trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added Malcolm

Browse Source
This commit is contained in:
Trinitor
2021-08-06 10:35:01 +02:00
parent f043730066
commit 70f1922e80
751 changed files with 195277 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
Vagrant/resources/malcolm/logstash/maps/conn_states.yaml Normal file
View File

@@ -0,0 +1,13 @@
"S0": "Connection attempt seen, no reply"
"S1": "Connection established, not terminated"
"S2": "Connection established and close attempt by originator seen (but no reply from responder)"
"S3": "Connection established and close attempt by responder seen (but no reply from originator)"
"SF": "Normal SYN/FIN completion"
"REJ": "Connection attempt rejected"
"RSTO": "Connection established, originator aborted (sent a RST)"
"RSTR": "Established, responder aborted"
"RSTOS0": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder"
"RSTRH": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator"
"SH": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)"
"SHR": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator"
"OTH": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)"

49
Vagrant/resources/malcolm/logstash/maps/ftp_result_codes.yaml Normal file
View File

@@ -0,0 +1,49 @@
"110": "Restart marker replay"
"120": "Service ready in n minutes"
"125": "Data connection already open; transfer starting"
"150": "Opening data connection"
"200": "Success"
"202": "Command not implemented"
"211": "System status or help reply"
"212": "Directory status"
"213": "File status"
"214": "Help message"
"215": "System type"
"220": "Service ready for new user"
"221": "Service closing control connection"
"225": "Data connection open; no transfer in progress"
"226": "Closing data connection"
"227": "Entering Passive Mode"
"228": "Entering Long Passive Mode"
"229": "Entering Extended Passive Mode"
"230": "User logged in"
"231": "User logged out"
"232": "Logout command noted"
"234": "Authentication method accepted"
"250": "Successful file action"
"257": "Successful directory creation"
"331": "Username okay, need password"
"332": "Need account for login"
"350": "Requested file action pending further information"
"421": "Service not available"
"425": "Can't open data connection"
"426": "Connection closed; transfer aborted"
"430": "Invalid username or password"
"434": "Requested host unavailable"
"450": "Requested file action not taken"
"451": "Requested action aborted; local error in processing"
"452": "Requested action not taken; file system error"
"501": "Syntax error"
"502": "Command not implemented"
"503": "Bad command sequence"
"504": "Command not implemented for that parameter"
"530": "Not logged in"
"532": "Need account for storing files"
"534": "Could not connect; policy requires SSL"
"550": "Requested action not taken; file unavailable"
"551": "Requested action aborted; page type unknown"
"552": "Requested file action aborted; exceeded storage allocation"
"553": "Requested action not taken; file name not allowed"
"631": "Integrity protected"
"632": "Confidentiality and integrity protected"
"633": "Confidentiality protected"

97
Vagrant/resources/malcolm/logstash/maps/http_result_codes.yaml Normal file
View File

@@ -0,0 +1,97 @@
"100": "Continue"
"101": "Switching Protocols"
"102": "Processing"
"103": "Early Hints"
"110": "Response is Stale"
"111": "Revalidation Failed"
"112": "Disconnected Operation"
"113": "Heuristic Expiration"
"199": "Miscellaneous Warning"
"200": "Success"
"201": "Created"
"202": "Accepted"
"203": "Non-authoritative Information"
"204": "No Content"
"205": "Reset Content"
"206": "Partial Content"
"207": "Multi-status"
"208": "Already Reported"
"214": "Transformation Applied"
"218": "This Is Fine"
"226": "IM Used"
"299": "Miscellaneous Persistent Warning"
"300": "Multiple Choices"
"301": "Moved Permanently"
"302": "Redirect"
"303": "See Other"
"304": "Not Modified"
"305": "Use Proxy"
"306": "Switch Proxy"
"307": "Temporary Redirect"
"308": "Permanent Redirect"
"400": "Bad Request"
"401": "Not Authorized"
"402": "Payment Required"
"403": "Forbidden"
"404": "Error On Wikipedia"
"404": "Not Found"
"405": "Method Not Allowed"
"406": "Not Acceptable"
"407": "Proxy Authentication Required"
"408": "Request Timeout"
"409": "Conflict"
"410": "Gone"
"411": "Length Required"
"412": "Precondition Failed"
"413": "Payload Too Large"
"414": "URI Too Long"
"415": "Unsupported Media Type"
"416": "Range Not Satisfiable"
"417": "Expectation Failed"
"418": "I'm A Teapot"
"419": "Page Expired"
"420": "Method Failure / Enhance Your Calm"
"421": "Misdirected Request"
"422": "Unprocessable Entity"
"423": "Locked"
"424": "Failed Dependency"
"425": "Too Early"
"426": "Upgrade Required"
"427": "Unassigned"
"428": "Precondition Required"
"429": "Too Many Requests"
"430": "Unassigned"
"431": "Request Header Fields Too Large"
"440": "Login Timeout"
"444": "No Response"
"449": "Retry With"
"450": "Blocked By Windows Parental Controls"
"451": "Unavailable For Legal Reasons"
"494": "Request Header Too Large"
"495": "SSL Certificate Error"
"496": "SSL Certificate Required"
"497": "HTTP Request Sent To HTTPS Port"
"498": "Invalid Token"
"499": "Client Closed Request"
"500": "Internal Server Error"
"501": "Unsupported Method"
"502": "Bad Gateway"
"503": "Service Unavailable"
"504": "Gateway Timeout"
"505": "HTTP Version Not Supported"
"506": "Variant Also Negotiates"
"507": "Insufficient Storage"
"508": "Loop Detected"
"509": "Bandwidth Limit Exceeded"
"510": "Not Extended"
"511": "Network Authentication Required"
"520": "Web Server Returned An Unknown Error"
"521": "Web Server Is Down"
"522": "Connection Timed Out"
"523": "Origin Is Unreachable"
"524": "A Timeout Occurred"
"525": "SSL Handshake Failed"
"526": "Invalid SSL Certificate"
"527": "Railgun Error"
"529": "Site Is Overloaded"
"530": "Site Is Frozen"

56
Vagrant/resources/malcolm/logstash/maps/ip_protocol_numbers.yaml Normal file
View File

@@ -0,0 +1,56 @@
"ip": "0"
"hopopt": "0"
"icmp": "1"
"igmp": "2"
"ggp": "3"
"ipencap": "4"
"st": "5"
"tcp": "6"
"egp": "8"
"igp": "9"
"pup": "12"
"udp": "17"
"hmp": "20"
"xns-idp": "22"
"rdp": "27"
"iso-tp4": "29"
"dccp": "33"
"xtp": "36"
"ddp": "37"
"idpr-cmtp": "38"
"ipv6": "41"
"ipv6-route": "43"
"ipv6-frag": "44"
"idrp": "45"
"rsvp": "46"
"gre": "47"
"esp": "50"
"ah": "51"
"skip": "57"
"ipv6-icmp": "58"
"ipv6-nonxt": "59"
"ipv6-opts": "60"
"rspf": "73"
"vmtp": "81"
"eigrp": "88"
"ospf": "89"
"ax.25": "93"
"ipip": "94"
"etherip": "97"
"encap": "98"
"#": "99"
"pim": "103"
"ipcomp": "108"
"vrrp": "112"
"l2tp": "115"
"isis": "124"
"sctp": "132"
"fc": "133"
"mobility-header": "135"
"udplite": "136"
"mpls-in-ip": "137"
"manet": "138"
"hip": "139"
"shim6": "140"
"wesp": "141"
"rohc": "142"

15
Vagrant/resources/malcolm/logstash/maps/mitre_attack_tactic_ids.yaml Normal file
View File

@@ -0,0 +1,15 @@
"Collection": "TA0009"
"Command_and_Control": "TA0011"
"Credential_Access": "TA0006"
"Defense_Evasion": "TA0005"
"Discovery": "TA0007"
"Execution": "TA0002"
"Exfiltration": "TA0010"
"Impact": "TA0040"
"Initial_Access": "TA0001"
"Lateral_Movement": "TA0008"
"Lateral_Movement_and_Execution": [ "TA0002", "TA0008" ]
"Lateral_Movement_Extracted_File": "TA0008"
"Lateral_Movement_Multiple_Attempts": "TA0008"
"Persistence": "TA0003"
"Privilege_Escalation": "TA0004"

15
Vagrant/resources/malcolm/logstash/maps/mitre_attack_tactic_reference.yaml Normal file
View File

@@ -0,0 +1,15 @@
"Collection": "https://attack.mitre.org/tactics/TA0009/"
"Command_and_Control": "https://attack.mitre.org/tactics/TA0011/"
"Credential_Access": "https://attack.mitre.org/tactics/TA0006/"
"Defense_Evasion": "https://attack.mitre.org/tactics/TA0005/"
"Discovery": "https://attack.mitre.org/tactics/TA0007/"
"Execution": "https://attack.mitre.org/tactics/TA0002/"
"Exfiltration": "https://attack.mitre.org/tactics/TA0010/"
"Impact": "https://attack.mitre.org/tactics/TA0040/"
"Initial_Access": "https://attack.mitre.org/tactics/TA0001/"
"Lateral_Movement": "https://attack.mitre.org/tactics/TA0008/"
"Lateral_Movement_and_Execution": [ "https://attack.mitre.org/tactics/TA0002/", "https://attack.mitre.org/tactics/TA0008/" ]
"Lateral_Movement_Extracted_File": "https://attack.mitre.org/tactics/TA0008/"
"Lateral_Movement_Multiple_Attempts": "https://attack.mitre.org/tactics/TA0008/"
"Persistence": "https://attack.mitre.org/tactics/TA0003/"
"Privilege_Escalation": "https://attack.mitre.org/tactics/TA0004/"

7
Vagrant/resources/malcolm/logstash/maps/notice_authors.yaml Normal file
View File

@@ -0,0 +1,7 @@
"EternalSafety": "Lexi Brent"
"ATTACK": "MITRE"
"HTTPATTACKS": "Andrew Klaus"
"Corelight": "Corelight"
"SNIFFPASS": "Andrew Klaus"
"CVE_2020_0601": "Johanna Amann"
"CVE_2020_13777": "Johanna Amann"

7
Vagrant/resources/malcolm/logstash/maps/notice_license.yaml Normal file
View File

@@ -0,0 +1,7 @@
"EternalSafety": "BSD-3-Clause License"
"ATTACK": " BSD-3-Clause License"
"HTTPATTACKS": "BSD-2-Clause License"
"SNIFFPASS": "BSD-3-Clause License"
"Corelight": "https://github.com/corelight"
"CVE_2020_0601": "https://raw.githubusercontent.com/0xxon/cve-2020-0601/master/COPYING"
"CVE_2020_13777": "https://raw.githubusercontent.com/0xxon/cve-2020-13777/master/COPYING"

7
Vagrant/resources/malcolm/logstash/maps/notice_reference.yaml Normal file
View File

@@ -0,0 +1,7 @@
"EternalSafety": "https://github.com/0xl3x1/zeek-EternalSafety"
"ATTACK": "https://github.com/mitre-attack/bzar"
"HTTPATTACKS": "https://github.com/precurse/zeek-httpattacks"
"Corelight": "https://github.com/corelight"
"SNIFFPASS": "https://github.com/cybera/zeek-sniffpass"
"CVE_2020_0601": "https://github.com/0xxon/cve-2020-0601"
"CVE_2020_13777": "https://github.com/0xxon/cve-2020-13777"

4
Vagrant/resources/malcolm/logstash/maps/ntp_modes.yaml Normal file
View File

@@ -0,0 +1,4 @@
"1": "client"
"2": "server"
"3": "peer"
"4": "broadcast/multicast"

206
Vagrant/resources/malcolm/logstash/maps/s7comm_result_codes.yaml Normal file
View File

@@ -0,0 +1,206 @@
"0": "Success"
"272": "Invalid block number"
"273": "Invalid request length"
"274": "Invalid parameter"
"275": "Invalid block type"
"276": "Block not found"
"277": "Block already exists"
"278": "Block is write-protected"
"279": "The block/operating system update is too large"
"280": "Invalid block number"
"281": "Incorrect password entered"
"282": "PG resource error"
"283": "PLC resource error"
"284": "Protocol error"
"285": "Too many blocks (module-related restriction)"
"286": "There is no longer a connection to the database, or S7DOS handle is invalid"
"287": "Result buffer too small"
"288": "End of block list"
"320": "Insufficient memory available"
"321": "Job cannot be processed because of a lack of resources"
"32769": "The requested service cannot be performed while the block is in the current status"
"32771": "S7 protocol error: Error occurred while transferring the block"
"33024": "Application, general error: Service unknown to remote module"
"33028": "This service is not implemented on the module or a frame error was reported"
"33284": "The type specification for the object is inconsistent"
"33285": "A copied block already exists and is not linked"
"33537": "Insufficient memory space or work memory on the module, or specified storage medium not accessible"
"33538": "Too few resources available or the processor resources are not available"
"33540": "No further parallel upload possible. There is a resource bottleneck"
"33541": "Function not available"
"33542": "Insufficient work memory (for copying, linking, loading AWP)"
"33543": "Not enough retentive work memory (for copying, linking, loading AWP)"
"33793": "S7 protocol error: Invalid service sequence (for example, loading or uploading a block)"
"33794": "Service cannot execute owing to status of the addressed object"
"33796": "S7 protocol: The function cannot be performed"
"33797": "Remote block is in DISABLE state (CFB). The function cannot be performed"
"34048": "S7 protocol error: Wrong frames"
"34051": "Alarm from the module: Service canceled prematurely"
"34561": "Error addressing the object on the communications partner (for example, area length error)"
"34562": "The requested service is not supported by the module"
"34563": "Access to object refused"
"34564": "Access error: Object damaged"
"53249": "Protocol error: Illegal job number"
"53250": "Parameter error: Illegal job variant"
"53251": "Parameter error: Debugging function not supported by module"
"53252": "Parameter error: Illegal job status"
"53253": "Parameter error: Illegal job termination"
"53254": "Parameter error: Illegal link disconnection ID"
"53255": "Parameter error: Illegal number of buffer elements"
"53256": "Parameter error: Illegal scan rate"
"53257": "Parameter error: Illegal number of executions"
"53258": "Parameter error: Illegal trigger event"
"53259": "Parameter error: Illegal trigger condition"
"53265": "Parameter error in path of the call environment: Block does not exist"
"53266": "Parameter error: Wrong address in block"
"53268": "Parameter error: Block being deleted/overwritten"
"53269": "Parameter error: Illegal tag address"
"53270": "Parameter error: Test jobs not possible, because of errors in user program"
"53271": "Parameter error: Illegal trigger number"
"53285": "Parameter error: Invalid path"
"53286": "Parameter error: Illegal access type"
"53287": "Parameter error: This number of data blocks is not permitted"
"53297": "Internal protocol error"
"53298": "Parameter error: Wrong result buffer length"
"53299": "Protocol error: Wrong job length"
"53311": "Coding error: Error in parameter section (for example, reserve bytes not equal to 0)"
"53313": "Data error: Illegal status list ID"
"53314": "Data error: Illegal tag address"
"53315": "Data error: Referenced job not found, check job data"
"53316": "Data error: Illegal tag value, check job data"
"53317": "Data error: Exiting the ODIS control is not allowed in HOLD"
"53318": "Data error: Illegal measuring stage during run-time measurement"
"53319": "Data error: Illegal hierarchy in 'Read job list'"
"53320": "Data error: Illegal deletion ID in 'Delete job'"
"53321": "Invalid substitute ID in 'Replace job'"
"53322": "Error executing 'program status'"
"53343": "Coding error: Error in data section (for example, reserve bytes not equal to 0, ...)"
"53345": "Resource error: No memory space for job"
"53346": "Resource error: Job list full"
"53347": "Resource error: Trigger event occupied"
"53348": "Resource error: Not enough memory space for one result buffer element"
"53349": "Resource error: Not enough memory space for several result buffer elements"
"53350": "Resource error: The timer available for run-time measurement is occupied by another job"
"53351": "Resource error: Too many 'modify tag' jobs active (in particular multi-processor operation)"
"53377": "Function not permitted in current mode"
"53378": "Mode error: Cannot exit HOLD mode"
"53409": "Function not permitted in current protection level"
"53410": "Function not possible at present, because a function is running that modifies memory"
"53411": "Too many 'modify tag' jobs active on the I/O (in particular multi-processor operation)"
"53412": "'Forcing' has already been established"
"53413": "Referenced job not found"
"53414": "Job cannot be disabled/enabled"
"53415": "Job cannot be deleted, for example because it is currently being read"
"53416": "Job cannot be replaced, for example because it is currently being read or deleted"
"53417": "Job cannot be read, for example because it is currently being deleted"
"53418": "Time limit exceeded in processing operation"
"53419": "Invalid job parameters in process operation"
"53420": "Invalid job data in process operation"
"53421": "Operating mode already set"
"53422": "The job was set up over a different connection and can only be handled over this connection"
"53441": "At least one error has been detected while accessing the tag(s)"
"53442": "Change to STOP/HOLD mode"
"53443": "At least one error was detected while accessing the tag(s). Mode change to STOP/HOLD"
"53444": "Timeout during run-time measurement"
"53445": "Display of block stack inconsistent, because blocks were deleted/reloaded"
"53446": "Job was automatically deleted as the jobs it referenced have been deleted"
"53447": "The job was automatically deleted because STOP mode was exited"
"53448": "'Block status' aborted because of inconsistencies between test job and running program"
"53449": "Exit the status area by resetting OB90"
"53450": "Exiting the status range by resetting OB90 and access error reading tags before exiting"
"53451": "The output disable for the peripheral outputs has been activated again"
"53452": "The amount of data for the debugging functions is restricted by the time limit"
"53761": "Syntax error in block name"
"53762": "Syntax error in function parameters"
"53765": "Linked block already exists in RAM: Conditional copying is not possible"
"53766": "Linked block already exists in EPROM: Conditional copying is not possible"
"53768": "Maximum number of copied (not linked) blocks on module exceeded"
"53769": "(At least) one of the given blocks not found on the module"
"53770": "The maximum number of blocks that can be linked with one job was exceeded"
"53771": "The maximum number of blocks that can be deleted with one job was exceeded"
"53772": "OB cannot be copied because the associated priority class does not exist"
"53773": "SDB cannot be interpreted (for example, unknown number)"
"53774": "No (further) block available"
"53775": "Module-specific maximum block size exceeded"
"53776": "Invalid block number"
"53778": "Incorrect header attribute (run-time relevant)"
"53779": "Too many SDBs. Note the restrictions on the module being used"
"53782": "Invalid user program - reset module"
"53783": "Protection level specified in module properties not permitted"
"53784": "Incorrect attribute (active/passive)"
"53785": "Incorrect block lengths (for example, incorrect length of first section or of the whole block)"
"53786": "Incorrect local data length or write-protection code faulty"
"53787": "Module cannot compress or compression was interrupted early"
"53789": "The volume of dynamic project data transferred is illegal"
"53790": "Unable to assign parameters to a module (such as FM, CP). The system data could not be linked"
"53792": "Invalid programming language. Note the restrictions on the module being used"
"53793": "The system data for connections or routing are not valid"
"53794": "The system data of the global data definition contain invalid parameters"
"53795": "Error in instance data block for communication function block or maximum number of instance DBs exceeded"
"53796": "The SCAN system data block contains invalid parameters"
"53797": "The DP system data block contains invalid parameters"
"53798": "A structural error occurred in a block"
"53808": "A structural error occurred in a block"
"53809": "At least one loaded OB cannot be copied because the associated priority class does not exist"
"53810": "At least one block number of a loaded block is illegal"
"53812": "Block exists twice in the specified memory medium or in the job"
"53813": "The block contains an incorrect checksum"
"53814": "The block does not contain a checksum"
"53815": "You are about to load the block twice, i.e. a block with the same time stamp already exists on the CPU"
"53816": "At least one of the blocks specified is not a DB"
"53817": "At least one of the DBs specified is not available as a linked variant in the load memory"
"53818": "At least one of the specified DBs is considerably different from the copied and linked variant"
"53824": "Coordination rules violated"
"53825": "The function is not permitted in the current protection level"
"53826": "Protection violation while processing F blocks"
"53840": "Update and module ID or version do not match"
"53841": "Incorrect sequence of operating system components"
"53842": "Checksum error"
"53843": "No executable loader available; update only possible using a memory card"
"53844": "Storage error in operating system"
"53888": "Error compiling block in S7-300 CPU"
"53921": "Another block function or a trigger on a block is active"
"53922": "A trigger is active on a block. Complete the debugging function first"
"53923": "The block is not active (linked), the block is occupied or the block is currently marked for deletion"
"53924": "The block is already being processed by another block function"
"53926": "It is not possible to save and change the user program simultaneously"
"53927": "The block has the attribute 'unlinked' or is not processed"
"53928": "An active debugging function is preventing parameters from being assigned to the CPU"
"53929": "New parameters are being assigned to the CPU"
"53930": "New parameters are currently being assigned to the modules"
"53931": "The dynamic configuration limits are currently being changed"
"53932": "A running active or deactivate assignment (SFC 12) is temporarily preventing R-KiR process"
"53936": "An error occurred while configuring in RUN (CiR)"
"53952": "The maximum number of technological objects has been exceeded"
"53953": "The same technology data block already exists on the module"
"53954": "Downloading the user program or downloading the hardware configuration is not possible"
"54273": "Information function unavailable"
"54274": "Information function unavailable"
"54275": "Service has already been logged on/off (Diagnostics/PMC)"
"54276": "Maximum number of nodes reached. No more logons possible for diagnostics/PMC"
"54277": "Service not supported or syntax error in function parameters"
"54278": "Required information currently unavailable"
"54279": "Diagnostics error occurred"
"54280": "Update aborted"
"54281": "Error on DP bus"
"54785": "Syntax error in function parameter"
"54786": "Incorrect password entered"
"54787": "The connection has already been legitimized"
"54788": "The connection has already been enabled"
"54789": "Legitimization not possible because password does not exist"
"55297": "At least one tag address is invalid"
"55298": "Specified job does not exist"
"55299": "Illegal job status"
"55300": "Illegal cycle time (illegal time base or multiple)"
"55301": "No more cyclic read jobs can be set up"
"55302": "The referenced job is in a state in which the requested function cannot be performed"
"55303": "Function aborted due to overload, meaning executing the read cycle takes longer than the set scan cycle time"
"56321": "Date and/or time invalid"
"57857": "CPU is already the master"
"57858": "Connect and update not possible due to different user program in flash module"
"57859": "Connect and update not possible due to different firmware"
"57860": "Connect and update not possible due to different memory configuration"
"57861": "Connect/update aborted due to synchronization error"
"57862": "Connect/update denied due to coordination violation"
"61185": "S7 protocol error: Error at ID2; only 00H permitted in job"
"61186": "S7 protocol error: Error at ID2; set of resources does not exist"

76
Vagrant/resources/malcolm/logstash/maps/sip_result_codes.yaml Normal file
View File

@@ -0,0 +1,76 @@
"100": "Trying"
"180": "Ringing"
"181": "Call Is Being Forwarded"
"182": "Queued"
"183": "Session Progress"
"199": "Early Dialog Terminated"
"200": "Success"
"202": "Accepted"
"204": "No Notification"
"300": "Multiple Choices"
"301": "Moved Permanently"
"302": "Moved Temporarily"
"305": "Use Proxy"
"380": "Alternative Service"
"400": "Bad Request"
"401": "Unauthorized"
"402": "Payment Required"
"403": "Forbidden"
"404": "Not Found"
"405": "Method Not Allowed"
"406": "Not Acceptable"
"407": "Proxy Authentication Required"
"408": "Request Timeout"
"409": "Conflict"
"410": "Gone"
"411": "Length Required"
"412": "Conditional Request Failed"
"413": "Request Entity Too Large"
"414": "Request URI Too Long"
"415": "Unsupported Media Type"
"416": "Unsupported URI Scheme"
"417": "Unknown Resource-priority"
"420": "Bad Extension"
"421": "Extension Required"
"422": "Session Interval Too Small"
"423": "Interval Too Brief"
"424": "Bad Location Information"
"428": "Use Identity Header"
"429": "Provide Referrer Identity"
"430": "Flow Failed"
"433": "Anonymity Disallowed"
"436": "Bad Identity Info"
"437": "Unsupported Certificate"
"438": "Invalid Identity Header"
"439": "First Hop Lacks Outbound Support"
"440": "Max-breadth Exceeded"
"469": "Bad Info Package"
"470": "Consent Needed"
"480": "Temporarily Unavailable"
"481": "Call/transaction Does Not Exist"
"482": "Loop Detected"
"483": "Too Many Hops"
"484": "Address Incomplete"
"485": "Ambiguous"
"486": "Busy Here"
"487": "Request Terminated"
"488": "Not Acceptable Here"
"489": "Bad Event"
"491": "Request Pending"
"493": "Undecipherable"
"494": "Security Agreement Required"
"500": "Internal Server Error"
"501": "Not Implemented"
"502": "Bad Gateway"
"503": "Service Unavailable"
"504": "Server Time-out"
"505": "Version Not Supported"
"513": "Message Too Large"
"555": "Push Notification Service Not Supported"
"580": "Precondition Failure"
"600": "Busy Everywhere"
"603": "Decline"
"604": "Does Not Exist Anywhere"
"606": "Not Acceptable"
"607": "Unwanted"
"608": "Rejected"

40
Vagrant/resources/malcolm/logstash/maps/smtp_result_codes.yaml Normal file
View File

@@ -0,0 +1,40 @@
"101": "The server is unable to connect"
"111": "Connection refused or inability to open an SMTP stream"
"200": "System status message or help reply"
"214": "A response to the HELP command"
"220": "The server is ready"
"221": "The server is closing its transmission channel"
"250": "Success"
"251": "User not local will forward"
"252": "Cannot verify the user, but it will try to deliver the message anyway"
"354": "Start mail input"
"420": "Timeout connection problem"
"421": "Service is unavailable due to a connection problem"
"422": "The recipient's mailbox has exceeded its storage limit"
"431": "Not enough space on the disk"
"432": "Recipient's incoming mail queue has been stopped"
"441": "The recipient's server is not responding"
"442": "The connection was dropped during the transmission"
"446": "The maximum hop count was exceeded for the message"
"447": "Message timed out because of issues concerning the incoming server"
"449": "Routing error"
"450": "User's mailbox is unavailable"
"451": "Aborted Local error in processing"
"452": "Too many emails sent or too many recipients"
"471": "An error of your mail server"
"500": "Syntax error"
"501": "Syntax error in parameters or arguments"
"503": "Bad sequence of commands, or requires authentication"
"504": "Command parameter is not implemented"
"510": "Bad email address"
"511": "Bad email address"
"512": "Host server for the recipient's domain name cannot be found in DNS"
"513": "Address type is incorrect"
"523": "associated with encryption in RFC 5248"
"530": "Authentication problem"
"541": "The recipient address rejected your message"
"550": "Non-existent email address"
"551": "User not local or invalid address relay denied"
"552": "Exceeded storage allocation"
"553": "Mailbox name invalid"
"554": "Transaction has failed"

7
Vagrant/resources/malcolm/logstash/maps/tftp_result_codes.yaml Normal file
View File

@@ -0,0 +1,7 @@
"1": "File not found"
"2": "Access violation"
"3": "Disk full or allocation exceeded"
"4": "Illegal operation"
"5": "Unknown transfer ID"
"6": "File already exists"
"7": "No such user"

84
Vagrant/resources/malcolm/logstash/maps/zeek_log_ecs_categories.yaml Normal file
View File

@@ -0,0 +1,84 @@
"bacnet": ["ot", "network"]
"bacnet_discovery": ["ot", "network"]
"bacnet_property": ["ot", "network"]
"bsap_ip_header": ["ot", "network"]
"bsap_ip_rdb": ["ot", "network"]
"bsap_ip_unknown": ["ot", "network"]
"bsap_serial_header": ["ot", "network"]
"bsap_serial_rdb": ["ot", "network"]
"bsap_serial_rdb_ext": ["ot", "network"]
"bsap_serial_unknown": ["ot", "network"]
"cip": ["ot", "network"]
"cip_identity": ["ot", "network"]
"cip_io": ["ot", "network"]
"conn": ["network"]
"dce_rpc": ["network"]
"dhcp": ["network"]
"dnp3": ["ot", "network"]
"dnp3_control": ["ot", "network"]
"dnp3_objects": ["ot", "network"]
"dns": ["network"]
"dpd": ["network"]
"enip": ["ot", "network"]
"ecat_registers": ["ot", "network"]
"ecat_log_address": ["ot", "network"]
"ecat_dev_info": ["ot", "network"]
"ecat_aoe_info": ["ot", "network"]
"ecat_coe_info": ["ot", "network"]
"ecat_foe_info": ["ot", "network"]
"ecat_soe_info": ["ot", "network"]
"ecat_arp_info": ["ot", "network"]
"files": ["file"]
"ftp": ["file", "network"]
"gquic": ["network"]
"http": ["web", "network"]
"intel": ["intrusion_detection", "network"]
"ipsec": ["network"]
"irc": ["network"]
"iso_cotp": ["ot", "network"]
"kerberos": ["authentication", "iam", "network"]
"known_certs": ["file"]
"known_hosts": ["network"]
"known_modbus": ["ot", "network"]
"known_services": ["network"]
"ldap": ["authentication", "iam", "network"]
"login": ["authentication", "network"]
"modbus": ["ot", "network"]
"modbus_detailed": ["ot", "network"]
"modbus_mask_write_register": ["ot", "network"]
"modbus_read_write_multiple_registers": ["ot", "network"]
"modbus_register_change": ["ot", "network"]
"mqtt_connect": ["network"]
"mqtt_publish": ["network"]
"mqtt_subscribe": ["network"]
"mysql": ["database", "network"]
"notice": ["intrusion_detection", "network"]
"ntlm": ["authentication", "iam", "network"]
"ntp": ["network"]
"openvpn": ["network"]
"pe": ["file"]
"profinet": ["ot", "network"]
"profinet_dce_rpc": ["ot", "network"]
"radius": ["authentication", "iam", "network"]
"rdp": ["network"]
"rfb": ["network"]
"s7comm": ["ot", "network"]
"signatures": ["malware", "intrusion_detection", "network"]
"sip": ["network"]
"smb_cmd": ["network"]
"smb_files": ["file", "network"]
"smb_mapping": ["file", "network"]
"smtp": ["network"]
"snmp": ["network"]
"socks": ["network"]
"software": ["network"]
"ssh": ["authentication", "network"]
"ssl": ["network"]
"syslog": ["network"]
"tds": ["database", "network"]
"tds_rpc": ["database", "network"]
"tds_sql_batch": ["database", "network"]
"tunnel": ["network"]
"weird": ["intrusion_detection", "network"]
"wireguard": ["network"]
"x509": ["file"]