
Commit 362016d

[Filebeat] Fix tls mapping in suricata module (elastic#19494)
* Fix tls mapping in suricata module
  - add suricata.eve.tls.ja3s.string field
  - add suricata.eve.tls.ja3s.hash field
  - add suricata.eve.tls.ja3.string field
  - add suricata.eve.tls.ja3.hash field
  - set default_field to false for ja3 & ja3s fields
  - map suricata.eve.tls.ja3.hash to tls.client.ja3
  - map suricata.eve.tls.ja3s.hash to tls.server.ja3s
  - perform suricata.eve.tls.* -> tls.* mappings for all event types

Closes elastic#19492
1 parent 12bce01 commit 362016d

8 files changed

Lines changed: 213 additions & 21 deletions


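--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -199,6 +199,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix date and timestamp formats for fortigate module {pull}19316[19316]
 - Fix memory leak in tcp and unix input sources. {pull}19459[19459]
 - Add missing `default_field: false` to aws filesets fields.yml. {pull}19568[19568]
+- Fix tls mapping in suricata module {issue}19492[19492] {pull}19494[19494]
 
 *Heartbeat*
 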
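--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -34596,6 +34596,36 @@ type: keyword
 
 --
 
+
+*`suricata.eve.tls.ja3s.string`*::
++
+--
+type: keyword
+
+--
+
+*`suricata.eve.tls.ja3s.hash`*::
++
+--
+type: keyword
+
+--
+
+
+*`suricata.eve.tls.ja3.string`*::
++
+--
+type: keyword
+
+--
+
+*`suricata.eve.tls.ja3.hash`*::
++
+--
+type: keyword
+
+--
+
 *`suricata.eve.app_proto_ts`*::
 +
 --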

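--- a/x-pack/filebeat/module/suricata/eve/_meta/fields.yml
+++ b/x-pack/filebeat/module/suricata/eve/_meta/fields.yml
@@ -665,6 +665,24 @@
 - name: subject
 type: keyword
 
+- name: ja3s
+type: group
+default_field: false
+fields:
+- name: string
+type: keyword
+- name: hash
+type: keyword
+
+- name: ja3
+type: group
+default_field: false
+fields:
+- name: string
+type: keyword
+- name: hash
+type: keyword
+
 - name: app_proto_ts
 type: keyword
 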
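Review bot: The four new leaf fields under `ja3s` and `ja3` (new-side lines 668–684) carry no `description:`, so the generated filebeat/docs/fields.asciidoc renders each of them as an empty entry with only `type: keyword`, and a reader of the index has nothing to tell the `string` and `hash` apart or which side of the handshake they describe. Add one line per field, e.g. `description: JA3 fingerprint string of the client hello` and `description: Hash of the JA3 string (also copied to tls.client.ja3)`, with the server-side wording for the `ja3s` pair. The hash fields are the ones analysts pivot on, so those descriptions are worth stating precisely. The `tls` group these fields sit in starts before the hunk.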
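--- a/x-pack/filebeat/module/suricata/eve/config/eve.yml
+++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml
@@ -373,26 +373,23 @@ processors:
 addTlsVersion(evt);
 cleanupTlsSni(evt);
 }
-- if:
-equals:
-suricata.eve.event_type: tls
-then:
-- convert:
-ignore_missing: true
-ignore_failure: true
-mode: copy
-fields:
-- {from: suricata.eve.tls.subject, to: tls.server.subject}
-- {from: suricata.eve.tls.issuerdn, to: tls.server.issuer}
-- {from: suricata.eve.tls.session_resumed, to: tls.resumed, type: boolean}
-- {from: suricata.eve.tls.fingerprint, to: tls.server.hash.sha1}
-- {from: suricata.eve.tls.sni, to: tls.client.server_name}
-- {from: suricata.eve.tls.sni, to: destination.domain}
-- {from: suricata.eve.tls.notbefore, to: tls.server.not_before}
-- {from: suricata.eve.tls.notafter, to: tls.server.not_after}
-- {from: suricata.eve.tls.ja3s, to: tls.server.ja3s}
-- {from: suricata.eve.tls.certificate, to: tls.server.certificate}
-- {from: suricata.eve.tls.chain, to: tls.server.certificate_chain}
+- convert:
+ignore_missing: true
+fail_on_error: false
+mode: copy
+fields:
+- {from: suricata.eve.tls.subject, to: tls.server.subject}
+- {from: suricata.eve.tls.issuerdn, to: tls.server.issuer}
+- {from: suricata.eve.tls.session_resumed, to: tls.resumed, type: boolean}
+- {from: suricata.eve.tls.fingerprint, to: tls.server.hash.sha1}
+- {from: suricata.eve.tls.sni, to: tls.client.server_name}
+- {from: suricata.eve.tls.sni, to: destination.domain}
+- {from: suricata.eve.tls.notbefore, to: tls.server.not_before}
+- {from: suricata.eve.tls.notafter, to: tls.server.not_after}
+- {from: suricata.eve.tls.ja3s.hash, to: tls.server.ja3s}
+- {from: suricata.eve.tls.ja3.hash, to: tls.client.ja3}
+- {from: suricata.eve.tls.certificate, to: tls.server.certificate}
+- {from: suricata.eve.tls.chain, to: tls.server.certificate_chain}
 - drop_fields:
 ignore_missing: true
 fields: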
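Review bot: The rewritten `- convert:` block (new-side lines 376–392) now runs for every event type and swaps `ignore_failure: true` for `fail_on_error: false`, but nothing in the file records why the `event_type: tls` guard went away or why the option changed; as far as I can tell `ignore_failure` is not an option the `convert` processor reads, so the old setting was inert and a single unconvertible field would have failed the whole processor. Add a comment above the block: `# Not gated on event_type: alert events can carry a tls object too. fail_on_error: false so one unconvertible field (e.g. a non-boolean session_resumed) does not abort the remaining copies.` Separately, the new `tls.client.ja3` and `tls.server.ja3s` values do not appear in `related.hash` in the expected output (only the certificate sha1 does); if `related.hash` is assembled elsewhere in this pipeline, consider appending both fingerprints so they can be pivoted on alongside the certificate hash. The `processors:` list this hunk belongs to starts before the hunk.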

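--- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log
@@ -18,3 +18,5 @@
 {"timestamp":"2018-10-04T09:35:00.897009+0000","flow_id":112424506237238,"in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.146","src_port":52340,"dest_ip":"91.189.91.23","dest_port":80,"proto":"TCP","tx_id":7,"alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU\/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"archive.ubuntu.com","url":"\/ubuntu\/dists\/bionic-updates\/universe\/binary-amd64\/by-hash\/SHA256\/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc","http_user_agent":"Debian APT-HTTP\/1.3 (1.6.3ubuntu0.1)","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2687},"app_proto":"http","flow":{"pkts_toserver":330,"pkts_toclient":591,"bytes_toserver":23758,"bytes_toclient":884342,"start":"2018-10-04T09:34:58.926006+0000"}}
 {"timestamp":"2018-10-04T09:35:01.362208+0000","flow_id":112424506237238,"in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.146","src_port":52340,"dest_ip":"91.189.91.23","dest_port":80,"proto":"TCP","tx_id":8,"alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU\/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"archive.ubuntu.com","url":"\/ubuntu\/dists\/bionic-updates\/universe\/i18n\/by-hash\/SHA256\/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4","http_user_agent":"Debian APT-HTTP\/1.3 (1.6.3ubuntu0.1)","http_method":"GET","protocol":"HTTP\/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":524,"pkts_toclient":979,"bytes_toserver":36819,"bytes_toclient":1467603,"start":"2018-10-04T09:34:58.926006+0000"}}
 {"timestamp":"2018-10-04T09:35:01.575088+0000","flow_id":112424506237238,"in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.146","src_port":52340,"dest_ip":"91.189.91.23","dest_port":80,"proto":"TCP","tx_id":9,"alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU\/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"archive.ubuntu.com","url":"\/ubuntu\/dists\/bionic-updates\/multiverse\/binary-amd64\/by-hash\/SHA256\/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16","http_user_agent":"Debian APT-HTTP\/1.3 (1.6.3ubuntu0.1)","http_method":"GET","protocol":"HTTP\/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":575,"pkts_toclient":1079,"bytes_toserver":40452,"bytes_toclient":1618380,"start":"2018-10-04T09:34:58.926006+0000"}}
+{"tls":{"ja3s":{"string":"333,55555,66666-22","hash":"0993626a07ad09e1ce91293be7aa5721"},"ja3":{"string":"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0","hash":"d92325c876e7279f4eb8c62415e3a6b7"},"notafter":"2024-07-16T14:52:35","notbefore":"2019-07-17T14:52:35","version":"TLS 1.2","sni":"hostname.domain.net","fingerprint":"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33","serial":"00:11:22:33:44:55:66:77:88","issuerdn":"CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN","subject":"C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com"},"proto":"TCP","dest_port":9080,"dest_ip":"10.232.0.237","src_port":45884,"src_ip":"10.126.2.140","event_type":"tls","in_iface":"enp5s0","flow_id":1091813059495729,"timestamp":"2018-10-04T09:35:02.796615+0000"}
+{"flow":{"start":"2020-06-26T11:00:02.970011-0400","bytes_toclient":4660,"bytes_toserver":1074,"pkts_toclient":8,"pkts_toserver":7},"app_proto":"tls","tls":{"ja3s":{"string":"742,48172,30210-30","hash":"391231ba5675e42807b9e1f457b2614e"},"ja3":{"string":"718,4682-2687-2686-41992-41911-53292-53297-41969-22905-41926-41924-94181-94711-15-23-95-12-11-205,0-33-50-53-6-61-39-23-34-85-81,93-04-52,3-9-3","hash":"3f1ea03f5822e8021b60cc3e4b233181"},"notafter":"2026-06-25T17:36:29","notbefore":"2016-06-27T17:36:29","version":"TLS 1.2","sni":"host.domain.net","fingerprint":"36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc","serial":"72:A9:2C:51","issuerdn":"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown","subject":"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown"},"alert":{"severity":3,"category":"","signature":"SURICATA TLS on unusual port","rev":1,"signature_id":2610003,"gid":1,"action":"allowed"},"proto":"TCP","dest_port":8443,"dest_ip":"10.128.2.48","src_port":64389,"src_ip":"10.137.3.54","event_type":"alert","in_iface":"enp0s31f6","flow_id":991192778198299,"timestamp":"2020-06-26T11:00:03.342282-0400"}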

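--- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
@@ -1536,5 +1536,146 @@
 "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)",
 "user_agent.os.name": "Debian",
 "user_agent.version": "1.3"
+},
+{
+"@timestamp": "2018-10-04T09:35:02.796Z",
+"destination.address": "10.232.0.237",
+"destination.domain": "hostname.domain.net",
+"destination.ip": "10.232.0.237",
+"destination.port": 9080,
+"event.category": [
+"network"
+],
+"event.dataset": "suricata.eve",
+"event.kind": "event",
+"event.module": "suricata",
+"event.original": "{\"tls\":{\"ja3s\":{\"string\":\"333,55555,66666-22\",\"hash\":\"0993626a07ad09e1ce91293be7aa5721\"},\"ja3\":{\"string\":\"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0\",\"hash\":\"d92325c876e7279f4eb8c62415e3a6b7\"},\"notafter\":\"2024-07-16T14:52:35\",\"notbefore\":\"2019-07-17T14:52:35\",\"version\":\"TLS 1.2\",\"sni\":\"hostname.domain.net\",\"fingerprint\":\"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33\",\"serial\":\"00:11:22:33:44:55:66:77:88\",\"issuerdn\":\"CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN\",\"subject\":\"C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com\"},\"proto\":\"TCP\",\"dest_port\":9080,\"dest_ip\":\"10.232.0.237\",\"src_port\":45884,\"src_ip\":\"10.126.2.140\",\"event_type\":\"tls\",\"in_iface\":\"enp5s0\",\"flow_id\":1091813059495729,\"timestamp\":\"2018-10-04T09:35:02.796615+0000\"}",
+"event.type": [
+"protocol"
+],
+"fileset.name": "eve",
+"input.type": "log",
+"log.offset": 16546,
+"network.community_id": "1:qsGDjYDIWp+kHhxotTdhPbUaWSo=",
+"network.protocol": "tls",
+"network.transport": "tcp",
+"related.hash": [
+"00112233445566778899AABBCCDDEEFF00112233"
+],
+"related.ip": [
+"10.126.2.140",
+"10.232.0.237"
+],
+"service.type": "suricata",
+"source.address": "10.126.2.140",
+"source.ip": "10.126.2.140",
+"source.port": 45884,
+"suricata.eve.event_type": "tls",
+"suricata.eve.flow_id": 1091813059495729,
+"suricata.eve.in_iface": "enp5s0",
+"suricata.eve.tls.fingerprint": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33",
+"suricata.eve.tls.issuerdn": "CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN",
+"suricata.eve.tls.ja3.hash": "d92325c876e7279f4eb8c62415e3a6b7",
+"suricata.eve.tls.ja3.string": "001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0",
+"suricata.eve.tls.ja3s.hash": "0993626a07ad09e1ce91293be7aa5721",
+"suricata.eve.tls.ja3s.string": "333,55555,66666-22",
+"suricata.eve.tls.notafter": "2024-07-16T14:52:35",
+"suricata.eve.tls.notbefore": "2019-07-17T14:52:35",
+"suricata.eve.tls.serial": "00:11:22:33:44:55:66:77:88",
+"suricata.eve.tls.sni": "hostname.domain.net",
+"suricata.eve.tls.subject": "C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com",
+"suricata.eve.tls.version": "TLS 1.2",
+"tags": [
+"suricata"
+],
+"tls.client.ja3": "d92325c876e7279f4eb8c62415e3a6b7",
+"tls.client.server_name": "hostname.domain.net",
+"tls.server.hash.sha1": "00112233445566778899AABBCCDDEEFF00112233",
+"tls.server.issuer": "CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN",
+"tls.server.ja3s": "0993626a07ad09e1ce91293be7aa5721",
+"tls.server.not_after": "2024-07-16T14:52:35",
+"tls.server.not_before": "2019-07-17T14:52:35",
+"tls.server.subject": "C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com",
+"tls.version": "1.2",
+"tls.version_protocol": "tls"
+},
+{
+"@timestamp": "2020-06-26T15:00:03.342Z",
+"destination.address": "10.128.2.48",
+"destination.bytes": 4660,
+"destination.domain": "host.domain.net",
+"destination.ip": "10.128.2.48",
+"destination.packets": 8,
+"destination.port": 8443,
+"event.category": [
+"network",
+"intrusion_detection"
+],
+"event.dataset": "suricata.eve",
+"event.kind": "alert",
+"event.module": "suricata",
+"event.original": "{\"flow\":{\"start\":\"2020-06-26T11:00:02.970011-0400\",\"bytes_toclient\":4660,\"bytes_toserver\":1074,\"pkts_toclient\":8,\"pkts_toserver\":7},\"app_proto\":\"tls\",\"tls\":{\"ja3s\":{\"string\":\"742,48172,30210-30\",\"hash\":\"391231ba5675e42807b9e1f457b2614e\"},\"ja3\":{\"string\":\"718,4682-2687-2686-41992-41911-53292-53297-41969-22905-41926-41924-94181-94711-15-23-95-12-11-205,0-33-50-53-6-61-39-23-34-85-81,93-04-52,3-9-3\",\"hash\":\"3f1ea03f5822e8021b60cc3e4b233181\"},\"notafter\":\"2026-06-25T17:36:29\",\"notbefore\":\"2016-06-27T17:36:29\",\"version\":\"TLS 1.2\",\"sni\":\"host.domain.net\",\"fingerprint\":\"36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc\",\"serial\":\"72:A9:2C:51\",\"issuerdn\":\"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown\",\"subject\":\"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown\"},\"alert\":{\"severity\":3,\"category\":\"\",\"signature\":\"SURICATA TLS on unusual port\",\"rev\":1,\"signature_id\":2610003,\"gid\":1,\"action\":\"allowed\"},\"proto\":\"TCP\",\"dest_port\":8443,\"dest_ip\":\"10.128.2.48\",\"src_port\":64389,\"src_ip\":\"10.137.3.54\",\"event_type\":\"alert\",\"in_iface\":\"enp0s31f6\",\"flow_id\":991192778198299,\"timestamp\":\"2020-06-26T11:00:03.342282-0400\"}",
+"event.severity": 3,
+"event.start": "2020-06-26T15:00:02.970Z",
+"event.type": [
+"allowed"
+],
+"fileset.name": "eve",
+"input.type": "log",
+"log.offset": 17606,
+"message": "",
+"network.bytes": 5734,
+"network.community_id": "1:W6fjhboFUwyEchJ3ELaqSBzDEJE=",
+"network.packets": 15,
+"network.protocol": "tls",
+"network.transport": "tcp",
+"related.hash": [
+"363FEE2A1CFADEADBEEF4299CFA9B09101EBA9CC"
+],
+"related.ip": [
+"10.137.3.54",
+"10.128.2.48"
+],
+"rule.id": "2610003",
+"rule.name": "SURICATA TLS on unusual port",
+"service.type": "suricata",
+"source.address": "10.137.3.54",
+"source.bytes": 1074,
+"source.ip": "10.137.3.54",
+"source.packets": 7,
+"source.port": 64389,
+"suricata.eve.alert.category": "",
+"suricata.eve.alert.gid": 1,
+"suricata.eve.alert.rev": 1,
+"suricata.eve.alert.signature": "SURICATA TLS on unusual port",
+"suricata.eve.alert.signature_id": 2610003,
+"suricata.eve.event_type": "alert",
+"suricata.eve.flow_id": 991192778198299,
+"suricata.eve.in_iface": "enp0s31f6",
+"suricata.eve.tls.fingerprint": "36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc",
+"suricata.eve.tls.issuerdn": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown",
+"suricata.eve.tls.ja3.hash": "3f1ea03f5822e8021b60cc3e4b233181",
+"suricata.eve.tls.ja3.string": "718,4682-2687-2686-41992-41911-53292-53297-41969-22905-41926-41924-94181-94711-15-23-95-12-11-205,0-33-50-53-6-61-39-23-34-85-81,93-04-52,3-9-3",
+"suricata.eve.tls.ja3s.hash": "391231ba5675e42807b9e1f457b2614e",
+"suricata.eve.tls.ja3s.string": "742,48172,30210-30",
+"suricata.eve.tls.notafter": "2026-06-25T17:36:29",
+"suricata.eve.tls.notbefore": "2016-06-27T17:36:29",
+"suricata.eve.tls.serial": "72:A9:2C:51",
+"suricata.eve.tls.sni": "host.domain.net",
+"suricata.eve.tls.subject": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown",
+"suricata.eve.tls.version": "TLS 1.2",
+"tags": [
+"suricata"
+],
+"tls.client.ja3": "3f1ea03f5822e8021b60cc3e4b233181",
+"tls.client.server_name": "host.domain.net",
+"tls.server.hash.sha1": "363FEE2A1CFADEADBEEF4299CFA9B09101EBA9CC",
+"tls.server.issuer": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown",
+"tls.server.ja3s": "391231ba5675e42807b9e1f457b2614e",
+"tls.server.not_after": "2026-06-25T17:36:29",
+"tls.server.not_before": "2016-06-27T17:36:29",
+"tls.server.subject": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown",
+"tls.version": "1.2",
+"tls.version_protocol": "tls"
 }
 ]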

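--- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
@@ -43,6 +43,7 @@
 "@timestamp": "2018-07-05T19:07:20.910Z",
 "destination.address": "192.168.156.70",
 "destination.bytes": 343,
+"destination.domain": "l2.io",
 "destination.ip": "192.168.156.70",
 "destination.packets": 3,
 "destination.port": 443,
@@ -96,6 +97,8 @@
 "tags": [
 "suricata"
 ],
+"tls.client.server_name": "l2.io",
+"tls.resumed": true,
 "tls.version": "1.2",
 "tls.version_protocol": "tls"
 },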
