From 79e80583f734f3d59c33d867bc3dd546df233699 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Tue, 11 Aug 2020 10:28:37 -0400
Subject: [PATCH] Remove event.category network_traffic from Packetbeat

network_traffic is not a valid ECS event.category value so remove it from all Packetbeat events.
---
 CHANGELOG.next.asciidoc | 1 +
 packetbeat/_meta/sample_outputs/flow.json | 1 -
 packetbeat/flows/worker.go | 2 +-
 packetbeat/flows/worker_test.go | 2 +-
 packetbeat/pb/event.go | 2 +-
 packetbeat/pb/event_test.go | 2 +-
 packetbeat/protos/dhcpv4/dhcpv4_test.go | 4 ++--
 packetbeat/protos/tls/tls_test.go | 2 +-
 packetbeat/tests/system/golden/established_tls-expected.json | 3 +--
 .../tests/system/golden/non_established_tls-expected.json | 3 +--
 packetbeat/tests/system/golden/tls_1_3-expected.json | 3 +--
 packetbeat/tests/system/golden/tls_all_options-expected.json | 3 +--
 packetbeat/tests/system/golden/tls_no_certs-expected.json | 3 +--
 packetbeat/tests/system/golden/tls_not_detailed-expected.json | 3 +--
 packetbeat/tests/system/test_0050_icmp.py | 2 +-
 15 files changed, 15 insertions(+), 21 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index fde6fe7abd0..08b0e1899a3 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -85,6 +85,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Packetbeat*
 - Redis: fix incorrectly handle with two-words redis command. {issue}14872[14872] {pull}14873[14873]
+- `event.category` no longer contains the value `network_traffic` because this is not a valid ECS event category value. {pull}20556[20556]
 *Winlogbeat*
diff --git a/packetbeat/_meta/sample_outputs/flow.json b/packetbeat/_meta/sample_outputs/flow.json
index 3ea57202e95..7fbcfaaa468 100644
--- a/packetbeat/_meta/sample_outputs/flow.json
+++ b/packetbeat/_meta/sample_outputs/flow.json
@@ -75,7 +75,6 @@
 "kind": "event",
 "action": "network_flow",
 "category": [
- "network_traffic",
 "network"
 ]
 }
diff --git a/packetbeat/flows/worker.go b/packetbeat/flows/worker.go
index 49548db9865..56445801781 100644
--- a/packetbeat/flows/worker.go
+++ b/packetbeat/flows/worker.go
@@ -213,7 +213,7 @@ func createEvent(
 "duration": f.ts.Sub(f.createTS),
 "dataset": "flow",
 "kind": "event",
- "category": []string{"network_traffic", "network"},
+ "category": []string{"network"},
 "action": "network_flow",
 }
 flow := common.MapStr{
diff --git a/packetbeat/flows/worker_test.go b/packetbeat/flows/worker_test.go
index 4346d54aaf6..15cef57cc25 100644
--- a/packetbeat/flows/worker_test.go
+++ b/packetbeat/flows/worker_test.go
@@ -101,7 +101,7 @@ func TestCreateEvent(t *testing.T) {
 "duration": isdef.KeyPresent,
 "dataset": "flow",
 "kind": "event",
- "category": []string{"network_traffic", "network"},
+ "category": []string{"network"},
 "action": "network_flow",
 },
 "type": "flow",
diff --git a/packetbeat/pb/event.go b/packetbeat/pb/event.go
index 73387c7f796..f0287665c0d 100644
--- a/packetbeat/pb/event.go
+++ b/packetbeat/pb/event.go
@@ -81,7 +81,7 @@ func NewFields() *Fields {
 Kind: "event",
 },
 Type: []string{"connection", "protocol"},
- Category: []string{"network_traffic", "network"},
+ Category: []string{"network"},
 },
 }
 }
diff --git a/packetbeat/pb/event_test.go b/packetbeat/pb/event_test.go
index 1fdb8425756..5722d6d9faa 100644
--- a/packetbeat/pb/event_test.go
+++ b/packetbeat/pb/event_test.go
@@ -41,7 +41,7 @@ func TestMarshalMapStr(t *testing.T) {
 assert.Equal(t, common.MapStr{
 "event": common.MapStr{
 "kind": "event",
- "category": []string{"network_traffic", "network"},
+ "category": []string{"network"},
 "type": []string{"connection", "protocol"},
 },
 "source": common.MapStr{"ip": "127.0.0.1"},
diff --git a/packetbeat/protos/dhcpv4/dhcpv4_test.go b/packetbeat/protos/dhcpv4/dhcpv4_test.go
index 704c4d2bece..1f7d416248a 100644
--- a/packetbeat/protos/dhcpv4/dhcpv4_test.go
+++ b/packetbeat/protos/dhcpv4/dhcpv4_test.go
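Review bot: The `"category": []string{"network"}` entry in createEvent is a second hand-written copy of the default that NewFields sets in packetbeat/pb/event.go, so this commit has to edit the same value in two places and the flow path can drift from the protocol path the next time the ECS categorization changes. Consider having both read it from one helper or constant in the pb package, or at minimum add a comment on this line such as `// keep in sync with pb.NewFields; ECS-allowed event.category values only`. The body of createEvent starts and ends outside this hunk, so whether other event fields are duplicated the same way is not visible here.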
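Review bot: Neither NewFields nor the updated expectation in packetbeat/pb/event_test.go checks the default `Category` and `Type` values against the values ECS allows; the test only mirrors the literal, so an invalid value such as the removed `network_traffic` passes as long as both sides agree. A comment above the field, for example `// event.category must only contain ECS allowed values`, and a small test that compares each default against an allow-list would catch a regression before it reaches indices and any queries that filter on `event.category`. NewFields begins before this hunk.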
@@ -117,7 +117,7 @@ func TestParseDHCPRequest(t *testing.T) {
 "port": 67,
 },
 "event": common.MapStr{
- "category": []string{"network_traffic", "network"},
+ "category": []string{"network"},
 "type": []string{"connection", "protocol"},
 "dataset": "dhcpv4",
 "kind": "event",
@@ -201,7 +201,7 @@ func TestParseDHCPACK(t *testing.T) {
 "bytes": 300,
 },
 "event": common.MapStr{
- "category": []string{"network_traffic", "network"},
+ "category": []string{"network"},
 "type": []string{"connection", "protocol"},
 "dataset": "dhcpv4",
 "kind": "event",
diff --git a/packetbeat/protos/tls/tls_test.go b/packetbeat/protos/tls/tls_test.go
index 2845bf0f9e8..512294f2d4f 100644
--- a/packetbeat/protos/tls/tls_test.go
+++ b/packetbeat/protos/tls/tls_test.go
@@ -39,7 +39,7 @@ type eventStore struct { } const ( - expectedClientHello = `{"client":{"ip":"192.168.0.1","port":6512},"destination":{"domain":"example.org","ip":"192.168.0.2","port":27017},"event":{"category":["network_traffic","network"],"dataset":"tls","kind":"event","type":["connection","protocol"]},"network":{"community_id":"1:jKfewJN/czjTuEpVvsKdYXXiMzs=","protocol":"tls","transport":"tcp","type":"ipv4"},"related":{"ip":["192.168.0.1","192.168.0.2"]},"server":{"domain":"example.org","ip":"192.168.0.2","port":27017},"source":{"ip":"192.168.0.1","port":6512},"status":"Error","tls":{"client":{"ja3":"94c485bca29d5392be53f2b8cf7f4304","server_name":"example.org","supported_ciphers":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},"detailed":{"client_certificate_requested":false,"client_hello":{"extensions":{"_unparsed_":["renegotiation_info","23","status_request","18","30032"],"application_layer_protocol_negotiation":["h2","http/1.1"],"ec_points_formats":["uncompressed"],"server_name_indication":["example.org"],"session_ticket":"","signature_algorithms":["ecdsa_secp256r1_sha256","rsa_pss_sha256","rsa_pkcs1_sha256","ecdsa_secp384r1_sha384","rsa_pss_sha384","rsa_pkcs1_sha384","rsa_pss_sha512","rsa_pkcs1_sha512","rsa_pkcs1_sha1"],"supported_groups":["x25519","secp256r1","secp384r1"]},"supported_compression_methods":["NULL"],"version":"3.3"},"version":"TLS 1.2"},"established":false,"resumed":false,"version":"1.2","version_protocol":"tls"},"type":"tls"}` + expectedClientHello = 
`{"client":{"ip":"192.168.0.1","port":6512},"destination":{"domain":"example.org","ip":"192.168.0.2","port":27017},"event":{"category":["network"],"dataset":"tls","kind":"event","type":["connection","protocol"]},"network":{"community_id":"1:jKfewJN/czjTuEpVvsKdYXXiMzs=","protocol":"tls","transport":"tcp","type":"ipv4"},"related":{"ip":["192.168.0.1","192.168.0.2"]},"server":{"domain":"example.org","ip":"192.168.0.2","port":27017},"source":{"ip":"192.168.0.1","port":6512},"status":"Error","tls":{"client":{"ja3":"94c485bca29d5392be53f2b8cf7f4304","server_name":"example.org","supported_ciphers":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},"detailed":{"client_certificate_requested":false,"client_hello":{"extensions":{"_unparsed_":["renegotiation_info","23","status_request","18","30032"],"application_layer_protocol_negotiation":["h2","http/1.1"],"ec_points_formats":["uncompressed"],"server_name_indication":["example.org"],"session_ticket":"","signature_algorithms":["ecdsa_secp256r1_sha256","rsa_pss_sha256","rsa_pkcs1_sha256","ecdsa_secp384r1_sha384","rsa_pss_sha384","rsa_pkcs1_sha384","rsa_pss_sha512","rsa_pkcs1_sha512","rsa_pkcs1_sha1"],"supported_groups":["x25519","secp256r1","secp384r1"]},"supported_compression_methods":["NULL"],"version":"3.3"},"version":"TLS 1.2"},"established":false,"resumed":false,"version":"1.2","version_protocol":"tls"},"type":"tls"}` expectedServerHello = 
`{"extensions":{"_unparsed_":["renegotiation_info","status_request"],"application_layer_protocol_negotiation":["h2"],"ec_points_formats":["uncompressed","ansiX962_compressed_prime","ansiX962_compressed_char2"],"session_ticket":""},"selected_compression_method":"NULL","version":"3.3"}` rawClientHello = "16030100c2010000be03033367dfae0d46ec0651e49cca2ae47317e8989df710" + "ee7570a88b9a7d5d56b3af00001c3a3ac02bc02fc02cc030cca9cca8c013c014" + diff --git a/packetbeat/tests/system/golden/established_tls-expected.json b/packetbeat/tests/system/golden/established_tls-expected.json index 5ce92528a02..3cfa141af3a 100644 --- a/packetbeat/tests/system/golden/established_tls-expected.json +++ b/packetbeat/tests/system/golden/established_tls-expected.json @@ -8,7 +8,6 @@ "destination.ip": "93.184.216.34", "destination.port": 443, "event.category": [ - "network_traffic", "network" ], "event.dataset": "tls", @@ -251,4 +250,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] \ No newline at end of file +] diff --git a/packetbeat/tests/system/golden/non_established_tls-expected.json b/packetbeat/tests/system/golden/non_established_tls-expected.json index 573bb673774..39641270769 100644 --- a/packetbeat/tests/system/golden/non_established_tls-expected.json +++ b/packetbeat/tests/system/golden/non_established_tls-expected.json @@ -8,7 +8,6 @@ "destination.ip": "151.101.134.217", "destination.port": 443, "event.category": [ - "network_traffic", "network" ], "event.dataset": "tls", @@ -113,4 +112,4 @@ "tls.version_protocol": "tls", "type": "tls" } -] \ No newline at end of file +] diff --git a/packetbeat/tests/system/golden/tls_1_3-expected.json b/packetbeat/tests/system/golden/tls_1_3-expected.json index 30285212e32..35fae5ab58e 100644 --- a/packetbeat/tests/system/golden/tls_1_3-expected.json +++ b/packetbeat/tests/system/golden/tls_1_3-expected.json 
@@ -8,7 +8,6 @@
 "destination.ip": "216.58.201.174",
 "destination.port": 443,
 "event.category": [
- "network_traffic",
 "network"
 ],
 "event.dataset": "tls",
@@ -123,4 +122,4 @@
 "tls.version_protocol": "tls",
 "type": "tls"
 }
-]
\ No newline at end of file
+]
diff --git a/packetbeat/tests/system/golden/tls_all_options-expected.json b/packetbeat/tests/system/golden/tls_all_options-expected.json
index f1ba1cf337d..0106aa9048d 100644
--- a/packetbeat/tests/system/golden/tls_all_options-expected.json
+++ b/packetbeat/tests/system/golden/tls_all_options-expected.json
@@ -8,7 +8,6 @@
 "destination.ip": "93.184.216.34",
 "destination.port": 443,
 "event.category": [
- "network_traffic",
 "network"
 ],
 "event.dataset": "tls",
@@ -258,4 +257,4 @@
 "tls.version_protocol": "tls",
 "type": "tls"
 }
-]
\ No newline at end of file
+]
diff --git a/packetbeat/tests/system/golden/tls_no_certs-expected.json b/packetbeat/tests/system/golden/tls_no_certs-expected.json
index 3f4587b2586..69af5c89b75 100644
--- a/packetbeat/tests/system/golden/tls_no_certs-expected.json
+++ b/packetbeat/tests/system/golden/tls_no_certs-expected.json
@@ -8,7 +8,6 @@
 "destination.ip": "93.184.216.34",
 "destination.port": 443,
 "event.category": [
- "network_traffic",
 "network"
 ],
 "event.dataset": "tls",
@@ -147,4 +146,4 @@
 "tls.version_protocol": "tls",
 "type": "tls"
 }
-]
\ No newline at end of file
+]
diff --git a/packetbeat/tests/system/golden/tls_not_detailed-expected.json b/packetbeat/tests/system/golden/tls_not_detailed-expected.json
index ae23944e096..94283acb4bb 100644
--- a/packetbeat/tests/system/golden/tls_not_detailed-expected.json
+++ b/packetbeat/tests/system/golden/tls_not_detailed-expected.json
@@ -8,7 +8,6 @@
 "destination.ip": "93.184.216.34",
 "destination.port": 443,
 "event.category": [
- "network_traffic",
 "network"
 ],
 "event.dataset": "tls",
@@ -91,4 +90,4 @@
 "tls.version_protocol": "tls",
 "type": "tls"
 }
-]
\ No newline at end of file
+]
diff --git a/packetbeat/tests/system/test_0050_icmp.py b/packetbeat/tests/system/test_0050_icmp.py
index 8500963aa9f..c0f876c1b73 100644
--- a/packetbeat/tests/system/test_0050_icmp.py
+++ b/packetbeat/tests/system/test_0050_icmp.py
@@ -68,7 +68,7 @@ def test_icmp6_ping_over_vlan(self):
 def assert_common_fields(self, objs):
 assert all([o["type"] == "icmp" for o in objs])
 assert all([o["event.dataset"] == "icmp" for o in objs])
- assert all([o["event.category"] == ['network_traffic', 'network'] for o in objs])
+ assert all([o["event.category"] == ['network'] for o in objs])
 assert all([o["event.type"] == ["connection"] for o in objs])
 assert all([o["source.bytes"] == 4 for o in objs])
 assert all([o["destination.bytes"] == 4 for o in objs])