Merge pull request #1374 from SEKOIA-IO/fix(suricata)rpd_smart_desc

fix(suricata): missing rdp smart description
SEKOIA-IO · Dec 10, 2024 · 525a164 · 525a164
2 parents 90bbb8d + d2fbff8
commit 525a164
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 0 deletions.
diff --git a/Suricata/suricata/_meta/smart-descriptions.json b/Suricata/suricata/_meta/smart-descriptions.json
@@ -198,6 +198,22 @@
       }
     ]
   },
+  {
+    "value": "RDP traffic from  {source.ip} to {destination.ip}",
+    "conditions": [
+      {
+        "field": "action.type",
+        "value": "rdp"
+      }
+    ],
+    "relationships": [
+      {
+        "source": "source.ip",
+        "target": "destination.ip",
+        "type": "requested"
+      }
+    ]
+  },
   {
     "value": "Traffic flow from  {source.ip} with {user_agent.original} to {destination.ip} with {http.request.method} request to {url.original}",
     "conditions": [

diff --git a/Suricata/suricata/tests/rdp.json b/Suricata/suricata/tests/rdp.json
@@ -0,0 +1,57 @@
+{
+  "input": {
+    "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}",
+    "sekoiaio": {
+      "intake": {
+        "dialect": "Suricata",
+        "dialect_uuid": "331fa58d-8cf9-454a-a87f-48a3dc07d4d3"
+      }
+    }
+  },
+  "expected": {
+    "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}",
+    "event": {
+      "category": [
+        "network"
+      ],
+      "type": [
+        "connection"
+      ]
+    },
+    "@timestamp": "2024-11-29T15:08:06.239558Z",
+    "action": {
+      "type": "rdp"
+    },
+    "destination": {
+      "address": "10.0.1.4",
+      "ip": "10.0.1.4",
+      "port": 3389
+    },
+    "host": {
+      "ip": "14.225.46.243"
+    },
+    "network": {
+      "community_id": "1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=",
+      "protocol": "TCP",
+      "transport": "TCP"
+    },
+    "observer": {
+      "ingress": {
+        "interface": {
+          "name": "eth0"
+        }
+      }
+    },
+    "related": {
+      "ip": [
+        "10.0.1.4",
+        "14.225.46.243"
+      ]
+    },
+    "source": {
+      "address": "14.225.46.243",
+      "ip": "14.225.46.243",
+      "port": 58953
+    }
+  }
+}