From de41177f9b2ce653387f2bec6f9f9a5b594d22c8 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Thu, 9 Jan 2025 10:34:30 -0700
Subject: [PATCH] Work in progress for cisagov/Malcolm#541, making sure conn.log and known_services.log get the ICS protocols assigned to them corrrectly and tagged appropriately
---
 logstash/pipelines/zeek/1014_zeek_conn.conf | 3 +++
 logstash/pipelines/zeek/1033_zeek_known.conf | 21 ++++++++------------
 2 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/logstash/pipelines/zeek/1014_zeek_conn.conf b/logstash/pipelines/zeek/1014_zeek_conn.conf
index dabbd20dd..3df20d5d6 100644
--- a/logstash/pipelines/zeek/1014_zeek_conn.conf
+++ b/logstash/pipelines/zeek/1014_zeek_conn.conf
@@ -32,6 +32,9 @@ filter {
 # normalize service string(s)
+ mutate { id => "mutate_lowercase_conn_service"
+ lowercase => [ "[zeek_cols][service]" ] }
+ # For some reason, even in JSON, I have service strings like:
 # ...,"proto":"udp","service":"profinet,profinet_dce_rpc,spicy_profinet_io_cm,profinet",...
 # so whatever reason it's not already an array. Split it here.
diff --git a/logstash/pipelines/zeek/1033_zeek_known.conf b/logstash/pipelines/zeek/1033_zeek_known.conf
index 2e54851bf..4dc4319b1 100644
--- a/logstash/pipelines/zeek/1033_zeek_known.conf
+++ b/logstash/pipelines/zeek/1033_zeek_known.conf
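Review bot: The new `mutate_lowercase_conn_service` step has no comment of its own explaining why `[zeek_cols][service]` is lowercased here, and the reason is not visible in the hunk; presumably it is so that the later case-sensitive suffix/prefix `gsub` patterns and the service-to-protocol/tag matching see a consistent form no matter how the Zeek analyzer capitalised the name. A line such as `# lowercase first so the case-sensitive gsub patterns and protocol/tag lookups below match consistently` above the block would record that. Placing it before the comma-split is fine, since Logstash's `lowercase` also lowercases each element when the field is already an array. The enclosing `filter { }` block begins before the hunk.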
@@ -176,26 +176,21 @@ filter {
 }
 }
+ # normalize service string(s)
+ mutate { id => "mutate_lowercase_zeek_known_services_service" lowercase => [ "[zeek_cols][service]" ] }
- # normalize service string(s)
- # some services are named like blah_udp/blah_tcp/blah_data, and we don't care about the suffix
- mutate { id => "mutate_gsub_field_zeek_known_services_protocol_suffix"
+ mutate { id => "mutate_gsub_field_zeek_known_services_service_suffix"
 gsub => [ "[zeek_cols][service]", "[_-](tcp|udp|data)", "" ] }
- if ([zeek_cols][service] =~ /^spicy_/) {
- # if it's coming from spicy, we don't care to have that in the service name
- mutate { id => "mutate_gsub_field_zeek_known_service_spicy_prefix"
- gsub => [ "[zeek_cols][service]", "^spicy_", "" ] }
-
- # some spicy services are named like blah_udp or blah_tcp,
- # and we don't care about the _udp/_tcp suffix
- mutate { id => "mutate_gsub_field_zeek_known_service_spicy_suffix"
- gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] }
+ # if it's coming from spicy, we don't care to have that in the service name
+ mutate { id => "mutate_gsub_field_zeek_known_services_spicy_prefix"
+ gsub => [ "[zeek_cols][service]", "spicy_", "" ] }
- }
+ mutate { id => "mutate_gsub_field_zeek_known_services_spicy_cipher_suffix"
+ gsub => [ "[zeek_cols][service]", "(_hmac)?(_(sha|md)\d+)?$", "" ] }
 }
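Review bot: The `mutate_gsub_field_zeek_known_services_spicy_prefix` pattern drops the `^` anchor the removed line had, so `spicy_` is now stripped wherever it occurs inside `[zeek_cols][service]`, not only at the start of a service name. If the anchor was dropped because the field can arrive as one comma-joined string rather than an array (the sibling conn.log comment describes exactly that), `gsub => [ "[zeek_cols][service]", "\bspicy_", "" ] }` keeps the start-of-token guarantee while still reaching every element, since `_` is a word character and a boundary can only fall after `,` or at the start of the value. The re-added `_spicy_cipher_suffix` pattern has the mirror-image gap on such a string: its `$` matches only the end of the whole value, so only the last element loses its `_hmac`/`_sha256`-style suffix; `(_hmac)?(_(sha|md)\d+)?(?=,|$)` would cover each element. On an array value Logstash applies `gsub` per element and both proposed forms behave like the original anchored ones, so neither change alters the array case. Also note the cipher-suffix stripping is now unconditional rather than limited to `spicy_`-prefixed names, which is presumably intended; the enclosing `filter { }` block and the consumers of the field are outside the hunk.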