Skip to content

Commit

Permalink
Remove event.category network_traffic from Packetbeat
Browse files Browse the repository at this point in the history
network_traffic is not a valid ECS event.category value so remove it from all Packetbeat events.
  • Loading branch information
andrewkroh committed Aug 11, 2020
1 parent 7b47f1f commit 79e8058
Show file tree
Hide file tree
Showing 15 changed files with 15 additions and 21 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
*Packetbeat*

- Redis: fix incorrectly handle with two-words redis command. {issue}14872[14872] {pull}14873[14873]
- `event.category` no longer contains the value `network_traffic` because this is not a valid ECS event category value. {pull}20556[20556]

*Winlogbeat*

Expand Down
1 change: 0 additions & 1 deletion packetbeat/_meta/sample_outputs/flow.json
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,6 @@
"kind": "event",
"action": "network_flow",
"category": [
"network_traffic",
"network"
]
}
Expand Down
2 changes: 1 addition & 1 deletion packetbeat/flows/worker.go
Original file line number Diff line number Diff line change
Expand Up @@ -213,7 +213,7 @@ func createEvent(
"duration": f.ts.Sub(f.createTS),
"dataset": "flow",
"kind": "event",
"category": []string{"network_traffic", "network"},
"category": []string{"network"},
"action": "network_flow",
}
flow := common.MapStr{
Expand Down
2 changes: 1 addition & 1 deletion packetbeat/flows/worker_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,7 @@ func TestCreateEvent(t *testing.T) {
"duration": isdef.KeyPresent,
"dataset": "flow",
"kind": "event",
"category": []string{"network_traffic", "network"},
"category": []string{"network"},
"action": "network_flow",
},
"type": "flow",
Expand Down
2 changes: 1 addition & 1 deletion packetbeat/pb/event.go
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ func NewFields() *Fields {
Kind: "event",
},
Type: []string{"connection", "protocol"},
Category: []string{"network_traffic", "network"},
Category: []string{"network"},
},
}
}
Expand Down
2 changes: 1 addition & 1 deletion packetbeat/pb/event_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ func TestMarshalMapStr(t *testing.T) {
assert.Equal(t, common.MapStr{
"event": common.MapStr{
"kind": "event",
"category": []string{"network_traffic", "network"},
"category": []string{"network"},
"type": []string{"connection", "protocol"},
},
"source": common.MapStr{"ip": "127.0.0.1"},
Expand Down
4 changes: 2 additions & 2 deletions packetbeat/protos/dhcpv4/dhcpv4_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -117,7 +117,7 @@ func TestParseDHCPRequest(t *testing.T) {
"port": 67,
},
"event": common.MapStr{
"category": []string{"network_traffic", "network"},
"category": []string{"network"},
"type": []string{"connection", "protocol"},
"dataset": "dhcpv4",
"kind": "event",
Expand Down Expand Up @@ -201,7 +201,7 @@ func TestParseDHCPACK(t *testing.T) {
"bytes": 300,
},
"event": common.MapStr{
"category": []string{"network_traffic", "network"},
"category": []string{"network"},
"type": []string{"connection", "protocol"},
"dataset": "dhcpv4",
"kind": "event",
Expand Down
2 changes: 1 addition & 1 deletion packetbeat/protos/tls/tls_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ type eventStore struct {
}

const (
expectedClientHello = `{"client":{"ip":"192.168.0.1","port":6512},"destination":{"domain":"example.org","ip":"192.168.0.2","port":27017},"event":{"category":["network_traffic","network"],"dataset":"tls","kind":"event","type":["connection","protocol"]},"network":{"community_id":"1:jKfewJN/czjTuEpVvsKdYXXiMzs=","protocol":"tls","transport":"tcp","type":"ipv4"},"related":{"ip":["192.168.0.1","192.168.0.2"]},"server":{"domain":"example.org","ip":"192.168.0.2","port":27017},"source":{"ip":"192.168.0.1","port":6512},"status":"Error","tls":{"client":{"ja3":"94c485bca29d5392be53f2b8cf7f4304","server_name":"example.org","supported_ciphers":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},"detailed":{"client_certificate_requested":false,"client_hello":{"extensions":{"_unparsed_":["renegotiation_info","23","status_request","18","30032"],"application_layer_protocol_negotiation":["h2","http/1.1"],"ec_points_formats":["uncompressed"],"server_name_indication":["example.org"],"session_ticket":"","signature_algorithms":["ecdsa_secp256r1_sha256","rsa_pss_sha256","rsa_pkcs1_sha256","ecdsa_secp384r1_sha384","rsa_pss_sha384","rsa_pkcs1_sha384","rsa_pss_sha512","rsa_pkcs1_sha512","rsa_pkcs1_sha1"],"supported_groups":["x25519","secp256r1","secp384r1"]},"supported_compression_methods":["NULL"],"version":"3.3"},"version":"TLS 1.2"},"established":false,"resumed":false,"version":"1.2","version_protocol":"tls"},"type":"tls"}`
expectedClientHello = `{"client":{"ip":"192.168.0.1","port":6512},"destination":{"domain":"example.org","ip":"192.168.0.2","port":27017},"event":{"category":["network"],"dataset":"tls","kind":"event","type":["connection","protocol"]},"network":{"community_id":"1:jKfewJN/czjTuEpVvsKdYXXiMzs=","protocol":"tls","transport":"tcp","type":"ipv4"},"related":{"ip":["192.168.0.1","192.168.0.2"]},"server":{"domain":"example.org","ip":"192.168.0.2","port":27017},"source":{"ip":"192.168.0.1","port":6512},"status":"Error","tls":{"client":{"ja3":"94c485bca29d5392be53f2b8cf7f4304","server_name":"example.org","supported_ciphers":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},"detailed":{"client_certificate_requested":false,"client_hello":{"extensions":{"_unparsed_":["renegotiation_info","23","status_request","18","30032"],"application_layer_protocol_negotiation":["h2","http/1.1"],"ec_points_formats":["uncompressed"],"server_name_indication":["example.org"],"session_ticket":"","signature_algorithms":["ecdsa_secp256r1_sha256","rsa_pss_sha256","rsa_pkcs1_sha256","ecdsa_secp384r1_sha384","rsa_pss_sha384","rsa_pkcs1_sha384","rsa_pss_sha512","rsa_pkcs1_sha512","rsa_pkcs1_sha1"],"supported_groups":["x25519","secp256r1","secp384r1"]},"supported_compression_methods":["NULL"],"version":"3.3"},"version":"TLS 1.2"},"established":false,"resumed":false,"version":"1.2","version_protocol":"tls"},"type":"tls"}`
expectedServerHello = `{"extensions":{"_unparsed_":["renegotiation_info","status_request"],"application_layer_protocol_negotiation":["h2"],"ec_points_formats":["uncompressed","ansiX962_compressed_prime","ansiX962_compressed_char2"],"session_ticket":""},"selected_compression_method":"NULL","version":"3.3"}`
rawClientHello = "16030100c2010000be03033367dfae0d46ec0651e49cca2ae47317e8989df710" +
"ee7570a88b9a7d5d56b3af00001c3a3ac02bc02fc02cc030cca9cca8c013c014" +
Expand Down
3 changes: 1 addition & 2 deletions packetbeat/tests/system/golden/established_tls-expected.json
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@
"destination.ip": "93.184.216.34",
"destination.port": 443,
"event.category": [
"network_traffic",
"network"
],
"event.dataset": "tls",
Expand Down Expand Up @@ -251,4 +250,4 @@
"tls.version_protocol": "tls",
"type": "tls"
}
]
]
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@
"destination.ip": "151.101.134.217",
"destination.port": 443,
"event.category": [
"network_traffic",
"network"
],
"event.dataset": "tls",
Expand Down Expand Up @@ -113,4 +112,4 @@
"tls.version_protocol": "tls",
"type": "tls"
}
]
]
3 changes: 1 addition & 2 deletions packetbeat/tests/system/golden/tls_1_3-expected.json
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@
"destination.ip": "216.58.201.174",
"destination.port": 443,
"event.category": [
"network_traffic",
"network"
],
"event.dataset": "tls",
Expand Down Expand Up @@ -123,4 +122,4 @@
"tls.version_protocol": "tls",
"type": "tls"
}
]
]
3 changes: 1 addition & 2 deletions packetbeat/tests/system/golden/tls_all_options-expected.json
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@
"destination.ip": "93.184.216.34",
"destination.port": 443,
"event.category": [
"network_traffic",
"network"
],
"event.dataset": "tls",
Expand Down Expand Up @@ -258,4 +257,4 @@
"tls.version_protocol": "tls",
"type": "tls"
}
]
]
3 changes: 1 addition & 2 deletions packetbeat/tests/system/golden/tls_no_certs-expected.json
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@
"destination.ip": "93.184.216.34",
"destination.port": 443,
"event.category": [
"network_traffic",
"network"
],
"event.dataset": "tls",
Expand Down Expand Up @@ -147,4 +146,4 @@
"tls.version_protocol": "tls",
"type": "tls"
}
]
]
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@
"destination.ip": "93.184.216.34",
"destination.port": 443,
"event.category": [
"network_traffic",
"network"
],
"event.dataset": "tls",
Expand Down Expand Up @@ -91,4 +90,4 @@
"tls.version_protocol": "tls",
"type": "tls"
}
]
]
2 changes: 1 addition & 1 deletion packetbeat/tests/system/test_0050_icmp.py
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ def test_icmp6_ping_over_vlan(self):
def assert_common_fields(self, objs):
assert all([o["type"] == "icmp" for o in objs])
assert all([o["event.dataset"] == "icmp" for o in objs])
assert all([o["event.category"] == ['network_traffic', 'network'] for o in objs])
assert all([o["event.category"] == ['network'] for o in objs])
assert all([o["event.type"] == ["connection"] for o in objs])
assert all([o["source.bytes"] == 4 for o in objs])
assert all([o["destination.bytes"] == 4 for o in objs])
Expand Down

0 comments on commit 79e8058

Please sign in to comment.