File: //usr/share/filebeat/module/suricata/eve/ingest/tls.yml
---
description: Pipeline for Suricata TLS Events
processors:
- dissect:
if: ctx?.suricata?.eve?.tls?.version != "UNDETERMINED"
field: suricata.eve.tls.version
pattern: '%{tls.version_protocol} %{tls.version}'
ignore_missing: true
ignore_failure: true
- lowercase:
field: tls.version_protocol
ignore_missing: true
- script:
if: ctx?.suricata?.eve?.tls?.sni != null
tag: suricata_trim_tls_sni
lang: painless
source: |
def sni = ctx.suricata.eve.tls.sni;
if (!sni.endsWith(".")) {
return;
}
ctx.suricata.eve.tls.sni = sni.substring(0, sni.length() - 1);
# Subject
- set:
field: tls.server.subject
value: '{{suricata.eve.tls.subject}}'
ignore_empty_value: true
- gsub:
field: suricata.eve.tls.subject
pattern: \\,
replacement: ""
ignore_missing: true
- kv:
field: suricata.eve.tls.subject
field_split: ', '
value_split: '='
target_field: suricata.eve.tls.kv_subject
ignore_missing: true
ignore_failure: true
- rename:
field: suricata.eve.tls.kv_subject.C
target_field: tls.server.x509.subject.country
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_subject.CN
target_field: tls.server.x509.subject.common_name
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_subject.L
target_field: tls.server.x509.subject.locality
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_subject.O
target_field: tls.server.x509.subject.organization
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_subject.OU
target_field: tls.server.x509.subject.organizational_unit
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_subject.ST
target_field: tls.server.x509.subject.state_or_province
ignore_missing: true
# Issuer
- set:
field: tls.server.issuer
value: '{{suricata.eve.tls.issuerdn}}'
ignore_empty_value: true
- gsub:
field: suricata.eve.tls.issuerdn
pattern: \\,
replacement: ""
ignore_missing: true
- kv:
field: suricata.eve.tls.issuerdn
field_split: ', '
value_split: '='
target_field: suricata.eve.tls.kv_issuerdn
ignore_missing: true
ignore_failure: true
- rename:
field: suricata.eve.tls.kv_issuerdn.C
target_field: tls.server.x509.issuer.country
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_issuerdn.CN
target_field: tls.server.x509.issuer.common_name
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_issuerdn.L
target_field: tls.server.x509.issuer.locality
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_issuerdn.O
target_field: tls.server.x509.issuer.organization
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_issuerdn.OU
target_field: tls.server.x509.issuer.organizational_unit
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_issuerdn.ST
target_field: tls.server.x509.issuer.state_or_province
ignore_missing: true
- convert:
field: suricata.eve.tls.session_resumed
target_field: tls.resumed
type: boolean
ignore_missing: true
- set:
field: tls.server.hash.sha1
value: '{{suricata.eve.tls.fingerprint}}'
ignore_empty_value: true
- uppercase:
field: tls.server.hash.sha1
ignore_missing: true
- split:
field: tls.server.hash.sha1
separator: ":"
ignore_missing: true
- join:
field: tls.server.hash.sha1
separator: ""
ignore_failure: true
- append:
field: related.hash
value: "{{tls.server.hash.sha1}}"
if: "ctx?.tls?.server?.hash?.sha1 != null"
- set:
field: tls.client.server_name
value: '{{suricata.eve.tls.sni}}'
ignore_empty_value: true
- set:
field: destination.domain
value: '{{suricata.eve.tls.sni}}'
ignore_empty_value: true
- set:
field: tls.server.ja3s
value: '{{suricata.eve.tls.ja3s.hash}}'
ignore_empty_value: true
- set:
field: tls.client.ja3
value: '{{suricata.eve.tls.ja3.hash}}'
ignore_empty_value: true
- set:
field: tls.server.certificate
value: '{{suricata.eve.tls.certificate}}'
ignore_empty_value: true
- set:
field: tls.server.certificate_chain
value: '{{suricata.eve.tls.chain}}'
ignore_empty_value: true
- set:
field: tls.server.x509.serial_number
value: '{{suricata.eve.tls.serial}}'
ignore_empty_value: true
- gsub:
field: tls.server.x509.serial_number
pattern: ':'
replacement: ''
ignore_missing: true
- date:
field: suricata.eve.tls.notafter
target_field: tls.server.not_after
formats:
- ISO8601
if: ctx.suricata?.eve?.tls?.notafter != null
- date:
field: suricata.eve.tls.notbefore
target_field: tls.server.not_before
formats:
- ISO8601
if: ctx.suricata?.eve?.tls?.notbefore != null
- set:
field: tls.server.x509.not_after
value: '{{tls.server.not_after}}'
ignore_empty_value: true
- set:
field: tls.server.x509.not_before
value: '{{tls.server.not_before}}'
ignore_empty_value: true
- remove:
field:
- suricata.eve.tls.kv_issuerdn
- suricata.eve.tls.kv_subject
ignore_missing: true
on_failure:
- append:
field: error.message
value: >-
error in TLS pipeline:
error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
{{ _ingest.on_failure_message }}