diff --git a/packages/snort/changelog.yml b/packages/snort/changelog.yml index adafd0582a5..5a454e7255a 100644 --- a/packages/snort/changelog.yml +++ b/packages/snort/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.19.2" + changes: + - description: Generate processor tags and normalize error handler. + type: enhancement + link: https://github.com/elastic/integrations/pull/15711 - version: "1.19.1" changes: - description: Changed owners. diff --git a/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 3f948f571dc..8dd7942b526 100644 --- a/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -2,42 +2,53 @@ description: Pipeline for parsing Snort logs processors: - set: + tag: set_ecs_version_f5923549 field: ecs.version value: '8.17.0' - rename: + tag: rename_message_to_event_original_56a77271 field: message target_field: event.original ignore_missing: true if: ctx.event?.original == null - set: + tag: set_observer_vendor_c34d3ed0 field: observer.vendor value: snort - set: + tag: set_observer_product_09c0225f field: observer.product value: ids - set: + tag: set_observer_type_ccdf2750 field: observer.type value: ids - set: + tag: set_event_created_e3f09e3b field: event.created copy_from: '@timestamp' - grok: + tag: grok_event_original_302e2f2f field: event.original patterns: - ^%{CHAR:_tmp.first_char} pattern_definitions: CHAR: . - pipeline: + tag: pipeline_a273d711 if: ctx._tmp.first_char != '{' name: '{{ IngestPipeline "plaintext" }}' - pipeline: + tag: pipeline_88737aa4 if: ctx._tmp.first_char == '{' name: '{{ IngestPipeline "json" }}' - set: + tag: set_event_timezone_4ca44cac field: event.timezone value: "{{{_tmp.tz_offset}}}" if: ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local' - date: + tag: date__tmp_timestamp_to_@timestamp_b1347feb field: _tmp.timestamp target_field: '@timestamp' timezone: "{{{ event.timezone }}}" @@ -48,6 +59,7 @@ processors: - MMM dd HH:mm:ss if: ctx.event?.timezone != null - date: + tag: date__tmp_timestamp_to_@timestamp_0c843d11 field: _tmp.timestamp target_field: '@timestamp' formats: 
@@ -57,59 +69,73 @@ processors: - MMM dd HH:mm:ss if: ctx.event?.timezone == null - convert: + tag: convert_source_address_to_source_ip_48c76f83 field: source.address target_field: source.ip type: ip ignore_missing: true - convert: + tag: convert_destination_address_to_destination_ip_dbe5a90d field: destination.address target_field: destination.ip type: ip ignore_missing: true - uppercase: + tag: uppercase_destination_mac_04de3657 field: destination.mac ignore_missing: true - uppercase: + tag: uppercase_source_mac_5b4e7be2 field: source.mac ignore_missing: true - gsub: + tag: gsub_destination_mac_c758fda1 field: destination.mac pattern: '[.:]' replacement: '-' ignore_missing: true - gsub: + tag: gsub_source_mac_23244bf4 field: source.mac pattern: '[.:]' replacement: '-' ignore_missing: true - gsub: + tag: gsub_snort_tcp_flags_edebaf43 field: snort.tcp.flags pattern: \* replacement: '' ignore_missing: true - lowercase: + tag: lowercase_network_transport_bc8c1c12 field: network.transport ignore_missing: true - set: + tag: set_event_kind_39295792 field: event.kind value: alert - append: + tag: append_event_category_2559ac69 field: event.category value: network allow_duplicates: false - set: + tag: set_network_direction_a298f1f4 field: network.direction value: unknown if: ctx.network?.direction == null - set: + tag: set_network_type_b7f5a7f1 field: network.type value: ipv4 if: ctx.source?.ip != null && ctx.source?.ip.contains(".") - set: + tag: set_network_type_3f194452 field: network.type value: ipv6 if: ctx.source?.ip != null && !ctx.source?.ip.contains(".") - script: + tag: script_fb40cd29 lang: painless ignore_failure: true if: ctx.network?.transport != null 
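Review bot: The script processor tagged `script_fb40cd29` keeps `ignore_failure: true`, so a failure inside it never reaches `on_failure` and the new tag will never appear in the `error.message` text this commit builds; `community_id_99f56bc8` in the next hunk has the same combination. If swallowing those errors is intentional, say so beside the flag, e.g. `# failures are deliberately swallowed here, so this tag is never reported via on_failure`; otherwise drop `ignore_failure` so the tagged error surfaces like the others. The script's `source` continues past the end of this hunk.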
@@ -123,29 +149,36 @@ processors: ctx.network.iana_number = '1'; } - network_direction: + tag: network_direction_6d15af04 internal_networks_field: _tmp.internal_networks - community_id: + tag: community_id_99f56bc8 ignore_failure: true ignore_missing: true - append: + tag: append_event_type_7c5f5272 field: event.type value: allowed if: ctx._tmp?.action?.toLowerCase() == 'allow' - append: + tag: append_event_type_d34af3c3 field: event.type value: denied if: ctx._tmp?.action?.toLowerCase() == 'block' # IP Geolocation Lookup - geoip: + tag: geoip_source_ip_to_source_geo_da2e41b2 field: source.ip target_field: source.geo ignore_missing: true - geoip: + tag: geoip_destination_ip_to_destination_geo_ab5e2968 field: destination.ip target_field: destination.geo ignore_missing: true # IP Autonomous System (AS) Lookup - geoip: + tag: geoip_source_ip_to_source_as_28d69883 database_file: GeoLite2-ASN.mmdb field: source.ip target_field: source.as @@ -154,6 +187,7 @@ processors: - organization_name ignore_missing: true - geoip: + tag: geoip_destination_ip_to_destination_as_8a007787 database_file: GeoLite2-ASN.mmdb field: destination.ip target_field: destination.as 
@@ -162,32 +196,39 @@ processors: - organization_name ignore_missing: true - rename: + tag: rename_source_as_asn_to_source_as_number_a917047d field: source.as.asn target_field: source.as.number ignore_missing: true - rename: + tag: rename_source_as_organization_name_to_source_as_organization_name_f1362d0b field: source.as.organization_name target_field: source.as.organization.name ignore_missing: true - rename: + tag: rename_destination_as_asn_to_destination_as_number_3b459fcd field: destination.as.asn target_field: destination.as.number ignore_missing: true - rename: + tag: rename_destination_as_organization_name_to_destination_as_organization_name_814bd459 field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true - append: + tag: append_related_ip_8121c591 if: ctx.source?.ip != null field: related.ip value: '{{{source.ip}}}' allow_duplicates: false - append: + tag: append_related_ip_c1a6356b if: ctx.destination?.ip != null field: related.ip value: '{{{destination.ip}}}' allow_duplicates: false - remove: + tag: remove_0ecf6d42 field: - _tmp - json @@ -198,4 +239,8 @@ on_failure: value: pipeline_error - append: field: error.message - value: '{{{ _ingest.on_failure_message }}}' + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}' + failed with message '{{{ _ingest.on_failure_message }}}' diff --git a/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/json.yml b/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/json.yml index 75c94af07c8..d1f67f936e7 100644 --- a/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/json.yml +++ b/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/json.yml 
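Review bot: The folded `>-` template for `error.message` joins its lines with single spaces, so when `_ingest.on_failure_processor_tag` is unset the rendered text reads `Processor 'x'  in pipeline ...` with a doubled space; json.yml and plaintext.yml in the later hunks add the same template. Keeping the tag section on the first line avoids it: `Processor '{{{ _ingest.on_failure_processor_type }}}'{{#_ingest.on_failure_processor_tag}} with tag '{{{ _ingest.on_failure_processor_tag }}}'{{/_ingest.on_failure_processor_tag}}` followed by `in pipeline '{{{ _ingest.pipeline }}}'` and `failed with message '{{{ _ingest.on_failure_message }}}'` on the next two lines. The hunks show tags added to every visible processor, so the untagged case should be rare and this is cosmetic rather than a functional issue.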
@@ -2,174 +2,206 @@ description: Pipeline for parsing Snort JSON logs processors: - json: + tag: json_event_original_to_json_5e54dc16 field: event.original target_field: json - remove: + tag: remove_json_b64_data_7e792bb7 field: json.b64_data ignore_missing: true - rename: - field: json.timestamp - target_field: _tmp.timestamp - ignore_missing: true - - rename: + tag: rename_json_timestamp_to__tmp_timestamp_18c690bc field: json.timestamp target_field: _tmp.timestamp ignore_missing: true - convert: + tag: convert_json_src_port_to_source_port_efdc0a43 field: json.src_port target_field: source.port type: long ignore_missing: true - convert: + tag: convert_json_dst_port_to_destination_port_f9b6c7c5 field: json.dst_port target_field: destination.port type: long ignore_missing: true - rename: + tag: rename_json_dst_addr_to_destination_address_37a32717 field: json.dst_addr target_field: destination.address ignore_missing: true - rename: + tag: rename_json_src_addr_to_source_address_a9f9f0b3 field: json.src_addr target_field: source.address ignore_missing: true - rename: + tag: rename_json_eth_dst_to_destination_mac_6d003604 field: json.eth_dst target_field: destination.mac ignore_missing: true - rename: + tag: rename_json_eth_src_to_source_mac_09bf4d56 field: json.eth_src target_field: source.mac ignore_missing: true - convert: + tag: convert_json_eth_len_to_snort_eth_length_a293f0fd field: json.eth_len target_field: snort.eth.length type: long ignore_missing: true -## Rule + ## Rule - rename: + tag: rename_json_class_to_rule_category_8404d310 field: json.class target_field: rule.category ignore_missing: true - rename: + tag: rename_json_msg_to_rule_description_102b1a1d field: json.msg target_field: rule.description ignore_missing: true - convert: + tag: convert_json_rev_to_rule_version_52a702c5 field: json.rev target_field: rule.version type: string ignore_missing: true - convert: + tag: convert_json_sid_to_rule_id_102bd6c3 field: json.sid target_field: rule.id type: 
string ignore_missing: true - convert: + tag: convert_json_gid_to_snort_gid_7dd63be3 field: json.gid target_field: snort.gid type: long ignore_missing: true -## ICMP + ## ICMP - convert: + tag: convert_json_icmp_type_to_snort_icmp_type_34629aae field: json.icmp_type target_field: snort.icmp.type type: long ignore_missing: true - convert: + tag: convert_json_icmp_code_to_snort_icmp_code_6baefa08 field: json.icmp_code target_field: snort.icmp.code type: long ignore_missing: true - convert: + tag: convert_json_icmp_id_to_snort_icmp_id_7cacbd24 field: json.icmp_id target_field: snort.icmp.id type: long ignore_missing: true - convert: + tag: convert_json_icmp_seq_to_snort_icmp_seq_2f6b6a22 field: json.icmp_seq target_field: snort.icmp.seq type: long ignore_missing: true -## TCP + ## TCP - rename: + tag: rename_json_tcp_flags_to_snort_tcp_flags_d269ee87 field: json.tcp_flags target_field: snort.tcp.flags ignore_missing: true - rename: + tag: rename_json_tcp_len_to_snort_tcp_length_58c55032 field: json.tcp_len target_field: snort.tcp.length ignore_missing: true - rename: + tag: rename_json_tcp_seq_to_snort_tcp_seq_2c83446b field: json.tcp_seq target_field: snort.tcp.seq ignore_missing: true - rename: + tag: rename_json_tcp_ack_to_snort_tcp_ack_b97ed153 field: json.tcp_ack target_field: snort.tcp.ack ignore_missing: true - rename: + tag: rename_json_tcp_win_to_snort_tcp_window_2ca5ee9d field: json.tcp_win target_field: snort.tcp.window ignore_missing: true -## UDP + ## UDP - rename: + tag: rename_json_udp_len_to_snort_udp_length_967caad6 field: json.udp_len target_field: snort.udp.length ignore_missing: true -## IP + ## IP - convert: + tag: convert_json_ip_id_to_snort_ip_id_5f602294 field: json.ip_id target_field: snort.ip.id type: long ignore_missing: true - convert: + tag: convert_json_tos_to_snort_ip_tos_7f7eeff4 field: json.tos target_field: snort.ip.tos type: long ignore_missing: true - convert: + tag: convert_json_ttl_to_snort_ip_ttl_922bd868 field: json.ttl 
target_field: snort.ip.ttl type: long ignore_missing: true -## Network + ## Network - convert: + tag: convert_json_pkt_num_to_network_packets_acd7e99e field: json.pkt_num target_field: network.packets type: long ignore_missing: true - convert: + tag: convert_json_pkt_len_to_network_bytes_2adbfb53 field: json.pkt_len target_field: network.bytes type: long ignore_missing: true - rename: + tag: rename_json_proto_to_network_transport_78181b45 field: json.proto target_field: network.transport ignore_missing: true - rename: + tag: rename_json_service_to_network_protocol_f00476bd field: json.service target_field: network.protocol ignore_missing: true if: ctx.json?.service != 'unknown' - convert: + tag: convert_json_vlan_to_network_vlan_id_cd0ebb29 field: json.vlan target_field: network.vlan.id type: string ignore_missing: true if: ctx.json?.vlan != 0 -## Other + ## Other - convert: + tag: convert_json_priority_to_event_severity_54f88bf8 field: json.priority target_field: event.severity type: long ignore_missing: true - rename: + tag: rename_json_action_to__tmp_action_17ba238e field: json.action target_field: _tmp.action ignore_missing: true - rename: + tag: rename_json_iface_to_observer_ingress_interface_name_a91e4a53 field: json.iface target_field: observer.ingress.interface.name ignore_missing: true @@ -180,4 +212,8 @@ on_failure: value: pipeline_error - append: field: error.message - value: '{{{ _ingest.on_failure_message }}}' + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}' + failed with message '{{{ _ingest.on_failure_message }}}' diff --git a/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/plaintext.yml b/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/plaintext.yml index 9a43be9c294..f87dba5ebaf 100644 
--- a/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/plaintext.yml +++ b/packages/snort/data_stream/log/elasticsearch/ingest_pipeline/plaintext.yml @@ -2,6 +2,7 @@ description: Pipeline for parsing Snort Plaintext logs processors: - grok: + tag: grok_event_original_24037a01 field: event.original patterns: # Syslog @@ -30,6 +31,7 @@ processors: ECS_SYSLOG_PRI: '<%{NONNEGINT:log.syslog.priority:long}>' SYSLOGPROG: '%{PROG:process.name}(?:\[%{POSINT:process.pid:int}\])?' - script: + tag: script_1acc7cc9 lang: painless source: >- if (ctx.snort?.ip?.tos != null && ctx.snort.ip.tos instanceof String) { @@ -53,4 +55,8 @@ on_failure: value: pipeline_error - append: field: error.message - value: '{{{ _ingest.on_failure_message }}}' + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}' + failed with message '{{{ _ingest.on_failure_message }}}' diff --git a/packages/snort/manifest.yml b/packages/snort/manifest.yml index 71341a0a259..7928819fed2 100644 --- a/packages/snort/manifest.yml +++ b/packages/snort/manifest.yml @@ -1,6 +1,6 @@ name: snort title: Snort -version: "1.19.1" +version: "1.19.2" description: Collect logs from Snort with Elastic Agent. type: integration icons: @@ -9,7 +9,7 @@ icons: size: 120x60 type: image/svg+xml format_version: "3.0.3" -categories: +categories: - ids_ips - security # Added network_security category as Snort monitors network traffic for security threats