Can I use replace to add a field?

Peter_S · January 9, 2019, 9:38pm

Hello,

I'm trying to write a mutation to describe a service name based on the port given. Suricata is feeding the data to logstash, and it currently doesn't have a very good way of describing services unless it's in the predefined list. I'd like to still have that information available instead of getting nothing or getting a "failed" entry.

<snip>
    # Is app_proto set or failed?
    if ![app_proto] or [app_proto] == "failed" {
        if [src_port] and [dest_port] {
            # Set variable
            if [src_port] < [dest_port] {
                mutate { add_field => { "[@metadata][port]" => "%{src_port}" } }
            }
            else if [dest_port] < [src_port] {
                mutate { add_field => { "[@metadata][port]" => "%{dest_port}" } }
            }
            # FTP
            if [@metadata][port] == "20" or [@metadata][port] == "21" {
                mutate { replace => { "app_proto" => "ftp(%{[@metadata][port]})" } }
            }
            # SSH
            else if [@metadata][port] == "22" {
                mutate { replace => { "app_proto" => "ssh(%{[@metadata][port]})" } }
            }
            # Telnet
            else if [@metadata][port] == "23" {
                mutate { replace => { "app_proto" => "telnet(%{[@metadata][port]})" } }
            }
<snip>

Do I have to do a separate check for whether [app_proto] is set? I'm using replace currently, but I'm not sure if it will create the [app_proto] field if it doesn't already exist. Otherwise, I think I'll have to remove_field first, then add_field.

Badger · January 9, 2019, 10:03pm

It will.

rcowart · January 12, 2019, 5:28am

@Peter_S, as you are collecting Suricata data, might I suggest that you consider this...

It uses filebeat to tail Suricata's EVE log and send the data to Logstash, which then performs a lot of processing and enrichment of the data (including the service name mapping you are looking to achieve). The reason for using Filebeat and Logstash together, is to allow multiple Suricata instances to report into a single central collection point.

It also looks like you are trying to figure out the client and server end of the connections by looking for the lowest port number. The integration above also does the same, but with a bit more sophisticated method.

Peter_S · January 14, 2019, 4:53pm

@rcowart

I've looked at this, and it does look great, but you only seem to be compatible with Elastic Stack 6.2. We're on 6.5, and we rather like the extra features we get with it over 6.2. If you update to supporting newer Elastic Stack versions, let me know.

system · February 11, 2019, 4:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.