Hello all,
I have the following configuration:
filter {
if [type] == "bro-conn" {
#The following makes use of the translate filter (logstash contrib) to convert conn_state into human text. Saves having to look up values for packet introspection
translate {
field => "conn_state"
add_field => ["tags", "bro"]
#destination => ["conn_state_full"]
dictionary => [
"S0", "Connection attempt seen, no reply",
"S1", "Connection established, not terminated",
"S2", "Connection established and close attempt by originator seen (but no reply from responder)",
"S3", "Connection established and close attempt by responder seen (but no reply from originator)",
"SF", "Normal SYN/FIN completion",
"REJ", "Connection attempt rejected",
"RSTO", "Connection established, originator aborted (sent a RST)",
"RSTR", "Established, responder aborted",
"RSTOS0", "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder",
"RSTRH", "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator",
"SH", "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)",
"SHR", "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator",
"OTH", "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)"
]
}
}
}The output:
{
"missed_bytes" => 0,
"conn_state" => "S0",
"@timestamp" => 2018-03-20T10:57:14.334Z,
"host" => "XXXX",
"ip_dest" => 10,
"ip_orig" => 10,
"resp_bytes" => 0,
"proto" => "udp",
"senderbase_lookup" => "http://www.senderbase.org/lookup/?search_string=10.208.1.183",
"resp_I2_addr" => "-",
"ip_orig-resolved" => "10",
"ts" => 2018-03-20T10:48:20.426Z,
"CBL_lookup" => "http://cbl.abuseat.org/lookup.cgi?ip=10.208.1.183",
"offset" => 2827607,
"message" => "conn\tsensor001-001\tbro\t1521542900.426871\tCRcVWN3LO7Sk3dLSO4\t10.208.1.183\t54752\t10.208.3.255\t137\tudp\tdns\t-\t-\t-\tS0\tT\tT\t0\tD\t1\t78\t0\t0\t(empty)\t-\t-\t-\t-\t0\t0\t-\t-",
"tunnel_parents" => "(empty)",
"local_orig" => "T",
"history" => "D",
"@version" => "1",
"tags" => [
[0] "beats_input_codec_plain_applied",
[1] "bro"
],
"port_orig" => 54752,
"service" => "dns",
"port_dest" => 137,
"orig_ip_bytes" => 78,
"resp_pkts" => 0,
"ip_dest-resolved" => "10",
"proc" => "bro",
"beat" => {
"version" => "6.2.2",
"hostname" => "XXXX",
"name" => "XXXX"
},
"type" => [
[0] "bro-conn",
[1] "conn"
],
"source" => "/data/logs/current/conn.log",
"sensor" => "sensor001-001",
"uid" => "CRcVWN3LO7Sk3dLSO4",
"orig_pkts" => 1,
"vlan" => 0,
"resp_ip_bytes" => 0,
"orig_bytes" => 0,
"orig_I2_addr" => "-",
"inner_vlan" => 0,
"Spamhaus_lookup" => "http://www.spamhaus.org/query/bl?ip=10.208.1.183",
"duration" => "-",
"local_resp" => "T"
}I can't understand why I can't trigger the translate.
Already added "exact" => true & "regex" => true but still the same problem.
Thanks in advance for your help.
Pedro Cabral