From ba111c493d8195a86eaa0cfdf6083da1d5e78a06 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Wed, 26 Jun 2024 11:43:41 -0600
Subject: [PATCH] fix broken ja4ssh fields

---
 logstash/pipelines/zeek/11_zeek_parse.conf | 4 ++--
 logstash/pipelines/zeek/12_zeek_mutate.conf | 7 -------
 2 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
index d96ac7d44..8e5593e43 100644
--- a/logstash/pipelines/zeek/11_zeek_parse.conf
+++ b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -1692,7 +1692,7 @@ filter {
 id => "dissect_zeek_ja4ssh"
 # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
 mapping => {
- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][id]} %{[zeek_cols][ja4ssh]} %{[zeek_cols][is_ssh]} %{[zeek_cols][orig_pack_len]} %{[zeek_cols][resp_pack_len]} %{[zeek_cols][orig_ack]} %{[zeek_cols][resp_ack]}"
+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][ja4ssh]}"
 }
 }
 if ("_dissectfailure" in [tags]) {
@@ -1703,7 +1703,7 @@ filter {
 }
 ruby {
 id => "ruby_zip_zeek_ja4ssh"
- init => "@zeek_ja4ssh_field_names = [ 'ts', 'uid', 'id', 'ja4ssh', 'is_ssh', 'orig_pack_len', 'resp_pack_len', 'orig_ack', 'resp_ack' ]"
+ init => "@zeek_ja4ssh_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'ja4ssh' ]"
 code => "event.set('[zeek_cols]', @zeek_ja4ssh_field_names.zip(event.get('[message]')).to_h)"
 }
 }
diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf
index 707c679f0..d5a9b4466 100644
--- a/logstash/pipelines/zeek/12_zeek_mutate.conf
+++ b/logstash/pipelines/zeek/12_zeek_mutate.conf
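Review bot: The column order in the new dissect mapping for `dissect_zeek_ja4ssh` is not documented as being coupled to the `@zeek_ja4ssh_field_names` list in the `ruby_zip_zeek_ja4ssh` filter a few lines below, yet this very commit had to change both in lockstep, and the existing comment only warns about tab delimiters. Because the ja4ssh.log schema comes from an external Zeek package and has evidently already changed once, a maintainer updating one list and not the other would get silently mislabeled fields (for example a fingerprint landing under a port column) rather than a parse error. I would add, next to the tab warning, `# column order must match @zeek_ja4ssh_field_names in ruby_zip_zeek_ja4ssh below (ja4ssh.log schema from the JA4 zeek package)` and, if the schema was taken from a specific package release, name that release in the same comment. The enclosing dissect and `if ("_dissectfailure" in [tags])` blocks start and end outside this hunk.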
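Review bot: The `code =>` line in `ruby_zip_zeek_ja4ssh` still pairs the new seven-entry field list with `[message]` via `Array#zip`, which pads missing columns with nil and silently discards any extra columns, so a future schema change in ja4ssh.log (the exact situation this commit is repairing) would again produce mis-attributed values without any tag or log line to alert an operator. Assuming `[message]` has already been split into an array by the time this filter runs (that split is outside the hunk), I would make the column count explicit and tag mismatches: `code => "cols = event.get('[message]'); if cols.is_a?(Array) && cols.length == @zeek_ja4ssh_field_names.length then event.set('[zeek_cols]', @zeek_ja4ssh_field_names.zip(cols).to_h) else event.tag('_zeek_ja4ssh_column_mismatch') end"`. That keeps the current behavior for well-formed rows while turning schema drift into a searchable tag instead of corrupted fields. The conditional block enclosing this ruby filter begins outside the hunk.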
@@ -911,13 +911,6 @@ filter {
 }
 }
- mutate { id => "mutate_remove_fields_zeek_ja4ssh"
- remove_field => [ "[zeek][ja4ssh][is_ssh]",
- "[zeek][ja4ssh][orig_pack_len]",
- "[zeek][ja4ssh][resp_pack_len]",
- "[zeek][ja4ssh][orig_ack]",
- "[zeek][ja4ssh][resp_ack]" ] }
-
 } else if ([log_source] == "kerberos") {
 #############################################################################################################################
 # kerberos.log specific logic