[Auditbeat] system/socket: Use ingress/egress for network direction (#…

…22991) * [Auditbeat] system/socket: Use ingress/egress for network direction * Add changelog entry
elastic · Dec 9, 2020 · 52fc1cf · 52fc1cf
1 parent ad1d651
commit 52fc1cf
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 35 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -40,14 +40,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Change network.direction values to ECS recommended values (inbound, outbound). {issue}12445[12445] {pull}20695[20695]
 - Docker container needs to be explicitly run as user root for auditing. {pull}21202[21202]
 - File integrity dataset no longer includes the leading dot in `file.extension` values (e.g. it will report "png" instead of ".png") to comply with ECS. {pull}21644[21644]
+- Use ECS 1.7 ingress/egress network directions instead of inbound/outbound. {pull}22991[22991]
 - Use ingress/egress instead of inbound/outbound for ECS 1.7 in auditd module. {pull}23000[23000]
 
-*Filebeat*
-
-
-*Auditbeat*
-
-
 *Filebeat*
 
 - Fix parsing of Elasticsearch node name by `elasticsearch/slowlog` fileset. {pull}14547[14547]

diff --git a/x-pack/auditbeat/module/system/socket/events.go b/x-pack/auditbeat/module/system/socket/events.go
@@ -135,7 +135,7 @@ func (e *tcpConnectResult) Update(s *state) error {
  pid: e.Meta.PID,
  inetType: inetTypeIPv4,
  proto: protoTCP,
- dir: directionOutbound,
+ dir: directionEgress,
  complete: true,
  lastSeen: kernelTime(call.Meta.Timestamp),
  local: newEndpointIPv4(call.LAddr, call.LPort, 0, 0),
@@ -147,7 +147,7 @@ func (e *tcpConnectResult) Update(s *state) error {
  pid: e.Meta.PID,
  inetType: inetTypeIPv6,
  proto: protoTCP,
- dir: directionOutbound,
+ dir: directionEgress,
  complete: true,
  lastSeen: kernelTime(call.Meta.Timestamp),
  local: newEndpointIPv6(call.LAddrA, call.LAddrB, call.LPort, 0, 0),
@@ -193,7 +193,7 @@ func (e *tcpAcceptResult) asFlow() flow {
  pid: e.Meta.PID,
  inetType: inetType(e.Af),
  proto: protoTCP,
- dir: directionInbound,
+ dir: directionIngress,
  complete: true,
  lastSeen: kernelTime(e.Meta.Timestamp),
  }
@@ -237,7 +237,7 @@ func (e *tcpAcceptResult4) asFlow() flow {
  pid: e.Meta.PID,
  inetType: inetType(e.Af),
  proto: protoTCP,
- dir: directionInbound,
+ dir: directionIngress,
  complete: true,
  lastSeen: kernelTime(e.Meta.Timestamp),
  }
@@ -551,7 +551,7 @@ func (e *udpSendMsgCall) asFlow() flow {
  pid: e.Meta.PID,
  inetType: inetTypeIPv4,
  proto: protoUDP,
- dir: directionOutbound,
+ dir: directionEgress,
  lastSeen: kernelTime(e.Meta.Timestamp),
  local: newEndpointIPv4(e.LAddr, e.LPort, 1, uint64(e.Size)+minIPv4UdpPacketSize),
  remote: newEndpointIPv4(raddr, rport, 0, 0),
@@ -605,7 +605,7 @@ func (e *udpv6SendMsgCall) asFlow() flow {
  pid: e.Meta.PID,
  inetType: inetTypeIPv6,
  proto: protoUDP,
- dir: directionOutbound,
+ dir: directionEgress,
  lastSeen: kernelTime(e.Meta.Timestamp),
  // In IPv6, udpv6_sendmsg increments local counters as there is no
  // corresponding ip6_local_out call.
@@ -665,7 +665,7 @@ func (e *udpQueueRcvSkb) asFlow() flow {
  pid: e.Meta.PID,
  inetType: inetTypeIPv4,
  proto: protoUDP,
- dir: directionInbound,
+ dir: directionIngress,
  lastSeen: kernelTime(e.Meta.Timestamp),
  local: newEndpointIPv4(e.LAddr, e.LPort, 0, 0),
  }
@@ -739,7 +739,7 @@ func (e *udpv6QueueRcvSkb) asFlow() flow {
  pid: e.Meta.PID,
  inetType: inetTypeIPv6,
  proto: protoUDP,
- dir: directionInbound,
+ dir: directionIngress,
  lastSeen: kernelTime(e.Meta.Timestamp),
  local: newEndpointIPv6(e.LAddrA, e.LAddrB, e.LPort, 0, 0),
  }

diff --git a/x-pack/auditbeat/module/system/socket/state.go b/x-pack/auditbeat/module/system/socket/state.go
@@ -82,17 +82,17 @@ type flowDirection uint8
 
 const (
  directionUnknown flowDirection = iota
- directionInbound
- directionOutbound
+ directionIngress
+ directionEgress
 )
 
 // String returns the textual representation of the flowDirection.
 func (d flowDirection) String() string {
  switch d {
- case directionInbound:
- return "inbound"
- case directionOutbound:
- return "outbound"
+ case directionIngress:
+ return "ingress"
+ case directionEgress:
+ return "egress"
  default:
  return "unknown"
  }
@@ -900,7 +900,7 @@ func (f *flow) toEvent(final bool) (ev mb.Event, err error) {
  }
 
  src, dst := local, remote
- if f.dir == directionInbound {
+ if f.dir == directionIngress {
  src, dst = dst, src
  }
 

diff --git a/x-pack/auditbeat/module/system/socket/state_test.go b/x-pack/auditbeat/module/system/socket/state_test.go
@@ -116,7 +116,7 @@ func TestTCPConnWithProcess(t *testing.T) {
  "destination.bytes": uint64(19),
  "server.ip": remoteIP,
  "server.port": remotePort,
- "network.direction": "outbound",
+ "network.direction": "egress",
  "network.transport": "tcp",
  "network.type": "ipv4",
  "process.pid": 1234,
@@ -245,7 +245,7 @@ func TestTCPConnWithProcessSocketTimeouts(t *testing.T) {
  "destination.bytes": uint64(19),
  "server.ip": remoteIP,
  "server.port": remotePort,
- "network.direction": "outbound",
+ "network.direction": "egress",
  "network.transport": "tcp",
  "network.type": "ipv4",
  "process.pid": 1234,
@@ -381,7 +381,7 @@ func TestUDPOutgoingSinglePacketWithProcess(t *testing.T) {
  "destination.bytes": uint64(0),
  "server.ip": remoteIP,
  "server.port": remotePort,
- "network.direction": "outbound",
+ "network.direction": "egress",
  "network.transport": "udp",
  "network.type": "ipv4",
  "process.pid": 1234,
@@ -453,7 +453,7 @@ func TestUDPIncomingSinglePacketWithProcess(t *testing.T) {
  "destination.bytes": uint64(0),
  "server.ip": localIP,
  "server.port": localPort,
- "network.direction": "inbound",
+ "network.direction": "ingress",
  "network.transport": "udp",
  "network.type": "ipv4",
  "process.pid": 1234,

diff --git a/x-pack/auditbeat/tests/system/test_system_socket.py b/x-pack/auditbeat/tests/system/test_system_socket.py
@@ -234,7 +234,7 @@ def expected(self):
  "server.port": self.server_addr[1],
  "network.transport": "tcp",
  "network.type": "ipv4",
- "network.direction": "outbound",
+ "network.direction": "egress",
  "group.id": str(os.getgid()),
  "user.id": str(os.getuid()),
  "process.pid": os.getpid(),
@@ -265,7 +265,7 @@ def expected(self):
  "destination.packets": 1,
  "destination.port": self.server_addr[1],
  "group.id": str(os.getgid()),
- "network.direction": "outbound",
+ "network.direction": "egress",
  "network.packets": 4,
  "network.transport": "udp",
  "network.type": "ipv4",
@@ -308,7 +308,7 @@ def expected(self):
  "source.packets": 5,
  "source.port": self.server_addr[1],
  "group.id": str(os.getgid()),
- "network.direction": "inbound",
+ "network.direction": "ingress",
  "network.packets": 7,
  "network.transport": "udp",
  "network.type": "ipv4",
@@ -355,7 +355,7 @@ def expected(self):
  "source.packets": 5,
  "source.port": self.server_addr[1],
  "group.id": str(os.getgid()),
- "network.direction": "inbound",
+ "network.direction": "ingress",
  "network.packets": 7,
  "network.transport": "udp",
  "network.type": "ipv6",
@@ -398,7 +398,7 @@ def expected(self):
  "destination.packets": 1,
  "destination.port": self.server_addr[1],
  "group.id": str(os.getgid()),
- "network.direction": "outbound",
+ "network.direction": "egress",
  "network.packets": 4,
  "network.transport": "udp",
  "network.type": "ipv6",
@@ -439,7 +439,7 @@ def expected(self):
  "destination.packets": 1,
  "destination.port": self.server_addr[0][1],
  "group.id": str(os.getgid()),
- "network.direction": "outbound",
+ "network.direction": "egress",
  "network.packets": 2,
  "network.transport": "udp",
  "network.type": "ipv4",
@@ -460,7 +460,7 @@ def expected(self):
  "destination.packets": 1,
  "destination.port": self.server_addr[1][1],
  "group.id": str(os.getgid()),
- "network.direction": "outbound",
+ "network.direction": "egress",
  "network.packets": 2,
  "network.transport": "udp",
  "network.type": "ipv4",
@@ -481,7 +481,7 @@ def expected(self):
  "destination.packets": 1,
  "destination.port": self.server_addr[2][1],
  "group.id": str(os.getgid()),
- "network.direction": "outbound",
+ "network.direction": "egress",
  "network.packets": 2,
  "network.transport": "udp",
  "network.type": "ipv4",
@@ -622,7 +622,7 @@ def expected(self):
  "event.kind": "event",
  "event.module": "system",
  "network.bytes": Comparison(operator.gt, 60),
- "network.direction": "inbound",
+ "network.direction": "ingress",
  "network.packets": 2,
  "network.transport": "udp",
  "network.type": self.socket_factory.network,
@@ -653,7 +653,7 @@ def expected(self):
  "event.kind": "event",
  "event.module": "system",
  "network.packets": net_bytes,
- "network.direction": "inbound",
+ "network.direction": "ingress",
  "network.packets": net_packets,
  "network.transport": self.socket_factory.transport,
  "network.type": self.socket_factory.network,