[Filebeat] Add Zeek NTP Fileset (elastic#24224)

Add the NTP fileset to the Zeek Module. Co-authored-by: Andrew Kroh <[email protected]>
andrewkroh · Mar 17, 2021 · ef48945 · ef48945
1 parent fbbd9ef
commit ef48945
Show file tree

Hide file tree

Showing 12 changed files with 562 additions and 2 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -882,7 +882,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Upgrade okta to ecs 1.8.0 and move js processor to ingest pipeline {issue}23118[23118] {pull}23929[23929]
 - Update zoom module to ECS 1.8. {pull}23904[23904] {issue}23118[23118]
 - Support X-Forwarder-For in IIS logs. {pull}19142[192142]
-
+- Added NTP fileset to Zeek module {pull}24224[24224]
 
 *Heartbeat*
 

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -159340,6 +159340,143 @@ type: keyword
 
 --
 
+[float]
+=== ntp
+
+Fields exported by the Zeek NTP log.
+
+
+
+*`zeek.ntp.version`*::
++
+--
+The NTP version number (1, 2, 3, 4).
+
+
+type: integer
+
+--
+
+*`zeek.ntp.mode`*::
++
+--
+The NTP mode being used.
+
+
+type: integer
+
+--
+
+*`zeek.ntp.stratum`*::
++
+--
+The stratum (primary server, secondary server, etc.).
+
+
+type: integer
+
+--
+
+*`zeek.ntp.poll`*::
++
+--
+The maximum interval between successive messages in seconds.
+
+
+type: double
+
+--
+
+*`zeek.ntp.precision`*::
++
+--
+The precision of the system clock in seconds.
+
+
+type: double
+
+--
+
+*`zeek.ntp.root_delay`*::
++
+--
+Total round-trip delay to the reference clock in seconds.
+
+
+type: double
+
+--
+
+*`zeek.ntp.root_disp`*::
++
+--
+Total dispersion to the reference clock in seconds.
+
+
+type: double
+
+--
+
+*`zeek.ntp.ref_id`*::
++
+--
+For stratum 0, 4 character string used for debugging. For stratum 1, ID assigned to the reference clock by IANA. Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4).
+
+
+type: keyword
+
+--
+
+*`zeek.ntp.ref_time`*::
++
+--
+Time when the system clock was last set or correct.
+
+
+type: date
+
+--
+
+*`zeek.ntp.org_time`*::
++
+--
+Time at the client when the request departed for the NTP server.
+
+
+type: date
+
+--
+
+*`zeek.ntp.rec_time`*::
++
+--
+Time at the server when the request arrived from the NTP client.
+
+
+type: date
+
+--
+
+*`zeek.ntp.xmt_time`*::
++
+--
+Time at the server when the response departed for the NTP client.
+
+
+type: date
+
+--
+
+*`zeek.ntp.num_exts`*::
++
+--
+Number of extension fields (which are not currently parsed).
+
+
+type: integer
+
+--
+
 [float]
 === ocsp
 

diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
@@ -2157,6 +2157,8 @@ filebeat.modules:
     enabled: true
   notice:
     enabled: true
+  ntp:
+    enabled: true
   ntlm:
     enabled: true
   ocsp:

diff --git a/x-pack/filebeat/module/zeek/_meta/config.yml b/x-pack/filebeat/module/zeek/_meta/config.yml
@@ -31,6 +31,8 @@
     enabled: true
   notice:
     enabled: true
+  ntp:
+    enabled: true
   ntlm:
     enabled: true
   ocsp:

diff --git a/x-pack/filebeat/module/zeek/fields.go b/x-pack/filebeat/module/zeek/fields.go
diff --git a/x-pack/filebeat/module/zeek/ntp/_meta/fields.yml b/x-pack/filebeat/module/zeek/ntp/_meta/fields.yml
@@ -0,0 +1,63 @@
+- name: ntp
+  type: group
+  default_field: false
+  description: >
+    Fields exported by the Zeek NTP log.
+  fields:
+    - name: version
+      type: integer
+      description: >
+        The NTP version number (1, 2, 3, 4).
+    - name: mode
+      type: integer
+      description: >
+        The NTP mode being used.
+    - name: stratum
+      type: integer
+      description: >
+        The stratum (primary server, secondary server, etc.).
+    - name: poll
+      type: double
+      description: >
+        The maximum interval between successive messages in seconds.
+    - name: precision
+      type: double
+      description: >
+        The precision of the system clock in seconds.
+    - name: root_delay
+      type: double
+      description: >
+        Total round-trip delay to the reference clock in seconds.
+    - name: root_disp
+      type: double
+      description: >
+        Total dispersion to the reference clock in seconds.
+    - name: ref_id
+      type: keyword
+      description: >
+        For stratum 0, 4 character string used for debugging.
+        For stratum 1, ID assigned to the reference clock by IANA.
+        Above stratum 1, when using IPv4, the IP address of the reference clock.
+        Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses,
+        so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address
+        (i.e. an IPv4 address here is not necessarily IPv4).
+    - name: ref_time
+      type: date
+      description: >
+        Time when the system clock was last set or correct.
+    - name: org_time
+      type: date
+      description: >
+        Time at the client when the request departed for the NTP server.
+    - name: rec_time
+      type: date
+      description: >
+        Time at the server when the request arrived from the NTP client.
+    - name: xmt_time
+      type: date
+      description: >
+        Time at the server when the response departed for the NTP client.
+    - name: num_exts
+      type: integer
+      description: >
+        Number of extension fields (which are not currently parsed).
diff --git a/x-pack/filebeat/module/zeek/ntp/config/ntp.yml b/x-pack/filebeat/module/zeek/ntp/config/ntp.yml
@@ -0,0 +1,57 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+  - rename:
+      fields:
+        - {from: message, to: event.original}
+  - decode_json_fields:
+      fields: [event.original]
+      target: zeek.ntp
+  - convert:
+      ignore_missing: true
+      fields:
+        - {from: zeek.ntp.id.orig_h, to: source.address}
+        - {from: zeek.ntp.id.orig_h, to: source.ip, type: ip}
+        - {from: zeek.ntp.id.orig_p, to: source.port, type: long}
+        - {from: zeek.ntp.id.resp_h, to: destination.address}
+        - {from: zeek.ntp.id.resp_h, to: destination.ip, type: ip}
+        - {from: zeek.ntp.id.resp_p, to: destination.port, type: long}
+  - rename:
+      ignore_missing: true
+      fields:
+        - from: zeek.ntp.uid
+          to: zeek.session_id
+  - drop_fields:
+      ignore_missing: true
+      fields:
+        - zeek.ntp.id.orig_h
+        - zeek.ntp.id.orig_p
+        - zeek.ntp.id.resp_h
+        - zeek.ntp.id.resp_p
+  - add_fields:
+      target: event
+      fields:
+        kind: event
+        category:
+          - network
+        type:
+          - connection
+          - protocol
+          - info
+  - add_fields:
+      target: network
+      fields:
+        protocol: ntp
+        transport: udp
+  - community_id:
+  - add_fields:
+      target: ''
+      fields:
+        ecs.version: 1.8.0