HEX

Warning: set_time_limit() [function.set-time-limit]: Cannot set time limit - prohibited by configuration in /home/u547966/brikov.ru/www/wp-content/plugins/admin-menu-editor/menu-editor.php on line 745
Server: Apache
System: Linux 4.19.0-0.bpo.9-amd64 x86_64 at red40
User: u547966 (5490)
PHP: 5.3.29-mh2
Disabled: syslog, dl, popen, proc_open, proc_nice, proc_get_status, proc_close, proc_terminate, posix_mkfifo, chown, chgrp, accelerator_reset, opcache_reset, accelerator_get_status, opcache_get_status, pcntl_alarm, pcntl_fork, pcntl_waitpid, pcntl_wait, pcntl_wifexited, pcntl_wifstopped, pcntl_wifsignaled, pcntl_wifcontinued, pcntl_wexitstatus, pcntl_wtermsig, pcntl_wstopsig, pcntl_signal, pcntl_signal_dispatch, pcntl_get_last_error, pcntl_strerror, pcntl_sigprocmask, pcntl_sigwaitinfo, pcntl_sigtimedwait, pcntl_exec, pcntl_getpriority, pcntl_setpriority
$ pwd: /usr/share/filebeat/module/suricata/eve/ingest/
Upload Files
File: //usr/share/filebeat/module/suricata/eve/ingest/http.yml
---
description: Pipeline for Suricata DNS Events

processors:
  - set:
      value: "{{suricata.eve.http.http_method}}"
      field: http.request.method
      if: "ctx?.suricata?.eve?.http?.http_method != null"
  - rename:
      field: suricata.eve.http.status
      target_field: http.response.status_code
      ignore_missing: true
  - rename:
      field: suricata.eve.http.hostname
      target_field: destination.domain
      ignore_missing: true
  # - grok:
  #     field: suricata.eve.http.url
  #     patterns:
  #       - '%{PATH:url.path}(?:\?%{QUERY:url.query})?(?:#%{ANY:url.fragment})?'
  #     ignore_missing: true
  #     pattern_definitions:
  #       PATH: '[^?#]*'
  #       QUERY: '[^#]*'
  #       ANY: '.*'
  - rename:
      field: suricata.eve.http.url
      target_field: url.original
      ignore_missing: true
  - rename:
      field: suricata.eve.http.http_port
      target_field: url.port
      ignore_missing: true

  # URL
  - uri_parts:
      field: url.original
      target_field: _temp_.url
      ignore_failure: true
      if: ctx?.url?.original != null
  - script:
      lang: painless
      description: Updates the URL ECS fields from the results of the URI parts processor to not overwrite the RSA mappings
      if: ctx?._temp_?.url != null
      source: |
        for (entry in ctx._temp_.url.entrySet()) {
          if (entry != null && entry.getValue() != null) {
            if(ctx.url[entry.getKey()] == null) {
              ctx.url[entry.getKey()] = entry.getValue();
            } else if (!ctx.url[entry.getKey()].contains(entry.getValue())) {
              ctx.url[entry.getKey()] = [ctx.url[entry.getKey()]];
              ctx.url[entry.getKey()].add(entry.getValue());
            }
          }
        }
  - set:
      field: url.domain
      value: '{{destination.domain}}'
      ignore_empty_value: true
      if: ctx?.url?.domain == null && ctx?.destination?.domain != null
  - remove:
      field: _temp_
      ignore_missing: true
  - rename:
      field: suricata.eve.http.http_refer
      target_field: http.request.referrer
      ignore_missing: true
  - rename:
      field: suricata.eve.http.length
      target_field: http.response.body.bytes
      ignore_missing: true
  - user_agent:
      field: suricata.eve.http.http_user_agent
      ignore_missing: true

on_failure:
  - append:
      field: error.message
      value: >-
        error in HTTP pipeline:
        error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
        with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
        {{ _ingest.on_failure_message }}
@ Telegram