Work in progress for cisagov#541, making sure conn.log and known_serv…

…ices.log get the ICS protocols assigned to them corrrectly and tagged appropriately
mmguero-dev · Jan 9, 2025 · de41177 · de41177
1 parent 8cb4348
commit de41177
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 13 deletions.
diff --git a/logstash/pipelines/zeek/1014_zeek_conn.conf b/logstash/pipelines/zeek/1014_zeek_conn.conf
@@ -32,6 +32,9 @@ filter {
 
     # normalize service string(s)
 
+    mutate { id => "mutate_lowercase_conn_service"
+             lowercase => [ "[zeek_cols][service]" ] }
+
     # For some reason, even in JSON, I have service strings like:
     #   ...,"proto":"udp","service":"profinet,profinet_dce_rpc,spicy_profinet_io_cm,profinet",...
     # so whatever reason it's not already an array. Split it here.

diff --git a/logstash/pipelines/zeek/1033_zeek_known.conf b/logstash/pipelines/zeek/1033_zeek_known.conf
@@ -176,26 +176,21 @@ filter {
       }
     }
 
+    # normalize service string(s)
+
     mutate { id => "mutate_lowercase_zeek_known_services_service"
              lowercase => [ "[zeek_cols][service]" ] }
 
-    # normalize service string(s)
-
     # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix
-    mutate { id => "mutate_gsub_field_zeek_known_services_protocol_suffix"
+    mutate { id => "mutate_gsub_field_zeek_known_services_service_suffix"
              gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] }
 
-    if ([zeek_cols][service] =~ /^spicy_/) {
-      # if it's coming from spicy, we don't care to have that in the service name
-      mutate { id => "mutate_gsub_field_zeek_known_service_spicy_prefix"
-               gsub => [ "[zeek_cols][service]", "^spicy_", "" ] }
-
-      # some spicy services are named like blah_udp or blah_tcp,
-      # and we don't care about the _udp/_tcp suffix
-      mutate { id => "mutate_gsub_field_zeek_known_service_spicy_suffix"
-               gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] }
+    # if it's coming from spicy, we don't care to have that in the service name
+    mutate { id => "mutate_gsub_field_zeek_known_services_spicy_prefix"
+             gsub => [ "[zeek_cols][service]", "spicy_", "" ] }
 
-    }
+    mutate { id => "mutate_gsub_field_zeek_known_services_spicy_cipher_suffix"
+             gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] }
 
   }