Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat][suricata] Map x509 for suricata/eve fileset #20973

Merged
merged 2 commits into from
Sep 8, 2020
Merged

[Filebeat][suricata] Map x509 for suricata/eve fileset #20973

merged 2 commits into from
Sep 8, 2020

Conversation

marc-gr
Copy link
Contributor

@marc-gr marc-gr commented Sep 4, 2020
edited by andresrc
Loading

What does this PR do?

Maps new ecs x509 fields for suricata eve fileset.

I changed the sample test logs values for tls.issuer and tls.subject following the examples that are shown in https://suricata.readthedocs.io/en/suricata-4.1.4/output/eve/eve-json-format.html#event-type-tls.

LMK if the previous ones were also correct since I could not find any examples in suricata docs that followed that format.

Why is it important?

To keep our modules up to date with ecs 1.6

Checklist

- [ ] My code follows the style guidelines of this project
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] I have made corresponding change to the default configuration files

  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

@marc-gr marc-gr requested a review from a team September 4, 2020 06:44
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Sep 4, 2020
@marc-gr marc-gr force-pushed the suricata_eve_x509 branch 3 times, most recently from 9c05a0a to 0eb378f Compare September 4, 2020 07:00
@elasticmachine
Copy link
Collaborator

elasticmachine commented Sep 4, 2020
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #20973 updated]

  • Start Time: 2020-09-08T09:03:52.552+0000

  • Duration: 53 min 29 sec

Test stats 🧪

Test Results
Failed 0
Passed 2474
Skipped 388
Total 2862

leehinman
leehinman requested changes Sep 4, 2020
View reviewed changes
Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good. I think the if check is wrong on not_before.

x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
"tls.server.not_after": "2024-07-16T14:52:35",
"tls.server.not_before": "2019-07-17T14:52:35",
"tls.server.subject": "C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com",
"tls.server.not_after": "2024-07-16T14:52:35.000Z",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tls.server.not_before seems to be missing.

leehinman
leehinman approved these changes Sep 8, 2020
View reviewed changes
Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@marc-gr marc-gr merged commit 70d6bde into elastic:master Sep 8, 2020
@marc-gr marc-gr deleted the suricata_eve_x509 branch September 8, 2020 10:13
@marc-gr marc-gr mentioned this pull request Sep 8, 2020
Merged
2 tasks
@marc-gr marc-gr added the v7.10.0 label Sep 8, 2020
marc-gr added a commit to marc-gr/beats that referenced this pull request Sep 9, 2020
@marc-gr
[Filebeat][suricata] Map x509 for suricata/eve fileset (elastic#20973)
09eb206 
* Map x509 for suricata/eve fileset

* Fix not_before condition and bump ecs version

(cherry picked from commit 70d6bde)
marc-gr added a commit that referenced this pull request Sep 10, 2020
@marc-gr
[Filebeat][suricata] Map x509 for suricata/eve fileset (#20973) (#21018)
a914041 
* Map x509 for suricata/eve fileset

* Fix not_before condition and bump ecs version

(cherry picked from commit 70d6bde)
v1v added a commit to v1v/beats that referenced this pull request Sep 14, 2020
@v1v
Merge remote-tracking branch 'upstream/master' into feature/windows-10
cc07c42 
* upstream/master: (362 commits)
  Add vendoring to Google Cloud Functions again (elastic#21070)
  [Elastic Agent] Add fleet.host.id for sending to endpoint. (elastic#21042)
  Do not need Google credentials before using it (elastic#21072)
  [Filebeat][New Module] Zoom webhook module (elastic#20414)
  Add support for GMT timezone offset in decode_cef (elastic#20993)
  Filebeat: Fix random error on harvester close (elastic#21048)
  Add ingress controller dashboards (elastic#21052)
  Fix loggers in composable module. (elastic#21047)
  [Ingest Manager] Increase kibana client timeout to 5 minutes (elastic#21037)
  Add changelog. (elastic#21041)
  [Elastic Agent] Add support for EQL based conditions (elastic#20994)
  Disable Kafka metricsets based on Jolokia (elastic#20989)
  Update apm agent (elastic#21031)
  Add container ECS fields in kubernetes metadata (elastic#20984)
  Sanitize event.host in Metricbeat (elastic#21022)
  Update api-keys.asciidoc - API key prerequisites (elastic#21026)
  [Filebeat][suricata] Map x509 for suricata/eve fileset (elastic#20973)
  [Filebeat][santa] Map x509 fields in santa module (elastic#20976)
  [Filebeat][fortinet] Map x509 ecs fields for fortinet fw fileset (elastic#20983)
  Bump zeek kerberos/ssl/x509 ecs version (elastic#21003)
  ...
v1v added a commit to v1v/beats that referenced this pull request Sep 14, 2020
@v1v
Merge remote-tracking branch 'upstream/master' into feature/windows-7-64
fcc41b4 
* upstream/master: (364 commits)
  Add vendoring to Google Cloud Functions again (elastic#21070)
  [Elastic Agent] Add fleet.host.id for sending to endpoint. (elastic#21042)
  Do not need Google credentials before using it (elastic#21072)
  [Filebeat][New Module] Zoom webhook module (elastic#20414)
  Add support for GMT timezone offset in decode_cef (elastic#20993)
  Filebeat: Fix random error on harvester close (elastic#21048)
  Add ingress controller dashboards (elastic#21052)
  Fix loggers in composable module. (elastic#21047)
  [Ingest Manager] Increase kibana client timeout to 5 minutes (elastic#21037)
  Add changelog. (elastic#21041)
  [Elastic Agent] Add support for EQL based conditions (elastic#20994)
  Disable Kafka metricsets based on Jolokia (elastic#20989)
  Update apm agent (elastic#21031)
  Add container ECS fields in kubernetes metadata (elastic#20984)
  Sanitize event.host in Metricbeat (elastic#21022)
  Update api-keys.asciidoc - API key prerequisites (elastic#21026)
  [Filebeat][suricata] Map x509 for suricata/eve fileset (elastic#20973)
  [Filebeat][santa] Map x509 fields in santa module (elastic#20976)
  [Filebeat][fortinet] Map x509 ecs fields for fortinet fw fileset (elastic#20983)
  Bump zeek kerberos/ssl/x509 ecs version (elastic#21003)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leehinman leehinman leehinman approved these changes

Assignees
No one assigned
Labels
ecs enhancement Filebeat Filebeat review v7.10.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@marc-gr @elasticmachine @leehinman