8505-postprocess-freq_analysis_zeek_x509.conf
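# Author: Justin Henderson
# Email: jhenderson@tekrefresh.comes
# Last Update: 5/10/2016
#
# Post-processing stage for zeek_x509 events: sends the certificate subject
# common name to the local frequency-analysis service and stores the returned
# score on the event.
filter {
  if [type] == "zeek_x509" {
    # If SubjectCommonName exists run a frequency analysis against it. In order for this to work you must have
    # freq.py and the corresponding frequency table in /opt/freq/. This is a huge boost to security
    # and I highly recommend you set this up. Example, if a frequency score less than 6 exists
    # then there is a likelihood that something malicious is happening.
    #
    # For higher accuracy, please generate your own frequency tables. For questions on setup,
    # please refer to https://github.com/SMAPPER
    if [subject_common_name] {
      # The value scored is the subject CN taken from the observed certificate, i.e.
      # third-party-controlled data; the service is reached over plain HTTP and no
      # timeout is set on the request here, so keep the listener bound to localhost.
      rest {
        request => {
          url => "http://localhost:10004"
          method => "get"
          params => {
            "cmd" => "measure1"
            # Score the common name itself. The original sent
            # %{x509_common_name_frequency_score}, which does not exist yet at
            # this point, so the service never received the CN.
            "tgt" => "%{subject_common_name}"
          }
        }
        # Expand the %{...} references in params before the request is sent.
        sprintf => true
        # Must match the field tested and converted below; the original wrote
        # "x509_common_name_name_frequency_score", so the conditional never fired.
        target => "x509_common_name_frequency_score"
      }
      if [x509_common_name_frequency_score] {
        mutate {
          # Store the score as a float and mirror it into the shared
          # frequency_scores field used across the postprocess stages.
          convert => { "x509_common_name_frequency_score" => "float" }
          add_field => { "frequency_scores" => "%{x509_common_name_frequency_score}" }
        }
      }
    }
  }
}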