From 549916831340ede7818e01abbcc37e589f9608ad Mon Sep 17 00:00:00 2001 From: JW-Corelight Date: Thu, 7 Nov 2024 21:45:07 -0500 Subject: [PATCH 01/10] Add http README.md with field mapping Signed-off-by: JW-Corelight --- mappings/markdown/Zeek/http_log/README.md | 81 +++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 mappings/markdown/Zeek/http_log/README.md diff --git a/mappings/markdown/Zeek/http_log/README.md b/mappings/markdown/Zeek/http_log/README.md new file mode 100644 index 00000000..e930a9f8 --- /dev/null +++ b/mappings/markdown/Zeek/http_log/README.md 
@@ -0,0 +1,81 @@ +# Event Dossier: Zeek http.log +### Summary: +- **Description**: Translates a Zeek http.log to OCSF. +- **Event References**: + - https://schema.ocsf.io/1.3.0/classes/http_activity + - https://docs.zeek.org/en/master/logs/http.html + - https://docs.zeek.org/en/master/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info + + ### Static mapping: OCSF Version 1.3.0 + - `metadata.version`: `1.3.0` + - `category_name`: `Network Activity` + - `category_uid`: `4` + - `class_name`: `HTTP Activity` + - `class_uid`: `4002` + - `metadata.log_name`: `http.log` + - `metadata.loggers.log_provider`: `Zeek` + - `metadata.loggers.product.name=`: `Zeek` + - `metadata.product.cpe_name`: `cpe:2.3:a:zeek:zeek` + - `metadata.product.feature.name`: `http.log` + - `metadata.product.name`: `Zeek` + - `metadata.product.url_string`: `https://docs.zeek.org/en/current/logs/http.html` + - `metadata.product.vendor_name`: `Zeek` + - `severity`: `Informational` + - `severity_id`: `1` + + ### Mapping: + +| OCSF | Raw | +| ------------------------------ | ----------------- | +|`time` |`ts` | +|`start_time` |`ts` | +|`metadata.loggers.logged_time` |`_write_ts` | +|`metadata.loggers.name` |`_system_name` | +|`metadata.uid` |`uid` | +|`src_endpoint.ip` |`id.orig_h` | +|`src_endpoint.port` |`id.orig_p` | +|`dst_endpoint.ip` |`id.resp_h` | +|`dst_endpoint.port` |`id.resp_p` | +|`http_request.http_cookies.value` |`cookie` | +|`http_request.http_headers.name` |"Accept Language"| +|`http_request.http_headers.value` |`accept_language`| +|`http_request.http_headers.name` |"Accept Encoding"| +|`http_request.http_headers.value` |`accept_encoding`| +|`http_request.http_headers.name` |"Accept" | +|`http_request.http_headers.value` |`accept` | +|`http_request.http_headers.name` |"Body" | +|`http_request.http_headers.value` |`post_body` | +|`http_request.http_headers.name` |"Origin" | +|`http_request.http_headers.value` |`origin` | +|`http_request.http_headers.name` |"Client Headers" | 
+|`http_request.http_headers.value` |`client_headers` | +|`http_request.http_method` |`method` | +|`http_request.length` |`request_body_len` | +|`http_request.referrer` |`referrer` | +|`http_request.url.hostname` |`dest_host` | +|`http_request.url.path` |`uri` | +|`http_request.user_agent` |`user_agent` | +|`http_request.version` |`version` | +|`http_request.x_forwarded_for` |`proxied` | +|`http_response.code` |`status_code` | +|`http_response.http_cookies.value` |`resp_cookie` | +|`http_response.http_headers.value` |`server_headers`| +|`http_response.length` |`response_body_len`| +|`http_response.status` |`status_msg` | +|`message` |`tags` | +|`observables.type_id:21` |`username` | + + + ### Unmapped (proposed): + +| OCSF | Raw | +| -------------------------| -------------------------| +| `file.name (src)` | `orig_filenames` | +| `file.name (dst)` | `resp_filenames` | +| `file.mime_type (src)` | `orig_mime_types` | +| `file.mime_type (dst)` | `resp_mime_types` | +| `file.uid (src)` | `orig_fuids` | +| `file.uid (dst)` | `resp_fuids` | +| `unmapped` | `trans_depth` | +| `unmapped` | `if_none_match` | +| `unmapped` | `if_modified_since` | From 4d06d45c4f8b114e412a076b71f3729ea43adfaf Mon Sep 17 00:00:00 2001 From: JW-Corelight Date: Thu, 7 Nov 2024 21:45:37 -0500 Subject: [PATCH 02/10] Add http_log.raw example log Signed-off-by: JW-Corelight --- .../Zeek/http_log/samples/http_log.raw | 88 +++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 mappings/markdown/Zeek/http_log/samples/http_log.raw diff --git a/mappings/markdown/Zeek/http_log/samples/http_log.raw b/mappings/markdown/Zeek/http_log/samples/http_log.raw new file mode 100644 index 00000000..2f8f7d34 --- /dev/null +++ b/mappings/markdown/Zeek/http_log/samples/http_log.raw 
@@ -0,0 +1,88 @@ +{ + _path: http + _system_name: sensor + _write_ts: 2024-10-16T02:43:57.736852Z + accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 + accept_encoding: gzip + accept_language: en-US,en;q=0.9,fr;q=0.8 + client_headers: [ + HOST: lifeisnetwork.com + CONNECTION: Keep-Alive + ACCEPT-ENCODING: gzip + CF-IPCOUNTRY: US + X-FORWARDED-FOR: 20.115.4.12 + CF-RAY: 6bc5aa001b3f6fbb-IAD + CONTENT-LENGTH: 28 + X-FORWARDED-PROTO: https + CF-VISITOR: {"scheme":"https"} + ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 + USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 + ACCEPT-LANGUAGE: en-US,en;q=0.9,fr;q=0.8 + CACHE-CONTROL: max-age=0 + REFERER: anonymousfox.co + UPGRADE-INSECURE-REQUESTS: 1 + CONTENT-TYPE: application/x-www-form-urlencoded + CF-CONNECTING-IP: 20.115.4.12 + CDN-LOOP: cloudflare + ] + cookie: [ + JSESSIONID=80DF1E116C9617F3EEAFBE46CF0A8E05 + ] + dest_host: lifeisnetwork.com + id.orig_h: 172.70.175.90 + id.orig_p: 26566 + id.resp_h: 198.71.247.91 + id.resp_p: 80 + if_modified_since: Fri, 02 Jun 2017 17:39:05 GMT + if_none_match: "80424021c7dbd21:0" + method: POST + orig_filenames: [ + payload.zip + ] + orig_fuids: [ + FDDthg48f7r5xYMkAf + ] + orig_mime_types: [ + text/plain + ] + origin: http://172.0.0.101 + post_body: 1=echo%22AnonymousFox+%22%3B + proxied: [ + X-FORWARDED-FOR -> 20.115.4.12 + ] + referrer: anonymousfox.co + request_body_len: 28 + resp_cookie: [ + SSID=eaf1bddcaafb7e25f4fe29a6dc0744f1; HttpOnly + ] + resp_filenames: [ + ISRG Root X1.der + ] + resp_fuids: [ + Fa3Nye3upzqg6Rruoa + ] + resp_mime_types: [ + text/html + ] + response_body_len: 279 + server_headers: [ + DATE: Sun, 12 Dec 2021 08:43:15 GMT + SERVER: Apache/2.4.41 (Ubuntu) + CONTENT-LENGTH: 279 + KEEP-ALIVE: timeout=5, max=100 + CONNECTION: Keep-Alive + CONTENT-TYPE: text/html; charset=iso-8859-1 + ] + 
status_code: 404 + status_msg: Not Found + tags: [ + CVE_2021_44228::LOG4J_RCE + ] + trans_depth: 1 + ts: 2024-10-16T02:43:57.734946Z + uid: CbNapWwSGFIOYRBzk + uri: /wp-includes/css/wp-config.php + user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 + username: tomcat + version: 1.1 +} From 8883523beadaa221462bdf73857414e41afbaf95 Mon Sep 17 00:00:00 2001 From: JW-Corelight Date: Fri, 8 Nov 2024 09:39:41 -0500 Subject: [PATCH 03/10] Update http_log.raw to valid JSON Signed-off-by: JW-Corelight --- .../Zeek/http_log/samples/http_log.raw | 172 +++++++++--------- 1 file changed, 86 insertions(+), 86 deletions(-) diff --git a/mappings/markdown/Zeek/http_log/samples/http_log.raw b/mappings/markdown/Zeek/http_log/samples/http_log.raw index 2f8f7d34..08b840db 100644 --- a/mappings/markdown/Zeek/http_log/samples/http_log.raw +++ b/mappings/markdown/Zeek/http_log/samples/http_log.raw 
@@ -1,88 +1,88 @@ { - _path: http - _system_name: sensor - _write_ts: 2024-10-16T02:43:57.736852Z - accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 - accept_encoding: gzip - accept_language: en-US,en;q=0.9,fr;q=0.8 - client_headers: [ - HOST: lifeisnetwork.com - CONNECTION: Keep-Alive - ACCEPT-ENCODING: gzip - CF-IPCOUNTRY: US - X-FORWARDED-FOR: 20.115.4.12 - CF-RAY: 6bc5aa001b3f6fbb-IAD - CONTENT-LENGTH: 28 - X-FORWARDED-PROTO: https - CF-VISITOR: {"scheme":"https"} - ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 - USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 - ACCEPT-LANGUAGE: en-US,en;q=0.9,fr;q=0.8 - CACHE-CONTROL: max-age=0 - REFERER: anonymousfox.co - UPGRADE-INSECURE-REQUESTS: 1 - CONTENT-TYPE: application/x-www-form-urlencoded - CF-CONNECTING-IP: 20.115.4.12 - CDN-LOOP: cloudflare - ] - cookie: [ - JSESSIONID=80DF1E116C9617F3EEAFBE46CF0A8E05 - ] - dest_host: lifeisnetwork.com - id.orig_h: 172.70.175.90 - id.orig_p: 26566 - id.resp_h: 198.71.247.91 - id.resp_p: 80 - if_modified_since: Fri, 02 Jun 2017 17:39:05 GMT - if_none_match: "80424021c7dbd21:0" - method: POST - orig_filenames: [ - payload.zip - ] - orig_fuids: [ - FDDthg48f7r5xYMkAf - ] - orig_mime_types: [ - text/plain - ] - origin: http://172.0.0.101 - post_body: 1=echo%22AnonymousFox+%22%3B - proxied: [ - X-FORWARDED-FOR -> 20.115.4.12 - ] - referrer: anonymousfox.co - request_body_len: 28 - resp_cookie: [ - SSID=eaf1bddcaafb7e25f4fe29a6dc0744f1; HttpOnly - ] - resp_filenames: [ - ISRG Root X1.der - ] - resp_fuids: [ - Fa3Nye3upzqg6Rruoa - ] - resp_mime_types: [ - text/html - ] - response_body_len: 279 - server_headers: [ - DATE: Sun, 12 Dec 2021 08:43:15 GMT - SERVER: Apache/2.4.41 (Ubuntu) - CONTENT-LENGTH: 279 - KEEP-ALIVE: timeout=5, max=100 - CONNECTION: Keep-Alive - CONTENT-TYPE: text/html; charset=iso-8859-1 - ] - 
status_code: 404 - status_msg: Not Found - tags: [ - CVE_2021_44228::LOG4J_RCE - ] - trans_depth: 1 - ts: 2024-10-16T02:43:57.734946Z - uid: CbNapWwSGFIOYRBzk - uri: /wp-includes/css/wp-config.php - user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 - username: tomcat - version: 1.1 + "_path": "http", + "_system_name": "sensor", + "_write_ts": "2024-10-16T02:43:57.736852Z", + "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8", + "accept_encoding": "gzip", + "accept_language": "en-US,en;q=0.9,fr;q=0.8", + "client_headers": [ + "HOST: lifeisnetwork.com", + "CONNECTION: Keep-Alive", + "ACCEPT-ENCODING: gzip", + "CF-IPCOUNTRY: US", + "X-FORWARDED-FOR: 20.115.4.12", + "CF-RAY: 6bc5aa001b3f6fbb-IAD", + "CONTENT-LENGTH: 28", + "X-FORWARDED-PROTO: https", + "CF-VISITOR: {\"scheme\":\"https\"}", + "ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8", + "USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", + "ACCEPT-LANGUAGE: en-US,en;q=0.9,fr;q=0.8", + "CACHE-CONTROL: max-age=0", + "REFERER: anonymousfox.co", + "UPGRADE-INSECURE-REQUESTS: 1", + "CONTENT-TYPE: application/x-www-form-urlencoded", + "CF-CONNECTING-IP: 20.115.4.12", + "CDN-LOOP: cloudflare" + ], + "cookie": [ + "JSESSIONID=80DF1E116C9617F3EEAFBE46CF0A8E05" + ], + "dest_host": "lifeisnetwork.com", + "id.orig_h": "172.70.175.90", + "id.orig_p": 26566, + "id.resp_h": "198.71.247.91", + "id.resp_p": 80, + "if_modified_since": "Fri, 02 Jun 2017 17:39:05 GMT", + "if_none_match": "\"80424021c7dbd21:0\"", + "method": "POST", + "orig_filenames": [ + "payload.zip" + ], + "orig_fuids": [ + "FDDthg48f7r5xYMkAf" + ], + "orig_mime_types": [ + "text/plain" + ], + "origin": "http://172.0.0.101", + "post_body": "1=echo%22AnonymousFox+%22%3B", + "proxied": [ + "X-FORWARDED-FOR -> 
20.115.4.12" + ], + "referrer": "anonymousfox.co", + "request_body_len": 28, + "resp_cookie": [ + "SSID=eaf1bddcaafb7e25f4fe29a6dc0744f1; HttpOnly" + ], + "resp_filenames": [ + "ISRG Root X1.der" + ], + "resp_fuids": [ + "Fa3Nye3upzqg6Rruoa" + ], + "resp_mime_types": [ + "text/html" + ], + "response_body_len": 279, + "server_headers": [ + "DATE: Sun, 12 Dec 2021 08:43:15 GMT", + "SERVER: Apache/2.4.41 (Ubuntu)", + "CONTENT-LENGTH: 279", + "KEEP-ALIVE: timeout=5, max=100", + "CONNECTION: Keep-Alive", + "CONTENT-TYPE: text/html; charset=iso-8859-1" + ], + "status_code": 404, + "status_msg": "Not Found", + "tags": [ + "CVE_2021_44228::LOG4J_RCE" + ], + "trans_depth": 1, + "ts": "2024-10-16T02:43:57.734946Z", + "uid": "CbNapWwSGFIOYRBzk", + "uri": "/wp-includes/css/wp-config.php", + "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", + "username": "tomcat", + "version": "1.1" } From 0f1954d53a2811390daef086060b6198a599a9ce Mon Sep 17 00:00:00 2001 From: JW-Corelight Date: Tue, 12 Nov 2024 12:44:34 -0500 Subject: [PATCH 04/10] Update to metadata.loggers[] fields Signed-off-by: JW-Corelight --- mappings/markdown/Zeek/http_log/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mappings/markdown/Zeek/http_log/README.md b/mappings/markdown/Zeek/http_log/README.md index e930a9f8..dbd8c0a5 100644 --- a/mappings/markdown/Zeek/http_log/README.md +++ b/mappings/markdown/Zeek/http_log/README.md 
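Review bot: The sample carries routable addresses — `"id.orig_h": "172.70.175.90"`, `"id.resp_h": "198.71.247.91"` and `20.115.4.12` inside `client_headers`/`proxied` — together with a hostname, a referrer and a session-cookie value that all read as genuine, and sample data that ships with a mapping is better drawn from the RFC 5737 documentation ranges (e.g. `192.0.2.0/24`) and reserved example names so it can never be mistaken for real telemetry or point at a third party. The conversion to strict JSON itself looks right: the nested quotes in `if_none_match` and `CF-VISITOR` are escaped and the integer fields (`id.orig_p`, `request_body_len`, `status_code`, `trans_depth`) stay unquoted. One consistency point with the README: `proxied` is stored as `"X-FORWARDED-FOR -> 20.115.4.12"`, so a consumer mapping it to `http_request.x_forwarded_for` has to strip the `HEADER -> ` prefix first; since a `.raw` JSON file cannot carry a comment, that caveat belongs next to the mapping row in the README.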
@@ -29,14 +29,14 @@ | ------------------------------ | ----------------- | |`time` |`ts` | |`start_time` |`ts` | -|`metadata.loggers.logged_time` |`_write_ts` | -|`metadata.loggers.name` |`_system_name` | +|`metadata.loggers[].logged_time`|`_write_ts` | +|`metadata.loggers[].name` |`_system_name` | |`metadata.uid` |`uid` | |`src_endpoint.ip` |`id.orig_h` | |`src_endpoint.port` |`id.orig_p` | |`dst_endpoint.ip` |`id.resp_h` | |`dst_endpoint.port` |`id.resp_p` | -|`http_request.http_cookies.value` |`cookie` | +|`http_request.http_cookies.value` |`cookie` | |`http_request.http_headers.name` |"Accept Language"| |`http_request.http_headers.value` |`accept_language`| |`http_request.http_headers.name` |"Accept Encoding"| From 931af9918687fb4bc10d154e36e055d94886993a Mon Sep 17 00:00:00 2001 From: JW-Corelight Date: Wed, 13 Nov 2024 11:58:58 -0500 Subject: [PATCH 05/10] Update to metadata.logged_time Signed-off-by: JW-Corelight --- mappings/markdown/Zeek/http_log/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mappings/markdown/Zeek/http_log/README.md b/mappings/markdown/Zeek/http_log/README.md index dbd8c0a5..4fc571cd 100644 --- a/mappings/markdown/Zeek/http_log/README.md +++ b/mappings/markdown/Zeek/http_log/README.md @@ -29,7 +29,7 @@ | ------------------------------ | ----------------- | |`time` |`ts` | |`start_time` |`ts` | -|`metadata.loggers[].logged_time`|`_write_ts` | +|`metadata.logged_time` |`_write_ts` | |`metadata.loggers[].name` |`_system_name` | |`metadata.uid` |`uid` | |`src_endpoint.ip` |`id.orig_h` | From 741b4387455e61ab3d5b05988838d7c7e22adae9 Mon Sep 17 00:00:00 2001 From: JW-Corelight Date: Thu, 14 Nov 2024 16:01:12 -0500 Subject: [PATCH 06/10] Update http_request header record notes and unmapped .file. field proposal list Signed-off-by: JW-Corelight --- mappings/markdown/Zeek/http_log/README.md | 94 +++++++++++------------ 1 file changed, 44 insertions(+), 50 deletions(-) 
diff --git a/mappings/markdown/Zeek/http_log/README.md b/mappings/markdown/Zeek/http_log/README.md
index 4fc571cd..72132800 100644
--- a/mappings/markdown/Zeek/http_log/README.md
+++ b/mappings/markdown/Zeek/http_log/README.md
@@ -25,57 +25,51 @@ ### Mapping: -| OCSF | Raw | -| ------------------------------ | ----------------- | -|`time` |`ts` | -|`start_time` |`ts` | -|`metadata.logged_time` |`_write_ts` | -|`metadata.loggers[].name` |`_system_name` | -|`metadata.uid` |`uid` | -|`src_endpoint.ip` |`id.orig_h` | -|`src_endpoint.port` |`id.orig_p` | -|`dst_endpoint.ip` |`id.resp_h` | -|`dst_endpoint.port` |`id.resp_p` | -|`http_request.http_cookies.value` |`cookie` | -|`http_request.http_headers.name` |"Accept Language"| -|`http_request.http_headers.value` |`accept_language`| -|`http_request.http_headers.name` |"Accept Encoding"| -|`http_request.http_headers.value` |`accept_encoding`| -|`http_request.http_headers.name` |"Accept" | -|`http_request.http_headers.value` |`accept` | -|`http_request.http_headers.name` |"Body" | -|`http_request.http_headers.value` |`post_body` | -|`http_request.http_headers.name` |"Origin" | -|`http_request.http_headers.value` |`origin` | -|`http_request.http_headers.name` |"Client Headers" | -|`http_request.http_headers.value` |`client_headers` | -|`http_request.http_method` |`method` | -|`http_request.length` |`request_body_len` | -|`http_request.referrer` |`referrer` | -|`http_request.url.hostname` |`dest_host` | -|`http_request.url.path` |`uri` | -|`http_request.user_agent` |`user_agent` | -|`http_request.version` |`version` | -|`http_request.x_forwarded_for` |`proxied` | -|`http_response.code` |`status_code` | -|`http_response.http_cookies.value` |`resp_cookie` | -|`http_response.http_headers.value` |`server_headers`| -|`http_response.length` |`response_body_len`| -|`http_response.status` |`status_msg` | -|`message` |`tags` | -|`observables.type_id:21` |`username` | +| OCSF | Raw | Notes | +| ------------------------------ | ----------------- | ----------------- | +|`time` |`ts` | | +|`start_time` |`ts` | | +|`metadata.logged_time` |`_write_ts` | | +|`metadata.loggers[].name` |`_system_name` | | +|`metadata.uid` |`uid` | | +|`src_endpoint.ip` |`id.orig_h` 
| | +|`src_endpoint.port` |`id.orig_p` | | +|`dst_endpoint.ip` |`id.resp_h` | | +|`dst_endpoint.port` |`id.resp_p` | | +|`http_request.http_cookies.value` |`cookie` | | +|`http_request.http_headers.value` |`accept_language`| In a record where `http_request.http_headers.name` = "Accept Language"| +|`http_request.http_headers.value` |`accept_encoding`| In a record where `http_request.http_headers.name` = "Accept Encoding"| +|`http_request.http_headers.value` |`accept` | In a record where `http_request.http_headers.name` = "Accept" | +|`http_request.http_headers.value` |`post_body` | In a record where `http_request.http_headers.name` = "Body" | +|`http_request.http_headers.value` |`origin` | In a record where `http_request.http_headers.name` = "Origin" | +|`http_request.http_headers.value` |`client_headers` | In a record where `http_request.http_headers.name` = "Client Headers" | +|`http_request.http_method` |`method` | | +|`http_request.length` |`request_body_len` | | +|`http_request.referrer` |`referrer` | | +|`http_request.url.hostname` |`dest_host` | | +|`http_request.url.path` |`uri` | | +|`http_request.user_agent` |`user_agent` | | +|`http_request.version` |`version` | | +|`http_request.x_forwarded_for` |`proxied` | | +|`http_response.code` |`status_code` | | +|`http_response.http_cookies.value` |`resp_cookie` | | +|`http_response.http_headers.value` |`server_headers`| | +|`http_response.length` |`response_body_len`| | +|`http_response.status` |`status_msg` | | +|`message` |`tags` | | +|`observables.type_id:21` |`username` | | ### Unmapped (proposed): -| OCSF | Raw | -| -------------------------| -------------------------| -| `file.name (src)` | `orig_filenames` | -| `file.name (dst)` | `resp_filenames` | -| `file.mime_type (src)` | `orig_mime_types` | -| `file.mime_type (dst)` | `resp_mime_types` | -| `file.uid (src)` | `orig_fuids` | -| `file.uid (dst)` | `resp_fuids` | -| `unmapped` | `trans_depth` | -| `unmapped` | `if_none_match` | -| `unmapped` | 
`if_modified_since` | +| OCSF | Raw | +| ----------------------------------| -------------------------| +| `http_request.(file.name)` | `orig_filenames` | +| `http_response.(file.name)` | `resp_filenames` | +| `http_request.(file.mime_type[])` | `orig_mime_types` | +| `http_response.(file.mime_type[])`| `resp_mime_types` | +| `http_request.(file.uid)` | `orig_fuids` | +| `http_response.(file.uid)` | `resp_fuids` | +| `unmapped` | `trans_depth` | +| `unmapped` | `if_none_match` | +| `unmapped` | `if_modified_since` | From 7654740145a673aa6f345275b61cc761826a4c80 Mon Sep 17 00:00:00 2001 From: JW-Corelight Date: Thu, 21 Nov 2024 12:36:44 -0500 Subject: [PATCH 07/10] Add Zeek Field Description context; add Conditional mapping section Signed-off-by: JW-Corelight --- mappings/markdown/Zeek/http_log/README.md | 94 ++++++++++++----------- 1 file changed, 48 insertions(+), 46 deletions(-) diff --git a/mappings/markdown/Zeek/http_log/README.md b/mappings/markdown/Zeek/http_log/README.md index 72132800..de2d0dea 100644 --- a/mappings/markdown/Zeek/http_log/README.md +++ b/mappings/markdown/Zeek/http_log/README.md 
@@ -24,52 +24,54 @@ - `severity_id`: `1` ### Mapping: +| OCSF | Raw | Zeek Field Description | +| ------------------------------ | ----------------- | --------------------------------------------------------------------------------------- | +| `time` | `ts` | Timestamp indicating when the event occurred. | +| `start_time` | `ts` | Timestamp indicating when the event occurred. | +| `metadata.logged_time` | `_write_ts` | Timestamp indicating when the log entry was written to disk. | +| `metadata.loggers[].name` | `_system_name` | Name of the system or logging subsystem generating the log entry. | +| `metadata.uid` | `uid` | Unique ID for the connection. | +| `src_endpoint.ip` | `id.orig_h` | The originator’s IP address. | +| `src_endpoint.port` | `id.orig_p` | The originator’s port number. | +| `dst_endpoint.ip` | `id.resp_h` | The responder’s IP address. | +| `dst_endpoint.port` | `id.resp_p` | The responder’s port number. | +| `http_request.http_method` | `method` | Verb used in the HTTP request (GET, POST, HEAD, etc.). | +| `http_request.length` | `request_body_len`| Actual uncompressed content size of the data transferred from the client. | +| `http_request.referrer` | `referrer` | Value of the “referrer” header. | +| `http_request.url.hostname` | `dest_host` | (No description available) | +| `http_request.url.path` | `uri` | URI used in the request. | +| `http_request.user_agent` | `user_agent` | Value of the User-Agent header from the client. | +| `http_request.version` | `version` | Value of the version portion of the reply. | +| `http_request.x_forwarded_for` | `proxied` | All of the headers that may indicate if the request was proxied. | +| `http_response.code` | `status_code` | Status code returned by the server. | +| `http_response.length` | `response_body_len`| Actual uncompressed content size of the data transferred from the server. | +| `http_response.status` | `status_msg` | Status message returned by the server. 
| +| `message` | `tags` | A set of indicators of various attributes discovered and related to a particular request/response pair. | -| OCSF | Raw | Notes | -| ------------------------------ | ----------------- | ----------------- | -|`time` |`ts` | | -|`start_time` |`ts` | | -|`metadata.logged_time` |`_write_ts` | | -|`metadata.loggers[].name` |`_system_name` | | -|`metadata.uid` |`uid` | | -|`src_endpoint.ip` |`id.orig_h` | | -|`src_endpoint.port` |`id.orig_p` | | -|`dst_endpoint.ip` |`id.resp_h` | | -|`dst_endpoint.port` |`id.resp_p` | | -|`http_request.http_cookies.value` |`cookie` | | -|`http_request.http_headers.value` |`accept_language`| In a record where `http_request.http_headers.name` = "Accept Language"| -|`http_request.http_headers.value` |`accept_encoding`| In a record where `http_request.http_headers.name` = "Accept Encoding"| -|`http_request.http_headers.value` |`accept` | In a record where `http_request.http_headers.name` = "Accept" | -|`http_request.http_headers.value` |`post_body` | In a record where `http_request.http_headers.name` = "Body" | -|`http_request.http_headers.value` |`origin` | In a record where `http_request.http_headers.name` = "Origin" | -|`http_request.http_headers.value` |`client_headers` | In a record where `http_request.http_headers.name` = "Client Headers" | -|`http_request.http_method` |`method` | | -|`http_request.length` |`request_body_len` | | -|`http_request.referrer` |`referrer` | | -|`http_request.url.hostname` |`dest_host` | | -|`http_request.url.path` |`uri` | | -|`http_request.user_agent` |`user_agent` | | -|`http_request.version` |`version` | | -|`http_request.x_forwarded_for` |`proxied` | | -|`http_response.code` |`status_code` | | -|`http_response.http_cookies.value` |`resp_cookie` | | -|`http_response.http_headers.value` |`server_headers`| | -|`http_response.length` |`response_body_len`| | -|`http_response.status` |`status_msg` | | -|`message` |`tags` | | -|`observables.type_id:21` |`username` | | - + ### 
Conditional mapping: +Fields described here are subject to dynamic mappings contingent on a conditional evaluation of source data. +| OCSF | Raw | Evaluation Conditions | Zeek Field Description | +| --------------------------------- | ----------------- | --------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | +| `http_request.http_cookies.value` | `cookie` | Where `http_request.http_cookies.name` = "Request Cookie" | Cookie value used by the client machine. | +| `http_request.http_headers.value` | `accept_language` | Where `http_request.http_headers.name` = "Accept Language" | (No description available) | +| `http_request.http_headers.value` | `accept_encoding` | Where `http_request.http_headers.name` = "Accept Encoding" | (No description available) | +| `http_request.http_headers.value` | `accept` | Where `http_request.http_headers.name` = "Accept" | (No description available) | +| `http_request.http_headers.value` | `post_body` | Where `http_request.http_headers.name` = "Body" | The post_body information. | +| `http_request.http_headers.value` | `origin` | Where `http_request.http_headers.name` = "Origin" | Value of the Origin header from the client. | +| `http_request.http_headers.value` | `client_headers` | Where `http_request.http_headers.name` = "Client Headers" | (No description available) | +| `http_response.http_cookies.value`| `resp_cookie` | Where `http_response.http_cookies.name` = "Response Cookie" | (No description available) | +| `http_response.http_headers.value`| `server_headers` | Where `http_response.http_headers.name` = "Server Headers" | (No description available) | +| `observables.value` | `username` | Where `observables.type_id` = `4` | Username if basic-auth is performed for the request. 
| ### Unmapped (proposed): - -| OCSF | Raw | -| ----------------------------------| -------------------------| -| `http_request.(file.name)` | `orig_filenames` | -| `http_response.(file.name)` | `resp_filenames` | -| `http_request.(file.mime_type[])` | `orig_mime_types` | -| `http_response.(file.mime_type[])`| `resp_mime_types` | -| `http_request.(file.uid)` | `orig_fuids` | -| `http_response.(file.uid)` | `resp_fuids` | -| `unmapped` | `trans_depth` | -| `unmapped` | `if_none_match` | -| `unmapped` | `if_modified_since` | +| OCSF | Raw | Zeek Field Description | +| ----------------------------------| -------------------------| --------------------------------------------------------------------------------------- | +| `http_request.(file.names[])` | `orig_filenames` | An ordered vector of filenames from the client. | +| `http_response.(file.names[])` | `resp_filenames` | An ordered vector of filenames from the server. | +| `http_request.(file.mime_types[])`| `orig_mime_types` | An ordered vector of mime types. | +| `http_response.(file.mime_types[])`| `resp_mime_types` | An ordered vector of mime types. | +| `http_request.(file.uids[])` | `orig_fuids` | An ordered vector of file unique IDs. | +| `http_response.(file.uids[])` | `resp_fuids` | An ordered vector of file unique IDs. | +| `unmapped` | `trans_depth` | Represents the pipelined depth into the connection of this request/response transaction.| +| `unmapped` | `if_none_match` | (No description available) | +| `unmapped` | `if_modified_since` | (No description available) | From d245f7d697a540e0797010175e5fda589022c9ad Mon Sep 17 00:00:00 2001 From: JW-Corelight Date: Thu, 21 Nov 2024 14:48:10 -0500 Subject: [PATCH 08/10] Changed observables and http_headers to observables[] and http_headers[] Signed-off-by: JW-Corelight --- mappings/markdown/Zeek/http_log/README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
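Review bot: The `http_request.x_forwarded_for` ← `proxied` row in the Mapping table copies a set of `HEADER -> value` strings (the row's own description says it holds all headers that may indicate proxying, and the sample log shows `X-FORWARDED-FOR -> 20.115.4.12`) into what OCSF defines as an array of IP addresses, so a literal copy puts header names into an IP-typed field. That row belongs in the new Conditional mapping table with a transform, e.g. `| \`http_request.x_forwarded_for[]\` | \`proxied\` | For entries beginning with \`X-FORWARDED-FOR -> \`, keep only the address after the arrow | All of the headers that may indicate if the request was proxied. |`. Two smaller type mismatches remain: `message` ← `tags` assigns a set to a string field and should state how the set is joined, and the Request/Response Cookie rows set `http_cookies[].name` to a fixed label although in OCSF that attribute is the cookie's own name, so the `name=value` pairs in `cookie`/`resp_cookie` should be split instead. Finally, `post_body` is presented as a header named "Body"; a request body is not a header and will surprise detection content that enumerates `http_headers[]`, so — as far as I can tell OCSF 1.3.0 `http_request` has no body attribute — `unmapped` with a note would be the more honest row.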
diff --git a/mappings/markdown/Zeek/http_log/README.md b/mappings/markdown/Zeek/http_log/README.md
index de2d0dea..1fffb4eb 100644
--- a/mappings/markdown/Zeek/http_log/README.md
+++ b/mappings/markdown/Zeek/http_log/README.md
@@ -52,16 +52,16 @@ Fields described here are subject to dynamic mappings contingent on a conditional evaluation of source data. | OCSF | Raw | Evaluation Conditions | Zeek Field Description | | --------------------------------- | ----------------- | --------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | -| `http_request.http_cookies.value` | `cookie` | Where `http_request.http_cookies.name` = "Request Cookie" | Cookie value used by the client machine. | -| `http_request.http_headers.value` | `accept_language` | Where `http_request.http_headers.name` = "Accept Language" | (No description available) | -| `http_request.http_headers.value` | `accept_encoding` | Where `http_request.http_headers.name` = "Accept Encoding" | (No description available) | -| `http_request.http_headers.value` | `accept` | Where `http_request.http_headers.name` = "Accept" | (No description available) | -| `http_request.http_headers.value` | `post_body` | Where `http_request.http_headers.name` = "Body" | The post_body information. | -| `http_request.http_headers.value` | `origin` | Where `http_request.http_headers.name` = "Origin" | Value of the Origin header from the client. | -| `http_request.http_headers.value` | `client_headers` | Where `http_request.http_headers.name` = "Client Headers" | (No description available) | -| `http_response.http_cookies.value`| `resp_cookie` | Where `http_response.http_cookies.name` = "Response Cookie" | (No description available) | -| `http_response.http_headers.value`| `server_headers` | Where `http_response.http_headers.name` = "Server Headers" | (No description available) | -| `observables.value` | `username` | Where `observables.type_id` = `4` | Username if basic-auth is performed for the request. 
| +| `http_request.http_cookies[].value` | `cookie` | Where `http_request.http_cookies[].name` = "Request Cookie" | Cookie value used by the client machine. | +| `http_request.http_headers[].value` | `accept_language` | Where `http_request.http_headers[].name` = "Accept Language" | (No description available) | +| `http_request.http_headers[].value` | `accept_encoding` | Where `http_request.http_headers[].name` = "Accept Encoding" | (No description available) | +| `http_request.http_headers[].value` | `accept` | Where `http_request.http_headers[].name` = "Accept" | (No description available) | +| `http_request.http_headers[].value` | `post_body` | Where `http_request.http_headers[].name` = "Body" | The post_body information. | +| `http_request.http_headers[].value` | `origin` | Where `http_request.http_headers[].name` = "Origin" | Value of the Origin header from the client. | +| `http_request.http_headers[].value` | `client_headers` | Where `http_request.http_headers[].name` = "Client Headers" | (No description available) | +| `http_response.http_cookies[].value`| `resp_cookie` | Where `http_response.http_cookies[].name` = "Response Cookie" | (No description available) | +| `http_response.http_headers[].value`| `server_headers` | Where `http_response.http_headers[].name` = "Server Headers" | (No description available) | +| `observables[].value` | `username` | Where `observables[].type_id` = `4` | Username if basic-auth is performed for the request. | ### Unmapped (proposed): | OCSF | Raw | Zeek Field Description | From 8d0857291831dbdcd1eb868fff30ac6306e8b5f4 Mon Sep 17 00:00:00 2001 From: JW-Corelight Date: Thu, 21 Nov 2024 16:35:59 -0500 Subject: [PATCH 09/10] Convert Static mapping section to table Signed-off-by: JW-Corelight --- mappings/markdown/Zeek/http_log/README.md | 52 ++++++++++++----------- 1 file changed, 27 insertions(+), 25 deletions(-) 
diff --git a/mappings/markdown/Zeek/http_log/README.md b/mappings/markdown/Zeek/http_log/README.md index 1fffb4eb..efaeeeaa 100644 --- a/mappings/markdown/Zeek/http_log/README.md +++ b/mappings/markdown/Zeek/http_log/README.md @@ -6,22 +6,24 @@ - https://docs.zeek.org/en/master/logs/http.html - https://docs.zeek.org/en/master/scripts/base/protocols/http/main.zeek.html#type-HTTP::Info - ### Static mapping: OCSF Version 1.3.0 - - `metadata.version`: `1.3.0` - - `category_name`: `Network Activity` - - `category_uid`: `4` - - `class_name`: `HTTP Activity` - - `class_uid`: `4002` - - `metadata.log_name`: `http.log` - - `metadata.loggers.log_provider`: `Zeek` - - `metadata.loggers.product.name=`: `Zeek` - - `metadata.product.cpe_name`: `cpe:2.3:a:zeek:zeek` - - `metadata.product.feature.name`: `http.log` - - `metadata.product.name`: `Zeek` - - `metadata.product.url_string`: `https://docs.zeek.org/en/current/logs/http.html` - - `metadata.product.vendor_name`: `Zeek` - - `severity`: `Informational` - - `severity_id`: `1` + ### Static mapping +| OCSF field | Value | +| ----------------------------------- | ----------------------------------------------- | +| `metadata.version` | "1.3.0" | +| `category_name` | "Network Activity" | +| `category_uid` | "4" | +| `class_name` | "HTTP Activity" | +| `class_uid` | "4002" | +| `metadata.log_name` | "http.log" | +| `metadata.loggers[].log_provider` | "Zeek" | +| `metadata.loggers[].product.name` | "Zeek" | +| `metadata.product.cpe_name` | "cpe:2.3:a:zeek:zeek" | +| `metadata.product.feature.name` | "http.log" | +| `metadata.product.name` | "Zeek" | +| `metadata.product.url_string` | "https://docs.zeek.org/en/current/logs/http.html"| +| `metadata.product.vendor_name` | "Zeek" | +| `severity` | "Informational" | +| `severity_id` | "1" | ### Mapping: | OCSF | Raw | Zeek Field Description | 
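Review bot: The rebuilt Static mapping table quotes every value, so integer-typed OCSF attributes now read as strings: `"4"` for `category_uid`, `"4002"` for `class_uid`, `"1"` for `severity_id`, and in the second hunk of this patch `observables[].type_id` = `"4"`. In OCSF 1.3.0 these are integer fields, and a producer that copies the quoted form will emit JSON strings that fail schema validation; the earlier backtick form did not carry this ambiguity. Keep the quotes for string values and drop them on the integer rows, e.g. `| \`category_uid\` | 4 |`, `| \`class_uid\` | 4002 |`, `| \`severity_id\` | 1 |`, and `Where \`observables[].type_id\` = 4` in the conditional table.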
@@ -53,15 +55,15 @@ Fields described here are subject to dynamic mappings contingent on a conditiona
 | OCSF | Raw | Evaluation Conditions | Zeek Field Description |
 | --------------------------------- | ----------------- | --------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- |
 | `http_request.http_cookies[].value` | `cookie` | Where `http_request.http_cookies[].name` = "Request Cookie" | Cookie value used by the client machine. |
-| `http_request.http_headers[].value` | `accept_language` | Where `http_request.http_headers[].name` = "Accept Language" | (No description available) |
-| `http_request.http_headers[].value` | `accept_encoding` | Where `http_request.http_headers[].name` = "Accept Encoding" | (No description available) |
-| `http_request.http_headers[].value` | `accept` | Where `http_request.http_headers[].name` = "Accept" | (No description available) |
+| `http_request.http_headers[].value` | `accept_language` | Where `http_request.http_headers[].name` = "Accept Language" | |
+| `http_request.http_headers[].value` | `accept_encoding` | Where `http_request.http_headers[].name` = "Accept Encoding" | |
+| `http_request.http_headers[].value` | `accept` | Where `http_request.http_headers[].name` = "Accept" | |
 | `http_request.http_headers[].value` | `post_body` | Where `http_request.http_headers[].name` = "Body" | The post_body information. |
 | `http_request.http_headers[].value` | `origin` | Where `http_request.http_headers[].name` = "Origin" | Value of the Origin header from the client. 
|
-| `http_request.http_headers[].value` | `client_headers` | Where `http_request.http_headers[].name` = "Client Headers" | (No description available) |
-| `http_response.http_cookies[].value`| `resp_cookie` | Where `http_response.http_cookies[].name` = "Response Cookie" | (No description available) |
-| `http_response.http_headers[].value`| `server_headers` | Where `http_response.http_headers[].name` = "Server Headers" | (No description available) |
-| `observables[].value` | `username` | Where `observables[].type_id` = `4` | Username if basic-auth is performed for the request. |
+| `http_request.http_headers[].value` | `client_headers` | Where `http_request.http_headers[].name` = "Client Headers" | |
+| `http_response.http_cookies[].value`| `resp_cookie` | Where `http_response.http_cookies[].name` = "Response Cookie" | |
+| `http_response.http_headers[].value`| `server_headers` | Where `http_response.http_headers[].name` = "Server Headers" | |
+| `observables[].value` | `username` | Where `observables[].type_id` = "4" | Username if basic-auth is performed for the request. |
 ### Unmapped (proposed):
 | OCSF | Raw | Zeek Field Description |
@@ -73,5 +75,5 @@ Fields described here are subject to dynamic mappings contingent on a conditiona
 | `http_request.(file.uids[])` | `orig_fuids` | An ordered vector of file unique IDs. |
 | `http_response.(file.uids[])` | `resp_fuids` | An ordered vector of file unique IDs. |
 | `unmapped` | `trans_depth` | Represents the pipelined depth into the connection of this request/response transaction.|
-| `unmapped` | `if_none_match` | (No description available) |
-| `unmapped` | `if_modified_since` | (No description available) |
+| `unmapped` | `if_none_match` | |
+| `unmapped` | `if_modified_since` | |
From 8a1a0e11b5599b1a007f5f5780670cd654b90ea5 Mon Sep 17 00:00:00 2001
From: JW-Corelight
Date: Fri, 22 Nov 2024 11:23:18 -0500
Subject: [PATCH 10/10] Create http_log.ocsf
Signed-off-by: JW-Corelight
---
 .../Zeek/http_log/samples/http_log.ocsf | 136 ++++++++++++++++++
 1 file changed, 136 insertions(+)
 create mode 100644 mappings/markdown/Zeek/http_log/samples/http_log.ocsf
diff --git a/mappings/markdown/Zeek/http_log/samples/http_log.ocsf b/mappings/markdown/Zeek/http_log/samples/http_log.ocsf
new file mode 100644
index 00000000..181bd92e
--- /dev/null
+++ b/mappings/markdown/Zeek/http_log/samples/http_log.ocsf
@@ -0,0 +1,136 @@
+{
+ "time": "2024-10-16T02:43:57.734946Z",
+ "start_time": "2024-10-16T02:43:57.734946Z",
+ "category_name": "Network Activity",
+ "category_uid": 4,
+ "class_name": "HTTP Activity",
+ "class_uid": 4002,
+ "severity": "Informational",
+ "severity_id": 1,
+ "metadata": {
+ "version": "1.3.0",
+ "log_name": "http.log",
+ "logged_time": "2024-10-16T02:43:57.736852Z",
+ "loggers": [
+ {
+ "name": "sensor",
+ "log_provider": "Zeek",
+ "product": {
+ "name": "Zeek"
+ }
+ }
+ ],
+ "product": {
+ "cpe_name": "cpe:2.3:a:zeek:zeek",
+ "feature": {
+ "name": "http.log"
+ },
+ "name": "Zeek",
+ "url_string": "https://docs.zeek.org/en/current/logs/http.html",
+ "vendor_name": "Zeek"
+ },
+ "uid": "CbNapWwSGFIOYRBzk"
+ },
+ "src_endpoint": {
+ "ip": "172.70.175.90",
+ "port": 26566
+ },
+ "dst_endpoint": {
+ "ip": "198.71.247.91",
+ "port": 80
+ },
+ "http_request": {
+ "http_method": "POST",
+ "length": 28,
+ "referrer": "anonymousfox.co",
+ "url": {
+ "hostname": "lifeisnetwork.com",
+ "path": "/wp-includes/css/wp-config.php"
+ },
+ "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
+ "version": "1.1",
+ "x_forwarded_for": [
+ "X-FORWARDED-FOR -> 20.115.4.12"
+ ],
+ "http_cookies": [
+ {
+ "name": "Request Cookie",
+ "value": "JSESSIONID=80DF1E116C9617F3EEAFBE46CF0A8E05"
+ }
+ ],
+ "http_headers": [
+ {
+ "name": "Accept Language",
+ "value": "en-US,en;q=0.9,fr;q=0.8"
+ },
+ {
+ "name": "Accept Encoding",
+ "value": "gzip"
+ },
+ {
+ "name": "Accept",
+ "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"
+ },
+ {
+ "name": "Body",
+ "value": "1=echo%22AnonymousFox+%22%3B"
+ },
+ {
+ "name": "Origin",
+ "value": "http://172.0.0.101"
+ },
+ {
+ "name": "Client Headers",
+ "value": "HOST: lifeisnetwork.com; CONNECTION: Keep-Alive; ACCEPT-ENCODING: gzip; CF-IPCOUNTRY: US; X-FORWARDED-FOR: 20.115.4.12; CF-RAY: 6bc5aa001b3f6fbb-IAD; 
CONTENT-LENGTH: 28; X-FORWARDED-PROTO: https; CF-VISITOR: {\"scheme\":\"https\"}; ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8; USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36; ACCEPT-LANGUAGE: en-US,en;q=0.9,fr;q=0.8; CACHE-CONTROL: max-age=0; REFERER: anonymousfox.co; UPGRADE-INSECURE-REQUESTS: 1; CONTENT-TYPE: application/x-www-form-urlencoded; CF-CONNECTING-IP: 20.115.4.12; CDN-LOOP: cloudflare"
+ }
+ ]
+ },
+ "http_response": {
+ "code": 404,
+ "length": 279,
+ "status": "Not Found",
+ "http_cookies": [
+ {
+ "name": "Response Cookie",
+ "value": "SSID=eaf1bddcaafb7e25f4fe29a6dc0744f1; HttpOnly"
+ }
+ ],
+ "http_headers": [
+ {
+ "name": "Server Headers",
+ "value": "DATE: Sun, 12 Dec 2021 08:43:15 GMT; SERVER: Apache/2.4.41 (Ubuntu); CONTENT-LENGTH: 279; KEEP-ALIVE: timeout=5, max=100; CONNECTION: Keep-Alive; CONTENT-TYPE: text/html; charset=iso-8859-1"
+ }
+ ]
+ },
+ "message": "CVE_2021_44228::LOG4J_RCE",
+ "observables": [
+ {
+ "value": "tomcat",
+ "type_id": "4",
+ "type": "Username"
+ }
+ ],
+ "unmapped": {
+ "orig_filenames": [
+ "payload.zip"
+ ],
+ "resp_filenames": [
+ "ISRG Root X1.der"
+ ],
+ "orig_mime_types": [
+ "text/plain"
+ ],
+ "resp_mime_types": [
+ "text/html"
+ ],
+ "orig_fuids": [
+ "FDDthg48f7r5xYMkAf"
+ ],
+ "resp_fuids": [
+ "Fa3Nye3upzqg6Rruoa"
+ ],
+ "trans_depth": 1,
+ "if_none_match": "\"80424021c7dbd21:0\"",
+ "if_modified_since": "Fri, 02 Jun 2017 17:39:05 GMT"
+ }
+}
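Review bot: `observables[].type_id` is emitted as the string "4" while `category_uid`, `class_uid` and `severity_id` in the same document are JSON numbers, so the sample contradicts itself on integer-typed `_id`/`_uid` fields; OCSF declares `type_id` as an integer, so `"type_id": 4` is the form a schema validator will accept, and the README's static-mapping table (which quotes all of these values) should then say the same. The `x_forwarded_for` element `"X-FORWARDED-FOR -> 20.115.4.12"` carries the header name as a prefix, whereas `src_endpoint.ip` and `dst_endpoint.ip` hold bare addresses; `"x_forwarded_for": ["20.115.4.12"]` looks like the intended value, though I am inferring that from the `X-FORWARDED-FOR` entry inside the "Client Headers" string. The sample also embeds what appear to be routable addresses and real hostnames alongside a live-looking exploitation payload and session cookies, so readers may mistake a committed sample for an indicator list; RFC 5737 documentation addresses (e.g. `198.51.100.7`) and example.com hostnames keep the shape identical while making the file safe to publish. Finally, `"message": "CVE_2021_44228::LOG4J_RCE"` has no corresponding http.log field in the README mapping visible on this page and names a different attack than the WordPress request shown, so its source should be documented or the field dropped.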