Add dns.resolved_ip

elastic · Aug 27, 2019 · ca81c60 · ca81c60
1 parent d2eeb68
commit ca81c60
Show file tree

Hide file tree

Showing 5 changed files with 181 additions and 1 deletion.
diff --git a/libbeat/processors/script/javascript/module/include.go b/libbeat/processors/script/javascript/module/include.go
@@ -20,6 +20,7 @@ package module
 import (
 	// Register javascript modules.
 	_ "github.com/elastic/beats/libbeat/processors/script/javascript/module/console"
+	_ "github.com/elastic/beats/libbeat/processors/script/javascript/module/net"
 	_ "github.com/elastic/beats/libbeat/processors/script/javascript/module/path"
 	_ "github.com/elastic/beats/libbeat/processors/script/javascript/module/processor"
 	_ "github.com/elastic/beats/libbeat/processors/script/javascript/module/require"

diff --git a/libbeat/processors/script/javascript/module/net/net.go b/libbeat/processors/script/javascript/module/net/net.go
@@ -0,0 +1,68 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package net
+
+import (
+	"net"
+
+	"github.com/dop251/goja"
+	"github.com/dop251/goja_nodejs/require"
+)
+
+// Require registers the net module that provides utilities for working with IP
+// addresses. It can be accessed using:
+//
+//    // javascript
+//    var net = require('net');
+//
+func Require(vm *goja.Runtime, module *goja.Object) {
+	o := module.Get("exports").(*goja.Object)
+	o.Set("isIP", isIP)
+	o.Set("isIPv4", isIPv4)
+	o.Set("isIPv6", isIPv6)
+}
+
+func isIP(input string) int32 {
+	ip := net.ParseIP(input)
+	if ip == nil {
+		return 0
+	}
+
+	if ip.To4() != nil {
+		return 4
+	}
+
+	return 6
+}
+
+func isIPv4(input string) bool {
+	return 4 == isIP(input)
+}
+
+func isIPv6(input string) bool {
+	return 6 == isIP(input)
+}
+
+// Enable adds net to the given runtime.
+func Enable(runtime *goja.Runtime) {
+	runtime.Set("net", require.Require(runtime, "net"))
+}
+
+func init() {
+	require.RegisterNativeModule("net", Require)
+}
diff --git a/libbeat/processors/script/javascript/module/net/net_test.go b/libbeat/processors/script/javascript/module/net/net_test.go
@@ -0,0 +1,98 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package net_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/elastic/beats/libbeat/beat"
+	"github.com/elastic/beats/libbeat/common"
+	"github.com/elastic/beats/libbeat/processors/script/javascript"
+
+	_ "github.com/elastic/beats/libbeat/processors/script/javascript/module/net"
+	_ "github.com/elastic/beats/libbeat/processors/script/javascript/module/require"
+)
+
+func TestNetIsIP(t *testing.T) {
+	const script = `
+var net = require('net');
+
+function process(evt) {
+    var ip = evt.Get("ip");
+    var ipType = net.isIP(ip);
+	switch (ipType) {
+    case 4:
+        evt.Put("network.type", "ipv4");
+        break
+    case 6:
+        evt.Put("network.type", "ipv6");
+        break
+    }
+}
+`
+
+	p, err := javascript.NewFromConfig(javascript.Config{Source: script}, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for ip, typ := range map[string]interface{}{
+		"192.168.0.1":        "ipv4",
+		"::ffff:192.168.0.1": "ipv4",
+		"2001:0db8:0000:0000:0000:ff00:0042:8329": "ipv6",
+		"2001:db8:0:0:0:ff00:42:8329":             "ipv6",
+		"2001:db8::ff00:42:8329":                  "ipv6",
+		"www.elastic.co":                          nil,
+	} {
+		evt, err := p.Run(&beat.Event{Fields: common.MapStr{"ip": ip}})
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		fields := evt.Fields.Flatten()
+		assert.Equal(t, typ, fields["network.type"])
+	}
+}
+
+func TestNetIsIPvN(t *testing.T) {
+	const script = `
+var net = require('net');
+
+function process(evt) {
+   	if (net.isIPv4("192.168.0.1") !== true) {
+        throw "isIPv4 failed";
+    }
+
+   	if (net.isIPv6("2001:db8::ff00:42:8329") !== true) {
+        throw "isIPv6 failed";
+    }
+}
+`
+
+	p, err := javascript.NewFromConfig(javascript.Config{Source: script}, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = p.Run(&beat.Event{Fields: common.MapStr{}})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml
@@ -17,6 +17,8 @@ processors:
       lang: javascript
       id: zeek_dns_flags
       source: >
+        var net = require("net");
+
         function addDnsHeaderFlags(evt) {
             var flag = evt.Get("zeek.dns.AA");
             if (flag === true) {
@@ -68,14 +70,22 @@ processors:
                 return;
             }
 
+            var resolvedIps = [];
             var answersObjs = [];
             for (var i = 0; i < answers.length; i++) {
+                var answer = answers[i];
                 answersObjs.push({
-                    data: answers[i],
+                    data: answer,
                     ttl: ttls[i],
                 })
+                if (net.isIP(answer)) {
+                    resolvedIps.push(answer);
+                }
             }
             evt.Put("dns.answers", answersObjs);
+            if (resolvedIps.length > 0) {
+                evt.Put("dns.resolved_ip", resolvedIps);
+            }
         }
 
         function addEventDuration(evt) {

diff --git a/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json b/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
@@ -27,6 +27,9 @@
         "dns.question.name": "dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io",
         "dns.question.registered_domain": "es.io",
         "dns.question.type": "A",
+        "dns.resolved_ip": [
+            "35.199.178.4"
+        ],
         "dns.response_code": "NOERROR",
         "event.dataset": "zeek.dns",
         "event.duration": 76967000,