Below is a Logstash filter that adds some useful derived fields to events from Bro's x509.log: the certificate's validity window as real dates, its lifespan, and whether it was already expired at the time Bro observed it (the check is made against the event's @timestamp, not the indexing clock).
The field names are:
- cert.expired
- cert.date.not_valid_after
- cert.date.not_valid_before
- cert.lifespan.days
- cert.lifespan.hours
- cert.lifespan.seconds
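# BRO x509 filter
# Normalises Bro x509.log events (selected by [doctype] == "x509") into a nested
# [cert] structure and derives a few fields from the certificate validity window:
#   [cert][date][not_valid_before], [cert][date][not_valid_after]
#       the Bro epoch timestamps parsed into proper dates
#   [cert][lifespan][seconds], [cert][lifespan][hours], [cert][lifespan][days]
#       not_valid_after - not_valid_before (integer, rounded up on the seconds value)
#   [cert][expired]
#       true when not_valid_after is at or before the event's @timestamp, i.e. the
#       certificate was already expired when Bro saw it - NOT when it was indexed
# NOTE(review): only the leaf certificate's own dates are checked; Bro's x509.log carries no
# chain information, and a certificate whose not_valid_before is still in the future is not
# flagged by this filter.
filter {
  if [doctype] == "x509" {
    mutate {
      # "host" is discarded here. With several Bro sensors feeding one pipeline you may
      # prefer to keep or rename it so the observing sensor stays attributable.
      remove_field => [ "host" ]
      rename => {
        "id"                           => "[bro][fuid]"
        "basic_constraints.ca"         => "[basic_constraints][ca]"
        "certificate.curve"            => "[cert][curve]"
        "certificate.exponent"         => "[cert][exponent]"
        "certificate.issuer"           => "[cert][issuer]"
        "certificate.key_alg"          => "[cert][key][alg]"
        "certificate.key_length"       => "[cert][key][length]"
        "certificate.key_type"         => "[cert][key][type]"
        "certificate.not_valid_after"  => "[cert][not_valid_after]"
        "certificate.not_valid_before" => "[cert][not_valid_before]"
        "certificate.serial"           => "[cert][serial]"
        "certificate.sig_alg"          => "[cert][sig_alg]"
        "certificate.subject"          => "[cert][subject]"
        "certificate.version"          => "[cert][version]"
        "san.dns"                      => "san_dns"
      }
    }
    # Bro emits time fields as epoch seconds (usually fractional); "UNIX" accepts both
    # integer and float input. If the field is missing the date filter simply skips it,
    # and the [cert][date][...] target is then absent.
    date {
      match  => [ "[cert][not_valid_after]", "UNIX" ]
      target => "[cert][date][not_valid_after]"
    }
    date {
      match  => [ "[cert][not_valid_before]", "UNIX" ]
      target => "[cert][date][not_valid_before]"
    }
    # Lifespan is computed from the raw epoch values, expiry from the parsed date vs. @timestamp.
    # Each derivation is skipped when its inputs are missing or non-numeric (truncated or
    # malformed x509 record) instead of raising and tagging the event _rubyexception.
    # A day is 86400 seconds; the original divided by 84600, which inflated the day count.
    # Once 'seconds' is an Integer the divisions are already whole numbers, so no extra
    # rounding is applied to hours and days.
    ruby {
      code => "
        vafter  = event.get('[cert][not_valid_after]')
        vbefore = event.get('[cert][not_valid_before]')
        if vafter.is_a?(Numeric) && vbefore.is_a?(Numeric)
          seconds = (vafter - vbefore).ceil
          event.set('[cert][lifespan][seconds]', seconds)
          event.set('[cert][lifespan][hours]',   seconds / 3600)
          event.set('[cert][lifespan][days]',    seconds / 86400)
        end
        not_after = event.get('[cert][date][not_valid_after]')
        observed  = event.get('@timestamp')
        if not_after && observed
          event.set('[cert][expired]', (not_after - observed) <= 0)
        end
      "
    }
  }
}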
Below is what the output looks like in Kibana