Update TLS protocol to use ECS fields (#9980)

* Update TLS protocol to use ECS fields That dashboards were updated too. There weren't many changes needed w.r.t. fields but I did update the visualizations and saved searches to include `[Packetbeat]` in their names. I added a python test case for TLS and discovered a few fields that were not documented so I updated the fields docs accordingly. Here's a summary of what fields changed. Part of #7968 Changed - responsetime -> event.duration (unit are now nanoseconds) Added - event.dataset = tls - event.end - event.start - network.community_id - network.protocol = tls - network.type - source.domain (added if there's a SNI value) Unchanged Packetbeat Fields - status - type = http (we might remove this since we have event.dataset) * Update TLS Session Resume to remove xxx-nope
elastic · Jan 14, 2019 · c956b80 · c956b80
1 parent cacf231
commit c956b80
Show file tree

Hide file tree

Showing 19 changed files with 2,080 additions and 1,648 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -52,6 +52,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
   - `http.response.body` moves to `http.response.body.content`
 - Changed DNS protocol fields to align with ECS. {pull}9941[9941]
 - Removed trailing dot from domain names reported by the DNS protocol. {pull}9941[9941]
+- Changed TLS protocol fields to align with ECS. {pull}9980[9980]
 
 *Winlogbeat*
 

diff --git a/packetbeat/_meta/beat.docker.yml b/packetbeat/_meta/beat.docker.yml
@@ -33,3 +33,6 @@ packetbeat.protocols.mongodb:
 packetbeat.protocols.cassandra:
   ports: [9042]
 
+packetbeat.protocols.tls:
+  ports: [443, 993, 995, 5223, 8443, 8883, 9243]
+
diff --git a/packetbeat/_meta/beat.reference.yml b/packetbeat/_meta/beat.reference.yml
@@ -444,7 +444,14 @@ packetbeat.protocols:
 
   # Configure the ports where to listen for TLS traffic. You can disable
   # the TLS protocol by commenting out the list of ports.
-  ports: [443]
+  ports:
+    - 443   # HTTPS
+    - 993   # IMAPS
+    - 995   # POP3S
+    - 5223  # XMPP over SSL
+    - 8443
+    - 8883  # Secure MQTT
+    - 9243  # Elasticsearch
 
   # List of hash algorithms to use to calculate certificates' fingerprints.
   # Valid values are `sha1`, `sha256` and `md5`.

diff --git a/packetbeat/_meta/beat.yml b/packetbeat/_meta/beat.yml
@@ -100,7 +100,14 @@ packetbeat.protocols:
 - type: tls
   # Configure the ports where to listen for TLS traffic. You can disable
   # the TLS protocol by commenting out the list of ports.
-  ports: [443]
+  ports:
+    - 443   # HTTPS
+    - 993   # IMAPS
+    - 995   # POP3S
+    - 5223  # XMPP over SSL
+    - 8443
+    - 8883  # Secure MQTT
+    - 9243  # Elasticsearch
 
 #==================== Elasticsearch template setting ==========================