Add system and pipeline tests for Suricata EVE #457
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This adds tests and update the Suricata pipeline. - Sync the pipeline from beats e9d12e2119ff58. - Convert suricata.eve.flow_id to string because the field is a keyword in the mapping. - Add missing ECS field definitions.
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
|
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
| @@ -0,0 +1,173 @@ | |||
| { | |||
There was a problem hiding this comment.
each of these appear to only have 3 events in the output, that seems off to me given that the number of events/flows in each of the logs is more on the order of 8+?
There was a problem hiding this comment.
This is the input for the pipeline test. These three events are run through the ES Ingest Node pipeline. Then the output of the pipeline is checked against the test-events.json-expected.json file.
The other log files in the deploy directory are for the e2e tests. Those don't have golden files. Those tests only check that there were no errors and that all fields are documented.
adriansr
approved these changes
Dec 14, 2020
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this pull request
Jan 12, 2021
Convert suricata.eve.flow_id to string because the field is a keyword in the mapping. elastic/integrations#457
1 task
andrewkroh
added a commit
to elastic/beats
that referenced
this pull request
Jan 25, 2021
* Sync changes to AWS CloudTrail elastic/integrations#408 * Sync changes to CheckPoint Firewall Change type of event.severity. elastic/integrations#409 * Sync changes from Cisco ASA / FTD elastic/integrations#414 * Sync changes from Cisco IOS Make icmp and igmp fields strings because they are keywords. elastic/integrations#416 * Sync changes to CrowdStrike Falcon Fix some field types. elastic/integrations#377 * Sync changes to Fortinet Firewall Drop assignip if the value is "N/A". elastic/integrations#437 * Sync changes to Juniper SRX Convert event.risk values to float Protect against missing event.timezone Convert event.severity to long. elastic/integrations#443 * Sync changes to Suricata EVE Convert suricata.eve.flow_id to string because the field is a keyword in the mapping. elastic/integrations#457 * Sync changes to Zeek DNS Fix usages of ignore_failure with convert processor. Make DNS transaction ID a string. elastic/integrations#448 * Add changelog
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this pull request
Feb 16, 2021
* Sync changes to AWS CloudTrail elastic/integrations#408 * Sync changes to CheckPoint Firewall Change type of event.severity. elastic/integrations#409 * Sync changes from Cisco ASA / FTD elastic/integrations#414 * Sync changes from Cisco IOS Make icmp and igmp fields strings because they are keywords. elastic/integrations#416 * Sync changes to CrowdStrike Falcon Fix some field types. elastic/integrations#377 * Sync changes to Fortinet Firewall Drop assignip if the value is "N/A". elastic/integrations#437 * Sync changes to Juniper SRX Convert event.risk values to float Protect against missing event.timezone Convert event.severity to long. elastic/integrations#443 * Sync changes to Suricata EVE Convert suricata.eve.flow_id to string because the field is a keyword in the mapping. elastic/integrations#457 * Sync changes to Zeek DNS Fix usages of ignore_failure with convert processor. Make DNS transaction ID a string. elastic/integrations#448 * Add changelog (cherry picked from commit bf46572)
adriansr
pushed a commit
to elastic/beats
that referenced
this pull request
Feb 17, 2021
#24077) * Sync fixes from Integration Package Testing (#23424) * Sync changes to AWS CloudTrail elastic/integrations#408 * Sync changes to CheckPoint Firewall Change type of event.severity. elastic/integrations#409 * Sync changes from Cisco ASA / FTD elastic/integrations#414 * Sync changes from Cisco IOS Make icmp and igmp fields strings because they are keywords. elastic/integrations#416 * Sync changes to CrowdStrike Falcon Fix some field types. elastic/integrations#377 * Sync changes to Fortinet Firewall Drop assignip if the value is "N/A". elastic/integrations#437 * Sync changes to Juniper SRX Convert event.risk values to float Protect against missing event.timezone Convert event.severity to long. elastic/integrations#443 * Sync changes to Suricata EVE Convert suricata.eve.flow_id to string because the field is a keyword in the mapping. elastic/integrations#457 * Sync changes to Zeek DNS Fix usages of ignore_failure with convert processor. Make DNS transaction ID a string. elastic/integrations#448 * Add changelog (cherry picked from commit bf46572)
eyalkraft
pushed a commit
to build-security/integrations
that referenced
this pull request
Mar 30, 2022
This adds tests and update the Suricata pipeline. - Sync the pipeline from beats e9d12e2119ff58. - Convert suricata.eve.flow_id to string because the field is a keyword in the mapping. - Add missing ECS field definitions.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
This adds tests and update the Suricata pipeline.
Checklist
Related issues