From ad727e11e979bb86e03bef15da2df05d79e31d9e Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 10 May 2022 03:39:16 +0000
Subject: [PATCH] adding additional zeek categories to sort out false positive matching
---
 tools/config/hawk.yml | 301 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 301 insertions(+)
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 1a0bb8902..42ff226c1 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -235,6 +235,307 @@ logsources:
 conditions:
 vendor_name: "Zeek"
 vendor_type: "IDS"
+ zeek-category-firewall:
+ category: firewall
+ rewrite:
+ product: zeek
+ service: conn
+ zeek-category-dns:
+ category: dns
+ rewrite:
+ product: zeek
+ service: dns
+ zeek-category-proxy:
+ category: proxy
+ rewrite:
+ product: zeek
+ service: http
+ zeek-rdp:
+ product: zeek
+ service: rdp
+ conditions:
+ hawk_source: "rdp.log"
+ zeek-conn:
+ product: zeek
+ service: conn
+ conditions:
+ hawk_source: "conn.log"
+ zeek-conn_long:
+ product: zeek
+ service: conn_long
+ conditions:
+ hawk_source: "conn_long.log"
+ zeek-dce_rpc:
+ product: zeek
+ service: dce_rpc
+ conditions:
+ hawk_source: "dce_rpc.log"
+ zeek-dns:
+ product: zeek
+ service: dns
+ conditions:
+ hawk_source: "dns.log"
+ zeek-dnp3:
+ product: zeek
+ service: dnp3
+ conditions:
+ hawk_source: "dnp3.log"
+ zeek-dpd:
+ product: zeek
+ service: dpd
+ conditions:
+ hawk_source: "dpd.log"
+ zeek-files:
+ product: zeek
+ service: files
+ conditions:
+ hawk_source: "files.log"
+ zeek-ftp:
+ product: zeek
+ service: ftp
+ conditions:
+ hawk_source: "ftp.log"
+ zeek-gquic:
+ product: zeek
+ service: gquic
+ conditions:
+ hawk_source: "gquic.log"
+ zeek-http:
+ product: zeek
+ service: http
+ conditions:
+ hawk_source: "http.log"
+ zeek-http2:
+ product: zeek
+ service: http2
+ conditions:
+ hawk_source: "http2.log"
+ zeek-intel:
+ product: zeek
+ service: intel
+ conditions:
+ hawk_source: "intel.log"
+ zeek-irc:
+ product: zeek
+ service: irc
+ conditions:
+ hawk_source: "irc.log"
+ zeek-kerberos:
+ product: zeek
+ service: kerberos
+ conditions:
+ hawk_source: "kerberos.log"
+ zeek-known_certs:
+ product: zeek
+ service: known_certs
+ conditions:
+ hawk_source: "known_certs.log"
+ zeek-known_hosts:
+ product: zeek
+ service: known_hosts
+ conditions:
+ hawk_source: "known_hosts.log"
+ zeek-known_modbus:
+ product: zeek
+ service: known_modbus
+ conditions:
+ hawk_source: "known_modbus.log"
+ zeek-known_services:
+ product: zeek
+ service: known_services
+ conditions:
+ hawk_source: "known_services.log"
+ zeek-modbus:
+ product: zeek
+ service: modbus
+ conditions:
+ hawk_source: "modbus.log"
+ zeek-modbus_register_change:
+ product: zeek
+ service: modbus_register_change
+ conditions:
+ hawk_source: "modbus_register_change.log"
+ zeek-mqtt_connect:
+ product: zeek
+ service: mqtt_connect
+ conditions:
+ hawk_source: "mqtt_connect.log"
+ zeek-mqtt_publish:
+ product: zeek
+ service: mqtt_publish
+ conditions:
+ hawk_source: "mqtt_publish.log"
+ zeek-mqtt_subscribe:
+ product: zeek
+ service: mqtt_subscribe
+ conditions:
+ hawk_source: "mqtt_subscribe.log"
+ zeek-mysql:
+ product: zeek
+ service: mysql
+ conditions:
+ hawk_source: "mysql.log"
+ zeek-notice:
+ product: zeek
+ service: notice
+ conditions:
+ hawk_source: "notice.log"
+ zeek-ntlm:
+ product: zeek
+ service: ntlm
+ conditions:
+ hawk_source: "ntlm.log"
+ zeek-ntp:
+ product: zeek
+ service: ntp
+ conditions:
+ hawk_source: "ntp.log"
+ zeek-ocsp:
+ product: zeek
+ service: ntp
+ conditions:
+ hawk_source: "ocsp.log"
+ zeek-pe:
+ product: zeek
+ service: pe
+ conditions:
+ hawk_source: "pe.log"
+ zeek-pop3:
+ product: zeek
+ service: pop3
+ conditions:
+ hawk_source: "pop3.log"
+ zeek-radius:
+ product: zeek
+ service: radius
+ conditions:
+ hawk_source: "radius.log"
+ zeek-rdp:
+ product: zeek
+ service: rdp
+ conditions:
+ hawk_source: "rdp.log"
+ zeek-rfb:
+ product: zeek
+ service: rfb
+ conditions:
+ hawk_source: "rfb.log"
+ zeek-sip:
+ product: zeek
+ service: sip
+ conditions:
+ hawk_source: "sip.log"
+ zeek-smb_files:
+ product: zeek
+ service: smb_files
+ conditions:
+ hawk_source: "smb_files.log"
+ zeek-smb_mapping:
+ product: zeek
+ service: smb_mapping
+ conditions:
+ hawk_source: "smb_mapping.log"
+ zeek-smtp:
+ product: zeek
+ service: smtp
+ conditions:
+ hawk_source: "smtp.log"
+ zeek-smtp_links:
+ product: zeek
+ service: smtp_links
+ conditions:
+ hawk_source: "smtp_links.log"
+ zeek-snmp:
+ product: zeek
+ service: snmp
+ conditions:
+ hawk_source: "snmp.log"
+ zeek-socks:
+ product: zeek
+ service: socks
+ conditions:
+ hawk_source: "socks.log"
+ zeek-software:
+ product: zeek
+ service: software
+ conditions:
+ hawk_source: "software.log"
+ zeek-ssh:
+ product: zeek
+ service: ssh
+ conditions:
+ hawk_source: "ssh.log"
+ zeek-ssl:
+ product: zeek
+ service: ssl
+ conditions:
+ hawk_source: "tls.log"
+ zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that
+ product: zeek
+ service: tls
+ conditions:
+ hawk_source: "tls.log"
+ zeek-syslog:
+ product: zeek
+ service: syslog
+ conditions:
+ hawk_source: "syslog.log"
+ zeek-tunnel:
+ product: zeek
+ service: tunnel
+ conditions:
+ hawk_source: "tunnel.log"
+ zeek-traceroute:
+ product: zeek
+ service: traceroute
+ conditions:
+ hawk_source: "traceroute.log"
+ zeek-weird:
+ product: zeek
+ service: weird
+ conditions:
+ hawk_source: "weird.log"
+ zeek-x509:
+ product: zeek
+ service: x509
+ conditions:
+ hawk_source: "x509.log"
+ zeek-ip_search:
+ product: zeek
+ service: network
+ conditions:
+ hawk_source:
+ - "conn.log"
+ - "conn_long.log"
+ - "dce_rpc.log"
+ - "dhcp.log"
+ - "dnp3.log"
+ - "dns.log"
+ - "ftp.log"
+ - "gquic.log"
+ - "http.log"
+ - "irc.log"
+ - "kerberos.log"
+ - "modbus.log"
+ - "mqtt_connect.log"
+ - "mqtt_publish.log"
+ - "mqtt_subscribe.log"
+ - "mysql.log"
+ - "ntlm.log"
+ - "ntp.log"
+ - "radius.log"
+ - "rfb.log"
+ - "sip.log"
+ - "smb_files.log"
+ - "smb_mapping.log"
+ - "smtp.log"
+ - "smtp_links.log"
+ - "snmp.log"
+ - "socks.log"
+ - "ssh.log"
+ - "tls.log" #SSL
+ - "tunnel.log"
+ - "weird.log"
 azure-signin:
 product: azure
 service: signinlogs
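Review bot: The `zeek-ocsp` entry sets `service: ntp` while its condition is `hawk_source: "ocsp.log"`, which looks like a copy-paste slip from the `zeek-ntp` entry directly above it; it should read `service: ocsp`. As written, no rule can select the OCSP log via `service: ocsp`, and any rule written for `service: ntp` will also be matched against `ocsp.log`, which is exactly the cross-log false-positive matching the commit title sets out to remove. `zeek-rdp` is also defined twice in this hunk (once before `zeek-conn`, again after `zeek-radius`) with identical bodies; duplicate mapping keys fail yamllint and are silently last-wins in most parsers, so one copy should be dropped. `dhcp.log` is listed under `zeek-ip_search` but has no dedicated `zeek-dhcp` logsource like every other log in that list, which may be intentional but is worth confirming. The enclosing `logsources:` mapping starts before this hunk and continues past it.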