diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 4d492f1d7bc..e5e41d8ab9c 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -882,7 +882,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Upgrade okta to ecs 1.8.0 and move js processor to ingest pipeline {issue}23118[23118] {pull}23929[23929] - Update zoom module to ECS 1.8. {pull}23904[23904] {issue}23118[23118] - Support X-Forwarder-For in IIS logs. {pull}19142[192142] - +- Added NTP fileset to Zeek module {pull}24224[24224] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 3ab9d5718fe..2fc60c623b5 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -159340,6 +159340,143 @@ type: keyword -- +[float] +=== ntp + +Fields exported by the Zeek NTP log. + + + +*`zeek.ntp.version`*:: ++ +-- +The NTP version number (1, 2, 3, 4). + + +type: integer + +-- + +*`zeek.ntp.mode`*:: ++ +-- +The NTP mode being used. + + +type: integer + +-- + +*`zeek.ntp.stratum`*:: ++ +-- +The stratum (primary server, secondary server, etc.). + + +type: integer + +-- + +*`zeek.ntp.poll`*:: ++ +-- +The maximum interval between successive messages in seconds. + + +type: double + +-- + +*`zeek.ntp.precision`*:: ++ +-- +The precision of the system clock in seconds. + + +type: double + +-- + +*`zeek.ntp.root_delay`*:: ++ +-- +Total round-trip delay to the reference clock in seconds. + + +type: double + +-- + +*`zeek.ntp.root_disp`*:: ++ +-- +Total dispersion to the reference clock in seconds. + + +type: double + +-- + +*`zeek.ntp.ref_id`*:: ++ +-- +For stratum 0, 4 character string used for debugging. For stratum 1, ID assigned to the reference clock by IANA. Above stratum 1, when using IPv4, the IP address of the reference clock. Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses, so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address (i.e. an IPv4 address here is not necessarily IPv4). + + +type: keyword + +-- + +*`zeek.ntp.ref_time`*:: ++ +-- +Time when the system clock was last set or correct. + + +type: date + +-- + +*`zeek.ntp.org_time`*:: ++ +-- +Time at the client when the request departed for the NTP server. + + +type: date + +-- + +*`zeek.ntp.rec_time`*:: ++ +-- +Time at the server when the request arrived from the NTP client. + + +type: date + +-- + +*`zeek.ntp.xmt_time`*:: ++ +-- +Time at the server when the response departed for the NTP client. + + +type: date + +-- + +*`zeek.ntp.num_exts`*:: ++ +-- +Number of extension fields (which are not currently parsed). + + +type: integer + +-- + [float] === ocsp 
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index 1d6778167d6..1486d9eb7ef 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -2157,6 +2157,8 @@ filebeat.modules:
 enabled: true
 notice:
 enabled: true
+ ntp:
+ enabled: true
 ntlm:
 enabled: true
 ocsp:
diff --git a/x-pack/filebeat/module/zeek/_meta/config.yml b/x-pack/filebeat/module/zeek/_meta/config.yml
index cc4572f6874..dbe6012df6b 100644
--- a/x-pack/filebeat/module/zeek/_meta/config.yml
+++ b/x-pack/filebeat/module/zeek/_meta/config.yml
@@ -31,6 +31,8 @@
 enabled: true
 notice:
 enabled: true
+ ntp:
+ enabled: true
 ntlm:
 enabled: true
 ocsp:
diff --git a/x-pack/filebeat/module/zeek/fields.go b/x-pack/filebeat/module/zeek/fields.go
index d048c716bf6..a0740161b64 100644
--- a/x-pack/filebeat/module/zeek/fields.go
+++ b/x-pack/filebeat/module/zeek/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetZeek returns asset data.
 // This is the base64 encoded gzipped contents of module/zeek.
 func AssetZeek() string {
- return ""
+ return ""
 }
diff --git a/x-pack/filebeat/module/zeek/ntp/_meta/fields.yml b/x-pack/filebeat/module/zeek/ntp/_meta/fields.yml
new file mode 100644
index 00000000000..b48dcc20723
--- /dev/null
+++ b/x-pack/filebeat/module/zeek/ntp/_meta/fields.yml
@@ -0,0 +1,63 @@
+- name: ntp
+ type: group
+ default_field: false
+ description: >
+ Fields exported by the Zeek NTP log.
+ fields:
+ - name: version
+ type: integer
+ description: >
+ The NTP version number (1, 2, 3, 4).
+ - name: mode
+ type: integer
+ description: >
+ The NTP mode being used.
+ - name: stratum
+ type: integer
+ description: >
+ The stratum (primary server, secondary server, etc.).
+ - name: poll
+ type: double
+ description: >
+ The maximum interval between successive messages in seconds.
+ - name: precision
+ type: double
+ description: >
+ The precision of the system clock in seconds.
+ - name: root_delay
+ type: double
+ description: >
+ Total round-trip delay to the reference clock in seconds.
+ - name: root_disp
+ type: double
+ description: >
+ Total dispersion to the reference clock in seconds.
+ - name: ref_id
+ type: keyword
+ description: >
+ For stratum 0, 4 character string used for debugging.
+ For stratum 1, ID assigned to the reference clock by IANA.
+ Above stratum 1, when using IPv4, the IP address of the reference clock.
+ Note that the NTP protocol did not originally specify a large enough field to represent IPv6 addresses,
+ so they use the first four bytes of the MD5 hash of the reference clock’s IPv6 address
+ (i.e. an IPv4 address here is not necessarily IPv4).
+ - name: ref_time
+ type: date
+ description: >
+ Time when the system clock was last set or correct.
+ - name: org_time
+ type: date
+ description: >
+ Time at the client when the request departed for the NTP server.
+ - name: rec_time
+ type: date
+ description: >
+ Time at the server when the request arrived from the NTP client.
+ - name: xmt_time
+ type: date
+ description: >
+ Time at the server when the response departed for the NTP client.
+ - name: num_exts
+ type: integer
+ description: >
+ Number of extension fields (which are not currently parsed).
diff --git a/x-pack/filebeat/module/zeek/ntp/config/ntp.yml b/x-pack/filebeat/module/zeek/ntp/config/ntp.yml
new file mode 100644
index 00000000000..68735e4825d
--- /dev/null
+++ b/x-pack/filebeat/module/zeek/ntp/config/ntp.yml
@@ -0,0 +1,57 @@
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+processors:
+ - rename:
+ fields:
+ - {from: message, to: event.original}
+ - decode_json_fields:
+ fields: [event.original]
+ target: zeek.ntp
+ - convert:
+ ignore_missing: true
+ fields:
+ - {from: zeek.ntp.id.orig_h, to: source.address}
+ - {from: zeek.ntp.id.orig_h, to: source.ip, type: ip}
+ - {from: zeek.ntp.id.orig_p, to: source.port, type: long}
+ - {from: zeek.ntp.id.resp_h, to: destination.address}
+ - {from: zeek.ntp.id.resp_h, to: destination.ip, type: ip}
+ - {from: zeek.ntp.id.resp_p, to: destination.port, type: long}
+ - rename:
+ ignore_missing: true
+ fields:
+ - from: zeek.ntp.uid
+ to: zeek.session_id
+ - drop_fields:
+ ignore_missing: true
+ fields:
+ - zeek.ntp.id.orig_h
+ - zeek.ntp.id.orig_p
+ - zeek.ntp.id.resp_h
+ - zeek.ntp.id.resp_p
+ - add_fields:
+ target: event
+ fields:
+ kind: event
+ category:
+ - network
+ type:
+ - connection
+ - protocol
+ - info
+ - add_fields:
+ target: network
+ fields:
+ protocol: ntp
+ transport: udp
+ - community_id:
+ - add_fields:
+ target: ''
+ fields:
+ ecs.version: 1.8.0
diff --git a/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml
new file mode 100644
index 00000000000..ed603292a3d
--- /dev/null
+++ b/x-pack/filebeat/module/zeek/ntp/ingest/pipeline.yml
@@ -0,0 +1,150 @@
+description: Pipeline for normalizing Zeek ntp.log
+processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: event.created
+ value: '{{@timestamp}}'
+ - date:
+ field: zeek.ntp.ts
+ formats:
+ - UNIX
+ - remove:
+ field: zeek.ntp.ts
+ # IP Geolocation Lookup
+ - geoip:
+ if: ctx.source?.geo == null
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ properties:
+ - city_name
+ - continent_name
+ - country_iso_code
+ - country_name
+ - location
+ - region_iso_code
+ - region_name
+ - geoip:
+ if: ctx.destination?.geo == null
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+ properties:
+ - city_name
+ - continent_name
+ - country_iso_code
+ - country_name
+ - location
+ - region_iso_code
+ - region_name
+ # IP Autonomous System (AS) Lookup
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - append:
+ field: "related.ip"
+ value: "{{source.ip}}"
+ if: "ctx?.source?.ip != null"
+ - append:
+ field: "related.ip"
+ value: "{{destination.ip}}"
+ if: "ctx?.destination?.ip != null"
+ - date:
+ field: zeek.ntp.ref_time
+ target_field: zeek.ntp.ref_time
+ formats:
+ - UNIX
+ - date:
+ field: zeek.ntp.org_time
+ target_field: zeek.ntp.org_time
+ formats:
+ - UNIX
+ - date:
+ field: zeek.ntp.rec_time
+ target_field: zeek.ntp.rec_time
+ formats:
+ - UNIX
+ - date:
+ field: zeek.ntp.xmt_time
+ target_field: zeek.ntp.xmt_time
+ formats:
+ - UNIX
+ - convert:
+ ignore_missing: true
+ field: zeek.ntp.version
+ type: integer
+ - convert:
+ ignore_missing: true
+ field: zeek.ntp.mode
+ type: integer
+ - convert:
+ ignore_missing: true
+ field: zeek.ntp.stratum
+ type: integer
+ - convert:
+ ignore_missing: true
+ field: zeek.ntp.num_exts
+ type: integer
+ - convert:
+ ignore_missing: true
+ field: zeek.ntp.poll
+ type: double
+ - convert:
+ ignore_missing: true
+ field: zeek.ntp.precision
+ type: double
+ - convert:
+ ignore_missing: true
+ field: zeek.ntp.root_delay
+ type: double
+ - convert:
+ ignore_missing: true
+ field: zeek.ntp.root_disp
+ type: double
+ - convert:
+ ignore_missing: true
+ field: zeek.ntp.ref_id
+ type: string
+ - set:
+ field: network.type
+ value: ipv4
+ if: ctx.source?.ip.contains('.')
+ - set:
+ field: network.type
+ value: ipv6
+ if: ctx.source?.ip.contains(':')
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/zeek/ntp/manifest.yml b/x-pack/filebeat/module/zeek/ntp/manifest.yml
new file mode 100644
index 00000000000..034861b73fe
--- /dev/null
+++ b/x-pack/filebeat/module/zeek/ntp/manifest.yml
@@ -0,0 +1,19 @@
+module_version: 1.0
+
+var:
+ - name: paths
+ default:
+ - /var/log/bro/current/ntp.log
+ os.linux:
+ - /var/log/bro/current/ntp.log
+ os.darwin:
+ - /usr/local/var/logs/current/ntp.log
+ - name: tags
+ default: [zeek.ntp]
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/ntp.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log b/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log
new file mode 100644
index 00000000000..9799c888dba
--- /dev/null
+++ b/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log
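Review bot: The `date` processors for `zeek.ntp.ref_time`, `zeek.ntp.org_time` and `zeek.ntp.rec_time` run unconditionally, so a zero value becomes `1970-01-01T00:00:00.000Z`, which is exactly what the first fixture record (a mode-3 client request with all three at 0) produces in the expected output; as I understand NTP, a zero timestamp conventionally means "not set", so an epoch date on those fields will mislead anyone querying or alerting on them. I would guard each of the three with `if: ctx.zeek?.ntp?.ref_time != null && ctx.zeek.ntp.ref_time != 0` (substituting the field name for the other two) and pair each with a `remove` under the inverse condition so the zero is dropped rather than dated. The two `network.type` conditions near the end, `if: ctx.source?.ip.contains('.')` and the `':'` variant, call `.contains` on the result of a null-safe access; unless Painless short-circuits the remainder of the chain when `source` is absent, an event with no `source.ip` lands in `on_failure` with `error.message` set instead of simply lacking `network.type`, and `if: ctx.source?.ip != null && ctx.source.ip.contains('.')` is unambiguous either way. The null guards are also spelled two ways in this one file (`ctx.source?.geo` vs `ctx?.source?.ip`); settling on one form would make the pipeline easier to audit.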
@@ -0,0 +1,2 @@
+{"ts":1602116947.977,"uid":"CqlPpF1AQVLMPgGiL5","id.orig_h":"130.118.205.62","id.orig_p":38461,"id.resp_h":"208.79.89.249","id.resp_p":123,"version":4,"mode":3,"stratum":0,"poll":1,"precision":1,"root_delay":0,"root_disp":0,"ref_id":"\\x00\\x00\\x00\\x00","ref_time":0,"org_time":0,"rec_time":0,"xmt_time":1602116947.215,"num_exts":0}
+{"ts":1602116948.081,"uid":"CqlPpF1AQVLMPgGiL5","id.orig_h":"130.118.205.62","id.orig_p":38461,"id.resp_h":"208.79.89.249","id.resp_p":123,"version":4,"mode":4,"stratum":2,"poll":8,"precision":5.960464477539063e-8,"root_delay":0.00921630859375,"root_disp":0.0212249755859375,"ref_id":"127.67.113.92","ref_time":1602116655.942,"org_time":1602116947.215,"rec_time":1602116947.964,"xmt_time":1602116947.964,"num_exts":0}
diff --git a/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json b/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json
new file mode 100644
index 00000000000..940f548b1b7
--- /dev/null
+++ b/x-pack/filebeat/module/zeek/ntp/test/ntp-json.log-expected.json
@@ -0,0 +1,126 @@ +[ + { + "@timestamp": "2020-10-08T00:29:07.977Z", + "destination.address": "208.79.89.249", + "destination.as.number": 25795, + "destination.as.organization.name": "ARP NETWORKS, INC.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.79.89.249", + "destination.port": 123, + "event.category": [ + "network" + ], + "event.dataset": "zeek.ntp", + "event.kind": "event", + "event.module": "zeek", + "event.original": "{\"ts\":1602116947.977,\"uid\":\"CqlPpF1AQVLMPgGiL5\",\"id.orig_h\":\"130.118.205.62\",\"id.orig_p\":38461,\"id.resp_h\":\"208.79.89.249\",\"id.resp_p\":123,\"version\":4,\"mode\":3,\"stratum\":0,\"poll\":1,\"precision\":1,\"root_delay\":0,\"root_disp\":0,\"ref_id\":\"\\\\x00\\\\x00\\\\x00\\\\x00\",\"ref_time\":0,\"org_time\":0,\"rec_time\":0,\"xmt_time\":1602116947.215,\"num_exts\":0}", + "event.type": [ + "connection", + "protocol", + "info" + ], + "fileset.name": "ntp", + "input.type": "log", + "log.offset": 0, + "network.community_id": "1:IDiKR+C1G8mk7LQhFpp+4p1tHrk=", + "network.protocol": "ntp", + "network.transport": "udp", + "network.type": "ipv4", + "related.ip": [ + "130.118.205.62", + "208.79.89.249" + ], + "service.type": "zeek", + "source.address": "130.118.205.62", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "130.118.205.62", + "source.port": 38461, + "tags": [ + "zeek.ntp" + ], + "zeek.ntp.mode": 3, + "zeek.ntp.num_exts": 0, + "zeek.ntp.org_time": "1970-01-01T00:00:00.000Z", + "zeek.ntp.poll": 1.0, + "zeek.ntp.precision": 1.0, + "zeek.ntp.rec_time": "1970-01-01T00:00:00.000Z", + "zeek.ntp.ref_id": "\\x00\\x00\\x00\\x00", + "zeek.ntp.ref_time": 
"1970-01-01T00:00:00.000Z", + "zeek.ntp.root_delay": 0.0, + "zeek.ntp.root_disp": 0.0, + "zeek.ntp.stratum": 0, + "zeek.ntp.version": 4, + "zeek.ntp.xmt_time": "2020-10-08T00:29:07.215Z", + "zeek.session_id": "CqlPpF1AQVLMPgGiL5" + }, + { + "@timestamp": "2020-10-08T00:29:08.081Z", + "destination.address": "208.79.89.249", + "destination.as.number": 25795, + "destination.as.organization.name": "ARP NETWORKS, INC.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "208.79.89.249", + "destination.port": 123, + "event.category": [ + "network" + ], + "event.dataset": "zeek.ntp", + "event.kind": "event", + "event.module": "zeek", + "event.original": "{\"ts\":1602116948.081,\"uid\":\"CqlPpF1AQVLMPgGiL5\",\"id.orig_h\":\"130.118.205.62\",\"id.orig_p\":38461,\"id.resp_h\":\"208.79.89.249\",\"id.resp_p\":123,\"version\":4,\"mode\":4,\"stratum\":2,\"poll\":8,\"precision\":5.960464477539063e-8,\"root_delay\":0.00921630859375,\"root_disp\":0.0212249755859375,\"ref_id\":\"127.67.113.92\",\"ref_time\":1602116655.942,\"org_time\":1602116947.215,\"rec_time\":1602116947.964,\"xmt_time\":1602116947.964,\"num_exts\":0}", + "event.type": [ + "connection", + "protocol", + "info" + ], + "fileset.name": "ntp", + "input.type": "log", + "log.offset": 335, + "network.community_id": "1:IDiKR+C1G8mk7LQhFpp+4p1tHrk=", + "network.protocol": "ntp", + "network.transport": "udp", + "network.type": "ipv4", + "related.ip": [ + "130.118.205.62", + "208.79.89.249" + ], + "service.type": "zeek", + "source.address": "130.118.205.62", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "130.118.205.62", + "source.port": 38461, + "tags": 
[ + "zeek.ntp" + ], + "zeek.ntp.mode": 4, + "zeek.ntp.num_exts": 0, + "zeek.ntp.org_time": "2020-10-08T00:29:07.215Z", + "zeek.ntp.poll": 8.0, + "zeek.ntp.precision": 5.960464477539063e-08, + "zeek.ntp.rec_time": "2020-10-08T00:29:07.964Z", + "zeek.ntp.ref_id": "127.67.113.92", + "zeek.ntp.ref_time": "2020-10-08T00:24:15.942Z", + "zeek.ntp.root_delay": 0.00921630859375, + "zeek.ntp.root_disp": 0.0212249755859375, + "zeek.ntp.stratum": 2, + "zeek.ntp.version": 4, + "zeek.ntp.xmt_time": "2020-10-08T00:29:07.964Z", + "zeek.session_id": "CqlPpF1AQVLMPgGiL5" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/zeek.yml.disabled b/x-pack/filebeat/modules.d/zeek.yml.disabled index feacbf939d6..d1349bf1388 100644 --- a/x-pack/filebeat/modules.d/zeek.yml.disabled +++ b/x-pack/filebeat/modules.d/zeek.yml.disabled @@ -34,6 +34,8 @@ enabled: true notice: enabled: true + ntp: + enabled: true ntlm: enabled: true ocsp: