Cherry-pick #23721 to 7.x: [Filebeat] Populate source/destination.mac…

… for Suricata (#23834) When 'ethernet' is enabled in Suricata with will log the mac addresses. ECS has fields for the MAC addresses so this renames the two Suricata fields to follow the ECS conventions. Closes #23706 (cherry picked from commit 10fdd24)
elastic · Feb 16, 2021 · c24a92c · c24a92c
1 parent 361eb92
commit c24a92c
Show file tree

Hide file tree

Showing 7 changed files with 113 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -533,6 +533,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Added `application/x-ndjson` as decode option for httpjson input {pull}23521[23521]
 - Added `application/x-www-form-urlencoded` as encode option for httpjson input {pull}23521[23521]
 - Move aws-s3 input to GA. {pull}23631[23631]
+- Populate `source.mac` and `destination.mac` for Suricata EVE events. {issue}23706[23706] {pull}23721[23721]
 - Added string splitting for httpjson input {pull}24022[24022]
 
 *Heartbeat*

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -141668,6 +141668,15 @@ type: keyword
 --
 
 
+*`suricata.eve.alert.metadata`*::
++
+--
+Metadata about the alert.
+
+type: flattened
+
+--
+
 *`suricata.eve.alert.category`*::
 +
 --

diff --git a/x-pack/filebeat/module/suricata/eve/_meta/fields.yml b/x-pack/filebeat/module/suricata/eve/_meta/fields.yml
@@ -182,6 +182,10 @@
     - name: alert
       type: group
       fields:
+      - name: metadata
+        type: flattened
+        description: Metadata about the alert.
+
       - name: category
         type: keyword
 

diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
@@ -6,6 +6,15 @@ processors:
       field: event.ingested
       value: '{{_ingest.timestamp}}'
 
+  - rename:
+      field: suricata.eve.ether.dest_mac
+      target_field: destination.mac
+      ignore_missing: true
+  - rename:
+      field: suricata.eve.ether.src_mac
+      target_field: source.mac
+      ignore_missing: true
+
   # Handle the different Suricata event types.
   - lowercase:
       field: suricata.eve.event_type

diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log
@@ -0,0 +1 @@
+{"timestamp":"2021-01-27T01:28:11.488362+0100","flow_id":1805461738637437,"in_iface":"enp6s0","event_type":"alert","src_ip":"52.222.141.99","src_port":80,"dest_ip":"10.31.64.240","dest_port":47592,"proto":"TCP","ether":{"src_mac":"00:03:2d:3f:e5:63","dest_mac":"00:1b:17:00:01:18"},"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2010_09_23"],"updated_at":["2010_09_23"]}},"http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/7.58.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":39},"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":496,"bytes_toclient":876,"start":"2021-01-22T23:28:38.673917+0100"}}
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-6.0.log-expected.json
@@ -0,0 +1,88 @@
+[
+    {
+        "@timestamp": "2021-01-27T00:28:11.488Z",
+        "destination.address": "10.31.64.240",
+        "destination.bytes": 876,
+        "destination.domain": "testmynids.org",
+        "destination.ip": "10.31.64.240",
+        "destination.mac": "00:1b:17:00:01:18",
+        "destination.packets": 5,
+        "destination.port": 47592,
+        "event.category": [
+            "network",
+            "intrusion_detection"
+        ],
+        "event.dataset": "suricata.eve",
+        "event.kind": "alert",
+        "event.module": "suricata",
+        "event.original": "{\"timestamp\":\"2021-01-27T01:28:11.488362+0100\",\"flow_id\":1805461738637437,\"in_iface\":\"enp6s0\",\"event_type\":\"alert\",\"src_ip\":\"52.222.141.99\",\"src_port\":80,\"dest_ip\":\"10.31.64.240\",\"dest_port\":47592,\"proto\":\"TCP\",\"ether\":{\"src_mac\":\"00:03:2d:3f:e5:63\",\"dest_mac\":\"00:1b:17:00:01:18\"},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2100498,\"rev\":7,\"signature\":\"GPL ATTACK_RESPONSE id check returned root\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2010_09_23\"],\"updated_at\":[\"2010_09_23\"]}},\"http\":{\"hostname\":\"testmynids.org\",\"url\":\"/uid/index.html\",\"http_user_agent\":\"curl/7.58.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":39},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":6,\"pkts_toclient\":5,\"bytes_toserver\":496,\"bytes_toclient\":876,\"start\":\"2021-01-22T23:28:38.673917+0100\"}}",
+        "event.severity": 2,
+        "event.start": "2021-01-22T22:28:38.673Z",
+        "event.type": [
+            "allowed"
+        ],
+        "fileset.name": "eve",
+        "http.request.method": "GET",
+        "http.response.body.bytes": 39,
+        "http.response.status_code": 200,
+        "input.type": "log",
+        "log.offset": 0,
+        "message": "Potentially Bad Traffic",
+        "network.bytes": 1372,
+        "network.community_id": "1:/b5R3BDG/6TU2Pu+pRF8w6d1Z18=",
+        "network.packets": 11,
+        "network.protocol": "http",
+        "network.transport": "tcp",
+        "related.hosts": [
+            "testmynids.org"
+        ],
+        "related.ip": [
+            "52.222.141.99",
+            "10.31.64.240"
+        ],
+        "rule.category": "Potentially Bad Traffic",
+        "rule.id": "2100498",
+        "rule.name": "GPL ATTACK_RESPONSE id check returned root",
+        "service.type": "suricata",
+        "source.address": "52.222.141.99",
+        "source.bytes": 496,
+        "source.geo.city_name": "Seattle",
+        "source.geo.continent_name": "North America",
+        "source.geo.country_iso_code": "US",
+        "source.geo.country_name": "United States",
+        "source.geo.location.lat": 47.6348,
+        "source.geo.location.lon": -122.3451,
+        "source.geo.region_iso_code": "US-WA",
+        "source.geo.region_name": "Washington",
+        "source.ip": "52.222.141.99",
+        "source.mac": "00:03:2d:3f:e5:63",
+        "source.packets": 6,
+        "source.port": 80,
+        "suricata.eve.alert.category": "Potentially Bad Traffic",
+        "suricata.eve.alert.gid": 1,
+        "suricata.eve.alert.metadata.created_at": [
+            "2010_09_23"
+        ],
+        "suricata.eve.alert.metadata.updated_at": [
+            "2010_09_23"
+        ],
+        "suricata.eve.alert.rev": 7,
+        "suricata.eve.alert.signature": "GPL ATTACK_RESPONSE id check returned root",
+        "suricata.eve.alert.signature_id": 2100498,
+        "suricata.eve.event_type": "alert",
+        "suricata.eve.flow_id": 1805461738637437,
+        "suricata.eve.http.http_content_type": "text/html",
+        "suricata.eve.http.protocol": "HTTP/1.1",
+        "suricata.eve.in_iface": "enp6s0",
+        "tags": [
+            "suricata"
+        ],
+        "url.domain": "testmynids.org",
+        "url.original": "/uid/index.html",
+        "url.path": "/uid/index.html",
+        "user_agent.device.name": "Other",
+        "user_agent.name": "curl",
+        "user_agent.original": "curl/7.58.0",
+        "user_agent.version": "7.58.0"
+    }
+]
diff --git a/x-pack/filebeat/module/suricata/fields.go b/x-pack/filebeat/module/suricata/fields.go