From 4985e0652e1f41c9bd6426dbd28d9c5ea2fc41ee Mon Sep 17 00:00:00 2001 From: Seth Grover Date: Wed, 26 Jun 2024 13:47:08 -0600 Subject: [PATCH] more fixes for ja4+ --- arkime/etc/config.ini | 2 +- arkime/wise/source.zeeklogs.js | 1 - dashboards/templates/composable/component/arkime.json | 3 +++ logstash/pipelines/zeek/11_zeek_parse.conf | 4 ++-- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini index 8e6585398..8cf460406 100644 --- a/arkime/etc/config.ini +++ b/arkime/etc/config.ini @@ -582,7 +582,7 @@ zeek.http.resp_filenames=db:zeek.http.resp_filenames;group:zeek_http;kind:termfi zeek.http.resp_mime_types=db:zeek.http.resp_mime_types;group:zeek_http;kind:termfield;viewerOnly:true;friendly:Responding File Magic;help:Responding File Magic zeek.http.post_username=db:zeek.http.post_username;group:zeek_http;kind:termfield;viewerOnly:true;friendly:POST User;help:POST User zeek.http.post_password_plain=db:zeek.http.post_password_plain;group:zeek_http;kind:termfield;viewerOnly:true;friendly:POST Password;help:POST Password -zeek.http.ja4h=db:zeek.http.ja4;group:zeek_http;kind:termfield;viewerOnly:true;friendly:JA4 HTTP Fingerprint;help:JA4 HTTP Fingerprint +zeek.http.ja4h=db:zeek.http.ja4h;group:zeek_http;kind:termfield;viewerOnly:true;friendly:JA4 HTTP Fingerprint;help:JA4 HTTP Fingerprint # intel.log # https://docs.zeek.org/en/stable/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Info diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js index 8d79c275e..3ed4ff7bd 100644 --- a/arkime/wise/source.zeeklogs.js +++ b/arkime/wise/source.zeeklogs.js @@ -113,7 +113,6 @@ class MalcolmSource extends WISESource { "file.type", "file.uid", "host.name", - "http.ja4h", "http.request.body.bytes", "http.request.method", "http.request.mime_type", diff --git a/dashboards/templates/composable/component/arkime.json b/dashboards/templates/composable/component/arkime.json index cc66e3afd..050af4805 100644 --- a/dashboards/templates/composable/component/arkime.json +++ b/dashboards/templates/composable/component/arkime.json @@ -55,6 +55,9 @@ "issuerON" : { "type" : "keyword" }, + "ja4x" : { + "type" : "keyword" + }, "notAfter" : { "type" : "date" }, diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf index 8e5593e43..bde807368 100644 --- a/logstash/pipelines/zeek/11_zeek_parse.conf +++ b/logstash/pipelines/zeek/11_zeek_parse.conf @@ -1487,7 +1487,7 @@ filter { id => "dissect_zeek_http_with_all_fields" # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP mapping => { - "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} %{[zeek_cols][user_agent]} %{[zeek_cols][origin]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]} %{[zeek_cols][post_username]} %{[zeek_cols][post_password_plain]} %{[zeek_cols][post_password_md5]} %{[zeek_cols][post_password_sha1]} %{[zeek_cols][post_password_sha256]} %{[zeek_cols][ja4h]}" + "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][trans_depth]} %{[zeek_cols][method]} %{[zeek_cols][host]} %{[zeek_cols][uri]} %{[zeek_cols][referrer]} %{[zeek_cols][version]} %{[zeek_cols][user_agent]} %{[zeek_cols][origin]} %{[zeek_cols][request_body_len]} %{[zeek_cols][response_body_len]} %{[zeek_cols][status_code]} %{[zeek_cols][status_msg]} %{[zeek_cols][info_code]} %{[zeek_cols][info_msg]} %{[zeek_cols][tags]} %{[zeek_cols][user]} %{[zeek_cols][password]} %{[zeek_cols][proxied]} %{[zeek_cols][orig_fuids]} %{[zeek_cols][orig_filenames]} %{[zeek_cols][orig_mime_types]} %{[zeek_cols][resp_fuids]} %{[zeek_cols][resp_filenames]} %{[zeek_cols][resp_mime_types]} %{[zeek_cols][ja4h]} %{[zeek_cols][post_username]} %{[zeek_cols][post_password_plain]} %{[zeek_cols][post_password_md5]} %{[zeek_cols][post_password_sha1]} %{[zeek_cols][post_password_sha256]}" } } if ("_dissectfailure" in [tags]) { @@ -1498,7 +1498,7 @@ filter { } ruby { id => "ruby_zip_zeek_http" - init => "@zeek_http_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'host', 'uri', 'referrer', 'version', 'user_agent', 'origin', 'request_body_len', 'response_body_len', 'status_code', 'status_msg', 'info_code', 'info_msg', 'tags', 'user', 'password', 'proxied', 'orig_fuids', 'orig_filenames', 'orig_mime_types', 'resp_fuids', 'resp_filenames', 'resp_mime_types', 'post_username', 'post_password_plain', 'post_password_md5', 'post_password_sha1', 'post_password_sha256', 'ja4h' ]" + init => "@zeek_http_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'trans_depth', 'method', 'host', 'uri', 'referrer', 'version', 'user_agent', 'origin', 'request_body_len', 'response_body_len', 'status_code', 'status_msg', 'info_code', 'info_msg', 'tags', 'user', 'password', 'proxied', 'orig_fuids', 'orig_filenames', 'orig_mime_types', 'resp_fuids', 'resp_filenames', 'resp_mime_types', 'ja4h', 'post_username', 'post_password_plain', 'post_password_md5', 'post_password_sha1', 'post_password_sha256' ]" code => "event.set('[zeek_cols]', @zeek_http_field_names.zip(event.get('[message]')).to_h)" } }