Populate source/destination.mac for Suricata (elastic#23721)

When 'ethernet' is enabled in Suricata with will log the mac addresses. ECS has fields for the MAC addresses so this renames the two Suricata fields to follow the ECS conventions. Closes elastic#23706
andrewkroh · Feb 3, 2021 · 10fdd24 · 10fdd24
1 parent 86d87c8
commit 10fdd24
Show file tree

Hide file tree

Showing 7 changed files with 113 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -835,6 +835,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Added `encode_as` and `decode_as` options to httpjson along with pluggable encoders/decoders {pull}23478[23478]
 - Added `application/x-ndjson` as decode option for httpjson input {pull}23521[23521]
 - Added `application/x-www-form-urlencoded` as encode option for httpjson input {pull}23521[23521]
+- Populate `source.mac` and `destination.mac` for Suricata EVE events. {issue}23706[23706] {pull}23721[23721]
 - Added RFC6587 framing option for tcp and unix inputs {issue}23663[23663] {pull}23724[23724]
 
 *Heartbeat*

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -140983,6 +140983,15 @@ type: keyword
 --
 
 
+*`suricata.eve.alert.metadata`*::
++
+--
+Metadata about the alert.
+
+type: flattened
+
+--
+
 *`suricata.eve.alert.category`*::
 +
 --

diff --git a/x-pack/filebeat/module/suricata/eve/_meta/fields.yml b/x-pack/filebeat/module/suricata/eve/_meta/fields.yml
@@ -182,6 +182,10 @@
     - name: alert
       type: group
       fields:
+      - name: metadata
+        type: flattened
+        description: Metadata about the alert.
+
       - name: category
         type: keyword
 

diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
@@ -6,6 +6,15 @@ processors:
       field: event.ingested
       value: '{{_ingest.timestamp}}'
 
+  - rename:
+      field: suricata.eve.ether.dest_mac
+      target_field: destination.mac
+      ignore_missing: true
+  - rename:
+      field: suricata.eve.ether.src_mac
+      target_field: source.mac
+      ignore_missing: true
+
   # Handle the different Suricata event types.
   - lowercase:
       field: suricata.eve.event_type

diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log
@@ -0,0 +1 @@
+{"timestamp":"2021-01-27T01:28:11.488362+0100","flow_id":1805461738637437,"in_iface":"enp6s0","event_type":"alert","src_ip":"52.222.141.99","src_port":80,"dest_ip":"10.31.64.240","dest_port":47592,"proto":"TCP","ether":{"src_mac":"00:03:2d:3f:e5:63","dest_mac":"00:1b:17:00:01:18"},"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2010_09_23"],"updated_at":["2010_09_23"]}},"http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/7.58.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":39},"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":496,"bytes_toclient":876,"start":"2021-01-22T23:28:38.673917+0100"}}
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json
@@ -0,0 +1,88 @@
+[
+    {
+        "@timestamp": "2021-01-27T00:28:11.488Z",
+        "destination.address": "10.31.64.240",
+        "destination.bytes": 876,
+        "destination.domain": "testmynids.org",
+        "destination.ip": "10.31.64.240",
+        "destination.mac": "00:1b:17:00:01:18",
+        "destination.packets": 5,
+        "destination.port": 47592,
+        "event.category": [
+            "network",
+            "intrusion_detection"
+        ],
+        "event.dataset": "suricata.eve",
+        "event.kind": "alert",
+        "event.module": "suricata",
+        "event.original": "{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"52.222.141.99\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check returned root\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2010_09_23\"],\"updated_at\":[\"2010_09_23\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}",
+        "event.severity": 2,
+        "event.start": "2021-01-22T22:28:38.673Z",
+        "event.type": [
+            "allowed"
+        ],
+        "fileset.name": "eve",
+        "http.request.method": "GET",
+        "http.response.body.bytes": 39,
+        "http.response.status_code": 200,
+        "input.type": "log",
+        "log.offset": 0,
+        "message": "Potentially Bad Traffic",
+        "network.bytes": 1372,
+        "network.community_id": "1:/b5R3BDG/6TU2Pu+pRF8w6d1Z18=",
+        "network.packets": 11,
+        "network.protocol": "http",
+        "network.transport": "tcp",
+        "related.hosts": [
+            "testmynids.org"
+        ],
+        "related.ip": [
+            "52.222.141.99",
+            "10.31.64.240"
+        ],
+        "rule.category": "Potentially Bad Traffic",
+        "rule.id": "2100498",
+        "rule.name": "GPL ATTACK_RESPONSE id check returned root",
+        "service.type": "suricata",
+        "source.address": "52.222.141.99",
+        "source.bytes": 496,
+        "source.geo.city_name": "Seattle",
+        "source.geo.continent_name": "North America",
+        "source.geo.country_iso_code": "US",
+        "source.geo.country_name": "United States",
+        "source.geo.location.lat": 47.6348,
+        "source.geo.location.lon": -122.3451,
+        "source.geo.region_iso_code": "US-WA",
+        "source.geo.region_name": "Washington",
+        "source.ip": "52.222.141.99",
+        "source.mac": "00:03:2d:3f:e5:63",
+        "source.packets": 6,
+        "source.port": 80,
+        "suricata.eve.alert.category": "Potentially Bad Traffic",
+        "suricata.eve.alert.gid": 1,
+        "suricata.eve.alert.metadata.created_at": [
+            "2010_09_23"
+        ],
+        "suricata.eve.alert.metadata.updated_at": [
+            "2010_09_23"
+        ],
+        "suricata.eve.alert.rev": 7,
+        "suricata.eve.alert.signature": "GPL ATTACK_RESPONSE id check returned root",
+        "suricata.eve.alert.signature_id": 2100498,
+        "suricata.eve.event_type": "alert",
+        "suricata.eve.flow_id": "1805461738637437",
+        "suricata.eve.http.http_content_type": "text/html",
+        "suricata.eve.http.protocol": "HTTP/1.1",
+        "suricata.eve.in_iface": "enp6s0",
+        "tags": [
+            "suricata"
+        ],
+        "url.domain": "testmynids.org",
+        "url.original": "/uid/index.html",
+        "url.path": "/uid/index.html",
+        "user_agent.device.name": "Other",
+        "user_agent.name": "curl",
+        "user_agent.original": "curl/7.58.0",
+        "user_agent.version": "7.58.0"
+    }
+]
diff --git a/x-pack/filebeat/module/suricata/fields.go b/x-pack/filebeat/module/suricata/fields.go