replace salesforce with corelight hassh plugin

mmguero-dev · Mar 21, 2024 · 4a72770 · 4a72770
1 parent 87f5cdf
commit 4a72770
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 4 deletions.
diff --git a/docs/components.md b/docs/components.md
@@ -38,6 +38,7 @@ Malcolm leverages the following excellent open source tools, among others.
     * Corelight's [bro-xor-exe](https://github.com/corelight/bro-xor-exe-plugin) plugin
     * Corelight's [callstranger-detector](https://github.com/corelight/callstranger-detector) plugin
     * Corelight's [DCE/RPC remote code execution vulnerability (CVE-2022-26809)](https://github.com/corelight/cve-2022-26809) plugin
+    * Corelight's [HASSH](https://github.com/corelight/hassh) SSH fingerprinting plugin
     * Corelight's [HTTP More Filenames](https://github.com/corelight/http-more-files-names) plugin
     * Corelight's [HTTP protocol stack vulnerability (CVE-2021-31166)](https://github.com/corelight/CVE-2021-31166) plugin
     * Corelight's [OpenSSL RCE buffer overrun vulnerability (CVE-2022-3602)](https://github.com/corelight/CVE-2022-3602) plugin
@@ -52,7 +53,6 @@ Malcolm leverages the following excellent open source tools, among others.
     * Lexi Brent's [EternalSafety](https://github.com/0xl3x1/zeek-EternalSafety) plugin
     * MITRE Cyber Analytics Repository's [Bro/Zeek ATT&CK®-Based Analytics (BZAR)](https://github.com/mitre-attack/car/tree/master/implementations) script
     * Salesforce's [gQUIC](https://github.com/salesforce/GQUIC_Protocol_Analyzer) analyzer
-    * Salesforce's [HASSH](https://github.com/salesforce/hassh) SSH fingerprinting plugin
     * Salesforce's [JA3](https://github.com/salesforce/ja3) TLS fingerprinting plugin
     * Zeek's [Spicy](https://github.com/zeek/spicy) plugin framework
 * [GeoLite2](https://dev.maxmind.com/geoip/geoip2/geolite2/) - Malcolm includes GeoLite2 data created by [MaxMind](https://www.maxmind.com)

diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf
@@ -3366,7 +3366,13 @@ filter {
     # ssh.log
     # https://docs.zeek.org/en/stable/scripts/base/protocols/ssh/main.zeek.html#type-SSH::Info
 
-    if ("_jsonparsesuccess" not in [tags]) {
+    if ("_jsonparsesuccess" in [tags]) {
+      mutate {
+        id => "mutate_rename_zeek_json_ssh_fields"
+        rename => { "[zeek_cols][hasshServer_Algorithms]" => "[zeek_cols][hasshServerAlgorithms]" }
+      }
+
+    } else {
       dissect {
         id => "dissect_zeek_ssh_with_all_fields_with_hassh"
         # zeek's default delimiter is a literal tab, MAKE SURE YOUR EDITOR DOESN'T SCREW IT UP

diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf
@@ -1812,7 +1812,7 @@ filter {
                merge => { "[ssh][key]" => "[@metadata][ssh_key_str]" } }
     }
 
-    # HASSH stuff (see https://github.com/salesforce/hassh/tree/master/bro)
+    # HASSH stuff (see https://github.com/corelight/hassh)
 
     if ([zeek][ssh][hassh]) {
       mutate { id => "mutate_merge_zeek_ssh_hassh"

diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh
@@ -89,6 +89,7 @@ ZKG_GITHUB_URLS=(
   "https://github.com/corelight/cve-2022-22954"
   "https://github.com/corelight/cve-2022-26809"
   "https://github.com/corelight/CVE-2022-3602"
+  "https://github.com/corelight/hassh"
   "https://github.com/corelight/http-more-files-names"
   "https://github.com/corelight/pingback"
   "https://github.com/corelight/ripple20"
@@ -106,7 +107,6 @@ ZKG_GITHUB_URLS=(
   "https://github.com/ncsa/bro-simple-scan"
   "https://github.com/precurse/zeek-httpattacks"
   "https://github.com/mmguero-dev/GQUIC_Protocol_Analyzer"
-  "https://github.com/salesforce/hassh"
   "https://github.com/salesforce/ja3"
   "https://github.com/zeek/spicy-dhcp"
   "https://github.com/zeek/spicy-dns"