Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add MAC address mapping to ECS in Filebeat Suricata module #23706

Closed
0xtf opened this issue Jan 27, 2021 · 2 comments · Fixed by #23721
Closed

Add MAC address mapping to ECS in Filebeat Suricata module #23706

0xtf opened this issue Jan 27, 2021 · 2 comments · Fixed by #23721
Labels
enhancement Filebeat Filebeat

Comments

@0xtf
Copy link

0xtf commented Jan 27, 2021

Map additional (MAC address) Filebeat Suricata module fields to ECS.

Since version 6 of Suricata support for the inclusion of source and destination MAC address has been added to the eve.json file.

The outcome of that is something along the lines of this:

alert","src_ip":"52.222.141.99","src_port":80,"dest_ip":"10.31.64.240","dest_port":47592,"proto":"TCP","ether":{"src_mac":"00:03:2d:3f:e5:63","dest_mac":"00:1b:17:00:01:18"}

After discussion in Slack it was recommended I opened an enhancement request.

Currently in ES the fields are being presented as exported fields:

suricata.eve.ether.dest_mac 00:50:56:9b:2c:51
suricata.eve.ether.src_mac 00:00:5e:00:01:21

Would be great if these could be mapped to source.mac and destination.mac . In case someone wants to give it a try, just add ethernet: yes in the eve.json output section of suricata.yaml.

Full event for reference:

{"timestamp":"2021-01-22T23:28:38.681563+0100","flow_id":1805461738637437,"in_iface":"enp6s0","event_type":"alert","src_ip":"52.222.141.99","src_port":80,"dest_ip":"10.31.64.240","dest_port":47592,"proto":"TCP","ether":{"src_mac":"00:03:2d:3f:e5:63","dest_mac":"00:1b:17:00:01:18"},"alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2,"metadata":{"created_at":["2010_09_23"],"updated_at":["2010_09_23"]}},"http":{"hostname":"testmynids.org","url":"/uid/index.html","http_user_agent":"curl/7.58.0","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":39},"files":[{"filename":"/uid/index.html","sid":[],"gaps":false,"state":"CLOSED","stored":false,"size":39,"tx_id":0}],"app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":496,"bytes_toclient":876,"start":"2021-01-22T23:28:38.673917+0100"},"payload_printable":"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 39\r\nConnection: keep-alive\r\nDate: Fri, 22 Jan 2021 10:02:43 GMT\r\nLast-Modified: Sun, 26 May 2019 13:50:40 GMT\r\nETag: \"c7d0a1ea4ab73fa3e7cd72fc1eb5b492\"\r\nx-amz-server-side-encryption: AES256\r\nAccept-Ranges: bytes\r\nServer: AmazonS3\r\nX-Cache: Hit from cloudfront\r\nVia: 1.1 5345148f0ba8ae3c67b69d035acdbfc5.cloudfront.net (CloudFront)\r\nX-Amz-Cf-Pop: AMS50-C1\r\nX-Amz-Cf-Id: s2rhiZFkU-8RGWrxrXOvPm1U1NY9k3JZJDzDX2aBxE-dy9b8cqv3TA==\r\nAge: 44756\r\n\r\nuid=0(root) gid=0(root) groups=0(root)\n","stream":1}
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jan 27, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jan 27, 2021
@andrewkroh andrewkroh mentioned this issue Jan 27, 2021
Merged
4 tasks
@andrewkroh
Copy link
Member

PR: #23721

andrewkroh added a commit to andrewkroh/beats that referenced this issue Jan 27, 2021
@andrewkroh
Populate source/destination.mac for Suricata
2578ff1 
When 'ethernet' is enabled in Suricata with will log the mac addresses.
ECS has fields for the MAC addresses so this renames the two Suricata
fields to follow the ECS conventions.

Closes elastic#23706
andrewkroh added a commit that referenced this issue Feb 3, 2021
@andrewkroh
Populate source/destination.mac for Suricata (#23721)
10fdd24 
When 'ethernet' is enabled in Suricata with will log the mac addresses.
ECS has fields for the MAC addresses so this renames the two Suricata
fields to follow the ECS conventions.

Closes #23706
@andrewkroh andrewkroh mentioned this issue Feb 3, 2021
Merged
4 tasks
andrewkroh added a commit to andrewkroh/beats that referenced this issue Feb 12, 2021
@andrewkroh
Populate source/destination.mac for Suricata (elastic#23721)
5f6583a 
When 'ethernet' is enabled in Suricata with will log the mac addresses.
ECS has fields for the MAC addresses so this renames the two Suricata
fields to follow the ECS conventions.

Closes elastic#23706

(cherry picked from commit 10fdd24)
andrewkroh added a commit that referenced this issue Feb 16, 2021
@andrewkroh
Cherry-pick #23721 to 7.x: [Filebeat] Populate source/destination.mac…
c24a92c 
… for Suricata (#23834)

When 'ethernet' is enabled in Suricata with will log the mac addresses.
ECS has fields for the MAC addresses so this renames the two Suricata
fields to follow the ECS conventions.

Closes #23706

(cherry picked from commit 10fdd24)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement Filebeat Filebeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Filebeat] Populate source/destination.mac for Suricata andrewkroh/beats
4 participants
@andrewkroh @elasticmachine @0xtf @jamiehynds