Skip to content

Commit

Permalink
Don't set dns.resolved_ip with invalid IP addresses (#18436) (#18468)
Browse files Browse the repository at this point in the history
Sometimes the DNS IP addresses from Sysmon in `winlog.event_data.QueryResults` are truncated.
The leads to mapping exceptions since the value is not of type `ip` in Elasticsearch.

To fix this the module will now filter any results that are not valid IP addresses.

Fixes #18432

(cherry picked from commit ecd0f72)
  • Loading branch information
andrewkroh authored May 13, 2020
1 parent 9ef3f83 commit 5fd3577
Show file tree
Hide file tree
Showing 3 changed files with 14 additions and 15 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -231,6 +231,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

*Winlogbeat*

- Fix invalid IP addresses in DNS query results from Sysmon data. {issue}18432[18432] {pull}18436{18436}

*Functionbeat*

Expand Down
21 changes: 12 additions & 9 deletions x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ var sysmon = (function () {
var path = require("path");
var processor = require("processor");
var winlogbeat = require("winlogbeat");
var net = require("net");

// Windows error codes for DNS. This list was generated using
// 'go run gen_dns_error_codes.go'.
Expand Down Expand Up @@ -432,17 +433,19 @@ var sysmon = (function () {
} else {
// Convert V4MAPPED addresses.
answer = answer.replace("::ffff:", "");
ips.push(answer);
if (net.isIP(answer)) {
ips.push(answer);

// Synthesize record type based on IP address type.
var type = "A";
if (answer.indexOf(":") !== -1) {
type = "AAAA";
// Synthesize record type based on IP address type.
var type = "A";
if (answer.indexOf(":") !== -1) {
type = "AAAA";
}
answers.push({
type: type,
data: answer,
});
}
answers.push({
type: type,
data: answer,
});
}
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13341,10 +13341,6 @@
{
"data": "2001:502:7094::30",
"type": "AAAA"
},
{
"data": "192.5",
"type": "A"
}
],
"question": {
Expand Down Expand Up @@ -13403,8 +13399,7 @@
"192.43.172.30",
"2001:503:39c1::30",
"192.48.79.30",
"2001:502:7094::30",
"192.5"
"2001:502:7094::30"
]
},
"event": {
Expand Down

0 comments on commit 5fd3577

Please sign in to comment.