-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathcorelight-dns.ssp
113 lines (96 loc) · 4.3 KB
/
corelight-dns.ssp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
<%
import com.humio.perftest._
import play.api.libs.json._
import org.fusesource.scalate._
import org.fusesource.scalate.RenderContext._
import org.apache.commons.math3.distribution._
// setup
if (init) {
// domain/ip(s) pairs
data.register("domains",
new CSVSampler(data.distributions.normal, "templates/data/dns.csv"))
// log line elements
data.register("uid", new IntSampler(data.distributions.normal, 0, 166956))
data.register("id.orig_h_host2", new IntSampler(data.distributions.normal, 0, 200))
data.register("id.orig_p", new IntSampler(data.distributions.uniform, 16000, 65535))
data.register("id.resp_h", new CSVSampler(data.distributions.logNormal, "templates/data/dns_id.resp_h.samples.csv"))
data.register("id.resp_p", new ArraySampler(data.distributions.logNormal, Array("53", "137", "5355", "5353")))
data.register("trans_id", new IntSampler(data.distributions.uniform, 0, 65535))
data.register("proto", new ArraySampler(data.distributions.exponential, Array("udp", "tcp")))
data.register("qtype", new CSVSampler(data.distributions.logNormal, "templates/data/dns_qtype.samples.csv"))
data.register("rcode", new CSVSampler(data.distributions.logNormal, "templates/data/dns_rcode.samples.csv"))
data.register("Z", new ArraySampler(data.distributions.logNormal,
Array("0", "1", "1", "1", "1", "1")))
// host for tagging
data.register("host", new IntSampler(data.distributions.normal, 0, 768))
// ttl for first answer
data.register("ttl_1", new CSVSampler(data.distributions.uniform, "templates/data/dns_ttls0.csv"))
// ttls for subsequent answers (if they exist)
data.register("ttl_2", new CSVSampler(data.distributions.uniform, "templates/data/dns_ttls1.csv"))
// guesstimate
data.register("AA", new ArraySampler(data.distributions.logNormal,
Array("0", "0", "0", "0", "0", "1")))
// guesstimate
data.register("rejected", new ArraySampler(data.distributions.logNormal,
Array("0", "0", "0", "0", "1", "1")))
}
// build data
val host = data.sample("host")
val uid = "C" + data.sha1(data.sample("uid")).substring(0,20)
val id_orig_h = "192.168.0." + data.sample("id.orig_h_host2")
val id_orig_p = data.sample("id.orig_p")
val id_resp_h = data.sample("id.resp_h")
val id_resp_p = data.sample("id.resp_p")
val proto = data.sample("proto")
val trans_id = data.sample("trans_id")
val domain_row = data.sampleRow("domains")
val query = domain_row(0)
val answers = domain_row(1).split(" ")
val first_ttl = data.sample("ttl_1") + ".0"
val ttl_rest = (1 to answers.length-1).map(_idx => data.sample("ttl_2") + ".0").toList
val ttls = List(first_ttl) ++ ttl_rest
val qtype_row = data.sampleRow("qtype")
val qtype_name = qtype_row(0)
val qtype = qtype_row(1)
val rcode_row = data.sampleRow("rcode")
val rcode_name = rcode_row(0)
val rcode = rcode_row(1)
val z = data.sample("Z")
val aa = data.sample("AA")
val rejected = data.sample("rejected")
val jsonObj = Json.obj(
"source" -> "corelight-dns",
"sourcetype" -> "json",
"host" -> host,
"fields" -> Json.obj(
"#path" -> "dns"
),
"event" -> Json.obj(
"uid" -> uid,
"id.orig_h" -> id_orig_h,
"id.orig_p" -> id_orig_p,
"id.resp_h" -> id_resp_h,
"id.resp_p" -> id_resp_p,
"proto" -> proto,
"trans_id" -> trans_id,
"query" -> query,
"qclass" -> "1",
"qclass_name" -> "C_INTERNET",
"qtype" -> qtype,
"qtype_name" -> qtype_name,
"rcode" -> rcode,
"rcode_name" -> rcode_name,
"AA" -> (if (aa == "1") true else false),
"TC" -> false,
"RA" -> true,
"RD" -> true,
"Z" -> z,
"answers" -> answers,
"TTLs" -> ttls,
"rejected" -> (if (rejected == "1") true else false),
"_write_ts" -> iso8601TimestampSeconds
),
"time" -> data.timestamp
)
val output = Json.toJson(jsonObj)
%>${output.toString.trim}