Cherry-pick #10006 to 6.x: Populate more ECS fields in the Suricata module #10537

Merged: adriansr merged 2 commits into elastic:6.x from adriansr:backport_10006_6.x on Feb 5, 2019

Conversation

@adriansr (Contributor) commented Feb 4, 2019

Cherry-pick of PR #10006 to 6.x branch. Original message:

A few more ECS fields are populated by the ingest pipeline that enriches Suricata's eve.json events.

Additions:

  • http.request.referrer (from suricata.eve.http.http_refer)

  • event.action (from suricata.eve.alert.category)
    describes the action that caused the event.
    Examples: "Attempted Denial of Service", "Successful Administrator Privilege Gain"

  • event.outcome (from suricata.eve.alert.action)
    Possible values: "allowed", "blocked"

  • event.severity (from suricata.eve.alert.severity)
    Possible values: 1, 2 or 3.

  • network.transport (from suricata.eve.proto)
    Examples: "tcp", "udp", "ipv6-icmp"

* Populate more ECS fields in the Suricata module

A few more ECS fields are populated by the ingest pipeline that enriches
Suricata's eve.json events.

Additions:

- http.request.referrer (from suricata.eve.http.http_refer)

- event.action (from suricata.eve.alert.category)
  describes the action that caused the event.
  Examples: "Attempted Denial of Service", "Successful Administrator Privilege Gain"

- event.outcome (from suricata.eve.alert.action)
  Possible values: "allowed", "blocked"

- event.severity (from suricata.eve.alert.severity)
  Possible values: 1, 2 or 3.

- network.transport (from suricata.eve.proto)
  Examples: "tcp", "udp", "ipv6-icmp"

* Use message for suricata.eve.alert.category

Instead of event.action, which is expected to have a fixed set of
enumeration values.

* Populate destination.domain

When http.hostname is present.

* Populate event.{start,end,duration}

* populate network.protocol

* url.hostname is url.domain

* Populate url.path, url.fragment, url.query

From http.url

* Lowercase http request method

* Source/Destination and aggregated counters

This assumes client=source server=destination.

Populates
- source.{packets|bytes}
- destination.{packets|bytes}
- network.{packets|bytes}

* Updated golden files

* Populate ECS field `http.response.body.bytes`

* Use grok pattern to parse url fields

Replace ugly painless code.

* Avoid pairs of convert/lowercase

Lowercase processor can have a target field so it's not necessary to copy
the field in a previous step.

* Cleanup painless script

* Fix golden data

* Fix golden data (2)

* Copy timestamp to event.end instead of parsing date again

(cherry picked from commit 184149f4a18b4162b0d6c89adba3bb924a2db0b8)
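The mapping the description lists, written out as an added Python example rather than the module's actual Elasticsearch ingest pipeline (which uses grok and painless processors). The sample event, the use of `urlsplit` in place of the grok pattern, and the reading of `http.length` as the response body size are assumptions of this example, not statements from the PR.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample eve.json alert; not taken from the PR or its golden files.
SAMPLE_EVE = json.dumps({
    "timestamp": "2019-02-04T10:00:00.000000+0000", "event_type": "alert",
    "proto": "TCP", "app_proto": "http",
    "alert": {"action": "allowed", "category": "Attempted Denial of Service", "severity": 2},
    "http": {"hostname": "example.test", "url": "/index.php?id=1#top", "http_method": "GET",
             "http_refer": "http://example.test/", "length": 512},
    "flow": {"pkts_toserver": 10, "pkts_toclient": 8, "bytes_toserver": 1200,
             "bytes_toclient": 900, "start": "2019-02-04T09:59:58.000000+0000"},
})


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")  # eve.json timestamp layout


def enrich(raw: str) -> dict:
    eve = json.loads(raw)
    http, flow, alert = eve.get("http", {}), eve.get("flow", {}), eve.get("alert", {})
    copies = [  # (source dict, source key, ECS field, transform); absent keys are skipped
        (eve, "proto", "network.transport", str.lower),          # "TCP" -> "tcp"
        (eve, "app_proto", "network.protocol", str),
        (alert, "action", "event.outcome", str),                 # "allowed" or "blocked"
        (alert, "severity", "event.severity", int),              # 1, 2 or 3
        (alert, "category", "message", str),                     # free text, so not event.action
        (http, "hostname", "destination.domain", str),
        (http, "hostname", "url.domain", str),                   # url.hostname is url.domain
        (http, "http_method", "http.request.method", str.lower),
        (http, "http_refer", "http.request.referrer", str),
        (http, "length", "http.response.body.bytes", int),       # assumption: response body size
        (flow, "pkts_toserver", "source.packets", int),          # assumes client=source,
        (flow, "bytes_toserver", "source.bytes", int),           # server=destination
        (flow, "pkts_toclient", "destination.packets", int),
        (flow, "bytes_toclient", "destination.bytes", int),
        (flow, "start", "event.start", str),
        (eve, "timestamp", "event.end", str),                    # copied, not parsed again
    ]
    ecs = {field: fn(src[key]) for src, key, field, fn in copies if key in src}
    if "url" in http:  # urlsplit stands in for the pipeline's grok pattern
        parts = urlsplit(http["url"])
        ecs.update({"url." + p: getattr(parts, p) for p in ("path", "query", "fragment") if getattr(parts, p)})
    if "source.packets" in ecs and "destination.packets" in ecs:  # aggregated counters
        ecs["network.packets"] = ecs["source.packets"] + ecs["destination.packets"]
        ecs["network.bytes"] = ecs["source.bytes"] + ecs["destination.bytes"]
    if "event.start" in ecs and "event.end" in ecs:  # ECS event.duration is in nanoseconds
        delta = parse_ts(ecs["event.end"]) - parse_ts(ecs["event.start"])
        ecs["event.duration"] = int(delta.total_seconds() * 1e9)
    return ecs
```

`enrich(SAMPLE_EVE)` yields exactly the keys the golden-data diff below reports as added (with `source.*` in place of the 6.x `source_ecs.*` alias), and no `url.hostname` or `event.action`.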
@adriansr (Contributor, Author) commented Feb 4, 2019

For those reviewing the golden data, I've diff'ed it with a script:

eve-alerts.log-expected.json:

event 0
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 1
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 2
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 3
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 4
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 5
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 6
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 7
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 8
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 9
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 10
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 11
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 12
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 13
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 14
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 15
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 16
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 17
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 18
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

event 19
- url.hostname
+ event.duration
+ destination.domain
+ url.path
+ event.severity
+ source_ecs.bytes
+ message
+ http.response.body.bytes
+ network.packets
+ event.end
+ destination.bytes
+ event.start
+ network.protocol
+ destination.packets
+ network.bytes
+ network.transport
+ url.domain
+ source_ecs.packets
+ event.outcome
(change) http.request.method [`GET` -> `get`]

eve-small.log-expected.json:

event 0
+ event.end
+ network.transport

event 1
+ event.duration
+ event.end
+ event.severity
+ source_ecs.bytes
+ network.protocol
+ message
+ network.packets
+ destination.bytes
+ event.start
+ destination.packets
+ network.bytes
+ network.transport
+ source_ecs.packets
+ event.outcome

event 2
- url.hostname
+ destination.domain
+ event.end
+ http.response.body.bytes
+ url.path
+ network.transport
+ url.domain
(change) http.request.method [`GET` -> `get`]

event 3
- url.hostname
+ network.protocol
+ destination.domain
+ event.end
+ http.response.body.bytes
+ url.path
+ network.transport
+ url.domain
(change) http.request.method [`GET` -> `get`]

event 4
+ event.end
+ network.transport

event 5
+ event.end

event 6
+ event.end
+ network.transport

event 7
+ event.duration
+ event.end
+ source_ecs.bytes
+ network.protocol
+ network.packets
+ destination.bytes
+ event.start
+ destination.packets
+ network.bytes
+ network.transport
+ source_ecs.packets

-: removed key
+: added key
(change): key changed value

link to script
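An added example of a golden-file comparison that produces the same `-` / `+` / `(change)` report as the comment above; it is not the author's script (the linked script is not on this page). It assumes, as the module's `*-expected.json` files do, that each golden file is a JSON array of events, and it uses two constructed one-event files as input.

```python
import json
# Constructed "old" and "new" golden files with one event each (not the PR's real golden data).
OLD_GOLDEN = json.dumps([{"url": {"hostname": "example.test"},
                          "http": {"request": {"method": "GET"}}}])
NEW_GOLDEN = json.dumps([{"url": {"domain": "example.test", "path": "/"},
                          "http": {"request": {"method": "get"}},
                          "event": {"end": "2019-02-04T10:00:00.000Z"}}])


def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested objects into {"a.b.c": value}; lists stay leaf values."""
    out = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            out.update(flatten(value, prefix + key + "."))
        else:
            out[prefix + key] = value
    return out


def diff_event(old: dict, new: dict) -> list:
    """Return ("-", key), ("+", key) and ("change", key, old, new) tuples sorted by key."""
    a, b = flatten(old), flatten(new)
    changes = [("-", k) for k in a if k not in b] + [("+", k) for k in b if k not in a]
    changes += [("change", k, a[k], b[k]) for k in a if k in b and a[k] != b[k]]
    return sorted(changes, key=lambda c: c[1])


def diff_golden(old_text: str, new_text: str) -> dict:
    """Compare two golden files event by event; unchanged events are left out."""
    old_events, new_events = json.loads(old_text), json.loads(new_text)
    if len(old_events) != len(new_events):
        raise ValueError(f"event count differs: {len(old_events)} vs {len(new_events)}")
    report = {}
    for i, (o, n) in enumerate(zip(old_events, new_events)):
        changes = diff_event(o, n)
        if changes:
            report[i] = changes
    return report


def render(report: dict) -> str:
    """Format the report in the layout used in the comment above."""
    lines = []
    for i, changes in report.items():
        lines.append(f"event {i}")
        for c in changes:
            lines.append(f"(change) {c[1]} [`{c[2]}` -> `{c[3]}`]" if c[0] == "change" else f"{c[0]} {c[1]}")
        lines.append("")
    return "\n".join(lines)
```

`print(render(diff_golden(OLD_GOLDEN, NEW_GOLDEN)))` prints one `event 0` block with the renamed `url.hostname`, the added `event.end`, `url.domain` and `url.path`, and the `GET` to `get` method change.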

@andrewkroh (Member) commented
Shouldn't this have a changelog? (I think it was released already)

@webmat (Contributor) left a comment

Missing a changelog. Other than that, LGTM 💯

@adriansr (Contributor, Author) commented Feb 5, 2019

Will open a separate PR with the missing changelog

@adriansr (Contributor, Author) commented Feb 5, 2019

jenkins, test this

@adriansr adriansr merged commit 22b1fa1 into elastic:6.x Feb 5, 2019
4 participants