diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 1efd5bcba33..6519a578ffb 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -835,6 +835,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Added `encode_as` and `decode_as` options to httpjson along with pluggable encoders/decoders {pull}23478[23478]
 - Added `application/x-ndjson` as decode option for httpjson input {pull}23521[23521]
 - Added `application/x-www-form-urlencoded` as encode option for httpjson input {pull}23521[23521]
+- Populate `source.mac` and `destination.mac` for Suricata EVE events. {issue}23706[23706] {pull}23721[23721]
 - Added RFC6587 framing option for tcp and unix inputs {issue}23663[23663] {pull}23724[23724]
 
 *Heartbeat*
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 3ce28151cdb..42e2d318a99 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -140983,6 +140983,15 @@ type: keyword
 
 --
 
+*`suricata.eve.alert.metadata`*::
++
+--
+Metadata about the alert.
+
+type: flattened
+
+--
+
 *`suricata.eve.alert.category`*::
 +
 --
diff --git a/x-pack/filebeat/module/suricata/eve/_meta/fields.yml b/x-pack/filebeat/module/suricata/eve/_meta/fields.yml
index 0654abd3141..4cb834de7e3 100644
--- a/x-pack/filebeat/module/suricata/eve/_meta/fields.yml
+++ b/x-pack/filebeat/module/suricata/eve/_meta/fields.yml
@@ -182,6 +182,10 @@
     - name: alert
       type: group
       fields:
+        - name: metadata
+          type: flattened
+          description: Metadata about the alert.
+
         - name: category
           type: keyword
 
diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
index 92bf9800d14..a24a5df3ff6 100644
--- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
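Review bot: The new `suricata.eve.alert.metadata` entry in the fields.yml hunk is documented only as `Metadata about the alert.`, which does not tell a reader what the field holds or why it is `flattened`; the eve-6.0.log fixture later in this diff shows it carrying rule metadata key/value lists such as `created_at` and `updated_at`. A description along the lines of `Key/value metadata attached to the rule that produced the alert (for example created_at, updated_at). Indexed as a flattened object so arbitrary metadata keys remain searchable.` would make the type choice self-explanatory, and since the fields.asciidoc hunk on this line is generated from it, the better text would propagate there on the next regeneration. The changelog hunk needs nothing.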
@@ -6,6 +6,15 @@ processors:
       field: event.ingested
       value: '{{_ingest.timestamp}}'
 
+  - rename:
+      field: suricata.eve.ether.dest_mac
+      target_field: destination.mac
+      ignore_missing: true
+  - rename:
+      field: suricata.eve.ether.src_mac
+      target_field: source.mac
+      ignore_missing: true
+
   # Handle the different Suricata event types.
   - lowercase:
       field: suricata.eve.event_type
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log
new file mode 100644
index 00000000000..15d880f0630
--- /dev/null
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log
@@ -0,0 +1 @@
+{"timestamp":"2021-01-27T01:28:11.488362+0100","flow_id":1805461738637437,"in_iface":"enp6s0","event_type":"alert","src_ip":"52.222.141.99","src_port":80,"dest_ip":"10.31.64.240","dest_port":47592,"proto":"TCP","ether":{"src_mac":"00:03:2d:3f:e5:63","dest_mac":"00:1b:17:00:01:18"},"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2010_09_23"],"updated_at":["2010_09_23"]}},"http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/7.58.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":39},"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":496,"bytes_toclient":876,"start":"2021-01-22T23:28:38.673917+0100"}}
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json
new file mode 100644
index 00000000000..e8f77f9033a
--- /dev/null
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json
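Review bot: The two rename processors only handle the single-object `ether.src_mac`/`ether.dest_mac` shape that the alert fixture exercises; as far as I recall, Suricata 6 flow records report the addresses as arrays under `ether.src_macs`/`ether.dest_macs`, which these processors would leave under `suricata.eve.ether`, a field this change adds no mapping for. At minimum a comment above the first rename, `# Ethernet addresses from Suricata 6 'ether' logging; flow events may carry src_macs/dest_macs arrays instead, which are not normalized here.`, records the limitation until a follow-up maps the array form into the same ECS fields. The values are also copied verbatim (`00:1b:17:00:01:18` in the expected output), so if the ECS recommendation for MAC formatting (uppercase, hyphen-separated) is meant to apply to this module, a normalizing step is missing as well. The processors list continues outside the hunk.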
@@ -0,0 +1,88 @@
+[
+    {
+        "@timestamp": "2021-01-27T00:28:11.488Z",
+        "destination.address": "10.31.64.240",
+        "destination.bytes": 876,
+        "destination.domain": "testmynids.org",
+        "destination.ip": "10.31.64.240",
+        "destination.mac": "00:1b:17:00:01:18",
+        "destination.packets": 5,
+        "destination.port": 47592,
+        "event.category": [
+            "network",
+            "intrusion_detection"
+        ],
+        "event.dataset": "suricata.eve",
+        "event.kind": "alert",
+        "event.module": "suricata",
+        "event.original": "{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"52.222.141.99\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check returned root\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2010_09_23\"],\"updated_at\":[\"2010_09_23\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}",
+        "event.severity": 2,
+        "event.start": "2021-01-22T22:28:38.673Z",
+        "event.type": [
+            "allowed"
+        ],
+        "fileset.name": "eve",
+        "http.request.method": "GET",
+        "http.response.body.bytes": 39,
+        "http.response.status_code": 200,
+        "input.type": "log",
+        "log.offset": 0,
+        "message": "Potentially Bad Traffic",
+        "network.bytes": 1372,
+        "network.community_id": "1:/b5R3BDG/6TU2Pu+pRF8w6d1Z18=",
+        "network.packets": 11,
+        "network.protocol": "http",
+        "network.transport": "tcp",
+        "related.hosts": [
+            "testmynids.org"
+        ],
+        "related.ip": [
+            "52.222.141.99",
+            "10.31.64.240"
+        ],
+        "rule.category": "Potentially Bad Traffic",
+        "rule.id": "2100498",
+        "rule.name": "GPL ATTACK_RESPONSE id check returned root",
+        "service.type": "suricata",
+        "source.address": "52.222.141.99",
+        "source.bytes": 496,
+        "source.geo.city_name": "Seattle",
+        "source.geo.continent_name": "North America",
+        "source.geo.country_iso_code": "US",
+        "source.geo.country_name": "United States",
+        "source.geo.location.lat": 47.6348,
+        "source.geo.location.lon": -122.3451,
+        "source.geo.region_iso_code": "US-WA",
+        "source.geo.region_name": "Washington",
+        "source.ip": "52.222.141.99",
+        "source.mac": "00:03:2d:3f:e5:63",
+        "source.packets": 6,
+        "source.port": 80,
+        "suricata.eve.alert.category": "Potentially Bad Traffic",
+        "suricata.eve.alert.gid": 1,
+        "suricata.eve.alert.metadata.created_at": [
+            "2010_09_23"
+        ],
+        "suricata.eve.alert.metadata.updated_at": [
+            "2010_09_23"
+        ],
+        "suricata.eve.alert.rev": 7,
+        "suricata.eve.alert.signature": "GPL ATTACK_RESPONSE id check returned root",
+        "suricata.eve.alert.signature_id": 2100498,
+        "suricata.eve.event_type": "alert",
+        "suricata.eve.flow_id": "1805461738637437",
+        "suricata.eve.http.http_content_type": "text/html",
+        "suricata.eve.http.protocol": "HTTP/1.1",
+        "suricata.eve.in_iface": "enp6s0",
+        "tags": [
+            "suricata"
+        ],
+        "url.domain": "testmynids.org",
+        "url.original": "/uid/index.html",
+        "url.path": "/uid/index.html",
+        "user_agent.device.name": "Other",
+        "user_agent.name": "curl",
+        "user_agent.original": "curl/7.58.0",
+        "user_agent.version": "7.58.0"
+    }
+]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/suricata/fields.go b/x-pack/filebeat/module/suricata/fields.go
index 41b62db2d7a..59317202215 100644
--- a/x-pack/filebeat/module/suricata/fields.go
+++ b/x-pack/filebeat/module/suricata/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetSuricata returns asset data.
 // This is the base64 encoded gzipped contents of module/suricata.
 func AssetSuricata() string {
-	return "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"
+	return "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"
 }