From 3705d1e22eb5f20786ebb476b1d5538959176aac Mon Sep 17 00:00:00 2001
From: MarcWort <113890636+MarcWort@users.noreply.github.com>
Date: Tue, 16 Jul 2024 15:20:08 +0200
Subject: [PATCH 1/3] fix: Allow use of valid Port 0 Port 0 is a normal but reserved port. See: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml or RFC6335 Section 6
---
 CHANGELOG.next.asciidoc | 1 +
 libbeat/processors/communityid/communityid.go | 4 ++--
 libbeat/processors/communityid/communityid_test.go | 12 ++++++------
 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 83026eeb964..0d92c3f66c7 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -46,6 +46,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Fix high IO and handling of a corrupted registry log file. {pull}35893[35893]
 - Filebeat, when running with Elastic-Agent, reports status for Filestream input. {pull}40121[40121]
 - Implement Elastic Agent status and health reporting for Winlog Filebeat input. {pull}40163[40163]
+- Fix the parsing of port 0
 *Heartbeat*
diff --git a/libbeat/processors/communityid/communityid.go b/libbeat/processors/communityid/communityid.go
index 9490b041428..e2db51935a0 100644
--- a/libbeat/processors/communityid/communityid.go
+++ b/libbeat/processors/communityid/communityid.go
@@ -153,7 +153,7 @@ func (p *processor) buildFlow(event *beat.Event) *flowhash.Flow {
 return nil
 }
 sp, ok := tryToUint(v)
- if !ok || sp < 1 || sp > 65535 {
+ if !ok || sp > 65535 {
 return nil
 }
 flow.SourcePort = uint16(sp)
@@ -164,7 +164,7 @@ func (p *processor) buildFlow(event *beat.Event) *flowhash.Flow {
 return nil
 }
 dp, ok := tryToUint(v)
- if !ok || dp < 1 || dp > 65535 {
+ if !ok || dp > 65535 {
 return nil
 }
 flow.DestinationPort = uint16(dp)
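Review bot: With `sp < 1` dropped from the source-port guard, and `dp < 1` from the destination-port guard in the following hunk, nothing in the code records that accepting 0 is deliberate, and the only remaining bound is the bare literal `65535`. A comment above each check, for example `// Port 0 is reserved (RFC 6335 section 6) but can appear on the wire, so only the upper bound is enforced.`, would keep a later reader from restoring the lower bound. Rejection of negative inputs now rests entirely on the `ok` result of `tryToUint`, whose body is not in these hunks, so that behaviour is worth confirming before relying on it. buildFlow itself starts and ends outside both hunks.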
diff --git a/libbeat/processors/communityid/communityid_test.go b/libbeat/processors/communityid/communityid_test.go
index e84eb50bdae..da6fdfd4aff 100644
--- a/libbeat/processors/communityid/communityid_test.go
+++ b/libbeat/processors/communityid/communityid_test.go
@@ -67,12 +67,6 @@ func TestRun(t *testing.T) {
 testProcessor(t, 0, e, nil)
 })
- t.Run("invalid source port", func(t *testing.T) {
- e := evt()
- e.Put("source.port", 0)
- testProcessor(t, 0, e, nil)
- })
-
 t.Run("invalid source port1", func(t *testing.T) {
 e := evt()
 e.Put("source.port", 123456)
@@ -142,6 +136,12 @@ func TestRun(t *testing.T) {
 testProcessor(t, 0, e, "1:D3t8Q1aFA6Ev0A/AO4i9PnU3AeI=")
 })
+ t.Run("valid source port 0", func(t *testing.T) {
+ e := evt()
+ e.Put("source.port", 0)
+ testProcessor(t, 0, e, "1:yrNkRN7VyfVz1Wh12tjRHhxERxM=")
+ })
+
 t.Run("iana number", func(t *testing.T) {
 e := evt()
 e.Delete("network.transport")
From 99f07ea740ff11c9a6015e967efbf3a8849b7c01 Mon Sep 17 00:00:00 2001
From: Denis
Date: Thu, 1 Aug 2024 14:25:39 +0200
Subject: [PATCH 2/3] Improve the changelog entry
---
 CHANGELOG.next.asciidoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index dfd68086b9e..b1679273563 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -51,7 +51,6 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Implement Elastic Agent status and health reporting for Winlog Filebeat input. {pull}40163[40163]
 - Fix filestream's registry GC: registry entries will never be removed if clean_inactive is set to "-1". {pull}40258[40258]
 - Added `ignore_empty_values` flag in `decode_cef` Filebeat processor. {pull}40268[40268]
-- Fix the parsing of port 0
 *Heartbeat*
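Review bot: The added `valid source port 0` case pins only the accepted value; with the lower-bound check gone from buildFlow, no case visible in these hunks covers a negative port, which now depends entirely on `tryToUint`. If TestRun does not already have one, a subtest that does `e.Put("source.port", -1)` and then `testProcessor(t, 0, e, nil)` would lock that in, and the same applies to `destination.port` beside the case added in patch 3/3. The expected strings `1:yrNkRN7VyfVz1Wh12tjRHhxERxM=` and, in 3/3, `1:YaVkVTbWUkgn0a2QrblLOEsia9g=` are golden values, so a one-line comment naming the reference Community ID implementation that produced them would let a reviewer re-derive them. TestRun begins and ends outside the hunk.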
@@ -108,6 +107,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Fix parsing of RFC 3164 process IDs in syslog processor. {issue}38947[38947] {pull}38982[38982]
 - Rename the field "apache2.module.error" to "apache.module.error" in Apache error visualization. {issue}39480[39480] {pull}39481[39481]
 - Validate config of the `replace` processor {pull}40047[40047]
+- Allow port number 0 in the community ID flowhash processor
 *Auditbeat*
From 46225cd2f32e54450ae98c9eec9b4d59165b06e4 Mon Sep 17 00:00:00 2001
From: MarcWort <113890636+MarcWort@users.noreply.github.com>
Date: Wed, 7 Aug 2024 17:33:50 +0200
Subject: [PATCH 3/3] fixup! fix: Allow use of valid Port 0
---
 libbeat/processors/communityid/communityid_test.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libbeat/processors/communityid/communityid_test.go b/libbeat/processors/communityid/communityid_test.go
index da6fdfd4aff..608787b9265 100644
--- a/libbeat/processors/communityid/communityid_test.go
+++ b/libbeat/processors/communityid/communityid_test.go
@@ -79,12 +79,6 @@ func TestRun(t *testing.T) {
 testProcessor(t, 0, e, nil)
 })
- t.Run("invalid destination port", func(t *testing.T) {
- e := evt()
- e.Put("destination.port", 0)
- testProcessor(t, 0, e, nil)
- })
-
 t.Run("invalid destination port1", func(t *testing.T) {
 e := evt()
 e.Put("destination.port", 123456)
@@ -142,6 +136,12 @@ func TestRun(t *testing.T) {
 testProcessor(t, 0, e, "1:yrNkRN7VyfVz1Wh12tjRHhxERxM=")
 })
+ t.Run("valid destination port 0", func(t *testing.T) {
+ e := evt()
+ e.Put("destination.port", 0)
+ testProcessor(t, 0, e, "1:YaVkVTbWUkgn0a2QrblLOEsia9g=")
+ })
+
 t.Run("iana number", func(t *testing.T) {
 e := evt()
 e.Delete("network.transport")