fix broken ja4ssh fields

cisagov · Jun 26, 2024 · ba111c4 · ba111c4
1 parent 2c6c3fb
commit ba111c4
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 9 deletions.
diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -1692,7 +1692,7 @@ filter {
         id => "dissect_zeek_ja4ssh"
         # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
         mapping => {
-          "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][id]}	%{[zeek_cols][ja4ssh]}	%{[zeek_cols][is_ssh]}	%{[zeek_cols][orig_pack_len]}	%{[zeek_cols][resp_pack_len]}	%{[zeek_cols][orig_ack]}	%{[zeek_cols][resp_ack]}"
+          "[message]" => "%{[zeek_cols][ts]}	%{[zeek_cols][uid]}	%{[zeek_cols][orig_h]}	%{[zeek_cols][orig_p]}	%{[zeek_cols][resp_h]}	%{[zeek_cols][resp_p]}	%{[zeek_cols][ja4ssh]}"
         }
       }
       if ("_dissectfailure" in [tags]) {
@@ -1703,7 +1703,7 @@ filter {
         }
         ruby {
           id => "ruby_zip_zeek_ja4ssh"
-          init => "@zeek_ja4ssh_field_names = [ 'ts', 'uid', 'id', 'ja4ssh', 'is_ssh', 'orig_pack_len', 'resp_pack_len', 'orig_ack', 'resp_ack' ]"
+          init => "@zeek_ja4ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ja4ssh' ]"
           code => "event.set('[zeek_cols]', @zeek_ja4ssh_field_names.zip(event.get('[message]')).to_h)"
         }
       }

diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf
@@ -911,13 +911,6 @@ filter {
       }
     }
 
-    mutate { id => "mutate_remove_fields_zeek_ja4ssh"
-             remove_field => [ "[zeek][ja4ssh][is_ssh]",
-                               "[zeek][ja4ssh][orig_pack_len]",
-                               "[zeek][ja4ssh][resp_pack_len]",
-                               "[zeek][ja4ssh][orig_ack]",
-                               "[zeek][ja4ssh][resp_ack]" ] }
-
   } else if ([log_source] == "kerberos") {
     #############################################################################################################################
     # kerberos.log specific logic