add new opcua log type to malcolm

arkime/wise/source.zeeklogs.js

@@ -2295,6 +2295,20 @@ class MalcolmSource extends WISESource {
       "zeek.opcua_binary_variant_metadata.variant_data_array_dim",
       "zeek.opcua_binary_variant_metadata.variant_data_source",
       "zeek.opcua_binary_variant_metadata.variant_data_source_str",
+      "zeek.opcua_binary_write.node_id_encoding_mask",
+      "zeek.opcua_binary_write.node_id_namespace_idx",
+      "zeek.opcua_binary_write.node_id_numeric",
+      "zeek.opcua_binary_write.node_id_string",
+      "zeek.opcua_binary_write.node_id_guid",
+      "zeek.opcua_binary_write.node_id_opaque",
+      "zeek.opcua_binary_write.attribute_id",
+      "zeek.opcua_binary_write.attribute_id_str",
+      "zeek.opcua_binary_write.index_range",
+      "zeek.opcua_binary_write.data_value_encoding_mask",
+      "zeek.opcua_binary_write.source_timestamp",
+      "zeek.opcua_binary_write.source_pico_sec",
+      "zeek.opcua_binary_write.server_timestamp",
+      "zeek.opcua_binary_write.server_pico_sec",
       "zeek.ospf.advert_router",
       "zeek.ospf.area_id",
       "zeek.ospf.backup_router",

dashboards/templates/composable/component/zeek_ot.json

@@ -863,6 +863,7 @@
         "zeek.opcua_binary.identifier": { "type": "long" },
         "zeek.opcua_binary.identifier_str": { "type": "keyword" },
         "zeek.opcua_binary.is_final": { "type": "keyword" },
+        "zeek.opcua_binary.log_types": { "type": "integer" },
         "zeek.opcua_binary.max_chunk_cnt": { "type": "long" },
         "zeek.opcua_binary.max_msg_size": { "type": "long" },
         "zeek.opcua_binary.msg_size": { "type": "long" },
@@ -1316,6 +1317,20 @@
         "zeek.opcua_binary_variant_metadata.variant_data_array_dim": { "type": "long" },
         "zeek.opcua_binary_variant_metadata.variant_data_source": { "type": "long" },
         "zeek.opcua_binary_variant_metadata.variant_data_source_str": { "type": "keyword" },
+        "zeek.opcua_binary_write.node_id_encoding_mask": { "type": "keyword" },
+        "zeek.opcua_binary_write.node_id_namespace_idx": { "type": "long" },
+        "zeek.opcua_binary_write.node_id_numeric": { "type": "long" },
+        "zeek.opcua_binary_write.node_id_string": { "type": "keyword" },
+        "zeek.opcua_binary_write.node_id_guid": { "type": "keyword" },
+        "zeek.opcua_binary_write.node_id_opaque": { "type": "keyword" },
+        "zeek.opcua_binary_write.attribute_id": { "type": "long" },
+        "zeek.opcua_binary_write.attribute_id_str": { "type": "keyword" },
+        "zeek.opcua_binary_write.index_range": { "type": "keyword" },
+        "zeek.opcua_binary_write.data_value_encoding_mask": { "type": "keyword" },
+        "zeek.opcua_binary_write.source_timestamp": { "type": "date" },
+        "zeek.opcua_binary_write.source_pico_sec": { "type": "long" },
+        "zeek.opcua_binary_write.server_timestamp": { "type": "date" },
+        "zeek.opcua_binary_write.server_pico_sec": { "type": "long" },
         "zeek.profinet.block_version": { "type": "keyword" },
         "zeek.profinet.index": { "type": "keyword" },
         "zeek.profinet.operation_type": { "type": "keyword" },

logstash/pipelines/zeek/1043_zeek_opcua_binary.conf

@@ -1569,6 +1569,41 @@ filter {
         add_tag => [ "ics" ]
       }
 
+    } else if ([log_source] == "opcua_binary_write") {
+      #############################################################################################################################
+      # opcua_binary_write.log
+      # write-types.zeek (https://github.com/cisagov/icsnpp-opcua-binary)
+
+      if ("_jsonparsesuccess" not in [tags]) {
+        dissect {
+          id => "dissect_zeek_opcua_binary_write"
+          mapping => {
+            "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][drop_orig_h]} %{[zeek_cols][drop_orig_p]} %{[zeek_cols][drop_resp_h]} %{[zeek_cols][drop_resp_p]} %{[zeek_cols][is_orig]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][opcua_link_id]} %{[zeek_cols][node_id_encoding_mask]} %{[zeek_cols][node_id_namespace_idx]} %{[zeek_cols][node_id_numeric]} %{[zeek_cols][node_id_string]}  %{[zeek_cols][node_id_guid]}  %{[zeek_cols][node_id_opaque]}  %{[zeek_cols][attribute_id]}  %{[zeek_cols][attribute_id_str]}  %{[zeek_cols][index_range]} %{[zeek_cols][data_value_encoding_mask]}  %{[zeek_cols][req_status_code_link_id]} %{[zeek_cols][source_timestamp]}  %{[zeek_cols][source_pico_sec]} %{[zeek_cols][server_timestamp]}  %{[zeek_cols][server_pico_sec]} %{[zeek_cols][write_results_variant_metadata_link_id]}  %{[zeek_cols][res_status_code_link_id]} %{[zeek_cols][diag_info_link_id]}"
+          }
+        }
+
+        if ("_dissectfailure" in [tags]) {
+          mutate {
+            id => "mutate_split_zeek_opcua_binary_write"
+            split => { "[message]" => " " }
+          }
+          ruby {
+            id => "ruby_zip_zeek_opcua_binary_write"
+            init => "$zeek_opcua_binary_write_field_names = [ 'ts', 'uid', 'drop_orig_h', 'drop_orig_p', 'drop_resp_h', 'drop_resp_p', 'is_orig', 'orig_h', 'orig_p', 'resp_p', 'opcua_link_id', 'node_id_encoding_mask', 'node_id_namespace_idx', 'node_id_numeric', 'node_id_string', 'node_id_guid', 'node_id_opaque', 'attribute_id', 'attribute_id_str', 'index_range', 'data_value_encoding_mask', 'req_status_code_link_id', 'source_timestamp', 'source_pico_sec', 'server_timestamp', 'server_pico_sec', 'write_results_variant_metadata_link_id', 'res_status_code_link_id', 'diag_info_link_id' ]"
+            code => "event.set('[zeek_cols]', $zeek_opcua_binary_write_field_names.zip(event.get('[message]')).to_h)"
+          }
+        }
+      }
+
+      mutate {
+        id => "mutate_add_fields_zeek_opcua_binary_write"
+        add_field => {
+          "[zeek_cols][proto]" => "tcp"
+          "[zeek_cols][service]" => "opcua-binary"
+        }
+        add_tag => [ "ics" ]
+      }
+
     } else {
       # some other unknown zeek opcua- log file. should start with ts at least!
 

logstash/pipelines/zeek/1200_zeek_mutate.conf

@@ -1602,6 +1602,19 @@ filter {
       rename => { "[zeek][opcua_binary_event_filter_attribute_operand][browse_path_element_link_id]" => "[zeek][opcua_binary_event_filter_attribute_operand_browse_paths][browse_path_element_link_id]" }
       rename => { "[zeek][opcua_binary_event_filter_element_operand][content_filter_filter_operand_link_id]" => "[zeek][opcua_binary][operand_source_link_id]" }
       rename => { "[zeek][opcua_binary_event_filter_literal_operand][content_filter_filter_operand_link_id]" => "[zeek][opcua_binary][operand_source_link_id]" }
+      rename => { "[zeek][opcua_binary_write][opcua_link_id]" => "[zeek][opcua_binary][opcua_link_id]" }
+      rename => { "[zeek][opcua_binary_write][diag_info_link_id]" => "[zeek][opcua_binary_diag_info_detail][diag_info_link_id]" }
+      rename => { "[zeek][opcua_binary_write][write_results_variant_metadata_link_id]" => "[zeek][opcua_binary][variant_source_link_id]" }
+    }
+    if ([zeek][opcua_binary_write][req_status_code_link_id]) {
+      mutate { id => "mutate_merge_zeek_opcua_binary_write_req_status_code_link_id"
+               merge => { "[zeek][opcua_binary_status_code_detail][status_code_link_id]" => "[zeek][opcua_binary_write][req_status_code_link_id]" }
+               remove_field => [ "[zeek][opcua_binary_write][req_status_code_link_id]" ] }
+    }
+    if ([zeek][opcua_binary_write][res_status_code_link_id]) {
+      mutate { id => "mutate_merge_zeek_opcua_binary_write_res_status_code_link_id"
+               merge => { "[zeek][opcua_binary_status_code_detail][status_code_link_id]" => "[zeek][opcua_binary_write][res_status_code_link_id]" }
+               remove_field => [ "[zeek][opcua_binary_write][res_status_code_link_id]" ] }
     }
 
     # count the number of contributing "log types" after we've renamed stuff

logstash/pipelines/zeek/1300_zeek_normalize.conf

@@ -580,6 +580,9 @@ filter {
       } else if ([event][dataset] =~ /^opcua_binary_read/) {
         mutate { id => "mutate_add_field_metadata_opcua_read"
                  add_field => { "[@metadata][opcua_action_from_dataset]" => "Read" } }
+      } else if ([event][dataset] =~ /^opcua_binary_write/) {
+        mutate { id => "mutate_add_field_metadata_opcua_write"
+                 add_field => { "[@metadata][opcua_action_from_dataset]" => "Write" } }
       }
       if ([@metadata][opcua_action_from_dataset]) {
         mutate { id => "mutate_merge_zeek_opcua_action_from_dataset"

logstash/pipelines/zeek/1400_zeek_convert.conf

@@ -281,6 +281,31 @@ filter {
     }
   }
 
+  if ([zeek][opcua_binary_write][server_timestamp]) {
+    if ([zeek][opcua_binary_write][server_timestamp] == "0.000000") {
+      mutate { id => "mutate_remove_zeek_opcua_binary_write_server_timestamp"
+               remove_field => [ "[zeek][opcua_binary_write][server_timestamp]" ] }
+    } else {
+      date {
+        id => "date_zeek_zeek_opcua_binary_write_server_timestamp"
+        match => [ "[zeek][opcua_binary_write][server_timestamp]", "UNIX" ]
+        target => "[zeek][opcua_binary_write][server_timestamp]"
+      }
+    }
+  }
+
+  if ([zeek][opcua_binary_write][source_timestamp]) {
+    if ([zeek][opcua_binary_write][source_timestamp] == "0.000000") {
+      mutate { id => "mutate_remove_zeek_opcua_binary_write_source_timestamp"
+               remove_field => [ "[zeek][opcua_binary_write][source_timestamp]" ] }
+    } else {
+      date {
+        id => "date_zeek_zeek_opcua_binary_write_source_timestamp"
+        match => [ "[zeek][opcua_binary_write][source_timestamp]", "UNIX" ]
+        target => "[zeek][opcua_binary_write][source_timestamp]"
+      }
+    }
+  }
 
   if ([zeek][pe][compile_ts]) {
     if ([zeek][pe][compile_ts] == "0.000000") {