| # Bro-IDS Logstash parser | |
| # Parts of this taken from http://www.appliednsm.com/wp-content/uploads/logstash-SObro22-parse.conf_.txt | |
| #Logs being parsed: | |
| #app_stats.log | |
| #conn.log | |
| #dns.log | |
| #dpd.log | |
| #files.log | |
| #http.log |
I hereby claim:
To claim this, I am signing this object:
| <manifest schemaversion="4.1" binaryversion="8.00"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="none" noconfig="true" /> | |
| <option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
| <manifest schemaversion="4.2" binaryversion="8.00"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="none" noconfig="true" /> | |
| <option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
| <DataCollectorSet><Status>0</Status><Duration>0</Duration><Description/><DescriptionUnresolved/><DisplayName/><DisplayNameUnresolved/><SchedulesEnabled>-1</SchedulesEnabled><LatestOutputLocation>C:\temp\</LatestOutputLocation><Name>sysmon</Name><OutputLocation>D:\temp\</OutputLocation><RootPath>D:\temp</RootPath><Segment>0</Segment><SegmentMaxDuration>0</SegmentMaxDuration><SegmentMaxSize>0</SegmentMaxSize><SerialNumber>7</SerialNumber><Server/><Subdirectory/><SubdirectoryFormat>1</SubdirectoryFormat><SubdirectoryFormatPattern/><Task/><TaskRunAsSelf>0</TaskRunAsSelf><TaskArguments/><TaskUserTextArguments/><UserAccount>SYSTEM</UserAccount><Security>O:BAG:DUD:AI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;LU)(A;;0x1301ff;;;S-1-5-80-2661322625-712705077-2999183737-3043590567-590698655)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200ab;;;LU)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)</Security><StopOnCompletion>0</StopOnCompletion><PerformanceCounterDataCollector><DataCollectorType>0</DataCollectorType><Name>System Monitor Log</Name> |
| # Required module > ImportExcel | |
| # Install it like this > "Install-Module ImportExcel" | |
| # | |
| # Get the dataset from the ATT&CK matrix | |
| # TODO: | |
| # Diff online and offline, to only download on updates | |
| # parameters for download, xlsx file and so on. | |
| write-host "[+] Loading MITRE ATT&CK Data" -ForegroundColor Cyan | |
| $dataset=Get-Content -Path enterprise-attack.json | ConvertFrom-Json | Select-Object -ExpandProperty objects | where type -eq "attack-pattern" |
| <manifest schemaversion="4.0" binaryversion="1.01"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="none" noconfig="true" /> | |
| <option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
| <manifest schemaversion="4.21" binaryversion="9.10"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="optional" noconfig="true" /> | |
| <option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
| <manifest schemaversion="4.22" binaryversion="9.20"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="optional" noconfig="true" /> | |
| <option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
| <manifest schemaversion="4.30" binaryversion="9.20"> | |
| <configuration> | |
| <options> | |
| <!-- Command-line only options --> | |
| <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" /> | |
| <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" /> | |
| <option switch="t" name="DebugMode" argument="optional" noconfig="true" /> | |
| <option switch="s" name="PrintSchema" argument="optional" noconfig="true" exclusive="true" /> |
