
Add eTLD Handling in registered_domain Processor (#23046)
* Add eTLD handling in registered_domain_processor

* Regenerate sysmon, zeek, and suricata golden files

* Add changelog entry

* Add empty string check
Andrew Stucki authored Dec 10, 2020
1 parent 65c9928 commit e9d12e2
Showing 10 changed files with 351 additions and 166 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -755,6 +755,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Preserve AWS CloudTrail eventCategory in aws.cloudtrail.event_category. {issue}22776[22776] {pull}22805[22805]
- Migrate microsoft/defender_atp to httpjson v2 config {pull}23017[23017]
- Migrate microsoft/m365_defender to httpjson v2 config {pull}23018[23018]
- Add top_level_domain enrichment for suricata/eve fileset. {pull}23046[23046]
- Add top_level_domain enrichment for zeek/dns fileset. {pull}23046[23046]

*Heartbeat*

Expand Down Expand Up @@ -913,6 +915,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add file.pe and process.pe fields to ProcessCreate & LoadImage events in Sysmon module. {issue}17335[17335] {pull}22217[22217]
- Add additional event categorization for security and sysmon modules. {pull}22988[22988]
- Add dns.question.subdomain fields for sysmon DNS events. {pull}22999[22999]
- Add dns.question.top_level_domain fields for sysmon DNS events. {pull}23046[23046]

*Elastic Log Driver*

1 change: 1 addition & 0 deletions libbeat/processors/registered_domain/config.go
Expand Up @@ -21,6 +21,7 @@ type config struct {
Field string `config:"field" validate:"required"`
TargetField string `config:"target_field" validate:"required"`
TargetSubdomainField string `config:"target_subdomain_field"`
TargetETLDField string `config:"target_etld_field"`
IgnoreMissing bool `config:"ignore_missing"`
IgnoreFailure bool `config:"ignore_failure"`
ID string `config:"id"`
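Review bot: `TargetETLDField` is added without a doc comment, so the only statement of what it receives is the documentation table elsewhere in this commit; a line above it such as `// TargetETLDField optionally names the field that receives the effective top-level domain (public suffix) of Field.` would keep that contract next to the code. The neighbouring fields carry no comments either, so this is a suggestion for the new line only. The `config` struct starts outside the hunk.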
Expand Up @@ -20,6 +20,7 @@ processors:
- registered_domain:
field: dns.question.name
target_field: dns.question.registered_domain
target_etld_field: dns.question.top_level_domain
target_subdomain_field: dns.question.sudomain
ignore_missing: true
ignore_failure: true
Expand All @@ -33,6 +34,7 @@ The `registered_domain` processor has the following configuration settings:
| Name | Required | Default | Description |
| `field` | yes | | Source field containing a fully qualified domain name (FQDN). |
| `target_field` | yes | | Target field for the registered domain value. |
| `target_etld_field` | no | | Target field for the effective top-level domain value. |
| `target_subdomain_field` | no | | Target subdomain field for the subdomain value. |
| `ignore_missing` | no | false | Ignore errors when the source field is missing. |
| `ignore_failure` | no | false | Ignore all errors produced by the processor. |
9 changes: 9 additions & 0 deletions libbeat/processors/registered_domain/registered_domain.go
Expand Up @@ -106,6 +106,15 @@ func (p *processor) Run(event *beat.Event) (*beat.Event, error) {
return event, errors.Wrapf(err, "failed to write registered domain to target field [%v]", p.TargetField)
}

if p.TargetETLDField != "" {
tld, _ := publicsuffix.PublicSuffix(domain)
if tld != "" {
if _, err = event.PutValue(p.TargetETLDField, tld); err != nil && !p.IgnoreFailure {
return event, errors.Wrapf(err, "failed to write effective top-level domain to target field [%v]", p.TargetETLDField)
}
}
}

if p.TargetSubdomainField != "" {
subdomain := strings.TrimSuffix(strings.TrimSuffix(domain, rd), ".")
if subdomain != "" {
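Review bot: The second result of `publicsuffix.PublicSuffix` is discarded at `tld, _ := publicsuffix.PublicSuffix(domain)`, so the value written to the eTLD field is not always a top-level domain in the ICANN sense: for names not on the list the package returns the last label (this commit's test table expects `local` for `www.ak.local`), and private-section entries can be multi-label. If that is the intended semantics of `dns.question.top_level_domain`, record it where the value is produced, e.g. `// PublicSuffix falls back to the last label for unlisted names and includes private-section entries; the icann flag is deliberately ignored.`; if not, checking that flag before the `PutValue` would restrict the field to ICANN suffixes. The enclosing `Run` starts and ends outside this hunk.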
35 changes: 24 additions & 11 deletions libbeat/processors/registered_domain/registered_domain_test.go
Expand Up @@ -32,24 +32,26 @@ func TestProcessorRun(t *testing.T) {
Domain string
RegisteredDomain string
Subdomain string
ETLD string
}{
{false, "www.google.com", "google.com", "www"},
{false, "www.google.co.uk", "google.co.uk", "www"},
{false, "www.mail.google.co.uk", "google.co.uk", "www.mail"},
{false, "google.com", "google.com", ""},
{false, "www.ak.local", "ak.local", "www"},
{false, "www.navy.mil", "navy.mil", "www"},
{false, "www.google.com", "google.com", "www", "com"},
{false, "www.google.co.uk", "google.co.uk", "www", "co.uk"},
{false, "www.mail.google.co.uk", "google.co.uk", "www.mail", "co.uk"},
{false, "google.com", "google.com", "", "com"},
{false, "www.ak.local", "ak.local", "www", "local"},
{false, "www.navy.mil", "navy.mil", "www", "mil"},

{true, "com", "", ""},
{true, ".", ".", ""},
{true, "", "", ""},
{true, "localhost", "", ""},
{true, "com", "", "", ""},
{true, ".", ".", "", ""},
{true, "", "", "", ""},
{true, "localhost", "", "", ""},
}

c := defaultConfig()
c.Field = "domain"
c.TargetField = "registered_domain"
c.TargetSubdomainField = "subdomain"
c.TargetETLDField = "etld"
p, err := newRegisteredDomain(c)
if err != nil {
t.Fatal(err)
Expand All @@ -75,9 +77,20 @@ func TestProcessorRun(t *testing.T) {
rd, _ := evt.GetValue("registered_domain")
assert.Equal(t, tc.RegisteredDomain, rd)

if tc.Subdomain != "" {
if tc.Subdomain == "" {
_, err := evt.GetValue("subdomain")
assert.NotNil(t, err)
} else {
subdomain, _ := evt.GetValue("subdomain")
assert.Equal(t, tc.Subdomain, subdomain)
}

if tc.ETLD == "" {
_, err := evt.GetValue("etld")
assert.NotNil(t, err)
} else {
etld, _ := evt.GetValue("etld")
assert.Equal(t, tc.ETLD, etld)
}
}
}
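Review bot: The new `ETLD` column pins only cases where the public suffix is a plain ICANN entry or an unlisted last label; no row covers a private-section suffix, so the behaviour the processor chooses for a name under one (where, as far as I recall the list, `PublicSuffix` and `EffectiveTLDPlusOne` return the multi-label private entry and the label above it) is left untested. A row in the shape `{false, "foo.<private-suffix>", "foo.<private-suffix>", "", "<private-suffix>"}` with a suffix taken from the vendored list version would document that choice. `TestProcessorRun` starts outside the hunk.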
1 change: 1 addition & 0 deletions x-pack/filebeat/module/suricata/eve/config/eve.yml
Expand Up @@ -53,6 +53,7 @@ processors:
field: suricata.eve.dns.rrname
target_field: dns.question.registered_domain
target_subdomain_field: dns.question.subdomain
target_etld_field: dns.question.top_level_domain
- add_fields:
target: ''
fields:
1 change: 1 addition & 0 deletions x-pack/filebeat/module/zeek/dns/config/dns.yml
Expand Up @@ -20,6 +20,7 @@ processors:
field: zeek.dns.query
target_field: dns.question.registered_domain
target_subdomain_field: dns.question.subdomain
target_etld_field: dns.question.top_level_domain
- script:
lang: javascript
id: zeek_dns_flags
Expand Up @@ -1564,6 +1564,7 @@ var sysmon = (function () {
field: "dns.question.name",
target_field: "dns.question.registered_domain",
target_subdomain_field: "dns.question.subdomain",
target_etld_field: "dns.question.top_level_domain",
})
.Add(setRuleName)
.Add(translateDnsQueryStatus)
