Skip to content

[Filebeat] zeek ecs 1.7 updates for network.direction#22967

Merged
leehinman merged 2 commits intoelastic:masterfrom
leehinman:21674_zeek_ingress_egress
Dec 10, 2020
Merged

[Filebeat] zeek ecs 1.7 updates for network.direction#22967
leehinman merged 2 commits intoelastic:masterfrom
leehinman:21674_zeek_ingress_egress

Conversation

@leehinman
Copy link
Copy Markdown
Contributor

@leehinman leehinman commented Dec 7, 2020

What does this PR do?

prevents setting network.direction to external if local_orig and local_resp are both undefined

Why is it important?

data accuracy

Checklist

  • My code follows the style guidelines of this project
    - [ ] I have commented my code, particularly in hard-to-understand areas
    - [ ] I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

TESTING_FILEBEAT_MODULES=zeek TESTING_FILEBEAT_FILESETS=connection mage -v pythonIntegTest

Related issues

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 7, 2020
@leehinman leehinman added bug Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. Team:Security-External Integrations labels Dec 7, 2020
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 7, 2020
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Dec 7, 2020

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@leehinman
zeek ecs 1.7 updates for network.direction
0a768e5 
- prevent setting network.direction to external if local_orig and
  local_resp are both undefined
@leehinman leehinman force-pushed the 21674_zeek_ingress_egress branch from ea763c8 to 0a768e5 Compare December 7, 2020 21:05
@leehinman leehinman mentioned this pull request Dec 7, 2020
Closed
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Dec 7, 2020
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: Pull request #22967 updated

  • Start Time: 2020-12-10T19:32:08.361+0000

  • Duration: 68 min 19 sec

Test stats 🧪

Test Results
Failed 0
Passed 2422
Skipped 261
Total 2683

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 2422
Skipped 261
Total 2683

andrewstucki
andrewstucki reviewed Dec 9, 2020
View reviewed changes
x-pack/filebeat/module/zeek/connection/ingest/pipeline.yml
return;
}
if (ctx.zeek.connection.local_orig == false &&
ctx.zeek.connection.local_resp == false) {
Copy link
Copy Markdown

@andrewstucki andrewstucki Dec 9, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, wondering what these fields equate to in practice? I'm assuming that they're generally about inbound/outbound network connections that are destined for the host that zeek is running on, right? If so, I'd actually switch this to use ingress/egress. The inbound/outbound stuff is when you're modeling around a network perimeter, like if you have a network firewall or something.

Copy link
Copy Markdown
Contributor Author

@leehinman leehinman Dec 9, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From zeek docs:

local_orig: bool
If the connection is originated locally, this value will be T. If it was originated remotely it will be F. In the case that the Site::local_nets variable is undefined, this field will be left empty at all times.

local_resp: bool
If the connection is responded to locally, this value will be T. If it was responded to remotely it will be F. In the case that the Site::local_nets variable is undefined, this field will be left empty at all times.

So I think inbound/outbound are the right pairs, since you have to define local_nets variable and traffic doesn't have to be to/from the zeek host.

@leehinman leehinman merged commit f0120ce into elastic:master Dec 10, 2020
@leehinman leehinman deleted the 21674_zeek_ingress_egress branch December 10, 2020 20:56
@leehinman leehinman mentioned this pull request Dec 10, 2020
Merged
3 tasks
@leehinman leehinman added v7.11.0 and removed needs_backport PR is waiting to be backported to other branches. labels Dec 10, 2020
leehinman added a commit to leehinman/beats that referenced this pull request Dec 10, 2020
@leehinman
zeek ecs 1.7 updates for network.direction (elastic#22967)
f65ac60 
- prevent setting network.direction to external if local_orig and
  local_resp are both undefined

(cherry picked from commit f0120ce)
leehinman added a commit that referenced this pull request Dec 10, 2020
@leehinman
zeek ecs 1.7 updates for network.direction (#22967) (#23083)
bec81ba 
- prevent setting network.direction to external if local_orig and
  local_resp are both undefined

(cherry picked from commit f0120ce)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@andrewstucki andrewstucki andrewstucki approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug Filebeat Filebeat v7.11.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@leehinman @elasticmachine @andrewstucki