-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathfluent-bit-filters-bro-dns.conf
177 lines (157 loc) · 4.53 KB
/
fluent-bit-filters-bro-dns.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
# Tabular log format parser
[FILTER]
Name parser
Match ${observer_product}.dns
Key_Name log
Parser bro_dns_parser
Preserve_Key on
Reserve_Data on
# JSON log format parser
[FILTER]
Name parser
Match ${observer_product}.dns.json
Key_Name log
Parser bro_dns_parser_json
Preserve_Key off
Reserve_Data on
# Rename 4-tuple fields from json
[FILTER]
Name modify
Match ${observer_product}.dns.json
Rename id.orig_h orig_h
Rename id.orig_p orig_p
Rename id.resp_h resp_h
Rename id.resp_p resp_p
# Prefix all regular keys ([A-z]*) with 'zeek_dns_'
# This will also catch any extended fields to move them under zeek.dns
[FILTER]
Name lua
Match ${observer_product}.dns*
Script bro_dns_parse.lua
Call bro_dns_prefix_all
[FILTER]
Name modify
Match ${observer_product}.dns
Add zeek_log_file dns
Add zeek_log_format tab
# These are special "_*" keys, rename them separately
[FILTER]
Name modify
Match ${observer_product}.dns.json
Rename _path zeek_log_file
Rename _write_ts zeek_write_ts
Add zeek_log_format json
# Pre-process DNS-specific fields
[FILTER]
Name modify
Match ${observer_product}.dns*
Add _event_dataset ${observer_product}.dns
Rename zeek_dns_uid zeek_uid
Rename zeek_dns_orig_h source_ip
Rename zeek_dns_orig_p source_port
Rename zeek_dns_resp_h destination_ip
Rename zeek_dns_resp_p destination_port
Rename zeek_dns_proto network_transport
Rename zeek_dns_trans_id _dns_id
Rename zeek_dns_query _dns_question_name
Rename zeek_dns_qclass_name _dns_question_class
Rename zeek_dns_qtype_name _dns_question_type
Rename zeek_dns_rcode_name _dns_response_code
Rename zeek_dns_rtt _event_duration
Rename zeek_dns_log _log_original
# Copies
[FILTER]
Name modify
Match ${observer_product}.dns*
Copy zeek_uid _event_id
Copy source_ip client_ip
Copy source_port client_port
Copy destination_ip server_ip
Copy destination_port server_port
# Cleanup - remove keys represending IP addresses if value is "-"
[FILTER]
Name modify
Match ${observer_product}.dns*
Condition Key_value_equals client_ip -
Remove_regex client_ip
[FILTER]
Name modify
Match ${observer_product}.dns*
Condition Key_value_equals server_ip -
Remove_regex server_ip
# Cleanup - remove keys represending duration if value is "-"
[FILTER]
Name modify
Match ${observer_product}.*
Condition Key_value_equals _event_duration -
Remove _event_duration
# ECS: Determine DNS record type: query or answer (full exchange)
[FILTER]
Name lua
Match ${observer_product}.dns*
Script bro_dns_parse.lua
Call bro_dns_determine_dns_type
# ECS: Parse dns answers via script to handle multiple entries: dns.answers
[FILTER]
Name lua
Match ${observer_product}.dns*
Script bro_dns_parse.lua
Call bro_dns_parse_answers
# ECS: Parse dns flags via script to combine multiple flags into one vector[string]
[FILTER]
Name lua
Match ${observer_product}.dns*
Script bro_dns_parse.lua
Call bro_dns_parse_flags
# ECS: Parse custom ECS Zeek fields
[FILTER]
Name lua
Match ${observer_product}.dns*
Script bro_dns_parse.lua
Call bro_dns_parse_zeek
# Remove no longer needed keys
[FILTER]
Name modify
Match ${observer_product}.dns*
Remove zeek_dns_qclass
Remove zeek_dns_qtype
Remove zeek_dns_rcode
Remove zeek_dns_AA
Remove zeek_dns_TC
Remove zeek_dns_RD
Remove zeek_dns_RA
Remove zeek_dns_Z
# CUSTOM: Nest JSON objects to comply with ECS notation: Zeek DNS - inner layer
[FILTER]
Name nest
Match ${observer_product}.dns*
Operation nest
Wildcard zeek_dns_*
Nest_under dns
Remove_prefix zeek_dns_
# CUSTOM: Nest JSON objects to comply with ECS notation: Zeek DNS - outer layer
[FILTER]
Name nest
Match ${observer_product}.dns*
Operation nest
Wildcard zeek_*
Wildcard dns*
Nest_under zeek
Remove_prefix zeek_
# ECS: Nest JSON objects to comply with ECS notation: DNS.question
[FILTER]
Name nest
Match ${observer_product}.dns*
Operation nest
Wildcard _dns_question_*
Nest_under question
Remove_prefix _dns_question_
# ECS: Nest JSON objects to comply with ECS notation: DNS
[FILTER]
Name nest
Match ${observer_product}.dns*
Operation nest
Wildcard _dns_*
Wildcard question*
Nest_under dns
Remove_prefix _dns_