zeek ecs 1.7 updates for network.direction (elastic#22967)

- prevent setting network.direction to external if local_orig and local_resp are both undefined
leehinman · Dec 10, 2020 · f0120ce · f0120ce
1 parent f52e452
commit f0120ce
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 13 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -344,6 +344,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix for `field [source] not present as part of path [source.ip]` error in azure pipelines. {pull}22377[22377]
 - Drop aws.vpcflow.pkt_srcaddr and aws.vpcflow.pkt_dstaddr when equal to "-". {pull}22721[22721] {issue}22716[22716]
 - Fix cisco umbrella module config by adding input variable. {pull}22892[22892]
+- Fix network.direction logic in zeek connection fileset. {pull}22967[22967]
 - Convert the o365 module's `client.port` and `source.port` to numbers (from strings) in events. {pull}22939[22939]
 - Fix Cisco ASA/FTD module's parsing of WebVPN log message 716002. {pull}22966[22966]
 

diff --git a/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
@@ -45,19 +45,30 @@ processors:
     source: ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes
     ignore_failure: true
 - script:
-    source: >-
-      if (ctx?.zeek?.connection?.local_orig == true) {
-        if (ctx?.zeek?.connection?.local_resp == true) {
-          ctx.network.direction = "internal";
-        } else {
-          ctx.network.direction = "outbound";
-        }
-      } else {
-        if (ctx?.zeek?.connection?.local_resp == true) {
-          ctx.network.direction = "inbound";
-        } else {
-          ctx.network.direction = "external";
-        }
+    source: |-
+      if (ctx?.zeek?.connection?.local_orig == null ||
+          ctx?.zeek?.connection?.local_resp == null) {
+        return;
+      }
+      if (ctx.zeek.connection.local_orig == true &&
+          ctx.zeek.connection.local_resp == true) {
+        ctx.network.direction = "internal";
+        return;
+      }
+      if (ctx.zeek.connection.local_orig == true &&
+          ctx.zeek.connection.local_resp == false) {
+        ctx.network.direction = "outbound";
+        return;
+      }
+      if (ctx.zeek.connection.local_orig == false &&
+          ctx.zeek.connection.local_resp == true) {
+        ctx.network.direction = "inbound";
+        return;
+      }
+      if (ctx.zeek.connection.local_orig == false &&
+          ctx.zeek.connection.local_resp == false) {
+        ctx.network.direction = "external";
+        return;
       }
 - geoip:
     field: destination.ip