Change log for SURICATA_IDS
Date | Changes |
---|---|
2024-12-03 | Enhancement:<br>- Mapped "pkt_src", "direction", "http.length", "flow.pkts_toserver", "flow.pkts_toclient", and "http.http_content_type" to "additional.fields".<br>- Mapped "http.http_user_agent" to "network.http.user_agent".<br>- Mapped "http.http_method" to "network.http.method".<br>- Mapped "http.status" to "network.http.response_code".<br>- Mapped "http://%{http.hostname}%{http.url}" to "target.url".<br>- Mapped "http.protocol" to "network.tls.version". |
2024-04-08 | Enhancement:<br>- Mapped "dns.query.id" to "network.dns.id".<br>- Mapped "dns.query.rrtype" to "network.dns.questions.type".<br>- Mapped "dns.query.rrname" to "network.dns.questions.name".<br>- Mapped "dns.query.opcode" to "network.dns.opcode". |
2024-03-21 | Enhancement:<br>- Added support for logs with "event_type" as "stats" and "proto" as "IPv6-ICMP". |
2023-11-23 | Enhancement:<br>- Added a Grok pattern to parse newly ingested unparsed logs.<br>- Added a null check before mapping "dns.rrname" to "dns_question.name".<br>- Set "metadata.event_type" to "NETWORK_CONNECTION" for logs where "dns_rrname" is not present. |
2023-08-24 | Bug-Fix:<br>- Removed "TODO" comments from the parser. |
2022-07-07 | Enhancement:<br>When "event_type" is equal to "snmp":<br>- Mapped "in_iface" to "security_result.rule_labels".<br>- Mapped "community_id" to "security_result.rule_labels".<br>- Mapped "snmp.pdu_type" to "additional.fields".<br>- Mapped "snmp.community" to "additional.fields".<br>- Added a for loop over "snmp.vars" and mapped it to "additional.fields".<br>When "event_type" is equal to "rdp":<br>- Mapped "sr_action" to "security_result.action".<br>- Mapped "in_iface" to "security_result.rule_labels".<br>- Mapped "community_id" to "security_result.rule_labels". |
2022-06-13 | Bug: The following changes were made to this parser:<br>1) Fixed unparsed logs of event_type "alert".<br>2) Mapped missing alert event_type fields.<br>3) Modified the parser to eliminate the old format related to sdm.proto and changed the parser entirely to follow udm.proto. |
2022-05-23 | Enhancement: Added mapping for the following alert fields:<br>- Mapped 'in_iface' to 'target.resource.attribute.labels'.<br>- Mapped 'vlan' to 'target.resource.attribute.labels'.<br>- Mapped 'src_ip' to 'principal.ip'.<br>- Mapped 'src_port' to 'principal.port'.<br>- Mapped 'dest_ip' to 'target.ip'.<br>- Mapped 'dest_port' to 'target.port'.<br>- Mapped 'proto' to 'network.ip_protocol'.<br>- Mapped 'alert.action' to 'security_result.action'.<br>- Mapped 'alert.gid' to 'target.resource.attribute.labels'.<br>- Mapped 'alert.signature_id' to 'target.resource.attribute.labels'.<br>- Mapped 'alert.rev' to 'target.resource.attribute.labels'.<br>- Mapped 'alert.signature' to 'target.resource.attribute.labels'.<br>- Mapped 'alert.category' to 'security_result.threat_name'.<br>- Mapped 'alert.severity' to 'security_result.severity'.<br>- Mapped 'alert.metadata.affected_product' to 'target.resource.attribute.labels'.<br>- Mapped 'alert.metadata.attack_target' to 'target.resource.attribute.labels'.<br>- Mapped 'alert.metadata.deployment' to 'target.resource.attribute.labels'.<br>- Mapped 'alert.metadata.former_category' to 'target.resource.attribute.labels'.<br>- Mapped 'alert.metadata.signature_severity' to 'target.resource.attribute.labels'.<br>- Mapped 'flow.pkts_toserver' to 'target.resource.attribute.labels'.<br>- Mapped 'flow.pkts_toclient' to 'target.resource.attribute.labels'.<br>- Mapped 'flow.bytes_toserver' to 'network.sent_bytes'.<br>- Mapped 'flow.bytes_toclient' to 'network.received_bytes'.<br>- Mapped 'payload' to 'additional.fields'.<br>- Mapped 'alert.metadata.updated_at' with the format "yyyy-MM-dd" to 'date' (metadata.event_timestamp). |