cisagov#750, update to zeek v8.0.0

mmguero · mmguero · commit 67a1fd8cbce2 · 2025-08-19T20:29:13.000Z
diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini
@@ -2572,7 +2572,9 @@ zeek.rdp.encryption_method=db:zeek.rdp.encryption_method;group:zeek_rdp;kind:ter
 
 # redis.log
 # https://docs.zeek.org/en/v8.0.0/scripts/base/protocols/redis/main.zeek.html#type-Redis::Info
-zeek.redis.cmd=db:zeek.redis.cmd;group:zeek_redis;kind:termfield;viewerOnly:true;friendly:Command;help:Command
+zeek.redis.cmd_name=db:zeek.redis.cmd_name;group:zeek_redis;kind:termfield;viewerOnly:true;friendly:Command Name;help:Command Name
+zeek.redis.cmd_key=db:zeek.redis.cmd_key;group:zeek_redis;kind:termfield;viewerOnly:true;friendly:Command Key;help:Command Key
+zeek.redis.cmd_value=db:zeek.redis.cmd_value;group:zeek_redis;kind:termfield;viewerOnly:true;friendly:Command Value;help:Command Value
 zeek.redis.success=db:zeek.redis.success;group:zeek_redis;kind:termfield;viewerOnly:true;friendly:Success;help:Success
 zeek.redis.reply=db:zeek.redis.reply;group:zeek_redis;kind:termfield;viewerOnly:true;friendly:Reply;help:Reply
 
diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
@@ -2733,7 +2733,9 @@ class MalcolmSource extends WISESource {
       "zeek.rdp.requested_color_depth",
       "zeek.rdp.result",
       "zeek.rdp.security_protocol",
-      "zeek.redis.cmd",
+      "zeek.redis.cmd_name",
+      "zeek.redis.cmd_key",
+      "zeek.redis.cmd_value",
       "zeek.redis.success",
       "zeek.redis.reply",
       "zeek.rfb.auth",
diff --git a/dashboards/templates/composable/component/zeek.json b/dashboards/templates/composable/component/zeek.json
@@ -1415,9 +1415,21 @@
             },
             "redis": {
               "properties": {
-                "cmd": {
+                "cmd_name": {
+                  "type": "keyword"
+                },
+                "cmd_key": {
                   "type": "keyword"
                 },
+                "cmd_value": {
+                  "type": "keyword",
+                  "ignore_above": 1024,
+                  "fields": {
+                    "text": {
+                      "type": "text"
+                    }
+                  }
+                },
                 "success": {
                   "type": "keyword"
                 },
diff --git a/docs/protocols.md b/docs/protocols.md
@@ -38,6 +38,7 @@ Malcolm uses [Zeek](https://docs.zeek.org/en/stable/script-reference/proto-analy
 |PostgreSQL|[🔗](https://en.wikipedia.org/wiki/PostgreSQL)|[🔗](https://www.postgresql.org/)|[✓](https://github.com/arkime/arkime/blob/master/capture/parsers/postgresql.c)|[✓](https://docs.zeek.org/en/master/scripts/base/protocols/postgresql/main.zeek.html)|
 |Process Field Net (PROFINET)|[🔗](https://en.wikipedia.org/wiki/PROFINET)|[🔗](https://us.profinet.com/technology/profinet/)||[✓](https://github.com/amzn/zeek-plugin-profinet/blob/master/scripts/main.zeek)|
 |PROFINET IO CM (Input/Output Context Manager)|[🔗](https://wiki.wireshark.org/PROFINET/IO)|[🔗](https://us.profinet.com/technology/profinet/)[🔗](https://webstore.iec.ch/publication/83418)||[✓](https://github.com/cisagov/icsnpp-profinet-io-cm/blob/main/analyzer/types.zeek)|
+|Redis|[🔗](https://en.wikipedia.org/wiki/Redis)|[🔗](https://redis.io/docs/latest/develop/reference/protocol-spec/)||[✓](https://docs.zeek.org/en/current/scripts/base/protocols/redis/main.zeek.html#type-Redis::Info)|
 |Remote Authentication Dial-In User Service (RADIUS)|[🔗](https://en.wikipedia.org/wiki/RADIUS)|[🔗](https://tools.ietf.org/html/rfc2865)|[✓](https://github.com/arkime/arkime/blob/master/capture/parsers/radius.c)|[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/radius/main.zeek.html#type-RADIUS::Info)|
 |Remote Desktop Protocol (RDP)|[🔗](https://en.wikipedia.org/wiki/Remote_Desktop_Protocol)|[🔗](https://docs.microsoft.com/en-us/windows/win32/termserv/remote-desktop-protocol?redirectedfrom=MSDN)||[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/rdp/main.zeek.html#type-RDP::Info)|
 |Remote Framebuffer (RFB)|[🔗](https://en.wikipedia.org/wiki/RFB_protocol)|[🔗](https://tools.ietf.org/html/rfc6143)||[✓](https://docs.zeek.org/en/stable/scripts/base/protocols/rfb/main.zeek.html#type-RFB::Info)|
diff --git a/logstash/pipelines/zeek/1173_zeek_redis.conf b/logstash/pipelines/zeek/1173_zeek_redis.conf
@@ -8,12 +8,11 @@ filter {
     #############################################################################################################################
     # redis.log
     # https://docs.zeek.org/en/current/scripts/base/protocols/redis/main.zeek.html#type-Redis::Info
-
     if ("_jsonparsesuccess" not in [tags]) {
       dissect {
         id => "dissect_zeek_redis"
         mapping => {
-          "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cmd]} %{[zeek_cols][success]} %{[zeek_cols][reply]}"
+          "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cmd_name]} %{[zeek_cols][cmd_key]} %{[zeek_cols][cmd_value]} %{[zeek_cols][success]} %{[zeek_cols][reply]}"
         }
       }
       if ("_dissectfailure" in [tags]) {
@@ -23,7 +22,7 @@ filter {
         }
         ruby {
           id => "ruby_zip_zeek_redis"
-          init => "@zeek_redis_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cmd', 'success', 'reply' ]"
+          init => "@zeek_redis_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cmd_name', 'cmd_key', 'cmd_value', 'success', 'reply' ]"
           code => "event.set('[zeek_cols]', @zeek_redis_field_names.zip(event.get('[message]')).to_h)"
         }
       }
diff --git a/logstash/pipelines/zeek/1300_zeek_normalize.conf b/logstash/pipelines/zeek/1300_zeek_normalize.conf
@@ -670,6 +670,9 @@ filter {
   if ([zeek][profinet_io_cm][operation])         { mutate { id => "mutate_merge_normalize_zeek_profinet_io_cm_operation"
                                                             merge => { "[event][action]" => "[zeek][profinet_io_cm][operation]" } } }
 
+  if ([zeek][redis][cmd_name])         { mutate { id => "mutate_merge_normalize_zeek_redis_cmd_name_action"
+                                                  merge => { "[event][action]" => "[zeek][redis][cmd_name]" } } }
+
   if ([zeek][rfb][auth]) and ([zeek][rfb][authentication_method]) {
     # if authentication was attempted, assign an "authenticate" action
     mutate { id => "mutate_add_field_zeek_rfb_auth_action"
@@ -1301,6 +1304,23 @@ filter {
   if ([zeek][rdp][result]) { mutate { id => "mutate_merge_normalize_zeek_rdp_result"
                                             merge => { "[event][result]" => "[zeek][rdp][result]" } } }
 
+
+  if ([zeek][redis]) {
+    # result populated from success and reply
+    if ([zeek][redis][success] == 'T') {
+      mutate { id => "mutate_add_field_zeek_zeek_redis_success"
+               add_field => { "[@metadata][zeek_redis_result]" => "Success" } }
+    } else if ([zeek][redis][reply]) {
+      mutate { id => "mutate_add_field_zeek_zeek_redis_reply"
+               add_field => { "[@metadata][zeek_redis_result]" => "%{[zeek][redis][reply]}" } }
+    } else {
+      mutate { id => "mutate_add_field_zeek_zeek_redis_failure"
+               add_field => { "[@metadata][zeek_redis_result]" => "Failure" } }
+    }
+    mutate { id => "mutate_merge_zeek_redis_result"
+             merge => { "[event][result]" => "[@metadata][zeek_redis_result]" } }
+  }
+
   if ([zeek][roc_plus][error_code]) { mutate { id => "mutate_merge_normalize_roc_plus_error_code_result"
                                                merge => { "[event][result]" => "[zeek][roc_plus][error_code]" } } }
 

Original file line number	Diff line number	Diff line change
`@@ -8,12 +8,11 @@ filter {`
`8`	`8`	`#############################################################################################################################`
`9`	`9`	`# redis.log`
`10`	`10`	`# https://docs.zeek.org/en/current/scripts/base/protocols/redis/main.zeek.html#type-Redis::Info`
`11`		`-`
`12`	`11`	`if ("_jsonparsesuccess" not in [tags]) {`
`13`	`12`	`dissect {`
`14`	`13`	`id => "dissect_zeek_redis"`
`15`	`14`	`mapping => {`
`16`		`- "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cmd]} %{[zeek_cols][success]} %{[zeek_cols][reply]}"`
	`15`	`+ "[message]" => "%{[zeek_cols][ts]} %{[zeek_cols][uid]} %{[zeek_cols][orig_h]} %{[zeek_cols][orig_p]} %{[zeek_cols][resp_h]} %{[zeek_cols][resp_p]} %{[zeek_cols][cmd_name]} %{[zeek_cols][cmd_key]} %{[zeek_cols][cmd_value]} %{[zeek_cols][success]} %{[zeek_cols][reply]}"`
`17`	`16`	`}`
`18`	`17`	`}`
`19`	`18`	`if ("_dissectfailure" in [tags]) {`
`@@ -23,7 +22,7 @@ filter {`
`23`	`22`	`}`
`24`	`23`	`ruby {`
`25`	`24`	`id => "ruby_zip_zeek_redis"`
`26`		`- init => "@zeek_redis_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cmd', 'success', 'reply' ]"`
	`25`	`+ init => "@zeek_redis_field_names = [ 'ts', 'uid', 'orig_h', 'orig_p', 'resp_h', 'resp_p', 'cmd_name', 'cmd_key', 'cmd_value', 'success', 'reply' ]"`
`27`	`26`	`code => "event.set('[zeek_cols]', @zeek_redis_field_names.zip(event.get('[message]')).to_h)"`
`28`	`27`	`}`
`29`	`28`	`}`