[Filebeat] Add network direction processor to Zeek and Suricata modules #24620
P1llus merged 11 commits into elastic:master from
Conversation
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
@andrewkroh I think I'm almost done with this PR but I think I found a bug and want to check with you first. I noticed on the Snort and Sonicwall JS scripts, for source and dest IP it was using the
This pull request is now in conflicts. Could you fix it? 🙏
This pull request is now in conflicts. Could you fix it? 🙏
This reverts commit 1c5722d9f1f6cd5370ef3f3d7a882e49731a4e3d.
run tests
This pull request is now in conflicts. Could you fix it? 🙏
/test
This pull request is now in conflicts. Could you fix it? 🙏
/test
Is this okay to merge now @andrewkroh? We moved everything out of ingest pipelines and into beats, so that they offer backwards compatibility as well.
andrewkroh left a comment
Modifying snort and sonicwall will cause issues in the future since those are generated modules from https://github.com/adriansr/nwdevice2filebeat. This feature could be added to the generator then all of the RSA would get this processor. IMO I think we should remove the changes from those two modules and proceed with this PR.
| "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, | ||
| "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, | ||
| "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, | ||
| "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, |
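Review bot: The `daddr_v6` mapping is dropped entirely in the new side of this hunk, so IPv6 destination addresses would no longer populate `destination.ip` or `related.ip`; if the intent is only to make `destination.ip` a scalar for the `network_direction` processor, keep the `daddr_v6` entry and apply the same `fld_set` change to it rather than removing it.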
Why set and not append? Normally related.ip is an array. This seems unrelated to adding network direction.
I don't recall removing `"daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},`. That is probably an accident. As for the change from `{field: "destination.ip", setter: fld_append}` to `{field: "destination.ip", setter: fld_set}`, it is because the network_direction processor requires a string field, not an array.
The append for related.ip is unchanged.
I am reverting the changes for Snort and Sonicwall.
Thanks for pointing out that source.ip and destination.ip should be scalars. I think we should make that change, just not in this PR. Would you please open an issue for this? It does look like you reverted most of the snort/sonicwall changes, but a small part of snort is still changed.
/test
…es (#24620)

* Add network direction processor to zeek and suricata module
* Add Snort & Sonicwall
* update changelog
* use ES network_direction processor
* Revert "use ES network_direction processor"

This reverts commit 1c5722d9f1f6cd5370ef3f3d7a882e49731a4e3d.

* update docs with new variable
* Removed Snort and Sonicwall
* update docs
* missed one

Co-authored-by: Marius Iversen <marius.iversen@elastic.co>
(cherry picked from commit 9e670f7)
…es (#24620) (#26568)

* Add network direction processor to zeek and suricata module
* Add Snort & Sonicwall
* update changelog
* use ES network_direction processor
* Revert "use ES network_direction processor"

This reverts commit 1c5722d9f1f6cd5370ef3f3d7a882e49731a4e3d.

* update docs with new variable
* Removed Snort and Sonicwall
* update docs
* missed one

Co-authored-by: Marius Iversen <marius.iversen@elastic.co>
(cherry picked from commit 9e670f7)

Co-authored-by: Alex Resnick <adr8292@gmail.com>
What does this PR do?

Adds the `add_network_direction` processor to the Zeek & Suricata module filesets using the `internal_networks` variable. The `internal_networks` variable defaults to `[ private ]`, and `add_network_direction` will only run if that variable is defined.

Why is it important?

The `add_network_direction` processor adds `network.direction` to documents, which allows users to easily filter traffic by direction without needing to know the specific IP subnets.

Checklist
`CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`.

Author's Checklist
How to test this PR locally
Related issues
N/A
Use cases
Screenshots
Logs
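The classification that the PR description and review thread describe, as an added illustration that is not code from this PR or from libbeat: a Python re-implementation of how `network.direction` is derived from scalar `source.ip`/`destination.ip` against `internal_networks`, skipping the step when the variable is unset and rejecting array-valued IP fields as the thread notes the processor requires. The named range `private` is assumed here to cover RFC 1918 plus `fd00::/8`, and the sample events are constructed.

```python
import ipaddress

# Assumed expansion of the named ranges accepted in internal_networks;
# "private" is the module variable's default value on this page.
NAMED_RANGES = {
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8"],
    "loopback": ["127.0.0.0/8", "::1/128"],
}


def _expand(internal_networks):
    """Turn names like 'private' and literal CIDRs into ip_network objects."""
    cidrs = []
    for entry in internal_networks:
        cidrs.extend(NAMED_RANGES.get(entry, [entry]))
    return [ipaddress.ip_network(c) for c in cidrs]


def network_direction(source_ip, destination_ip, internal_networks=("private",)):
    """Return the ECS network.direction value: internal, outbound, inbound or external."""
    for name, value in (("source.ip", source_ip), ("destination.ip", destination_ip)):
        if not isinstance(value, str):  # arrays from fld_append are not accepted
            raise TypeError(f"{name} must be a scalar string, got {type(value).__name__}")
    nets = _expand(internal_networks)
    src_internal = any(ipaddress.ip_address(source_ip) in n for n in nets)
    dst_internal = any(ipaddress.ip_address(destination_ip) in n for n in nets)
    if src_internal and dst_internal:
        return "internal"
    if src_internal:
        return "outbound"
    if dst_internal:
        return "inbound"
    return "external"


def add_network_direction(event, internal_networks=("private",)):
    """Mirror the fileset's conditional: only enrich when internal_networks is defined."""
    if not internal_networks:
        return event
    src, dst = event.get("source.ip"), event.get("destination.ip")
    if src is None or dst is None:  # nothing to classify
        return event
    event["network.direction"] = network_direction(src, dst, internal_networks)
    return event


if __name__ == "__main__":
    # Constructed Zeek-style conn event, flattened to dotted ECS keys.
    sample = {"source.ip": "192.168.1.10", "destination.ip": "8.8.8.8", "event.dataset": "zeek.connection"}
    print(add_network_direction(dict(sample)))
```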