parse pipeline** does what it needs to do to parse its logs then sends them to the [**enrichment pipeline**](#LogstashEnrichments) * the [**enrichment pipeline**](../../logstash/pipelines/enrichment) performs common lookups to the fields that have been normalized and indexes the logs into the OpenSearch data store diff --git a/docs/images/screenshots/dashboards_opcua_binary.png b/docs/images/screenshots/dashboards_opcua_binary.png index 14e7b11ae..a5f95d0f4 100644 Binary files a/docs/images/screenshots/dashboards_opcua_binary.png and b/docs/images/screenshots/dashboards_opcua_binary.png differ diff --git a/docs/slides/Malcolm OT Protocol Support.odp b/docs/slides/Malcolm OT Protocol Support.odp index f29dae679..8c85e1073 100644 Binary files a/docs/slides/Malcolm OT Protocol Support.odp and b/docs/slides/Malcolm OT Protocol Support.odp differ diff --git a/docs/slides/Malcolm OT Protocol Support.pdf b/docs/slides/Malcolm OT Protocol Support.pdf index c6f9741e4..cd4749bf2 100644 Binary files a/docs/slides/Malcolm OT Protocol Support.pdf and b/docs/slides/Malcolm OT Protocol Support.pdf differ diff --git a/logstash/maps/malcolm_severity.yaml b/logstash/maps/malcolm_severity.yaml index 05d53b14d..3f21a1271 100644 --- a/logstash/maps/malcolm_severity.yaml +++ b/logstash/maps/malcolm_severity.yaml 
@@ -12,7 +12,7 @@
 "Connection aborted (responder)": 50
 "Connection attempt rejected": 40
 "Connection attempt, no reply": 20
-"Country of concern": 40
+"Sensitive country": 40
 "High entropy domain": 0
 "Intelligence": 80
 "File transfer": 0
diff --git a/logstash/maps/s7comm_result_codes.yaml b/logstash/maps/s7comm_result_codes.yaml
deleted file mode 100644
index 5c893f417..000000000
--- a/logstash/maps/s7comm_result_codes.yaml
+++ /dev/null
@@ -1,206 +0,0 @@ -"0": "Success" -"272": "Invalid block number" -"273": "Invalid request length" -"274": "Invalid parameter" -"275": "Invalid block type" -"276": "Block not found" -"277": "Block already exists" -"278": "Block is write-protected" -"279": "The block/operating system update is too large" -"280": "Invalid block number" -"281": "Incorrect password entered" -"282": "PG resource error" -"283": "PLC resource error" -"284": "Protocol error" -"285": "Too many blocks (module-related restriction)" -"286": "There is no longer a connection to the database, or S7DOS handle is invalid" -"287": "Result buffer too small" -"288": "End of block list" -"320": "Insufficient memory available" -"321": "Job cannot be processed because of a lack of resources" -"32769": "The requested service cannot be performed while the block is in the current status" -"32771": "S7 protocol error: Error occurred while transferring the block" -"33024": "Application, general error: Service unknown to remote module" -"33028": "This service is not implemented on the module or a frame error was reported" -"33284": "The type specification for the object is inconsistent" -"33285": "A copied block already exists and is not linked" -"33537": "Insufficient memory space or work memory on the module, or specified storage medium not accessible" -"33538": "Too few resources available or the processor resources are not available" -"33540": "No further parallel upload possible. There is a resource bottleneck" -"33541": "Function not available" -"33542": "Insufficient work memory (for copying, linking, loading AWP)" -"33543": "Not enough retentive work memory (for copying, linking, loading AWP)" -"33793": "S7 protocol error: Invalid service sequence (for example, loading or uploading a block)" -"33794": "Service cannot execute owing to status of the addressed object" -"33796": "S7 protocol: The function cannot be performed" -"33797": "Remote block is in DISABLE state (CFB). 
The function cannot be performed" -"34048": "S7 protocol error: Wrong frames" -"34051": "Alarm from the module: Service canceled prematurely" -"34561": "Error addressing the object on the communications partner (for example, area length error)" -"34562": "The requested service is not supported by the module" -"34563": "Access to object refused" -"34564": "Access error: Object damaged" -"53249": "Protocol error: Illegal job number" -"53250": "Parameter error: Illegal job variant" -"53251": "Parameter error: Debugging function not supported by module" -"53252": "Parameter error: Illegal job status" -"53253": "Parameter error: Illegal job termination" -"53254": "Parameter error: Illegal link disconnection ID" -"53255": "Parameter error: Illegal number of buffer elements" -"53256": "Parameter error: Illegal scan rate" -"53257": "Parameter error: Illegal number of executions" -"53258": "Parameter error: Illegal trigger event" -"53259": "Parameter error: Illegal trigger condition" -"53265": "Parameter error in path of the call environment: Block does not exist" -"53266": "Parameter error: Wrong address in block" -"53268": "Parameter error: Block being deleted/overwritten" -"53269": "Parameter error: Illegal tag address" -"53270": "Parameter error: Test jobs not possible, because of errors in user program" -"53271": "Parameter error: Illegal trigger number" -"53285": "Parameter error: Invalid path" -"53286": "Parameter error: Illegal access type" -"53287": "Parameter error: This number of data blocks is not permitted" -"53297": "Internal protocol error" -"53298": "Parameter error: Wrong result buffer length" -"53299": "Protocol error: Wrong job length" -"53311": "Coding error: Error in parameter section (for example, reserve bytes not equal to 0)" -"53313": "Data error: Illegal status list ID" -"53314": "Data error: Illegal tag address" -"53315": "Data error: Referenced job not found, check job data" -"53316": "Data error: Illegal tag value, check job data" -"53317": 
"Data error: Exiting the ODIS control is not allowed in HOLD" -"53318": "Data error: Illegal measuring stage during run-time measurement" -"53319": "Data error: Illegal hierarchy in 'Read job list'" -"53320": "Data error: Illegal deletion ID in 'Delete job'" -"53321": "Invalid substitute ID in 'Replace job'" -"53322": "Error executing 'program status'" -"53343": "Coding error: Error in data section (for example, reserve bytes not equal to 0, ...)" -"53345": "Resource error: No memory space for job" -"53346": "Resource error: Job list full" -"53347": "Resource error: Trigger event occupied" -"53348": "Resource error: Not enough memory space for one result buffer element" -"53349": "Resource error: Not enough memory space for several result buffer elements" -"53350": "Resource error: The timer available for run-time measurement is occupied by another job" -"53351": "Resource error: Too many 'modify tag' jobs active (in particular multi-processor operation)" -"53377": "Function not permitted in current mode" -"53378": "Mode error: Cannot exit HOLD mode" -"53409": "Function not permitted in current protection level" -"53410": "Function not possible at present, because a function is running that modifies memory" -"53411": "Too many 'modify tag' jobs active on the I/O (in particular multi-processor operation)" -"53412": "'Forcing' has already been established" -"53413": "Referenced job not found" -"53414": "Job cannot be disabled/enabled" -"53415": "Job cannot be deleted, for example because it is currently being read" -"53416": "Job cannot be replaced, for example because it is currently being read or deleted" -"53417": "Job cannot be read, for example because it is currently being deleted" -"53418": "Time limit exceeded in processing operation" -"53419": "Invalid job parameters in process operation" -"53420": "Invalid job data in process operation" -"53421": "Operating mode already set" -"53422": "The job was set up over a different connection and can only be handled 
over this connection" -"53441": "At least one error has been detected while accessing the tag(s)" -"53442": "Change to STOP/HOLD mode" -"53443": "At least one error was detected while accessing the tag(s). Mode change to STOP/HOLD" -"53444": "Timeout during run-time measurement" -"53445": "Display of block stack inconsistent, because blocks were deleted/reloaded" -"53446": "Job was automatically deleted as the jobs it referenced have been deleted" -"53447": "The job was automatically deleted because STOP mode was exited" -"53448": "'Block status' aborted because of inconsistencies between test job and running program" -"53449": "Exit the status area by resetting OB90" -"53450": "Exiting the status range by resetting OB90 and access error reading tags before exiting" -"53451": "The output disable for the peripheral outputs has been activated again" -"53452": "The amount of data for the debugging functions is restricted by the time limit" -"53761": "Syntax error in block name" -"53762": "Syntax error in function parameters" -"53765": "Linked block already exists in RAM: Conditional copying is not possible" -"53766": "Linked block already exists in EPROM: Conditional copying is not possible" -"53768": "Maximum number of copied (not linked) blocks on module exceeded" -"53769": "(At least) one of the given blocks not found on the module" -"53770": "The maximum number of blocks that can be linked with one job was exceeded" -"53771": "The maximum number of blocks that can be deleted with one job was exceeded" -"53772": "OB cannot be copied because the associated priority class does not exist" -"53773": "SDB cannot be interpreted (for example, unknown number)" -"53774": "No (further) block available" -"53775": "Module-specific maximum block size exceeded" -"53776": "Invalid block number" -"53778": "Incorrect header attribute (run-time relevant)" -"53779": "Too many SDBs. 
Note the restrictions on the module being used" -"53782": "Invalid user program - reset module" -"53783": "Protection level specified in module properties not permitted" -"53784": "Incorrect attribute (active/passive)" -"53785": "Incorrect block lengths (for example, incorrect length of first section or of the whole block)" -"53786": "Incorrect local data length or write-protection code faulty" -"53787": "Module cannot compress or compression was interrupted early" -"53789": "The volume of dynamic project data transferred is illegal" -"53790": "Unable to assign parameters to a module (such as FM, CP). The system data could not be linked" -"53792": "Invalid programming language. Note the restrictions on the module being used" -"53793": "The system data for connections or routing are not valid" -"53794": "The system data of the global data definition contain invalid parameters" -"53795": "Error in instance data block for communication function block or maximum number of instance DBs exceeded" -"53796": "The SCAN system data block contains invalid parameters" -"53797": "The DP system data block contains invalid parameters" -"53798": "A structural error occurred in a block" -"53808": "A structural error occurred in a block" -"53809": "At least one loaded OB cannot be copied because the associated priority class does not exist" -"53810": "At least one block number of a loaded block is illegal" -"53812": "Block exists twice in the specified memory medium or in the job" -"53813": "The block contains an incorrect checksum" -"53814": "The block does not contain a checksum" -"53815": "You are about to load the block twice, i.e. 
a block with the same time stamp already exists on the CPU" -"53816": "At least one of the blocks specified is not a DB" -"53817": "At least one of the DBs specified is not available as a linked variant in the load memory" -"53818": "At least one of the specified DBs is considerably different from the copied and linked variant" -"53824": "Coordination rules violated" -"53825": "The function is not permitted in the current protection level" -"53826": "Protection violation while processing F blocks" -"53840": "Update and module ID or version do not match" -"53841": "Incorrect sequence of operating system components" -"53842": "Checksum error" -"53843": "No executable loader available; update only possible using a memory card" -"53844": "Storage error in operating system" -"53888": "Error compiling block in S7-300 CPU" -"53921": "Another block function or a trigger on a block is active" -"53922": "A trigger is active on a block. Complete the debugging function first" -"53923": "The block is not active (linked), the block is occupied or the block is currently marked for deletion" -"53924": "The block is already being processed by another block function" -"53926": "It is not possible to save and change the user program simultaneously" -"53927": "The block has the attribute 'unlinked' or is not processed" -"53928": "An active debugging function is preventing parameters from being assigned to the CPU" -"53929": "New parameters are being assigned to the CPU" -"53930": "New parameters are currently being assigned to the modules" -"53931": "The dynamic configuration limits are currently being changed" -"53932": "A running active or deactivate assignment (SFC 12) is temporarily preventing R-KiR process" -"53936": "An error occurred while configuring in RUN (CiR)" -"53952": "The maximum number of technological objects has been exceeded" -"53953": "The same technology data block already exists on the module" -"53954": "Downloading the user program or downloading the hardware 
configuration is not possible" -"54273": "Information function unavailable" -"54274": "Information function unavailable" -"54275": "Service has already been logged on/off (Diagnostics/PMC)" -"54276": "Maximum number of nodes reached. No more logons possible for diagnostics/PMC" -"54277": "Service not supported or syntax error in function parameters" -"54278": "Required information currently unavailable" -"54279": "Diagnostics error occurred" -"54280": "Update aborted" -"54281": "Error on DP bus" -"54785": "Syntax error in function parameter" -"54786": "Incorrect password entered" -"54787": "The connection has already been legitimized" -"54788": "The connection has already been enabled" -"54789": "Legitimization not possible because password does not exist" -"55297": "At least one tag address is invalid" -"55298": "Specified job does not exist" -"55299": "Illegal job status" -"55300": "Illegal cycle time (illegal time base or multiple)" -"55301": "No more cyclic read jobs can be set up" -"55302": "The referenced job is in a state in which the requested function cannot be performed" -"55303": "Function aborted due to overload, meaning executing the read cycle takes longer than the set scan cycle time" -"56321": "Date and/or time invalid" -"57857": "CPU is already the coordinator" -"57858": "Connect and update not possible due to different user program in flash module" -"57859": "Connect and update not possible due to different firmware" -"57860": "Connect and update not possible due to different memory configuration" -"57861": "Connect/update aborted due to synchronization error" -"57862": "Connect/update denied due to coordination violation" -"61185": "S7 protocol error: Error at ID2; only 00H permitted in job" -"61186": "S7 protocol error: Error at ID2; set of resources does not exist" \ No newline at end of file diff --git a/logstash/maps/winlog_levels_to_name.yaml b/logstash/maps/winlog_levels_to_name.yaml new file mode 100644 index 000000000..67a2bb8c2 
--- /dev/null
+++ b/logstash/maps/winlog_levels_to_name.yaml
@@ -0,0 +1,6 @@
+"0": "Success"
+"1": "Error"
+"2": "Warning"
+"4": "Information"
+"8": "SuccessAudit"
+"16": "FailureAudit"
\ No newline at end of file
diff --git a/logstash/maps/winlog_levels_to_numbers.yaml b/logstash/maps/winlog_levels_to_numbers.yaml
new file mode 100644
index 000000000..4affe11a1
--- /dev/null
+++ b/logstash/maps/winlog_levels_to_numbers.yaml
@@ -0,0 +1,6 @@
+"Success": "0"
+"Error": "1"
+"Warning": "2"
+"Information": "4"
+"SuccessAudit": "8"
+"FailureAudit": "16"
\ No newline at end of file
diff --git a/logstash/maps/zeek_log_ecs_categories.yaml b/logstash/maps/zeek_log_ecs_categories.yaml
index 0911eab4d..a857e8e6e 100644
--- a/logstash/maps/zeek_log_ecs_categories.yaml
+++ b/logstash/maps/zeek_log_ecs_categories.yaml
@@ -13,6 +13,7 @@
 "cip_identity": ["ot", "network"]
 "cip_io": ["ot", "network"]
 "conn": ["network"]
+"cotp": ["ot", "network"]
 "dce_rpc": ["network"]
 "dhcp": ["network"]
 "dnp3": ["ot", "network"]
@@ -36,7 +37,6 @@
 "intel": ["intrusion_detection", "network"]
 "ipsec": ["network"]
 "irc": ["network"]
-"iso_cotp": ["ot", "network"]
 "kerberos": ["authentication", "iam", "network"]
 "known_certs": ["file"]
 "known_hosts": ["network"]
@@ -64,6 +64,8 @@
 "rdp": ["network"]
 "rfb": ["network"]
 "s7comm": ["ot", "network"]
+"s7comm_plus": ["ot", "network"]
+"s7comm_read_szl": ["ot", "network"]
 "signatures": ["malware", "intrusion_detection", "network"]
 "sip": ["network"]
 "smb_cmd": ["network"]
diff --git a/logstash/pipelines/beats/11_beats_logs.conf b/logstash/pipelines/beats/11_beats_logs.conf
index 0b3f4923c..21e7cf4cd 100644
--- a/logstash/pipelines/beats/11_beats_logs.conf
+++ b/logstash/pipelines/beats/11_beats_logs.conf
@@ -48,7 +48,7 @@ filter { mutate { id => "mutate_replace_agent_type_beats_filebeat_nginx" replace => { "[agent][type]" => "nginx" } } - } else if ("_malcolm_miscbeat" in [tags]) { + } else if ("_malcolm_miscbeat" in [tags]) or ([miscbeat]) { ############################################################################################################################# # misc. sensor metrics and logs from fluentbit received by filebeat TCP input # https://docs.fluentbit.io/manual/ @@ -104,7 +104,7 @@ filter { " } - # convert hashe of hashes to arrays of hashes so we don't end up creating a new + # convert hash of hashes to arrays of hashes so we don't end up creating a new # dynamically-mapped field for every single file/directory if ([miscbeat][aide][details]) { ruby { @@ -168,7 +168,7 @@ filter { event.get('[miscbeat][aide][added]').to_a + event.get('[miscbeat][aide][changed]').to_a + event.get('[miscbeat][aide][removed]').to_a - event.set('[file][path]', paths.uniq.flatten.compact) unless (paths.length == 0) + event.set('[file][path]', paths.uniq.flatten.reject{ |e| e.nil? || e&.empty? }) unless (paths.length == 0) " } 
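Review bot: In the new `event.set('[file][path]', paths.uniq.flatten.reject{ |e| e.nil? || e&.empty? })` line, the `&.` after `e.nil? ||` is dead (that operand is only evaluated for non-nil `e`), and, unlike the `compact` it replaces, `empty?` raises NoMethodError for any element that is not a String/Array/Hash, so an unexpected non-string value in the AIDE `added`/`changed`/`removed` lists would now abort the ruby filter instead of passing through. `reject { |e| e.to_s.empty? }` drops both nils and empty strings and tolerates other types. The enclosing ruby filter and its `if ([miscbeat][aide]...)` block start outside the hunk.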
@@ -521,6 +521,121 @@ filter { } # if ([miscbeat][syslog]) + # merge winevtlog and winlog (from fluent-bit) + if ([miscbeat][winevtlog]) or ([miscbeat][winlog]) { + + ruby { + id => "ruby_miscbeat_winlog_remove_empty_values" + path => "/usr/share/logstash/malcolm-ruby/compact_event.rb" + } + + # save event.module to agent.type before we replace it + mutate { id => "mutate_replace_agent_type_beats_miscbeat_winlog" + replace => { "[agent][type]" => "%{[event][module]}" } } + + if ([miscbeat][winevtlog]) { + if ([miscbeat][winevtlog][Level]) { + translate { + id => "translate_miscbeat_winevtlog_level_to_eventtype" + source => "[miscbeat][winevtlog][Level]" + target => "[event][result]" + dictionary_path => "/etc/winlog_levels_to_name.yaml" + } + } + + mutate { id => "mutate_replace_winevtlog_event_module" + replace => { "[event][module]" => "winlog" } } + mutate { id => "mutate_rename_miscbeat_winevtlog_winlog" + rename => { "[miscbeat][winevtlog]" => "[miscbeat][winlog]" } } + + } # [miscbeat][winevtlog] + + if ([miscbeat][winlog][EventType]) { + translate { + id => "translate_miscbeat_winlog_eventtype_to_level" + source => "[miscbeat][winlog][EventType]" + target => "[miscbeat][winlog][Level]" + dictionary_path => "/etc/winlog_levels_to_numbers.yaml" + } + } + + mutate { id => "mutate_rename_miscbeat_winlog" + rename => { "[miscbeat][winlog][EventID]" => "[event][id]" } + rename => { "[miscbeat][winlog][Channel]" => "[event][dataset]" } + rename => { "[miscbeat][winlog][RecordNumber]" => "[miscbeat][winlog][EventRecordID]" } + rename => { "[miscbeat][winlog][EventCategory]" => "[miscbeat][winlog][Task]" } + rename => { "[miscbeat][winlog][ComputerName]" => "[miscbeat][winlog][Computer]" } + rename => { "[miscbeat][winlog][EventType]" => "[event][result]" } + rename => { "[miscbeat][winlog][SourceName]" => "[miscbeat][winlog][ProviderName]" } + rename => { "[miscbeat][winlog][TimeCreated]" => "[miscbeat][winlog][TimeGenerated]" } + rename => { 
"[miscbeat][winlog][Message]" => "[event][original]" } + } + + if ([miscbeat][winlog][TimeGenerated]) { + date { + id => "date_beats_miscbeat_winlog_timegenerated" + match => [ "[miscbeat][winlog][TimeGenerated]", "yyyy-MM-dd HH:mm:ss Z" ] + target => "[miscbeat][winlog][TimeGenerated]" + } + } + if ([miscbeat][winlog][TimeWritten]) { + date { + id => "date_beats_miscbeat_winlog_timewritten" + match => [ "[miscbeat][winlog][TimeWritten]", "yyyy-MM-dd HH:mm:ss Z" ] + target => "[miscbeat][winlog][TimeWritten]" + } + } + + # generate unique ID + if (![event][hash]) { + fingerprint { + id => "fingerprint_malcolm_miscbeat_winlog" + source => [ "[host][name]", + "[agent][type]", + "[event][dataset]", + "[miscbeat][winlog][Computer]", + "[miscbeat][winlog][ProviderName]", + "[event][id]", + "[miscbeat][winlog][EventRecordID]", + "[event][original]", + "[@timestamp]" ] + concatenate_sources => true + # uses event.hash + ecs_compatibility => "v8" + method => "MURMUR3_128" + base64encode => true + } + } + + } # ([miscbeat][winevtlog]) or ([miscbeat][winlog]) + + if ([miscbeat][winstat]) { + + # generate unique ID + if (![event][hash]) { + fingerprint { + id => "fingerprint_malcolm_miscbeat_winstat" + source => [ "[host][name]", + "[event][module]", + "[miscbeat][winstat][cpu_kernel]", + "[miscbeat][winstat][cpu_user]", + "[miscbeat][winstat][kernel_paged]", + "[miscbeat][winstat][kernel_nonpaged]", + "[miscbeat][winstat][physical_used]", + "[miscbeat][winstat][physical_available]", + "[miscbeat][winstat][processes]", + "[miscbeat][winstat][uptime_msec]", + "[@timestamp]" ] + concatenate_sources => true + # uses event.hash + ecs_compatibility => "v8" + method => "MURMUR3_128" + base64encode => true + } + } + + } # [miscbeat][winstat] + } # event type (filebeat.nginx, miscbeat, etc) } \ No newline at end of file diff --git a/logstash/pipelines/enrichment/11_lookups.conf b/logstash/pipelines/enrichment/11_lookups.conf index 20360d446..b2f2d7dff 100644 
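Review bot: In `translate_miscbeat_winevtlog_level_to_eventtype`, `[miscbeat][winevtlog][Level]` is looked up in `winlog_levels_to_name.yaml`, whose keys are the legacy EventType constants (1=Error, 2=Warning, 4=Information, 8/16=audit). If the winevtlog producer emits the modern System/Level value (0=LogAlways, 1=Critical, 2=Error, 3=Warning, 4=Informational, 5=Verbose), as EvtRender-based readers do, a Level-2 Error would be recorded in `[event][result]` as `Warning`, Critical as `Error`, and Levels 3 and 5 would get no result at all — and the `Level` left on winevtlog events would use a different encoding from the one `translate_miscbeat_winlog_eventtype_to_level` writes for winlog events. Please confirm the producer's encoding and, if it is the modern one, give winevtlog its own dictionary rather than sharing the EventType table; either way a comment on the translate stating which encoding `Level` is expected to carry (e.g. `# Level here is the legacy EventType value, not System/Level`) would prevent the two from being conflated later.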
--- a/logstash/pipelines/enrichment/11_lookups.conf +++ b/logstash/pipelines/enrichment/11_lookups.conf @@ -253,6 +253,33 @@ filter { } } # if ([destination][ip]) + # network.direction (from tags assigned above) + if ("internal_source" in [tags]) and ("internal_destination" in [tags]) { + mutate { id => "mutate_add_field_metadata_network_direction_internal" + add_field => { "[@metadata][network_direction]" => "internal" } } + } else if ("external_source" in [tags]) and ("external_destination" in [tags]) { + mutate { id => "mutate_add_field_metadata_network_direction_external" + add_field => { "[@metadata][network_direction]" => "external" } } + } else if ("internal_source" in [tags]) and ("external_destination" in [tags]) { + mutate { id => "mutate_add_field_metadata_network_direction_outbound" + add_field => { "[@metadata][network_direction]" => "outbound" } } + } else if ("external_source" in [tags]) and ("internal_destination" in [tags]) { + mutate { id => "mutate_add_field_metadata_network_direction_inbound" + add_field => { "[@metadata][network_direction]" => "inbound" } } + } + if ([@metadata][network_direction]) { + mutate { id => "mutate_add_field_ecs_network_direction" + add_field => { "[network][direction]" => "%{[@metadata][network_direction]}" } } + mutate { id => "mutate_enrichment_tags_remove_direction" + remove_tag => [ "internal_source", + "internal_destination", + "external_source", + "external_destination" ] } + } else { + mutate { id => "mutate_add_field_ecs_network_direction_unknown" + add_field => { "[network][direction]" => "unknown" } } + } + if ([dns][host]) { # if requested, look up DNS queries using freq_server.py to get entropy scores 
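Review bot: Both the resolved-direction branch and the `else` branch write `[network][direction]` with `add_field`; if any earlier stage (a beats or Suricata parser, say) has already populated `network.direction`, Logstash's `add_field` appends rather than overwrites and the field becomes an array, which downstream `[network][direction] == "internal"`-style comparisons will never match. Guard the block with `if (![network][direction])`, or use `replace => { "[network][direction]" => "%{[@metadata][network_direction]}" }` for the derived value, and only stamp `unknown` when the field is still absent. Note also that the four `internal_*`/`external_*` tags are stripped only when a direction was resolved, so an event carrying a single tag (e.g. `internal_source` with no destination tag) keeps that tag and is labelled `unknown` — probably intended, but worth a one-line comment since the `19_severity.conf` consumer now keys off this field instead of the tags.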
@@ -408,12 +435,12 @@ filter { # event.set('ruby_exception', 'ruby_signatures_attack_extract: ' + e.message) # end # if (matches.length > 0) then -# tacticNames = matches.map{ |x| x[1].gsub(' ', '_') }.compact -# tacticIds = tacticNames.clone.map(&:clone).map{ |x| $tacticIdMap[x] }.compact - #tacticRefs = tacticIds.clone.map(&:clone).map { |x| x.gsub(/\..*/, '').prepend('https://attack.mitre.org/tactics/') }.uniq.compact -# techniqueNames = matches.map{ |x| [x[2], x[3]].compact.join(':') }.compact -# techniqueIds = matches.map{ |x| x[4] }.compact - #techniqueRefs = techniqueIds.clone.map(&:clone).map { |x| x.gsub(/\..*/, '').prepend('https://attack.mitre.org/techniques/') }.uniq.compact +# tacticNames = matches.map{ |x| x[1].gsub(' ', '_') }.reject{ |e| e.nil? || e&.empty? } +# tacticIds = tacticNames.clone.map(&:clone).map{ |x| $tacticIdMap[x] }.reject{ |e| e.nil? || e&.empty? } + #tacticRefs = tacticIds.clone.map(&:clone).map { |x| x.gsub(/\..*/, '').prepend('https://attack.mitre.org/tactics/') }.uniq.reject{ |e| e.nil? || e&.empty? } +# techniqueNames = matches.map{ |x| [x[2], x[3]].reject{ |e| e.nil? || e&.empty? }.join(':') }.reject{ |e| e.nil? || e&.empty? } +# techniqueIds = matches.map{ |x| x[4] }.reject{ |e| e.nil? || e&.empty? } + #techniqueRefs = techniqueIds.clone.map(&:clone).map { |x| x.gsub(/\..*/, '').prepend('https://attack.mitre.org/techniques/') }.uniq.reject{ |e| e.nil? || e&.empty? } # event.set('[threat][tactic][name]', tacticNames.uniq) unless (tacticNames.length == 0) # event.set('[threat][tactic][id]', tacticIds.uniq) unless (tacticIds.length == 0) # event.set('[threat][tactic][reference]', tacticRefs.uniq) unless (tacticRefs.length == 0) 
@@ -466,12 +493,14 @@ filter { ("enip" in [network][protocol]) or ("ethercat" in [network][protocol]) or ("genisys" in [network][protocol]) or - ("iso_cotp" in [network][protocol]) or + ("cotp" in [network][protocol]) or ("opcua-binary" in [network][protocol]) or ("modbus" in [network][protocol]) or ("profinet" in [network][protocol]) or ("profinet_dce_rpc" in [network][protocol]) or - ("s7comm" in [network][protocol])) { + ("s7comm" in [network][protocol]) or + ("s7comm_plus" in [network][protocol]) or + ("s7comm_read_szl" in [network][protocol])) { mutate { id => "mutate_add_tag_ics_from_network_protocol" add_tag => [ "ics" ] } } diff --git a/logstash/pipelines/enrichment/19_severity.conf b/logstash/pipelines/enrichment/19_severity.conf index 297f199e3..54c70a879 100644 --- a/logstash/pipelines/enrichment/19_severity.conf +++ b/logstash/pipelines/enrichment/19_severity.conf 
@@ -16,19 +16,19 @@ filter { add_field => { "[event][severity_tags]" => "Cross-segment traffic" } } } - # inbound/outbound/internal/external connection based on previously-populated tag + # inbound/outbound/internal/external connection based on previously-populated network.direction value if ([event][provider] != "zeek") or ([event][dataset] != "files") { - # files.log is excluded here because tx_hosts and tx_hosts doesn't really indicate the direction of the connection itself - if ("internal_source" in [tags]) and ("internal_destination" in [tags]) { + # zeek's files.log is excluded here because tx_hosts and tx_hosts doesn't really indicate the direction of the connection itself + if ([network][direction] == "internal") { mutate { id => "mutate_add_field_severity_item_internal" add_field => { "[event][severity_tags]" => "Internal traffic" } } - } else if ("external_source" in [tags]) and ("external_destination" in [tags]) { + } else if ([network][direction] == "external") { mutate { id => "mutate_add_field_severity_item_external" add_field => { "[event][severity_tags]" => "External traffic" } } - } else if ("internal_source" in [tags]) and ("external_destination" in [tags]) { + } else if ([network][direction] == "outbound") { mutate { id => "mutate_add_field_severity_item_outbound" add_field => { "[event][severity_tags]" => "Outbound traffic" } } - } else if ("external_source" in [tags]) and ("internal_destination" in [tags]) { + } else if ([network][direction] == "inbound") { mutate { id => "mutate_add_field_severity_item_inbound" add_field => { "[event][severity_tags]" => "Inbound traffic" } } } 
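Review bot: The rewritten exclusion comment reads `tx_hosts and tx_hosts`, which names the same field twice; presumably the second should be `rx_hosts`, i.e. `# zeek's files.log is excluded here because tx_hosts and rx_hosts don't really indicate the direction of the connection itself`. The switch from tag checks to `[network][direction] == …` comparisons also depends on 11_lookups.conf running first (ordering by filename prefix) and on it setting the field for every event, which its `unknown` fallback appears to guarantee; a short comment here naming that dependency, e.g. `# [network][direction] is populated for every event in 11_lookups.conf`, would make the coupling explicit.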
@@ -38,7 +38,7 @@ filter { if ([source][geo][country_iso_code]) or ([destination][geo][country_iso_code]) or ([dns][GEO]) { ruby { id => "ruby_add_field_severity_geo" - init => "countriesStr = ENV['QUESTIONABLE_COUNTRY_CODES'] || 'CN,IR,KP,RU,UA' ; $countries = countriesStr.gsub(/\s+/, '').upcase.split(',')" + init => "countriesStr = ENV['SENSITIVE_COUNTRY_CODES'] || 'AM,AZ,BY,CN,CU,DZ,GE,HK,IL,IN,IQ,IR,KG,KP,KZ,LY,MD,MO,PK,RU,SD,SS,SY,TJ,TM,TW,UA,UZ' ; $countries = countriesStr.gsub(/\s+/, '').upcase.split(',')" code => " srcGEOs = event.get('[source][geo][country_iso_code]') dstGEOs = event.get('[destination][geo][country_iso_code]') @@ -53,7 +53,7 @@ filter { newtags.push(sevtags) sevtags = newtags end - sevtags.push('Country of concern') + sevtags.push('Sensitive country') event.set('[event][severity_tags]', sevtags) end" } diff --git a/logstash/pipelines/enrichment/20_enriched_to_ecs.conf b/logstash/pipelines/enrichment/20_enriched_to_ecs.conf index 0e383adeb..8b73c7745 100644 --- a/logstash/pipelines/enrichment/20_enriched_to_ecs.conf +++ b/logstash/pipelines/enrichment/20_enriched_to_ecs.conf 
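Review bot: Renaming the environment variable from `QUESTIONABLE_COUNTRY_CODES` to `SENSITIVE_COUNTRY_CODES` in the ruby `init` silently drops any operator override set under the old name, since only the new name is consulted. A one-release fallback keeps existing deployments working: `countriesStr = ENV['SENSITIVE_COUNTRY_CODES'] || ENV['QUESTIONABLE_COUNTRY_CODES'] || 'AM,AZ,…,UZ'` with the default list unchanged, plus a deprecation note wherever the variable is documented. The second hunk on this file (`@@ -53`) likewise renames the severity tag value from `Country of concern` to `Sensitive country`; any saved search, dashboard filter or alert keyed on the old string stops matching, which is worth a release-notes entry — I can't see those artifacts from here.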
@@ -32,25 +32,6 @@ filter { add_field => { "[network][iana_number]" => "%{[ipProtocol]}" } } } - # network.direction (from tags assigned during 11_lookups.conf) - if ("internal_source" in [tags]) and ("internal_destination" in [tags]) { - mutate { id => "mutate_add_field_metadata_network_direction_internal" - add_field => { "[@metadata][network_direction]" => "internal" } } - } else if ("external_source" in [tags]) and ("external_destination" in [tags]) { - mutate { id => "mutate_add_field_metadata_network_direction_external" - add_field => { "[@metadata][network_direction]" => "external" } } - } else if ("internal_source" in [tags]) and ("external_destination" in [tags]) { - mutate { id => "mutate_add_field_metadata_network_direction_outbound" - add_field => { "[@metadata][network_direction]" => "outbound" } } - } else if ("external_source" in [tags]) and ("internal_destination" in [tags]) { - mutate { id => "mutate_add_field_metadata_network_direction_inbound" - add_field => { "[@metadata][network_direction]" => "inbound" } } - } - if ([@metadata][network_direction]) { - mutate { id => "mutate_add_field_ecs_network_direction" - add_field => { "[network][direction]" => "%{[@metadata][network_direction]}" } } - } - # network.name (based on info from [destination][segment] and [source][segment]) if ([destination][segment]) { mutate { id => "mutate_add_field_ecs_network_name_resp" merge => { "[network][name]" => "[destination][segment]" } } } diff --git a/logstash/pipelines/external/99_opensearch_output.conf b/logstash/pipelines/external/99_opensearch_output.conf index e95c82079..bf1142169 100644 --- a/logstash/pipelines/external/99_opensearch_output.conf +++ b/logstash/pipelines/external/99_opensearch_output.conf 
@@ -1,11 +1,10 @@
 output {
 opensearch {
 id => "output_external_opensearch_malcolm"
- hosts => "${OS_EXTERNAL_HOSTS}"
- ssl => "${OS_EXTERNAL_SSL:true}"
- ssl_certificate_verification => "${OS_EXTERNAL_SSL_CERTIFICATE_VERIFICATION:false}"
- user => "${OS_EXTERNAL_USER:}"
- password => "${OS_EXTERNAL_PASSWORD:}"
+ hosts => "${OPENSEARCH_SECONDARY_URL}"
+ ssl_certificate_verification => "_MALCOLM_LOGSTASH_OPENSEARCH_SECONDARY_SSL_VERIFICATION_"
+ user => "_MALCOLM_LOGSTASH_OPENSEARCH_SECONDARY_USER_"
+ password => "_MALCOLM_LOGSTASH_OPENSEARCH_SECONDARY_PASSWORD_"
 manage_template => false
 index => "%{[@metadata][malcolm_opensearch_index_prefix]}-%{+YYMMdd}"
 document_id => "%{+YYMMdd}-%{[event][hash]}"
diff --git a/logstash/pipelines/output/99_opensearch_output.conf b/logstash/pipelines/output/99_opensearch_output.conf
index 9c9555895..d17992c5b 100644
--- a/logstash/pipelines/output/99_opensearch_output.conf
+++ b/logstash/pipelines/output/99_opensearch_output.conf
@@ -1,7 +1,10 @@
 output {
 opensearch {
 id => "output_opensearch_malcolm"
- hosts => "${OS_HOSTS:opensearch:9200}"
+ hosts => "${OPENSEARCH_URL:http://opensearch:9200}"
+ ssl_certificate_verification => "_MALCOLM_LOGSTASH_OPENSEARCH_SSL_VERIFICATION_"
+ user => "_MALCOLM_LOGSTASH_OPENSEARCH_USER_"
+ password => "_MALCOLM_LOGSTASH_OPENSEARCH_PASSWORD_"
 manage_template => false
 index => "%{[@metadata][malcolm_opensearch_index_prefix]}-%{+YYMMdd}"
 document_id => "%{+YYMMdd}-%{[event][hash]}"
diff --git a/logstash/pipelines/suricata/11_suricata_logs.conf b/logstash/pipelines/suricata/11_suricata_logs.conf
index c8a17260d..6ba71c6fe 100644
--- a/logstash/pipelines/suricata/11_suricata_logs.conf
+++ b/logstash/pipelines/suricata/11_suricata_logs.conf
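Review bot: Nothing in either output hunk documents what replaces the literal placeholder tokens (`_MALCOLM_LOGSTASH_OPENSEARCH_SSL_VERIFICATION_`, `_MALCOLM_LOGSTASH_OPENSEARCH_USER_`, `_MALCOLM_LOGSTASH_OPENSEARCH_PASSWORD_` and their `_SECONDARY_` counterparts) that now stand in for the former `${VAR:default}` substitutions; if that rewrite step is skipped or fails, Logstash is handed a non-boolean string for `ssl_certificate_verification` and a literal username/password. The substituting script should fail loudly when a token is left behind, and a comment above each `opensearch { … }` block, e.g. `# _MALCOLM_LOGSTASH_OPENSEARCH_*_ tokens are rewritten at container start by <substitution-script>`, would document the contract. Rewriting credentials into the pipeline file also leaves them in plaintext on disk inside the container, which the `${VAR}` form or the Logstash keystore avoids; the reason for preferring token rewriting (presumably the empty-default handling of `${OS_EXTERNAL_USER:}`) deserves a comment so nobody reverts it blindly. Dropping `ssl => "${OS_EXTERNAL_SSL:true}"` in the external file means TLS is now inferred from the `OPENSEARCH_SECONDARY_URL` scheme, which is fine provided that is stated where the variable is defined.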
@@ -161,82 +161,82 @@ filter { if ([suricata][dcerpc]) { ruby { id => "ruby_add_field_suricata_dcerpc" - code => "event.set('[network][protocol]', [ 'dce_rpc', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'dce_rpc', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][dhcp]) { ruby { id => "ruby_add_field_suricata_dhcp" - code => "event.set('[network][protocol]', [ 'dhcp', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'dhcp', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][dnp3]) { ruby { id => "ruby_add_field_suricata_dnp3" - code => "event.set('[network][protocol]', [ 'dnp3', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'dnp3', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][dns]) { ruby { id => "ruby_add_field_suricata_dns" - code => "event.set('[network][protocol]', [ 'dns', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'dns', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][ftp]) { ruby { id => "ruby_add_field_suricata_ftp" - code => "event.set('[network][protocol]', [ 'ftp', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'ftp', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][http]) { ruby { id => "ruby_add_field_suricata_http" - code => "event.set('[network][protocol]', [ 'http', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'http', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? 
})" } } if ([suricata][icmp_code]) or ([suricata][icmp_type]) or ([suricata][response_icmp_code]) or ([suricata][response_icmp_type]) { ruby { id => "ruby_add_field_suricata_icmp" - code => "event.set('[network][protocol]', [ 'icmp', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'icmp', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][ikev2]) { ruby { id => "ruby_add_field_suricata_ikev2" - code => "event.set('[network][protocol]', [ 'ikev2', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'ikev2', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][krb5]) { ruby { id => "ruby_add_field_suricata_krb5" - code => "event.set('[network][protocol]', [ 'krb5', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'krb5', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][nfs]) { ruby { id => "ruby_add_field_suricata_nfs" - code => "event.set('[network][protocol]', [ 'nfs', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'nfs', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][rdp]) { ruby { id => "ruby_add_field_suricata_rdp" - code => "event.set('[network][protocol]', [ 'rdp', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'rdp', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][rpc]) { ruby { id => "ruby_add_field_suricata_rfc" - code => "event.set('[network][protocol]', [ 'rfc', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'rfc', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? 
})" } } if ([suricata][sip]) { ruby { id => "ruby_add_field_suricata_sip" - code => "event.set('[network][protocol]', [ 'sip', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'sip', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][smb]) { ruby { id => "ruby_add_field_suricata_smb" - code => "event.set('[network][protocol]', [ 'smb', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'smb', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][smtp]) { ruby { id => "ruby_add_field_suricata_smtp" - code => "event.set('[network][protocol]', [ 'smtp', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'smtp', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][snmp]) { ruby { id => "ruby_add_field_suricata_snmp" - code => "event.set('[network][protocol]', [ 'snmp', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'snmp', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][ssh]) { ruby { id => "ruby_add_field_suricata_ssh" - code => "event.set('[network][protocol]', [ 'ssh', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'ssh', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([suricata][tftp]) { ruby { id => "ruby_add_field_suricata_tftp" - code => "event.set('[network][protocol]', [ 'tftp', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'tftp', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? 
})" } } if ([suricata][tls]) { ruby { id => "ruby_add_field_suricata_tls" - code => "event.set('[network][protocol]', [ 'tls', event.get('[network][protocol]') ].flatten.compact)" } + code => "event.set('[network][protocol]', [ 'tls', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } } diff --git a/logstash/pipelines/zeek/11_zeek_logs.conf b/logstash/pipelines/zeek/11_zeek_logs.conf index b0a6062e0..8dab967d9 100644 --- a/logstash/pipelines/zeek/11_zeek_logs.conf +++ b/logstash/pipelines/zeek/11_zeek_logs.conf @@ -15,7 +15,7 @@ filter { - if (([message] =~ /^\s*#/) or (![log][file][path])) { + if (([message] =~ /^#/) or (![log][file][path])) { drop { id => "drop_zeek_invalid_logs" } } @@ -285,7 +285,7 @@ filter { id => "dissect_zeek_bacnet" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][bvlc_function]} %{[zeek_cols][pdu_type]} %{[zeek_cols][pdu_service]} %{[zeek_cols][invoke_id]} %{[zeek_cols][result_code]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][bvlc_function]} %{[zeek_cols][pdu_type]} %{[zeek_cols][pdu_service]} %{[zeek_cols][invoke_id]} %{[zeek_cols][result_code]}" } } if ("_dissectfailure" in [tags]) { 
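Review bot: `ruby_add_field_suricata_rfc` still pushes the protocol name `'rfc'` when `[suricata][rpc]` is present; this looks like a typo for `'rpc'` carried into the rewritten line, i.e. `code => "event.set('[network][protocol]', [ 'rpc', event.get('[network][protocol]') ].flatten.reject{ |e| e.nil? || e&.empty? })"` with the filter id renamed to match. In the new `reject` blocks the safe-navigation in `e&.empty?` is redundant after `e.nil? ||`, and `empty?` raises for an element that is neither String nor Array, so if `[network][protocol]` can ever hold a non-string value (I can't tell from here) `e.to_s.empty?` is the safer test. The same one-liner is repeated in eighteen filters; a single ruby filter iterating over a `{ 'dcerpc' => 'dce_rpc', 'dhcp' => 'dhcp', … }` map declared in `init` would keep one copy of the logic. The enclosing `filter { … }` block starts before the hunk.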
@@ -296,7 +296,7 @@ filter { } ruby { id => "ruby_zip_zeek_bacnet" - init => "$zeek_bacnet_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'bvlc_function', 'pdu_type', 'pdu_service', 'invoke_id', 'result_code' ]" + init => "$zeek_bacnet_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'bvlc_function', 'pdu_type', 'pdu_service', 'invoke_id', 'result_code' ]" code => "event.set('[zeek_cols]', $zeek_bacnet_field_names.zip(event.get('[message]')).to_h)" } } @@ -523,7 +523,7 @@ filter { id => "dissect_zeek_bacnet_discovery" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_service]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][vendor]} %{[zeek_cols][range]} %{[zeek_cols][object_name]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][pdu_service]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][vendor]} %{[zeek_cols][range]} %{[zeek_cols][object_name]}" } } if ("_dissectfailure" in [tags]) { @@ -534,7 +534,7 @@ filter { } ruby { id => "ruby_zip_zeek_bacnet_discovery" - init => "$zeek_bacnet_discovery_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_service', 'object_type', 'instance_number', 'vendor', 'range', 'object_name' ]" + init => "$zeek_bacnet_discovery_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'pdu_service', 'object_type', 'instance_number', 'vendor', 'range', 'object_name' ]" code => "event.set('[zeek_cols]', $zeek_bacnet_discovery_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -557,7 +557,7 @@ filter { id => "dissect_zeek_bacnet_property" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_service]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][property]} %{[zeek_cols][array_index]} %{[zeek_cols][value]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][pdu_service]} %{[zeek_cols][object_type]} %{[zeek_cols][instance_number]} %{[zeek_cols][property]} %{[zeek_cols][array_index]} %{[zeek_cols][value]}" } } if ("_dissectfailure" in [tags]) { @@ -568,7 +568,7 @@ filter { } ruby { id => "ruby_zip_zeek_bacnet_property" - init => "$zeek_bacnet_property_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_service', 'object_type', 'instance_number', 'property', 'array_index', 'value' ]" + init => "$zeek_bacnet_property_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'pdu_service', 'object_type', 'instance_number', 'property', 'array_index', 'value' ]" code => "event.set('[zeek_cols]', $zeek_bacnet_property_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -593,7 +593,7 @@ filter { id => "dissect_zeek_cip" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cip_sequence_count]} %{[zeek_cols][direction]} %{[zeek_cols][cip_service_code]} %{[zeek_cols][cip_service]} %{[zeek_cols][cip_status]} %{[zeek_cols][class_id]} %{[zeek_cols][class_name]} %{[zeek_cols][instance_id]} %{[zeek_cols][attribute_id]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][cip_sequence_count]} %{[zeek_cols][direction]} %{[zeek_cols][cip_service_code]} %{[zeek_cols][cip_service]} %{[zeek_cols][cip_status]} %{[zeek_cols][class_id]} %{[zeek_cols][class_name]} %{[zeek_cols][instance_id]} %{[zeek_cols][attribute_id]}" } } if ("_dissectfailure" in [tags]) { @@ -604,7 +604,7 @@ filter { } ruby { id => "ruby_zip_zeek_cip" - init => "$zeek_cip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cip_sequence_count', 'direction', 'cip_service', 'cip_status', 'class_id', 'class_name', 'instance_id', 'attribute_id' ]" + init => "$zeek_cip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'cip_sequence_count', 'direction', 'cip_service', 'cip_status', 'class_id', 'class_name', 'instance_id', 'attribute_id' ]" code => "event.set('[zeek_cols]', $zeek_cip_field_names.zip(event.get('[message]')).to_h)" } } 
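Review bot: In the `ruby_zip_zeek_cip` fallback the field list `$zeek_cip_field_names` has 15 names while the dissect mapping above it has 16 columns — `cip_service_code` sits between `direction` and `cip_service` in the mapping but is absent from the list — so when dissect fails and the split/zip path runs, every column from `cip_service` onward is shifted by one. The two definitions must stay identical; inserting `'cip_service_code'` after `'direction'` in the `init` string fixes this one. The enip hunks on this file (`@@ -980`/`@@ -991`) have the same mismatch: the mapping includes `enip_command_code` but `$zeek_enip_field_names` omits it. Both mismatches appear to predate this commit, but the commit rewrites both lines, so this is the moment to align them.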
@@ -658,7 +658,7 @@ filter { id => "dissect_zeek_cip_io" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][connection_id]} %{[zeek_cols][sequence_number]} %{[zeek_cols][data_length]} %{[zeek_cols][io_data]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][connection_id]} %{[zeek_cols][sequence_number]} %{[zeek_cols][data_length]} %{[zeek_cols][io_data]}" } } if ("_dissectfailure" in [tags]) { @@ -669,7 +669,7 @@ filter { } ruby { id => "ruby_zip_zeek_cip_io" - init => "$zeek_cip_io_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'connection_id', 'sequence_number', 'data_length', 'io_data' ]" + init => "$zeek_cip_io_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'connection_id', 'sequence_number', 'data_length', 'io_data' ]" code => "event.set('[zeek_cols]', $zeek_cip_io_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -980,7 +980,7 @@ filter { id => "dissect_zeek_enip" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][enip_command_code]} %{[zeek_cols][enip_command]} %{[zeek_cols][length]} %{[zeek_cols][session_handle]} %{[zeek_cols][enip_status]} %{[zeek_cols][sender_context]} %{[zeek_cols][options]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][enip_command_code]} %{[zeek_cols][enip_command]} %{[zeek_cols][length]} %{[zeek_cols][session_handle]} %{[zeek_cols][enip_status]} %{[zeek_cols][sender_context]} %{[zeek_cols][options]}" } } if ("_dissectfailure" in [tags]) { @@ -991,7 +991,7 @@ filter { } ruby { id => "ruby_zip_zeek_enip" - init => "$zeek_enip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'enip_command', 'length', 'session_handle', 'enip_status', 'sender_context', 'options' ]" + init => "$zeek_enip_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'enip_command', 'length', 'session_handle', 'enip_status', 'sender_context', 'options' ]" code => "event.set('[zeek_cols]', $zeek_enip_field_names.zip(event.get('[message]')).to_h)" } } @@ -1424,7 +1424,7 @@ filter { mutate { id => "mutate_split_zeek_genisys" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP - split => { "[message]" => " " } + split => { "[message]" => " " } } ruby { id => "ruby_zip_zeek_genisys" 
@@ -1644,34 +1644,37 @@ filter { } } - } else if ([log_source] == "iso_cotp") { + } else if ([log_source] == "cotp") { ############################################################################################################################# - # iso_cotp.log - # https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek + # cotp.log + # https://github.com/cisagov/icsnpp-s7comm dissect { - id => "dissect_zeek_iso_cotp" + id => "dissect_zeek_cotp" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_type]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][pdu_code]} %{[zeek_cols][pdu_name]}" } } if ("_dissectfailure" in [tags]) { mutate { - id => "mutate_split_zeek_iso_cotp" + id => "mutate_split_zeek_cotp" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP split => { "[message]" => " " } } ruby { - id => "ruby_zip_zeek_iso_cotp" - init => "$zeek_iso_cotp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_type' ]" - code => "event.set('[zeek_cols]', $zeek_iso_cotp_field_names.zip(event.get('[message]')).to_h)" + id => "ruby_zip_zeek_cotp" + init => "$zeek_cotp_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'pdu_code', 'pdu_name' ]" + code => "event.set('[zeek_cols]', $zeek_cotp_field_names.zip(event.get('[message]')).to_h)" } } mutate { - id => "mutate_add_fields_zeek_iso_cotp" - add_field => { "[zeek_cols][service]" => "cotp" } + id => "mutate_add_fields_zeek_cotp" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "cotp" + } add_tag => [ "ics" ] } 
@@ -2315,16 +2318,78 @@ filter { mutate { id => "mutate_add_fields_zeek_service_ocsp" add_field => { "[zeek_cols][service]" => "X.509" } } + } else if ([log_source] == "opcua_binary") { + ############################################################################################################################# + # opcua-binary.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek + + dissect { + id => "dissect_zeek_opcua_binary" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][msg_type]} %{[zeek_cols][is_final]} %{[zeek_cols][msg_size]} %{[zeek_cols][error]} %{[zeek_cols][reason]} %{[zeek_cols][version]} %{[zeek_cols][rcv_buf_size]} %{[zeek_cols][snd_buf_size]} %{[zeek_cols][max_msg_size]} %{[zeek_cols][max_chunk_cnt]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][sec_channel_id]} %{[zeek_cols][sec_policy_uri_len]} %{[zeek_cols][sec_policy_uri]} %{[zeek_cols][snd_cert_len]} %{[zeek_cols][snd_cert]} %{[zeek_cols][rcv_cert_len]} %{[zeek_cols][rcv_cert]} %{[zeek_cols][seq_number]} %{[zeek_cols][request_id]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][namespace_idx]} %{[zeek_cols][identifier]} %{[zeek_cols][identifier_str]} %{[zeek_cols][req_hdr_node_id_type]} %{[zeek_cols][req_hdr_node_id_namespace_idx]} %{[zeek_cols][req_hdr_node_id_numeric]} %{[zeek_cols][req_hdr_node_id_string]} %{[zeek_cols][req_hdr_node_id_guid]} %{[zeek_cols][req_hdr_node_id_opaque]} %{[zeek_cols][req_hdr_timestamp]} %{[zeek_cols][req_hdr_request_handle]} %{[zeek_cols][req_hdr_return_diag]} %{[zeek_cols][req_hdr_audit_entry_id]} %{[zeek_cols][req_hdr_timeout_hint]} %{[zeek_cols][req_hdr_add_hdr_type_id]} %{[zeek_cols][req_hdr_add_hdr_enc_mask]} %{[zeek_cols][res_hdr_timestamp]} %{[zeek_cols][res_hdr_request_handle]} 
%{[zeek_cols][status_code_link_id]} %{[zeek_cols][res_hdr_service_diag_encoding]} %{[zeek_cols][res_hdr_add_hdr_type_id]} %{[zeek_cols][res_hdr_add_hdr_enc_mask]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary" + init => "$zeek_opcua_binary_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'opcua_link_id', 'msg_type', 'is_final', 'msg_size', 'error', 'reason', 'version', 'rcv_buf_size', 'snd_buf_size', 'max_msg_size', 'max_chunk_cnt', 'endpoint_url', 'sec_channel_id', 'sec_policy_uri_len', 'sec_policy_uri', 'snd_cert_len', 'snd_cert', 'rcv_cert_len', 'rcv_cert', 'seq_number', 'request_id', 'encoding_mask', 'namespace_idx', 'identifier', 'identifier_str', 'req_hdr_node_id_type', 'req_hdr_node_id_namespace_idx', 'req_hdr_node_id_numeric', 'req_hdr_node_id_string', 'req_hdr_node_id_guid', 'req_hdr_node_id_opaque', 'req_hdr_timestamp', 'req_hdr_request_handle', 'req_hdr_return_diag', 'req_hdr_audit_entry_id', 'req_hdr_timeout_hint', 'req_hdr_add_hdr_type_id', 'req_hdr_add_hdr_enc_mask', 'res_hdr_timestamp', 'res_hdr_request_handle', 'status_code_link_id', 'res_hdr_service_diag_encoding', 'res_hdr_add_hdr_type_id', 'res_hdr_add_hdr_enc_mask' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_status_code_detail") { + ############################################################################################################################# + # opcua-binary-status-code-detail.log + # 
https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/statuscode-diagnostic-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_status_code_detail" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][source]} %{[zeek_cols][source_str]} %{[zeek_cols][source_level]} %{[zeek_cols][status_code]} %{[zeek_cols][severity]} %{[zeek_cols][severity_str]} %{[zeek_cols][sub_code]} %{[zeek_cols][sub_code_str]} %{[zeek_cols][structure_changed]} %{[zeek_cols][semantics_changed]} %{[zeek_cols][info_type]} %{[zeek_cols][info_type_str]} %{[zeek_cols][limit_bits]} %{[zeek_cols][limit_bits_str]} %{[zeek_cols][overflow]} %{[zeek_cols][historian_bits]} %{[zeek_cols][historian_bits_str]} %{[zeek_cols][historianPartial]} %{[zeek_cols][historianExtraData]} %{[zeek_cols][historianMultiValue]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_status_code_detail" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_status_code_detail" + init => "$zeek_opcua_binary_status_code_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'status_code_link_id', 'source', 'source_str', 'source_level', 'status_code', 'severity', 'severity_str', 'sub_code', 'sub_code_str', 'structure_changed', 'semantics_changed', 'info_type', 'info_type_str', 'limit_bits', 'limit_bits_str', 'overflow', 'historian_bits', 'historian_bits_str', 'historianPartial', 'historianExtraData', 'historianMultiValue' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_status_code_detail_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => 
"mutate_add_fields_zeek_service_opcua_binary_status_code_detail" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + } else if ([log_source] == "opcua_binary_diag_info_detail") { ############################################################################################################################# # opcua-binary-diag-info-detail.log - # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/statuscode-diagnostic-types.zeek dissect { id => "dissect_zeek_opcua_binary_diag_info_detail" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_id]} %{[zeek_cols][inner_diag_level]} %{[zeek_cols][has_symbolic_id]} %{[zeek_cols][symbolic_id]} %{[zeek_cols][symbolic_id_str]} %{[zeek_cols][has_namespace_uri]} %{[zeek_cols][namespace_uri]} %{[zeek_cols][namespace_uri_str]} %{[zeek_cols][has_locale]} %{[zeek_cols][locale]} %{[zeek_cols][locale_str]} %{[zeek_cols][has_locale_txt]} %{[zeek_cols][locale_txt]} %{[zeek_cols][locale_txt_str]} %{[zeek_cols][has_addl_info]} %{[zeek_cols][addl_info]} %{[zeek_cols][has_inner_stat_code]} %{[zeek_cols][inner_stat_code]} %{[zeek_cols][has_inner_diag_info]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][diag_info_link_id]} %{[zeek_cols][source]} %{[zeek_cols][source_str]} %{[zeek_cols][inner_diag_level]} %{[zeek_cols][has_symbolic_id]} %{[zeek_cols][symbolic_id]} %{[zeek_cols][symbolic_id_str]} %{[zeek_cols][has_namespace_uri]} %{[zeek_cols][namespace_uri]} %{[zeek_cols][namespace_uri_str]} %{[zeek_cols][has_locale]} %{[zeek_cols][locale]} 
%{[zeek_cols][locale_str]} %{[zeek_cols][has_locale_txt]} %{[zeek_cols][locale_txt]} %{[zeek_cols][locale_txt_str]} %{[zeek_cols][has_addl_info]} %{[zeek_cols][addl_info]} %{[zeek_cols][has_inner_stat_code]} %{[zeek_cols][inner_stat_code]} %{[zeek_cols][has_inner_diag_info]}" } } if ("_dissectfailure" in [tags]) { @@ -2336,7 +2401,7 @@ filter { ruby { id => "ruby_zip_zeek_opcua_binary_diag_info_detail" - init => "$zeek_opcua_binary_diag_info_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'opcua_id', 'inner_diag_level', 'has_symbolic_id', 'symbolic_id', 'symbolic_id_str', 'has_namespace_uri', 'namespace_uri', 'namespace_uri_str', 'has_locale', 'locale', 'locale_str', 'has_locale_txt', 'locale_txt', 'locale_txt_str', 'has_addl_info', 'addl_info', 'has_inner_stat_code', 'inner_stat_code', 'has_inner_diag_info' ]" + init => "$zeek_opcua_binary_diag_info_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'diag_info_link_id', 'source', 'source_str', 'inner_diag_level', 'has_symbolic_id', 'symbolic_id', 'symbolic_id_str', 'has_namespace_uri', 'namespace_uri', 'namespace_uri_str', 'has_locale', 'locale', 'locale_str', 'has_locale_txt', 'locale_txt', 'locale_txt_str', 'has_addl_info', 'addl_info', 'has_inner_stat_code', 'inner_stat_code', 'has_inner_diag_info' ]" code => "event.set('[zeek_cols]', $zeek_opcua_binary_diag_info_detail_field_names.zip(event.get('[message]')).to_h)" } } 
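Review bot: The new `opcua-binary-status-code-detail.log` mapping and its matching `init` list end with `historianPartial`, `historianExtraData`, `historianMultiValue` in camelCase while every other column in this file is snake_case. If these mirror the upstream Zeek column names that is a reason to keep them, but a comment such as `# historian* column names follow the upstream log as-is` would stop a future cleanup from renaming them out from under whatever later stage consumes them. The `add_field` hashes for `[zeek_cols][proto]`/`[zeek_cols][service]` in the new `opcua_binary` and `opcua_binary_status_code_detail` branches split the opening brace across the `id` line, unlike the multi-line form used in the cotp hunk; picking one layout would keep the file uniform. Both new `log_source` branches start and end inside the hunk; the surrounding else-if chain does not.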
@@ -2346,16 +2411,47 @@ filter { "[zeek_cols][service]" => "opcua-binary" } add_tag => [ "ics" ] } + } else if ([log_source] == "opcua_binary_opensecure_channel") { + ############################################################################################################################# + # opcua-binary-opensecure-channel.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/secure-channel-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_opensecure_channel" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][client_proto_ver]} %{[zeek_cols][sec_token_request_type]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][client_nonce]} %{[zeek_cols][req_lifetime]} %{[zeek_cols][server_proto_ver]} %{[zeek_cols][sec_token_sec_channel_id]} %{[zeek_cols][sec_token_id]} %{[zeek_cols][sec_token_created_at]} %{[zeek_cols][sec_token_revised_time]} %{[zeek_cols][server_nonce]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_opensecure_channel" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_opensecure_channel" + init => "$zeek_opcua_binary_opensecure_channel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'opcua_link_id', 'client_proto_ver', 'sec_token_request_type', 'message_security_mode', 'client_nonce', 'req_lifetime', 'server_proto_ver', 'sec_token_sec_channel_id', 'sec_token_id', 'sec_token_created_at', 'sec_token_revised_time', 'server_nonce' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_opensecure_channel_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => 
"mutate_add_fields_zeek_service_opcua_binary_opensecure_channel" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + } else if ([log_source] == "opcua_binary_get_endpoints") { ############################################################################################################################# # opcua-binary-get-endpoints.log - # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/get-endpoints-types.zeek dissect { id => "dissect_zeek_opcua_binary_get_endpoints" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][locale_id]} %{[zeek_cols][profile_uri]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][profile_uri_link_id]} %{[zeek_cols][endpoint_description_link_id]}" } } if ("_dissectfailure" in [tags]) { 
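Review bot: The `_dissectfailure` fallback in the new opensecure_channel block pairs the 18 names in `$zeek_opcua_binary_opensecure_channel_field_names` with whatever `mutate split` produced, and Ruby's `Array#zip` pads missing values with nil and drops extra ones, so a line with a different column count (for example from a different icsnpp-opcua-binary log layout) is indexed with silently shifted or missing fields and no signal beyond the generic `_dissectfailure` tag. Recording the mismatch in the `code` string, e.g. `cols = event.get('[message]'); event.tag('_zeekcolcountmismatch') if cols.length != $zeek_opcua_binary_opensecure_channel_field_names.length; event.set('[zeek_cols]', $zeek_opcua_binary_opensecure_channel_field_names.zip(cols).to_h)`, would make such drift visible in the index (the tag name is a suggestion). The same pattern is repeated in the new get_endpoints_description block in the hunk below.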
@@ -2367,7 +2463,7 @@ filter {
 ruby {
 id => "ruby_zip_zeek_opcua_binary_get_endpoints"
- init => "$zeek_opcua_binary_get_endpoints_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'opcua_id', 'endpoint_url', 'locale_id', 'profile_uri', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_id', 'transport_profile_uri', 'security_level' ]"
+ init => "$zeek_opcua_binary_get_endpoints_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'opcua_link_id', 'endpoint_url', 'locale_link_id', 'profile_uri_link_id', 'endpoint_description_link_id' ]"
 code => "event.set('[zeek_cols]', $zeek_opcua_binary_get_endpoints_field_names.zip(event.get('[message]')).to_h)"
 }
 }
@@ -2377,16 +2473,47 @@ filter { "[zeek_cols][service]" => "opcua-binary" } add_tag => [ "ics" ] } + } else if ([log_source] == "opcua_binary_get_endpoints_description") { + ############################################################################################################################# + # opcua-binary-get-endpoints-description.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/get-endpoints-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_get_endpoints_description" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][endpoint_description_link_id]} %{[zeek_cols][endpoint_uri]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_get_endpoints_description" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_get_endpoints_description" + init => "$zeek_opcua_binary_get_endpoints_description_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'endpoint_description_link_id', 'endpoint_uri', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 
'discovery_profile_link_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_link_id', 'transport_profile_uri', 'security_level' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_get_endpoints_description_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_get_endpoints_description" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + } else if ([log_source] == "opcua_binary_get_endpoints_discovery") { ############################################################################################################################# # opcua-binary-get-endpoints-discovery.log - # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/get-endpoints-types.zeek dissect { id => "dissect_zeek_opcua_binary_get_endpoints_discovery" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_id]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_url]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][discovery_profile_url]}" } } if ("_dissectfailure" in [tags]) { 
@@ -2398,7 +2525,7 @@ filter {
 ruby {
 id => "ruby_zip_zeek_opcua_binary_get_endpoints_discovery"
- init => "$zeek_opcua_binary_get_endpoints_discovery_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'discovery_profile_id', 'discovery_profile_uri', 'discovery_profile_url' ]"
+ init => "$zeek_opcua_binary_get_endpoints_discovery_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'discovery_profile_link_id', 'discovery_profile_url' ]"
 code => "event.set('[zeek_cols]', $zeek_opcua_binary_get_endpoints_discovery_field_names.zip(event.get('[message]')).to_h)"
 }
 }
@@ -2411,13 +2538,13 @@ filter {
 } else if ([log_source] == "opcua_binary_get_endpoints_user_token") {
 #############################################################################################################################
 # opcua-binary-get-endpoints-user-token.log
- # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek
+ # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/get-endpoints-types.zeek
 dissect {
 id => "dissect_zeek_opcua_binary_get_endpoints_user_token"
 # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
 mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}"
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}"
 }
 }
 if ("_dissectfailure" in [tags]) {
@@ -2429,7 +2556,7 @@ filter {
 ruby {
 id => "ruby_zip_zeek_opcua_binary_get_endpoints_user_token"
- init => "$zeek_opcua_binary_get_endpoints_user_token_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user_token_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]"
+ init => "$zeek_opcua_binary_get_endpoints_user_token_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user_token_link_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]"
 code => "event.set('[zeek_cols]', $zeek_opcua_binary_get_endpoints_user_token_field_names.zip(event.get('[message]')).to_h)"
 }
 }
@@ -2439,95 +2566,529 @@ filter { "[zeek_cols][service]" => "opcua-binary" } add_tag => [ "ics" ] } - } else if ([log_source] == "opcua_binary") { + } else if ([log_source] == "opcua_binary_get_endpoints_locale_id") { ############################################################################################################################# - # opcua-binary.log - # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek + # opcua-binary-get-endpoints-locale_id.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/get-endpoints-types.zeek dissect { - id => "dissect_zeek_opcua_binary" + id => "dissect_zeek_opcua_binary_get_endpoints_locale_id" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_id]} %{[zeek_cols][msg_type]} %{[zeek_cols][is_final]} %{[zeek_cols][msg_size]} %{[zeek_cols][error]} %{[zeek_cols][reason]} %{[zeek_cols][version]} %{[zeek_cols][rcv_buf_size]} %{[zeek_cols][snd_buf_size]} %{[zeek_cols][max_msg_size]} %{[zeek_cols][max_chunk_cnt]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][sec_channel_id]} %{[zeek_cols][sec_policy_uri_len]} %{[zeek_cols][sec_policy_uri]} %{[zeek_cols][snd_cert_len]} %{[zeek_cols][snd_cert]} %{[zeek_cols][rcv_cert_len]} %{[zeek_cols][rcv_cert]} %{[zeek_cols][seq_number]} %{[zeek_cols][request_id]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][namespace_idx]} %{[zeek_cols][identifier]} %{[zeek_cols][identifier_str]} %{[zeek_cols][req_hdr_node_id_type]} %{[zeek_cols][req_hdr_node_id_namespace_idx]} %{[zeek_cols][req_hdr_node_id_numeric]} %{[zeek_cols][req_hdr_node_id_string]} %{[zeek_cols][req_hdr_node_id_guid]} %{[zeek_cols][req_hdr_node_id_opaque]} %{[zeek_cols][req_hdr_timestamp]} %{[zeek_cols][req_hdr_request_handle]} %{[zeek_cols][req_hdr_return_diag]} 
%{[zeek_cols][req_hdr_audit_entry_id]} %{[zeek_cols][req_hdr_timeout_hint]} %{[zeek_cols][req_hdr_add_hdr_type_id]} %{[zeek_cols][req_hdr_add_hdr_enc_mask]} %{[zeek_cols][res_hdr_timestamp]} %{[zeek_cols][res_hdr_request_handle]} %{[zeek_cols][res_hdr_service_result]} %{[zeek_cols][res_hdr_service_diag_encoding]} %{[zeek_cols][res_hdr_add_hdr_type_id]} %{[zeek_cols][res_hdr_add_hdr_enc_mask]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][locale_id]}" } } if ("_dissectfailure" in [tags]) { mutate { - id => "mutate_split_zeek_opcua_binary" + id => "mutate_split_zeek_opcua_binary_get_endpoints_locale_id" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP split => { "[message]" => " " } } ruby { - id => "ruby_zip_zeek_opcua_binary" - init => "$zeek_opcua_binary_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'opcua_id', 'msg_type', 'is_final', 'msg_size', 'error', 'reason', 'version', 'rcv_buf_size', 'snd_buf_size', 'max_msg_size', 'max_chunk_cnt', 'endpoint_url', 'sec_channel_id', 'sec_policy_uri_len', 'sec_policy_uri', 'snd_cert_len', 'snd_cert', 'rcv_cert_len', 'rcv_cert', 'seq_number', 'request_id', 'encoding_mask', 'namespace_idx', 'identifier', 'identifier_str', 'req_hdr_node_id_type', 'req_hdr_node_id_namespace_idx', 'req_hdr_node_id_numeric', 'req_hdr_node_id_string', 'req_hdr_node_id_guid', 'req_hdr_node_id_opaque', 'req_hdr_timestamp', 'req_hdr_request_handle', 'req_hdr_return_diag', 'req_hdr_audit_entry_id', 'req_hdr_timeout_hint', 'req_hdr_add_hdr_type_id', 'req_hdr_add_hdr_enc_mask', 'res_hdr_timestamp', 'res_hdr_request_handle', 'res_hdr_service_result', 'res_hdr_service_diag_encoding', 'res_hdr_add_hdr_type_id', 'res_hdr_add_hdr_enc_mask' ]" - code => "event.set('[zeek_cols]', $zeek_opcua_binary_field_names.zip(event.get('[message]')).to_h)" + id => 
"ruby_zip_zeek_opcua_binary_get_endpoints_locale_id" + init => "$zeek_opcua_binary_get_endpoints_locale_id_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'locale_link_id', 'locale_id' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_get_endpoints_locale_id_field_names.zip(event.get('[message]')).to_h)" } } - mutate { id => "mutate_add_fields_zeek_service_opcua_binary" + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_get_endpoints_locale_id" add_field => { "[zeek_cols][proto]" => "tcp" "[zeek_cols][service]" => "opcua-binary" } add_tag => [ "ics" ] } - } else if ([log_source] == "opcua_binary_opensecure_channel") { + } else if ([log_source] == "opcua_binary_get_endpoints_profile_uri") { ############################################################################################################################# - # opcua-binary-opensecure-channel.log - # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek + # opcua-binary-get-endpoints-profile_uri.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/get-endpoints-types.zeek dissect { - id => "dissect_zeek_opcua_binary_opensecure_channel" + id => "dissect_zeek_opcua_binary_get_endpoints_profile_uri" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_id]} %{[zeek_cols][client_proto_ver]} %{[zeek_cols][sec_token_request_type]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][client_nonce]} %{[zeek_cols][req_lifetime]} %{[zeek_cols][server_proto_ver]} %{[zeek_cols][sec_token_sec_channel_id]} %{[zeek_cols][sec_token_id]} %{[zeek_cols][sec_token_created_at]} %{[zeek_cols][sec_token_revised_time]} %{[zeek_cols][server_nonce]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} 
%{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][profile_uri_link_id]} %{[zeek_cols][profile_uri]}" } } if ("_dissectfailure" in [tags]) { mutate { - id => "mutate_split_zeek_opcua_binary_opensecure_channel" + id => "mutate_split_zeek_opcua_binary_get_endpoints_profile_uri" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP split => { "[message]" => " " } } ruby { - id => "ruby_zip_zeek_opcua_binary_opensecure_channel" - init => "$zeek_opcua_binary_opensecure_channel_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'opcua_id', 'client_proto_ver', 'sec_token_request_type', 'message_security_mode', 'client_nonce', 'req_lifetime', 'server_proto_ver', 'sec_token_sec_channel_id', 'sec_token_id', 'sec_token_created_at', 'sec_token_revised_time', 'server_nonce' ]" - code => "event.set('[zeek_cols]', $zeek_opcua_binary_opensecure_channel_field_names.zip(event.get('[message]')).to_h)" + id => "ruby_zip_zeek_opcua_binary_get_endpoints_profile_uri" + init => "$zeek_opcua_binary_get_endpoints_profile_uri_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'profile_uri_link_id', 'profile_uri' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_get_endpoints_profile_uri_field_names.zip(event.get('[message]')).to_h)" } } - mutate { id => "mutate_add_fields_zeek_service_opcua_binary_opensecure_channel" + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_get_endpoints_profile_uri" add_field => { "[zeek_cols][proto]" => "tcp" "[zeek_cols][service]" => "opcua-binary" } add_tag => [ "ics" ] } - } else if ([log_source] == "opcua_binary_status_code_detail") { + } else if ([log_source] == "opcua_binary_create_session") { + ############################opcua_binary_create_session################################################################################################# + # opcua-binary-create-session.log + # 
https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/create-session-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_create_session" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][server_uri]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][session_name]} %{[zeek_cols][client_nonce]} %{[zeek_cols][client_cert_size]} %{[zeek_cols][client_cert]} %{[zeek_cols][req_session_timeout]} %{[zeek_cols][max_res_msg_size]} %{[zeek_cols][session_id_encoding_mask]} %{[zeek_cols][session_id_namespace_idx]} %{[zeek_cols][session_id_numeric]} %{[zeek_cols][session_id_string]} %{[zeek_cols][session_id_guid]} %{[zeek_cols][session_id_opaque]} %{[zeek_cols][auth_token_encoding_mask]} %{[zeek_cols][auth_token_namespace_idx]} %{[zeek_cols][auth_token_numeric]} %{[zeek_cols][auth_token_string]} %{[zeek_cols][auth_token_guid]} %{[zeek_cols][auth_token_opaque]} %{[zeek_cols][revised_session_timeout]} %{[zeek_cols][server_nonce]} %{[zeek_cols][server_cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][endpoint_link_id]} %{[zeek_cols][algorithm]} %{[zeek_cols][signature]} %{[zeek_cols][max_req_msg_size]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_session" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_create_session" + init => 
"$zeek_opcua_binary_create_session_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'opcua_link_id', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'server_uri', 'endpoint_url', 'session_name', 'client_nonce', 'client_cert_size', 'client_cert', 'req_session_timeout', 'max_res_msg_size', 'session_id_encoding_mask', 'session_id_namespace_idx', 'session_id_numeric', 'session_id_string', 'session_id_guid', 'session_id_opaque', 'auth_token_encoding_mask', 'auth_token_namespace_idx', 'auth_token_numeric', 'auth_token_string', 'auth_token_guid', 'auth_token_opaque', 'revised_session_timeout', 'server_nonce', 'server_cert_size', 'server_cert', 'endpoint_link_id', 'algorithm', 'signature', 'max_req_msg_size' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_create_session_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_create_session" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_create_session_user_token") { ############################################################################################################################# - # opcua-binary-status-code-detail.log - # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/types.zeek + # opcua-binary-create-session-user-token.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/create-session-types.zeek dissect { - id => "dissect_zeek_opcua_binary_status_code_detail" + id => "dissect_zeek_opcua_binary_create_session_user_token" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} 
%{[zeek_cols][resp_p]} %{[zeek_cols][opcua_id]} %{[zeek_cols][source]} %{[zeek_cols][source_str]} %{[zeek_cols][status_code]} %{[zeek_cols][severity]} %{[zeek_cols][severity_str]} %{[zeek_cols][sub_code]} %{[zeek_cols][sub_code_str]} %{[zeek_cols][structure_changed]} %{[zeek_cols][semantics_changed]} %{[zeek_cols][info_type]} %{[zeek_cols][info_type_str]} %{[zeek_cols][limit_bits]} %{[zeek_cols][limit_bits_str]} %{[zeek_cols][overflow]} %{[zeek_cols][historian_bits]} %{[zeek_cols][historian_bits_str]} %{[zeek_cols][historianPartial]} %{[zeek_cols][historianExtraData]} %{[zeek_cols][historianMultiValue]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][user_token_policy_id]} %{[zeek_cols][user_token_type]} %{[zeek_cols][user_token_issued_type]} %{[zeek_cols][user_token_endpoint_url]} %{[zeek_cols][user_token_sec_policy_uri]}" } } if ("_dissectfailure" in [tags]) { mutate { - id => "mutate_split_zeek_opcua_binary_status_code_detail" + id => "mutate_split_zeek_opcua_binary_create_session_user_token" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP split => { "[message]" => " " } } ruby { - id => "ruby_zip_zeek_opcua_binary_status_code_detail" - init => "$zeek_opcua_binary_status_code_detail_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'opcua_id', 'source', 'source_str', 'status_code', 'severity', 'severity_str', 'sub_code', 'sub_code_str', 'structure_changed', 'semantics_changed', 'info_type', 'info_type_str', 'limit_bits', 'limit_bits_str', 'overflow', 'historian_bits', 'historian_bits_str', 'historianPartial', 'historianExtraData', 'historianMultiValue' ]" - code => "event.set('[zeek_cols]', $zeek_opcua_binary_status_code_detail_field_names.zip(event.get('[message]')).to_h)" + id => "ruby_zip_zeek_opcua_binary_create_session_user_token" + init => 
"$zeek_opcua_binary_create_session_user_token_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'user_token_link_id', 'user_token_policy_id', 'user_token_type', 'user_token_issued_type', 'user_token_endpoint_url', 'user_token_sec_policy_uri' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_create_session_user_token_field_names.zip(event.get('[message]')).to_h)" } } - mutate { id => "mutate_add_fields_zeek_service_opcua_binary_status_code_detail" + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_create_session_user_token" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_create_session_endpoints") { + ############################################################################################################################# + # opcua-binary-create-session-endpoints.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/create-session-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_create_session_endpoints" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][endpoint_link_id]} %{[zeek_cols][endpoint_url]} %{[zeek_cols][application_uri]} %{[zeek_cols][product_uri]} %{[zeek_cols][encoding_mask]} %{[zeek_cols][locale]} %{[zeek_cols][text]} %{[zeek_cols][application_type]} %{[zeek_cols][gateway_server_uri]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][cert_size]} %{[zeek_cols][server_cert]} %{[zeek_cols][message_security_mode]} %{[zeek_cols][security_policy_uri]} %{[zeek_cols][user_token_link_id]} %{[zeek_cols][transport_profile_uri]} %{[zeek_cols][security_level]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => 
"mutate_split_zeek_opcua_binary_create_session_endpoints" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_create_session_endpoints" + init => "$zeek_opcua_binary_create_session_endpoints_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'endpoint_link_id', 'endpoint_url', 'application_uri', 'product_uri', 'encoding_mask', 'locale', 'text', 'application_type', 'gateway_server_uri', 'discovery_profile_uri', 'discovery_profile_link_id', 'cert_size', 'server_cert', 'message_security_mode', 'security_policy_uri', 'user_token_link_id', 'transport_profile_uri', 'security_level' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_create_session_endpoints_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_create_session_endpoints" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_create_session_discovery") { + ############################################################################################################################# + # opcua-binary-create-session-discovery.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/create-session-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_create_session_discovery" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][discovery_profile_link_id]} %{[zeek_cols][discovery_profile_uri]} %{[zeek_cols][discovery_profile_url]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_create_session_discovery" + # zeek's default 
delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_create_session_discovery" + init => "$zeek_opcua_binary_create_session_discovery_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'discovery_profile_link_id', 'discovery_profile_uri', 'discovery_profile_url' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_create_session_discovery_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_create_session_discovery" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_activate_session") { + ############################################################################################################################# + # opcua-binary-activate_session.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/activate-session-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_activate_session" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][client_algorithm]} %{[zeek_cols][client_signature]} %{[zeek_cols][client_software_cert_link_id]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][ext_obj_type_id_encoding_mask]} %{[zeek_cols][ext_obj_type_id_namespace_idx]} %{[zeek_cols][ext_obj_type_id_numeric]} %{[zeek_cols][ext_obj_type_id_string]} %{[zeek_cols][ext_obj_type_id_guid]} %{[zeek_cols][ext_obj_type_id_opaque]} %{[zeek_cols][ext_obj_type_id_str]} %{[zeek_cols][ext_obj_encoding]} %{[zeek_cols][ext_obj_policy_id]} %{[zeek_cols][ext_obj_user_name]} %{[zeek_cols][ext_obj_password]} 
%{[zeek_cols][ext_obj_encryption_algorithom]} %{[zeek_cols][ext_obj_certificate_data]} %{[zeek_cols][ext_obj_token_data]} %{[zeek_cols][user_token_algorithm]} %{[zeek_cols][user_token_signature]} %{[zeek_cols][server_nonce]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][activate_session_diag_info_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_activate_session" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_activate_session" + init => "$zeek_opcua_binary_activate_session_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'opcua_link_id', 'client_algorithm', 'client_signature', 'client_software_cert_link_id', 'locale_link_id', 'ext_obj_type_id_encoding_mask', 'ext_obj_type_id_namespace_idx', 'ext_obj_type_id_numeric', 'ext_obj_type_id_string', 'ext_obj_type_id_guid', 'ext_obj_type_id_opaque', 'ext_obj_type_id_str', 'ext_obj_encoding', 'ext_obj_policy_id', 'ext_obj_user_name', 'ext_obj_password', 'ext_obj_encryption_algorithom', 'ext_obj_certificate_data', 'ext_obj_token_data', 'user_token_algorithm', 'user_token_signature', 'server_nonce', 'status_code_link_id', 'activate_session_diag_info_link_id' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_activate_session_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_activate_session" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_activate_session_client_software_cert") { + ############################################################################################################################# + # opcua-binary-activate_session_client_software_cert.log + # 
https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/activate-session-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_activate_session_client_software_cert" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][client_software_cert_link_id]} %{[zeek_cols][cert_data]} %{[zeek_cols][cert_signature]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_activate_session_client_software_cert" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_activate_session_client_software_cert" + init => "$zeek_opcua_binary_activate_session_client_software_cert_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'client_software_cert_link_id', 'cert_data', 'cert_signature' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_activate_session_client_software_cert_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_activate_session_client_software_cert" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_activate_session_locale_id") { + ############################################################################################################################# + # opcua-binary-opcua_binary_activate_session_locale_id.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/activate-session-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_activate_session_locale_id" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + 
"[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][locale_link_id]} %{[zeek_cols][locale_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_activate_session_locale_id" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_activate_session_locale_id" + init => "$zeek_opcua_binary_activate_session_locale_id_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'locale_link_id', 'locale_id' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_activate_session_locale_id_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_activate_session_locale_id" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_activate_session_diagnostic_info") { + ############################################################################################################################# + # opcua-binary-opcua_binary_activate_session_diagnostic_info.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/activate-session-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_activate_session_diagnostic_info" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][activate_session_diag_info_link_id]} %{[zeek_cols][diag_info_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_activate_session_diagnostic_info" + # zeek's default delimiter is a 
literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_activate_session_diagnostic_info" + init => "$zeek_opcua_binary_activate_session_diagnostic_info_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'activate_session_diag_info_link_id', 'diag_info_link_id' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_activate_session_diagnostic_info_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_activate_session_diagnostic_info" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_browse") { + ############################################################################################################################# + # opcua-binary-browse.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/browse-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_browse" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][browse_service_type]} %{[zeek_cols][browse_view_id_encoding_mask]} %{[zeek_cols][browse_view_id_namespace_idx]} %{[zeek_cols][browse_view_id_numeric]} %{[zeek_cols][browse_view_id_string]} %{[zeek_cols][browse_view_id_guid]} %{[zeek_cols][browse_view_id_opaque]} %{[zeek_cols][browse_view_description_timestamp]} %{[zeek_cols][browse_view_description_view_version]} %{[zeek_cols][req_max_ref_nodes]} %{[zeek_cols][browse_description_link_id]} %{[zeek_cols][browse_next_release_continuation_point]} %{[zeek_cols][browse_next_link_id]} %{[zeek_cols][browse_response_link_id]} %{[zeek_cols][browse_diag_info_link_id]}" + } + 
} + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_browse" + init => "$zeek_opcua_binary_browse_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'opcua_link_id', 'browse_service_type', 'browse_view_id_encoding_mask', 'browse_view_id_namespace_idx', 'browse_view_id_numeric', 'browse_view_id_string', 'browse_view_id_guid', 'browse_view_id_opaque', 'browse_view_description_timestamp', 'browse_view_description_view_version', 'req_max_ref_nodes', 'browse_description_link_id', 'browse_next_release_continuation_point', 'browse_next_link_id', 'browse_browse_response_link_id', 'browse_diag_info_link_id' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_browse_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_browse" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_browse_description") { + ############################################################################################################################# + # opcua-binary-browse_description.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/browse-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_browse_description" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_description_link_id]} %{[zeek_cols][browse_description_encoding_mask]} %{[zeek_cols][browse_description_namespace_idx]} %{[zeek_cols][browse_description_numeric]} 
%{[zeek_cols][browse_description_string]} %{[zeek_cols][browse_description_guid]} %{[zeek_cols][browse_description_opaque]} %{[zeek_cols][browse_direction]} %{[zeek_cols][browse_description_ref_encoding_mask]} %{[zeek_cols][browse_description_ref_namespace_idx]} %{[zeek_cols][browse_description_ref_numeric]} %{[zeek_cols][browse_description_ref_string]} %{[zeek_cols][browse_description_ref_guid]} %{[zeek_cols][browse_description_ref_opaque]} %{[zeek_cols][browse_description_include_subtypes]} %{[zeek_cols][browse_node_class_mask]} %{[zeek_cols][browse_result_mask]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse_description" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_browse_description" + init => "$zeek_opcua_binary_browse_description_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'browse_description_link_id', 'browse_description_encoding_mask', 'browse_description_namespace_idx', 'browse_description_numeric', 'browse_description_string', 'browse_description_guid', 'browse_description_opaque', 'browse_direction', 'browse_description_ref_encoding_mask', 'browse_description_ref_namespace_idx', 'browse_description_ref_numeric', 'browse_description_ref_string', 'browse_description_ref_guid', 'browse_description_ref_opaque', 'browse_description_include_subtypes', 'browse_node_class_mask', 'browse_result_mask' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_browse_description_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_browse_description" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_browse_request_continuation_point") { + 
############################################################################################################################# + # opcua-binary-browse_request_continuation_point.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/browse-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_browse_request_continuation_point" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_next_link_id]} %{[zeek_cols][continuation_point]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse_request_continuation_point" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_browse_request_continuation_point" + init => "$zeek_opcua_binary_browse_request_continuation_point_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'browse_next_link_id', 'continuation_point' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_browse_request_continuation_point_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_browse_request_continuation_point" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_browse_result") { + ############################################################################################################################# + # opcua-binary-browse_result.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/browse-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_browse_result" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR 
EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_response_link_id]} %{[zeek_cols][status_code_link_id]} %{[zeek_cols][browse_result_continuation_point]} %{[zeek_cols][browse_reference_link_id]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse_result" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_browse_result" + init => "$zeek_opcua_binary_browse_result_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'browse_response_link_id', 'status_code_link_id', 'browse_result_continuation_point', 'browse_reference_link_id' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_browse_result_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_browse_result" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_browse_response_references") { + ############################################################################################################################# + # opcua-binary-browse_response_references.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/browse-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_browse_response_references" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_reference_link_id]} %{[zeek_cols][browse_response_ref_encoding_mask]} 
%{[zeek_cols][browse_response_ref_namespace_idx]} %{[zeek_cols][browse_response_ref_numeric]} %{[zeek_cols][browse_response_ref_string]} %{[zeek_cols][browse_response_ref_guid]} %{[zeek_cols][browse_response_ref_opaque]} %{[zeek_cols][browse_response_is_forward]} %{[zeek_cols][browse_response_ref_type_encoding_mask]} %{[zeek_cols][browse_response_ref_type_namespace_idx]} %{[zeek_cols][browse_response_ref_type_numeric]} %{[zeek_cols][browse_response_ref_type_string]} %{[zeek_cols][browse_response_ref_type_guid]} %{[zeek_cols][browse_response_ref_type_opaque]} %{[zeek_cols][browse_response_ref_type_namespace_uri]} %{[zeek_cols][browse_response_ref_type_server_idx]} %{[zeek_cols][browse_response_ref_name_idx]} %{[zeek_cols][browse_response_ref_name]} %{[zeek_cols][browse_response_display_name_mask]} %{[zeek_cols][browse_response_display_name_locale]} %{[zeek_cols][browse_response_display_name_text]} %{[zeek_cols][browse_response_node_class]} %{[zeek_cols][browse_response_type_def_encoding_mask]} %{[zeek_cols][browse_response_type_def_namespace_idx]} %{[zeek_cols][browse_response_type_def_numeric]} %{[zeek_cols][browse_response_type_def_string]} %{[zeek_cols][browse_response_type_def_guid]} %{[zeek_cols][browse_response_type_def_opaque]} %{[zeek_cols][browse_response_type_def_namespace_uri]} %{[zeek_cols][browse_response_type_def_server_idx]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse_response_references" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_browse_response_references" + init => "$zeek_opcua_binary_browse_response_references_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'browse_reference_link_id', 'browse_response_ref_encoding_mask', 'browse_response_ref_namespace_idx', 'browse_response_ref_numeric', 'browse_response_ref_string', 
'browse_response_ref_guid', 'browse_response_ref_opaque', 'browse_response_is_forward', 'browse_response_ref_type_encoding_mask', 'browse_response_ref_type_namespace_idx', 'browse_response_ref_type_numeric', 'browse_response_ref_type_string', 'browse_response_ref_type_guid', 'browse_response_ref_type_opaque', 'browse_response_ref_type_namespace_uri', 'browse_response_ref_type_server_idx', 'browse_response_ref_name_idx', 'browse_response_ref_name', 'browse_response_display_name_mask', 'browse_response_display_name_locale', 'browse_response_display_name_text', 'browse_response_node_class', 'browse_response_type_def_encoding_mask', 'browse_response_type_def_namespace_idx', 'browse_response_type_def_numeric', 'browse_response_type_def_string', 'browse_response_type_def_guid', 'browse_response_type_def_opaque', 'browse_response_type_def_namespace_uri', 'browse_response_type_def_server_idx' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_browse_response_references_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_browse_response_references" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_browse_diagnostic_info") { + ############################################################################################################################# + # opcua-binary-browse_diagnostic_info.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/browse-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_browse_diagnostic_info" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][browse_diag_info_link_id]} %{[zeek_cols][diag_info_link_id]}" + } + } + if 
("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_opcua_binary_browse_diagnostic_info" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_browse_diagnostic_info" + init => "$zeek_opcua_binary_browse_diagnostic_info_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'browse_diag_info_link_id', 'diag_info_link_id' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_browse_diagnostic_info_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_browse_diagnostic_info" + add_field => { "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "opcua-binary" } + add_tag => [ "ics" ] } + + } else if ([log_source] == "opcua_binary_create_subscription") { + ############################################################################################################################# + # opcua-binary-create_subscription.log + # https://github.com/cisagov/icsnpp-opcua-binary/blob/main/scripts/create-subscription-types.zeek + + dissect { + id => "dissect_zeek_opcua_binary_create_subscription" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][requested_publishing_interval]} %{[zeek_cols][requested_lifetime_count]} %{[zeek_cols][requested_max_keep_alive_count]} %{[zeek_cols][max_notifications_per_publish]} %{[zeek_cols][publishing_enabled]} %{[zeek_cols][priority]} %{[zeek_cols][subscription_id]} %{[zeek_cols][revised_publishing_interval]} %{[zeek_cols][revised_lifetime_count]} %{[zeek_cols][revised_max_keep_alive_count]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => 
"mutate_split_zeek_opcua_binary_create_subscription" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + + ruby { + id => "ruby_zip_zeek_opcua_binary_create_subscription" + init => "$zeek_opcua_binary_create_subscription_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'opcua_link_id', 'requested_publishing_interval', 'requested_lifetime_count', 'requested_max_keep_alive_count', 'max_notifications_per_publish', 'publishing_enabled', 'priority', 'subscription_id', 'revised_publishing_interval', 'revised_lifetime_count', 'revised_max_keep_alive_count' ]" + code => "event.set('[zeek_cols]', $zeek_opcua_binary_create_subscription_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { id => "mutate_add_fields_zeek_service_opcua_binary_create_subscription" add_field => { "[zeek_cols][proto]" => "tcp" "[zeek_cols][service]" => "opcua-binary" } add_tag => [ "ics" ] } 
@@ -2787,13 +3348,13 @@ filter { } else if ([log_source] == "s7comm") { ############################################################################################################################# # s7comm.log - # https://github.com/amzn/zeek-plugin-s7comm/blob/master/scripts/main.zeek + # https://github.com/cisagov/icsnpp-s7comm dissect { id => "dissect_zeek_s7comm" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][rosctr]} %{[zeek_cols][parameter]} %{[zeek_cols][item_count]} %{[zeek_cols][data_info]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][rosctr_code]} %{[zeek_cols][rosctr_name]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]} %{[zeek_cols][subfunction_code]} %{[zeek_cols][subfunction_name]} %{[zeek_cols][error_class]} %{[zeek_cols][error_code]}" } } if ("_dissectfailure" in [tags]) { @@ -2804,7 +3365,7 @@ filter { } ruby { id => "ruby_zip_zeek_s7comm" - init => "$zeek_s7comm_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'rosctr', 'parameter', 'item_count', 'data_info' ]" + init => "$zeek_s7comm_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'rosctr_code', 'rosctr_name', 'pdu_reference', 'function_code', 'function_name', 'subfunction_code', 'subfunction_name', 'error_class', 'error_code' ]" code => "event.set('[zeek_cols]', $zeek_s7comm_field_names.zip(event.get('[message]')).to_h)" } } 
@@ -2818,6 +3379,74 @@ filter { add_tag => [ "ics" ] } + } else if ([log_source] == "s7comm_plus") { + ############################################################################################################################# + # s7comm_plus.log + # https://github.com/cisagov/icsnpp-s7comm + + dissect { + id => "dissect_zeek_s7comm_plus" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][version]} %{[zeek_cols][opcode]} %{[zeek_cols][opcode_name]} %{[zeek_cols][function_code]} %{[zeek_cols][function_name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_s7comm_plus" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_s7comm_plus" + init => "$zeek_s7comm_plus_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'is_orig', 'version', 'opcode', 'opcode_name', 'function_code', 'function_name' ]" + code => "event.set('[zeek_cols]', $zeek_s7comm_plus_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_s7comm_plus" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "s7comm_plus" + } + add_tag => [ "ics" ] + } + + } else if ([log_source] == "s7comm_read_szl") { + ############################################################################################################################# + # s7comm_read_szl.log + # https://github.com/cisagov/icsnpp-s7comm + + dissect { + id => "dissect_zeek_s7comm_read_szl" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + mapping => { + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} 
%{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][pdu_reference]} %{[zeek_cols][method]} %{[zeek_cols][szl_id]} %{[zeek_cols][szl_id_name]} %{[zeek_cols][szl_index]} %{[zeek_cols][return_code]} %{[zeek_cols][return_code_name]}" + } + } + if ("_dissectfailure" in [tags]) { + mutate { + id => "mutate_split_zeek_s7comm_read_szl" + # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP + split => { "[message]" => " " } + } + ruby { + id => "ruby_zip_zeek_s7comm_read_szl" + init => "$zeek_s7comm_read_szl_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'pdu_reference', 'method', 'szl_id', 'szl_id_name', 'szl_index', 'return_code', 'return_code_name' ]" + code => "event.set('[zeek_cols]', $zeek_s7comm_read_szl_field_names.zip(event.get('[message]')).to_h)" + } + } + + mutate { + id => "mutate_add_fields_zeek_s7comm_read_szl" + add_field => { + "[zeek_cols][proto]" => "tcp" + "[zeek_cols][service]" => "s7comm" + } + add_tag => [ "ics" ] + } + } else if ([log_source] == "signatures") { ############################################################################################################################# # signatures.log @@ -3701,6 +4330,7 @@ filter { rename => { "[zeek][%{[log_source]}][ts]" => "[zeek][ts]" } rename => { "[zeek][%{[log_source]}][uid]" => "[zeek][uid]" } rename => { "[zeek][%{[log_source]}][fuid]" => "[zeek][fuid]" } + rename => { "[zeek][%{[log_source]}][is_orig]" => "[network][is_orig]" } rename => { "[zeek][%{[log_source]}][orig_h]" => "[source][ip]" } rename => { "[zeek][%{[log_source]}][orig_p]" => "[source][port]" } rename => { "[zeek][%{[log_source]}][orig_l2_addr]" => "[source][mac]" } 
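Review bot: The ids `mutate_add_fields_zeek_s7comm_plus` and `mutate_add_fields_zeek_s7comm_read_szl` on the two new `add_field` mutates break the `mutate_add_fields_zeek_service_<log_source>` naming that every opcua-binary branch in the preceding hunk uses; plugin ids are what appear in pipeline metrics and error logs, so a consistent scheme makes a failing stage easy to locate. Suggest `id => "mutate_add_fields_zeek_service_s7comm_plus"` and `id => "mutate_add_fields_zeek_service_s7comm_read_szl"`. Field counts in each dissect mapping and its ruby zip fallback agree (12 and 13 respectively), so the tab/space fallback path itself looks correct.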
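Review bot: The new `rename => { "[zeek][%{[log_source]}][is_orig]" => "[network][is_orig]" }` moves the column into a field that, as far as I can tell, is not part of ECS (ECS expresses this as network.direction), and the dissect filters in the s7comm hunks above leave the Zeek value as the string `T`/`F`; unless the index template declares `network.is_orig`, it will be dynamically mapped as text on first ingest and cannot be used as a boolean filter. Worth confirming the template entry, or adding a follow-up `mutate { id => "mutate_convert_network_is_orig" convert => { "[network][is_orig]" => "boolean" } }` (mutate's boolean conversion accepts t/f). The enclosing mutate block starts and ends outside the hunk.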
@@ -3867,11 +4497,11 @@ filter { id => "ruby_zeek_conn_history" # see https://www.zeek.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info code => "historyStr = event.get('[zeek][conn][history]').upcase - sCnt = historyStr.count('S') - hCnt = historyStr.count('H') - aCnt = historyStr.count('A') - fCnt = historyStr.count('F') - rCnt = historyStr.count('R') + sCnt = [historyStr.count('S'), 19].min + hCnt = [historyStr.count('H'), 19].min + aCnt = [historyStr.count('A'), 19].min + fCnt = [historyStr.count('F'), 19].min + rCnt = [historyStr.count('R'), 19].min event.set('[tcpflags][syn]', 10**(sCnt-1)) if sCnt > 0 event.set('[tcpflags][syn-ack]', 10**(hCnt-1)) if hCnt > 0 event.set('[tcpflags][ack]', 10**(aCnt-1)) if aCnt > 0 @@ -4080,7 +4710,7 @@ filter { mutate { id => "mutate_merge_zeek_query" merge => { "[dns][host]" => "[zeek][dns][query]" } } ruby { id => "ruby_add_field_zeek_dns_opcode" - code => "event.set('[dns][opcode]', [ 'QUERY', event.get('[dns][opcode]') ].flatten.compact)" } + code => "event.set('[dns][opcode]', [ 'QUERY', event.get('[dns][opcode]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } if ([@metadata][answers_ip]) { @@ -4709,7 +5339,7 @@ filter { ruby { id => "ruby_add_field_zeek_notice_event_original" code => " event.set('[event][original]', [event.get('[zeek][notice][msg]'), - event.get('[zeek][notice][sub]')].compact.join(':'))" } + event.get('[zeek][notice][sub]')].reject{ |e| e.nil? || e&.empty? }.join(':'))" } # split "Category::Subcategory" into two different fields ruby { 
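Review bot: The cap of 19 in `sCnt = [historyStr.count('S'), 19].min` and the four sibling lines is unexplained; a reader has to work out that the later `10**(cnt-1)` must stay at or below 10**18 to fit a signed 64-bit integer, presumably because the `[tcpflags][*]` fields are mapped as long — confirm against the index template. Suggest a comment above the first capped line: `# cap at 19: 10**(cnt-1) must stay <= 10**18 to fit a signed 64-bit numeric field`. The ruby `code` string and its enclosing filter start and end outside the hunk.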
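Review bot: In `.flatten.reject{ |e| e.nil? || e&.empty? }` the safe-navigation `&.` is redundant, because `e.nil? ||` already short-circuits for nil, and `empty?` raises NoMethodError for any element that is neither a String nor a collection (an Integer opcode, for instance), which would fail the ruby filter for that event where the old `.compact` did not. The same replacement is made in the hunks at -4709 (notice event.original) and -4764 (rule.category and rule.name), so the change applies to all four. Suggest `.reject { |e| e.nil? || (e.respond_to?(:empty?) && e.empty?) }` in each, which keeps the intent of dropping nil and empty strings without the type assumption; whether non-string values can actually reach these fields is not visible here, so treat that as something to confirm.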
@@ -4764,13 +5394,13 @@ filter { # ECS - zeek.notice.category -> rule.category if ([zeek][notice][category]) { ruby { id => "ruby_add_field_ecs_rule_category_notice_category" - code => "event.set('[rule][category]', [ event.get('[zeek][notice][category]'), event.get('[rule][category]') ].flatten.compact)" } + code => "event.set('[rule][category]', [ event.get('[zeek][notice][category]'), event.get('[rule][category]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } # ECS - zeek.notice.sub_category -> rule.name if ([zeek][notice][sub_category]) { ruby { id => "ruby_add_field_ecs_zeek_rule_name_notice_sub_category" - code => "event.set('[rule][name]', [ event.get('[zeek][notice][sub_category]'), event.get('[rule][name]') ].flatten.compact)" } + code => "event.set('[rule][name]', [ event.get('[zeek][notice][sub_category]'), event.get('[rule][name]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } # ECS - zeek.notice.category -> rule.author (mapped) 
@@ -4931,14 +5561,93 @@ filter { ############################################################################################################################# # opcua-binary-*.log specific logic - # all of the opcua-binary logs are also linked together by the opcua_id field, - # so normalize it under zeek.opcua_binary.opcua_id like the "parent" log is so - # they can be filtered together - if (![zeek][opcua_binary][opcua_id]) { - mutate { - id => "mutate_rename_opcua_binary_opcua_id" - rename => { "[zeek][%{[log_source]}][opcua_id]" => "[zeek][opcua_binary][opcua_id]" } - } + # There is a lot of linking between various different field types to tie logs together, + # see https://github.com/cisagov/icsnpp-opcua-binary/tree/main/scripts. + # We want to rename these fields as much as possible in order to have them cofilterable. + # I identified these from the the icsnpp-opcua-binary scripts source code with something like + # > grep -R '&log' | grep -Pi "\s*#.+$" + + mutate { + id => "mutate_rename_opcua_linkage_fields" + rename => { "[zeek][opcua_binary][status_code_link_id]" => "[zeek][opcua_binary_status_code_detail][status_code_link_id]" } + rename => { "[zeek][opcua_binary_activate_session][activate_session_diag_info_link_id]" => "[zeek][opcua_binary_activate_session_diagnostic_info][activate_session_diag_info_link_id]" } + rename => { "[zeek][opcua_binary_activate_session][client_software_cert_link_id]" => "[zeek][opcua_binary_activate_session_client_software_cert][client_software_cert_link_id]" } + rename => { "[zeek][opcua_binary_activate_session][opcua_link_id]" => "[zeek][opcua_binary][opcua_link_id]" } + rename => { "[zeek][opcua_binary_activate_session][locale_link_id]" => "[zeek][opcua_binary_activate_session_locale_id][locale_link_id]" } + rename => { "[zeek][opcua_binary_activate_session][status_code_link_id]" => "[zeek][opcua_binary_status_code_detail][status_code_link_id]" } + rename => { 
"[zeek][opcua_binary_activate_session_diagnostic_info][diag_info_link_id]" => "[zeek][opcua_binary_diag_info_detail][diag_info_link_id]" } + rename => { "[zeek][opcua_binary_browse][browse_description_link_id]" => "[zeek][opcua_binary_browse_description][browse_description_link_id]" } + rename => { "[zeek][opcua_binary_browse][browse_diag_info_link_id]" => "[zeek][opcua_binary_browse_diagnostic_info][browse_diag_info_link_id]" } + rename => { "[zeek][opcua_binary_browse][browse_next_link_id]" => "[zeek][opcua_binary_browse_request_continuation_point][browse_next_link_id]" } + rename => { "[zeek][opcua_binary_browse][browse_response_link_id]" => "[zeek][opcua_binary_browse_result][browse_response_link_id]" } + rename => { "[zeek][opcua_binary_browse][opcua_link_id]" => "[zeek][opcua_binary][opcua_link_id]" } + rename => { "[zeek][opcua_binary_browse_diagnostic_info][diag_info_link_id]" => "[zeek][opcua_binary_diag_info_detail][diag_info_link_id]" } + rename => { "[zeek][opcua_binary_browse_result][browse_reference_link_id]" => "[zeek][opcua_binary_browse_response_references][browse_reference_link_id]" } + rename => { "[zeek][opcua_binary_browse_result][status_code_link_id]" => "[zeek][opcua_binary_status_code_detail][status_code_link_id]" } + rename => { "[zeek][opcua_binary_create_session][discovery_profile_link_id]" => "[zeek][opcua_binary_create_session_discovery][discovery_profile_link_id]" } + rename => { "[zeek][opcua_binary_create_session][endpoint_link_id]" => "[zeek][opcua_binary_create_session_endpoints][endpoint_link_id]" } + rename => { "[zeek][opcua_binary_create_session][opcua_link_id]" => "[zeek][opcua_binary][opcua_link_id]" } + rename => { "[zeek][opcua_binary_create_session_endpoints][user_token_link_id]" => "[zeek][opcua_binary_create_session_user_token][user_token_link_id]" } + rename => { "[zeek][opcua_binary_create_session_endpoints][discovery_profile_link_id]" => "[zeek][opcua_binary_create_session_discovery][discovery_profile_link_id]" } + 
rename => { "[zeek][opcua_binary_create_subscription][opcua_link_id]" => "[zeek][opcua_binary][opcua_link_id]" } + rename => { "[zeek][opcua_binary_get_endpoints][endpoint_description_link_id]" => "[zeek][opcua_binary_get_endpoints_description][endpoint_description_link_id]" } + rename => { "[zeek][opcua_binary_get_endpoints][locale_link_id]" => "[zeek][opcua_binary_get_endpoints_locale_id][locale_link_id]" } + rename => { "[zeek][opcua_binary_get_endpoints][opcua_link_id]" => "[zeek][opcua_binary][opcua_link_id]" } + rename => { "[zeek][opcua_binary_get_endpoints][profile_uri_link_id]" => "[zeek][opcua_binary_get_endpoints_profile_uri][profile_uri_link_id]" } + rename => { "[zeek][opcua_binary_get_endpoints_description][discovery_profile_link_id]" => "[zeek][opcua_binary_get_endpoints_discovery][discovery_profile_link_id]" } + rename => { "[zeek][opcua_binary_get_endpoints_description][user_token_link_id]" => "[zeek][opcua_binary_get_endpoints_user_token][user_token_link_id]" } + rename => { "[zeek][opcua_binary_opensecure_channel][opcua_link_id]" => "[zeek][opcua_binary][opcua_link_id]" } + } + + # count the number of contributing "log types" after we've renamed stuff + ruby { + id => "ruby_zeek_opcua_binary_log_types" + code => " + zeekHash = event.get('[zeek]') + if !zeekHash.nil? 
&& zeekHash.is_a?(Hash) then + event.set('[zeek][opcua_binary][log_types]', zeekHash.count { |_, v| v.is_a?(Hash) }) + end + " + } + + if ([zeek][opcua_binary_activate_session][ext_obj_password]) { + mutate { id => "mutate_merge_zeek_opcua_binary_activate_session_ext_obj_password" + merge => { "[related][password]" => "[zeek][opcua_binary_activate_session][ext_obj_password]" } } + } + + if ([zeek][opcua_binary_activate_session][ext_obj_user_name]) { + mutate { id => "mutate_merge_zeek_opcua_binary_activate_session_ext_obj_user_name" + merge => { "[related][user]" => "[zeek][opcua_binary_activate_session][ext_obj_user_name]" } } + } + + if ([zeek][opcua_binary_create_session_user_token][user_token_policy_id]) { + mutate { id => "mutate_merge_zeek_opcua_binary_create_session_user_token_user_token_policy_id" + merge => { "[related][user]" => "[zeek][opcua_binary_create_session_user_token][user_token_policy_id]" } } + } + + if ([zeek][opcua_binary_get_endpoints_user_token][user_token_policy_id]) { + mutate { id => "mutate_merge_zeek_opcua_binary_get_endpoints_user_token_user_token_policy_id" + merge => { "[related][user]" => "[zeek][opcua_binary_get_endpoints_user_token][user_token_policy_id]" } } + } + + if ([zeek][opcua_binary_activate_session][ext_obj_policy_id]) and + ([zeek][opcua_binary_activate_session][ext_obj_type_id_str] =~ /(User(Name)?IdentityToken|AnonymousIdentityToken)/) { + mutate { id => "mutate_merge_zeek_opcua_binary_activate_session_ext_obj_policy_id" + merge => { "[related][user]" => "[zeek][opcua_binary_activate_session][ext_obj_policy_id]" } } + } + + if ([zeek][opcua_binary_create_session_endpoints][text]) { + mutate { id => "mutate_add_field_zeek_opcua_binary_create_session_endpoints_text_software_name" + add_field => { "[zeek][software][name]" => "%{[zeek][opcua_binary_create_session_endpoints][text]}" } } + mutate { id => "mutate_add_field_zeek_opcua_binary_create_session_endpoints_text_software_type" + add_field => { 
"[zeek][software][software_type]" => "OPCUA" } } + } + + if ([zeek][opcua_binary_get_endpoints_description][text]) { + mutate { id => "mutate_add_field_zeek_opcua_binary_get_endpoints_description_text_software_name" + add_field => { "[zeek][software][name]" => "%{[zeek][opcua_binary_get_endpoints_description][text]}" } } + mutate { id => "mutate_add_field_zeek_opcua_binary_get_endpoints_description_text_software_type" + add_field => { "[zeek][software][software_type]" => "OPCUA" } } } } else if ([log_source] == "ospf") { 
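Review bot: In `ruby_zeek_opcua_binary_log_types` the `!zeekHash.nil? &&` guard is redundant because `is_a?(Hash)` is already false for nil, and the count includes every Hash-valued key under `[zeek]` rather than only the `opcua_binary*` sub-hashes, so any other nested zeek object present on the event at this point would inflate `log_types`; `zeekHash.count { |k, v| v.is_a?(Hash) && k.to_s.start_with?('opcua_binary') }` matches what the comment above it describes. The merge of `[zeek][opcua_binary_activate_session][ext_obj_password]` into `[related][password]` indexes what appears to be a cleartext credential captured from an ActivateSession request; a comment stating that, e.g. `# ext_obj_password is a credential observed on the wire; it lands in related.password like other captured secrets`, makes the data-handling implication visible to whoever maintains index access controls. The enclosing `else if` chain on `[log_source]` begins before this hunk.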
@@ -5000,32 +5709,14 @@ filter { mutate { id => "mutate_split_zeek_rdp_client_channels" split => { "[zeek][rdp][client_channels]" => "," } } - - } else if ([log_source] == "s7comm") { + } else if ([log_source] == "s7comm_read_szl") { ############################################################################################################################# - # s7comm.log specific logic + # s7comm_read_szl.log specific logic - if ([zeek][s7comm][parameter]) { - ruby { - id => "ruby_zeek_s7comm_parse_parameter" - code => " - parameterHash = event.get('[zeek][s7comm][parameter]').split(',').each_with_object({}) do |a, hash| - key,value = a.split(/\s*=\s*/) - hash[key] = value - end - event.set('[zeek][s7comm][parameters]', parameterHash)" - } - mutate { id => "mutate_split_field_s7comm_parameter" - split => { "[zeek][s7comm][parameter]" => "," } } - } + # so we can link s7comm and s7comm_read_szl by this field + mutate { id => "mutate_rename_zeek_s7comm_read_szl_pdu_reference" + rename => { "[zeek][s7comm_read_szl][pdu_reference]" => "[zeek][s7comm][pdu_reference]" } } - if ([zeek][s7comm][data_info] == "Null") { - mutate { id => "mutate_remove_field_s7comm_data_info_null" - remove_field => [ "[zeek][s7comm][data_info]" ] } - } else if ([zeek][s7comm][data_info]) { - mutate { id => "mutate_split_field_s7comm_data_info" - split => { "[zeek][s7comm][data_info]" => "," } } - } } else if ([log_source] == "signatures") { ############################################################################################################################# @@ -5091,7 +5782,7 @@ filter { if (![event][module]) { ruby { id => "ruby_add_field_zeek_signature_event_module" - code => "event.set('[event][module]', [ 'zeek' ].flatten.compact)" } + code => "event.set('[event][module]', [ 'zeek' ].flatten.reject{ |e| e.nil? || e&.empty? })" } } # ECS - zeek.signatures.note -> rule.category 
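Review bot: The `mutate_rename_zeek_s7comm_read_szl_pdu_reference` rename creates a `[zeek][s7comm]` object on `s7comm_read_szl` events, so any later guard of the form `if ([zeek][s7comm])` — for instance the action and result generation this same commit adds in 12_zeek_normalize.conf — now also fires for SZL reads. That appears harmless there only because the generated action is dropped when empty and no `error_class` is present, which is a fragile coupling worth recording next to the rename, e.g. `# so we can link s7comm and s7comm_read_szl by this field (this also makes [zeek][s7comm] truthy for s7comm_read_szl events in later stages)`. The enclosing `else if` chain on `[log_source]` starts before and ends after this hunk.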
@@ -5130,12 +5821,12 @@ filter { event.set('ruby_exception', 'ruby_signatures_attack_extract: ' + e.message) end if (matches.length > 0) then - tacticNames = matches.map{ |x| x[1].gsub(' ', '_') }.compact - tacticIds = tacticNames.clone.map(&:clone).map{ |x| $tacticIdMap[x] }.compact - tacticRefs = tacticIds.clone.map(&:clone).map { |x| x.gsub(/\..*/, '').prepend('https://attack.mitre.org/tactics/') }.uniq.compact - techniqueNames = matches.map{ |x| [x[2], x[3]].compact.join(':') }.compact - techniqueIds = matches.map{ |x| x[4] }.compact - techniqueRefs = techniqueIds.clone.map(&:clone).map { |x| x.gsub(/\..*/, '').prepend('https://attack.mitre.org/techniques/') }.uniq.compact + tacticNames = matches.map{ |x| x[1].gsub(' ', '_') }.reject{ |e| e.nil? || e&.empty? } + tacticIds = tacticNames.clone.map(&:clone).map{ |x| $tacticIdMap[x] }.reject{ |e| e.nil? || e&.empty? } + tacticRefs = tacticIds.clone.map(&:clone).map { |x| x.gsub(/\..*/, '').prepend('https://attack.mitre.org/tactics/') }.uniq.reject{ |e| e.nil? || e&.empty? } + techniqueNames = matches.map{ |x| [x[2], x[3]].reject{ |e| e.nil? || e&.empty? }.join(':') }.reject{ |e| e.nil? || e&.empty? } + techniqueIds = matches.map{ |x| x[4] }.reject{ |e| e.nil? || e&.empty? } + techniqueRefs = techniqueIds.clone.map(&:clone).map { |x| x.gsub(/\..*/, '').prepend('https://attack.mitre.org/techniques/') }.uniq.reject{ |e| e.nil? || e&.empty? } event.set('[threat][tactic][name]', tacticNames.uniq) unless (tacticNames.length == 0) event.set('[threat][tactic][id]', tacticIds.uniq) unless (tacticIds.length == 0) event.set('[threat][tactic][reference]', tacticRefs.uniq) unless (tacticRefs.length == 0) 
@@ -5169,7 +5860,7 @@ filter { mutate { id => "remove_field_zeek_sensitive_signature_multiple" remove_field => [ "[rule][category][0]" ] } ruby { id => "ruby_add_field_zeek_multiple_signatures" - code => "event.set('[rule][category]', [ 'Signatures::Multiple_Signatures', event.get('[rule][category]') ].flatten.compact)" } + code => "event.set('[rule][category]', [ 'Signatures::Multiple_Signatures', event.get('[rule][category]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } } @@ -5187,7 +5878,7 @@ filter { id => "ruby_zeek_field_zeek_sip_version" code => ' versions = Array.new - paths = [event.get("[zeek][sip][request_path]"), event.get("[zeek][sip][response_path]")].compact.join(",") + paths = [event.get("[zeek][sip][request_path]"), event.get("[zeek][sip][response_path]")].reject{ |e| e.nil? || e&.empty? }.join(",") paths.scan(/\bSIP:?\/([\d\.]+)/i) { |match| versions << match[0] } event.set("[zeek][sip][version]", versions.uniq)' } @@ -5722,13 +6413,13 @@ filter { add_field => { "[rule][reference]" => "https://docs.zeek.org/en/current/scripts/base/frameworks/notice/weird.zeek.html" } } # ECS - zeek.weird.name -> rule.name ruby { id => "ruby_add_field_ecs_zeek_rule_name_weird_name" - code => "event.set('[rule][name]', [ event.get('[zeek][weird][name]'), event.get('[rule][name]') ].flatten.compact)" } + code => "event.set('[rule][name]', [ event.get('[zeek][weird][name]'), event.get('[rule][name]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } ruby { id => "ruby_add_field_zeek_weird_event_original" code => " event.set('[event][original]', [event.get('[zeek][weird][name]'), - event.get('[zeek][weird][addl]')].compact.join(':'))" } + event.get('[zeek][weird][addl]')].reject{ |e| e.nil? || e&.empty? }.join(':'))" } # remove signature fields that were mapped to ECS or not useful mutate { id => "mutate_remove_fields_zeek_weird" 
@@ -5863,7 +6554,7 @@ filter { if ([event][dataset] == "smb_cmd") { ruby { id => "ruby_add_field_zeek_tmp_logtype_smb_cmd" - code => "event.set('[event][dataset]', [ 'smb_files', event.get('[event][dataset]') ].flatten.compact)" } + code => "event.set('[event][dataset]', [ 'smb_files', event.get('[event][dataset]') ].flatten.reject{ |e| e.nil? || e&.empty? })" } } # ECS - zeek.smb_files.times_created -> file.created diff --git a/logstash/pipelines/zeek/12_zeek_normalize.conf b/logstash/pipelines/zeek/12_zeek_normalize.conf index c9111bedb..125d3a264 100644 --- a/logstash/pipelines/zeek/12_zeek_normalize.conf +++ b/logstash/pipelines/zeek/12_zeek_normalize.conf @@ -80,7 +80,7 @@ filter { code => " versions = Array.new versions << [event.get('[zeek][ipsec][maj_ver]'), - event.get('[zeek][ipsec][min_ver]')].compact.join('.') + event.get('[zeek][ipsec][min_ver]')].reject{ |e| e.nil? || e&.empty? }.join('.') event.set('[network][protocol_version]', versions)" } } 
@@ -91,8 +91,12 @@ filter { if ([zeek][ntp][version]) { mutate { id => "mutate_merge_normalize_zeek_ntp_version" merge => { "[network][protocol_version]" => "[zeek][ntp][version]" } } } - if ([zeek][opcua_binary][version]) { mutate { id => "mutate_merge_normalize_zeek_opcua_binary_version" - merge => { "[network][protocol_version]" => "[zeek][opcua_binary][version]" } } } + if ([zeek][opcua_binary][version]) { mutate { id => "mutate_merge_normalize_zeek_opcua_binary_version" + merge => { "[network][protocol_version]" => "[zeek][opcua_binary][version]" } } } + + if ([zeek][opcua_binary_browse][browse_view_description_view_version]) { + mutate { id => "mutate_merge_normalize_zeek_opcua_binary_browse_browse_view_description_view_version" + merge => { "[network][protocol_version]" => "[zeek][opcua_binary_browse][browse_view_description_view_version]" } } } if ([zeek][opcua_binary_opensecure_channel][client_proto_ver]) { mutate { id => "mutate_merge_normalize_zeek_opcua_binary_opensecure_channel_client_proto_version" merge => { "[network][protocol_version]" => "[zeek][opcua_binary_opensecure_channel][client_proto_ver]" } } } @@ -131,6 +135,9 @@ filter { if ([zeek][rdp][client_build]) { mutate { id => "mutate_merge_normalize_zeek_rdp_client_build" merge => { "[network][protocol_version]" => "[zeek][rdp][client_build]" } } } + if ([zeek][s7comm_plus][version]) { mutate { id => "mutate_merge_normalize_zeek_s7comm_plus_version" + merge => { "[network][protocol_version]" => "[zeek][s7comm_plus][version]" } } } + if ([zeek][smb_cmd][version]) { mutate { id => "mutate_merge_normalize_zeek_smb_cmd_version" merge => { "[network][protocol_version]" => "[zeek][smb_cmd][version]" } } } 
@@ -175,7 +182,7 @@ filter { code => " actions = Array.new unless (actions = event.get('[event][action]')) actions.append([event.get('[zeek][bsap_ip_rdb][app_func_code]'), - event.get('[zeek][bsap_ip_rdb][func_code]')].compact.join(':')) + event.get('[zeek][bsap_ip_rdb][func_code]')].reject{ |e| e.nil? || e&.empty? }.join(':')) event.set('[event][action]', actions)" } } @@ -218,7 +225,7 @@ filter { actions = Array.new unless (actions = event.get('[event][action]')) actions.append([event.get('[zeek][dnp3_control][function_code]'), event.get('[zeek][dnp3_control][operation_type]'), - event.get('[zeek][dnp3_control][trip_control_code]')].compact.join(':')) + event.get('[zeek][dnp3_control][trip_control_code]')].reject{ |e| e.nil? || e&.empty? }.join(':')) event.set('[event][action]', actions)" } } @@ -286,8 +293,8 @@ filter { if ([zeek][irc][command]) { mutate { id => "mutate_merge_normalize_zeek_irc_command" merge => { "[event][action]" => "[zeek][irc][command]" } } } - if ([zeek][iso_cotp][pdu_type]) { mutate { id => "mutate_merge_normalize_zeek_iso_cotp_pdu_type" - merge => { "[event][action]" => "[zeek][iso_cotp][pdu_type]" } } } + if ([zeek][cotp][pdu_name]) { mutate { id => "mutate_merge_normalize_zeek_cotp_pdu_type" + merge => { "[event][action]" => "[zeek][cotp][pdu_name]" } } } if ([zeek][kerberos][request_type]) { mutate { id => "mutate_merge_normalize_zeek_kerberos_request_type" merge => { "[event][action]" => "[zeek][kerberos][request_type]" } } } 
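Review bot: The mutate id in the cotp hunk is `mutate_merge_normalize_zeek_cotp_pdu_type` while the merged field is `[zeek][cotp][pdu_name]`; ids in this file are otherwise derived from the field name, so `id => "mutate_merge_normalize_zeek_cotp_pdu_name"` keeps the convention and makes the filter findable from the field. If the `pdu_type` wording is intentional because the upstream field was renamed, a short comment saying so would stop the next reader from "fixing" it.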
@@ -364,11 +371,19 @@ filter { code => " actions = Array.new unless (actions = event.get('[event][action]')) actions.append([event.get('[zeek][opcua_binary][msg_type]'), - event.get('[zeek][opcua_binary][identifier_str]')].compact.join(':')) + event.get('[zeek][opcua_binary][identifier_str]')].reject{ |e| e.nil? || e&.empty? }.join(':')) event.set('[event][action]', actions)" } } + if ([zeek][opcua_binary_status_code_detail][source_str]) { + mutate { id => "mutate_merge_normalize_zeek_opcua_binary_status_code_detail_source_str" + merge => { "[event][action]" => "[zeek][opcua_binary_status_code_detail][source_str]" } } } + + if ([zeek][opcua_binary_browse][browse_service_type]) { + mutate { id => "mutate_merge_normalize_zeek_opcua_binary_browse_browse_service_type" + merge => { "[event][action]" => "[zeek][opcua_binary_browse][browse_service_type]" } } } + if ([zeek][profinet][operation_type]) { mutate { id => "mutate_merge_normalize_zeek_profinet_operation_type" merge => { "[event][action]" => "[zeek][profinet][operation_type]" } } } 
@@ -385,18 +400,44 @@ filter { if ([zeek][s7comm]) { ruby { - # action = rosctr:mode:type:sub + # action = rosctr_name:function_name:subfunction_name id => "ruby_zeek_s7comm_generate_action" code => " actions = Array.new unless (actions = event.get('[event][action]')) - actions.append([event.get('[zeek][s7comm][rosctr]'), - event.get('[zeek][s7comm][parameters][mode]'), - event.get('[zeek][s7comm][parameters][type]'), - event.get('[zeek][s7comm][parameters][sub]')].compact.join(':')) + action = [event.get('[zeek][s7comm][rosctr_name]'), + event.get('[zeek][s7comm][function_name]'), + event.get('[zeek][s7comm][subfunction_name]')].reject{ |e| e.nil? || e&.empty? }.join(':') + actions.append(action) unless action.nil? || action&.empty? event.set('[event][action]', actions)" } } + if ([zeek][s7comm_plus]) { + ruby { + # action = opcode:function + id => "ruby_zeek_s7comm_plus_generate_action" + code => " + actions = Array.new unless (actions = event.get('[event][action]')) + if (opcodeName = event.get('[zeek][s7comm_plus][opcode_name]').to_s).start_with?('Unknown') then + opcodeName = event.get('[zeek][s7comm_plus][opcode]') + end + if (functionName = event.get('[zeek][s7comm_plus][function_name]').to_s).start_with?('Unknown') then + functionName = event.get('[zeek][s7comm_plus][function_code]') + end + action = [opcodeName, functionName].reject{ |e| e.nil? || e&.empty? }.join(':') + actions.append(action) unless action.nil? || action&.empty? 
+ event.set('[event][action]', actions)" + } + } + + + if ([zeek][s7comm_read_szl][szl_id_name]) { + mutate { id => "mutate_add_field_metadata_zeek_s7comm_read_szl_action" + add_field => { "[@metadata][s7comm_read_szl_action]" => "Read-SZL %{[zeek][s7comm_read_szl][szl_id_name]}" } } + mutate { id => "mutate_merge_zeek_s7comm_read_szl_action" + merge => { "[event][action]" => "[@metadata][s7comm_read_szl_action]" } } + } + if ([zeek][sip][method]) { mutate { id => "mutate_merge_normalize_zeek_sip_method" merge => { "[event][action]" => "[zeek][sip][method]" } } } @@ -446,7 +487,7 @@ filter { cmd = event.get('[zeek][smb_cmd][command]') subCmd = event.get('[zeek][smb_cmd][sub_command]') actions = Array.new unless (actions = event.get('[event][action]')) - actions.append((cmd =~ /^\s*transaction\d*\s*$/i) ? subCmd : [cmd, subCmd].compact.join(':')) + actions.append((cmd =~ /^\s*transaction\d*\s*$/i) ? subCmd : [cmd, subCmd].reject{ |e| e.nil? || e&.empty? }.join(':')) event.set('[event][action]', actions)" } } 
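Review bot: In `ruby_zeek_s7comm_plus_generate_action` the fallbacks `event.get('[zeek][s7comm_plus][opcode]')` and `event.get('[zeek][s7comm_plus][function_code]')` are not passed through `.to_s` as the `_name` fields are, so if either code arrives as a number the following `e&.empty?` raises NoMethodError (Integer has no `empty?`) and the event is tagged with a ruby exception; appending `.to_s` to both fallback assignments removes that dependency on upstream typing. `action` is the result of `join` and can never be nil, so `unless action.nil? || action&.empty?` reduces to `unless action.empty?` here and in the s7comm block directly above it. A comment on the `Unknown` test would also help, e.g. `# names starting with 'Unknown' are replaced by the raw code so the action stays specific`. The surrounding `filter { }` block extends beyond the hunk.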
@@ -764,13 +805,43 @@ filter { merge => { "[event][result]" => "[@metadata][zeek_ntlm_result]" } } } - if ([zeek][opcua_binary_status_code_detail]) { - if ([zeek][opcua_binary_status_code_detail][sub_code_str]) { - mutate { id => "mutate_merge_zeek_opcua_binary_status_code_detail_sub_code_str_result" - merge => { "[event][result]" => "[zeek][opcua_binary_status_code_detail][sub_code_str]" } } - } else if if ([zeek][opcua_binary_status_code_detail][status_code]) { - mutate { id => "mutate_merge_zeek_opcua_binary_status_code_detail_status_code_result" - merge => { "[event][result]" => "[zeek][opcua_binary_status_code_detail][status_code]" } } + if ([zeek][opcua_binary][error] or [zeek][opcua_binary][reason]) { + ruby { + # result = error:reason + id => "ruby_zeek_opcua_binary_generate_result" + code => " + results = Array.new unless (results = event.get('[event][result]')) + results.append([event.get('[zeek][opcua_binary][error]'), + event.get('[zeek][opcua_binary][reason]')].reject{ |e| e.nil? || e&.empty? }.join(':')) + event.set('[event][result]', results)" + } + } + + if ([zeek][opcua_binary_status_code_detail][severity_str] or [zeek][opcua_binary_status_code_detail][sub_code_str]) { + ruby { + # result = severity_str:sub_code_str + id => "ruby_zeek_opcua_binary_status_code_detail_generate_result" + code => " + results = Array.new unless (results = event.get('[event][result]')) + errClass = event.get('[zeek][opcua_binary_status_code_detail][severity_str]').to_s.delete_prefix('Severity_') + errMsg = event.get('[zeek][opcua_binary_status_code_detail][sub_code_str]') + errClass = if (errClass == 'Good') + 'Success' + elsif (errClass == 'Bad') + 'Failure' + else + errClass + end + errMsg = if (errMsg == 'Good') + 'Success' + elsif (errMsg == 'Bad') + 'Failure' + else + errMsg + end + errFinal = [errClass, errMsg].reject{ |e| e.nil? || e&.empty? }.uniq.join(':') + results.append(errFinal) unless errFinal&.empty? 
+ event.set('[event][result]', results) unless (results.length == 0)" } } @@ -797,18 +868,25 @@ filter { if ([zeek][rdp][result]) { mutate { id => "mutate_merge_normalize_zeek_rdp_result" merge => { "[event][result]" => "[zeek][rdp][result]" } } } - if ([zeek][s7comm][parameters][code]) { - # reference: https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-s7comm.c - translate { - id => "translate_zeek_s7comm_parameters_code" - source => "[zeek][s7comm][parameters][code]" - target => "[@metadata][zeek_s7comm_mapped_result]" - dictionary_path => "/etc/s7comm_result_codes.yaml" - fallback => "%{[zeek][s7comm][parameters][code]}" + if ([zeek][s7comm]) { + if ([zeek][s7comm][error_class] == 'No error') { + mutate { id => "mutate_add_field_zeek_s7comm_success" + add_field => { "[@metadata][zeek_s7comm_success]" => "Success" } } + mutate { id => "mutate_merge_field_zeek_s7comm_success" + merge => { "[event][result]" => "[@metadata][zeek_s7comm_success]" } } + } else if ([zeek][s7comm][error_class]) { + mutate { id => "mutate_merge_zeek_s7comm_non_status" + merge => { "[event][result]" => "[zeek][s7comm][error_class]" } } } - if ([@metadata][zeek_s7comm_mapped_result]) { - mutate { id => "mutate_merge_zeek_s7comm_mapped_result" - merge => { "[event][result]" => "[@metadata][zeek_s7comm_mapped_result]" } } + } + + if ([zeek][s7comm_read_szl]) { + if ([zeek][s7comm_read_szl][return_code_name]) { + mutate { id => "mutate_merge_zeek_s7comm_read_szl_return_code_name_result" + merge => { "[event][result]" => "[zeek][s7comm_read_szl][return_code_name]" } } + } else if ([zeek][s7comm_read_szl][return_code]) { + mutate { id => "mutate_merge_zeek_s7comm_read_szl_return_code_result" + merge => { "[event][result]" => "[zeek][s7comm_read_szl][return_code]" } } } } 
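Review bot: The Good/Bad → Success/Failure mapping in `ruby_zeek_opcua_binary_status_code_detail_generate_result` is written out twice, once for `errClass` and once for `errMsg`, so the two copies can drift; a small lookup lambda expresses it once and halves the block. `errFinal` is produced by `join` and cannot be nil, so `unless errFinal&.empty?` only needs `unless errFinal.empty?`. The rewritten lines follow; the `if`/`ruby` wrapper and the final `event.set` are unchanged.
```ruby
# … unchanged: results = Array.new unless (results = event.get('[event][result]')) …
# OPC UA 'Good'/'Bad' are reported as Success/Failure; any other severity or sub-code is kept verbatim
xlat = ->(s) { { 'Good' => 'Success', 'Bad' => 'Failure' }.fetch(s, s) }
errClass = xlat.call(event.get('[zeek][opcua_binary_status_code_detail][severity_str]').to_s.delete_prefix('Severity_'))
errMsg = xlat.call(event.get('[zeek][opcua_binary_status_code_detail][sub_code_str]'))
errFinal = [errClass, errMsg].reject{ |e| e.nil? || e.empty? }.uniq.join(':')
results.append(errFinal) unless errFinal.empty?
# … unchanged: event.set('[event][result]', results) unless (results.length == 0) …
```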
@@ -1120,9 +1198,9 @@ filter { smbShare = Array(smbShare).first.delete_prefix('\\').delete_suffix('\\') unless smbShare.nil? or (smbShare.length == 0) smbFile = Array(smbFile).first.delete_prefix('\\') unless smbFile.nil? or (smbFile.length == 0) - fullParts = [smbHost, smbShare, smbFile].compact + fullParts = [smbHost, smbShare, smbFile].reject{ |e| e.nil? || e&.empty? } filePath << fullParts.join('\\') - fileDir << [smbHost, smbShare].compact.join('\\') + fileDir << [smbHost, smbShare].reject{ |e| e.nil? || e&.empty? }.join('\\') if !smbFile.nil? and (smbFile.length > 0) then fileName << fullParts.last end 
@@ -1194,47 +1272,25 @@ filter { # URLs/URIs ######################################################################################################### # ECS - various -> url.original - if ([zeek][opcua_binary][endpoint_url]) { mutate { id => "mutate_merge_field_zeek_opcua_binary_endpoint_url_url_original" - merge => { "[url][original]" => "[zeek][opcua_binary][endpoint_url]" } } } - - if ([zeek][opcua_binary][sec_policy_uri]) { mutate { id => "mutate_merge_field_zeek_opcua_binary_sec_policy_uri_url_original" - merge => { "[url][original]" => "[zeek][opcua_binary][sec_policy_uri]" } } } - - if ([zeek][opcua_binary_diag_info_detail][namespace_uri_str]) { mutate { id => "mutate_merge_field_zeek_opcua_binary_diag_info_detail_namespace_uri_str_url_original" - merge => { "[url][original]" => "[zeek][opcua_binary_diag_info_detail][namespace_uri_str]" } } } - - if ([zeek][opcua_binary_get_endpoints][application_uri]) { mutate { id => "mutate_merge_field_zeek_opcua_binary_get_endpoints_application_uri_url_original" - merge => { "[url][original]" => "[zeek][opcua_binary_get_endpoints][application_uri]" } } } - - if ([zeek][opcua_binary_get_endpoints][endpoint_url]) { mutate { id => "mutate_merge_field_zeek_opcua_binary_get_endpoints_endpoint_url_url_original" - merge => { "[url][original]" => "[zeek][opcua_binary_get_endpoints][endpoint_url]" } } } - - if ([zeek][opcua_binary_get_endpoints][gateway_server_uri]) { mutate { id => "mutate_merge_field_zeek_opcua_binary_get_endpoints_gateway_server_uri_url_original" - merge => { "[url][original]" => "[zeek][opcua_binary_get_endpoints][gateway_server_uri]" } } } - - if ([zeek][opcua_binary_get_endpoints][product_uri]) { mutate { id => "mutate_merge_field_zeek_opcua_binary_get_endpoints_product_uri_url_original" - merge => { "[url][original]" => "[zeek][opcua_binary_get_endpoints][product_uri]" } } } - - if ([zeek][opcua_binary_get_endpoints][profile_uri]) { mutate { id => 
"mutate_merge_field_zeek_opcua_binary_get_endpoints_profile_uri_url_original" - merge => { "[url][original]" => "[zeek][opcua_binary_get_endpoints][profile_uri]" } } } - - if ([zeek][opcua_binary_get_endpoints][security_policy_uri]) { mutate { id => "mutate_merge_field_zeek_opcua_binary_get_endpoints_security_policy_uri_url_original" - merge => { "[url][original]" => "[zeek][opcua_binary_get_endpoints][security_policy_uri]" } } } - - if ([zeek][opcua_binary_get_endpoints][transport_profile_uri]) { mutate { id => "mutate_merge_field_zeek_opcua_binary_get_endpoints_transport_profile_uri_url_original" - merge => { "[url][original]" => "[zeek][opcua_binary_get_endpoints][transport_profile_uri]" } } } - - if ([zeek][opcua_binary_get_endpoints_discovery][discovery_profile_uri]) { mutate { id => "mutate_merge_field_zeek_opcua_binary_get_endpoints_discovery_discovery_profile_uri_url_original" - merge => { "[url][original]" => "[zeek][opcua_binary_get_endpoints_discovery][discovery_profile_uri]" } } } - - if ([zeek][opcua_binary_get_endpoints_discovery][discovery_profile_url]) { mutate { id => "mutate_merge_field_zeek_opcua_binary_get_endpoints_discovery_discovery_profile_url_url_original" - merge => { "[url][original]" => "[zeek][opcua_binary_get_endpoints_discovery][discovery_profile_url]" } } } - - if ([zeek][opcua_binary_get_endpoints_user_token][user_token_endpoint_url]) { mutate { id => "mutate_merge_field_zeek_opcua_binary_get_endpoints_user_token_user_token_endpoint_url_url_original" - merge => { "[url][original]" => "[zeek][opcua_binary_get_endpoints_user_token][user_token_endpoint_url]" } } } - - if ([zeek][opcua_binary_get_endpoints_user_token][user_token_sec_policy_uri]) { mutate { id => "mutate_merge_field_zeek_opcua_binary_get_endpoints_user_token_user_token_sec_policy_uri_url_original" - merge => { "[url][original]" => "[zeek][opcua_binary_get_endpoints_user_token][user_token_sec_policy_uri]" } } } + if ([zeek][opcua_binary][log_types]) { + # OPCUA has a TON 
of URL/URI types, let's just get them all at once based + # on the key name =~ /_ur[il](_str(ing))?/ + ruby { + id => "ruby_zeek_opcua_binary_all_uris" + code => ' + urls = Array.new unless (urls = event.get("[url][original]")) + zeekVals = event.get("[zeek]") + if !zeekVals.nil? and (zeekVals.length > 0) then + flattened = (q = zeekVals.to_a).select { |key, value| + value = (1..value.size).zip(value).to_h if value.is_a? Array + !value.is_a?(Hash) || !value.each { |k, v| q << ["#{key}.#{k}", v] } + }.to_h.select { |key, value| value.is_a?String and (key =~ /opcua/) and (key !~ /\.has_/) and (!(key =~ /_ur[il](_str(ing))?$/).nil?) }.values.uniq + urls.concat(flattened) unless flattened.nil? or (flattened.length == 0) + end + event.set("[url][original]", urls) unless urls.nil? or (urls.length == 0) + ' + } + } if ([zeek][software][url]) { mutate { id => "mutate_merge_field_zeek_software_url_url_original" merge => { "[url][original]" => "[zeek][software][url]" } } } diff --git a/logstash/pipelines/zeek/13_zeek_convert.conf b/logstash/pipelines/zeek/13_zeek_convert.conf index 995d76845..86374e227 100644 --- a/logstash/pipelines/zeek/13_zeek_convert.conf +++ b/logstash/pipelines/zeek/13_zeek_convert.conf 
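Review bot: `ruby_zeek_opcua_binary_all_uris` depends on Array#select visiting elements that its own block appends to `q` during iteration, and on `!value.each { … }` evaluating to false for hashes; that happens to work because Array#select walks by index, but nothing in the code says so and it is easy to break, so a comment is the minimum, e.g. `# q grows while select walks it: nested hashes are pushed back as dotted keys and themselves filtered out, flattening [zeek] one level per pass`. The guard `[zeek][opcua_binary][log_types]` is only produced by `ruby_zeek_opcua_binary_log_types` in 11_zeek_logs.conf (same commit), so `# [zeek][opcua_binary][log_types] is set in 11_zeek_logs.conf and marks OPC UA records` would document the cross-file dependency. `value.is_a?String` should be `value.is_a?(String)` to match the parenthesised calls in the same block.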
@@ -136,15 +136,15 @@ filter {
 }
 }
- if ([zeek][opcua_binary][req_hdr_timeout_hint]) {
- if ([zeek][opcua_binary][req_hdr_timeout_hint] == "0.000000") {
- mutate { id => "mutate_remove_field_zeek_opcua_binary_req_hdr_timeout_hint_zero"
- remove_field => [ "[zeek][opcua_binary][req_hdr_timeout_hint]" ] }
+ if ([zeek][opcua_binary_browse][browse_view_description_timestamp]) {
+ if ([zeek][opcua_binary_browse][browse_view_description_timestamp] == "0.000000") {
+ mutate { id => "mutate_remove_field_zeek_opcua_binary_browse_view_description_timestamp"
+ remove_field => [ "[zeek][opcua_binary_browse][browse_view_description_timestamp]" ] }
 } else {
 date {
- id => "date_zeek_opcua_binary_req_hdr_timeout_hint"
- match => [ "[zeek][opcua_binary][req_hdr_timeout_hint]", "UNIX" ]
- target => "[zeek][opcua_binary][req_hdr_timeout_hint]"
+ id => "date_zeek_opcua_binary_browse_view_description_timestamp_hint"
+ match => [ "[zeek][opcua_binary_browse][browse_view_description_timestamp]", "UNIX" ]
+ target => "[zeek][opcua_binary_browse][browse_view_description_timestamp]"
 }
 }
 }
diff --git a/logstash/scripts/logstash-start.sh b/logstash/scripts/logstash-start.sh
index 23cb44d9f..dfea12e45 100755
--- a/logstash/scripts/logstash-start.sh
+++ b/logstash/scripts/logstash-start.sh
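Review bot: The date filter id `date_zeek_opcua_binary_browse_view_description_timestamp_hint` carries over the `_hint` suffix from the `req_hdr_timeout_hint` block it replaced, while the field it parses is `browse_view_description_timestamp`; `id => "date_zeek_opcua_binary_browse_view_description_timestamp"` matches the sibling mutate id and the naming used elsewhere in this file. The `"0.000000"` comparison would also benefit from a one-line comment, e.g. `# "0.000000" appears to mean the timestamp was never set; drop it rather than parsing it as the epoch`, since the string form is what makes the equality test work at this stage.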
@@ -36,6 +36,19 @@ OPENSEARCH_OUTPUT_PIPELINE_ADDRESSES=${LOGSTASH_OPENSEARCH_OUTPUT_PIPELINE_ADDRE
 # ip-to-segment-logstash.py translate $INPUT_CIDR_MAP, $INPUT_HOST_MAP, $INPUT_MIXED_MAP into this logstash filter file
 NETWORK_MAP_OUTPUT_FILTER="$PIPELINES_DIR"/"$ENRICHMENT_PIPELINE"/16_host_segment_filters.conf
+# output plugin configuration for primary and secondary opensearch destinations
+OPENSEARCH_LOCAL=${OPENSEARCH_LOCAL:-"true"}
+OPENSEARCH_SECONDARY=${OPENSEARCH_SECONDARY:-"false"}
+
+OPENSEARCH_SSL_CERTIFICATE_VERIFICATION=${OPENSEARCH_SSL_CERTIFICATE_VERIFICATION:-"false"}
+OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION=${OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION:-"false"}
+
+OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/opensearch.primary.curlrc"}
+OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE=${OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE:-"/var/local/opensearch.secondary.curlrc"}
+
+[[ "$OPENSEARCH_SECONDARY" != "true" ]] && OPENSEARCH_SECONDARY_URL=
+export OPENSEARCH_SECONDARY_URL
+
 ####################################################################################################################
 # copy over pipeline filters from host-mapped volumes (if any) into their final resting places
@@ -53,7 +66,7 @@ find "$PIPELINES_DIR" -mindepth 1 -maxdepth 1 -type d -print0 2>/dev/null | sort
 xargs -0 -n 1 -I '{}' bash -c '
 PIPELINE_NAME="$(basename "{}")"
 PIPELINE_ADDRESS_NAME="$(cat "{}"/*.conf | sed -e "s/:[\}]*.*\(}\)/\1/" | envsubst | grep -P "\baddress\s*=>" | awk "{print \$3}" | sed "s/[\"'']//g" | head -n 1)"
- if [[ -n "$OS_EXTERNAL_HOSTS" ]] || [[ "$PIPELINE_ADDRESS_NAME" != "$OPENSEARCH_PIPELINE_ADDRESS_EXTERNAL" ]]; then
+ if [[ -n "$OPENSEARCH_SECONDARY_URL" ]] || [[ "$PIPELINE_ADDRESS_NAME" != "$OPENSEARCH_PIPELINE_ADDRESS_EXTERNAL" ]]; then
 echo "- pipeline.id: malcolm-$PIPELINE_NAME" >> "$PIPELINES_CFG"
 echo " path.config: "{}"" >> "$PIPELINES_CFG"
 echo " pipeline.ecs_compatibility: disabled" >> "$PIPELINES_CFG"
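Review bot: `OPENSEARCH_SSL_CERTIFICATE_VERIFICATION` and its `_SECONDARY_` counterpart default to `"false"`, so unless an operator sets them explicitly the output will accept any server certificate for an HTTPS OpenSearch URL, and the credentials loaded from the curlrc files named just below are then sent to a peer whose identity was never checked; the secondary (remote) destination is exactly the case where verification matters most. Consider defaulting the secondary variable to `"true"`, or at minimum stating the trade-off where the default is set, e.g. `# verification is off by default to tolerate the self-signed cert of the bundled instance; set to true for any remote OpenSearch`. These values are presumably consumed by the output plugin configuration substituted later in this script, which lies outside the hunk.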
@@ -68,7 +81,7 @@ find "$PIPELINES_DIR" -mindepth 1 -maxdepth 1 -type d -print0 2>/dev/null | sort rm -f "$NETWORK_MAP_OUTPUT_FILTER" /usr/local/bin/ip-to-segment-logstash.py --mixed "$INPUT_MIXED_MAP" --segment "$INPUT_CIDR_MAP" --host "$INPUT_HOST_MAP" -o "$NETWORK_MAP_OUTPUT_FILTER" -if [[ -z "$OS_EXTERNAL_HOSTS" ]]; then +if [[ -z "$OPENSEARCH_SECONDARY_URL" ]]; then # external ES host destination is not specified, remove external destination from enrichment pipeline output OPENSEARCH_OUTPUT_PIPELINE_ADDRESSES="$(echo "$OPENSEARCH_OUTPUT_PIPELINE_ADDRESSES" | sed "s/,[[:blank:]]*$OPENSEARCH_PIPELINE_ADDRESS_EXTERNAL//")" fi 
@@ -77,10 +90,45 @@ fi MALCOLM_PARSE_PIPELINE_ADDRESSES=$(printf '"%s"\n' "${PARSE_PIPELINE_ADDRESSES//,/\",\"}") MALCOLM_OPENSEARCH_OUTPUT_PIPELINES=$(printf '"%s"\n' "${OPENSEARCH_OUTPUT_PIPELINE_ADDRESSES//,/\",\"}") +# get the username/password for opensearch from the curlrf file(s) for both primary and secondary outputs +# (I already wrote python code to do this, so sue me) +OPENSSL_USER= +OPENSSL_PASSWORD= +if [[ "$OPENSEARCH_LOCAL" == "false" ]] && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE" ]]; then + pushd "$(dirname $(realpath -e "${BASH_SOURCE[0]}"))" >/dev/null 2>&1 + NEW_USER_PASSWORD="$(python3 -c "import malcolm_common; result=malcolm_common.ParseCurlFile('$OPENSEARCH_CREDS_CONFIG_FILE'); print(result['user']+'|'+result['password']);")" + OPENSSL_USER="$(echo "$NEW_USER_PASSWORD" | cut -d'|' -f1)" + OPENSSL_PASSWORD="$(echo "$NEW_USER_PASSWORD" | cut -d'|' -f2-)" + popd >/dev/null 2>&1 +fi + +OPENSSL_SECONDARY_USER= +OPENSSL_SECONDARY_PASSWORD= +if [[ "$OPENSEARCH_SECONDARY" == "true" ]] && [[ -r "$OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE" ]]; then + pushd "$(dirname $(realpath -e "${BASH_SOURCE[0]}"))" >/dev/null 2>&1 + NEW_SECONDARY_USER_PASSWORD="$(python3 -c "import malcolm_common; result=malcolm_common.ParseCurlFile('$OPENSEARCH_SECONDARY_CREDS_CONFIG_FILE'); print(result['user']+'|'+result['password']);")" + OPENSSL_SECONDARY_USER="$(echo "$NEW_SECONDARY_USER_PASSWORD" | cut -d'|' -f1)" + OPENSSL_SECONDARY_PASSWORD="$(echo "$NEW_SECONDARY_USER_PASSWORD" | cut -d'|' -f2-)" + popd >/dev/null 2>&1 +fi + +# set some permissions restrictions for conf files we're going to put passwords into +find "$PIPELINES_DIR" -type f -name "*.conf" -exec grep -H -P "_MALCOLM_LOGSTASH_OPENSEARCH\w*_PASSWORD_" "{}" \; | \ + cut -d: -f1 | \ + xargs -r -l chmod 600 + # do a manual global replace on these particular values in the config files, as Logstash doesn't like the environment variables with quotes in them find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i 
"s/_MALCOLM_OPENSEARCH_OUTPUT_PIPELINES_/${MALCOLM_OPENSEARCH_OUTPUT_PIPELINES}/g" "{}" \; 2>/dev/null find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_PARSE_PIPELINE_ADDRESSES_/${MALCOLM_PARSE_PIPELINE_ADDRESSES}/g" "{}" \; 2>/dev/null +find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_OPENSEARCH_SSL_VERIFICATION_/${OPENSEARCH_SSL_CERTIFICATE_VERIFICATION}/g" "{}" \; 2>/dev/null +find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_OPENSEARCH_USER_/${OPENSSL_USER}/g" "{}" \; 2>/dev/null +find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_OPENSEARCH_PASSWORD_/${OPENSSL_PASSWORD}/g" "{}" \; 2>/dev/null + +find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_OPENSEARCH_SECONDARY_SSL_VERIFICATION_/${OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION}/g" "{}" \; 2>/dev/null +find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_OPENSEARCH_SECONDARY_USER_/${OPENSSL_SECONDARY_USER}/g" "{}" \; 2>/dev/null +find "$PIPELINES_DIR" -type f -name "*.conf" -exec sed -i "s/_MALCOLM_LOGSTASH_OPENSEARCH_SECONDARY_PASSWORD_/${OPENSSL_SECONDARY_PASSWORD}/g" "{}" \; 2>/dev/null + # import trusted CA certificates if necessary /usr/local/bin/jdk-cacerts-auto-import.sh || true diff --git a/nginx/scripts/docker_entrypoint.sh b/nginx/scripts/docker_entrypoint.sh index 1ff06482c..8215af859 100755 --- a/nginx/scripts/docker_entrypoint.sh +++ b/nginx/scripts/docker_entrypoint.sh @@ -59,7 +59,7 @@ NGINX_RUNTIME_LDAP_CONF=/etc/nginx/nginx_ldap_rt.conf # config file for stunnel if using stunnel to issue LDAP StartTLS function STUNNEL_CONF=/etc/stunnel/stunnel.conf -CA_TRUST_HOST_DIR=/etc/nginx/ca-trust +CA_TRUST_HOST_DIR=/var/local/ca-trust CA_TRUST_RUN_DIR=/var/run/ca-trust # copy trusted CA certs to runtime directory and c_rehash them to create symlinks 
diff --git a/pcap-monitor/supervisord.conf b/pcap-monitor/supervisord.conf index 6934fbc7d..d0e578f01 100644 --- a/pcap-monitor/supervisord.conf +++ b/pcap-monitor/supervisord.conf @@ -1,5 +1,6 @@ ; Copyright (c) 2022 Battelle Energy Alliance, LLC. All rights reserved. + [unix_http_server] file=/tmp/supervisor.sock ; (the path to the socket file) chmod=0700 @@ -31,6 +32,8 @@ command=python3 /usr/local/bin/pcap_watcher.py --verbose "%(ENV_PCAP_PIPELINE_DEBUG)s" --extra-verbose "%(ENV_PCAP_PIPELINE_DEBUG_EXTRA)s" --opensearch "%(ENV_OPENSEARCH_URL)s" + --opensearch-curlrc "%(ENV_OPENSEARCH_CREDS_CONFIG_FILE)s" + --opensearch-ssl-verify %(ENV_OPENSEARCH_SSL_CERTIFICATE_VERIFICATION)s --opensearch-wait --node "%(ENV_PCAP_NODE_NAME)s" --ignore-existing "%(ENV_PCAP_PIPELINE_IGNORE_PREEXISTING)s" diff --git a/scripts/control.py b/scripts/control.py index 19bf469d2..b2ad796bd 100755 --- a/scripts/control.py +++ b/scripts/control.py @@ -19,6 +19,7 @@ from base64 import b64encode from collections import defaultdict, namedtuple from subprocess import PIPE, STDOUT, Popen, check_call, CalledProcessError +from urllib.parse import urlparse try: from contextlib import nullcontext @@ -140,7 +141,7 @@ def keystore_op(service, dropPriv=False, *keystore_args, **run_process_kwargs): '-T' if ('stdin' in run_process_kwargs and run_process_kwargs['stdin']) else '', # execute as UID:GID in docker-compose.yml file '-u', - f'{uidGidDict["PUID"]}:{uidGidDict["PGID"]}' + f'{uidGidDict["PUID"]}:{uidGidDict["PGID"]}', # the work directory in the container is the directory to contain the keystore file '-w', volumeKeystoreDir, @@ -270,6 +271,8 @@ def logs(): global dockerBin global dockerComposeBin + urlUserPassRegEx = re.compile(r'(\w+://[^/]+?:)[^/]+?(@[^/]+)') + # noisy logs (a lot of it is NGINX logs from health checks) ignoreRegEx = re.compile( r""" 
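Review bot: The added `--opensearch-ssl-verify %(ENV_OPENSEARCH_SSL_CERTIFICATE_VERIFICATION)s` is the only argument in this command that is not quoted; if the variable is empty the option is left without a value and the following `--opensearch-wait` can be consumed as its argument. Quote it like its neighbours: `--opensearch-ssl-verify "%(ENV_OPENSEARCH_SSL_CERTIFICATE_VERIFICATION)s"`. The `command=` entry this belongs to starts outside the hunk.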
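Review bot: The middle group of `urlUserPassRegEx`, `[^/]+?`, is lazy, so for a password containing `@` only the part before its first `@` is replaced by the `.sub` in hunk `@@ -352,7 +355,7 @@`, and a password containing `/` is not masked at all. Making the password group greedy, `urlUserPassRegEx = re.compile(r'(\w+://[^/]+?:)[^/]+(@[^/]+)')`, masks through the last `@` before the path while still refusing to cross a `/`; the `/` limitation is inherent to this shape and deserves a comment above the definition, e.g. `# best-effort: mask user:password@ in URLs; passwords containing '/' are not covered`. `logs()` starts outside the hunk.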
@@ -352,7 +355,7 @@ def logs(): if (len(output) == 0) and (process.poll() is not None): break if output: - outputStr = output.decode().strip() + outputStr = urlUserPassRegEx.sub(r"\1xxxxxxxx\2", output.decode().strip()) outputStrEscaped = EscapeAnsi(outputStr) if ignoreRegEx.match(outputStrEscaped): pass ### print(f'!!!!!!!: {outputStr}') @@ -442,23 +445,6 @@ def stop(wipe=False): osEnv = os.environ.copy() osEnv['TMPDIR'] = MalcolmTmpPath - if wipe: - # attempt to DELETE _index_template/malcolm_template in OpenSearch - err, out = run_process( - [ - dockerComposeBin, - '-f', - args.composeFile, - 'exec', - 'arkime', - 'bash', - '-c', - 'curl -fs --output /dev/null -H"Content-Type: application/json" -XDELETE "http://$OS_HOST:$OS_PORT/_index_template/malcolm_template"', - ], - env=osEnv, - debug=args.debug, - ) - # if stop.sh is being called with wipe.sh (after the docker-compose file) # then also remove named and anonymous volumes (not external volumes, of course) err, out = run_process( 
@@ -523,18 +509,16 @@ def start(): 'Malcolm administrator account authentication files are missing, please run ./scripts/auth_setup to generate them' ) - # touch the metadata file + # touch the htadmin metadata file and .opensearch.*.curlrc files open(os.path.join(MalcolmPath, os.path.join('htadmin', 'metadata')), 'a').close() + open(os.path.join(MalcolmPath, '.opensearch.primary.curlrc'), 'a').close() + open(os.path.join(MalcolmPath, '.opensearch.secondary.curlrc'), 'a').close() - # if the OpenSearch and Logstash keystore don't exist exist, create empty ones + # if the OpenSearch keystore doesn't exist exist, create empty ones if not os.path.isfile(os.path.join(MalcolmPath, os.path.join('opensearch', 'opensearch.keystore'))): keystore_op('opensearch', True, 'create') - if not os.path.isfile( - os.path.join(MalcolmPath, os.path.join('logstash', os.path.join('certs', 'logstash.keystore'))) - ): - keystore_op('logstash', True, 'create') - # make sure permissions are set correctly for the nginx worker processes + # make sure permissions are set correctly for the worker processes for authFile in [ os.path.join(MalcolmPath, os.path.join('nginx', 'htpasswd')), os.path.join(MalcolmPath, os.path.join('htadmin', 'config.ini')), @@ -542,7 +526,11 @@ def start(): ]: # chmod 644 authFile os.chmod(authFile, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) - for authFile in [os.path.join(MalcolmPath, os.path.join('nginx', 'nginx_ldap.conf'))]: + for authFile in [ + os.path.join(MalcolmPath, os.path.join('nginx', 'nginx_ldap.conf')), + os.path.join(MalcolmPath, '.opensearch.primary.curlrc'), + os.path.join(MalcolmPath, '.opensearch.secondary.curlrc'), + ]: # chmod 600 authFile os.chmod(authFile, stat.S_IRUSR | stat.S_IWUSR) 
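Review bot: The rewritten comment `# if the OpenSearch keystore doesn't exist exist, create empty ones` still doubles "exist" and speaks of several keystores now that only one is created; `# if the OpenSearch keystore doesn't exist, create an empty one` matches the code. The two `.opensearch.*.curlrc` files are created with `open(..., 'a').close()` under the process umask and only tightened to 0600 in hunk `@@ -542,7 +526,11 @@`; they are empty at that point so the window is harmless, but creating them with `os.close(os.open(path, os.O_CREAT | os.O_WRONLY, 0o600))` would make the mode independent of the later chmod. `start()` starts outside the hunk.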
@@ -614,7 +602,11 @@ def authSetup(wipe=False): password = None passwordConfirm = None passwordEncrypted = '' - username = AskForString("Administrator username") + + while True: + username = AskForString("Administrator username") + if len(username) > 0: + break while True: password = AskForPassword(f"{username} password: ") 
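Review bot: The new loop only rejects an empty administrator username, whereas the OpenSearch prompt added later in this file (hunk `@@ -960,49 +952,66 @@`) also rejects `:` because the value ends up in a `user:password` record. If this username is written into an htpasswd-style `user:hash` line — the code that consumes it is outside the hunk — the same check belongs here: `if (len(username) > 0) and (':' not in username): break`. Either way, a short `eprint` explaining why the prompt repeats would help the user, as the OpenSearch loop does.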
@@ -960,49 +952,66 @@ def authSetup(wipe=False): for oldfile in glob.glob(pat): os.remove(oldfile) - # create and populate keystore for remote - if YesOrNo( - 'Store username/password for forwarding Logstash events to a secondary, external OpenSearch instance', - default=False, - ): + # create and populate connection parameters file for remote OpenSearch instance(s) + for instance in ['primary', 'secondary']: + openSearchCredFileName = os.path.join(MalcolmPath, f'.opensearch.{instance}.curlrc') + if YesOrNo( + f'Store username/password for {instance} remote OpenSearch instance?', + default=False, + ): + prevCurlContents = ParseCurlFile(openSearchCredFileName) - # prompt username and password - esPassword = None - esPasswordConfirm = None - esUsername = AskForString("External OpenSearch username") + # prompt host, username and password + esUsername = None + esPassword = None + esPasswordConfirm = None - while True: - esPassword = AskForPassword(f"{esUsername} password: ") - esPasswordConfirm = AskForPassword(f"{esUsername} password (again): ") - if esPassword == esPasswordConfirm: - break - eprint("Passwords do not match") + while True: + esUsername = AskForString( + "OpenSearch username", + default=prevCurlContents['user'], + ) + if (len(esUsername) > 0) and (':' not in esUsername): + break + eprint("Username is blank (or contains a colon, which is not allowed)") + + while True: + esPassword = AskForPassword(f"{esUsername} password: ") + if ( + (len(esPassword) == 0) + and (prevCurlContents['password'] is not None) + and YesOrNo(f'Use previously entered password for "{esUsername}"?', default=True) + ): + esPassword = prevCurlContents['password'] + esPasswordConfirm = esPassword + else: + esPasswordConfirm = AskForPassword(f"{esUsername} password (again): ") + if (esPassword == esPasswordConfirm) and (len(esPassword) > 0): + break + eprint("Passwords do not match") + + esSslVerify = YesOrNo( + f'Require SSL certificate validation for OpenSearch communication?', + 
default=(not (('k' in prevCurlContents) or ('insecure' in prevCurlContents))), + ) + + with open(openSearchCredFileName, 'w') as f: + f.write(f'user: "{EscapeForCurl(esUsername)}:{EscapeForCurl(esPassword)}"\n') + if not esSslVerify: + f.write('insecure\n') - # create logstash keystore file, don't complain if it already exists, and set the keystore items - keystore_op('logstash', False, 'create', stdin='N') - keystore_op('logstash', False, 'remove', 'OS_EXTERNAL_USER', '--force') - keystore_op('logstash', False, 'add', 'OS_EXTERNAL_USER', '--stdin', '--force', stdin=esUsername) - keystore_op('logstash', False, 'remove', 'OS_EXTERNAL_PASSWORD', '--force') - keystore_op('logstash', False, 'add', 'OS_EXTERNAL_PASSWORD', '--stdin', '--force', stdin=esPassword) - success, results = keystore_op('logstash', False, 'list') - results = [ - x.upper() - for x in results - if x - and (not x.upper().startswith('WARNING')) - and (not x.upper().startswith('KEYSTORE')) - and (not x.upper().startswith('USING BUNDLED JDK')) - ] - if success and ('OS_EXTERNAL_USER' in results) and ('OS_EXTERNAL_PASSWORD' in results): - eprint(f"External OpenSearch instance variables stored: {', '.join(results)}") else: - eprint("Failed to store external OpenSearch instance variables:\n") - eprint("\n".join(results)) + try: + os.remove(openSearchCredFileName) + except: + pass + open(openSearchCredFileName, 'a').close() + os.chmod(openSearchCredFileName, stat.S_IRUSR | stat.S_IWUSR) # OpenSearch authenticate sender account credentials # https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors/#authenticate-sender-account if YesOrNo( - 'Store username/password for email alert sender account (see https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors/#authenticate-sender-account)', + 'Store username/password for email alert sender account? (see https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors/#authenticate-sender-account)', default=False, ): 
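Review bot: `with open(openSearchCredFileName, 'w') as f:` writes the plaintext `user:password` line before the `os.chmod(openSearchCredFileName, stat.S_IRUSR | stat.S_IWUSR)` at the end of the loop body runs (indentation is lost in this view, so that placement is inferred), so a file that does not yet exist is created under the process umask and is readable by other local users until the chmod. Opening it through a descriptor created with an explicit mode closes that window: `with open(os.open(openSearchCredFileName, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w') as f:`. Two smaller points: the bare `except:` around `os.remove` should be `except OSError:` to match the `except Exception:` clean-ups this commit makes in malcolm_common.py, and `f'Require SSL certificate validation for OpenSearch communication?'` is an f-string with no placeholders. `authSetup` starts and ends outside the hunk.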
@@ -1010,7 +1019,10 @@ def authSetup(wipe=False): emailPassword = None emailPasswordConfirm = None emailSender = AskForString("OpenSearch alerting email sender name") - emailUsername = AskForString("Email account username") + while True: + emailUsername = AskForString("Email account username") + if len(emailUsername) > 0: + break while True: emailPassword = AskForPassword(f"{emailUsername} password: ") diff --git a/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh b/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh index 7d3e11026..89f6bb369 100755 --- a/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh +++ b/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh @@ -316,7 +316,7 @@ function InstallCommonPackages { fi # wireshark - WIRESHARK_VERSION=3.6.2 + WIRESHARK_VERSION=3.6.7 curl -sSL -O -J "https://2.na.dl.wireshark.org/src/wireshark-${WIRESHARK_VERSION}.tar.xz" tar xvf wireshark-"${WIRESHARK_VERSION}".tar.xz pushd wireshark-"${WIRESHARK_VERSION}" >/dev/null 2>&1 diff --git a/scripts/demo/reset_and_auto_populate.sh b/scripts/demo/reset_and_auto_populate.sh index bf8866c98..3dadf829c 100755 --- a/scripts/demo/reset_and_auto_populate.sh +++ b/scripts/demo/reset_and_auto_populate.sh @@ -218,7 +218,7 @@ if [[ -f "$MALCOLM_DOCKER_COMPOSE" ]] && \ # wipe and/or restart the database as requested if [[ "$WIPE" == "true" ]]; then - ./scripts/wipe $VERBOSE_FLAG -f "$MALCOLM_FILE" + ./scripts/wipe $VERBOSE_FLAG -f "$MALCOLM_FILE" || true ./scripts/start $VERBOSE_FLAG -f "$MALCOLM_FILE" >/dev/null 2>&1 & START_PID=$! elif [[ "$RESTART" == "true" ]]; then diff --git a/scripts/install.py b/scripts/install.py index 2dc5d1979..e7f480efa 100755 --- a/scripts/install.py +++ b/scripts/install.py 
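Review bot: `./scripts/wipe $VERBOSE_FLAG -f "$MALCOLM_FILE" || true` now ignores any failure of the wipe and goes straight on to `./scripts/start`, so a reset that did not actually wipe the data proceeds silently. If the intent is to tolerate wipe exiting non-zero when nothing is running, say so in a comment on the line above, e.g. `# wipe exits non-zero when Malcolm is not running; that is expected here`; otherwise check for the specific failure instead of masking all of them. The enclosing `if` starts outside the hunk.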
@@ -135,6 +135,26 @@ def InstallerChooseMultiple( ) +################################################################################################### +# display a message to the user without feedback +def InstallerDisplayMessage( + message, + forceInteraction=False, + defaultBehavior=UserInputDefaultsBehavior.DefaultsPrompt | UserInputDefaultsBehavior.DefaultsAccept, + uiMode=UserInterfaceMode.InteractionInput | UserInterfaceMode.InteractionDialog, +): + global args + defBehavior = defaultBehavior + if args.acceptDefaultsNonInteractive and not forceInteraction: + defBehavior = defBehavior + UserInputDefaultsBehavior.DefaultsNonInteractive + + return DisplayMessage( + message, + defaultBehavior=defBehavior, + uiMode=uiMode, + ) + + def TrueOrFalseQuote(expression): return "'{}'".format('true' if expression else 'false') 
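Review bot: `defBehavior = defBehavior + UserInputDefaultsBehavior.DefaultsNonInteractive` combines flag values arithmetically; with the default argument this equals an OR, but if a caller passes a `defaultBehavior` that already contains `DefaultsNonInteractive` the addition carries into a different bit (assuming `UserInputDefaultsBehavior` is an `IntFlag` like `UserInterfaceMode` elsewhere in this diff). Use the flag operator instead: `defBehavior = defBehavior | UserInputDefaultsBehavior.DefaultsNonInteractive`. A short docstring stating that `forceInteraction=True` bypasses `args.acceptDefaultsNonInteractive` would also make the `global args` dependency visible to callers.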
@@ -389,6 +409,48 @@ def tweak_malcolm_runtime( else: lsWorkers = 3 + opensearchPrimaryRemote = False + opensearchPrimaryUrl = 'http://opensearch:9200' + opensearchPrimarySslVerify = False + opensearchSecondaryRemote = False + opensearchSecondaryUrl = '' + opensearchSecondarySslVerify = False + + opensearchPrimaryRemote = not InstallerYesOrNo( + 'Should Malcolm use and maintain its own OpenSearch instance?', + default=True, + ) + if opensearchPrimaryRemote: + opensearchPrimaryUrl = '' + while len(opensearchPrimaryUrl) <= 1: + opensearchPrimaryUrl = InstallerAskForString( + 'Enter primary remote OpenSearch connection URL (e.g., https://192.168.1.123:9200)', + ) + opensearchPrimarySslVerify = opensearchPrimaryUrl.lower().startswith('https') and InstallerYesOrNo( + 'Require SSL certificate validation for communication with primary OpenSearch instance?', + default=False, + ) + + opensearchSecondaryRemote = InstallerYesOrNo( + 'Forward Logstash logs to a secondary remote OpenSearch instance?', + default=False, + ) + if opensearchSecondaryRemote: + opensearchSecondaryUrl = '' + while len(opensearchSecondaryUrl) <= 1: + opensearchSecondaryUrl = InstallerAskForString( + 'Enter secondary remote OpenSearch connection URL (e.g., https://192.168.1.123:9200)', + ) + opensearchSecondarySslVerify = opensearchSecondaryUrl.lower().startswith('https') and InstallerYesOrNo( + 'Require SSL certificate validation for communication with secondary OpenSearch instance?', + default=False, + ) + + if opensearchPrimaryRemote or opensearchSecondaryRemote: + InstallerDisplayMessage( + f'You must run auth_setup after {ScriptName} to store OpenSearch connection credentials.', + ) + while not InstallerYesOrNo( f'Setting {osMemory} for OpenSearch and {lsMemory} for Logstash. Is this OK?', default=True ): 
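Review bot: Both `Require SSL certificate validation ...` prompts default to `False`, so a user who accepts defaults ends up talking to a remote OpenSearch over HTTPS without checking the server certificate; defaulting to `True` makes disabling verification an explicit choice. The URL loops only require `len(...) > 1`, so a value without a scheme or with trailing whitespace is accepted and the `startswith('https')` test then silently skips the verification prompt; stripping the input and checking `urlparse(...).scheme in ('http', 'https')` before accepting it would catch that (the installer's imports are outside this hunk, so confirm `urlparse` is available). The primary and secondary prompt blocks are identical apart from wording and could be one helper taking the instance name. `tweak_malcolm_runtime` starts and ends outside the hunk.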
@@ -482,31 +544,34 @@ def tweak_malcolm_runtime( # snapshot repository directory and compression indexSnapshotDir = './opensearch-backup' - if not InstallerYesOrNo( - 'Store OpenSearch index snapshots locally in {}?'.format( - os.path.join(malcolm_install_path, 'opensearch-backup') - ), - default=True, - ): - while True: - indexSnapshotDir = InstallerAskForString('Enter OpenSearch index snapshot directory') - if (len(indexSnapshotDir) > 1) and os.path.isdir(indexSnapshotDir): - indexSnapshotDir = os.path.realpath(indexSnapshotDir) - break - indexSnapshotCompressed = InstallerYesOrNo('Compress OpenSearch index snapshots?', default=False) + indexSnapshotCompressed = False + if not opensearchPrimaryRemote: + if not InstallerYesOrNo( + 'Store OpenSearch index snapshots locally in {}?'.format( + os.path.join(malcolm_install_path, 'opensearch-backup') + ), + default=True, + ): + while True: + indexSnapshotDir = InstallerAskForString('Enter OpenSearch index snapshot directory') + if (len(indexSnapshotDir) > 1) and os.path.isdir(indexSnapshotDir): + indexSnapshotDir = os.path.realpath(indexSnapshotDir) + break + indexSnapshotCompressed = InstallerYesOrNo('Compress OpenSearch index snapshots?', default=False) # delete oldest indexes based on index pattern size indexPruneSizeLimit = '0' indexPruneNameSort = False - if InstallerYesOrNo('Delete the oldest indices when the database exceeds a certain size?', default=False): - indexPruneSizeLimit = '' - while (not re.match(r'^\d+(\.\d+)?\s*[kmgtp%]?b?$', indexPruneSizeLimit, flags=re.IGNORECASE)) and ( - indexPruneSizeLimit != '0' - ): - indexPruneSizeLimit = InstallerAskForString('Enter index threshold (e.g., 250GB, 1TB, 60%, etc.)') - indexPruneNameSort = InstallerYesOrNo( - 'Determine oldest indices by name (instead of creation time)?', default=True - ) + if not opensearchPrimaryRemote: + if InstallerYesOrNo('Delete the oldest indices when the database exceeds a certain size?', default=False): + indexPruneSizeLimit = '' + 
while (not re.match(r'^\d+(\.\d+)?\s*[kmgtp%]?b?$', indexPruneSizeLimit, flags=re.IGNORECASE)) and ( + indexPruneSizeLimit != '0' + ): + indexPruneSizeLimit = InstallerAskForString('Enter index threshold (e.g., 250GB, 1TB, 60%, etc.)') + indexPruneNameSort = InstallerYesOrNo( + 'Determine oldest indices by name (instead of creation time)?', default=True + ) autoSuricata = InstallerYesOrNo('Automatically analyze all PCAP files with Suricata?', default=True) suricataRuleUpdate = autoSuricata and InstallerYesOrNo( 
@@ -518,28 +583,45 @@ def tweak_malcolm_runtime( ) autoOui = InstallerYesOrNo('Perform hardware vendor OUI lookups for MAC addresses?', default=True) autoFreq = InstallerYesOrNo('Perform string randomness scoring on some fields?', default=True) - opensearchOpen = InstallerYesOrNo( + opensearchOpen = (not opensearchPrimaryRemote) and InstallerYesOrNo( 'Expose OpenSearch port to external hosts?', default=expose_opensearch_default ) logstashOpen = InstallerYesOrNo('Expose Logstash port to external hosts?', default=expose_logstash_default) - logstashSsl = logstashOpen and InstallerYesOrNo( - 'Should Logstash require SSL for forwarded logs? (Note: This requires the forwarder to be similarly configured and a corresponding copy of the client SSL files.)', - default=True, - ) - externalEsForward = InstallerYesOrNo('Forward Logstash logs to external OpenSearch instance?', default=False) - if externalEsForward: - externalEsHost = InstallerAskForString('Enter external OpenSearch host:port (e.g., 10.0.0.123:9200)') - externalEsSsl = InstallerYesOrNo(f'Connect to "{externalEsHost}" using SSL?', default=True) - externalEsSslVerify = externalEsSsl and InstallerYesOrNo( - f'Require SSL certificate validation for communication with "{externalEsHost}"?', default=False - ) - else: - externalEsHost = "" - externalEsSsl = False - externalEsSslVerify = False filebeatTcpOpen = InstallerYesOrNo( 'Expose Filebeat TCP port to external hosts?', default=expose_filebeat_default ) + filebeatTcpSourceField = '' + filebeatTcpTargetField = '' + filebeatTcpDropField = '' + filebeatTcpTag = '_malcolm_beats' + if filebeatTcpOpen: + allowedFilebeatTcpFormats = ('json', 'raw') + filebeatTcpFormat = 'unset' + while filebeatTcpFormat not in allowedFilebeatTcpFormats: + filebeatTcpFormat = InstallerChooseOne( + 'Select log format for messages sent to Filebeat TCP listener', + choices=[(x, '', x == allowedFilebeatTcpFormats[0]) for x in allowedFilebeatTcpFormats], + ) + if filebeatTcpFormat == 'json': + 
filebeatTcpSourceField = InstallerAskForString( + 'Source field to parse for messages sent to Filebeat TCP listener', + default="message", + ) + filebeatTcpTargetField = InstallerAskForString( + 'Target field under which to store decoded JSON fields for messages sent to Filebeat TCP listener', + default="miscbeat", + ) + filebeatTcpDropField = InstallerAskForString( + f'Field to drop from events sent to Filebeat TCP listener', + default=filebeatTcpSourceField, + ) + filebeatTcpTag = InstallerAskForString( + f'Tag to apply to messages sent to Filebeat TCP listener', + default=filebeatTcpTag, + ) + else: + filebeatTcpFormat = 'raw' + sftpOpen = InstallerYesOrNo( 'Expose SFTP server (for PCAP upload) to external hosts?', default=expose_sftp_default ) 
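Review bot: `filebeatTcpSourceField`, `filebeatTcpTargetField`, `filebeatTcpDropField` and `filebeatTcpTag` are accepted as typed and later written into the compose file inside single quotes (hunk `@@ -834,11 +916,85 @@`, e.g. `fr"\g<1>'{filebeatTcpSourceField}'"`), so a value containing `'`, whitespace or a newline yields an unparsable or different YAML value; reject such input in the prompt loop, for instance with the `contains_whitespace` helper this commit adds to malcolm_common.py plus a check for `'`. `f'Field to drop from events sent to Filebeat TCP listener'` and `f'Tag to apply to messages sent to Filebeat TCP listener'` are f-strings with no placeholders and should be plain strings. `tweak_malcolm_runtime` starts and ends outside the hunk.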
@@ -834,11 +916,85 @@ def tweak_malcolm_runtime( # freq.py string randomness calculations line = re.sub(r'(FREQ_LOOKUP\s*:\s*)(\S+)', fr"\g<1>{TrueOrFalseQuote(autoFreq)}", line) - elif 'BEATS_SSL' in line: - # enable/disable beats SSL + elif 'FILEBEAT_TCP_LISTEN' in line: + # expose a filebeat TCP input listener + line = re.sub( + r'(FILEBEAT_TCP_LISTEN\s*:\s*)(\S+)', + fr"\g<1>{TrueOrFalseQuote(filebeatTcpOpen)}", + line, + ) + + elif 'FILEBEAT_TCP_LOG_FORMAT' in line: + # log format expected for events sent to the filebeat TCP input listener + line = re.sub( + r'(FILEBEAT_TCP_LOG_FORMAT\s*:\s*)(\S+)', fr"\g<1>'{filebeatTcpFormat}'", line + ) + + elif 'FILEBEAT_TCP_PARSE_SOURCE_FIELD' in line: + # source field name to parse for events sent to the filebeat TCP input listener + line = re.sub( + r'(FILEBEAT_TCP_PARSE_SOURCE_FIELD\s*:\s*)(\S+)', + fr"\g<1>'{filebeatTcpSourceField}'", + line, + ) + + elif 'FILEBEAT_TCP_PARSE_TARGET_FIELD' in line: + # target field name to store decoded JSON fields for events sent to the filebeat TCP input listener + line = re.sub( + r'(FILEBEAT_TCP_PARSE_TARGET_FIELD\s*:\s*)(\S+)', + fr"\g<1>'{filebeatTcpTargetField}'", + line, + ) + + elif 'FILEBEAT_TCP_PARSE_DROP_FIELD' in line: + # field to drop in events sent to the filebeat TCP input listener + line = re.sub( + r'(FILEBEAT_TCP_PARSE_DROP_FIELD\s*:\s*)(\S+)', fr"\g<1>'{filebeatTcpDropField}'", line + ) + + elif 'FILEBEAT_TCP_TAG' in line: + # tag to append to events sent to the filebeat TCP input listener + line = re.sub(r'(FILEBEAT_TCP_TAG\s*:\s*)(\S+)', fr"\g<1>'{filebeatTcpTag}'", line) + + elif 'OPENSEARCH_LOCAL' in line: + # OpenSearch primary instance is local vs. 
remote + line = re.sub( + r'(OPENSEARCH_LOCAL\s*:\s*)(\S+)', + fr"\g<1>{TrueOrFalseQuote(not opensearchPrimaryRemote)}", + line, + ) + + elif 'OPENSEARCH_URL' in line: + # OpenSearch primary instance URL + line = re.sub(r'(OPENSEARCH_URL\s*:\s*)(\S+)', fr"\g<1>'{opensearchPrimaryUrl}'", line) + + elif 'OPENSEARCH_SSL_CERTIFICATE_VERIFICATION' in line: + # OpenSearch primary instance needs SSL verification + line = re.sub( + r'(OPENSEARCH_SSL_CERTIFICATE_VERIFICATION\s*:\s*)(\S+)', + fr"\g<1>{TrueOrFalseQuote(opensearchPrimarySslVerify)}", + line, + ) + + elif 'OPENSEARCH_SECONDARY_URL' in line: + # OpenSearch secondary instance URL + line = re.sub( + r'(OPENSEARCH_SECONDARY_URL\s*:\s*)(\S+)', fr"\g<1>'{opensearchSecondaryUrl}'", line + ) + + elif 'OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION' in line: + # OpenSearch secondary instance needs SSL verification + line = re.sub( + r'(OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION\s*:\s*)(\S+)', + fr"\g<1>{TrueOrFalseQuote(opensearchSecondarySslVerify)}", + line, + ) + + elif 'OPENSEARCH_SECONDARY' in line: + # OpenSearch secondary remote instance is enabled line = re.sub( - r'(BEATS_SSL\s*:\s*)(\S+)', - fr"\g<1>{TrueOrFalseQuote(logstashOpen and logstashSsl)}", + r'(OPENSEARCH_SECONDARY\s*:\s*)(\S+)', + fr"\g<1>{TrueOrFalseQuote(opensearchSecondaryRemote)}", line, ) 
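Review bot: The `BEATS_SSL` branch is replaced rather than kept, and the matching `logstashSsl` prompt was dropped in hunk `@@ -518,28 +583,45 @@`, so the installer no longer records whether Logstash requires TLS for forwarded logs; if the compose template still carries a `BEATS_SSL` line (not visible here) it now keeps the template's value regardless of what the user chooses, which is worth confirming or stating in the commit message. The `elif 'OPENSEARCH_SECONDARY' in line:` branch is a substring test that would also match the `OPENSEARCH_SECONDARY_URL` and `OPENSEARCH_SECONDARY_SSL_CERTIFICATE_VERIFICATION` lines, so its position after those two branches is load-bearing; add `# keep after the more specific OPENSEARCH_SECONDARY_* branches: substring match` above it. `tweak_malcolm_runtime` starts and ends outside the hunk.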
@@ -866,26 +1022,6 @@ def tweak_malcolm_runtime( line, ) - elif 'OS_EXTERNAL_HOSTS' in line: - # enable/disable forwarding Logstash to external OpenSearch instance - line = re.sub(r'(#\s*)?(OS_EXTERNAL_HOSTS\s*:\s*)(\S+)', fr"\g<2>'{externalEsHost}'", line) - - elif 'OS_EXTERNAL_SSL_CERTIFICATE_VERIFICATION' in line: - # enable/disable SSL certificate verification for external OpenSearch instance - line = re.sub( - r'(#\s*)?(OS_EXTERNAL_SSL_CERTIFICATE_VERIFICATION\s*:\s*)(\S+)', - fr"\g<2>{TrueOrFalseQuote(externalEsSsl and externalEsSslVerify)}", - line, - ) - - elif 'OS_EXTERNAL_SSL' in line: - # enable/disable SSL certificate verification for external OpenSearch instance - line = re.sub( - r'(#\s*)?(OS_EXTERNAL_SSL\s*:\s*)(\S+)', - fr"\g<2>{TrueOrFalseQuote(externalEsSsl)}", - line, - ) - elif (currentSection == 'services') and (not serviceStartLine) and (currentService is not None): # down in the individual services sections of the compose file @@ -1032,9 +1168,11 @@ def tweak_malcolm_runtime( if not sectionStartLine: if not networkWritten: print(f"{sectionIndents[currentSection]}default:") + print( + f"{sectionIndents[currentSection] * 2}external: {'true' if (len(dockerNetworkExternalName) > 0) else 'false'}" + ) if len(dockerNetworkExternalName) > 0: - print(f"{sectionIndents[currentSection] * 2}external:") - print(f"{sectionIndents[currentSection] * 3}name: {dockerNetworkExternalName}") + print(f"{sectionIndents[currentSection] * 2}name: {dockerNetworkExternalName}") networkWritten = True # we already re-wrote the network stuff, anything else is superfluous skipLine = True diff --git a/scripts/malcolm_appliance_packager.sh b/scripts/malcolm_appliance_packager.sh index c6e8e6c67..adb968b9f 100755 --- a/scripts/malcolm_appliance_packager.sh +++ b/scripts/malcolm_appliance_packager.sh 
@@ -96,6 +96,8 @@ if mkdir "$DESTDIR"; then cp $VERBOSE ./logstash/certs/*.conf "$DESTDIR/logstash/certs/" cp $VERBOSE ./logstash/maps/malcolm_severity.yaml "$DESTDIR/logstash/maps/" pushd "$DESTDIR" >/dev/null 2>&1 + touch ./.opensearch.primary.curlrc ./.opensearch.secondary.curlrc + chmod 600 ./.opensearch.primary.curlrc ./.opensearch.secondary.curlrc pushd "./scripts" >/dev/null 2>&1 ln -s ./control.py auth_setup ln -s ./control.py logs diff --git a/scripts/malcolm_common.py b/scripts/malcolm_common.py index 35ffd6e80..14ce0d779 100644 --- a/scripts/malcolm_common.py +++ b/scripts/malcolm_common.py @@ -10,6 +10,7 @@ import os import platform import re +import string import sys import time @@ -73,6 +74,7 @@ class UserInterfaceMode(IntFlag): DOCKER_COMPOSE_INSTALL_URLS = defaultdict(lambda: 'https://docs.docker.com/compose/install/') HOMEBREW_INSTALL_URLS = defaultdict(lambda: 'https://brew.sh/') + ################################################################################################### # chdir to directory as context manager, returning automatically @contextlib.contextmanager 
@@ -97,12 +99,93 @@ def EscapeAnsi(line): return ansiEscape.sub('', line) +################################################################################################### +def EscapeForCurl(s): + return s.translate( + str.maketrans( + { + '"': r'\"', + "\\": r"\\", + "\t": r"\t", + "\n": r"\n", + "\r": r"\r", + "\v": r"\v", + } + ) + ) + + +################################################################################################### +def custom_make_translation(text, translation): + regex = re.compile('|'.join(map(re.escape, translation))) + return regex.sub(lambda match: translation[match.group(0)], text) + + +################################################################################################## +def UnescapeForCurl(s): + return custom_make_translation( + s, + { + r'\"': '"', + r"\t": "\t", + r"\n": "\n", + r"\r": "\r", + r"\v": "\v", + r"\\": "\\", + }, + ) + + +################################################################################################### +# parse a curl-formatted config file, with special handling for user:password and URL +# see https://everything.curl.dev/cmdline/configfile +# e.g.: +# +# given .opensearch.primary.curlrc containing: +# - +# user: "sikari:changethis" +# insecure +# - +# +# ParseCurlFile('.opensearch.primary.curlrc') returns: +# { +# 'user': 'sikari', +# 'password': 'changethis', +# 'insecure': '' +# } +def ParseCurlFile(curlCfgFileName): + result = defaultdict(lambda: None) + if os.path.isfile(curlCfgFileName): + itemRegEx = re.compile(r'^([^\s:=]+)((\s*[:=]?\s*)(.*))?$') + with open(curlCfgFileName, 'r') as f: + allLines = [x.strip().lstrip('-') for x in f.readlines() if not x.startswith('#')] + for line in allLines: + found = itemRegEx.match(line) + if found is not None: + key = found.group(1) + value = UnescapeForCurl(found.group(4).lstrip('"').rstrip('"')) + if (key == 'user') and (':' in value): + splitVal = value.split(':', 1) + result[key] = splitVal[0] + if len(splitVal) > 1: + 
result['password'] = splitVal[1] + else: + result[key] = value + + return result + + +################################################################################################### +def contains_whitespace(s): + return True in [c in s for c in string.whitespace] + + ################################################################################################### # attempt to clear the screen def ClearScreen(): try: os.system("clear" if platform.system() != PLATFORM_WINDOWS else "cls") - except Exception as e: + except Exception: pass @@ -148,7 +231,7 @@ def YesOrNo( try: str2bool(reply) break - except ValueError as e: + except ValueError: pass elif (defaultBehavior & UserInputDefaultsBehavior.DefaultsAccept) and (default is not None): break @@ -159,12 +242,12 @@ def YesOrNo( if (len(reply) == 0) and (defaultBehavior & UserInputDefaultsBehavior.DefaultsAccept): reply = "y" if (default is not None) and str2bool(default) else "n" - if clearScreen == True: + if clearScreen is True: ClearScreen() try: return str2bool(reply) - except ValueError as e: + except ValueError: return YesOrNo( question, default=default, @@ -214,7 +297,7 @@ def AskForString( else: raise RuntimeError("No user interfaces available") - if clearScreen == True: + if clearScreen is True: ClearScreen() return reply @@ -239,7 +322,7 @@ def AskForPassword( else: raise RuntimeError("No user interfaces available") - if clearScreen == True: + if clearScreen is True: ClearScreen() return reply @@ -260,7 +343,7 @@ def ChooseOne( ): validChoices = [x for x in choices if len(x) == 3 and isinstance(x[0], str) and isinstance(x[2], bool)] - defaulted = next(iter([x for x in validChoices if x[2] == True]), None) + defaulted = next(iter([x for x in validChoices if x[2] is True]), None) if (defaultBehavior & UserInputDefaultsBehavior.DefaultsAccept) and ( defaultBehavior & UserInputDefaultsBehavior.DefaultsNonInteractive 
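Review bot: `ParseCurlFile` hands back the password in clear text and its header comment does not say that callers own the file's permissions; add a line such as `# the file holds plaintext credentials; callers are expected to keep it mode 0600 (see auth_setup)`. The comment filter `if not x.startswith('#')` runs before `strip()`, so an indented `# comment` line is parsed as a key named `#`; test the stripped line instead. `contains_whitespace` can be `return any(c in s for c in string.whitespace)`, which stops at the first hit, and `EscapeForCurl`/`UnescapeForCurl` would benefit from a one-line comment noting they implement the quoting rules of the curl config-file syntax linked below them.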
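Review bot: `if clearScreen is True:` (here and in hunks `@@ -214,7 +297,7 @@`, `@@ -239,7 +322,7 @@`, `@@ -302,7 +385,7 @@`, `@@ -373,7 +456,41 @@`) is stricter than the `== True` it replaces: a caller passing a truthy non-bool such as `1` no longer clears the screen. The idiomatic form that keeps the old truthiness is `if clearScreen:`. The `x[2] is True` comparisons in `ChooseOne` and `ChooseMultiple` are fine as written, since `validChoices` already enforces `isinstance(x[2], bool)`.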
@@ -302,7 +385,7 @@ def ChooseOne( else: raise RuntimeError("No user interfaces available") - if clearScreen == True: + if clearScreen is True: ClearScreen() return reply @@ -322,7 +405,7 @@ def ChooseMultiple( ): validChoices = [x for x in choices if len(x) == 3 and isinstance(x[0], str) and isinstance(x[2], bool)] - defaulted = [x[0] for x in validChoices if x[2] == True] + defaulted = [x[0] for x in validChoices if x[2] is True] if (defaultBehavior & UserInputDefaultsBehavior.DefaultsAccept) and ( defaultBehavior & UserInputDefaultsBehavior.DefaultsNonInteractive @@ -340,7 +423,7 @@ def ChooseMultiple( elif uiMode & UserInterfaceMode.InteractionInput: allowedChars = set(string.digits + ',' + ' ') defaultValListStr = ",".join(defaulted) - print(f"0: NONE") + print("0: NONE") index = 0 for choice in validChoices: index = index + 1 @@ -373,7 +456,41 @@ def ChooseMultiple( else: raise RuntimeError("No user interfaces available") - if clearScreen == True: + if clearScreen is True: + ClearScreen() + + return reply + + +################################################################################################### +# display a message to the user without feedback +def DisplayMessage( + message, + defaultBehavior=UserInputDefaultsBehavior.DefaultsPrompt, + uiMode=UserInterfaceMode.InteractionDialog | UserInterfaceMode.InteractionInput, + clearScreen=False, +): + reply = False + + if (defaultBehavior & UserInputDefaultsBehavior.DefaultsAccept) and ( + defaultBehavior & UserInputDefaultsBehavior.DefaultsNonInteractive + ): + reply = True + + elif (uiMode & UserInterfaceMode.InteractionDialog) and (MainDialog is not None): + code = MainDialog.msgbox( + message, + ) + if (code == Dialog.CANCEL) or (code == Dialog.ESC): + raise RuntimeError("Operation cancelled") + else: + reply = True + + else: + print(f"\n{message}") + reply = True + + if clearScreen is True: ClearScreen() return reply 
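Review bot: DisplayMessage's closing `else:` prints the message whenever the dialog branch is not taken, so a caller passing a uiMode that has neither InteractionDialog nor InteractionInput falls through to stdout instead of failing, whereas every sibling prompt visible in these hunks (ChooseMultiple's tail in this hunk, AskForString, AskForPassword and ChooseOne above) ends with `else: raise RuntimeError("No user interfaces available")`. Keeping that contract uniform means gating the print on the input mode and retaining the raise as the fallback: `elif uiMode & UserInterfaceMode.InteractionInput:` / `print(f"\n{message}")` / `else: raise RuntimeError("No user interfaces available")`. With that change the `reply = False` initialisation is dead, since every surviving path either sets it True or raises, so the function could end with a plain `return True` after the optional ClearScreen; that last part is only a style point.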
@@ -419,7 +536,7 @@ def SizeHumanFormat(num, suffix='B'): def LoadStrIfJson(jsonStr): try: return json.loads(jsonStr) - except ValueError as e: + except ValueError: return None @@ -445,7 +562,7 @@ def check_output_input(*popenargs, **kwargs): process = Popen(*popenargs, stdout=PIPE, stderr=PIPE, **kwargs) try: output, errput = process.communicate(inputdata) - except: + except Exception: process.kill() process.wait() raise @@ -476,7 +593,7 @@ def run_process( if stdout and (len(cmdout) > 0): output.extend(cmdout.decode(sys.getdefaultencoding()).split('\n')) - except (FileNotFoundError, OSError, IOError) as e: + except (FileNotFoundError, OSError, IOError): if stderr: output.append(f"Command {command} not found or unable to execute") @@ -508,7 +625,7 @@ def DoDynamicImport(importName, pipPkgName, interactive=False, debug=False): if tmpImport: DynImports[importName] = tmpImport return DynImports[importName] - except ImportError as e: + except ImportError: pass # see if we can help out by installing the module @@ -571,6 +688,7 @@ def MalcolmAuthFilesExist(): and os.path.isfile(os.path.join(MalcolmPath, os.path.join('nginx', os.path.join('certs', 'key.pem')))) and os.path.isfile(os.path.join(MalcolmPath, os.path.join('htadmin', 'config.ini'))) and os.path.isfile(os.path.join(MalcolmPath, 'auth.env')) + and os.path.isfile(os.path.join(MalcolmPath, '.opensearch.primary.curlrc')) ) @@ -608,5 +726,5 @@ def RemoveEmptyFolders(path, removeRoot=True): if len(files) == 0 and removeRoot: try: os.rmdir(path) - except: + except Exception: pass diff --git a/scripts/third-party-logs/README.md b/scripts/third-party-logs/README.md new file mode 100644 index 000000000..4e4b58530 --- /dev/null +++ b/scripts/third-party-logs/README.md 
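Review bot: In check_output_input, narrowing the bare `except:` to `except Exception:` changes behaviour rather than merely silencing flake8 E722: a KeyboardInterrupt or SystemExit raised while `process.communicate(inputdata)` is blocked no longer reaches the `process.kill()` / `process.wait()` cleanup, so an interrupted run leaves the child process orphaned (the Popen object is not used as a context manager here, so nothing else reaps it). `except BaseException:` keeps the original kill-and-re-raise semantics and still satisfies the linter; CPython's own subprocess.run uses a bare except at the same spot for exactly this reason. check_output_input begins before this hunk, so its remaining body is not visible here. The other `except ... as e` → `except ...` edits in these hunks are purely cosmetic and fine.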
@@ -0,0 +1,328 @@ +# Forwarding Third-Party Logs to Malcolm + +Malcolm uses [OpenSearch](https://opensearch.org/) and [OpenSearch Dashboards](https://opensearch.org/docs/latest/dashboards/index/) for data storage, search and visualization, and [Logstash](https://www.elastic.co/logstash/) for log processing. Because these tools are data agnostic, Malcolm can be configured to accept various host logs and other third-party logs sent from log forwaders such as [Fluent Bit](https://fluentbit.io/) and [Beats](https://www.elastic.co/beats/). Some examples of the types of logs these forwarders might send include: + +* System resource utilization metrics (CPU, memory, disk, network, etc.) +* System temperatures +* Linux system logs +* Windows event logs +* Process or service health status +* Logs appended to textual log files (e.g., `tail`-ing a log file) +* The output of an external script or program +* Messages in the form of MQTT control packets +* many more... + +The types of third-party logs and metrics discussed in this document are *not* the same as the network session metadata provided by Arkime, Zeek and Suricata. Please refer to the [Malcolm Contributor Guide](../../docs/contributing/README.md) for information on integrating a new network traffic analysis provider. + +## Table of Contents + +* [Configuring Malcolm](#Malcolm) + - [Secure communication](#MalcolmTLS) +* [Fluent Bit](#FluentBit) + - [Convenience Script for Linux/macOS](#FluentBitBash) + - [Convenience Script for Windows](#FluentBitPowerShell) +* [Beats](#Beats) +* [Data Format and Visualization](#Data) +* [Document Indices](#Indices) + +## Configuring Malcolm + +The environment variables in [`docker-compose.yml`](../../README.md#DockerComposeYml) for configuring how Malcolm accepts external logs are prefixed with `FILEBEAT_TCP_โ€ฆ`. 
These values can be specified during Malcolm configuration (i.e., when running [`./scripts/install.py --configure`](../../README.md#ConfigAndTuning)), as can be seen from the following excerpt from the [Installation example](../../README.md#InstallationExample): + +``` +โ€ฆ +Expose Logstash port to external hosts? (y/N): y +โ€ฆ +Expose Filebeat TCP port to external hosts? (y/N): y +1: json +2: raw +Select log format for messages sent to Filebeat TCP listener (json): 1 + +Source field to parse for messages sent to Filebeat TCP listener (message): message + +Target field under which to store decoded JSON fields for messages sent to Filebeat TCP listener (miscbeat): miscbeat + +Field to drop from events sent to Filebeat TCP listener (message): message + +Tag to apply to messages sent to Filebeat TCP listener (_malcolm_beats): _malcolm_beats +โ€ฆ +``` + +The variables corresponding to these questions can be found in the `filebeat-variables` section of`docker-compose.yml`: + +* `FILEBEAT_TCP_LISTEN` - whether or not to expose a [Filebeat TCP input listener](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) to which logs may be sent (the default TCP port is `5045`: you may need to adjust your firewall accordingly) +* `FILEBEAT_TCP_LOG_FORMAT` - log format expected for logs sent to the Filebeat TCP input listener (`json` or `raw`) +* `FILEBEAT_TCP_PARSE_SOURCE_FIELD` - source field name to parse (when `FILEBEAT_TCP_LOG_FORMAT` is `json`) for logs sent to the Filebeat TCP input listener +* `FILEBEAT_TCP_PARSE_TARGET_FIELD` - target field name to store decoded JSON fields (when `FILEBEAT_TCP_LOG_FORMAT` is `json`) for logs sent to the Filebeat TCP input listener +* `FILEBEAT_TCP_PARSE_DROP_FIELD` - name of field to drop (if it exists) in logs sent to the Filebeat TCP input listener +* `FILEBEAT_TCP_TAG` - tag to append to events sent to the Filebeat TCP input listener + +These variables' values will depend on your forwarder and the format of 
the data it sends. Note that unless you are creating your own [Logstash pipeline](../../docs/contributing/README.md#LogstashNewSource), you probably want to choose the default `_malcolm_beats` for `FILEBEAT_TCP_TAG` in order for your logs to be picked up and ingested through Malcolm's `beats` pipeline. + +### Secure communication + +In order to maintain the integrity and confidentiality of your data, Malcolm's default (set via the `BEATS_SSL` environment variable in `docker-compose.yml`) is to require connections from external forwarders to be encrypted using TLS. When [`./scripts/auth_setup`](../../README.md#AuthSetup) is run, self-signed certificates are generated which may be used by remote log forwarders. Located in the `filebeat/certs/` directory, the certificate authority and client certificate and key files should be copied to the host on which your forwarder is running and used when defining its settings for connecting to Malcolm. + +## Fluent Bit + +[Fluent Bit](https://fluentbit.io/) is a fast and lightweight logging and metrics processor and forwarder that works well with Malcolm. It is [well-documented](https://docs.fluentbit.io/manual), supports a number of [platforms](https://docs.fluentbit.io/manual/installation/getting-started-with-fluent-bit) including [Linux](https://docs.fluentbit.io/manual/installation/linux), [Microsoft Windows](https://docs.fluentbit.io/manual/installation/windows), macOS (either built [via source](https://docs.fluentbit.io/manual/installation/macos) or installed with [Homebrew](https://formulae.brew.sh/formula/fluent-bit#default)) and more. It provides many [data sources](https://docs.fluentbit.io/manual/pipeline/inputs) (inputs). + +### Convenience Script for Linux/macOS + +[`fluent-bit-setup.sh`](./fluent-bit-setup.sh) is a Bash script to help install and configure Fluent Bit on Linux and macOS systems. 
After configuring Malcolm to accept and parse forwarded logs as described above, run `fluent-bit-setup.sh` as illustrated in the examples below: + +Linux example: + +``` +$ ~/Malcolm/scripts/third-party-logs/fluent-bit-setup.sh +0 ALL +1 InstallFluentBit +2 GetMalcolmConnInfo +3 GetFluentBitFormatInfo +4 CreateFluentbitService +Operation: 0 +Install fluent-bit via GitHub/fluent install script [Y/n]? y +================================ + Fluent Bit Installation Script +================================ +This script requires superuser access to install packages. +You will be prompted for your password by sudo. +โ€ฆ +Installation completed. Happy Logging! + +Choose input plugin and enter parameters. Leave parameters blank for defaults. + see https://docs.fluentbit.io/manual/pipeline/inputs +1 collectd +2 cpu +3 disk +4 docker +5 docker_events +6 dummy +7 dummy_thread +8 exec +9 fluentbit_metrics +10 forward +11 head +12 health +13 http +14 kmsg +15 mem +16 mqtt +17 netif +18 nginx_metrics +19 node_exporter_metrics +20 opentelemetry +21 proc +22 prometheus_scrape +23 random +24 serial +25 statsd +26 stdin +27 syslog +28 systemd +29 tail +30 tcp +31 thermal +Input plugin: 2 +cpu Interval_Sec: 10 +cpu Interval_NSec: +cpu PID: +Enter Malcolm host or IP address (172.16.0.20): 172.16.0.20 +Enter Malcolm Filebeat TCP port (5045): 5045 +Enter fluent-bit output format (json_lines): json_lines +Nest values under field: cpu +Add "module" value: cpu + +/usr/local/bin/fluent-bit -R /etc/fluent-bit/parsers.conf -i cpu -p Interval_Sec=10 -o tcp://172.16.0.20:5045 -p tls=on -p tls.verify=off -p tls.ca_file=/home/user/Malcolm/filebeat/certs/ca.crt -p tls.crt_file=/home/user/Malcolm/filebeat/certs/client.crt -p tls.key_file=/home/user/Malcolm/filebeat/certs/client.key -p format=json_lines -F nest -p Operation=nest -p Nested_under=cpu -p WildCard='*' -m '*' -F record_modifier -p 'Record=module cpu' -m '*' -f 1 + +Configure service to run fluent-bit [y/N]? 
y +Enter .service file prefix: fluentbit_cpu +Configure systemd service as user "user" [Y/n]? y +[sudo] password for user: +Created symlink /home/user/.config/systemd/user/default.target.wants/fluentbit_cpu.service โ†’ /home/user/.config/systemd/user/fluentbit_cpu.service. +โ— fluentbit_cpu.service + Loaded: loaded (/home/user/.config/systemd/user/fluentbit_cpu.service; enabled; vendor preset: enabled) + Active: active (running) since Tue 2022-08-09 09:19:43 MDT; 5s ago + Main PID: 105521 (fluent-bit) + Tasks: 5 (limit: 76711) + Memory: 24.7M + CPU: 8ms + CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/fluentbit_cpu.service + โ””โ”€105521 /usr/local/bin/fluent-bit -R /etc/fluent-bit/parsers.conf -i cpu -p Interval_Sec=10 -o tcp://172.16.0.20:5045 -p tls=on -p tls.verify=off -p tls.ca_filโ€ฆ + +Aug 09 09:19:43 localhost fluent-bit[105521]: Fluent Bit v1.9.6 +โ€ฆ +Aug 09 09:19:43 localhost fluent-bit[105521]: [2022/08/09 09:19:43] [ info] [output:tcp:tcp.0] worker #0 started +Aug 09 09:19:43 localhost fluent-bit[105521]: [2022/08/09 09:19:43] [ info] [output:tcp:tcp.0] worker #1 started +``` + +macOS example: + +``` +$ bash fluent-bit-setup.sh +0 ALL +1 InstallFluentBit +2 GetMalcolmConnInfo +3 GetFluentBitFormatInfo +4 CreateFluentbitService +Operation: 0 +Install fluent-bit via Homebrew [Y/n]? y +==> Downloading https://ghcr.io/v2/homebrew/core/fluent-bit/manifests/1.9.6 +โ€ฆ +Choose input plugin and enter parameters. Leave parameters blank for defaults. 
+ see https://docs.fluentbit.io/manual/pipeline/inputs +1 collectd +2 dummy +3 dummy_thread +4 exec +5 fluentbit_metrics +6 forward +7 head +8 health +9 http +10 mqtt +11 nginx_metrics +12 opentelemetry +13 prometheus_scrape +14 random +15 serial +16 statsd +17 stdin +18 syslog +19 tail +20 tcp +Input plugin: 14 +random Samples: 10 +random Interval_Sec: 30 +random Internal_NSec: +Enter Malcolm host or IP address (127.0.0.1): 172.16.0.20 +Enter Malcolm Filebeat TCP port (5045): 5045 +Enter fluent-bit output format (json_lines): json_lines +Nest values under field: random +Add "module" value: random + +/usr/local/bin/fluent-bit -R /usr/local/etc/fluent-bit/parsers.conf -i random -p Samples=10 -p Interval_Sec=30 -o tcp://172.16.0.20:5045 -p tls=on -p tls.verify=off -p tls.ca_file=/Users/user/forwarder/ca.crt -p tls.crt_file=/Users/user/forwarder/client.crt -p tls.key_file=/Users/user/forwarder/client.key -p format=json_lines -F nest -p Operation=nest -p Nested_under=random -p WildCard='*' -m '*' -F record_modifier -p 'Record=module random' -m '*' -f 1 + +Configure service to run fluent-bit [y/N]? n +``` + +### Convenience Script for Windows + +[fluent-bit-setup.ps1](./fluent-bit-setup.ps1) is a PowerShell script to help install and configure Fluent Bit on Microsoft Windows systems. + +``` +PS C:\work> .\fluent-bit-setup.ps1 + +Download fluent-bit +Would you like to download fluent-bit (zip) to C:\work? +[Y] Yes [N] No [?] Help (default is "Y"): y + +Select input plugin (https://docs.fluentbit.io/manual/pipeline/inputs): +1. dummy +2. dummy_thread +3. fluentbit_metrics +4. forward +5. nginx_metrics +6. opentelemetry +7. prometheus_scrape +8. random +9. statsd +10. tail +11. tcp +12. windows_exporter_metrics +13. winevtlog +14. winlog +15. winstat +Make a selection: 13 + +Enter parameters for winevtlog. Leave parameters blank for defaults. 
+ see https://docs.fluentbit.io/manual/pipeline/inputs + +winevtlog Channels: Application,Security,Setup,Windows PowerShell +winevtlog Interval_Sec: +winevtlog Interval_NSec: +winevtlog Read_Existing_Events: +winevtlog DB: +winevtlog String_Inserts: +winevtlog Render_Event_As_XML: +winevtlog Use_ANSI: +Enter Malcolm host or IP address: 172.16.0.20 +Enter Malcolm Filebeat TCP port (5045): 5045 +Enter fluent-bit output format (json_lines): json_lines +Nest values under field (winevtlog): winevtlog +Add "module" value (winevtlog): winevtlog + +C:\work\bin\fluent-bit.exe -c "C:\work\winevtlog_172.16.0.20_1660062217.cfg" + +Install fluent-bit Service +Install Windows service for winevtlog to 172.16.0.20:5045? +[Y] Yes [N] No [?] Help (default is "N"): Y +Enter name for service: fluentbit_winevtlog +Enter account name to run service (DOMAIN\user): DOMAIN\user + +Status Name DisplayName +------ ---- ----------- +Stopped fluentbit_winev... fluentbit_winevtlog + +Start fluent-bit Service +Start Windows service for winevtlog to 172.16.0.20:5045? +[Y] Yes [N] No [?] Help (default is "Y"): y + +Status Name DisplayName +------ ---- ----------- +Running fluentbit_winev... fluentbit_winevtlog +``` + +## Beats + +Elastic [Beats](https://www.elastic.co/beats/) can also be used to forward data to Malcolm's Filebeat TCP listener. Follow the [Get started with Beats](https://www.elastic.co/guide/en/beats/libbeat/current/getting-started.html) documentation for configuring Beats on your system. + +In contrast to Fluent Bit, Beats forwarders write to Malcolm's Logstash input over TCP port 5044 (rather than its Filebeat TCP input). Answer `Y` when prompted `Expose Logstash port to external hosts?` during Malcolm configuration (i.e., when running [`./scripts/install.py --configure`](../../README.md#ConfigAndTuning)) to allow external remote Beats forwarders to send logs to Logstash. 
+ +Your Beat's [configuration YML file](https://www.elastic.co/guide/en/beats/libbeat/current/config-file-format.html) file might look something like this sample [filebeat.yml](https://www.elastic.co/guide/en/beats/filebeat/current/configuring-howto-filebeat.html) file: + + +```yml +filebeat.inputs: +- type: log + paths: + - /home/user/logs/*.log + +processors: + - add_tags: + tags: [_malcolm_beats] + +output.logstash: + hosts: ["172.16.0.20:5044"] + ssl.enabled: true + ssl.certificate_authorities: ["/home/user/Malcolm/filebeat/certs/ca.crt"] + ssl.certificate: "/home/user/Malcolm/filebeat/certs/client.crt" + ssl.key: "/home/user/Malcolm/filebeat/certs/client.key" + ssl.supported_protocols: "TLSv1.2" + ssl.verification_mode: "none" +``` + +The important bits to note in this example are the settings under [`output.logstash`](https://www.elastic.co/guide/en/beats/filebeat/current/logstash-output.html) (including the TLS-related files described above in **Configuring Malcolm**) and the `_malcolm_beats` value in [`tags`](https://www.elastic.co/guide/en/beats/filebeat/current/add-tags.html): unless you are creating your own [Logstash pipeline](../../docs/contributing/README.md#LogstashNewSource), you probably want to use `_malcolm_beats` in order for your logs to be picked up and ingested through Malcolm's `beats` pipeline. This parts should apply regardless of the specific Beats forwarder you're using (e.g., Filebeat, Metricbeat, Winlogbeat, etc.). + +Most Beats forwarders can use [processors](https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html) to filter, transform and enhance data prior to sending it to Malcolm. Consult each forwarder's [documentation](https://www.elastic.co/beats/) to learn more about what processors are available and how to configure them. 
Use the [Console output](https://www.elastic.co/guide/en/beats/filebeat/current/console-output.html) for debugging and experimenting with how Beats forwarders format the logs they generate. + +## Data Format and Visualization + +Because Malcolm could receive logs or metrics from virtually any provider, Malcolm most likely does not have prebuilt dashboards and visualizations for your third-party logs. Luckily, [OpenSearch Dashboards](https://opensearch.org/docs/latest/dashboards/index/) provides visualization tools that can be used with whatever data is stored in Malcolm's OpenSearch document store. Here are some resources to help you get started understanding OpenSearch Dashboards and building custom visualizations for your data: + +* [OpenSearch Dashboards](../../README.md#Dashboards) in the Malcolm documentation +* [OpenSearch Dashboards](https://opensearch.org/docs/latest/dashboards/index/) documentation +* [Kibana User Guide](https://www.elastic.co/guide/en/kibana/7.10/index.html) (OpenSearch Dashboards is an open-source fork of Kibana, so much of its documentation also applies to OpenSearch Dashboards) + - [Discover](https://www.elastic.co/guide/en/kibana/7.10/discover.html) + - [Searching Your Data](https://www.elastic.co/guide/en/kibana/7.10/search.html) + - [Kibana Dashboards](https://www.elastic.co/guide/en/kibana/7.10/dashboard.html) + - [TimeLine](https://www.elastic.co/guide/en/kibana/7.12/timelion.html) +* [Search Queries in Arkime and OpenSearch](../../README.md#SearchCheatSheet) + +## Document Indices + +Third-party logs ingested into Malcolm as outlined in this document will be indexed into the `malcolm_beats_*` index pattern (unless you've created your own [Logstash pipeline](../../docs/contributing/README.md#LogstashNewSource)), which can be selected in the OpenSearch Dashboards' Discover view or when specifying the log source for a new visualization. 
+ +Because these documents are indexed by OpenSearch dynamically as they are ingested by Logstash, their component fields will not show up as searchable in OpenSearch Dashboards visualizations until its copy of the field list is refreshed. Malcolm periodically refreshes this list, but if fields are missing from your visualizations you may wish to do it manually. + +After Malcolm ingests your data (or, more specifically, after it has ingested a new log type it has not seen before) you may manually refresh OpenSearch Dashboards's field list by clicking **Management** โ†’ **Index Patterns**, then selecting the index pattern (`malcolm_beats_*`) and clicking the reload **๐Ÿ—˜** button near the upper-right of the window. diff --git a/scripts/third-party-logs/fluent-bit-setup.ps1 b/scripts/third-party-logs/fluent-bit-setup.ps1 new file mode 100644 index 000000000..e9091ad4d --- /dev/null +++ b/scripts/third-party-logs/fluent-bit-setup.ps1 
@@ -0,0 +1,386 @@ +############################################################################### +# fluent-bit-setup.ps1 +# +# Interactive PowerShell script to aid in the installation and +# configuration of fluent-bit (https://fluentbit.io/) for forwarding logs to +# an instance of Malcolm (https://github.com/idaholab/malcolm). +# +# Copyright (c) 2022 Battelle Energy Alliance, LLC. All rights reserved. +############################################################################### + +$fluent_bit_version = '1.9' +$fluent_bit_full_version = '1.9.8' + +############################################################################### +# select an item from a menu provided in an array +############################################################################### +Function DynamicMenu { + Param ([array] $Items, [string] $Title = "Menu") + + $num = 0 + + if($Title -ne "") { + Write-Host $Title + } + + foreach($item in $Items) { + $num++ + $Separator = ":" + " " + " " *(($Items.Count).tostring().length - ($Num).tostring().length) + Write-Host "$num$Separator$item" + } + $Separator = ":" + " " *($Items.Count).tostring().length + $selection = (Read-Host "Make a selection") -as [int] + if (($selection -ne 0) -and ($selection -gt 0) -and ($selection -lt $Items.Count + 1)) { + return $Items[$selection - 1]; + } + return $null; +} + +############################################################################### +# "main" +############################################################################### +$now_unix_secs = [int](Get-Date -UFormat %s -Millisecond 0) + +# navigate to script directory +$workdir = Split-Path $MyInvocation.MyCommand.Path +Push-Location $workdir + +############################################################################### +# determine if fluent-bit is already installed (via package, in local ./bin directory or in current PATH) +$fluentbit_installed = 0 +$fluentbit_path = '' +$fluentbit_bin = '' +if ([Environment]::Is64BitOperatingSystem) { + 
$fluent_bit_platform = 'win64' +} else { + $fluent_bit_platform = 'win32' +} +$fluent_bit_zip = "fluent-bit-$fluent_bit_full_version-$fluent_bit_platform.zip" +$fluent_bit_shafile = "fluent-bit-$fluent_bit_full_version-$fluent_bit_platform.zip.sha256" + +if (Test-Path -Path './bin/fluent-bit.exe' -PathType Leaf) { + # ./bin/fluent-bit.exe exists, we'll use that + $fluentbit_bin = (Resolve-Path -Path './bin/fluent-bit.exe') + $fluentbit_path = Split-Path -Path "$fluentbit_bin" + +} elseif ((Get-Package | Where-Object -Property Name -like 'fluent-bit').Length -gt 0) { + # package is installed, get the installation location from the registry and use that + if ([Environment]::Is64BitOperatingSystem) { + $fluentbit_path = (Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\WOW6432Node\Calyptia Inc.\fluent-bit').'(default)' + } else { + $fluentbit_path = (Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Calyptia Inc.\fluent-bit').'(default)' + } + $fluentbit_bin = $fluentbit_path + '/bin/fluent-bit.exe' + +} else { + # fluent-bit.exe is in PATH, use that + $fluentbit_bin = (Get-Command 'fluent-bit.exe' -errorAction SilentlyContinue).Source + if ($fluentbit_bin) { + $fluentbit_path = Split-Path -Path "$fluentbit_bin" + } +} +if ($fluentbit_bin) { + $fluentbit_path = (Resolve-Path -Path "$fluentbit_path") + $fluentbit_bin = (Resolve-Path -Path "$fluentbit_bin") + $fluentbit_installed = (Test-Path -Path "$fluentbit_bin" -PathType Leaf) +} + +############################################################################### +# fluent-bit is not already installed, try to download/extract it +if (-Not $fluentbit_installed) { + + # see if the .zip file already exists, and whether or not we should use it + if (Test-Path -Path $fluent_bit_zip -PathType Leaf) { + $title = "$fluent_bit_zip found" + $question = "Would you like to use existing $fluent_bit_zip at "+$workdir+'?' 
+ $choices = '&Yes', '&No' + $decision = $Host.UI.PromptForChoice($title, $question, $choices, 0) + if ($decision -ne 0) { + Remove-Item "$fluent_bit_zip" + } + } + + # download the zip file if requested + if (-Not (Test-Path -Path $fluent_bit_zip -PathType Leaf)) { + $title = 'Download fluent-bit' + $question = 'Would you like to download fluent-bit (zip) to '+$workdir+'?' + $choices = '&Yes', '&No' + $decision = $Host.UI.PromptForChoice($title, $question, $choices, 0) + if ($decision -eq 0) { + $fluentbit_sha_url = "https://fluentbit.io/releases/$fluent_bit_version/$fluent_bit_shafile" + $fluentbit_url = "https://fluentbit.io/releases/$fluent_bit_version/$fluent_bit_zip" + Invoke-WebRequest -Uri "$fluentbit_sha_url" -OutFile "$fluent_bit_shafile" + Invoke-WebRequest -Uri "$fluentbit_url" -OutFile "$fluent_bit_zip" + } + } + + # check whether or not we can do the sha sum, and if not, confirm if that's okay + $fluentbit_sha_good = 0 + $ignore_sha_sum = 0 + if ((Test-Path -Path $fluent_bit_zip -PathType Leaf) -And (-Not (Test-Path -Path $fluent_bit_shafile -PathType Leaf))) { + $title = "$fluent_bit_shafile not found" + $question = "Cannot verify SHA256 of $fluent_bit_zip (missing $fluent_bit_shafile), abort?" 
+ $choices = '&Yes', '&No' + $decision = $Host.UI.PromptForChoice($title, $question, $choices, 0) + if ($decision -eq 1) { + $ignore_sha_sum = 1 + } + } + + # calculate the SHA256 sum of the ZIP file an compare it to the downloaded SHA256 value + if ((Test-Path -Path $fluent_bit_shafile -PathType Leaf) -and (Test-Path -Path $fluent_bit_zip -PathType Leaf)) { + $fluentbit_expected_hash = ((Get-Content "$fluent_bit_shafile" -First 1).ToLower() -split '\s+')[0] + $fluentbit_zip_hash = (Get-FileHash "$fluent_bit_zip").Hash.ToLower() + if ($fluentbit_zip_hash -eq $fluentbit_expected_hash) { + $fluentbit_sha_good = 1 + } + } + + # download integrity is good, extract the .zip file into the current directory + if (($fluentbit_sha_good -eq 1) -or ($ignore_sha_sum -eq 1)) { + Expand-Archive "$fluent_bit_zip" -DestinationPath "$workdir" + if (Test-Path -Path "fluent-bit-$fluent_bit_full_version-$fluent_bit_platform" -PathType Container) { + Get-ChildItem -Path "fluent-bit-$fluent_bit_full_version-$fluent_bit_platform" | + Move-Item -Destination "$workdir" + Remove-Item -Path "fluent-bit-$fluent_bit_full_version-$fluent_bit_platform" + $fluentbit_installed = (Test-Path -Path './bin/fluent-bit.exe' -PathType Leaf) + if ($fluentbit_installed) { + $fluentbit_bin = (Resolve-Path -Path './bin/fluent-bit.exe') + $fluentbit_path = Split-Path -Path "$fluentbit_bin" + } + } else { + Write-Host "Failed to expand $fluent_bit_zip" -ForegroundColor Red + } + } else { + Write-Host "Could not download or verify SHA256 sum of $fluent_bit_zip" -ForegroundColor Red + } +} + +if (-Not $fluentbit_installed) { + Write-Host "Visit https://docs.fluentbit.io/manual/installation/windows to download and install fluent-bit" -ForegroundColor Red + Exit 1 +} + +############################################################################### +# fluent-bit is installed, get a list of the input filters available and prompt the user + +$fluentbit_help = &"$fluentbit_bin" --help 2>&1 +$inputs_regex = 
'(?ms)Inputs(.+?)Filters' +$fluentbit_help = $fluentbit_help -join "`n" +$fluentbit_help = +[regex]::Matches($fluentbit_help,$inputs_regex) | + foreach {$_.groups[1].value -split "`n"} | Where-Object {$_} +$fluentbit_inputs = @() +foreach ($i in $fluentbit_help) { + $input_name = ($i.Trim() -split '\s+')[0] + $input_name = $input_name.subString(0, [System.Math]::Min(24, $input_name.Length)) + $fluentbit_inputs = $fluentbit_inputs + $input_name +} +$fluentbit_inputs = $fluentbit_inputs | Sort-Object +do { + $input_chosen = DynamicMenu $fluentbit_inputs "Select input plugin (https://docs.fluentbit.io/manual/pipeline/inputs):" +} until (![string]::IsNullOrWhiteSpace($input_chosen)) + +############################################################################### +# prompt the user for values to the parameters for the chosen input plugin + +Write-Host "Enter parameters for $input_chosen. Leave parameters blank for defaults." +Write-Host " see https://docs.fluentbit.io/manual/pipeline/inputs" +Write-Host "" +$param_names = switch ( $input_chosen ) { + 'dummy' { @('Dummy', 'Start_time_sec', 'Start_time_nsec', 'Rate', 'Samples') } + 'random' { @('Samples', 'Interval_Sec', 'Interval_NSec') } + 'statsd' { @('Listen', 'Port') } + 'tail' { @('Buffer_Chunk_Size', 'Buffer_Max_Size', 'Path', 'Path_Key', 'Exclude_Path', 'Offset_Key', 'Read_from_Head', 'Refresh_Interval', 'Rotate_Wait', 'Ignore_Older', 'Skip_Long_Lines', 'Skip_Empty_Lines', 'DB', 'DB.sync', 'DB.locking', 'DB.journal_mode', 'Mem_Buf_Limit', 'Exit_On_Eof', 'Parser', 'Key', 'Inotify_Watcher', 'Tag', 'Tag_Regex', 'Static_Batch_Size') } + 'tcp' { @('Listen', 'Port', 'Buffer_Size', 'Chunk_Size', 'Format', 'Separator') } + 'windows_exporter_metrics' { @('scrape_interval') } + 'winevtlog' { @('Channels', 'Interval_Sec', 'Interval_NSec', 'Read_Existing_Events', 'DB', 'String_Inserts', 'Render_Event_As_XML', 'Use_ANSI') } + 'winlog' { @('Channels', 'Interval_Sec', 'DB') } + 'winstat' { @('Interval_Sec', 'Interval_NSec') } 
+ default { @() } +} +$param_map = @{} +foreach ($param_name in $param_names) { + $param_val = Read-Host -Prompt "$input_chosen ${param_name}" + $param_map[$param_name] = $param_val +} + +############################################################################### +# prompt the user for connection and message format parameters + +do { $malcolm_ip = Read-Host -Prompt 'Enter Malcolm host or IP address' } until (-Not [string]::IsNullOrWhiteSpace($malcolm_ip)) +$malcolm_port = Read-Host -Prompt 'Enter Malcolm Filebeat TCP port (5045)' +if ([string]::IsNullOrWhiteSpace($malcolm_port)) { + $malcolm_port = '5045' +} +$message_format = Read-Host -Prompt 'Enter fluent-bit output format (json_lines)' +if ([string]::IsNullOrWhiteSpace($message_format)) { + $message_format = 'json_lines' +} +if ($message_format -eq 'json_lines') { + $message_nest = Read-Host -Prompt "Nest values under field ($input_chosen)" + $message_module = Read-Host -Prompt "Add `"module`" value ($input_chosen)" + if ([string]::IsNullOrWhiteSpace($message_nest)) { + $message_nest = $input_chosen + } + if ([string]::IsNullOrWhiteSpace($message_module)) { + $message_module = $input_chosen + } +} else { + $message_nest = Read-Host -Prompt 'Nest values under field' + $message_module = Read-Host -Prompt 'Add "module" value' +} + +############################################################################### +# prompt for TLS client ca/certificate/key files +$ca = '' +$cert = '' +$key = '' +if ((Test-Path -Path './ca.crt' -PathType Leaf) -and + (Test-Path -Path './client.crt' -PathType Leaf) -and + (Test-Path -Path './client.key' -PathType Leaf)) { + $ca = './ca.crt' + $cert = './client.crt' + $key = './client.key' +} elseif ((Test-Path -Path '../../filebeat/certs' -PathType Container) -and + (Test-Path -Path '../../filebeat/certs/ca.crt' -PathType Leaf) -and + (Test-Path -Path '../../filebeat/certs/client.crt' -PathType Leaf) -and + (Test-Path -Path '../../filebeat/certs/client.key' -PathType Leaf)) { + $ca 
= '../../filebeat/certs/ca.crt' + $cert = '../../filebeat/certs/client.crt' + $key = '../../filebeat/certs/client.key' +} + +while (([string]::IsNullOrWhiteSpace($ca)) -or + ([string]::IsNullOrWhiteSpace($cert)) -or + ([string]::IsNullOrWhiteSpace($key)) -or + (-Not (Test-Path -Path "$ca" -PathType Leaf)) -or + (-Not (Test-Path -Path "$cert" -PathType Leaf)) -or + (-Not (Test-Path -Path "$key" -PathType Leaf))) { + Write-Host "Enter paths and filenames of client certificate files" + Write-Host " e.g., files generated in Malcolm/filebeat/certs/ directory" + $ca = Read-Host -Prompt 'Enter CA certificate file' + $cert = Read-Host -Prompt 'Enter client certificate file' + $key = Read-Host -Prompt 'Enter client key file' +} +$ca = (Resolve-Path -Path "$ca") +$cert = (Resolve-Path -Path "$cert") +$key = (Resolve-Path -Path "$key") + +############################################################################### +# build fluent-bit.exe configuration. saving it into a file rather than building +# the command line as the escaping of quotes/spaces becomes tricky when building +# a service + +$fluentbit_config = @() +$fluentbit_config += "[SERVICE]" +$fluentbit_config += " Flush 1" +$fluentbit_config += " Daemon off" + +# parser config file +$fluentbit_parsers_conf = '' +if (Test-Path -Path "$fluentbit_path/../conf/parsers.conf" -PathType Leaf) { + $fluentbit_parsers_conf = (Resolve-Path -Path "$fluentbit_path/../conf/parsers.conf") +} elseif (Test-Path -Path "$fluentbit_path/parsers.conf" -PathType Leaf) { + $fluentbit_parsers_conf = (Resolve-Path -Path "$fluentbit_path/parsers.conf") +} +if ([string]::IsNullOrWhiteSpace($fluentbit_parsers_conf)) { + $fluentbit_parsers_conf = Read-Host -Prompt 'Enter location of fluent-bit parsers.conf' +} +if ((-Not ([string]::IsNullOrWhiteSpace($fluentbit_parsers_conf))) -and (Test-Path -Path "$fluentbit_parsers_conf" -PathType Leaf)) { + $fluentbit_config += " Parsers_File ${fluentbit_parsers_conf}" +} + +# input +$fluentbit_config += "" 
+$fluentbit_config += "[INPUT]" +$fluentbit_config += " Name ${input_chosen}" + +# input parameters +foreach ($element in $param_map.GetEnumerator()) { + if (($($element.Name) -eq 'DB') -and ([string]::IsNullOrWhiteSpace($($element.Value)))) { + # if the monitor file/offset DB is an unspecified parameter, choose it for them + $fluentbit_config += " $($element.Name) $workdir\${input_chosen}_${malcolm_ip}_${now_unix_secs}.db" + } elseif (-Not ([string]::IsNullOrWhiteSpace($($element.Value)))) { + # otherwise output specified values as-is + $fluentbit_config += " $($element.Name) $($element.Value)" + } +} + +# output parameters +$fluentbit_config += "" +$fluentbit_config += "[OUTPUT]" +$fluentbit_config += " Name tcp://${malcolm_ip}:${malcolm_port}" +$fluentbit_config += " Match *" +$fluentbit_config += " tls on" +$fluentbit_config += " tls.verify off" +$fluentbit_config += " tls.ca_file ${ca}" +$fluentbit_config += " tls.crt_file ${cert}" +$fluentbit_config += " tls.key_file ${key}" +$fluentbit_config += " format ${message_format}" +$fluentbit_config += "" + +# filters +if (-Not ([string]::IsNullOrWhiteSpace($message_nest))) { + $fluentbit_config += "[FILTER]" + $fluentbit_config += " Name nest" + $fluentbit_config += " Operation nest" + $fluentbit_config += " Nested_under ${message_nest}" + $fluentbit_config += " WildCard *" + $fluentbit_config += " Match *" + $fluentbit_config += "" +} + +if (-Not ([string]::IsNullOrWhiteSpace($message_module))) { + $fluentbit_config += "[FILTER]" + $fluentbit_config += " Name record_modifier" + $fluentbit_config += " Record module ${message_module}" + $fluentbit_config += " Match *" + $fluentbit_config += "" +} + +# write configuration out to file for fluent-bit.exe to read upon execution +$fluentbit_config_path = "${input_chosen}_${malcolm_ip}_${now_unix_secs}.cfg" +($fluentbit_config -join "`n") + "`n" | Out-File -FilePath "${fluentbit_config_path}" -Encoding ascii -NoNewLine +$fluentbit_config_path = (Resolve-Path -Path 
"$fluentbit_config_path") + +Write-Host "" +Write-Host "$fluentbit_bin -c `"${fluentbit_config_path}`"" + +# prompt the user if they want to create a service +$title = "Install fluent-bit Service" +$question = "Install Windows service for ${input_chosen} to ${malcolm_ip}:${malcolm_port}?" +$choices = '&Yes', '&No' +$decision = $Host.UI.PromptForChoice($title, $question, $choices, 1) +if ($decision -eq 0) { + # prompt for service name and account to run under (default to current user) + do { $service_name = Read-Host -Prompt 'Enter name for service' } until (-Not [string]::IsNullOrWhiteSpace($service_name)) + $service_account_default=[System.Security.Principal.WindowsIdentity]::GetCurrent().Name + $service_account = Read-Host -Prompt "Enter account name to run service ($service_account_default)" + if ([string]::IsNullOrWhiteSpace($service_account)) { + $service_account = $service_account_default + } + + # create the service + $service_cmd = "${fluentbit_bin} -c ${fluentbit_config_path}" + New-Service -name $service_name ` + -displayName $service_name ` + -description "fluent-bit ${input_chosen} to ${malcolm_ip}:${malcolm_port}" ` + -StartupType Automatic ` + -Credential "$service_account" ` + -binaryPathName "$service_cmd" + + # prompt to start it + $title = "Start fluent-bit Service" + $question = "Start Windows service for ${input_chosen} to ${malcolm_ip}:${malcolm_port}?" + $choices = '&Yes', '&No' + $decision = $Host.UI.PromptForChoice($title, $question, $choices, 0) + if ($decision -eq 0) { + Restart-Service -DisplayName $service_name + Get-Service -DisplayName $service_name + } +} + +############################################################################### +# return to original directory +Pop-Location diff --git a/scripts/third-party-logs/fluent-bit-setup.sh b/scripts/third-party-logs/fluent-bit-setup.sh new file mode 100755 index 000000000..072103661 --- /dev/null +++ b/scripts/third-party-logs/fluent-bit-setup.sh 
@@ -0,0 +1,719 @@ +#!/usr/bin/env bash + +############################################################################### +# fluent-bit-setup.sh +# +# Interactive bash script for Linux and macOS to aid in the installation and +# configuration of fluent-bit (https://fluentbit.io/) for forwarding logs to +# an instance of Malcolm (https://github.com/idaholab/malcolm). +# +# Copyright (c) 2022 Battelle Energy Alliance, LLC. All rights reserved. + +############################################################################### +# force bash +if [[ -z "$BASH_VERSION" ]]; then + echo "Wrong interpreter, please run \"$0\" with bash" >&2 + exit 1 +fi + +############################################################################### +# determine OS, root user and some other parameters +unset MACOS +unset LINUX +if [[ $(uname -s) = 'Darwin' ]]; then + export MACOS=0 +elif [[ $(uname -s) = 'Linux' ]]; then + export LINUX=0 +else + echo "Unsupported platform: $(uname -s)" +fi + +# +if [[ $EUID -eq 0 ]]; then + SCRIPT_USER="root" + SUDO_CMD="" +else + SCRIPT_USER="$(whoami)" + SUDO_CMD="sudo" +fi + +############################################################################### +# get directory script is executing from +[[ -n $MACOS ]] && REALPATH=grealpath || REALPATH=realpath +[[ -n $MACOS ]] && DIRNAME=gdirname || DIRNAME=dirname +[[ -n $MACOS ]] && SED=gsed || SED=sed +if ! 
(type "$REALPATH" && type "$DIRNAME" && type "$SED") > /dev/null; then + echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH, $DIRNAME and $SED" >&2 + exit 1 +fi +SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}") | head -n 1)" +FULL_PWD="$($REALPATH "$(pwd)" | head -n 1)" + +################################################################################### +# _GetConfirmation - get a yes/no confirmation from the user (or accept the default) +function _GetConfirmation { + PROMPT=${1:-"[y/N]?"} + DEFAULT_ANSWER=${2:-n} + unset CONFIRMATION + echo -n "${PROMPT} " >&2 + read CONFIRMATION + CONFIRMATION=${CONFIRMATION:-$DEFAULT_ANSWER} + echo $CONFIRMATION +} + +################################################################################### +# _GetString - get a string response from the user (or accept the default) +function _GetString { + PROMPT=${1:-""} + DEFAULT_ANSWER=${2:-""} + unset RESPONSE + echo -n "${PROMPT} " >&2 + read RESPONSE + RESPONSE=${RESPONSE:-$DEFAULT_ANSWER} + echo $RESPONSE +} + +################################################################################### +# _in_array - does an array contain an element +function _in_array() { + local haystack="${1}[@]" + local needle="${2}" + for i in "${!haystack}"; do + if [[ "${i}" == "${needle}" ]]; then + return 0 + fi + done + return 1 +} + +############################################################################### +# script options +set -o pipefail +ENCODING="utf-8" + +############################################################################### +# command-line parameters +# options +# -v (verbose) +# -i input (input string) + +# parse command-line options +VERBOSE_FLAG="" +INPUT_STR="world" +while getopts 'vi:' OPTION; do + case "$OPTION" in + v) + VERBOSE_FLAG="-v" + ;; + + i) + INPUT_STR="$OPTARG" + ;; + + ?) 
+ echo "script usage: $(basename $0) [-v] [-i input]" >&2 + exit 1 + ;; + esac +done +shift "$(($OPTIND -1))" + +############################################################################### +# clean-up code +function _clean_up { + [[ -n $VERBOSE_FLAG ]] && echo "Cleaning up..." >&2 +} + +############################################################################### +# run fluent-bit bin wherever it's at +function _fluentbit_bin { + if hash fluent-bit >/dev/null 2>&1; then + FLUENTBIT_BIN="$(command -v fluent-bit)" + elif [[ -n "$LINUX" ]]; then + FLUENTBIT_BIN='/opt/fluent-bit/bin/fluent-bit' + elif [[ -n "$MACOS" ]]; then + FLUENTBIT_BIN='/usr/local/bin/fluent-bit' + else + FLUENTBIT_BIN='fluent-bit' + fi + echo "$FLUENTBIT_BIN" +} + +function _fluentbit_parser_cfg { + if [[ -s /usr/local/etc/fluent-bit/parsers.conf ]]; then + echo /usr/local/etc/fluent-bit/parsers.conf + elif [[ -s /etc/fluent-bit/parsers.conf ]]; then + echo /etc/fluent-bit/parsers.conf + elif [[ -s /opt/fluent-bit/etc/parsers.conf ]]; then + echo /opt/fluent-bit/etc/parsers.conf + else + echo "" + fi +} + +function _fluentbit_run { + "$(_fluentbit_bin)" "$@" +} + +############################################################################### +# install fluent-bit if it's not already installed +function InstallFluentBit() { + _fluentbit_run --version >/dev/null 2>&1 + if [[ $? -ne 0 ]]; then + + if [[ -n "$LINUX" ]]; then + INSTALL_CONFIRM="$(_GetConfirmation "Install fluent-bit via GitHub/fluent install script [Y/n]?" "y")" + if [[ $INSTALL_CONFIRM =~ ^[Yy] ]]; then + source <(curl -fsSL https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh) + else + echo "Visit https://docs.fluentbit.io/manual/installation/linux" >&2 + fi + + elif [[ -n "$MACOS" ]]; then + if ! brew info >/dev/null 2>&1; then + INSTALL_BREW_CONFIRM="$(_GetConfirmation "Install Homebrew for macOS [y/N]?" 
"n")" + if [[ $INSTALL_BREW_CONFIRM =~ ^[Yy] ]]; then + source <(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh) + fi + fi + INSTALL_CONFIRM="$(_GetConfirmation "Install fluent-bit via Homebrew [Y/n]?" "y")" + if [[ $INSTALL_CONFIRM =~ ^[Yy] ]]; then + brew install fluent-bit + else + echo "Visit https://docs.fluentbit.io/manual/installation/macos" >&2 + fi + + else + echo "Visit https://docs.fluentbit.io/manual/installation/getting-started-with-fluent-bit" >&2 + fi + else + echo "fluent-bit is already installed" >&2 + fi + + _fluentbit_run --version >/dev/null 2>&1 +} + +############################################################################### +# identify malcolm connection information +function GetMalcolmConnInfo() { + IP= + PORT= + FORMAT= + NEST= + MODULE= + CA= + CERT= + KEY= + + command -v ip >/dev/null 2>&1 && SUGGESTED_IP=$(ip route get 255.255.255.255 2>/dev/null | grep -Po '(?<=src )(\d{1,3}.){4}' | $SED "s/ //g") || SUGGESTED_IP='127.0.0.1' + SUGGESTED_PORT=5045 + SUGGESTED_FORMAT=json_lines + + while [[ -z "$IP" ]] || \ + [[ -z "$PORT" ]] || \ + [[ -z "$FORMAT" ]]; do + IP="$(_GetString "Enter Malcolm host or IP address ($SUGGESTED_IP):" "$SUGGESTED_IP")" + PORT="$(_GetString "Enter Malcolm Filebeat TCP port ($SUGGESTED_PORT):" "$SUGGESTED_PORT")" + FORMAT="$(_GetString "Enter fluent-bit output format ($SUGGESTED_FORMAT):" "$SUGGESTED_FORMAT")" + NEST="$(_GetString "Nest values under field:")" + MODULE="$(_GetString "Add \"module\" value:")" + done + + if [[ -r "$SCRIPT_PATH"/ca.crt ]] && \ + [[ -r "$SCRIPT_PATH"/client.crt ]] && \ + [[ -r "$SCRIPT_PATH"/client.key ]]; then + CA="$SCRIPT_PATH"/ca.crt + CERT="$SCRIPT_PATH"/client.crt + KEY="$SCRIPT_PATH"/client.key + + elif [[ -d "$SCRIPT_PATH"/../../filebeat/certs ]] && \ + [[ -r "$SCRIPT_PATH"/../../filebeat/certs/ca.crt ]] && \ + [[ -r "$SCRIPT_PATH"/../../filebeat/certs/client.crt ]] && \ + [[ -r "$SCRIPT_PATH"/../../filebeat/certs/client.key ]]; then + 
CA="$($REALPATH -e "$SCRIPT_PATH"/../../filebeat/certs/ca.crt)" + CERT="$($REALPATH -e "$SCRIPT_PATH"/../../filebeat/certs/client.crt)" + KEY="$($REALPATH -e "$SCRIPT_PATH"/../../filebeat/certs/client.key)" + fi + + FIRST_TIME=1 + while [[ -z "$CA" ]] || \ + [[ -z "$CERT" ]] || \ + [[ -z "$KEY" ]] || \ + [[ ! -r "$CA" ]] || \ + [[ ! -r "$CERT" ]] || \ + [[ ! -r "$KEY" ]]; do + if [[ $FIRST_TIME -eq 1 ]]; then + echo "Enter paths and filenames of client certificate files" >&2 + echo " e.g., files generated in Malcolm/filebeat/certs/ directory" >&2 + fi + FIRST_TIME=0 + CA="$(_GetString "Enter CA certificate file: ")" + CERT="$(_GetString "Enter client certificate file: ")" + KEY="$(_GetString "Enter client key file: ")" + done + + FLUENTBIT_ARGS=() + FLUENTBIT_ARGS+=( -o ) + FLUENTBIT_ARGS+=( "tcp://$IP:$PORT" ) + FLUENTBIT_ARGS+=( -p ) + FLUENTBIT_ARGS+=( tls=on ) + FLUENTBIT_ARGS+=( -p ) + FLUENTBIT_ARGS+=( tls.verify=off ) + FLUENTBIT_ARGS+=( -p ) + FLUENTBIT_ARGS+=( tls.ca_file="$CA" ) + FLUENTBIT_ARGS+=( -p ) + FLUENTBIT_ARGS+=( tls.crt_file="$CERT" ) + FLUENTBIT_ARGS+=( -p ) + FLUENTBIT_ARGS+=( tls.key_file="$KEY" ) + FLUENTBIT_ARGS+=( -p ) + FLUENTBIT_ARGS+=( format="$FORMAT" ) + + if [[ -n "$NEST" ]]; then + FLUENTBIT_ARGS+=( -F ) + FLUENTBIT_ARGS+=( nest ) + FLUENTBIT_ARGS+=( -p ) + FLUENTBIT_ARGS+=( Operation=nest ) + FLUENTBIT_ARGS+=( -p ) + FLUENTBIT_ARGS+=( "Nested_under=$NEST" ) + FLUENTBIT_ARGS+=( -p ) + FLUENTBIT_ARGS+=( "WildCard='*'" ) + FLUENTBIT_ARGS+=( -m ) + FLUENTBIT_ARGS+=( "'*'" ) + fi + if [[ -n "$MODULE" ]]; then + FLUENTBIT_ARGS+=( -F ) + FLUENTBIT_ARGS+=( record_modifier ) + FLUENTBIT_ARGS+=( -p ) + FLUENTBIT_ARGS+=( "'Record=module $MODULE'" ) + FLUENTBIT_ARGS+=( -m ) + FLUENTBIT_ARGS+=( "'*'" ) + fi + FLUENTBIT_ARGS+=( -f ) + FLUENTBIT_ARGS+=( 1 ) + + ( IFS=$'\n'; echo "${FLUENTBIT_ARGS[*]}" ) +} + +############################################################################### +# identify information for fluent-bit intput/output 
+function GetFluentBitFormatInfo() { + INPUT_NAME= + declare -A PARAMS + + echo "Choose input plugin and enter parameters. Leave parameters blank for defaults." >&2 + echo " see https://docs.fluentbit.io/manual/pipeline/inputs" >&2 + readarray -t PLUGINS < <(_fluentbit_run --help 2>&1 | $SED 's/\x1B\[[0-9;]\{1,\}[A-Za-z]//g' | $SED -n '/^Inputs$/, /^Filters$/{ /^Inputs$/! { /^Filters$/! p } }' | grep . | awk '{print $1}' | sort) + if [[ ${#PLUGINS[@]} -eq 0 ]]; then + # this shouldn't have happened, but we need to have at least one plugin here + PLUGINS=( + dummy + ) + fi + for i in "${!PLUGINS[@]}"; do + ((IPLUS=i+1)) + printf "%s\t%s\n" "$IPLUS" "${PLUGINS[$i]}" >&2 + done + while [[ -z "$INPUT_NAME" ]] || ! _in_array PLUGINS "$INPUT_NAME"; do + echo -n "Input plugin: " >&2 + read PLUGIN_IDX + if (( $PLUGIN_IDX > 0 )) && (( $PLUGIN_IDX <= "${#PLUGINS[@]}" )); then + INPUT_NAME="${PLUGINS[((PLUGIN_IDX-1))]}" + fi + done + + case $INPUT_NAME in + + collectd) + PARAM_NAMES=( + Listen + Port + TypesDB + ) + ;; + + cpu) + PARAM_NAMES=( + Interval_Sec + Interval_NSec + PID + ) + ;; + + disk) + PARAM_NAMES=( + Interval_Sec + Interval_NSec + Dev_Name + ) + ;; + + docker) + PARAM_NAMES=( + Interval_Sec + Include + Exclude + ) + ;; + + docker_events) + PARAM_NAMES=( + Unix_Path + Buffer_Size + Parser + Key + Reconnect.Retry_limits + Reconnect.Retry_interval + ) + ;; + + dummy) + PARAM_NAMES=( + Dummy + Start_time_sec + Start_time_nsec + Rate + Samples + ) + ;; + + exec) + PARAM_NAMES=( + Command + Parser + Interval_Sec + Interval_NSec + Buf_Size + Oneshot + ) + ;; + + head) + PARAM_NAMES=( + File + Buf_Size + Interval_Sec + Interval_NSec + Add_Path + Key + Lines + Split_line + ) + ;; + + http) + PARAM_NAMES=( + host + port + buffer_max_size + buffer_chunk_size + successful_response_code + ) + ;; + + health) + PARAM_NAMES=( + Host + Port + Interval_Sec + Internal_NSec + Alert + Add_Host + Add_Port + ) + ;; + + mem) + PARAM_NAMES=( + Interval_Sec + Interval_NSec + PID + ) + 
;; + + mqtt) + PARAM_NAMES=( + Listen + Port + ) + ;; + + netif) + PARAM_NAMES=( + Interface + Interval_Sec + Internal_NSec + Verbose + Test_At_Init + ) + ;; + + proc) + PARAM_NAMES=( + Proc_Name + Interval_Sec + Internal_NSec + Alert + Fd + Mem + ) + ;; + + random) + PARAM_NAMES=( + Samples + Interval_Sec + Internal_NSec + ) + ;; + + statsd) + PARAM_NAMES=( + Listen + Port + ) + ;; + + syslog) + PARAM_NAMES=( + Mode + Listen + Port + Path + Unix_Perm + Parser + Buffer_Chunk_Size + Buffer_Max_Size + ) + ;; + + systemd) + PARAM_NAMES=( + Path + Max_Fields + Max_Entries + Systemd_Filter + Systemd_Filter_Type + Tag + DB + DB.Sync + Read_From_Tail + Lowercase + Strip_Underscores + ) + ;; + + tail) + PARAM_NAMES=( + Buffer_Chunk_Size + Buffer_Max_Size + Path + Path_Key + Exclude_Path + Offset_Key + Read_from_Head + Refresh_Interval + Rotate_Wait + Ignore_Older + Skip_Long_Lines + Skip_Empty_Lines + DB + DB.sync + DB.locking + DB.journal_mode + Mem_Buf_Limit + Exit_On_Eof + Parser + Key + Inotify_Watcher + Tag + Tag_Regex + Static_Batch_Size + ) + ;; + + tcp) + PARAM_NAMES=( + Listen + Port + Buffer_Size + Chunk_Size + Format + Separator + ) + ;; + + thermal) + PARAM_NAMES=( + Interval_Sec + Interval_NSec + name_regex + type_regex + ) + ;; + + *) + PARAM_NAMES=() + ;; + esac + + for KEY in ${PARAM_NAMES[@]}; do + VALUE="$(_GetString "$INPUT_NAME $KEY: ")" + [[ -n "$VALUE" ]] && PARAMS+=(["$KEY"]="$VALUE") + done + + FLUENTBIT_ARGS=() + FLUENTBIT_PARSER_CFG=$(_fluentbit_parser_cfg) + if [[ -n "$FLUENTBIT_PARSER_CFG" ]]; then + FLUENTBIT_ARGS+=( -R ) + FLUENTBIT_ARGS+=( "$FLUENTBIT_PARSER_CFG" ) + fi + FLUENTBIT_ARGS+=( -i ) + FLUENTBIT_ARGS+=( "$INPUT_NAME" ) + for key in "${!PARAMS[@]}"; do + FLUENTBIT_ARGS+=( -p ) + FLUENTBIT_ARGS+=( $key="${PARAMS[$key]}" ) + done + + ( IFS=$'\n'; echo "${FLUENTBIT_ARGS[*]}" ) +} + +############################################################################### +# setup systemd (linux) service to run fluentbit as configured +function 
CreateFluentbitService() { + COMMAND=("$@") + + SERVICE_CONFIRM="$(_GetConfirmation "Configure service to run fluent-bit [y/N]?" "n")" + if [[ $SERVICE_CONFIRM =~ ^[Yy] ]]; then + + # linux services via systemd + if [[ -n "$LINUX" ]]; then + if systemctl --version >/dev/null 2>&1; then + + # prompt for a valid service name + SERVICE_NAME= + while [[ -z "$SERVICE_NAME" ]] || \ + [[ ! "$SERVICE_NAME" =~ ^[A-Za-z0-9_-]*$ ]] || \ + [[ -e "$HOME"/.config/systemd/user/"$SERVICE_NAME".service ]]; do + SERVICE_NAME="$(_GetString "Enter .service file prefix:")" + done + + # run as root or a regular user? + if [[ "$SCRIPT_USER" != "root" ]]; then + SYSCTL_USER_CONFIRM="$(_GetConfirmation "Configure systemd service as user \"$SCRIPT_USER\" [Y/n]?" "y")" + else + SYSCTL_USER_CONFIRM=n + fi + + if [[ $SYSCTL_USER_CONFIRM =~ ^[Yy] ]]; then + # running as a regular user, need to enable-linger for service to be able to run + "$SUDO_CMD" loginctl enable-linger "$SCRIPT_USER" || echo "loginctl enable-linger $SCRIPT_USER failed" >&2 + + # create service directory and write .service file + mkdir -p "$HOME"/.config/systemd/user/ || echo "creating "$HOME"/.config/systemd/user/ failed" >&2 + cat < "$HOME"/.config/systemd/user/"$SERVICE_NAME".service +[Unit] +AssertPathExists=$(_fluentbit_bin) +After=network.target + +[Service] +ExecStart=$( ( IFS=$' '; echo "${FLUENTBIT_COMMAND[*]}" ) ) +Restart=on-failure +PrivateTmp=false +NoNewPrivileges=false + +[Install] +WantedBy=default.target +EOF + systemctl --user daemon-reload + systemctl --user enable "$SERVICE_NAME".service >&2 + systemctl --user start "$SERVICE_NAME".service >&2 + sleep 5 + systemctl --user status --no-pager "$SERVICE_NAME".service >&2 + + else + # running as root, ensure service directory exists and write .service file + mkdir -p /etc/systemd/system/ || echo "creating /etc/systemd/system/ failed" >&2 + cat << EOF | "$SUDO_CMD" tee /etc/systemd/system/"$SERVICE_NAME".service >/dev/null 2>&1 +[Unit] 
+AssertPathExists=$(_fluentbit_bin) +After=network.target + +[Service] +ExecStart=$( ( IFS=$' '; echo "${FLUENTBIT_COMMAND[*]}" ) ) +Restart=on-failure +PrivateTmp=false +NoNewPrivileges=false + +[Install] +WantedBy=multi-user.target +EOF + "$SUDO_CMD" systemctl daemon-reload + "$SUDO_CMD" systemctl enable "$SERVICE_NAME".service >&2 + "$SUDO_CMD" systemctl start "$SERVICE_NAME".service >&2 + "$SUDO_CMD" sleep 5 + "$SUDO_CMD" systemctl status --no-pager "$SERVICE_NAME".service >&2 + fi # unprivileged vs. root + else + echo "systemctl not detected" >&2 && false + fi # systemctl check + + elif [[ -n "$MACOS" ]]; then + echo "macOS services not yet implemented" >&2 && false + fi # os determination + fi # user prompt +} + +################################################################################ +# "main" - ask the user what they want to do, and do it (or do it without interaction) +[[ -n $VERBOSE_FLAG ]] && echo "script in \"${SCRIPT_PATH}\" called from \"${FULL_PWD}\"" >&2 && set -x + +trap _clean_up EXIT + +# get a list of all the "public" functions (not starting with _) +FUNCTIONS=($(declare -F | awk '{print $NF}' | tac | egrep -v "^_")) + +# present the menu to our customer and get their selection +printf "%s\t%s\n" "0" "ALL" >&2 +for i in "${!FUNCTIONS[@]}"; do + ((IPLUS=i+1)) + printf "%s\t%s\n" "$IPLUS" "${FUNCTIONS[$i]}" >&2 +done + +echo -n "Operation: " >&2 +read USER_FUNCTION_IDX +if [[ -z "$USER_FUNCTION_IDX" ]] || (( $USER_FUNCTION_IDX == 0 )); then + # do everything, in order + if InstallFluentBit; then + readarray -t FLUENTBIT_INPUT_INFO < <(GetFluentBitFormatInfo) + if [[ "${#FLUENTBIT_INPUT_INFO[@]}" -ge 2 ]]; then + readarray -t MALCOLM_CONN_INFO < <(GetMalcolmConnInfo) + if [[ "${#MALCOLM_CONN_INFO[@]}" -ge 4 ]]; then + FLUENTBIT_COMMAND=("$(_fluentbit_bin)" "${FLUENTBIT_INPUT_INFO[@]}" "${MALCOLM_CONN_INFO[@]}") + echo + ( IFS=$' '; echo "${FLUENTBIT_COMMAND[*]}" ) + echo + CreateFluentbitService "${FLUENTBIT_COMMAND[@]}" + else + echo 
"Failed to get fluent-bit output parameters" >&2 + exit 1; + fi + else + echo "Failed to get fluent-bit input parameters" >&2 + exit 1; + fi + else + echo "Failed to install fluent-bit" >&2 + exit 1; + fi + +elif (( $USER_FUNCTION_IDX > 0 )) && (( $USER_FUNCTION_IDX <= "${#FUNCTIONS[@]}" )); then + # execute one function, ร  la carte + USER_FUNCTION="${FUNCTIONS[((USER_FUNCTION_IDX-1))]}" + echo $USER_FUNCTION >&2 + $USER_FUNCTION + +else + # some people just want to watch the world burn + echo "Invalid operation selected" >&2 + exit 1; +fi diff --git a/sensor-iso/README.md b/sensor-iso/README.md index 065a899ca..60f5a80bc 100644 --- a/sensor-iso/README.md +++ b/sensor-iso/README.md @@ -273,7 +273,7 @@ The last step for SSL-encrypted log forwarding is to specify the SSL certificate ![SSL certificate files](./docs/images/filebeat_certs.png) -The Logstash instance receiving the events must be similarly configured with matching SSL certificate and key files. Under Malcolm, the `BEATS_SSL` variable must be set to true in Malcolm's `docker-compose.yml` file and the SSL files must exist in the `logstash/certs/` subdirectory of the Malcolm installation. +The Logstash instance receiving the events must be similarly configured with matching SSL certificate and key files. Under Malcolm, the `BEATS_SSL` variable must be set to `true` in Malcolm's `docker-compose.yml` file and the SSL files must exist in the `logstash/certs/` subdirectory of the Malcolm installation. Once you have specified all of the filebeat parameters, you will be presented with a summary of the settings related to the forwarding of these logs. Selecting **OK** will cause the parameters to be written to filebeat's configuration keystore under `/opt/sensor/sensor_ctl/logstash-client-certificates` and you will be returned to the configuration tool's welcome screen. 
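Review bot: GetMalcolmConnInfo hard-codes `FLUENTBIT_ARGS+=( tls.verify=off )` immediately after collecting a CA file, so the forwarder presents its client certificate but never authenticates the Malcolm endpoint and the CA file is presumably not used to validate the peer; unless Malcolm's certificate cannot be validated against that CA, this should be `tls.verify=on`, or at least a prompt whose default is "on" (the PowerShell hunk above emits the same `tls.verify off` line). InstallFluentBit runs `source <(curl -fsSL https://raw.githubusercontent.com/fluent/fluent-bit/master/install.sh)` (and the Homebrew equivalent), executing the tip of an unpinned branch in the user's shell; downloading to a temporary file, pinning a release tag and letting the user inspect it before it runs would narrow the supply-chain exposure. In CreateFluentbitService the root branch invokes `"$SUDO_CMD" tee …`, `"$SUDO_CMD" systemctl …` and `"$SUDO_CMD" sleep 5` with SUDO_CMD set to the empty string (see the EUID check at the top of the file), which bash treats as a command named "" and fails, so when run as root the unit file is never written or started; use unquoted `$SUDO_CMD` or an array. The same function copies `"$@"` into COMMAND but never uses it, and the unit's ExecStart expands the global FLUENTBIT_COMMAND instead, which is unset when the function is chosen à la carte from the menu, so it should expand `"${COMMAND[*]}"`.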
@@ -397,7 +397,7 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu ``` โ€ฆ -Finished, created "/sensor-build/hedgehog-6.2.0.iso" +Finished, created "/sensor-build/hedgehog-6.3.0.iso" โ€ฆ ``` diff --git a/sensor-iso/arkime/Dockerfile b/sensor-iso/arkime/Dockerfile index 9c16e3f29..c0c2fe345 100644 --- a/sensor-iso/arkime/Dockerfile +++ b/sensor-iso/arkime/Dockerfile @@ -7,7 +7,7 @@ LABEL maintainer="malcolm@inl.gov" ENV DEBIAN_FRONTEND noninteractive ENV ARKIME_VERSION "3.4.2" -ENV ARKIMEDIR "/opt/arkime" +ENV ARKIME_DIR "/opt/arkime" RUN sed -i "s/bullseye main/bullseye main contrib non-free/g" /etc/apt/sources.list && \ apt-get -q update && \ diff --git a/sensor-iso/arkime/build-arkime-deb.sh b/sensor-iso/arkime/build-arkime-deb.sh index aa6a4225c..3d72a545f 100755 --- a/sensor-iso/arkime/build-arkime-deb.sh +++ b/sensor-iso/arkime/build-arkime-deb.sh 
@@ -27,26 +27,26 @@ for i in /opt/patches/*; do patch -p 1 -r - --no-backup-if-mismatch < $i || true done -export PATH="$ARKIMEDIR/bin:/tmp/arkime-$ARKIME_VERSION/node_modules/.bin:${PATH}" +export PATH="$ARKIME_DIR/bin:/tmp/arkime-$ARKIME_VERSION/node_modules/.bin:${PATH}" -./easybutton-build.sh --dir "$ARKIMEDIR" +./easybutton-build.sh --dir "$ARKIME_DIR" npm -g config set user root make install -cp -r ./capture/plugins/lua/samples "$ARKIMEDIR"/lua +cp -r ./capture/plugins/lua/samples "$ARKIME_DIR"/lua npm install license-checker -release/notice.txt.pl $ARKIMEDIR NOTICE release/CAPTURENOTICE > $ARKIMEDIR/NOTICE.txt +release/notice.txt.pl $ARKIME_DIR NOTICE release/CAPTURENOTICE > $ARKIME_DIR/NOTICE.txt ETC_FILES=$(shopt -s nullglob dotglob; echo /arkime-etc/*) if (( ${#ETC_FILES} )) ; then - mkdir -p $ARKIMEDIR/etc - cp -r /arkime-etc/* $ARKIMEDIR/etc/ + mkdir -p $ARKIME_DIR/etc + cp -r /arkime-etc/* $ARKIME_DIR/etc/ fi -fpm -s dir -t deb -n arkime -x opt/arkime/logs -x opt/arkime/raw -v $ARKIME_VERSION --iteration 1 --template-scripts --after-install "release/afterinstall.sh" --url "http://molo.ch" --description "Arkime Full Packet System" -d libwww-perl -d libjson-perl -d ethtool -d libyaml-dev "$ARKIMEDIR" +fpm -s dir -t deb -n arkime -x opt/arkime/logs -x opt/arkime/raw -v $ARKIME_VERSION --iteration 1 --template-scripts --after-install "release/afterinstall.sh" --url "http://molo.ch" --description "Arkime Full Packet System" -d libwww-perl -d libjson-perl -d ethtool -d libyaml-dev "$ARKIME_DIR" ls -l *.deb && mv -v *.deb "$OUTPUT_DIR"/ diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot index 8eec3e82f..a6ac72e83 100755 --- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot +++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot 
@@ -13,7 +13,7 @@ GITHUB_API_CURL_ARGS+=( -H ) GITHUB_API_CURL_ARGS+=( "Accept: application/vnd.github.v3+json" ) [[ -n "$GITHUB_TOKEN" ]] && GITHUB_API_CURL_ARGS+=( -H ) && GITHUB_API_CURL_ARGS+=( "Authorization: token $GITHUB_TOKEN" ) -ZEEK_VER=5.0.0-0 +ZEEK_VER=5.0.1-0 ZEEK_LTS= ZEEK_DIR="/opt/zeek" export PATH="${ZEEK_DIR}"/bin:$PATH diff --git a/shared/bin/docker-uid-gid-setup.sh b/shared/bin/docker-uid-gid-setup.sh index 908d22061..d111ebfd0 100755 --- a/shared/bin/docker-uid-gid-setup.sh +++ b/shared/bin/docker-uid-gid-setup.sh 
@@ -26,6 +26,61 @@ if [[ -n ${PUSER_CHOWN} ]]; then done fi +# if there is a trusted CA file or directory specified and openssl is available, handle it +if [[ -n ${PUSER_CA_TRUST} ]] && command -v openssl >/dev/null 2>&1; then + declare -a CA_FILES + if [[ -d "${PUSER_CA_TRUST}" ]]; then + while read -r -d ''; do + CA_FILES+=("$REPLY") + done < <(find "${PUSER_CA_TRUST}" -type f -size +31c -print0 2>/dev/null) + elif [[ -f "${PUSER_CA_TRUST}" ]]; then + CA_FILES+=("${PUSER_CA_TRUST}") + fi + for CA_FILE in "${CA_FILES[@]}"; do + CA_NAME_ORIG="$(basename "$CA_FILE")" + CA_NAME_CRT="${CA_NAME_ORIG%.*}.crt" + DEST_FILE= + CONCAT_FILE= + HASH_FILE="$(openssl x509 -hash -noout -in "$CA_FILE")".0 + if command -v update-ca-certificates >/dev/null 2>&1; then + if [[ -d /usr/local/share/ca-certificates ]]; then + DEST_FILE=/usr/local/share/ca-certificates/"$CA_NAME_CRT" + elif [[ -d /usr/share/ca-certificates ]]; then + DEST_FILE=/usr/share/ca-certificates/"$CA_NAME_CRT" + elif [[ -d /etc/ssl/certs ]]; then + DEST_FILE==/etc/ssl/certs/"$HASH_FILE" + fi + elif command -v update-ca-trust >/dev/null 2>&1; then + if [[ -d /usr/share/pki/ca-trust-source/anchors ]]; then + DEST_FILE=/usr/share/pki/ca-trust-source/anchors/"$CA_NAME_CRT" + elif [[ -d /etc/pki/ca-trust/source/anchors ]]; then + DEST_FILE=/etc/pki/ca-trust/source/anchors/"$CA_NAME_CRT" + fi + else + if [[ -d /etc/ssl/certs ]]; then + DEST_FILE=/etc/ssl/certs/"$HASH_FILE" + CONCAT_FILE=/etc/ssl/certs/ca-certificates.crt + fi + if [[ -f /etc/ssl/certs/ca-certificates.crt ]]; then + CONCAT_FILE=/etc/ssl/certs/ca-certificates.crt + elif [[ -f /etc/pki/tls/certs/ca-bundle.crt ]]; then + CONCAT_FILE=/etc/pki/tls/certs/ca-bundle.crt + elif [[ -f /usr/share/ssl/certs/ca-bundle.crt ]]; then + CONCAT_FILE=/usr/share/ssl/certs/ca-bundle.crt + elif [[ -f /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ]]; then + CONCAT_FILE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + fi + fi + [[ -n "$DEST_FILE" ]] && ( cp "$CA_FILE" 
"$DEST_FILE" && chmod 644 "$DEST_FILE" ) || true + [[ -n "$CONCAT_FILE" ]] && \ + ( echo "" >> "$CONCAT_FILE" && \ + echo "# $CA_NAME_ORIG" >> "$CONCAT_FILE" \ + && cat "$CA_FILE" >> "$CONCAT_FILE" ) || true + done + command -v update-ca-certificates >/dev/null 2>&1 && update-ca-certificates >/dev/null 2>&1 || true + command -v update-ca-trust >/dev/null 2>&1 && update-ca-trust extract >/dev/null 2>&1 || true +fi + # determine if we are now dropping privileges to exec ENTRYPOINT_CMD if [[ "$PUSER_PRIV_DROP" == "true" ]]; then EXEC_USER="${PUSER}" diff --git a/shared/bin/jdk-cacerts-auto-import.sh b/shared/bin/jdk-cacerts-auto-import.sh index ae2abc9ea..788fcab01 100755 --- a/shared/bin/jdk-cacerts-auto-import.sh +++ b/shared/bin/jdk-cacerts-auto-import.sh @@ -18,6 +18,7 @@ CA_DIR_PARENTS=( "$JDK_DIR"/../"$TRUSTED_CA_DIRNAME" /etc/"$TRUSTED_CA_DIRNAME" /opt/"$TRUSTED_CA_DIRNAME" + /var/local/"$TRUSTED_CA_DIRNAME" /"$TRUSTED_CA_DIRNAME" ) for i in ${CA_DIR_PARENTS[@]}; do diff --git a/shared/bin/opensearch_index_size_prune.py b/shared/bin/opensearch_index_size_prune.py index eb29261cf..6dbe918ea 100755 --- a/shared/bin/opensearch_index_size_prune.py +++ b/shared/bin/opensearch_index_size_prune.py @@ -4,15 +4,21 @@ import argparse import humanfriendly import json +import malcolm_common import re import requests import os import sys +import urllib3 + +from collections import defaultdict +from requests.auth import HTTPBasicAuth ################################################################################################### debug = False scriptName = os.path.basename(__file__) scriptPath = os.path.dirname(os.path.realpath(__file__)) +urllib3.disable_warnings() ################################################################################################### # print to stderr 
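Review bot: In the update-ca-certificates branch the last fallback reads `DEST_FILE==/etc/ssl/certs/"$HASH_FILE"`, which assigns a path beginning with "=" so the copy goes to a bogus location and the trailing `|| true` hides the failure; it should be `DEST_FILE=/etc/ssl/certs/"$HASH_FILE"`. Every file under PUSER_CA_TRUST larger than 31 bytes is treated as a PEM certificate: for a non-certificate file `openssl x509 -hash` fails, HASH_FILE becomes ".0", and the file is still copied into the trust directory and appended to the system bundle, so a guard such as `openssl x509 -noout -in "$CA_FILE" >/dev/null 2>&1 || continue` before computing the hash keeps junk out of the trust store. The append to CONCAT_FILE runs on every container start and nothing checks whether the certificate is already present, so on a writable layer that persists across restarts the bundle presumably accumulates duplicates; grepping the bundle for the `# $CA_NAME_ORIG` marker line before appending would make it idempotent.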
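Review bot: `urllib3.disable_warnings()` at module level silences every urllib3 warning category for the whole process, not only InsecureRequestWarning, and does so regardless of whether `--opensearch-ssl-verify` is on. Narrowing it to the unverified case and to the one category keeps the other warnings visible: inside main(), after argument parsing, `if not args.opensearchSslVerify: urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)`.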
@@ -62,9 +68,36 @@ def main():
dest='opensearchUrl',
metavar='',
type=str,
- default=os.getenv('OPENSEARCH_URL', 'http://opensearch:9200'),
+ default=os.getenv('OPENSEARCH_URL', None),
help='OpenSearch URL',
)
+ parser.add_argument(
+ '-c',
+ '--opensearch-curlrc',
+ dest='opensearchCurlRcFile',
+ metavar='',
+ type=str,
+ default=os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/opensearch.primary.curlrc'),
+ help='cURL.rc formatted file containing OpenSearch connection parameters',
+ )
+ parser.add_argument(
+ '--opensearch-ssl-verify',
+ dest='opensearchSslVerify',
+ type=str2bool,
+ nargs='?',
+ const=True,
+ default=str2bool(os.getenv('OPENSEARCH_SSL_CERTIFICATE_VERIFICATION', default='False')),
+ help="Verify SSL certificates for OpenSearch",
+ )
+ parser.add_argument(
+ '--opensearch-local',
+ dest='opensearchIsLocal',
+ type=str2bool,
+ nargs='?',
+ const=True,
+ default=str2bool(os.getenv('OPENSEARCH_LOCAL', default='True')),
+ help="Malcolm is using its local OpenSearch instance",
+ )
parser.add_argument(
'--node',
dest='node',
@@ -130,7 +163,28 @@ def main():
if args.limit == '0':
return
- osInfoResponse = requests.get(args.opensearchUrl)
+ args.opensearchIsLocal = args.opensearchIsLocal or (args.opensearchUrl == 'http://opensearch:9200')
+ opensearchCreds = (
+ malcolm_common.ParseCurlFile(args.opensearchCurlRcFile)
+ if (not args.opensearchIsLocal)
+ else defaultdict(lambda: None)
+ )
+ if not args.opensearchUrl:
+ if args.opensearchIsLocal:
+ args.opensearchUrl = 'http://opensearch:9200'
+ elif 'url' in opensearchCreds:
+ args.opensearchUrl = opensearchCreds['url']
+ opensearchReqHttpAuth = (
+ HTTPBasicAuth(opensearchCreds['user'], opensearchCreds['password'])
+ if opensearchCreds['user'] is not None
+ else None
+ )
+
+ osInfoResponse = requests.get(
+ args.opensearchUrl,
+ auth=opensearchReqHttpAuth,
+ verify=args.opensearchSslVerify,
+ )
osInfo = osInfoResponse.json()
opensearchVersion = osInfo['version']['number']
if debug:
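Review bot: In the new connection block the response of `requests.get(args.opensearchUrl, auth=..., verify=...)` is indexed as `osInfo['version']['number']` without a status check, so now that credentials are involved a 401/403 from a remote instance (or an HTML error page) surfaces as a `KeyError` or JSON decode error rather than as an authentication failure; add `osInfoResponse.raise_for_status()` before `osInfoResponse.json()`. The URL can also still be `None` here when `--opensearch-local false` is given and the curlrc has no `url` entry, in which case `requests.get(None)` raises `MissingSchema`; a guard like `if not args.opensearchUrl: sys.exit(f'{scriptName}: no OpenSearch URL given')` makes that explicit. Note that `opensearchIsLocal` defaults to true from the environment, so the curlrc is only consulted when `OPENSEARCH_LOCAL` is explicitly false — worth stating in the `--opensearch-curlrc` help text. The rest of `main()` continues outside the hunk.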
@@ -159,7 +213,9 @@ def main():
# get allocation statistics for node(s) to do percentage calculation
esDiskUsageStats = []
osInfoResponse = requests.get(
- f'{args.opensearchUrl}/_cat/allocation{f"/{args.node}" if args.node else ""}?format=json'
+ f'{args.opensearchUrl}/_cat/allocation{f"/{args.node}" if args.node else ""}?format=json',
+ auth=opensearchReqHttpAuth,
+ verify=args.opensearchSslVerify,
)
osInfo = osInfoResponse.json()
@@ -213,7 +269,11 @@ def main():
)
# now determine the total size of the indices from the index pattern
- osInfoResponse = requests.get(f'{args.opensearchUrl}/{args.index}/_stats/store')
+ osInfoResponse = requests.get(
+ f'{args.opensearchUrl}/{args.index}/_stats/store',
+ auth=opensearchReqHttpAuth,
+ verify=args.opensearchSslVerify,
+ )
osInfo = osInfoResponse.json()
try:
totalSizeInMegabytes = (
@@ -239,6 +299,8 @@ def main():
osInfoResponse = requests.get(
f'{args.opensearchUrl}/_cat/indices/{args.index}',
params={'format': 'json', 'h': 'i,id,status,health,rep,creation.date,pri.store.size,store.size'},
+ auth=opensearchReqHttpAuth,
+ verify=args.opensearchSslVerify,
)
osInfo = sorted(osInfoResponse.json(), key=lambda k: k['i' if args.nameSorted else 'creation.date'])
@@ -263,7 +325,11 @@ def main():
if not args.dryrun:
# delete the indices to free up the space indicated
for index in indicesToDelete:
- esDeleteResponse = requests.delete(f'{args.opensearchUrl}/{index["i"]}')
+ esDeleteResponse = requests.delete(
+ f'{args.opensearchUrl}/{index["i"]}',
+ auth=opensearchReqHttpAuth,
+ verify=args.opensearchSslVerify,
+ )
print(
f'DELETE {index["i"]} ({humanfriendly.format_size(humanfriendly.parse_size(index[sizeKey]))}): {requests.status_codes._codes[esDeleteResponse.status_code][0]}'
)
diff --git a/shared/bin/opensearch_read_only.py b/shared/bin/opensearch_read_only.py
index 3c04c25ff..8be3b3104 100755
--- a/shared/bin/opensearch_read_only.py
+++ b/shared/bin/opensearch_read_only.py
@@ -6,13 +6,19 @@
import argparse
import json
import requests
+import malcolm_common
import os
import sys
+import urllib3
+
+from collections import defaultdict
+from requests.auth import HTTPBasicAuth
###################################################################################################
debug = False
scriptName = os.path.basename(__file__)
scriptPath = os.path.dirname(os.path.realpath(__file__))
+urllib3.disable_warnings()
###################################################################################################
# print to stderr
@@ -62,9 +68,38 @@ def main():
dest='opensearchUrl',
metavar='',
type=str,
- default=os.getenv('OPENSEARCH_URL', 'http://opensearch:9200'),
+ default=os.getenv('OPENSEARCH_URL', None),
help='OpenSearch URL',
)
+ parser.add_argument(
+ '-c',
+ '--opensearch-curlrc',
+ dest='opensearchCurlRcFile',
+ metavar='',
+ type=str,
+ default=os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/opensearch.primary.curlrc'),
+ help='cURL.rc formatted file containing OpenSearch connection parameters',
+ )
+ parser.add_argument(
+ '-s',
+ '--opensearch-ssl-verify',
+ dest='opensearchSslVerify',
+ type=str2bool,
+ nargs='?',
+ const=True,
+ default=str2bool(os.getenv('OPENSEARCH_SSL_CERTIFICATE_VERIFICATION', default='False')),
+ help="Verify SSL certificates for OpenSearch",
+ )
+ parser.add_argument(
+ '-l',
+ '--opensearch-local',
+ dest='opensearchIsLocal',
+ type=str2bool,
+ nargs='?',
+ const=True,
+ default=str2bool(os.getenv('OPENSEARCH_LOCAL', default='True')),
+ help="Malcolm is using its local OpenSearch instance",
+ )
parser.add_argument(
'-r',
'--read-only',
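Review bot: The new `--opensearch-ssl-verify` option defaults to `str2bool(os.getenv('OPENSEARCH_SSL_CERTIFICATE_VERIFICATION', default='False'))`, i.e. verification is off unless the operator sets the variable, and this is the same script that now sends HTTP basic credentials from the curlrc to a remote instance; with verification off those credentials can be read by anyone who can interpose on the connection. At minimum the help text should say so, e.g. `help="Verify OpenSearch TLS certificates (default off via OPENSEARCH_SSL_CERTIFICATE_VERIFICATION; enable for remote instances that use --opensearch-curlrc credentials)"`. Note also that the default is passed through `str2bool` when the argument is defined, so an unrecognised value in the environment variable is reported (assuming `str2bool` raises, as argparse type helpers usually do; it is not visible in this diff) before `parse_args` runs and outside argparse's usage output. Finally, the `-s`/`-l` short flags are added here but not in the sibling `opensearch_index_size_prune.py` and `pcap_watcher.py` changes; keep the option spelling consistent across the three scripts.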
@@ -110,7 +145,28 @@ def main():
else:
sys.tracebacklimit = 0
- osInfoResponse = requests.get(args.opensearchUrl)
+ args.opensearchIsLocal = args.opensearchIsLocal or (args.opensearchUrl == 'http://opensearch:9200')
+ opensearchCreds = (
+ malcolm_common.ParseCurlFile(args.opensearchCurlRcFile)
+ if (not args.opensearchIsLocal)
+ else defaultdict(lambda: None)
+ )
+ if not args.opensearchUrl:
+ if args.opensearchIsLocal:
+ args.opensearchUrl = 'http://opensearch:9200'
+ elif 'url' in opensearchCreds:
+ args.opensearchUrl = opensearchCreds['url']
+ opensearchReqHttpAuth = (
+ HTTPBasicAuth(opensearchCreds['user'], opensearchCreds['password'])
+ if opensearchCreds['user'] is not None
+ else None
+ )
+
+ osInfoResponse = requests.get(
+ args.opensearchUrl,
+ auth=opensearchReqHttpAuth,
+ verify=args.opensearchSslVerify,
+ )
osInfo = osInfoResponse.json()
opensearchVersion = osInfo['version']['number']
if debug:
@@ -150,8 +206,10 @@ def main():
# make the PUT request to change the index/cluster setting and raise an exception if it fails
putResponse = requests.put(
settingsUrl,
+ auth=opensearchReqHttpAuth,
headers={'Content-Type': 'application/json'},
data=json.dumps(settingsInfo),
+ verify=args.opensearchSslVerify,
)
putResponse.raise_for_status()
if debug:
@@ -159,7 +217,11 @@ def main():
if debug:
# request settings to verify change(s)
- checkResponse = requests.get(settingsUrl)
+ checkResponse = requests.get(
+ settingsUrl,
+ auth=opensearchReqHttpAuth,
+ verify=args.opensearchSslVerify,
+ )
if args.index == '_cluster':
eprint(json.dumps(checkResponse.json()))
else:
diff --git a/shared/bin/opensearch_status.sh b/shared/bin/opensearch_status.sh
index bd1286d5d..7754b49fd 100755
--- a/shared/bin/opensearch_status.sh
+++ b/shared/bin/opensearch_status.sh
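Review bot: In the new credential block, `opensearchCreds['user']` and `opensearchCreds['password']` are subscripted directly, which is only guaranteed safe in the local case where `opensearchCreds` is the `defaultdict(lambda: None)`; when `--opensearch-local` is false the value comes from `malcolm_common.ParseCurlFile`, whose return type is not visible in this diff, and if it is a plain `dict` a curlrc without a `user` line raises `KeyError` here instead of falling back to unauthenticated access. Using `opensearchCreds.get('user')` / `opensearchCreds.get('password')` (and `.get('url')` for the URL fallback) is correct for either type. This is also the second verbatim copy of the URL/credential resolution logic in this change (the first is in `opensearch_index_size_prune.py`, a third follows in `pcap_watcher.py`); it belongs in `malcolm_common` next to `ParseCurlFile` so the three scripts cannot drift. `main()` continues outside the hunk.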
@@ -7,77 +7,63 @@ set -e
ENCODING="utf-8"
# options
-# -v (verbose)
-#
-# -e url (OpenSearch URL, e.g., http://opensearch:9200)
-# OR
-# -i ip (OpenSearch ip)
-# -p port (OpenSearch port)
+# -v (verbose)
#
# -w (wait not only for "up" status, but also wait for actual arkime_sessions3-* logs to exist)
+#
+# opensearch connection parameters are read from environment variables
-OS_URL=
WAIT_FOR_LOG_DATA=0
-while getopts 've:i:p:w' OPTION; do
+while getopts 'vw' OPTION; do
case "$OPTION" in
v)
set -x
;;
- e)
- OS_URL="$OPTARG"
- ;;
-
- i)
- OS_HOST="$OPTARG"
- ;;
-
- p)
- OS_PORT="$OPTARG"
- ;;
-
w)
WAIT_FOR_LOG_DATA=1
;;
?)
- echo "script usage: $(basename $0) [-v] [-e ] [-w]" >&2
+ echo "script usage: $(basename $0) [-v] [-w]" >&2
exit 1
;;
esac
done
shift "$(($OPTIND -1))"
-if [[ -z $OS_URL ]]; then
- if [[ -n $OPENSEARCH_URL ]]; then
- OS_URL="$OPENSEARCH_URL"
- elif [[ -n $OS_HOST ]] && [[ -n $OS_PORT ]]; then
- OS_URL="http://$OS_HOST:$OS_PORT"
- else
- OS_URL="http://opensearch:9200"
- fi
+OPENSEARCH_URL=${OPENSEARCH_URL:-"http://opensearch:9200"}
+OPENSEARCH_LOCAL=${OPENSEARCH_LOCAL:-"true"}
+OPENSEARCH_SSL_CERTIFICATE_VERIFICATION=${OPENSEARCH_SSL_CERTIFICATE_VERIFICATION:-"false"}
+OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/opensearch.primary.curlrc"}
+if [[ "$OPENSEARCH_LOCAL" == "false" ]] && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE" ]]; then
+ CURL_CONFIG_PARAMS=(
+ --config
+ "$OPENSEARCH_CREDS_CONFIG_FILE"
+ )
+else
+ CURL_CONFIG_PARAMS=()
fi
-
# wait for the ES HTTP server to respond at all
-until $(curl --output /dev/null --silent --head --fail "$OS_URL"); do
+until $(curl "${CURL_CONFIG_PARAMS[@]}" --output /dev/null --silent --head --fail "$OPENSEARCH_URL"); do
# printf '.' >&2
sleep 1
done
# now wait for the HTTP "Ok" response
-until [ "$(curl --write-out %{http_code} --silent --output /dev/null "$OS_URL")" = "200" ]; do
+until [ "$(curl "${CURL_CONFIG_PARAMS[@]}" --write-out %{http_code} --silent --output /dev/null "$OPENSEARCH_URL")" = "200" ]; do
# printf '-' >&2
sleep 1
done
# next wait for ES status to turn to green or yellow
-until [[ "$(curl -fsSL "$OS_URL/_cat/health?h=status" | sed -r 's/^[[:space:]]+|[[:space:]]+$//g')" =~ ^(yellow|green)$ ]]; do
+until [[ "$(curl "${CURL_CONFIG_PARAMS[@]}" -fsSL "$OPENSEARCH_URL/_cat/health?h=status" | sed -r 's/^[[:space:]]+|[[:space:]]+$//g')" =~ ^(yellow|green)$ ]]; do
# printf '+' >&2
sleep 1
done
-echo "OpenSearch is up and healthy at "$OS_URL"" >&2
+echo "OpenSearch is up and healthy at "$OPENSEARCH_URL"" >&2
if (( $WAIT_FOR_LOG_DATA == 1 )); then
sleep 1
@@ -85,13 +71,13 @@ if (( $WAIT_FOR_LOG_DATA == 1 )); then
echo "Waiting until OpenSearch has logs..." >&2
# wait until at least one arkime_sessions3-* index exists
- until (( $(curl -fs -H'Content-Type: application/json' -XGET "$OS_URL/_cat/indices/arkime_sessions3-*" 2>/dev/null | wc -l) > 0 )) ; do
+ until (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XGET "$OPENSEARCH_URL/_cat/indices/arkime_sessions3-*" 2>/dev/null | wc -l) > 0 )) ; do
sleep 5
done
echo "Log indices exist." >&2
# wait until at least one record with @timestamp exists
- until curl -fs -H'Content-Type: application/json' -XPOST "$OS_URL/arkime_sessions3-*/_search" -d'{ "sort": { "@timestamp" : "desc" }, "size" : 1 }' >/dev/null 2>&1 ; do
+ until curl "${CURL_CONFIG_PARAMS[@]}" -fs -H'Content-Type: application/json' -XPOST "$OPENSEARCH_URL/arkime_sessions3-*/_search" -d'{ "sort": { "@timestamp" : "desc" }, "size" : 1 }' >/dev/null 2>&1 ; do
sleep 5
done
echo "Logs exist." >&2
diff --git a/shared/bin/pcap_processor.py b/shared/bin/pcap_processor.py
index 6ba968a29..24726b1f4 100755
--- a/shared/bin/pcap_processor.py
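Review bot: `OPENSEARCH_SSL_CERTIFICATE_VERIFICATION` is given a default near the top of the rewritten block but never read afterwards; every curl call receives only `--config "$OPENSEARCH_CREDS_CONFIG_FILE"`, so whether the remote certificate is checked depends entirely on whether the curlrc happens to contain `insecure`, which is inconsistent with the Python scripts in this same change that honour the variable. Either honour it, e.g. `[[ "$OPENSEARCH_SSL_CERTIFICATE_VERIFICATION" == "true" ]] || CURL_CONFIG_PARAMS+=( --insecure )`, or drop the unused assignment so readers are not misled into thinking it takes effect. With a self-signed remote certificate and no `insecure` in the curlrc (or an unreadable curlrc, which silently yields an empty `CURL_CONFIG_PARAMS`), each `until curl ...` loop below retries forever with no diagnostic, so a one-time message when the first probe fails would make that failure mode visible. Also, `[[ "$OPENSEARCH_LOCAL" == "false" ]]` is a case-sensitive comparison whereas the Python side goes through `str2bool`; a value of `False` would presumably be treated as remote there but as local here.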
+++ b/shared/bin/pcap_processor.py
@@ -154,6 +154,7 @@ def arkimeCaptureFileWorker(arkimeWorkerArgs):
cmd = [
arkimeBin,
'--quiet',
+ '--insecure',
'-n',
fileInfo[FILE_INFO_DICT_NODE] if (FILE_INFO_DICT_NODE in fileInfo) else nodeName,
'-o',
diff --git a/shared/bin/pcap_watcher.py b/shared/bin/pcap_watcher.py
index e66b11ccc..206d27314 100755
--- a/shared/bin/pcap_watcher.py
+++ b/shared/bin/pcap_watcher.py
@@ -14,6 +14,7 @@
import json
import logging
import magic
+import malcolm_common
import os
import pathlib
import pyinotify
@@ -23,6 +24,7 @@
import zmq
from pcap_utils import *
+from collections import defaultdict
import opensearchpy
import opensearch_dsl
@@ -42,6 +44,7 @@
verboseDebug = False
pdbFlagged = False
args = None
+opensearchDslHttpAuth = None
scriptName = os.path.basename(__file__)
scriptPath = os.path.dirname(os.path.realpath(__file__))
origPath = os.getcwd()
@@ -57,6 +60,7 @@ class EventWatcher(pyinotify.ProcessEvent):
def __init__(self):
global args
+ global opensearchDslHttpAuth
global debug
global verboseDebug
@@ -65,7 +69,7 @@ def __init__(self):
self.useOpenSearch = False
# if we're going to be querying OpenSearch for past PCAP file status, connect now
- if args.opensearchHost is not None:
+ if args.opensearchUrl is not None:
connected = False
healthy = False
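Review bot: The added `'--insecure'` is passed to arkime-capture unconditionally, which disables certificate validation for its OpenSearch connection even in deployments that set `OPENSEARCH_SSL_CERTIFICATE_VERIFICATION=true` and install a CA through the new `PUSER_CA_TRUST` mechanism elsewhere in this change. The flag should only be appended when verification is off, e.g. `if not sslVerify: cmd.append('--insecure')` placed after the list literal, with `sslVerify` obtained from `arkimeWorkerArgs`; how the worker currently receives its settings is not visible in this hunk, so that plumbing needs confirming. `arkimeCaptureFileWorker` starts and ends outside the hunk.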
@@ -74,8 +78,14 @@
while (not connected) and (not shuttingDown):
try:
if debug:
- eprint(f"{scriptName}:\tconnecting to OpenSearch {args.opensearchHost}...")
- opensearch_dsl.connections.create_connection(hosts=[args.opensearchHost])
+ eprint(f"{scriptName}:\tconnecting to OpenSearch {args.opensearchUrl}...")
+ opensearch_dsl.connections.create_connection(
+ hosts=[args.opensearchUrl],
+ http_auth=opensearchDslHttpAuth,
+ verify_certs=args.opensearchSslVerify,
+ ssl_assert_hostname=False,
+ ssl_show_warn=False,
+ )
if verboseDebug:
eprint(f"{scriptName}:\t{opensearch_dsl.connections.get_connection().cluster.health()}")
connected = opensearch_dsl.connections.get_connection() is not None
@@ -233,6 +243,7 @@ def debug_toggle_handler(signum, frame):
# main
def main():
global args
+ global opensearchDslHttpAuth
global debug
global verboseDebug
global debugToggled
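Review bot: `ssl_assert_hostname=False` is passed unconditionally to `opensearch_dsl.connections.create_connection`, so even when `verify_certs=args.opensearchSslVerify` is true the certificate's subject is never matched against the host in `args.opensearchUrl`; any certificate chaining to a trusted CA is then accepted for any host, which defeats most of the value of enabling verification. Tie it to the same setting: `ssl_assert_hostname=args.opensearchSslVerify`. `ssl_show_warn=False` is reasonable for the unverified case, but a short comment explaining that both flags are meant for the `verify_certs=False` configuration would stop the next reader from treating them as the intended hardened state. `EventWatcher.__init__` continues outside the hunk.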
@@ -285,12 +296,38 @@ def main():
parser.add_argument(
'--opensearch',
required=False,
- dest='opensearchHost',
+ dest='opensearchUrl',
metavar='',
type=str,
- default=None,
+ default=os.getenv('OPENSEARCH_URL', None),
help='OpenSearch connection string for querying Arkime files index to ignore duplicates',
)
+ parser.add_argument(
+ '--opensearch-curlrc',
+ dest='opensearchCurlRcFile',
+ metavar='',
+ type=str,
+ default=os.getenv('OPENSEARCH_CREDS_CONFIG_FILE', '/var/local/opensearch.primary.curlrc'),
+ help='cURL.rc formatted file containing OpenSearch connection parameters',
+ )
+ parser.add_argument(
+ '--opensearch-ssl-verify',
+ dest='opensearchSslVerify',
+ type=str2bool,
+ nargs='?',
+ const=True,
+ default=str2bool(os.getenv('OPENSEARCH_SSL_CERTIFICATE_VERIFICATION', default='False')),
+ help="Verify SSL certificates for OpenSearch",
+ )
+ parser.add_argument(
+ '--opensearch-local',
+ dest='opensearchIsLocal',
+ type=str2bool,
+ nargs='?',
+ const=True,
+ default=str2bool(os.getenv('OPENSEARCH_LOCAL', default='True')),
+ help="Malcolm is using its local OpenSearch instance",
+ )
parser.add_argument(
'--opensearch-wait',
dest='opensearchWaitForHealth',
@@ -375,6 +412,21 @@ def main():
logging.basicConfig(level=logging.ERROR)
+ args.opensearchIsLocal = args.opensearchIsLocal or (args.opensearchUrl == 'http://opensearch:9200')
+ opensearchCreds = (
+ malcolm_common.ParseCurlFile(args.opensearchCurlRcFile)
+ if (not args.opensearchIsLocal)
+ else defaultdict(lambda: None)
+ )
+ if not args.opensearchUrl:
+ if args.opensearchIsLocal:
+ args.opensearchUrl = 'http://opensearch:9200'
+ elif 'url' in opensearchCreds:
+ args.opensearchUrl = opensearchCreds['url']
+ opensearchDslHttpAuth = (
+ f"{opensearchCreds['user']}:{opensearchCreds['password']}" if opensearchCreds['user'] is not None else None
+ )
+
# handle sigint and sigterm for graceful shutdown
signal.signal(signal.SIGINT, shutdown_handler)
signal.signal(signal.SIGTERM, shutdown_handler)
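Review bot: `opensearchDslHttpAuth` is built as the string `f"{opensearchCreds['user']}:{opensearchCreds['password']}"`, which forces the client library to split it back apart on a colon; opensearch-py also accepts a `(user, password)` tuple, which avoids relying on that parsing and is unambiguous if either field contains `:` (how the string form handles that is not visible here). Prefer `opensearchDslHttpAuth = (opensearchCreds['user'], opensearchCreds['password']) if opensearchCreds['user'] is not None else None`. Note that `--opensearch` now defaults to `OPENSEARCH_URL`, so the `EventWatcher` query path that used to be opt-in is taken whenever that variable is set; the help text should mention this. This is also the third copy of the curlrc/URL resolution block in this change, which belongs in `malcolm_common` beside `ParseCurlFile`. `main()` continues outside the hunk.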
diff --git a/shared/bin/service_check_passthrough.sh b/shared/bin/service_check_passthrough.sh new file mode 100755 index 000000000..68e9e27bf --- /dev/null +++ b/shared/bin/service_check_passthrough.sh 
@@ -0,0 +1,173 @@
+#!/bin/bash
+
+# Copyright (c) 2022 Battelle Energy Alliance, LLC. All rights reserved.
+
+# This script will check command-line parameters and environment variables to see
+# if the service (determined by the hostname, unless otherwise specified) is
+# disabled. If it is disabled, it will attempt to serve a static HTTP page
+# to that effect. If it is not disabled, it will just pass through to the
+# default command.
+
+###############################################################################
+# script options
+set -o pipefail
+shopt -s nocasematch
+ENCODING="utf-8"
+
+###############################################################################
+# command-line parameters
+# options
+# -v (verbose)
+# -d (service is disabled)
+# -s service (service name)
+# -p port (port)
+# -f format (http|json)
+VERBOSE_FLAG=
+SERVICE=
+DISABLED=
+PORT=
+FORMAT=
+while getopts 'vds:p:f:' OPTION; do
+ case "$OPTION" in
+ v)
+ VERBOSE_FLAG="-v"
+ ;;
+
+ d)
+ DISABLED=1
+ ;;
+
+ s)
+ SERVICE="$OPTARG"
+ ;;
+
+ p)
+ PORT="$OPTARG"
+ ;;
+
+ f)
+ FORMAT="$OPTARG"
+ ;;
+
+ ?)
+ echo "script usage: $(basename $0) [-v] [-i input]" >&2
+ exit 1
+ ;;
+ esac
+done
+shift "$(($OPTIND -1))"
+
+# if service not specified via command line, use hostname instead
+if [[ -z "$SERVICE" ]]; then
+ if command -v hostname >/dev/null 2>&1; then
+ SERVICE="$(hostname -s)"
+ elif hostnamectl status >/dev/null 2>&1; then
+ SERVICE="$(hostnamectl status | grep "hostname" | cut -d: -f2- | xargs echo)"
+ elif [[ -r /proc/sys/kernel/hostname ]] >/dev/null 2>&1; then
+ SERVICE="$(head -n 1 /proc/sys/kernel/hostname)"
+ elif [[ -s /etc/hostname ]] >/dev/null 2>&1; then
+ SERVICE="$(head -n 1 /etc/hostname)"
+ elif command -v uname >/dev/null 2>&1; then
+ SERVICE="$(uname -a | awk '{print $2}')"
+ fi
+fi
+SERVICE_UCASE="$(echo ${SERVICE^^})"
+
+# if disabled wasn't specified on command line, but service was, check environment variables
+if [[ -z "$DISABLED" ]] && [[ -n "$SERVICE" ]]; then
+ DISABLED_VARNAME="${SERVICE_UCASE}_DISABLED"
+ if [[ -n "${!DISABLED_VARNAME}" ]] && \
+ [[ "${!DISABLED_VARNAME}" != "0" ]] && \
+ [[ "${!DISABLED_VARNAME}" != "false" ]] && \
+ [[ "${!DISABLED_VARNAME}" != "no" ]] && \
+ [[ "${!DISABLED_VARNAME}" != "f" ]] && \
+ [[ "${!DISABLED_VARNAME}" != "n" ]]; then
+ DISABLED=1
+ fi
+ LOCAL_VARNAME="${SERVICE_UCASE}_LOCAL"
+ if [[ -n "${!LOCAL_VARNAME}" ]] && \
+ ( [[ "${!LOCAL_VARNAME}" == "0" ]] || \
+ [[ "${!LOCAL_VARNAME}" == "false" ]] || \
+ [[ "${!LOCAL_VARNAME}" == "no" ]] || \
+ [[ "${!LOCAL_VARNAME}" == "f" ]] || \
+ [[ "${!LOCAL_VARNAME}" == "n" ]] ); then
+ DISABLED=1
+ fi
+fi
+
+# if port and/or format not specified via command line, make some inferences based on service
+if [[ -n "$SERVICE" ]]; then
+ if [[ -z "$PORT" ]]; then
+ if [[ "$SERVICE" == "api" ]]; then
+ PORT=500
+ elif [[ "$SERVICE" == "arkime" ]]; then
+ PORT=8005
+ elif [[ "$SERVICE" == "dashboards" ]]; then
+ PORT=5601
+ elif [[ "$SERVICE" == "dashboards-helper" ]]; then
+ PORT=28991
+ elif [[ "$SERVICE" == "file-monitor" ]]; then
+ PORT=8440
+ elif [[ "$SERVICE" == "freq" ]]; then
+ PORT=10004
+ elif [[ "$SERVICE" == "logstash" ]]; then
+ PORT=9600
+ elif [[ "$SERVICE" == "name-map-ui" ]]; then
+ PORT=8080
+ elif [[ "$SERVICE" == "opensearch" ]]; then
+ PORT=9200
+ fi
+ fi
+ if [[ -z "$FORMAT" ]]; then
+ if [[ "$SERVICE" == "api" ]]; then
+ FORMAT=json
+ elif [[ "$SERVICE" == "logstash" ]]; then
+ FORMAT=json
+ elif [[ "$SERVICE" == "opensearch" ]]; then
+ FORMAT=json
+ fi
+ fi
+fi
+[[ -z "$PORT" ]] && PORT=80
+[[ -z "$FORMAT" ]] && FORMAT=http
+
+if [[ -n "$DISABLED" ]]; then
+ pushd "$(mktemp -d)" >/dev/null 2>&1
+
+ if [[ "$FORMAT" == "json" ]]; then
+ cat << EOF > index.html
+{ "error": { "code": 422, "message": "The local service $SERVICE has been disabled." } }
+EOF
+ else
+ cat << EOF > index.html
+
+

$SERVICE Disabled
+ +

The local service $SERVICE has been disabled.

+

Refer to the Malcolm documentation.

+
+
+EOF
+ fi # json vs http
+
+ if command -v python3 >/dev/null 2>&1; then
+ python3 -m http.server --bind 0.0.0.0 $PORT
+ elif command -v python >/dev/null 2>&1; then
+ python -m SimpleHTTPServer $PORT
+ elif command -v ruby >/dev/null 2>&1; then
+ ruby -run -ehttpd --bind-address=0.0.0.0 --port=$PORT .
+ elif command -v http-server >/dev/null 2>&1; then
+ http-server -a 0.0.0.0 --port $PORT
+ elif command -v php >/dev/null 2>&1; then
+ php -S 0.0.0.0:$PORT -t .
+ else
+ echo "No tool available for service HTTP" >&2
+ fi
+
+ popd >/dev/null 2>&1
+
+else
+ # the service isn't disabled, just do the service already
+ exec "$@"
+fi
+
diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh
index 16725463b..750fb17e5 100755
--- a/shared/bin/zeek_install_plugins.sh
+++ b/shared/bin/zeek_install_plugins.sh
@@ -74,7 +74,6 @@ ZKG_GITHUB_URLS=(
"https://github.com/0xxon/cve-2020-0601"
"https://github.com/0xxon/cve-2020-13777"
"https://github.com/amzn/zeek-plugin-profinet|master"
- "https://github.com/amzn/zeek-plugin-s7comm|master"
"https://github.com/amzn/zeek-plugin-tds|master"
"https://github.com/cisagov/icsnpp-bacnet"
"https://github.com/cisagov/icsnpp-bsap"
@@ -84,6 +83,7 @@ ZKG_GITHUB_URLS=(
"https://github.com/cisagov/icsnpp-genisys"
"https://github.com/cisagov/icsnpp-modbus"
"https://github.com/cisagov/icsnpp-opcua-binary"
+ "https://github.com/cisagov/icsnpp-s7comm"
"https://github.com/corelight/callstranger-detector"
"https://github.com/corelight/CVE-2020-16898"
"https://github.com/corelight/CVE-2021-31166"
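Review bot: The environment lookups `"${!DISABLED_VARNAME}"` and `"${!LOCAL_VARNAME}"` are built from `SERVICE_UCASE`, which is only upper-cased, so for the hyphenated services this script itself lists (`dashboards-helper`, `file-monitor`, `name-map-ui`) the indirect expansion is of a name like `DASHBOARDS-HELPER_DISABLED`, which bash rejects as a bad substitution; since only `pipefail` is set the script carries on, and the disabled/local checks silently never fire for those services. Normalise the name first: `SERVICE_UCASE="${SERVICE^^}"` followed by `SERVICE_UCASE="${SERVICE_UCASE//-/_}"`. Two smaller points: the usage line `script usage: $(basename $0) [-v] [-i input]` does not match the `vds:p:f:` option set, and `PORT=500` for `api` looks like a dropped digit next to the real listening ports used for the other services, though the API's port is not visible in this diff. A short header comment naming the `<SERVICE>_DISABLED` / `<SERVICE>_LOCAL` variables this script honours would also help, as that contract is only discoverable by reading the indirection.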
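Review bot: The replacement entry `"https://github.com/cisagov/icsnpp-s7comm"` carries no `|ref` suffix, so whatever consumes `ZKG_GITHUB_URLS` (presumably `zkg`, given the name) will fetch the repository's default branch at image build time, and the neighbouring `|master` entries pin only a moving branch as well. For a protocol parser that is compiled into the Zeek image and fed hostile traffic, pin to a release tag or commit hash using the `url|ref` form the list already supports, so that builds are reproducible and a compromised or force-pushed upstream branch cannot silently change what ends up in the image. A one-line comment above the array stating the pinning policy would make the expectation explicit for future additions.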