From ffe02cb9742e4529699b429f15bec080c75b4d32 Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Thu, 10 Dec 2020 13:22:41 -0600
Subject: [PATCH] incorporate feedback

- fix indentation in fields files
- fix "fail_on_error" option in dns
---
packages/zeek/data_stream/dns/agent/stream/log.yml.hbs | 8 ++++----
packages/zeek/data_stream/dns/fields/ecs.yml | 3 +--
packages/zeek/data_stream/ssl/fields/ecs.yml | 3 +--
packages/zeek/data_stream/x509/fields/ecs.yml | 6 ++----
4 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/packages/zeek/data_stream/dns/agent/stream/log.yml.hbs b/packages/zeek/data_stream/dns/agent/stream/log.yml.hbs
index a7bf284776c3..c01ea2ce3312 100644
--- a/packages/zeek/data_stream/dns/agent/stream/log.yml.hbs
+++ b/packages/zeek/data_stream/dns/agent/stream/log.yml.hbs
@@ -21,7 +21,7 @@ processors: target: zeek.dns - registered_domain: ignore_missing: true - ignore_failure: true + fail_on_error: false field: zeek.dns.query target_field: dns.question.registered_domain - script:
@@ -157,7 +157,7 @@ processors: } - convert: ignore_missing: true - ignore_failure: true + fail_on_error: false mode: rename fields: - {from: zeek.dns.id.orig_h, to: source.address}
@@ -168,7 +168,7 @@ processors: - {from: zeek.dns.proto, to: network.transport} - convert: ignore_missing: true - ignore_failure: true + fail_on_error: false mode: copy fields: - {from: source.address, to: source.ip, type: ip}
@@ -180,7 +180,7 @@ processors: - {from: zeek.dns.rcode_name, to: dns.response_code} - convert: ignore_missing: true - ignore_failure: true + fail_on_error: false fields: - {from: zeek.dns.trans_id, type: string} - add_fields:
diff --git a/packages/zeek/data_stream/dns/fields/ecs.yml b/packages/zeek/data_stream/dns/fields/ecs.yml
index f484ab179bb2..3a06bb0f5006 100644
--- a/packages/zeek/data_stream/dns/fields/ecs.yml
+++ b/packages/zeek/data_stream/dns/fields/ecs.yml
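Review bot: The first hunk (`@@ -21,7`) replaces `ignore_failure: true` with `fail_on_error: false` on the `registered_domain` processor, but `fail_on_error` is the `convert` processor's option; `registered_domain` takes `ignore_missing` and `ignore_failure`, so that line should stay `ignore_failure: true`. The three `convert` hunks (`@@ -157`, `@@ -168`, `@@ -180`) are the ones that genuinely needed `fail_on_error: false`. If the unrecognised key is not rejected at config load, the likely effect is that a lookup failure on `zeek.dns.query` (for example a PTR or otherwise non-domain query) is no longer ignored and may fail processing of that event instead of just leaving `dns.question.registered_domain` unset. The `processors:` list these hunks belong to starts and ends outside the hunks.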
@@ -79,8 +79,7 @@ ignore_above: 1024 name: dns.answers.name type: keyword -- description: The time interval in seconds that this resource record may be cached - before it should be discarded. +- description: The time interval in seconds that this resource record may be cached before it should be discarded. example: 180 name: dns.answers.ttl type: long
diff --git a/packages/zeek/data_stream/ssl/fields/ecs.yml b/packages/zeek/data_stream/ssl/fields/ecs.yml
index 01a8513bc067..b6374b8742ad 100644
--- a/packages/zeek/data_stream/ssl/fields/ecs.yml
+++ b/packages/zeek/data_stream/ssl/fields/ecs.yml
@@ -249,8 +249,7 @@ name: tls.server.x509.issuer.country type: keyword - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA ignore_above: 1024 name: tls.server.x509.issuer.distinguished_name type: keyword
diff --git a/packages/zeek/data_stream/x509/fields/ecs.yml b/packages/zeek/data_stream/x509/fields/ecs.yml
index 8eb8783cb184..626a90e6c894 100644
--- a/packages/zeek/data_stream/x509/fields/ecs.yml
+++ b/packages/zeek/data_stream/x509/fields/ecs.yml
@@ -44,8 +44,7 @@ name: file.x509.issuer.country type: keyword - description: Distinguished name (DN) of issuing certificate authority. - example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance - Server CA + example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA ignore_above: 1024 name: file.x509.issuer.distinguished_name type: keyword
@@ -82,8 +81,7 @@ ignore_above: 1024 name: file.x509.public_key_algorithm type: keyword -- description: The curve used by the elliptic curve public key algorithm. This is - algorithm specific. +- description: The curve used by the elliptic curve public key algorithm. This is algorithm specific. example: nistp521 ignore_above: 1024 name: file.x509.public_key_curve