
[Filebeat] Make Suricata module append to destination.domain list #10510

Closed
andrewkroh opened this issue Feb 3, 2019 · 1 comment

Comments

@andrewkroh
Member

Describe the enhancement:
Enhance the Suricata pipeline to append to the destination.domain field if it already exists (make it into an array).

I'm using a processor setup like this so I can enrich events with my local network's hostnames.

processors:
    - dns:
        type: reverse
        fields:
          source.ip: source.domain
          destination.ip: destination.domain
          # Suricata Module
          json.src_ip: source.domain
          json.dest_ip: destination.domain

But this causes a cascading failure in the pipeline. The pipeline fails at setting the destination.domain field and bails out. I was expecting to be able to see the error in the indexed event as error.message, but what actually happened was an indexing failure because the pipeline's final remove processor had not run which causes {"type":"mapper_parsing_exception","reason":"failed to parse","caused_by":{"type":"illegal_argument_exception","reason":"Cannot write to a field alias [suricata.eve.event_type]."}}.

Describe a specific use case for the enhancement or feature:

To be able to use the dns processor with the suricata module in order to do reverse DNS enrichment on events.

@andrewkroh
Member Author

By using append + remove I was able to get a good result. Then I added a script processor to deduplicate the domains and convert the value back to a scalar if there's just one.

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "append",
    "processors": [
      {
        "append": {
          "if": "ctx.suricata?.eve?.http?.hostname != null",
          "value": "{{suricata.eve.http.hostname}}",
          "field": "destination.domain"
        }
      },
      {
        "remove": {
          "field": "suricata.eve.http.hostname",
          "ignore_failure": true
        }
      },
      {
        "script": {
          "source": """
          def domain = ctx.destination?.domain;
          if (domain instanceof Collection) {
            if (domain.length == 1) {
              ctx.destination.domain = domain[0];
            } else {
              ctx.destination.domain = ctx.destination.domain.stream().distinct().collect(Collectors.toList());
            }
          }
""",
          "ignore_failure": true
        }
      }
    ]
  },
  "docs": [
    {
      "_index": "index",
      "_type": "_doc",
      "_id": "id",
      "_source": {
        "suricata": {
          "eve": {
            "http": {
              "hostname": "www.google.com"
            }
          }
        }
      }
    },
    {
      "_index": "index",
      "_type": "_doc",
      "_id": "id",
      "_source": {
        "suricata": {
          "eve": {
            "http": {
              "hostname": "www.google.com"
            }
          }
        },
        "destination": {
          "domain": "4.3.2.1.google.verizon.com"
        }
      }
    },
    {
      "_index": "index",
      "_type": "_doc",
      "_id": "id",
      "_source": {
        "suricata": {
          "eve": {
            "http": {
              "hostname": "www.google.com"
            }
          }
        },
        "destination": {
          "domain": [
            "4.3.2.1.google.verizon.com",
            "www.google.com"
          ]
        }
      }
    }
  ]
}
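A Python model of the two approaches, added here as an illustration and not part of the issue or of the Beats Suricata pipeline: it mimics the original `rename` processor (which fails when the target field already exists, the cascading failure described in the issue) and the `append` + `remove` + dedup script from the comment above, run over the same three sample documents. Processor semantics are modelled from Elasticsearch's documented behaviour (append converts a scalar to an array); the rename failure is reduced to a `ValueError`.

```python
import copy

# Constructed sample events, mirroring the three _simulate docs in the comment.
DOCS = [
    {"suricata": {"eve": {"http": {"hostname": "www.google.com"}}}},
    {"suricata": {"eve": {"http": {"hostname": "www.google.com"}}},
     "destination": {"domain": "4.3.2.1.google.verizon.com"}},
    {"suricata": {"eve": {"http": {"hostname": "www.google.com"}}},
     "destination": {"domain": ["4.3.2.1.google.verizon.com", "www.google.com"]}},
]


def _pop_hostname(doc):
    """Read and remove suricata.eve.http.hostname (None if absent)."""
    return doc.get("suricata", {}).get("eve", {}).get("http", {}).pop("hostname", None)


def rename_pipeline(doc):
    """Model of the old rename processor: aborts when destination.domain is already set
    (e.g. populated earlier by the Filebeat dns processor)."""
    doc = copy.deepcopy(doc)
    hostname = _pop_hostname(doc)
    if hostname is None:
        return doc
    if "domain" in doc.get("destination", {}):
        raise ValueError("field [destination.domain] already exists")
    doc.setdefault("destination", {})["domain"] = hostname
    return doc


def append_pipeline(doc):
    """Model of append + remove + dedup script: never fails on an existing value."""
    doc = copy.deepcopy(doc)
    hostname = _pop_hostname(doc)
    if hostname is None:
        return doc
    dest = doc.setdefault("destination", {})
    existing = dest.get("domain")
    if existing is None:            # append creates the field
        values = [hostname]
    elif isinstance(existing, list):  # append extends an existing array
        values = existing + [hostname]
    else:                           # append converts a scalar to an array
        values = [existing, hostname]
    unique = list(dict.fromkeys(values))        # order-preserving distinct()
    dest["domain"] = unique[0] if len(unique) == 1 else unique  # collapse to scalar
    return doc
```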

andrewkroh added a commit to andrewkroh/beats that referenced this issue Feb 25, 2019
This replaces the usage of a `rename` processor with an `append` + `remove` processor.
Then a script processor is used to deduplicate the domains.

Fixes elastic#10510
andrewkroh added a commit that referenced this issue Feb 26, 2019

This replaces the usage of a `rename` processor with an `append` + `remove` processor.
Then a script processor is used to deduplicate the domains.

Fixes #10510