Skip to content

Commit

Permalink
Merge branch 'development' of https://github.com/mmguero-dev/Malcolm
Browse files Browse the repository at this point in the history
…into v24.06.0_merge_cisagov
  • Loading branch information
mmguero committed Jun 26, 2024
2 parents 249321f + 4985e06 commit d745e24
Show file tree
Hide file tree
Showing 4 changed files with 6 additions and 4 deletions.
2 changes: 1 addition & 1 deletion arkime/etc/config.ini
Original file line number Diff line number Diff line change
Expand Up @@ -582,7 +582,7 @@ zeek.http.resp_filenames=db:zeek.http.resp_filenames;group:zeek_http;kind:termfi
zeek.http.resp_mime_types=db:zeek.http.resp_mime_types;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Responding File Magic;help:Responding File Magic
zeek.http.post_username=db:zeek.http.post_username;group:zeek_http;kind:termfield;viewerOnly:true;friendly:POST User;help:POST User
zeek.http.post_password_plain=db:zeek.http.post_password_plain;group:zeek_http;kind:termfield;viewerOnly:true;friendly:POST Password;help:POST Password
zeek.http.ja4h=db:zeek.http.ja4;group:zeek_http;kind:termfield;viewerOnly:true;friendly:JA4 HTTP Fingerprint;help:JA4 HTTP Fingerprint
zeek.http.ja4h=db:zeek.http.ja4h;group:zeek_http;kind:termfield;viewerOnly:true;friendly:JA4 HTTP Fingerprint;help:JA4 HTTP Fingerprint

# intel.log
# https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info
Expand Down
1 change: 0 additions & 1 deletion arkime/wise/source.zeeklogs.js
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,6 @@ class MalcolmSource extends WISESource {
"file.type",
"file.uid",
"host.name",
"http.ja4h",
"http.request.body.bytes",
"http.request.method",
"http.request.mime_type",
Expand Down
3 changes: 3 additions & 0 deletions dashboards/templates/composable/component/arkime.json
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,9 @@
"issuerON" : {
"type" : "keyword"
},
"ja4x" : {
"type" : "keyword"
},
"notAfter" : {
"type" : "date"
},
Expand Down
4 changes: 2 additions & 2 deletions logstash/pipelines/zeek/11_zeek_parse.conf
Original file line number Diff line number Diff line change
Expand Up @@ -1487,7 +1487,7 @@ filter {
id => "dissect_zeek_http_with_all_fields"
# zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP
mapping => {
"[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} %{[zeek_cols][user_agent]} %{[zeek_cols][origin]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]} %{[zeek_cols][post_username]} %{[zeek_cols][post_password_plain]} %{[zeek_cols][post_password_md5]} %{[zeek_cols][post_password_sha1]} %{[zeek_cols][post_password_sha256]} %{[zeek_cols][ja4h]}"
"[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} %{[zeek_cols][user_agent]} %{[zeek_cols][origin]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]} %{[zeek_cols][ja4h]} %{[zeek_cols][post_username]} %{[zeek_cols][post_password_plain]} %{[zeek_cols][post_password_md5]} %{[zeek_cols][post_password_sha1]} %{[zeek_cols][post_password_sha256]}"
}
}
if ("_dissectfailure" in [tags]) {
Expand All @@ -1498,7 +1498,7 @@ filter {
}
ruby {
id => "ruby_zip_zeek_http"
init => "@zeek_http_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'host', 'uri', 'referrer', 'version', 'user_agent', 'origin', 'request_body_len', 'response_body_len', 'status_code', 'status_msg', 'info_code', 'info_msg', 'tags', 'user', 'password', 'proxied', 'orig_fuids', 'orig_filenames', 'orig_mime_types', 'resp_fuids', 'resp_filenames', 'resp_mime_types', 'post_username', 'post_password_plain', 'post_password_md5', 'post_password_sha1', 'post_password_sha256', 'ja4h' ]"
init => "@zeek_http_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'host', 'uri', 'referrer', 'version', 'user_agent', 'origin', 'request_body_len', 'response_body_len', 'status_code', 'status_msg', 'info_code', 'info_msg', 'tags', 'user', 'password', 'proxied', 'orig_fuids', 'orig_filenames', 'orig_mime_types', 'resp_fuids', 'resp_filenames', 'resp_mime_types', 'ja4h', 'post_username', 'post_password_plain', 'post_password_md5', 'post_password_sha1', 'post_password_sha256' ]"
code => "event.set('[zeek_cols]', @zeek_http_field_names.zip(event.get('[message]')).to_h)"
}
}
Expand Down

0 comments on commit d745e24

Please sign in to comment.