
Populate more ECS fields in the Suricata module #10006

Merged 17 commits on Jan 22, 2019

Commits on Jan 22, 2019

  1. Populate more ECS fields in the Suricata module

    A few more ECS fields are populated by the ingest pipeline that enriches
    Suricata's eve.json events.
    
    Additions:
    
    - http.request.referrer (from suricata.eve.http.http_refer)
    
    - event.action (from suricata.eve.alert.category)
      describes the action that caused the event.
      Examples: "Attempted Denial of Service", "Successful Administrator Privilege Gain"
    
    - event.outcome (from suricata.eve.alert.action)
      Possible values: "allowed", "blocked"
    
    - event.severity (from suricata.eve.alert.severity)
      Possible values: 1, 2 or 3.
    
    - network.transport (from suricata.eve.proto)
      Examples: "tcp", "udp", "ipv6-icmp"
    adriansr committed Jan 22, 2019 (cb46da8)
  2. Use message for suricata.eve.alert.category

    Instead of event.action, which is expected to have a fixed set of
    enumeration values.
    adriansr committed Jan 22, 2019 (7d3a2d6)
  3. Populate destination.domain

    When http.hostname is present.
    adriansr committed Jan 22, 2019 (0085424)
  4. 30a7fe2
  5. populate network.protocol

    adriansr committed Jan 22, 2019 (4a6c6a7)
  6. url.hostname is url.domain

    adriansr committed Jan 22, 2019 (4cbea47)
  7. Populate url.path, url.fragment, url.query

    From http.url
    adriansr committed Jan 22, 2019 (2b5dac5)
  8. 9058280
  9. Source/Destination and aggregated counters

    This assumes client=source server=destination.
    
    Populates
    - source.{packets|bytes}
    - destination.{packets|bytes}
    - network.{packets|bytes}
    adriansr committed Jan 22, 2019 (b0f163e)
  10. Updated golden files

    adriansr committed Jan 22, 2019 (5dd36d0)
  11. dd802e2
  12. Use grok pattern to parse url fields

    Replace ugly painless code.
    adriansr committed Jan 22, 2019 (1643e1b)
  13. Avoid pairs of convert/lowercase

    Lowercase processor can have a target field so it's not necessary to copy
    the field in a previous step.
    adriansr committed Jan 22, 2019 (3dfeb44)
  14. Cleanup painless script

    adriansr committed Jan 22, 2019 (6ba3199)
  15. Fix golden data

    adriansr committed Jan 22, 2019 (c114f83)
  16. Fix golden data (2)

    adriansr committed Jan 22, 2019 (5fed5a9)
  17. af68418
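The commit messages above (commits 1, 2, 3, 5, 7, 9, 12 and 13) together describe one enrichment: take a Suricata eve.json alert and derive ECS fields from it. The following is an added example, not the Filebeat module's own ingest pipeline (which is Elasticsearch ingest-processor JSON using grok and lowercase processors); it reproduces the same field mappings in Python so the logic can be run and checked offline. The sample event is constructed. Assumptions not stated in the commits: network.protocol is taken from eve.json's app_proto field, url.domain is taken from http.hostname, the counters come from Suricata's flow.pkts_toserver / pkts_toclient / bytes_toserver / bytes_toclient, and url.query and url.fragment are stored without their leading "?" and "#" (urlsplit semantics, which may differ from the module's grok pattern). ECS fields are returned as a flat dict with dotted names.

```python
from urllib.parse import urlsplit

# Constructed sample eve.json alert event (not captured from a real sensor).
SAMPLE_EVENT = {
    "timestamp": "2019-01-22T10:00:00.000000+0000",
    "event_type": "alert",
    "src_ip": "10.0.0.5", "src_port": 51234,
    "dest_ip": "192.0.2.10", "dest_port": 80,
    "proto": "TCP",                      # Suricata emits upper case; ECS wants "tcp"
    "app_proto": "http",                 # assumed source for network.protocol
    "alert": {
        "action": "allowed",
        "category": "Attempted Denial of Service",
        "severity": 2,
    },
    "http": {
        "hostname": "example.com",
        "url": "/index.php?id=7#top",
        "http_refer": "http://example.com/",
    },
    "flow": {                            # assumed source for the counters
        "pkts_toserver": 12, "pkts_toclient": 9,
        "bytes_toserver": 1500, "bytes_toclient": 4200,
    },
}


def _put(ecs, key, value):
    """Set a dotted ECS field only when the eve.json source value is present."""
    if value is not None and value != "":
        ecs[key] = value


def enrich(eve):
    """Return the ECS fields derived from one eve.json event (flat, dotted keys).

    Missing source fields are skipped rather than producing empty ECS fields,
    so non-alert records (e.g. plain flow events) only get what applies to them.
    """
    ecs = {}
    alert = eve.get("alert") or {}
    http = eve.get("http") or {}
    flow = eve.get("flow") or {}

    # Commits 1 and 2: alert category goes to message (not event.action, which
    # ECS reserves for a fixed enumeration); action -> event.outcome.
    _put(ecs, "message", alert.get("category"))
    _put(ecs, "event.outcome", alert.get("action"))
    severity = alert.get("severity")
    if severity is not None:
        try:
            ecs["event.severity"] = int(severity)   # commit 13: convert in one step
        except (TypeError, ValueError):
            pass                                    # leave unparsable severity unset

    # Commits 1 and 13: lower-case straight into the target field.
    proto = eve.get("proto")
    if isinstance(proto, str) and proto:
        ecs["network.transport"] = proto.lower()    # "IPv6-ICMP" -> "ipv6-icmp"

    # Commit 5 (assumption: eve.json app_proto is the source field).
    _put(ecs, "network.protocol", eve.get("app_proto"))

    # Commit 1: referrer header.
    _put(ecs, "http.request.referrer", http.get("http_refer"))

    # Commits 3 and 6: the HTTP Host header feeds destination.domain and url.domain.
    _put(ecs, "destination.domain", http.get("hostname"))
    _put(ecs, "url.domain", http.get("hostname"))

    # Commits 7 and 12: split http.url into path, query and fragment.
    url = http.get("url")
    if isinstance(url, str) and url:
        parts = urlsplit(url)
        _put(ecs, "url.path", parts.path)
        _put(ecs, "url.query", parts.query)         # without the leading "?"
        _put(ecs, "url.fragment", parts.fragment)   # without the leading "#"

    # Commit 9: client=source, server=destination; network.* is the sum.
    counters = {"packets": "pkts", "bytes": "bytes"}
    for unit, eve_prefix in counters.items():
        src = flow.get(f"{eve_prefix}_toserver")
        dst = flow.get(f"{eve_prefix}_toclient")
        if isinstance(src, int):
            ecs[f"source.{unit}"] = src
        if isinstance(dst, int):
            ecs[f"destination.{unit}"] = dst
        present = [v for v in (src, dst) if isinstance(v, int)]
        if present:
            ecs[f"network.{unit}"] = sum(present)
    return ecs


if __name__ == "__main__":
    for key, value in sorted(enrich(SAMPLE_EVENT).items()):
        print(f"{key}: {value}")
```

Because every mapping is guarded on the source field being present, the same function can be run over a mixed eve.json stream (alerts, flow records, DNS) and only emits the ECS fields that apply to each record.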