added Malcolm

2021-08-06 10:35:01 +02:00
parent f043730066
commit 70f1922e80
751 changed files with 195277 additions and 0 deletions


@@ -0,0 +1,123 @@
module Best_Guess;
# given an input map file with the following format:
# proto dport sport name category
# (see https://docs.zeek.org/en/master/frameworks/input.html#reading-data-into-tables
# for details on how the table is loaded),
# load up the table on zeek_init and for each connection_state_remove
# make a "best guess" of protocols based on proto+dport+sport.
# Best guesses are written to bestguess according to Best_Guess::Info
# Table key is transport protocol + destination port + source port
# Zeek will segfault if there is an unset value ('-') in the key,
# so use unknown_transport and 0 for protocol and ports, respectively,
# if they are not defined in the lookup.
type Best_Guess_Key: record {
proto: transport_proto &optional;
dport: count &optional;
sport: count &optional;
};
# Other table values include name, category.
type Best_Guess_Value: record {
name: string &optional;
category: string &optional;
};
export {
redef enum Log::ID += { BEST_GUESS_LOG };
#############################################################################
# This is the format of bestguess.log
type Info: record {
# Timestamp for when the event happened.
ts: time &log;
# Unique ID for the connection.
uid: string &log;
# The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
# transport protocol
proto: transport_proto &log &optional;
# protocol guess values for log
name: string &log &optional;
category: string &log &optional;
# originating structure containing guess info
guess_info: Best_Guess_Value &optional;
};
# Event that can be handled to access the record as it is sent on to the logging framework.
global log_best_guess: event(rec: Best_Guess::Info);
}
# lookup table of Best_Guess_Key -> Best_Guess_Value to be loaded in zeek_init
global proto_guesses: table[transport_proto, count, count] of Best_Guess_Value = table();
# filespec containing best guess mappings
global guest_map_filespec : string = @DIR + "/guess_ics_map.txt";
#############################################################################
event zeek_init() &priority=5 {
# populate the lookup table from guest_map_filespec and then clean up the intermediate source
Input::add_table([$source=guest_map_filespec, $name="guess_ics_map",
$idx=Best_Guess_Key, $val=Best_Guess_Value,
$destination=proto_guesses, $want_record=T]);
Input::remove("guess_ics_map");
# initialize bestguess.log
Log::create_stream(Best_Guess::BEST_GUESS_LOG, [$columns=Best_Guess::Info, $ev=log_best_guess, $path="bestguess"]);
}
#############################################################################
event connection_state_remove(c: connection) {
local p = get_port_transport_proto(c$id$resp_p);
local dp = port_to_count(c$id$resp_p);
local sp = port_to_count(c$id$orig_p);
local guess = Best_Guess_Value($name="");
local category: string = "";
# 1. only check connections for which we don't already know "service"
# 2. skip ICMP, since dp and sp don't mean the same thing for ICMP
if (((!c?$service) || (|c$service| == 0)) && (p != icmp)) {
# Look up permutations of transport protocol + destination port + source port
# from more-specific to less-specific.
if ([p, dp, sp] in proto_guesses)
guess = proto_guesses[p, dp, sp];
else if ([p, dp, 0] in proto_guesses)
guess = proto_guesses[p, dp, 0];
else if ([p, 0, sp] in proto_guesses)
guess = proto_guesses[p, 0, sp];
else if ([unknown_transport, dp, sp] in proto_guesses)
guess = proto_guesses[unknown_transport, dp, sp];
else if ([unknown_transport, dp, 0] in proto_guesses)
guess = proto_guesses[unknown_transport, dp, 0];
else if ([unknown_transport, 0, sp] in proto_guesses)
guess = proto_guesses[unknown_transport, 0, sp];
# if a best guess was made based on protocol and ports, log it
if ((guess?$name) && (guess$name != "")) {
# as category may be undefined, check before accessing
if (guess?$category)
category = guess$category;
# log entry into bestguess.log
local info = Best_Guess::Info($ts=network_time(),
$uid=c$uid,
$id=c$id,
$proto=p,
$name=guess$name,
$category=category,
$guess_info=guess);
Log::write(Best_Guess::BEST_GUESS_LOG, info);
} # found guess
} # if (p != icmp)
} # connection_state_remove
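Review bot: The global declared near the top of the hunk is named `guest_map_filespec` while every comment and the input source name say "guess"; renaming it to `guess_map_filespec` at its declaration and in the `Input::add_table` call removes a misleading identifier. The lookup chain in `connection_state_remove` lets a `[p, 0, sp]` entry win over a `[unknown_transport, dp, sp]` one, which is a reasonable precedence but reads as incidental; a comment above the first `if`, `# precedence: any match on the real transport beats a transport-agnostic match, and dport beats sport`, makes it deliberate. The `category` local is also initialised to `""` and logged as such when the map value had `-`, so the header comment could state that an empty category in bestguess.log means "unknown in the map" rather than a lookup failure.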


@@ -0,0 +1,360 @@
#fields proto dport sport name category
unknown_transport 0 2221 Rockwell CSP Rockwell Automation
unknown_transport 0 2222 Rockwell CSP Rockwell Automation
unknown_transport 0 2223 Rockwell CSP Rockwell Automation
unknown_transport 0 5007 Mitsubishi Electronic MELSEC-Q SLAVE Mitsubishi Electric
unknown_transport 0 5413 Wonderware AVEVA
unknown_transport 0 5891 Intelligent Instrumentation EDAS Intelligent Instrumentation
unknown_transport 0 7022 CT Discovery Protocol CTDP -
unknown_transport 0 7200 Fiber Optics Data Multiplexing Services FLIP -
unknown_transport 0 7201 DLIP -
tcp 0 7700 Rockwell FactoryTalk Event Server Rockwell Automation
unknown_transport 0 7710 Rockwell FactoryTalk Directory Server Rockwell Automation
unknown_transport 0 7720 Rockwell RSViewSE Rockwell Automation
unknown_transport 0 7721 Rockwell RSViewSE Rockwell Automation
unknown_transport 0 7722 Rockwell RSViewSE HMI Activation Rockwell Automation
unknown_transport 0 9212 Server View DBMS Access -
unknown_transport 0 9213 ServerStart RemoteControl -
unknown_transport 0 23400 Novar Data Honeywell
unknown_transport 0 23401 Novar Alarm Honeywell
unknown_transport 0 23402 Novar Global Honeywell
unknown_transport 0 34963 PROFInet RT Multicast PROFIBUS and PROFINET
unknown_transport 0 34964 PROFInet Context Manager PROFIBUS and PROFINET
unknown_transport 0 44818 Rockwell Encapsulation Rockwell Automation
unknown_transport 210 0 ANSI Z39.50 -
tcp 400 0 Rockwell RSSql Transaction Manager Rockwell Automation
tcp 401 0 Rockwell RSSql Compression Server Rockwell Automation
tcp 402 0 Rockwell RSSql Configuration Server Rockwell Automation
unknown_transport 500 0 Fatek FB Series FATEK Automation
unknown_transport 554 0 RTP RTSP Streaming Protocol -
unknown_transport 789 0 Red Lion CrimsonV3 Red Lion
unknown_transport 1025 0 Mitsubishi Electronic FX Mitsubishi Electric
unknown_transport 1089 0 Rockwell Foundation Fieldbus Rockwell Automation
unknown_transport 1090 0 Rockwell Foundation Fieldbus Rockwell Automation
unknown_transport 1091 0 Rockwell Foundation Fieldbus Rockwell Automation
tcp 1132 0 Rockwell AADvance Rockwell Automation
unknown_transport 1153 0 ANSI C12.22 -
tcp 1200 0 CodeSys Gateway Server CODESYS
tcp 1330 0 Rockwell FactoryTalk Object RPC Rockwell Automation
tcp 1331 0 Rockwell FactoryTalk Service Control Rockwell Automation
tcp 1332 0 Rockwell FactoryTalk Server Health Rockwell Automation
tcp 1433 0 Rockwell FactoryTalk Asset Centre Server/VantagePoint SQL Rockwell Automation
tcp 1434 0 Rockwell FactoryTalk Asset Centre Server/VantagePoint MSSQL Rockwell Automation
unknown_transport 1541 0 Foxboro/Invensys Foxboro DCS Informix Schneider Electric
unknown_transport 1962 0 Phoenix Contact PC WORX Engineering Workstation PHOENIX CONTACT
unknown_transport 2004 0 LS FEnet LS Electric
udp 2010 0 Rockwell AADvance Discover Tool Rockwell Automation
udp 2011 0 Rockwell AADvance Discover Tool Rockwell Automation
unknown_transport 2085 0 ADA Control ADA-CIP -
unknown_transport 2198 0 OneHome Remote Access -
unknown_transport 2199 0 OneHome Service Port -
unknown_transport 2221 0 Rockwell CSP Rockwell Automation
unknown_transport 2222 0 Rockwell CSP Rockwell Automation
unknown_transport 2223 0 Rockwell CSP Rockwell Automation
tcp 2393 0 OLAP Microsoft
tcp 2394 0 OLAP Microsoft
unknown_transport 2404 0 IEC 60870-5-104 -
unknown_transport 2423 0 RNRP Redundant Network Routing ABB
tcp 2455 0 CodeSys Gateway Server CODESYS
unknown_transport 2540 0 LonWorks LonWorks
unknown_transport 2541 0 LonWorks LonWorks
unknown_transport 2729 0 TCIM Control -
unknown_transport 2757 0 CNRP Common Name Resolution Protocol -
unknown_transport 2846 0 AIMPP Hello -
unknown_transport 2847 0 AIMPP Port Req -
unknown_transport 3004 0 Hitachi EHV Series Hitachi
unknown_transport 3060 0 Rockwell FactoryTalk Directory Server File Transfer Rockwell Automation
unknown_transport 3240 0 Trio Motion Control Trio Motion Technology
unknown_transport 3250 0 HMS HICP Port HMC HMS Networks
unknown_transport 3338 0 OMF Data B ANET-B -
unknown_transport 3340 0 OMF Data M ANET-M -
unknown_transport 3341 0 OMF Data H ANET-H -
tcp 102 0 ICCP -
tcp 3480 0 OPC UA Discovery -
unknown_transport 3614 0 Schleicher Satchwell Sigma Schleicher Electronic
unknown_transport 3622 0 Rockwell FF LAN Redundancy Port Rockwell Automation
unknown_transport 3639 0 xAP Home Automation -
unknown_transport 3743 0 IP Control Systems Ltd ICS Command IP Control Systems Ltd
unknown_transport 3794 0 JAUS Robots -
unknown_transport 3820 0 Siemens AuD SCP Siemens AG
unknown_transport 3848 0 IT Environmental Monitor -
unknown_transport 3873 0 Fagor DNC Fagor Automation
unknown_transport 3875 0 PNBSCADA -
unknown_transport 3881 0 Intelligent Data Acquisition and Control IDAC -
unknown_transport 4000 0 Fisher ROC Plus Emerson Electric
tcp 4120 0 Rockwell Bizware Production Server Rockwell Automation
tcp 4121 0 Rockwell Bizware Server Manager Rockwell Automation
tcp 4122 0 Rockwell Bizware PlantMetrics Server Rockwell Automation
tcp 4123 0 Rockwell Bizware Task Manager Rockwell Automation
tcp 4124 0 Rockwell Bizware Scheduler Rockwell Automation
tcp 4125 0 Rockwell Bizware CTP Server Rockwell Automation
unknown_transport 4450 0 Common ASCII Message Protocol CAMP -
unknown_transport 4451 0 CTI System Message -
unknown_transport 4452 0 CTI Program Load -
unknown_transport 4999 0 Mitsubishi Electronic MELSEC-Q Mitsubishi Electric
udp 5000 0 Rockwell AADvance Peer to P2P Rockwell Automation
unknown_transport 5001 0 Mitsubishi Electronic FX3u Mitsubishi Electric
unknown_transport 5004 0 RTP Time Transport -
unknown_transport 5006 0 Mitsubishi Electronic MELSEC-Q MASTER Mitsubishi Electric
unknown_transport 5007 0 Mitsubishi Electronic MELSEC-Q MASTER Mitsubishi Electric
tcp 5050 0 OASyS SCADA AVEVA
unknown_transport 5050 0 Danfoss ECL Apex Danfoss
tcp 5051 0 OASyS SCADA AVEVA
tcp 5052 0 OASyS SCADA AVEVA
tcp 5065 0 OASyS SCADA AVEVA
unknown_transport 5069 0 I/NET 2000-NPR Control Systems International
unknown_transport 5413 0 Wonderware AVEVA
tcp 5450 0 Rockwell FactoryTalk PI Network Manager Rockwell Automation
tcp 5454 0 Rockwell FactoryTalk Analysis Framework Rockwell Automation
tcp 5455 0 Rockwell FactoryTalk Analysis Framework Rockwell Automation
tcp 5456 0 Rockwell FactoryTalk ACE2 Scheduler Rockwell Automation
tcp 5457 0 Rockwell FactoryTalk Asset Framework Server Rockwell Automation
tcp 5458 0 Rockwell FactoryTalk PI Notification Rockwell Automation
tcp 6543 0 Rockwell FactoryTalk Alarming Server Rockwell Automation
tcp 7002 0 Rockwell FactoryTalk Asset Centre Services Rockwell Automation
tcp 7003 0 Rockwell FactoryTalk Asset Centre Services Rockwell Automation
tcp 7004 0 Rockwell FactoryTalk Asset Centre Services Rockwell Automation
unknown_transport 7022 0 CT Discovery Protocol -
unknown_transport 7201 0 DLIP -
tcp 7600 0 Rockwell FactoryTalk Event Multiplexor Rockwell Automation
tcp 7710 0 Rockwell FactoryTalk Directory Server Rockwell Automation
tcp 8081 0 Rockwell Bizware HTTP Server Manager Rockwell Automation
tcp 8083 0 Rockwell Bizware HTTP CTP Server Rockwell Automation
unknown_transport 8500 0 Panasonic FP2 Panasonic
unknown_transport 8501 0 Keyence KV-5000 Keyence
unknown_transport 9094 0 Panasonic FP Panasonic
unknown_transport 9600 0 Omron Factory Interface Network Service OMRON
tcp 10001 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10002 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10003 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10004 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10005 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10006 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10307 0 ABB Ranger ABB
tcp 10311 0 ABB Ranger ABB
tcp 10364 0 ABB Ranger ABB
tcp 10365 0 ABB Ranger ABB
tcp 10407 0 ABB Ranger ABB
tcp 10409 0 ABB Ranger ABB
tcp 10410 0 ABB Ranger ABB
tcp 10412 0 ABB Ranger ABB
tcp 10414 0 ABB Ranger ABB
tcp 10415 0 ABB Ranger ABB
tcp 10428 0 ABB Ranger ABB
tcp 10431 0 ABB Ranger ABB
tcp 10432 0 ABB Ranger ABB
tcp 10447 0 ABB Ranger ABB
tcp 10449 0 ABB Ranger ABB
tcp 10450 0 ABB Ranger ABB
unknown_transport 11001 0 Metasys N1 Johnson Controls
tcp 12135 0 OASyS SCADA AVEVA
tcp 12136 0 OASyS SCADA AVEVA
tcp 12137 0 OASyS SCADA AVEVA
tcp 12316 0 ABB Ranger ABB
tcp 12645 0 ABB Ranger ABB
tcp 12647 0 ABB Ranger ABB
tcp 12648 0 ABB Ranger ABB
tcp 13722 0 ABB Ranger ABB
tcp 13724 0 ABB Ranger ABB
tcp 13782 0 ABB Ranger ABB
tcp 13783 0 ABB Ranger ABB
tcp 18000 0 Genesis32 GenBroker ICONICS
unknown_transport 20256 0 Unitronics Socket 1 Unitronics
unknown_transport 20257 0 Unitronics Socket 2/3 Unitronics
unknown_transport 20547 0 ProconOS KW Software
tcp 27000 0 Rockwell FlexLM Server Rockwell Automation
tcp 27001 0 Rockwell FlexLM Server Rockwell Automation
tcp 27002 0 Rockwell FlexLM Server Rockwell Automation
tcp 27003 0 Rockwell FlexLM Server Rockwell Automation
tcp 27004 0 Rockwell FlexLM Server Rockwell Automation
tcp 27005 0 Rockwell FlexLM Server Rockwell Automation
tcp 27006 0 Rockwell FlexLM Server Rockwell Automation
tcp 27007 0 Rockwell FlexLM Server Rockwell Automation
tcp 27008 0 Rockwell FlexLM Server Rockwell Automation
tcp 27009 0 Rockwell FlexLM Server Rockwell Automation
unknown_transport 28784 0 Koyo Ethernet -
unknown_transport 34962 0 PROFInet RT Unicast PROFIBUS and PROFINET
tcp 38000 0 GENe SNC
tcp 38001 0 GENe SNC
tcp 38011 0 GENe SNC
tcp 38012 0 GENe SNC
tcp 38014 0 GENe SNC
tcp 38015 0 GENe SNC
tcp 38200 0 GENe SNC
tcp 38210 0 GENe SNC
tcp 38301 0 GENe SNC
tcp 38400 0 GENe SNC
tcp 38589 0 ABB Ranger ABB
tcp 38593 0 ABB Ranger ABB
tcp 38600 0 ABB Ranger ABB
tcp 38700 0 GENe SNC
tcp 38971 0 ABB Ranger ABB
tcp 39129 0 ABB Ranger ABB
tcp 39278 0 ABB Ranger ABB
unknown_transport 44818 0 Rockwell Encapsulation Rockwell Automation
unknown_transport 45678 0 Foxboro/Invensys Foxboro DCS AIMAPI Schneider Electric
tcp 49281 0 Rockwell FactoryTalk Live Data/SE HMI Tag Server Rockwell Automation
tcp 50001 0 Siemens Spectrum Power TG Siemens AG
tcp 50002 0 Siemens Spectrum Power TG Siemens AG
tcp 50003 0 Siemens Spectrum Power TG Siemens AG
tcp 50004 0 Siemens Spectrum Power TG Siemens AG
tcp 50005 0 Siemens Spectrum Power TG Siemens AG
tcp 50006 0 Siemens Spectrum Power TG Siemens AG
tcp 50007 0 Siemens Spectrum Power TG Siemens AG
tcp 50008 0 Siemens Spectrum Power TG Siemens AG
tcp 50009 0 Siemens Spectrum Power TG Siemens AG
tcp 50010 0 Siemens Spectrum Power TG Siemens AG
tcp 50011 0 Siemens Spectrum Power TG Siemens AG
tcp 50012 0 Siemens Spectrum Power TG Siemens AG
tcp 50013 0 Siemens Spectrum Power TG Siemens AG
tcp 50014 0 Siemens Spectrum Power TG Siemens AG
tcp 50015 0 Siemens Spectrum Power TG Siemens AG
tcp 50016 0 Siemens Spectrum Power TG Siemens AG
tcp 50018 0 Siemens Spectrum Power TG Siemens AG
tcp 50019 0 Siemens Spectrum Power TG Siemens AG
tcp 50020 0 Siemens Spectrum Power TG Siemens AG
tcp 50021 0 Siemens Spectrum Power TG Siemens AG
tcp 50025 0 Siemens Spectrum Power TG Siemens AG
tcp 50026 0 Siemens Spectrum Power TG Siemens AG
tcp 50027 0 Siemens Spectrum Power TG Siemens AG
tcp 50028 0 Siemens Spectrum Power TG Siemens AG
tcp 50110 0 Siemens Spectrum Power TG Siemens AG
tcp 50111 0 Siemens Spectrum Power TG Siemens AG
unknown_transport 55000 0 Mitsubishi Electronic FL-Net Cyclic Transmission Mitsubishi Electric
unknown_transport 55001 0 Mitsubishi Electronic FL-Net Message Transmission Mitsubishi Electric
unknown_transport 55002 0 Mitsubishi Electronic FL-Net Participation Request Frame Mitsubishi Electric
unknown_transport 55003 0 Mitsubishi Electronic FL-Net Sending Service Mitsubishi Electric
tcp 55555 0 Rockwell AADvance Telnet Rockwell Automation
unknown_transport 55555 0 Foxboro/Invensys Foxboro DCS FoxAPI Schneider Electric
tcp 56001 0 OASyS SCADA AVEVA
tcp 56001 0 OASyS SCADA AVEVA
tcp 56002 0 OASyS SCADA AVEVA
tcp 56003 0 OASyS SCADA AVEVA
tcp 56004 0 OASyS SCADA AVEVA
tcp 56005 0 OASyS SCADA AVEVA
tcp 56006 0 OASyS SCADA AVEVA
tcp 56007 0 OASyS SCADA AVEVA
tcp 56008 0 OASyS SCADA AVEVA
tcp 56009 0 OASyS SCADA AVEVA
tcp 56010 0 OASyS SCADA AVEVA
tcp 56011 0 OASyS SCADA AVEVA
tcp 56012 0 OASyS SCADA AVEVA
tcp 56013 0 OASyS SCADA AVEVA
tcp 56014 0 OASyS SCADA AVEVA
tcp 56015 0 OASyS SCADA AVEVA
tcp 56016 0 OASyS SCADA AVEVA
tcp 56017 0 OASyS SCADA AVEVA
tcp 56018 0 OASyS SCADA AVEVA
tcp 56019 0 OASyS SCADA AVEVA
tcp 56020 0 OASyS SCADA AVEVA
tcp 56021 0 OASyS SCADA AVEVA
tcp 56022 0 OASyS SCADA AVEVA
tcp 56023 0 OASyS SCADA AVEVA
tcp 56024 0 OASyS SCADA AVEVA
tcp 56025 0 OASyS SCADA AVEVA
tcp 56026 0 OASyS SCADA AVEVA
tcp 56027 0 OASyS SCADA AVEVA
tcp 56028 0 OASyS SCADA AVEVA
tcp 56029 0 OASyS SCADA AVEVA
tcp 56030 0 OASyS SCADA AVEVA
tcp 56031 0 OASyS SCADA AVEVA
tcp 56032 0 OASyS SCADA AVEVA
tcp 56033 0 OASyS SCADA AVEVA
tcp 56034 0 OASyS SCADA AVEVA
tcp 56035 0 OASyS SCADA AVEVA
tcp 56036 0 OASyS SCADA AVEVA
tcp 56037 0 OASyS SCADA AVEVA
tcp 56038 0 OASyS SCADA AVEVA
tcp 56039 0 OASyS SCADA AVEVA
tcp 56040 0 OASyS SCADA AVEVA
tcp 56041 0 OASyS SCADA AVEVA
tcp 56042 0 OASyS SCADA AVEVA
tcp 56043 0 OASyS SCADA AVEVA
tcp 56044 0 OASyS SCADA AVEVA
tcp 56045 0 OASyS SCADA AVEVA
tcp 56046 0 OASyS SCADA AVEVA
tcp 56047 0 OASyS SCADA AVEVA
tcp 56048 0 OASyS SCADA AVEVA
tcp 56049 0 OASyS SCADA AVEVA
tcp 56050 0 OASyS SCADA AVEVA
tcp 56051 0 OASyS SCADA AVEVA
tcp 56052 0 OASyS SCADA AVEVA
tcp 56053 0 OASyS SCADA AVEVA
tcp 56054 0 OASyS SCADA AVEVA
tcp 56055 0 OASyS SCADA AVEVA
tcp 56056 0 OASyS SCADA AVEVA
tcp 56057 0 OASyS SCADA AVEVA
tcp 56058 0 OASyS SCADA AVEVA
tcp 56059 0 OASyS SCADA AVEVA
tcp 56060 0 OASyS SCADA AVEVA
tcp 56061 0 OASyS SCADA AVEVA
tcp 56062 0 OASyS SCADA AVEVA
tcp 56063 0 OASyS SCADA AVEVA
tcp 56064 0 OASyS SCADA AVEVA
tcp 56065 0 OASyS SCADA AVEVA
tcp 56066 0 OASyS SCADA AVEVA
tcp 56067 0 OASyS SCADA AVEVA
tcp 56068 0 OASyS SCADA AVEVA
tcp 56069 0 OASyS SCADA AVEVA
tcp 56070 0 OASyS SCADA AVEVA
tcp 56071 0 OASyS SCADA AVEVA
tcp 56072 0 OASyS SCADA AVEVA
tcp 56073 0 OASyS SCADA AVEVA
tcp 56074 0 OASyS SCADA AVEVA
tcp 56075 0 OASyS SCADA AVEVA
tcp 56076 0 OASyS SCADA AVEVA
tcp 56077 0 OASyS SCADA AVEVA
tcp 56078 0 OASyS SCADA AVEVA
tcp 56079 0 OASyS SCADA AVEVA
tcp 56080 0 OASyS SCADA AVEVA
tcp 56081 0 OASyS SCADA AVEVA
tcp 56082 0 OASyS SCADA AVEVA
tcp 56083 0 OASyS SCADA AVEVA
tcp 56084 0 OASyS SCADA AVEVA
tcp 56085 0 OASyS SCADA AVEVA
tcp 56086 0 OASyS SCADA AVEVA
tcp 56087 0 OASyS SCADA AVEVA
tcp 56088 0 OASyS SCADA AVEVA
tcp 56089 0 OASyS SCADA AVEVA
tcp 56090 0 OASyS SCADA AVEVA
tcp 56091 0 OASyS SCADA AVEVA
tcp 56092 0 OASyS SCADA AVEVA
tcp 56093 0 OASyS SCADA AVEVA
tcp 56094 0 OASyS SCADA AVEVA
tcp 56095 0 OASyS SCADA AVEVA
tcp 56096 0 OASyS SCADA AVEVA
tcp 56097 0 OASyS SCADA AVEVA
tcp 56098 0 OASyS SCADA AVEVA
tcp 56099 0 OASyS SCADA AVEVA
tcp 60093 0 Rockwell FactoryTalk Diagnostics Rockwell Automation
tcp 62900 0 GENe SNC
tcp 62911 0 GENe SNC
tcp 62924 0 GENe SNC
tcp 62930 0 GENe SNC
tcp 62938 0 GENe SNC
tcp 62956 0 GENe SNC
tcp 62957 0 GENe SNC
tcp 62963 0 GENe SNC
tcp 62981 0 GENe SNC
tcp 62982 0 GENe SNC
tcp 62985 0 GENe SNC
tcp 62992 0 GENe SNC
tcp 63012 0 GENe SNC
tcp 63027 0 GENe SNC
tcp 63028 0 GENe SNC
tcp 63029 0 GENe SNC
tcp 63030 0 GENe SNC
tcp 63031 0 GENe SNC
tcp 63032 0 GENe SNC
tcp 63033 0 GENe SNC
tcp 63034 0 GENe SNC
tcp 63035 0 GENe SNC
tcp 63036 0 GENe SNC
tcp 63041 0 GENe SNC
tcp 63075 0 GENe SNC
tcp 63079 0 GENe SNC
tcp 63082 0 GENe SNC
tcp 63088 0 GENe SNC
tcp 63094 0 GENe SNC
tcp 65207 0 Rockwell FactoryTalk VantagePoint Incuity Server Advertiser Rockwell Automation
tcp 65443 0 GENe SNC
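Review bot: The entry `tcp 56001 0 OASyS SCADA AVEVA` appears on two consecutive lines at the start of the OASyS 56xxx block; the Zeek table this feeds is keyed on proto+dport+sport, so the second line is a duplicate index that should be dropped (the input framework may report it, and it adds nothing). Many `name` values contain spaces (for example `Mitsubishi Electronic MELSEC-Q SLAVE`), so the file only parses into five columns if the separator is a tab; since that is invisible in the rendered page, a short note next to the `#fields` header, such as `# fields are tab-separated; name/category may contain spaces, '-' means unset`, would protect the file against an editor normalising whitespace. The comment should be placed so that the `#fields` line stays the first line if the reader requires that; I cannot tell from the hunk whether it does.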


@@ -0,0 +1,117 @@
##! Zeek local site policy. Customize as appropriate.
##!
##! See https://github.com/zeek/zeekctl
##! https://docs.zeek.org/en/stable/script-reference/scripts.html
##! https://github.com/zeek/zeek/blob/master/scripts/site/local.zeek
global disable_hash_all_files = (getenv("ZEEK_DISABLE_HASH_ALL_FILES") == "") ? F : T;
global disable_log_passwords = (getenv("ZEEK_DISABLE_LOG_PASSWORDS") == "") ? F : T;
global disable_ssl_validate_certs = (getenv("ZEEK_DISABLE_SSL_VALIDATE_CERTS") == "") ? F : T;
global disable_track_all_assets = (getenv("ZEEK_DISABLE_TRACK_ALL_ASSETS") == "") ? F : T;
global disable_best_guess_ics = (getenv("ZEEK_DISABLE_BEST_GUESS_ICS") == "") ? F : T;
global disable_spicy_dhcp = (getenv("ZEEK_DISABLE_SPICY_DHCP") == "") ? F : T;
global disable_spicy_dns = (getenv("ZEEK_DISABLE_SPICY_DNS") == "") ? F : T;
global disable_spicy_http = (getenv("ZEEK_DISABLE_SPICY_HTTP") == "") ? F : T;
global disable_spicy_ldap = (getenv("ZEEK_DISABLE_SPICY_LDAP") == "") ? F : T;
global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == "") ? F : T;
global disable_spicy_openvpn = (getenv("ZEEK_DISABLE_SPICY_OPENVPN") == "") ? F : T;
global disable_spicy_tftp = (getenv("ZEEK_DISABLE_SPICY_TFTP") == "") ? F : T;
global disable_spicy_wireguard = (getenv("ZEEK_DISABLE_SPICY_WIREGUARD") == "") ? F : T;
redef Broker::default_listen_address = "127.0.0.1";
redef ignore_checksums = T;
@load tuning/defaults
@load misc/scan
@load frameworks/software/vulnerable
@load frameworks/software/version-changes
@load frameworks/software/windows-version-detection
@load-sigs frameworks/signatures/detect-windows-shells
@load protocols/conn/known-hosts
@load protocols/conn/known-services
@load protocols/dhcp/software
@load protocols/dns/detect-external-names
@load protocols/ftp/detect
@load protocols/ftp/detect-bruteforcing.zeek
@load protocols/ftp/software
@load protocols/http/detect-sqli
@load protocols/http/detect-webapps
@load protocols/http/software
@load protocols/http/software-browser-plugins
@load protocols/mysql/software
@load protocols/ssl/weak-keys
@load protocols/smb/log-cmds
@load protocols/smtp/software
@load protocols/ssh/detect-bruteforcing
@load protocols/ssh/geo-data
@load protocols/ssh/interesting-hostnames
@load protocols/ssh/software
@load protocols/ssl/known-certs
@load protocols/ssl/log-hostcerts-only
@if (!disable_ssl_validate_certs)
@load protocols/ssl/validate-certs
@endif
@if (!disable_track_all_assets)
@load tuning/track-all-assets.zeek
@endif
@if (!disable_hash_all_files)
@load frameworks/files/hash-all-files
@endif
@load policy/protocols/conn/vlan-logging
@load policy/protocols/conn/mac-logging
@load policy/protocols/modbus/known-masters-slaves
@load policy/protocols/mqtt
@load ./login.zeek
@if (!disable_best_guess_ics)
@load ./guess.zeek
@endif
@load packages
event zeek_init() &priority=-5 {
if (disable_spicy_dhcp) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DHCP);
}
if (disable_spicy_dns) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DNS);
}
if (disable_spicy_http) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_HTTP);
}
if (disable_spicy_ipsec) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_TCP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_UDP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_IKE_UDP);
}
if (disable_spicy_ldap) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_LDAP_TCP);
}
if (disable_spicy_openvpn) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_MD5);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA1);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA256);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA512);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_MD5);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA1);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA256);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA512);
}
if (disable_spicy_tftp) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_TFTP);
}
if (disable_spicy_wireguard) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_WIREGUARD);
}
}
@if (!disable_log_passwords)
redef HTTP::default_capture_password = T;
redef FTP::default_capture_password = T;
redef SOCKS::default_capture_password = T;
redef SNIFFPASS::log_password_plaintext = T;
@endif
redef SNIFFPASS::notice_log_enable = F;
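Review bot: Every `disable_*` global at the top of the hunk treats any non-empty value of its environment variable as true, so `ZEEK_DISABLE_SSL_VALIDATE_CERTS=false` or `=0` switches certificate validation off and `ZEEK_DISABLE_LOG_PASSWORDS=false` suppresses password logging, the opposite of what an operator writing those values intends. The cheapest fix is to document it once, `# any non-empty value (including "0" or "false") counts as set`; the better one is to normalise the check in a single helper and use it for all thirteen flags, as sketched below (this does change behaviour for the literal values "0", "false" and "no", so it needs a changelog line). The `@if (!disable_log_passwords)` block at the end of the hunk turns cleartext credential capture on by default for HTTP, FTP, SOCKS and SNIFFPASS; that default deserves a sentence in the file header so deployments know which variable to set before logs are shipped anywhere.
```zeek
# Treat only an affirmative value as "set": an unset or empty variable,
# "0", "false" and "no" leave the feature enabled.
function env_flag(name: string): bool {
  local v = to_lower(getenv(name));
  return (v != "" && v != "0" && v != "false" && v != "no");
}
global disable_hash_all_files = env_flag("ZEEK_DISABLE_HASH_ALL_FILES");
# … unchanged: the remaining disable_* globals, each switched to env_flag(...) …
```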


@@ -0,0 +1,253 @@
module Login;
# log telnet, rlogin, and rsh events to login.log
export {
redef enum Log::ID += {
## The logging stream identifier
Log_LOGIN
};
type Info : record {
## Time the event occurred
ts : time &log;
## Unique ID for the connection
uid : string &log;
## The connection's 4-tuple of endpoint addresses/port
id : conn_id &log;
## proto (telnet, rlogin, or rsh)
proto : string &log &optional;
## login_success event was seen (successful login)
success : bool &log &default = F;
## login_confused event was seen (successful login)
confused : bool &log &default = F;
## username given for login attempt
user : string &log &optional;
## client_user given for login attempt (empty for telnet, set for rlogin)
client_user : string &log &optional;
## password given for login attempt
password : string &log &optional;
## whether or not a line has been written to login.log
logged : bool &default = F;
};
## Event that can be handled to access the :zeek:type:`Login::Info`
## record as it is sent on to the logging framework.
global log_login : event(rec : Info);
}
# Add the state tracking information variable to the connection record
redef record connection += {
login : Info &optional;
};
###############################################
# constants borrowed from the old Bro 1.5 login.bro required to make some of the telnet/rlogin/rsh events work correctly
# see https://github.com/zeek/zeek/blob/release/1.5/policy/login.bro#L178
# https://github.com/reservoirlabs/brorefguide/blob/master/analysis.texi#L3850
redef skip_authentication = { "WELCOME TO THE BERKELEY PUBLIC LIBRARY", };
redef direct_login_prompts = { "TERMINAL?", };
redef login_prompts = {
"Login:",
"login:",
"Name:",
"Username:",
"User:",
"Member Name",
"User Access Verification",
"Cisco Systems Console",
direct_login_prompts
};
redef login_non_failure_msgs = {
"Failures",
"failures", # probably is "<n> failures since last login"
"failure since last successful login",
"failures since last successful login",
};
redef login_non_failure_msgs = {
"Failures",
"failures", # probably is "<n> failures since last login"
"failure since last successful login",
"failures since last successful login",
} &redef;
redef login_failure_msgs = {
"invalid",
"Invalid",
"incorrect",
"Incorrect",
"failure",
"Failure",
# "Unable to authenticate",
# "unable to authenticate",
"User authorization failure",
"Login failed",
"INVALID",
"Sorry.",
"Sorry,",
};
const router_prompts: set[string] &redef;
redef login_success_msgs = {
"Last login",
"Last successful login",
"Last successful login",
"checking for disk quotas",
"unsuccessful login attempts",
"failure since last successful login",
"failures since last successful login",
router_prompts,
};
redef login_timeouts = {
"timeout",
"timed out",
"Timeout",
"Timed out",
"Error reading command input", # VMS
};
# end borrowed constants from Bro 1.5 login.bro
###############################################
# telnet, rlogin, rsh
const telnet_port = 23/tcp;
const telnet_ports = { telnet_port };
const rlogin_port = 513/tcp;
const rlogin_ports = { rlogin_port };
const rsh_port = 514/tcp;
const rsh_ports = { rsh_port };
redef likely_server_ports += { telnet_ports, rlogin_ports, rsh_ports };
# set_login_session - if has not yet been registered in the connection, instantiate
# the Info record and assign in c$login
function set_login_session(c : connection) {
if ( ! c?$login ) {
local s : Info = [$ts = network_time(), $uid = c$uid, $id = c$id];
switch c$id$resp_p {
case telnet_port:
s$proto = "telnet";
add c$service["telnet"];
break;
case rlogin_port:
s$proto = "rlogin";
add c$service["rlogin"];
break;
case rsh_port:
s$proto = "rsh";
add c$service["rsh"];
break;
}
c$login = s;
}
}
# login_message - log to login.log
function login_message(s : Info) {
# strip some values that can happen in a "confused" state that aren't really valid values
if (( s?$user ) && (( s$user == "" ) || ( s$user == "<none>" ) || ( s$user == "<timeout>" )))
delete s$user;
if (( s?$client_user ) && (( s$client_user == "" ) || ( s$client_user == "<none>" ) || ( s$client_user == "<timeout>" )))
delete s$client_user;
if (( s?$password ) && (( s$password == "" ) || ( s$password == "<none>" ) || ( s$password == "<timeout>" )))
delete s$password;
if (( s?$proto ) && ( s$proto == "" ))
delete s$proto;
s$ts = network_time();
Log::write(Login::Log_LOGIN, s);
s$logged = T;
}
# create log stream for login.log and register telnet, rlogin, and rsh analyzers
event zeek_init() &priority = 5 {
Log::create_stream(Login::Log_LOGIN, [$columns = Info, $ev = log_login, $path = "login"]);
Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, telnet_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_RLOGIN, rlogin_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_RSH, rsh_ports);
}
# login_confused - Generated when tracking of Telnet/Rlogin authentication failed
# https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.html#id-login_confused
event login_confused(c : connection, msg : string, line : string) &priority = 5 {
# print "login_confused", msg, line;
set_login_session(c);
c$login$confused = T;
}
# login_failure - Generated when tracking of Telnet/Rlogin authentication failed
# https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.html#id-login_failure
event login_failure(c : connection, user : string, client_user : string, password : string, line : string) &priority = 5 {
# print "login_failure", user, client_user, password, line;
set_login_session(c);
if ((!c$login?$user) || (c$login$user == ""))
c$login$user = user;
if ((!c$login?$client_user) || (c$login$client_user == ""))
c$login$client_user = client_user;
if ((!c$login?$password) || (c$login$password == ""))
c$login$password = password;
login_message(c$login);
}
# login_success - Generated for successful Telnet/Rlogin logins
# https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.html#id-login_success
event login_success(c : connection, user : string, client_user : string, password : string, line : string) &priority = 5 {
# print "login_success", user, client_user, password, line;
set_login_session(c);
c$login$success = T;
c$login$user = user;
c$login$client_user = client_user;
# it appears for a successful login with rsh where client_user was checked, what we're getting in
# the "password" field is actually not the password, but the first line of data
if ((c$login$proto != "rsh") || (c$login$client_user == ""))
c$login$password = password;
login_message(c$login);
}
event connection_state_remove(c : connection) &priority = -5 {
if (c?$login) {
if ( c$login$logged == F) {
login_message(c$login);
}
delete c$login;
}
}
# for testing:
# for file in /host/telnet/*; do cd /tmp; mkdir -p /host/logs/"$(basename "$file")"; /bin/rm -f /host/logs/"$(basename "$file")"/*; cd /host/logs/"$(basename "$file")"; zeek -r "$file" local > debug_output.txt; cd /tmp; done
# event activating_encryption(c: connection) { print "activating_encryption"; }
# event authentication_accepted(name: string, c: connection) { print "authentication_accepted", name; }
# event authentication_rejected(name: string, c: connection) { print "authentication_rejected", name; }
# event authentication_skipped(c: connection) { print "authentication_skipped"; }
# event bad_option(c: connection) { print "bad_option"; }
# event bad_option_termination(c: connection) { print "bad_option_termination"; }
# event inconsistent_option(c: connection) { print "inconsistent_option"; }
# event login_confused_text(c: connection, line: string) { print "login_confused_text", line; }
# event login_display(c: connection, display: string) { print "login_display", display; }
# event login_input_line(c: connection, line: string) { print "login_input_line", line; }
# event login_output_line(c: connection, line: string) { print "login_output_line", line; }
# event login_terminal(c: connection, terminal: string) { print "login_terminal", terminal; }
# event rsh_reply(c: connection, client_user: string, server_user: string, line: string) { print "rsh_reply", client_user, server_user, line; }
# event rsh_request(c: connection, client_user: string, server_user: string, line: string; new_session: bool) { print "rsh_request", client_user, server_user, line, new_session; }
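Review bot: `login_success` evaluates `c$login$proto != "rsh"`, but `proto` is `&optional` and `set_login_session` only assigns it when `resp_p` is exactly 23, 513 or 514/tcp, so should the analyzer ever be attached on another port the comparison dereferences an unset field; guard it first, `if ((!c$login?$proto) || (c$login$proto != "rsh") || (c$login$client_user == ""))`. `Login::Info` writes `password` to login.log unconditionally, whereas local.zeek in this same commit gates HTTP/FTP/SOCKS/SNIFFPASS password capture behind `disable_log_passwords`; applying the same check before the `$password` assignments in `login_failure` and `login_success` keeps the credential-logging policy consistent across the sensor. Separately, `redef login_non_failure_msgs` is declared twice with identical contents, the second copy carrying a stray `&redef` on a redef statement, and `"Last successful login"` is listed twice in `login_success_msgs`; the duplicates should be removed.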


@@ -0,0 +1,10 @@
[Desktop Entry]
Version=1.0
Name=Configure Capture and Forwarding
Exec=/usr/bin/terminator --maximise -T "Configure Capture and Forwarding" -x /usr/local/bin/configure-capture.py
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=network-receive.png
Categories=Network;
StartupNotify=true
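Review bot: `Icon=network-receive.png` gives a themed icon name with a file extension; a non-absolute `Icon` value is resolved through the icon-theme lookup, which expects the bare name, so `Icon=network-receive` is the portable form and some launchers will not find the `.png` variant. The same applies to `Icon=network-wired.png` in the Configure Interfaces entry and to `Icon=reload.png` and `Icon=view-restore.png` in the Restart and Status entries; the README entry's `Icon=help-browser` already uses the bare form.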


@@ -0,0 +1,10 @@
[Desktop Entry]
Version=1.0
Name=Configure Interfaces and Hostname
Exec=/usr/bin/terminator --maximise -T "Configure Interfaces and Hostname" -x su -l -c /usr/local/bin/configure-interfaces.py
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=network-wired.png
Categories=Network;
StartupNotify=true
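Review bot: The `Exec` line escalates with `su -l -c /usr/local/bin/configure-interfaces.py`, so whoever sits at this desktop must know the root password and the switch is recorded only as a generic su to root, whereas the sibling Configure Capture entry runs its script unprivileged. If root is genuinely needed for the interface and hostname changes, a narrowly scoped sudoers rule for that one script invoked via `sudo` would keep the root password out of the kiosk session and give an auditable record of which user ran it. Whether the sensor user already has such a rule is not visible in this commit.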


@@ -0,0 +1,11 @@
[Desktop Entry]
Version=1.0
Name=Sensor Kiosk
Exec=/opt/firefox/firefox --setDefaultBrowser --no-remote --private --kiosk http://127.0.0.1:5000
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=/usr/share/images/hedgehog/hedgehog-color-small.png
Categories=Network;
StartupWMClass=Firefox
StartupNotify=true


@@ -0,0 +1,11 @@
[Desktop Entry]
Version=1.0
Name=Sensor README
Exec=/opt/firefox/firefox --setDefaultBrowser file:////usr/share/doc/hedgehog/HedgehogLinux.html
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=help-browser
Categories=Network;
StartupWMClass=Firefox
StartupNotify=true
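Review bot: The README URL `file:////usr/share/doc/hedgehog/HedgehogLinux.html` has four slashes; the canonical file-URL form is scheme, empty authority, then the absolute path, i.e. `file:///usr/share/doc/hedgehog/HedgehogLinux.html`. Firefox tolerates the extra slash, but the entry should not depend on that leniency: `Exec=/opt/firefox/firefox --setDefaultBrowser file:///usr/share/doc/hedgehog/HedgehogLinux.html`. Passing `--setDefaultBrowser` on every launch of a help page is also a side effect unrelated to opening the README and could be dropped unless it is deliberately reused from the kiosk entry.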


@@ -0,0 +1,10 @@
[Desktop Entry]
Version=1.0
Name=Restart Sensor Services
Exec=/usr/bin/terminator -T "Restart Sensor Services" -x bash -c "echo 'Stopping services...' && ( /opt/sensor/sensor_ctl/shutdown >/dev/null 2>&1 || true ) && echo 'Please wait...' && sleep 30 && echo 'Starting services...' && /opt/sensor/sensor_ctl/supervisor.sh"
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=reload.png
Categories=Network;
StartupNotify=true
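Review bot: The `Exec` chain discards any failure of `/opt/sensor/sensor_ctl/shutdown` (`>/dev/null 2>&1 || true`) and then waits a fixed `sleep 30` before running `supervisor.sh`, so a shutdown that fails or takes longer than 30 s silently leads to a start attempt while services are still running. Consider letting the shutdown's stderr reach the terminal the user is already watching and polling `/opt/sensor/sensor_ctl/status` (the script used by the Sensor Service Status entry) until it reports the services stopped, with the 30 s as an upper bound rather than the only wait. What `status` prints and how it exits is not visible in this commit, so the exact loop condition needs confirming against that script.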


@@ -0,0 +1,10 @@
[Desktop Entry]
Version=1.0
Name=Sensor Service Status
Exec=/usr/bin/terminator -T "Sensor Service Status" -x bash -c "/opt/sensor/sensor_ctl/status && echo '' && read -p 'Press Enter to Continue'"
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=view-restore.png
Categories=Network;
StartupNotify=true


@@ -0,0 +1,142 @@
{
"version": "7.6.2",
"objects": [
{
"id": "072befc0-ffba-11e8-a854-ad7782ef6a55",
"type": "dashboard",
"updated_at": "2019-12-23T19:07:39.093Z",
"version": "WzE2MDIsMV0=",
"attributes": {
"description": "Summary of Linux kernel audit events.",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"version\":true,\"highlightAll\":true}"
},
"optionsJSON": "{\"darkTheme\":true,\"useMargins\":false}",
"panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":28,\"h\":26,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":26,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelIndex\":\"4\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":38,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelIndex\":\"5\",\"embeddableConfig\":{\"columns\":[\"beat.hostname\",\"auditd.summary.actor.primary\",\"auditd.summary.actor.secondary\",\"auditd.summary.object.type\",\"event.action\",\"auditd.summary.object.primary\",\"auditd.summary.object.secondary\",\"auditd.summary.how\",\"auditd.result\"]},\"panelRefName\":\"panel_2\"}]",
"timeRestore": false,
"title": "[Auditbeat auditd] Overview dashboard",
"version": 1
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "97680df0-c1c0-11e7-8995-936807a28b16"
},
{
"name": "panel_1",
"type": "visualization",
"id": "08679220-c25a-11e7-8692-232bd1143e8a"
},
{
"name": "panel_2",
"type": "search",
"id": "0f10c430-c1c3-11e7-8995-936807a28b16"
}
],
"migrationVersion": {
"dashboard": "7.3.0"
}
},
{
"id": "97680df0-c1c0-11e7-8995-936807a28b16",
"type": "visualization",
"updated_at": "2019-12-23T19:07:39.093Z",
"version": "WzE1OTksMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"title": "Event Actions [Auditbeat Auditd Overview]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"type\":\"metrics\",\"params\":{\"bar_color_rules\":[{\"id\":\"5bfc71a0-c1bd-11e7-938f-ab0645b6c431\"}],\"gauge_color_rules\":[{\"id\":\"5d20a650-c1bd-11e7-938f-ab0645b6c431\"}],\"background_color_rules\":[{\"id\":\"58c95a20-c1bd-11e7-938f-ab0645b6c431\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"auditbeat-*\",\"gauge_inner_width\":10,\"series\":[{\"line_width\":1,\"terms_field\":\"event.action\",\"point_size\":1,\"color\":\"#68BC00\",\"label\":\"Actions\",\"metrics\":[{\"type\":\"count\",\"id\":\"6b9fb2d0-c1bc-11e7-938f-ab0645b6c431\"}],\"seperate_axis\":0,\"split_mode\":\"terms\",\"chart_type\":\"line\",\"stacked\":\"none\",\"axis_position\":\"right\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"fill\":0.5}],\"axis_formatter\":\"number\",\"interval\":\"auto\",\"filter\":{\"query\":\"event.module:auditd\",\"language\":\"lucene\"},\"legend_position\":\"left\",\"show_legend\":1,\"show_grid\":1,\"gauge_style\":\"half\",\"axis_position\":\"left\",\"gauge_width\":10,\"type\":\"timeseries\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\"},\"aggs\":[],\"title\":\"Event Actions [Auditbeat Auditd Overview]\"}"
},
"references": [],
"migrationVersion": {
"visualization": "7.4.2"
}
},
{
"id": "08679220-c25a-11e7-8692-232bd1143e8a",
"type": "visualization",
"updated_at": "2019-12-23T19:07:39.093Z",
"version": "WzE2MDAsMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
},
"title": "Event Categories [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"type\":\"pie\",\"params\":{\"legendPosition\":\"right\",\"type\":\"pie\",\"isDonut\":true,\"addTooltip\":true,\"addLegend\":true},\"aggs\":[{\"params\":{},\"type\":\"count\",\"enabled\":true,\"id\":\"1\",\"schema\":\"metric\"},{\"params\":{\"orderBy\":\"1\",\"field\":\"event.category\",\"customLabel\":\"Category\",\"order\":\"desc\",\"size\":5},\"type\":\"terms\",\"enabled\":true,\"id\":\"2\",\"schema\":\"segment\"},{\"params\":{\"orderBy\":\"1\",\"field\":\"event.action\",\"customLabel\":\"Action\",\"order\":\"desc\",\"size\":20},\"type\":\"terms\",\"enabled\":true,\"id\":\"3\",\"schema\":\"segment\"}],\"title\":\"Event Categories [Auditbeat Auditd]\"}",
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "auditbeat-*"
},
{
"type": "search",
"name": "search_0",
"id": "0f10c430-c1c3-11e7-8995-936807a28b16"
}
],
"migrationVersion": {
"visualization": "7.4.2"
}
},
{
"id": "0f10c430-c1c3-11e7-8995-936807a28b16",
"type": "search",
"updated_at": "2019-12-23T19:07:39.093Z",
"version": "WzE2MDEsMV0=",
"attributes": {
"columns": [
"beat.hostname",
"auditd.summary.actor.primary",
"auditd.summary.actor.secondary",
"event.action",
"auditd.summary.object.type",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.summary.how",
"auditd.result"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"match\":{\"event.module\":{\"query\":\"auditd\",\"type\":\"phrase\"}}},\"meta\":{\"value\":\"auditd\",\"disabled\":false,\"alias\":null,\"params\":{\"query\":\"auditd\",\"type\":\"phrase\"},\"key\":\"event.module\",\"negate\":false,\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"}}],\"version\":true,\"highlightAll\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
},
"sort": [
[
"@timestamp",
"desc"
]
],
"title": "Audit Event Table [Auditbeat Auditd]",
"version": 1
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "auditbeat-*"
},
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"type": "index-pattern",
"id": "auditbeat-*"
}
],
"migrationVersion": {
"search": "7.4.0"
}
}
]
}


@@ -0,0 +1,167 @@
{
"version": "7.6.2",
"objects": [
{
"id": "1ca59220-ffb0-11e8-a854-ad7782ef6a55",
"type": "dashboard",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzcsMV0=",
"attributes": {
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
},
"optionsJSON": "{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":false}",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":41,\"i\":\"1\"},\"panelIndex\":\"1\",\"title\":\"Syslog Events\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":27,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":17,\"y\":0,\"w\":13,\"h\":27,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":17,\"h\":27,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"timeRestore": false,
"title": "[Filebeat] Syslog dashboard",
"version": 1
},
"references": [
{
"name": "panel_0",
"type": "search",
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55"
},
{
"name": "panel_1",
"type": "visualization",
"id": "462e04d0-ffb3-11e8-a854-ad7782ef6a55"
},
{
"name": "panel_2",
"type": "visualization",
"id": "cc3f9cf0-ffb3-11e8-a854-ad7782ef6a55"
},
{
"name": "panel_3",
"type": "visualization",
"id": "96e77ef0-ffb4-11e8-a854-ad7782ef6a55"
}
],
"migrationVersion": {
"dashboard": "7.3.0"
}
},
{
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55",
"type": "search",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzMsMV0=",
"attributes": {
"columns": [
"host.name",
"syslog.severity_label",
"syslog.facility_label",
"process.program",
"message"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"_exists_:syslog\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
},
"sort": [
[
"@timestamp",
"desc"
]
],
"title": "[Filebeat] Syslog search",
"version": 1
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "filebeat-*"
}
],
"migrationVersion": {
"search": "7.4.0"
}
},
{
"id": "462e04d0-ffb3-11e8-a854-ad7782ef6a55",
"type": "visualization",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzQsMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "[Filebeat] Syslog by Host Timeline",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"[Filebeat] Syslog by Host Timeline\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Host\"}}]}",
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55"
}
],
"migrationVersion": {
"visualization": "7.4.2"
}
},
{
"id": "cc3f9cf0-ffb3-11e8-a854-ad7782ef6a55",
"type": "visualization",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzUsMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "[Filebeat] Syslog Process Cloud",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"[Filebeat] Syslog Process Cloud\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"log\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"process.program\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Process\"}}]}",
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55"
}
],
"migrationVersion": {
"visualization": "7.4.2"
}
},
{
"id": "96e77ef0-ffb4-11e8-a854-ad7782ef6a55",
"type": "visualization",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzYsMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "[Filebeat] Syslog Facility by Host Pie Chart",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"[Filebeat] Syslog Facility by Host Pie Chart\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":false,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog.facility_label\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Syslog Facility\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Host\"}}]}",
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55"
}
],
"migrationVersion": {
"visualization": "7.4.2"
}
}
]
}


@@ -0,0 +1,112 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"protologbeat-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Temperature Timeline",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Temperature Timeline\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Max cpu_temp_avg\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Maximum CPU °C\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":false,\"interpolate\":\"cardinal\"},{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":false,\"interpolate\":\"cardinal\",\"data\":{\"id\":\"3\",\"label\":\"Maximum Other °C\"},\"valueAxis\":\"ValueAxis-1\"},{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":false,\"interpolate\":\"cardinal\",\"data\":{\"id\":\"4\",\"label\":\"Maximum GPU °C\"},\"valueAxis\":\"ValueAxis-1\"},{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":false,\"interpolate\":\"cardinal\",\"data\":{\"id\":\"8\",\"label\":\"Maximum Storage °C\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"cpu_temp_avg\",\"customLabel\":\"Maximum CPU 
°C\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-12h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"time_zone\":\"America/Denver\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"other_temp_avg\",\"customLabel\":\"Maximum Other °C\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"gpu_temp_avg\",\"customLabel\":\"Maximum GPU °C\"}},{\"id\":\"8\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"hdd_temp_avg\",\"customLabel\":\"Maximum Storage °C\"}}]}"
},
"id": "752a7e30-03af-11e9-bf7f-6138c205dfb3",
"type": "visualization",
"updated_at": "2018-12-20T18:16:43.966Z",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Host Chooser",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Host Chooser\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1545248066352\",\"indexPattern\":\"protologbeat-*\",\"fieldName\":\"host.name\",\"parent\":\"\",\"label\":\"Host\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"}}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}"
},
"id": "293d13a0-03c5-11e9-b42b-a7822d24ca20",
"type": "visualization",
"updated_at": "2018-12-19T19:34:54.681Z",
"version": 1
},
{
"attributes": {
"columns": [
"host.name",
"cpu_temp_avg",
"hdd_temp_avg",
"other_temp_avg"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"protologbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Protologbeat search",
"version": 1
},
"id": "65345580-03c5-11e9-b42b-a7822d24ca20",
"type": "search",
"updated_at": "2018-12-20T18:16:42.939Z",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"protologbeat-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "CPU and Storage Temperature Gauge",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 60\":\"rgb(0,104,55)\",\"60 - 70\":\"rgb(255,255,190)\",\"70 - 90\":\"rgb(165,0,38)\"}}}",
"version": 1,
"visState": "{\"title\":\"CPU and Storage Temperature Gauge\",\"type\":\"gauge\",\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"verticalSplit\":false,\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":60},{\"from\":60,\"to\":70},{\"from\":70,\"to\":90}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"\",\"fontSize\":60,\"labelColor\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"cpu_temp_avg\",\"customLabel\":\"Maximum CPU °C\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"hdd_temp_avg\",\"customLabel\":\"Maximum Storage °C\"}}]}"
},
"id": "db628ba0-03c5-11e9-b42b-a7822d24ca20",
"type": "visualization",
"updated_at": "2018-12-20T18:16:43.991Z",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"protologbeat-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Maximum Sensor CPU and Storage Temperatures",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Maximum Sensor CPU and Storage Temperatures\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"defaultYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Maximum CPU °C\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Maximum CPU °C\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"data\":{\"id\":\"3\",\"label\":\"Maximum Storage °C\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"orderBucketsBySum\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"cpu_temp_avg\",\"customLabel\":\"Maximum CPU °C\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Sensor Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"hdd_temp_avg\",\"customLabel\":\"Maximum Storage °C\"}}]}"
},
"id": "923c3ce0-03c6-11e9-b42b-a7822d24ca20",
"type": "visualization",
"updated_at": "2018-12-20T18:16:43.961Z",
"version": 1
},
{
"attributes": {
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
},
"optionsJSON": "{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":false}",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":31,\"w\":48,\"h\":35,\"i\":\"1\"},\"id\":\"752a7e30-03af-11e9-bf7f-6138c205dfb3\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.5.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":20,\"h\":11,\"i\":\"2\"},\"id\":\"293d13a0-03c5-11e9-b42b-a7822d24ca20\",\"panelIndex\":\"2\",\"title\":\"Sensor Filter\",\"type\":\"visualization\",\"version\":\"6.5.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":66,\"w\":48,\"h\":29,\"i\":\"3\"},\"id\":\"65345580-03c5-11e9-b42b-a7822d24ca20\",\"panelIndex\":\"3\",\"title\":\"Sensor Metrics\",\"type\":\"search\",\"version\":\"6.5.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":11,\"w\":20,\"h\":20,\"i\":\"4\"},\"id\":\"db628ba0-03c5-11e9-b42b-a7822d24ca20\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.5.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":20,\"y\":0,\"w\":28,\"h\":31,\"i\":\"5\"},\"id\":\"923c3ce0-03c6-11e9-b42b-a7822d24ca20\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.5.3\"}]",
"timeRestore": false,
"title": "Sensor Temperature dashboard",
"version": 1
},
"id": "3c519150-03c5-11e9-b42b-a7822d24ca20",
"type": "dashboard",
"updated_at": "2018-12-20T18:16:43.882Z",
"version": 1
}
],
"version": "6.5.3"
}
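Review bot: The date_histogram inside the Temperature Timeline `visState` pins `"time_zone":"America/Denver"`, so the panel buckets in that zone no matter where the viewer is; the two other dashboards in this commit leave `time_zone` unset and let Kibana use the browser's zone, and this one should match them by dropping the key. The same `visState` string appears to contain a raw line break just before `°C` in the `Maximum CPU` label; if that newline is really in the file the export is not valid JSON and will fail to import, though it may be only a rendering artifact of this page and should be checked in the raw file. This export is also tagged `"version": "6.5.3"` while the sibling exports are 7.6.2, so it is worth confirming it imports cleanly on the Kibana version the stack actually runs.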