Advertisement
Guest User

Bro Index Template

a guest
Oct 30th, 2015
149
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 26.41 KB | None | 0 0
  1. curl -XPUT localhost:9200/_template/fixstrings_bro -d '{
  2. "template": "bro-*",
  3. "mappings": {
  4. "http": {
  5. "properties": {
  6. "host": {
  7. "type": "string",
  8. "index": "not_analyzed"
  9. },
  10. "id.orig_h": {
  11. "type": "string",
  12. "index": "not_analyzed"
  13. },
  14. "id.orig_p": {
  15. "type": "long"
  16. },
  17. "id.resp_h": {
  18. "type": "string",
  19. "index": "not_analyzed"
  20. },
  21. "id.resp_p": {
  22. "type": "long"
  23. },
  24. "method": {
  25. "type": "string",
  26. "index": "not_analyzed"
  27. },
  28. "orig_fuids": {
  29. "type": "string",
  30. "index": "not_analyzed"
  31. },
  32. "orig_mime_types": {
  33. "type": "string",
  34. "index": "not_analyzed"
  35. },
  36. "referrer": {
  37. "type": "string",
  38. "index": "not_analyzed"
  39. },
  40. "request_body_len": {
  41. "type": "long"
  42. },
  43. "resp_fuids": {
  44. "type": "string",
  45. "index": "not_analyzed"
  46. },
  47. "resp_mime_types": {
  48. "type": "string",
  49. "index": "not_analyzed"
  50. },
  51. "response_body_len": {
  52. "type": "long"
  53. },
  54. "status_code": {
  55. "type": "long"
  56. },
  57. "status_msg": {
  58. "type": "string",
  59. "index": "not_analyzed"
  60. },
  61. "tags": {
  62. "type": "string",
  63. "index": "not_analyzed"
  64. },
  65. "trans_depth": {
  66. "type": "long"
  67. },
  68. "ts": {
  69. "type": "long"
  70. },
  71. "uid": {
  72. "type": "string",
  73. "index": "not_analyzed"
  74. },
  75. "uri": {
  76. "type": "string",
  77. "index": "not_analyzed"
  78. },
  79. "user_agent": {
  80. "type": "string",
  81. "index": "not_analyzed"
  82. }
  83. }
  84. },
  85. "known_hosts": {
  86. "properties": {
  87. "host": {
  88. "type": "string",
  89. "index": "not_analyzed"
  90. },
  91. "ts": {
  92. "type": "long"
  93. }
  94. }
  95. },
  96. "known_services": {
  97. "properties": {
  98. "host": {
  99. "type": "string",
  100. "index": "not_analyzed"
  101. },
  102. "port_num": {
  103. "type": "long"
  104. },
  105. "port_proto": {
  106. "type": "string",
  107. "index": "not_analyzed"
  108. },
  109. "service": {
  110. "type": "string",
  111. "index": "not_analyzed"
  112. },
  113. "ts": {
  114. "type": "long"
  115. }
  116. }
  117. },
  118. "dpd": {
  119. "properties": {
  120. "analyzer": {
  121. "type": "string",
  122. "index": "not_analyzed"
  123. },
  124. "failure_reason": {
  125. "type": "string",
  126. "index": "not_analyzed"
  127. },
  128. "id.orig_h": {
  129. "type": "string",
  130. "index": "not_analyzed"
  131. },
  132. "id.orig_p": {
  133. "type": "long"
  134. },
  135. "id.resp_h": {
  136. "type": "string",
  137. "index": "not_analyzed"
  138. },
  139. "id.resp_p": {
  140. "type": "long"
  141. },
  142. "proto": {
  143. "type": "string",
  144. "index": "not_analyzed"
  145. },
  146. "ts": {
  147. "type": "long"
  148. },
  149. "uid": {
  150. "type": "string",
  151. "index": "not_analyzed"
  152. }
  153. }
  154. },
  155. "weird": {
  156. "properties": {
  157. "id.orig_h": {
  158. "type": "string",
  159. "index": "not_analyzed"
  160. },
  161. "id.orig_p": {
  162. "type": "long"
  163. },
  164. "id.resp_h": {
  165. "type": "string",
  166. "index": "not_analyzed"
  167. },
  168. "id.resp_p": {
  169. "type": "long"
  170. },
  171. "name": {
  172. "type": "string",
  173. "index": "not_analyzed"
  174. },
  175. "notice": {
  176. "type": "boolean"
  177. },
  178. "peer": {
  179. "type": "string",
  180. "index": "not_analyzed"
  181. },
  182. "ts": {
  183. "type": "long"
  184. },
  185. "uid": {
  186. "type": "string",
  187. "index": "not_analyzed"
  188. }
  189. }
  190. },
  191. "smtp": {
  192. "properties": {
  193. "helo": {
  194. "type": "string",
  195. "index": "not_analyzed"
  196. },
  197. "id.orig_h": {
  198. "type": "string",
  199. "index": "not_analyzed"
  200. },
  201. "id.orig_p": {
  202. "type": "long"
  203. },
  204. "id.resp_h": {
  205. "type": "string",
  206. "index": "not_analyzed"
  207. },
  208. "id.resp_p": {
  209. "type": "long"
  210. },
  211. "is_webmail": {
  212. "type": "boolean"
  213. },
  214. "last_reply": {
  215. "type": "string",
  216. "index": "not_analyzed"
  217. },
  218. "path": {
  219. "type": "string",
  220. "index": "not_analyzed"
  221. },
  222. "tls": {
  223. "type": "boolean"
  224. },
  225. "trans_depth": {
  226. "type": "long"
  227. },
  228. "ts": {
  229. "type": "long"
  230. },
  231. "uid": {
  232. "type": "string",
  233. "index": "not_analyzed"
  234. }
  235. }
  236. },
  237. "ssl": {
  238. "properties": {
  239. "cert_chain_fuids": {
  240. "type": "string",
  241. "index": "not_analyzed"
  242. },
  243. "cipher": {
  244. "type": "string",
  245. "index": "not_analyzed"
  246. },
  247. "curve": {
  248. "type": "string",
  249. "index": "not_analyzed"
  250. },
  251. "established": {
  252. "type": "boolean"
  253. },
  254. "id.orig_h": {
  255. "type": "string",
  256. "index": "not_analyzed"
  257. },
  258. "id.orig_p": {
  259. "type": "long"
  260. },
  261. "id.resp_h": {
  262. "type": "string",
  263. "index": "not_analyzed"
  264. },
  265. "id.resp_p": {
  266. "type": "long"
  267. },
  268. "issuer": {
  269. "type": "string",
  270. "index": "not_analyzed"
  271. },
  272. "next_protocol": {
  273. "type": "string",
  274. "index": "not_analyzed"
  275. },
  276. "resumed": {
  277. "type": "boolean"
  278. },
  279. "server_name": {
  280. "type": "string",
  281. "index": "not_analyzed"
  282. },
  283. "subject": {
  284. "type": "string",
  285. "index": "not_analyzed"
  286. },
  287. "ts": {
  288. "type": "long"
  289. },
  290. "uid": {
  291. "type": "string",
  292. "index": "not_analyzed"
  293. },
  294. "validation_status": {
  295. "type": "string",
  296. "index": "not_analyzed"
  297. },
  298. "version": {
  299. "type": "string",
  300. "index": "not_analyzed"
  301. }
  302. }
  303. },
  304. "dns": {
  305. "properties": {
  306. "AA": {
  307. "type": "boolean"
  308. },
  309. "RA": {
  310. "type": "boolean"
  311. },
  312. "RD": {
  313. "type": "boolean"
  314. },
  315. "TC": {
  316. "type": "boolean"
  317. },
  318. "Z": {
  319. "type": "long"
  320. },
  321. "id.orig_h": {
  322. "type": "string",
  323. "index": "not_analyzed"
  324. },
  325. "id.orig_p": {
  326. "type": "long"
  327. },
  328. "id.resp_h": {
  329. "type": "string",
  330. "index": "not_analyzed"
  331. },
  332. "id.resp_p": {
  333. "type": "long"
  334. },
  335. "proto": {
  336. "type": "string",
  337. "index": "not_analyzed"
  338. },
  339. "qclass": {
  340. "type": "long"
  341. },
  342. "qclass_name": {
  343. "type": "string",
  344. "index": "not_analyzed"
  345. },
  346. "qtype": {
  347. "type": "long"
  348. },
  349. "qtype_name": {
  350. "type": "string",
  351. "index": "not_analyzed"
  352. },
  353. "query": {
  354. "type": "string",
  355. "index": "not_analyzed"
  356. },
  357. "rcode": {
  358. "type": "long"
  359. },
  360. "rcode_name": {
  361. "type": "string",
  362. "index": "not_analyzed"
  363. },
  364. "rejected": {
  365. "type": "boolean"
  366. },
  367. "trans_id": {
  368. "type": "long"
  369. },
  370. "ts": {
  371. "type": "long"
  372. },
  373. "uid": {
  374. "type": "string",
  375. "index": "not_analyzed"
  376. }
  377. }
  378. },
  379. "snmp": {
  380. "properties": {
  381. "community": {
  382. "type": "string",
  383. "index": "not_analyzed"
  384. },
  385. "duration": {
  386. "type": "double"
  387. },
  388. "get_bulk_requests": {
  389. "type": "long"
  390. },
  391. "get_requests": {
  392. "type": "long"
  393. },
  394. "get_responses": {
  395. "type": "long"
  396. },
  397. "id.orig_h": {
  398. "type": "string",
  399. "index": "not_analyzed"
  400. },
  401. "id.orig_p": {
  402. "type": "long"
  403. },
  404. "id.resp_h": {
  405. "type": "string",
  406. "index": "not_analyzed"
  407. },
  408. "id.resp_p": {
  409. "type": "long"
  410. },
  411. "set_requests": {
  412. "type": "long"
  413. },
  414. "ts": {
  415. "type": "long"
  416. },
  417. "uid": {
  418. "type": "string",
  419. "index": "not_analyzed"
  420. },
  421. "version": {
  422. "type": "string",
  423. "index": "not_analyzed"
  424. }
  425. }
  426. },
  427. "x509": {
  428. "properties": {
  429. "basic_constraints.ca": {
  430. "type": "boolean"
  431. },
  432. "basic_constraints.path_len": {
  433. "type": "long"
  434. },
  435. "certificate.exponent": {
  436. "type": "string",
  437. "index": "not_analyzed"
  438. },
  439. "certificate.issuer": {
  440. "type": "string",
  441. "index": "not_analyzed"
  442. },
  443. "certificate.key_alg": {
  444. "type": "string",
  445. "index": "not_analyzed"
  446. },
  447. "certificate.key_length": {
  448. "type": "long"
  449. },
  450. "certificate.key_type": {
  451. "type": "string",
  452. "index": "not_analyzed"
  453. },
  454. "certificate.not_valid_after": {
  455. "type": "long"
  456. },
  457. "certificate.not_valid_before": {
  458. "type": "long"
  459. },
  460. "certificate.serial": {
  461. "type": "string",
  462. "index": "not_analyzed"
  463. },
  464. "certificate.sig_alg": {
  465. "type": "string",
  466. "index": "not_analyzed"
  467. },
  468. "certificate.subject": {
  469. "type": "string",
  470. "index": "not_analyzed"
  471. },
  472. "certificate.version": {
  473. "type": "long"
  474. },
  475. "id": {
  476. "type": "string",
  477. "index": "not_analyzed"
  478. },
  479. "san.dns": {
  480. "type": "string",
  481. "index": "not_analyzed"
  482. },
  483. "ts": {
  484. "type": "long"
  485. }
  486. }
  487. },
  488. "sip": {
  489. "properties": {
  490. "call_id": {
  491. "type": "string",
  492. "index": "not_analyzed"
  493. },
  494. "id.orig_h": {
  495. "type": "string",
  496. "index": "not_analyzed"
  497. },
  498. "id.orig_p": {
  499. "type": "long"
  500. },
  501. "id.resp_h": {
  502. "type": "string",
  503. "index": "not_analyzed"
  504. },
  505. "id.resp_p": {
  506. "type": "long"
  507. },
  508. "method": {
  509. "type": "string",
  510. "index": "not_analyzed"
  511. },
  512. "request_body_len": {
  513. "type": "string",
  514. "index": "not_analyzed"
  515. },
  516. "request_from": {
  517. "type": "string",
  518. "index": "not_analyzed"
  519. },
  520. "request_path": {
  521. "type": "string",
  522. "index": "not_analyzed"
  523. },
  524. "request_to": {
  525. "type": "string",
  526. "index": "not_analyzed"
  527. },
  528. "seq": {
  529. "type": "string",
  530. "index": "not_analyzed"
  531. },
  532. "trans_depth": {
  533. "type": "long"
  534. },
  535. "ts": {
  536. "type": "long"
  537. },
  538. "uid": {
  539. "type": "string",
  540. "index": "not_analyzed"
  541. },
  542. "uri": {
  543. "type": "string",
  544. "index": "not_analyzed"
  545. },
  546. "user_agent": {
  547. "type": "string",
  548. "index": "not_analyzed"
  549. }
  550. }
  551. },
  552. "notice": {
  553. "properties": {
  554. "actions": {
  555. "type": "string",
  556. "index": "not_analyzed"
  557. },
  558. "dropped": {
  559. "type": "boolean"
  560. },
  561. "dst": {
  562. "type": "string",
  563. "index": "not_analyzed"
  564. },
  565. "id.orig_h": {
  566. "type": "string",
  567. "index": "not_analyzed"
  568. },
  569. "id.orig_p": {
  570. "type": "long"
  571. },
  572. "id.resp_h": {
  573. "type": "string",
  574. "index": "not_analyzed"
  575. },
  576. "id.resp_p": {
  577. "type": "long"
  578. },
  579. "msg": {
  580. "type": "string",
  581. "index": "not_analyzed"
  582. },
  583. "note": {
  584. "type": "string",
  585. "index": "not_analyzed"
  586. },
  587. "p": {
  588. "type": "long"
  589. },
  590. "peer_descr": {
  591. "type": "string",
  592. "index": "not_analyzed"
  593. },
  594. "proto": {
  595. "type": "string",
  596. "index": "not_analyzed"
  597. },
  598. "src": {
  599. "type": "string",
  600. "index": "not_analyzed"
  601. },
  602. "sub": {
  603. "type": "string",
  604. "index": "not_analyzed"
  605. },
  606. "suppress_for": {
  607. "type": "double"
  608. },
  609. "ts": {
  610. "type": "long"
  611. },
  612. "uid": {
  613. "type": "string",
  614. "index": "not_analyzed"
  615. }
  616. }
  617. },
  618. "files": {
  619. "properties": {
  620. "analyzers": {
  621. "type": "string",
  622. "index": "not_analyzed"
  623. },
  624. "conn_uids": {
  625. "type": "string",
  626. "index": "not_analyzed"
  627. },
  628. "depth": {
  629. "type": "long"
  630. },
  631. "duration": {
  632. "type": "double"
  633. },
  634. "filename": {
  635. "type": "string",
  636. "index": "not_analyzed"
  637. },
  638. "fuid": {
  639. "type": "string",
  640. "index": "not_analyzed"
  641. },
  642. "is_orig": {
  643. "type": "boolean"
  644. },
  645. "local_orig": {
  646. "type": "boolean"
  647. },
  648. "md5": {
  649. "type": "string",
  650. "index": "not_analyzed"
  651. },
  652. "mime_type": {
  653. "type": "string",
  654. "index": "not_analyzed"
  655. },
  656. "missing_bytes": {
  657. "type": "long"
  658. },
  659. "overflow_bytes": {
  660. "type": "long"
  661. },
  662. "rx_hosts": {
  663. "type": "string",
  664. "index": "not_analyzed"
  665. },
  666. "seen_bytes": {
  667. "type": "long"
  668. },
  669. "sha1": {
  670. "type": "string",
  671. "index": "not_analyzed"
  672. },
  673. "source": {
  674. "type": "string",
  675. "index": "not_analyzed"
  676. },
  677. "timedout": {
  678. "type": "boolean"
  679. },
  680. "total_bytes": {
  681. "type": "long"
  682. },
  683. "ts": {
  684. "type": "long"
  685. },
  686. "tx_hosts": {
  687. "type": "string",
  688. "index": "not_analyzed"
  689. }
  690. }
  691. },
  692. "intel": {
  693. "properties": {
  694. "id.orig_h": {
  695. "type": "string",
  696. "index": "not_analyzed"
  697. },
  698. "id.orig_p": {
  699. "type": "long"
  700. },
  701. "id.resp_h": {
  702. "type": "string",
  703. "index": "not_analyzed"
  704. },
  705. "id.resp_p": {
  706. "type": "long"
  707. },
  708. "seen.indicator": {
  709. "type": "string",
  710. "index": "not_analyzed"
  711. },
  712. "seen.indicator_type": {
  713. "type": "string",
  714. "index": "not_analyzed"
  715. },
  716. "seen.node": {
  717. "type": "string",
  718. "index": "not_analyzed"
  719. },
  720. "seen.where": {
  721. "type": "string",
  722. "index": "not_analyzed"
  723. },
  724. "sources": {
  725. "type": "string",
  726. "index": "not_analyzed"
  727. },
  728. "ts": {
  729. "type": "long"
  730. },
  731. "uid": {
  732. "type": "string",
  733. "index": "not_analyzed"
  734. }
  735. }
  736. },
  737. "software": {
  738. "properties": {
  739. "host": {
  740. "type": "string",
  741. "index": "not_analyzed"
  742. },
  743. "name": {
  744. "type": "string",
  745. "index": "not_analyzed"
  746. },
  747. "software_type": {
  748. "type": "string",
  749. "index": "not_analyzed"
  750. },
  751. "ts": {
  752. "type": "long"
  753. },
  754. "unparsed_version": {
  755. "type": "string",
  756. "index": "not_analyzed"
  757. },
  758. "version.addl": {
  759. "type": "string",
  760. "index": "not_analyzed"
  761. },
  762. "version.major": {
  763. "type": "long"
  764. },
  765. "version.minor": {
  766. "type": "long"
  767. },
  768. "version.minor2": {
  769. "type": "long"
  770. },
  771. "version.minor3": {
  772. "type": "long"
  773. }
  774. }
  775. },
  776. "conn": {
  777. "properties": {
  778. "conn_state": {
  779. "type": "string",
  780. "index": "not_analyzed"
  781. },
  782. "duration": {
  783. "type": "double"
  784. },
  785. "history": {
  786. "type": "string",
  787. "index": "not_analyzed"
  788. },
  789. "id.orig_h": {
  790. "type": "string",
  791. "index": "not_analyzed"
  792. },
  793. "id.orig_p": {
  794. "type": "long"
  795. },
  796. "id.resp_h": {
  797. "type": "string",
  798. "index": "not_analyzed"
  799. },
  800. "id.resp_p": {
  801. "type": "long"
  802. },
  803. "local_orig": {
  804. "type": "boolean"
  805. },
  806. "local_resp": {
  807. "type": "boolean"
  808. },
  809. "missed_bytes": {
  810. "type": "long"
  811. },
  812. "orig_bytes": {
  813. "type": "long"
  814. },
  815. "orig_ip_bytes": {
  816. "type": "long"
  817. },
  818. "orig_pkts": {
  819. "type": "long"
  820. },
  821. "proto": {
  822. "type": "string",
  823. "index": "not_analyzed"
  824. },
  825. "resp_bytes": {
  826. "type": "long"
  827. },
  828. "resp_ip_bytes": {
  829. "type": "long"
  830. },
  831. "resp_pkts": {
  832. "type": "long"
  833. },
  834. "service": {
  835. "type": "string",
  836. "index": "not_analyzed"
  837. },
  838. "ts": {
  839. "type": "long"
  840. },
  841. "uid": {
  842. "type": "string",
  843. "index": "not_analyzed"
  844. }
  845. }
  846. },
  847. "app_stats": {
  848. "properties": {
  849. "app": {
  850. "type": "string",
  851. "index": "not_analyzed"
  852. },
  853. "bytes": {
  854. "type": "long"
  855. },
  856. "hits": {
  857. "type": "long"
  858. },
  859. "ts": {
  860. "type": "long"
  861. },
  862. "ts_delta": {
  863. "type": "double"
  864. },
  865. "uniq_hosts": {
  866. "type": "long"
  867. }
  868. }
  869. }
  870. }
  871. }'
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement