From 155dfda99aeb7a74383aa9023d4f350c4d5da668 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Fri, 23 Oct 2020 09:12:12 +0200 Subject: [PATCH] Change x509 mappings from file. to tls.server. (#22097) --- .../module/suricata/eve/ingest/pipeline.yml | 32 ++++++------ .../eve/test/eve-alerts.log-expected.json | 52 +++++++++---------- .../eve/test/eve-small.log-expected.json | 24 ++++----- 3 files changed, 54 insertions(+), 54 deletions(-) diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml index 01ed5accbe6..e132a8acdde 100644 --- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml +++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml @@ -247,27 +247,27 @@ processors: ignore_missing: true - rename: field: suricata.eve.tls.kv_issuerdn.C - target_field: file.x509.issuer.country + target_field: tls.server.x509.issuer.country ignore_missing: true - rename: field: suricata.eve.tls.kv_issuerdn.CN - target_field: file.x509.issuer.common_name + target_field: tls.server.x509.issuer.common_name ignore_missing: true - rename: field: suricata.eve.tls.kv_issuerdn.L - target_field: file.x509.issuer.locality + target_field: tls.server.x509.issuer.locality ignore_missing: true - rename: field: suricata.eve.tls.kv_issuerdn.O - target_field: file.x509.issuer.organization + target_field: tls.server.x509.issuer.organization ignore_missing: true - rename: field: suricata.eve.tls.kv_issuerdn.OU - target_field: file.x509.issuer.organizational_unit + target_field: tls.server.x509.issuer.organizational_unit ignore_missing: true - rename: field: suricata.eve.tls.kv_issuerdn.ST - target_field: file.x509.issuer.state_or_province + target_field: tls.server.x509.issuer.state_or_province ignore_missing: true - gsub: field: suricata.eve.tls.subject @@ -282,34 +282,34 @@ processors: ignore_missing: true - rename: field: suricata.eve.tls.kv_subject.C - target_field: file.x509.subject.country + target_field: tls.server.x509.subject.country ignore_missing: true - rename: field: suricata.eve.tls.kv_subject.CN - target_field: file.x509.subject.common_name + target_field: tls.server.x509.subject.common_name ignore_missing: true - rename: field: suricata.eve.tls.kv_subject.L - target_field: file.x509.subject.locality + target_field: tls.server.x509.subject.locality ignore_missing: true - rename: field: suricata.eve.tls.kv_subject.O - target_field: file.x509.subject.organization + target_field: tls.server.x509.subject.organization ignore_missing: true - rename: field: suricata.eve.tls.kv_subject.OU - target_field: file.x509.subject.organizational_unit + target_field: tls.server.x509.subject.organizational_unit ignore_missing: true - rename: field: suricata.eve.tls.kv_subject.ST - target_field: file.x509.subject.state_or_province + target_field: tls.server.x509.subject.state_or_province ignore_missing: true - set: - field: file.x509.serial_number + field: tls.server.x509.serial_number value: '{{suricata.eve.tls.serial}}' ignore_empty_value: true - gsub: - field: file.x509.serial_number + field: tls.server.x509.serial_number pattern: ':' replacement: '' ignore_missing: true @@ -326,11 +326,11 @@ processors: - ISO8601 if: ctx.suricata?.eve?.tls?.notbefore != null - set: - field: file.x509.not_after + field: tls.server.x509.not_after value: '{{tls.server.not_after}}' ignore_empty_value: true - set: - field: file.x509.not_before + field: tls.server.x509.not_before value: '{{tls.server.not_before}}' ignore_empty_value: true - append: diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index a63e2fd592a..ecccab3a10f 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json @@ -1633,17 +1633,6 @@ "event.type": [ "protocol" ], - "file.x509.issuer.common_name": "Google Internet Authority G2", - "file.x509.issuer.country": "US", - "file.x509.issuer.organization": "Google Inc", - "file.x509.not_after": "2024-07-16T14:52:35.000Z", - "file.x509.not_before": "2019-07-17T14:52:35.000Z", - "file.x509.serial_number": "001122334455667788", - "file.x509.subject.common_name": "*.google.com", - "file.x509.subject.country": "US", - "file.x509.subject.locality": "Mountain View", - "file.x509.subject.organization": "Google Inc", - "file.x509.subject.state_or_province": "California", "fileset.name": "eve", "input.type": "log", "log.offset": 16546, @@ -1687,6 +1676,17 @@ "tls.server.not_after": "2024-07-16T14:52:35.000Z", "tls.server.not_before": "2019-07-17T14:52:35.000Z", "tls.server.subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com", + "tls.server.x509.issuer.common_name": "Google Internet Authority G2", + "tls.server.x509.issuer.country": "US", + "tls.server.x509.issuer.organization": "Google Inc", + "tls.server.x509.not_after": "2024-07-16T14:52:35.000Z", + "tls.server.x509.not_before": "2019-07-17T14:52:35.000Z", + "tls.server.x509.serial_number": "001122334455667788", + "tls.server.x509.subject.common_name": "*.google.com", + "tls.server.x509.subject.country": "US", + "tls.server.x509.subject.locality": "Mountain View", + "tls.server.x509.subject.organization": "Google Inc", + "tls.server.x509.subject.state_or_province": "California", "tls.version": "1.2", "tls.version_protocol": "tls" }, @@ -1711,21 +1711,6 @@ "event.type": [ "allowed" ], - "file.x509.issuer.common_name": "Unknown", - "file.x509.issuer.country": "Unknown", - "file.x509.issuer.locality": "Unknown", - "file.x509.issuer.organization": "Unknown", - "file.x509.issuer.organizational_unit": "Unknown", - "file.x509.issuer.state_or_province": "Unknown", - "file.x509.not_after": "2026-06-25T17:36:29.000Z", - "file.x509.not_before": "2016-06-27T17:36:29.000Z", - "file.x509.serial_number": "72A92C51", - "file.x509.subject.common_name": "Unknown", - "file.x509.subject.country": "Unknown", - "file.x509.subject.locality": "Unknown", - "file.x509.subject.organization": "Unknown", - "file.x509.subject.organizational_unit": "Unknown", - "file.x509.subject.state_or_province": "Unknown", "fileset.name": "eve", "input.type": "log", "log.offset": 17541, @@ -1781,6 +1766,21 @@ "tls.server.not_after": "2026-06-25T17:36:29.000Z", "tls.server.not_before": "2016-06-27T17:36:29.000Z", "tls.server.subject": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", + "tls.server.x509.issuer.common_name": "Unknown", + "tls.server.x509.issuer.country": "Unknown", + "tls.server.x509.issuer.locality": "Unknown", + "tls.server.x509.issuer.organization": "Unknown", + "tls.server.x509.issuer.organizational_unit": "Unknown", + "tls.server.x509.issuer.state_or_province": "Unknown", + "tls.server.x509.not_after": "2026-06-25T17:36:29.000Z", + "tls.server.x509.not_before": "2016-06-27T17:36:29.000Z", + "tls.server.x509.serial_number": "72A92C51", + "tls.server.x509.subject.common_name": "Unknown", + "tls.server.x509.subject.country": "Unknown", + "tls.server.x509.subject.locality": "Unknown", + "tls.server.x509.subject.organization": "Unknown", + "tls.server.x509.subject.organizational_unit": "Unknown", + "tls.server.x509.subject.state_or_province": "Unknown", "tls.version": "1.2", "tls.version_protocol": "tls" } diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index 4851f2db826..2db09a8ee38 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -430,18 +430,6 @@ "event.type": [ "protocol" ], - "file.x509.issuer.common_name": "Apple IST CA 2 - G1", - "file.x509.issuer.country": "US", - "file.x509.issuer.organization": "Apple Inc.", - "file.x509.issuer.organizational_unit": "Certification Authority", - "file.x509.not_after": "2019-03-29T17:54:31.000Z", - "file.x509.not_before": "2017-02-27T17:54:31.000Z", - "file.x509.serial_number": "5C9CE1097887F807", - "file.x509.subject.common_name": "*.icloud.com", - "file.x509.subject.country": "US", - "file.x509.subject.organization": "Apple Inc.", - "file.x509.subject.organizational_unit": "management:idms.group.506364", - "file.x509.subject.state_or_province": "California", "fileset.name": "eve", "input.type": "log", "log.offset": 4683, @@ -479,6 +467,18 @@ "tls.server.not_after": "2019-03-29T17:54:31.000Z", "tls.server.not_before": "2017-02-27T17:54:31.000Z", "tls.server.subject": "CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US", + "tls.server.x509.issuer.common_name": "Apple IST CA 2 - G1", + "tls.server.x509.issuer.country": "US", + "tls.server.x509.issuer.organization": "Apple Inc.", + "tls.server.x509.issuer.organizational_unit": "Certification Authority", + "tls.server.x509.not_after": "2019-03-29T17:54:31.000Z", + "tls.server.x509.not_before": "2017-02-27T17:54:31.000Z", + "tls.server.x509.serial_number": "5C9CE1097887F807", + "tls.server.x509.subject.common_name": "*.icloud.com", + "tls.server.x509.subject.country": "US", + "tls.server.x509.subject.organization": "Apple Inc.", + "tls.server.x509.subject.organizational_unit": "management:idms.group.506364", + "tls.server.x509.subject.state_or_province": "California", "tls.version": "1.2", "tls.version_protocol": "tls" },