fixes to create working ecs config #64
Conversation
I don't recall all the changes I had to make but I made changes to ssh conflicts where suricata is an object and zeek is a concrete value. Other fixes for other fields were similar.
|
@spartan782 these have all been tested with the pre-release? |
| "ignore_above": 8000, | ||
| "type": "keyword" | ||
| }, | ||
| "string" : { |
There was a problem hiding this comment.
can we split this ja3.string out to a new field called ja3_string? The reason being that tls.ja3 is an ECS schema field, so converting it to an object is a breaking change with that config.
There was a problem hiding this comment.
Thats fine, the default for suricata eve.json breaks it into an object so I just followed that so that Zeek would not conflict because we can not have tls.ja3 be both a field and an object.
| "type": "keyword" | ||
| "properties": { | ||
| "hash": { | ||
| "ignore_above": 8000, |
There was a problem hiding this comment.
Since this is just a hash, we don't need to crank up ignore_above 8000 on it.
| "type": "keyword" | ||
| "properties": { | ||
| "hash": { | ||
| "ignore_above": 8000, |
There was a problem hiding this comment.
same as ja3, leave the ignore_above to default of 1024
| "ignore_above": 8000, | ||
| "type": "keyword" | ||
| }, | ||
| "string": { |
There was a problem hiding this comment.
Please make this a different field similar to the proposed ja3.string. Make this ja3s_string instead.
| @@ -5,8 +5,7 @@ input { | |||
| # Set this to one per kafka partition to scale up | |||
| #consumer_threads => 4 | |||
| group_id => "fsf_logstash" | |||
| bootstrap_servers => "127.0.0.1:9092" | |||
| codec => json | |||
| bootstrap_servers => "simplerockbuild.simplerock.lan:9092" codec => json | |||
There was a problem hiding this comment.
I think this was an artifact from committing after a deploy.
| bootstrap_servers => "simplerockbuild.simplerock.lan:9092" codec => json | |
| bootstrap_servers => "127.0.0.1:9092" | |
| codec => json |
| "[tls][ja3]" => "[tls][client][ja3]" | ||
| "[tls][ja3s]" => "[tls][server][ja3s]" | ||
| "[tls][ja3]" => "[tls][client][ja3][hash]" | ||
| "[tls][ja3s]" => "[tls][server][ja3s][hash]" |
There was a problem hiding this comment.
same
| "[tls][ja3s]" => "[tls][server][ja3s][hash]" | |
| "[tls][ja3s]" => "[tls][server][ja3s]" |
| @@ -7,8 +7,10 @@ filter { | |||
| "[tls][chain]" => "[tls][server][certificate_chain]" | |||
| "[tls][fingerprint]" => "[tls][server][hash][sha1]" | |||
| "[tls][issuer]" => "[tls][server][issuer]" | |||
| "[tls][ja3]" => "[tls][client][ja3]" | |||
| "[tls][ja3s]" => "[tls][server][ja3s]" | |||
| "[tls][ja3][hash]" => "[tls][client][ja3][hash]" | |||
There was a problem hiding this comment.
| "[tls][ja3][hash]" => "[tls][client][ja3][hash]" | |
| "[tls][ja3][hash]" => "[tls][client][ja3]" |
| "[tls][ja3]" => "[tls][client][ja3]" | ||
| "[tls][ja3s]" => "[tls][server][ja3s]" | ||
| "[tls][ja3][hash]" => "[tls][client][ja3][hash]" | ||
| "[tls][ja3][string]" => "[tls][client][ja3][string]" |
There was a problem hiding this comment.
| "[tls][ja3][string]" => "[tls][client][ja3][string]" | |
| "[tls][ja3][string]" => "[tls][client][ja3_string]" |
| "[tls][ja3s]" => "[tls][server][ja3s]" | ||
| "[tls][ja3][hash]" => "[tls][client][ja3][hash]" | ||
| "[tls][ja3][string]" => "[tls][client][ja3][string]" | ||
| "[tls][ja3s][hash]" => "[tls][server][ja3s][hash]" |
There was a problem hiding this comment.
| "[tls][ja3s][hash]" => "[tls][server][ja3s][hash]" | |
| "[tls][ja3s][hash]" => "[tls][server][ja3s]" |
| "[tls][ja3][hash]" => "[tls][client][ja3][hash]" | ||
| "[tls][ja3][string]" => "[tls][client][ja3][string]" | ||
| "[tls][ja3s][hash]" => "[tls][server][ja3s][hash]" | ||
| "[tls][ja3s][string]" => "[tls][server][ja3s][string]" |
There was a problem hiding this comment.
| "[tls][ja3s][string]" => "[tls][server][ja3s][string]" | |
| "[tls][ja3s][string]" => "[tls][server][ja3s_string]" |
I don't recall all the changes I had to make but I made changes to ssh conflicts where suricata is an object and zeek is a concrete value. Other fixes for other fields were similar.