Fix tls mapping in suricata module #19494
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
leehinman
added
bug
Filebeat
|
Pinging @elastic/siem (Team:SIEM) |
botelastic
bot
added
needs_team
leehinman
force-pushed
the
leh_suricata_sdh
branch
from
d3b82ca
to
f44cada
Compare
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
|
andrewkroh
approved these changes
Jun 29, 2020
| - {from: suricata.eve.tls.chain, to: tls.server.certificate_chain} | ||
| - convert: | ||
| ignore_missing: true | ||
| ignore_failure: true |
There was a problem hiding this comment.
Suggested change
| ignore_failure: true | |
| fail_on_error: false |
| @@ -1,5 +1,6 @@ | |||
| - name: eve | |||
| type: group | |||
| default_field: false | |||
There was a problem hiding this comment.
To avoid changing the behavior for the existing fields can you mark this on the two new field groups instead.
leehinman
force-pushed
the
leh_suricata_sdh
branch
2 times, most recently
from
6f27ebc
to
00956eb
Compare
- add suricata.eve.tls.ja3s.string field - add suricata.eve.tls.ja3s.hash field - add suricata.eve.tls.ja3.string field - add suricata.eve.tls.ja3.hash field - set default_field to false for suricata fields - map suricata.eve.tls.ja3.hash to tls.client.ja3 - map suricata.eve.tls.ja3s.hash to tls.server.ja3s - perform suricata.eve.tls.* -> tls.* mappings for all event types Closes elastic#19492
leehinman
force-pushed
the
leh_suricata_sdh
branch
from
caec153
to
ff025dc
Compare
|
run tests |
4 tasks
leehinman
added
v7.7.2
and removed
needs_backport
4 tasks
4 tasks
leehinman
added a commit
to leehinman/beats
that referenced
this pull request
Jul 2, 2020
* Fix tls mapping in suricata module - add suricata.eve.tls.ja3s.string field - add suricata.eve.tls.ja3s.hash field - add suricata.eve.tls.ja3.string field - add suricata.eve.tls.ja3.hash field - set default_field to false for ja3 & ja3s fields - map suricata.eve.tls.ja3.hash to tls.client.ja3 - map suricata.eve.tls.ja3s.hash to tls.server.ja3s - perform suricata.eve.tls.* -> tls.* mappings for all event types Closes elastic#19492 (cherry picked from commit afffe2b)
leehinman
added a commit
that referenced
this pull request
Jul 2, 2020
* Fix tls mapping in suricata module - add suricata.eve.tls.ja3s.string field - add suricata.eve.tls.ja3s.hash field - add suricata.eve.tls.ja3.string field - add suricata.eve.tls.ja3.hash field - set default_field to false for ja3 & ja3s fields - map suricata.eve.tls.ja3.hash to tls.client.ja3 - map suricata.eve.tls.ja3s.hash to tls.server.ja3s - perform suricata.eve.tls.* -> tls.* mappings for all event types Closes #19492 (cherry picked from commit afffe2b)
leehinman
added a commit
to leehinman/beats
that referenced
this pull request
Jul 2, 2020
* Fix tls mapping in suricata module - add suricata.eve.tls.ja3s.string field - add suricata.eve.tls.ja3s.hash field - add suricata.eve.tls.ja3.string field - add suricata.eve.tls.ja3.hash field - set default_field to false for ja3 & ja3s fields - map suricata.eve.tls.ja3.hash to tls.client.ja3 - map suricata.eve.tls.ja3s.hash to tls.server.ja3s - perform suricata.eve.tls.* -> tls.* mappings for all event types Closes elastic#19492 (cherry picked from commit afffe2b)
v1v
added a commit
to v1v/beats
that referenced
this pull request
Jul 3, 2020
…ne-beats * upstream/master: (35 commits) [ci] fix env variable name for xpack filebeats (elastic#19617) Cache error responses for cloudfoundry apps metadata (elastic#19181) ci: user fixed type of agent (elastic#19625) Input v2 cursor testing (elastic#19573) Update Jenkinsfile to not inspect removed vendor (elastic#19610) Fix ordering and duplicate configs on autodiscover (elastic#19317) Prepare input/file for changes in the registrar (elastic#19516) Cursor input and manager implementation (elastic#19571) [Filebeat] Fix tls mapping in suricata module (elastic#19494) [Ingest Manager] Make Agent beta and Constraints experimental (elastic#19586) Accept prefix as metric_types for stackdriver metricset in GCP (elastic#19345) Implement memlog store operations (elastic#19533) introduce journalbeat/pkg in order to provide reusable shared code (elastic#19581) Add descriptions to HAProxy fields in Metricbeat (elastic#19561) ci: apm-server-update trigered only on upstream, comments, and manual triggered (elastic#19590) ci: enable upstream triggering on the packaging job (elastic#19589) ci: some jjbb improvements (elastic#19588) [MetricBeat] set tags correctly if the dimension value is ARN (elastic#19433) [Filebeat] Add default_fields: false to fields.yml in aws module (elastic#19568) Add publisher implementation for stateful inputs (elastic#19530) ...
leehinman
added a commit
to leehinman/beats
that referenced
this pull request
Jul 6, 2020
* Fix tls mapping in suricata module - add suricata.eve.tls.ja3s.string field - add suricata.eve.tls.ja3s.hash field - add suricata.eve.tls.ja3.string field - add suricata.eve.tls.ja3.hash field - set default_field to false for ja3 & ja3s fields - map suricata.eve.tls.ja3.hash to tls.client.ja3 - map suricata.eve.tls.ja3s.hash to tls.server.ja3s - perform suricata.eve.tls.* -> tls.* mappings for all event types Closes elastic#19492 (cherry picked from commit afffe2b)
leehinman
added a commit
that referenced
this pull request
Jul 6, 2020
* Fix tls mapping in suricata module - add suricata.eve.tls.ja3s.string field - add suricata.eve.tls.ja3s.hash field - add suricata.eve.tls.ja3.string field - add suricata.eve.tls.ja3.hash field - set default_field to false for ja3 & ja3s fields - map suricata.eve.tls.ja3.hash to tls.client.ja3 - map suricata.eve.tls.ja3s.hash to tls.server.ja3s - perform suricata.eve.tls.* -> tls.* mappings for all event types Closes #19492 (cherry picked from commit afffe2b)
leehinman
added a commit
that referenced
this pull request
Jul 6, 2020
* Fix tls mapping in suricata module - add suricata.eve.tls.ja3s.string field - add suricata.eve.tls.ja3s.hash field - add suricata.eve.tls.ja3.string field - add suricata.eve.tls.ja3.hash field - set default_field to false for ja3 & ja3s fields - map suricata.eve.tls.ja3.hash to tls.client.ja3 - map suricata.eve.tls.ja3s.hash to tls.server.ja3s - perform suricata.eve.tls.* -> tls.* mappings for all event types Closes #19492 (cherry picked from commit afffe2b)
melchiormoulin
pushed a commit
to melchiormoulin/beats
that referenced
this pull request
Oct 14, 2020
* Fix tls mapping in suricata module - add suricata.eve.tls.ja3s.string field - add suricata.eve.tls.ja3s.hash field - add suricata.eve.tls.ja3.string field - add suricata.eve.tls.ja3.hash field - set default_field to false for ja3 & ja3s fields - map suricata.eve.tls.ja3.hash to tls.client.ja3 - map suricata.eve.tls.ja3s.hash to tls.server.ja3s - perform suricata.eve.tls.* -> tls.* mappings for all event types Closes elastic#19492
leweafan
pushed a commit
to leweafan/beats
that referenced
this pull request
Apr 28, 2023
…c#19607) * Fix tls mapping in suricata module - add suricata.eve.tls.ja3s.string field - add suricata.eve.tls.ja3s.hash field - add suricata.eve.tls.ja3.string field - add suricata.eve.tls.ja3.hash field - set default_field to false for ja3 & ja3s fields - map suricata.eve.tls.ja3.hash to tls.client.ja3 - map suricata.eve.tls.ja3s.hash to tls.server.ja3s - perform suricata.eve.tls.* -> tls.* mappings for all event types Closes elastic#19492 (cherry picked from commit 362016d)
leweafan
pushed a commit
to leweafan/beats
that referenced
this pull request
Apr 28, 2023
…c#19608) * Fix tls mapping in suricata module - add suricata.eve.tls.ja3s.string field - add suricata.eve.tls.ja3s.hash field - add suricata.eve.tls.ja3.string field - add suricata.eve.tls.ja3.hash field - set default_field to false for ja3 & ja3s fields - map suricata.eve.tls.ja3.hash to tls.client.ja3 - map suricata.eve.tls.ja3s.hash to tls.server.ja3s - perform suricata.eve.tls.* -> tls.* mappings for all event types Closes elastic#19492 (cherry picked from commit 362016d)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Fixes tls mappings in suricata module. Specifically:
Why is it important?
the TLS tab in the SIEM
Checklist
- [ ] I have commented my code, particularly in hard-to-understand areas- [ ] I have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.How to test this PR locally
Related issues