proto field is no longer hard-coded in hart-ip and profinet-io-cm par…

…sers
mmguero-dev · Oct 17, 2024 · 87e2dbe · 87e2dbe
1 parent 0f669e5
commit 87e2dbe
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 30 deletions.
diff --git a/logstash/pipelines/zeek/1027_zeek_hart_ip.conf b/logstash/pipelines/zeek/1027_zeek_hart_ip.conf
@@ -39,12 +39,9 @@ filter {
       add_tag => [ "ics" ]
     }
 
-    # The "proto" field in these logs is useless.
-    #   Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
-    # The other fields are basically just placeholders we don't want to store the raw data for.
-    mutate { id => "mutate_remove_field_zeek_hart_ip_common_commands_proto"
-             remove_field => [ "[zeek_cols][proto]",
-                               "[zeek][hart_ip][token_passing_pdu_contents_data_data]",
+    # These fields are basically just placeholders we don't want to store the raw data for.
+    mutate { id => "mutate_remove_field_zeek_hart_ip_common_commands_useless"
+             remove_field => [ "[zeek][hart_ip][token_passing_pdu_contents_data_data]",
                                "[zeek][hart_ip][message_packet_bytes]",
                                "[zeek][hart_ip][token_passing_pdu_contents_data_data]" ] }
 
@@ -83,11 +80,6 @@ filter {
       add_tag => [ "ics" ]
     }
 
-    # The "proto" field in these logs is useless.
-    # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
-    if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_direct_pdu_command_proto"
-                                       remove_field => [ "[zeek_cols][proto]" ] } }
-
   } else if ([log_source] == "hart_ip") {
     #############################################################################################################################
     # hart_ip.log
@@ -122,11 +114,6 @@ filter {
       add_tag => [ "ics" ]
     }
 
-    # The "proto" field in these logs is useless.
-    # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
-    if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_proto"
-                                       remove_field => [ "[zeek_cols][proto]" ] } }
-
   } else if ([log_source] == "hart_ip_session_record") {
     #############################################################################################################################
     # hart_ip_session_record.log
@@ -161,11 +148,6 @@ filter {
       add_tag => [ "ics" ]
     }
 
-    # The "proto" field in these logs is useless.
-    # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
-    if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_session_proto"
-                                       remove_field => [ "[zeek_cols][proto]" ] } }
-
   } else if ([log_source] == "hart_ip_universal_commands") {
     #############################################################################################################################
     # hart_ip_universal_commands.log
@@ -200,11 +182,6 @@ filter {
       add_tag => [ "ics" ]
     }
 
-    # The "proto" field in these logs is useless.
-    # Remove this code when https://github.com/cisagov/icsnpp-hart-ip/issues/11 is fixed
-    if ([zeek_cols][proto]) { mutate { id => "mutate_remove_field_zeek_hart_ip_universal_commands_proto"
-                                       remove_field => [ "[zeek_cols][proto]" ] } }
-
   }
 
 } # end Filter
diff --git a/logstash/pipelines/zeek/1046_zeek_profinet.conf b/logstash/pipelines/zeek/1046_zeek_profinet.conf
@@ -103,10 +103,7 @@ filter {
     }
 
     mutate {
-      id => "mutate_add_fields_zeek_profinet_io_cm"
-      add_field => {
-        "[zeek_cols][proto]" => "udp"
-      }
+      id => "mutate_add_ics_tag_zeek_profinet_io_cm"
       add_tag => [ "ics" ]
     }