[Packetbeat] Update ingress/egress traffic directionality

[andrewstucki]

What does this PR do?

This changes the way Packetbeat classifies network directionality to bring it in line with ECS 1.7. It adds a home_networks option to the configuration and works like the following:

1. If Packetbeat sees a packet with a source/destination that is either link-local or corresponds to an IP on the host, it is classified as ingress or egress
2. If we can't classify as ingress or egress and home_networks is specified, we try to classify at the network perimeter
3. Perimeter classification is as follows:

match private ip as destination + private ip as source = internal
match private ip as destination + public ip as source = inbound
match public ip as destination + private ip as source = outbound
match public ip as destination + public ip as source = external

4. If home_networks is not specified, then the direction remains "unknown"

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

• Relates [ECS] Upgrade modules to 1.7 #21674

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

In the default configuration, would it make sense to change the logic for when the add_host_metadata is executed to be based on the network.direction values. I was wondering if we could use a value of ingress/egress to trigger it since they mean the packet involved the host packetbeat is running on.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #22996 updated

• Start Time: 2020-12-09T21:22:36.571+0000

• Duration: 36 min 26 sec

Test stats 🧪

Test	Results
Failed	0
Passed	1087
Skipped	10
Total	1097

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	1087
Skipped	10
Total	1097

[andrewstucki]

In the default configuration, would it make sense to change the logic for when the add_host_metadata is executed to be based on the network.direction values. I was wondering if we could use a value of ingress/egress to trigger it since they mean the packet involved the host packetbeat is running on.

I'd be fine with that. On the other hand, I believe pretty much all other beats use forwarded tags, so maybe we want to keep it the same? I have no strong preference one way or the other.

[andrewkroh]

I'd be fine with that. On the other hand, I believe pretty much all other beats use forwarded tags, so maybe we want to keep it the same? I have no strong preference one way or the other.

That's true. Let's hold off on that change.

[leehinman]

CHANGELOG look off, but code changes look good.