From 89eea043c33327e0b6824cd820a16357a3e409e9 Mon Sep 17 00:00:00 2001 From: Lee Hinman <57081003+leehinman@users.noreply.github.com> Date: Thu, 2 Jul 2020 09:12:26 -0500 Subject: [PATCH] [Filebeat] Fix tls mapping in suricata module (#19494) * Fix tls mapping in suricata module - add suricata.eve.tls.ja3s.string field - add suricata.eve.tls.ja3s.hash field - add suricata.eve.tls.ja3.string field - add suricata.eve.tls.ja3.hash field - set default_field to false for ja3 & ja3s fields - map suricata.eve.tls.ja3.hash to tls.client.ja3 - map suricata.eve.tls.ja3s.hash to tls.server.ja3s - perform suricata.eve.tls.* -> tls.* mappings for all event types Closes #19492 --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 30 ++++ .../module/suricata/eve/_meta/fields.yml | 18 +++ .../module/suricata/eve/config/eve.yml | 37 +++-- .../module/suricata/eve/test/eve-alerts.log | 2 + .../eve/test/eve-alerts.log-expected.json | 141 ++++++++++++++++++ .../eve/test/eve-small.log-expected.json | 3 + x-pack/filebeat/module/suricata/fields.go | 2 +- 8 files changed, 213 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b8a100c089f..4726420da20 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -199,6 +199,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix date and timestamp formats for fortigate module {pull}19316[19316] - Fix memory leak in tcp and unix input sources. {pull}19459[19459] - Add missing `default_field: false` to aws filesets fields.yml. {pull}19568[19568] +- Fix tls mapping in suricata module {issue}19492[19492] {pull}19494[19494] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 71c438adde9..6e8112eb268 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -34596,6 +34596,36 @@ type: keyword -- + +*`suricata.eve.tls.ja3s.string`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.ja3s.hash`*:: ++ +-- +type: keyword + +-- + + +*`suricata.eve.tls.ja3.string`*:: ++ +-- +type: keyword + +-- + +*`suricata.eve.tls.ja3.hash`*:: ++ +-- +type: keyword + +-- + *`suricata.eve.app_proto_ts`*:: + -- diff --git a/x-pack/filebeat/module/suricata/eve/_meta/fields.yml b/x-pack/filebeat/module/suricata/eve/_meta/fields.yml index 7529cba1b52..45980b888b0 100644 --- a/x-pack/filebeat/module/suricata/eve/_meta/fields.yml +++ b/x-pack/filebeat/module/suricata/eve/_meta/fields.yml @@ -665,6 +665,24 @@ - name: subject type: keyword + - name: ja3s + type: group + default_field: false + fields: + - name: string + type: keyword + - name: hash + type: keyword + + - name: ja3 + type: group + default_field: false + fields: + - name: string + type: keyword + - name: hash + type: keyword + - name: app_proto_ts type: keyword diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml index 700c8db17e9..438c30e6373 100644 --- a/x-pack/filebeat/module/suricata/eve/config/eve.yml +++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml @@ -373,26 +373,23 @@ processors: addTlsVersion(evt); cleanupTlsSni(evt); } - - if: - equals: - suricata.eve.event_type: tls - then: - - convert: - ignore_missing: true - ignore_failure: true - mode: copy - fields: - - {from: suricata.eve.tls.subject, to: tls.server.subject} - - {from: suricata.eve.tls.issuerdn, to: tls.server.issuer} - - {from: suricata.eve.tls.session_resumed, to: tls.resumed, type: boolean} - - {from: suricata.eve.tls.fingerprint, to: tls.server.hash.sha1} - - {from: suricata.eve.tls.sni, to: tls.client.server_name} - - {from: suricata.eve.tls.sni, to: destination.domain} - - {from: suricata.eve.tls.notbefore, to: tls.server.not_before} - - {from: suricata.eve.tls.notafter, to: tls.server.not_after} - - {from: suricata.eve.tls.ja3s, to: tls.server.ja3s} - - {from: suricata.eve.tls.certificate, to: tls.server.certificate} - - {from: suricata.eve.tls.chain, to: tls.server.certificate_chain} + - convert: + ignore_missing: true + fail_on_error: false + mode: copy + fields: + - {from: suricata.eve.tls.subject, to: tls.server.subject} + - {from: suricata.eve.tls.issuerdn, to: tls.server.issuer} + - {from: suricata.eve.tls.session_resumed, to: tls.resumed, type: boolean} + - {from: suricata.eve.tls.fingerprint, to: tls.server.hash.sha1} + - {from: suricata.eve.tls.sni, to: tls.client.server_name} + - {from: suricata.eve.tls.sni, to: destination.domain} + - {from: suricata.eve.tls.notbefore, to: tls.server.not_before} + - {from: suricata.eve.tls.notafter, to: tls.server.not_after} + - {from: suricata.eve.tls.ja3s.hash, to: tls.server.ja3s} + - {from: suricata.eve.tls.ja3.hash, to: tls.client.ja3} + - {from: suricata.eve.tls.certificate, to: tls.server.certificate} + - {from: suricata.eve.tls.chain, to: tls.server.certificate_chain} - drop_fields: ignore_missing: true fields: diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log index 81bc39dbf4f..6587a913f52 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log @@ -18,3 +18,5 @@ {"timestamp":"2018-10-04T09:35:00.897009+0000","flow_id":112424506237238,"in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.146","src_port":52340,"dest_ip":"91.189.91.23","dest_port":80,"proto":"TCP","tx_id":7,"alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU\/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"archive.ubuntu.com","url":"\/ubuntu\/dists\/bionic-updates\/universe\/binary-amd64\/by-hash\/SHA256\/5190f7afbee38b3cb32225db478fdbabd46f76eaa9c5921a13091891bf3e9bbc","http_user_agent":"Debian APT-HTTP\/1.3 (1.6.3ubuntu0.1)","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2687},"app_proto":"http","flow":{"pkts_toserver":330,"pkts_toclient":591,"bytes_toserver":23758,"bytes_toclient":884342,"start":"2018-10-04T09:34:58.926006+0000"}} {"timestamp":"2018-10-04T09:35:01.362208+0000","flow_id":112424506237238,"in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.146","src_port":52340,"dest_ip":"91.189.91.23","dest_port":80,"proto":"TCP","tx_id":8,"alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU\/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"archive.ubuntu.com","url":"\/ubuntu\/dists\/bionic-updates\/universe\/i18n\/by-hash\/SHA256\/9fe539b7036e51327cd85ca5e0a4dd4eb47f69168875de2ac9842a5e36ebd4a4","http_user_agent":"Debian APT-HTTP\/1.3 (1.6.3ubuntu0.1)","http_method":"GET","protocol":"HTTP\/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":524,"pkts_toclient":979,"bytes_toserver":36819,"bytes_toclient":1467603,"start":"2018-10-04T09:34:58.926006+0000"}} {"timestamp":"2018-10-04T09:35:01.575088+0000","flow_id":112424506237238,"in_iface":"enp0s3","event_type":"alert","src_ip":"192.168.1.146","src_port":52340,"dest_ip":"91.189.91.23","dest_port":80,"proto":"TCP","tx_id":9,"alert":{"action":"allowed","gid":1,"signature_id":2013504,"rev":5,"signature":"ET POLICY GNU\/Linux APT User-Agent Outbound likely related to package management","category":"Not Suspicious Traffic","severity":3},"http":{"hostname":"archive.ubuntu.com","url":"\/ubuntu\/dists\/bionic-updates\/multiverse\/binary-amd64\/by-hash\/SHA256\/8ab8cb220c0e50521c589acc2bc2b43a3121210f0b035a0605972bcffd73dd16","http_user_agent":"Debian APT-HTTP\/1.3 (1.6.3ubuntu0.1)","http_method":"GET","protocol":"HTTP\/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":575,"pkts_toclient":1079,"bytes_toserver":40452,"bytes_toclient":1618380,"start":"2018-10-04T09:34:58.926006+0000"}} +{"tls":{"ja3s":{"string":"333,55555,66666-22","hash":"0993626a07ad09e1ce91293be7aa5721"},"ja3":{"string":"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0","hash":"d92325c876e7279f4eb8c62415e3a6b7"},"notafter":"2024-07-16T14:52:35","notbefore":"2019-07-17T14:52:35","version":"TLS 1.2","sni":"hostname.domain.net","fingerprint":"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33","serial":"00:11:22:33:44:55:66:77:88","issuerdn":"CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN","subject":"C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com"},"proto":"TCP","dest_port":9080,"dest_ip":"10.232.0.237","src_port":45884,"src_ip":"10.126.2.140","event_type":"tls","in_iface":"enp5s0","flow_id":1091813059495729,"timestamp":"2018-10-04T09:35:02.796615+0000"} +{"flow":{"start":"2020-06-26T11:00:02.970011-0400","bytes_toclient":4660,"bytes_toserver":1074,"pkts_toclient":8,"pkts_toserver":7},"app_proto":"tls","tls":{"ja3s":{"string":"742,48172,30210-30","hash":"391231ba5675e42807b9e1f457b2614e"},"ja3":{"string":"718,4682-2687-2686-41992-41911-53292-53297-41969-22905-41926-41924-94181-94711-15-23-95-12-11-205,0-33-50-53-6-61-39-23-34-85-81,93-04-52,3-9-3","hash":"3f1ea03f5822e8021b60cc3e4b233181"},"notafter":"2026-06-25T17:36:29","notbefore":"2016-06-27T17:36:29","version":"TLS 1.2","sni":"host.domain.net","fingerprint":"36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc","serial":"72:A9:2C:51","issuerdn":"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown","subject":"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown"},"alert":{"severity":3,"category":"","signature":"SURICATA TLS on unusual port","rev":1,"signature_id":2610003,"gid":1,"action":"allowed"},"proto":"TCP","dest_port":8443,"dest_ip":"10.128.2.48","src_port":64389,"src_ip":"10.137.3.54","event_type":"alert","in_iface":"enp0s31f6","flow_id":991192778198299,"timestamp":"2020-06-26T11:00:03.342282-0400"} diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index 793ce164746..6e06de5c66e 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json @@ -1536,5 +1536,146 @@ "user_agent.original": "Debian APT-HTTP/1.3 (1.6.3ubuntu0.1)", "user_agent.os.name": "Debian", "user_agent.version": "1.3" + }, + { + "@timestamp": "2018-10-04T09:35:02.796Z", + "destination.address": "10.232.0.237", + "destination.domain": "hostname.domain.net", + "destination.ip": "10.232.0.237", + "destination.port": 9080, + "event.category": [ + "network" + ], + "event.dataset": "suricata.eve", + "event.kind": "event", + "event.module": "suricata", + "event.original": "{\"tls\":{\"ja3s\":{\"string\":\"333,55555,66666-22\",\"hash\":\"0993626a07ad09e1ce91293be7aa5721\"},\"ja3\":{\"string\":\"001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0\",\"hash\":\"d92325c876e7279f4eb8c62415e3a6b7\"},\"notafter\":\"2024-07-16T14:52:35\",\"notbefore\":\"2019-07-17T14:52:35\",\"version\":\"TLS 1.2\",\"sni\":\"hostname.domain.net\",\"fingerprint\":\"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33\",\"serial\":\"00:11:22:33:44:55:66:77:88\",\"issuerdn\":\"CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN\",\"subject\":\"C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com\"},\"proto\":\"TCP\",\"dest_port\":9080,\"dest_ip\":\"10.232.0.237\",\"src_port\":45884,\"src_ip\":\"10.126.2.140\",\"event_type\":\"tls\",\"in_iface\":\"enp5s0\",\"flow_id\":1091813059495729,\"timestamp\":\"2018-10-04T09:35:02.796615+0000\"}", + "event.type": [ + "protocol" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 16546, + "network.community_id": "1:qsGDjYDIWp+kHhxotTdhPbUaWSo=", + "network.protocol": "tls", + "network.transport": "tcp", + "related.hash": [ + "00112233445566778899AABBCCDDEEFF00112233" + ], + "related.ip": [ + "10.126.2.140", + "10.232.0.237" + ], + "service.type": "suricata", + "source.address": "10.126.2.140", + "source.ip": "10.126.2.140", + "source.port": 45884, + "suricata.eve.event_type": "tls", + "suricata.eve.flow_id": 1091813059495729, + "suricata.eve.in_iface": "enp5s0", + "suricata.eve.tls.fingerprint": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33", + "suricata.eve.tls.issuerdn": "CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN", + "suricata.eve.tls.ja3.hash": "d92325c876e7279f4eb8c62415e3a6b7", + "suricata.eve.tls.ja3.string": "001,22222-33333-00-44444-66666-333-333-55555-55555-22-55555-44444-22-33-66666-77777-22-88888-99999-333-22-66666-77777-22-99999-96611-22-33-88888-33333-88888-333-22222-33333-333-222-88888-444-99999-22222-666-777-888,22-33-44-55-6,77-88-99-0-11-11-22-33-44-55,0", + "suricata.eve.tls.ja3s.hash": "0993626a07ad09e1ce91293be7aa5721", + "suricata.eve.tls.ja3s.string": "333,55555,66666-22", + "suricata.eve.tls.notafter": "2024-07-16T14:52:35", + "suricata.eve.tls.notbefore": "2019-07-17T14:52:35", + "suricata.eve.tls.serial": "00:11:22:33:44:55:66:77:88", + "suricata.eve.tls.sni": "hostname.domain.net", + "suricata.eve.tls.subject": "C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com", + "suricata.eve.tls.version": "TLS 1.2", + "tags": [ + "suricata" + ], + "tls.client.ja3": "d92325c876e7279f4eb8c62415e3a6b7", + "tls.client.server_name": "hostname.domain.net", + "tls.server.hash.sha1": "00112233445566778899AABBCCDDEEFF00112233", + "tls.server.issuer": "CN=UNKNOWN/DC=UNKNOWN/DC=UNKNOWN/C=UNKNOWN/ST=UNKNOWN/O=UNK-NOWN/OU=UNKNOWN", + "tls.server.ja3s": "0993626a07ad09e1ce91293be7aa5721", + "tls.server.not_after": "2024-07-16T14:52:35", + "tls.server.not_before": "2019-07-17T14:52:35", + "tls.server.subject": "C=UNKNOWN, ST=UNKNOWN, L=UNKNOWN, O=UNKNOWN, OU=UNKNOWN, CN=hostname.domain.net/emailAddress=user@domain.com", + "tls.version": "1.2", + "tls.version_protocol": "tls" + }, + { + "@timestamp": "2020-06-26T15:00:03.342Z", + "destination.address": "10.128.2.48", + "destination.bytes": 4660, + "destination.domain": "host.domain.net", + "destination.ip": "10.128.2.48", + "destination.packets": 8, + "destination.port": 8443, + "event.category": [ + "network", + "intrusion_detection" + ], + "event.dataset": "suricata.eve", + "event.kind": "alert", + "event.module": "suricata", + "event.original": "{\"flow\":{\"start\":\"2020-06-26T11:00:02.970011-0400\",\"bytes_toclient\":4660,\"bytes_toserver\":1074,\"pkts_toclient\":8,\"pkts_toserver\":7},\"app_proto\":\"tls\",\"tls\":{\"ja3s\":{\"string\":\"742,48172,30210-30\",\"hash\":\"391231ba5675e42807b9e1f457b2614e\"},\"ja3\":{\"string\":\"718,4682-2687-2686-41992-41911-53292-53297-41969-22905-41926-41924-94181-94711-15-23-95-12-11-205,0-33-50-53-6-61-39-23-34-85-81,93-04-52,3-9-3\",\"hash\":\"3f1ea03f5822e8021b60cc3e4b233181\"},\"notafter\":\"2026-06-25T17:36:29\",\"notbefore\":\"2016-06-27T17:36:29\",\"version\":\"TLS 1.2\",\"sni\":\"host.domain.net\",\"fingerprint\":\"36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc\",\"serial\":\"72:A9:2C:51\",\"issuerdn\":\"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown\",\"subject\":\"C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown\"},\"alert\":{\"severity\":3,\"category\":\"\",\"signature\":\"SURICATA TLS on unusual port\",\"rev\":1,\"signature_id\":2610003,\"gid\":1,\"action\":\"allowed\"},\"proto\":\"TCP\",\"dest_port\":8443,\"dest_ip\":\"10.128.2.48\",\"src_port\":64389,\"src_ip\":\"10.137.3.54\",\"event_type\":\"alert\",\"in_iface\":\"enp0s31f6\",\"flow_id\":991192778198299,\"timestamp\":\"2020-06-26T11:00:03.342282-0400\"}", + "event.severity": 3, + "event.start": "2020-06-26T15:00:02.970Z", + "event.type": [ + "allowed" + ], + "fileset.name": "eve", + "input.type": "log", + "log.offset": 17606, + "message": "", + "network.bytes": 5734, + "network.community_id": "1:W6fjhboFUwyEchJ3ELaqSBzDEJE=", + "network.packets": 15, + "network.protocol": "tls", + "network.transport": "tcp", + "related.hash": [ + "363FEE2A1CFADEADBEEF4299CFA9B09101EBA9CC" + ], + "related.ip": [ + "10.137.3.54", + "10.128.2.48" + ], + "rule.id": "2610003", + "rule.name": "SURICATA TLS on unusual port", + "service.type": "suricata", + "source.address": "10.137.3.54", + "source.bytes": 1074, + "source.ip": "10.137.3.54", + "source.packets": 7, + "source.port": 64389, + "suricata.eve.alert.category": "", + "suricata.eve.alert.gid": 1, + "suricata.eve.alert.rev": 1, + "suricata.eve.alert.signature": "SURICATA TLS on unusual port", + "suricata.eve.alert.signature_id": 2610003, + "suricata.eve.event_type": "alert", + "suricata.eve.flow_id": 991192778198299, + "suricata.eve.in_iface": "enp0s31f6", + "suricata.eve.tls.fingerprint": "36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc", + "suricata.eve.tls.issuerdn": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", + "suricata.eve.tls.ja3.hash": "3f1ea03f5822e8021b60cc3e4b233181", + "suricata.eve.tls.ja3.string": "718,4682-2687-2686-41992-41911-53292-53297-41969-22905-41926-41924-94181-94711-15-23-95-12-11-205,0-33-50-53-6-61-39-23-34-85-81,93-04-52,3-9-3", + "suricata.eve.tls.ja3s.hash": "391231ba5675e42807b9e1f457b2614e", + "suricata.eve.tls.ja3s.string": "742,48172,30210-30", + "suricata.eve.tls.notafter": "2026-06-25T17:36:29", + "suricata.eve.tls.notbefore": "2016-06-27T17:36:29", + "suricata.eve.tls.serial": "72:A9:2C:51", + "suricata.eve.tls.sni": "host.domain.net", + "suricata.eve.tls.subject": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", + "suricata.eve.tls.version": "TLS 1.2", + "tags": [ + "suricata" + ], + "tls.client.ja3": "3f1ea03f5822e8021b60cc3e4b233181", + "tls.client.server_name": "host.domain.net", + "tls.server.hash.sha1": "363FEE2A1CFADEADBEEF4299CFA9B09101EBA9CC", + "tls.server.issuer": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", + "tls.server.ja3s": "391231ba5675e42807b9e1f457b2614e", + "tls.server.not_after": "2026-06-25T17:36:29", + "tls.server.not_before": "2016-06-27T17:36:29", + "tls.server.subject": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", + "tls.version": "1.2", + "tls.version_protocol": "tls" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index ec02bba8dd1..5d44c5bd12f 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -43,6 +43,7 @@ "@timestamp": "2018-07-05T19:07:20.910Z", "destination.address": "192.168.156.70", "destination.bytes": 343, + "destination.domain": "l2.io", "destination.ip": "192.168.156.70", "destination.packets": 3, "destination.port": 443, @@ -96,6 +97,8 @@ "tags": [ "suricata" ], + "tls.client.server_name": "l2.io", + "tls.resumed": true, "tls.version": "1.2", "tls.version_protocol": "tls" }, diff --git a/x-pack/filebeat/module/suricata/fields.go b/x-pack/filebeat/module/suricata/fields.go index 578c30c9d6b..4cba3d5ee74 100644 --- a/x-pack/filebeat/module/suricata/fields.go +++ b/x-pack/filebeat/module/suricata/fields.go @@ -19,5 +19,5 @@ func init() { // AssetSuricata returns asset data. // This is the base64 encoded gzipped contents of module/suricata. func AssetSuricata() string { - return "eJzsXEuP27oV3udXaDerGE3QBMUsim7SRYG2iwDdEsfkkcyar5CUPe6vLyR7PLJFyuIDc3Fzk1UwCT+e94tH87HZ4+m5cb3lFDx8aBrPvcDn5vvbTxg6arnxXKvn5q8fmqZp/qlZL7BptW12oJjgqmv8Dptv//nW/OP7v//VCN25xljNeoqs2Z6ueJsPTdNyFMw9j0gfGwUSbygY/viTweems7o3l58EqBj+/H3Ealqr5UjB6z0jKUJ3TcsFbi7/fXrx9HI84PVnobsX7p/QgC9GW39mdyaMyYF7Ku4oUZ4MFNz88ytRezwdtWXXfwtigDHEWO010ZZ3+TiemuDhe8nEeLpBIq2AGymsJucNxrhdBGCrtUBQjwCudBBPy0gBui8jxZ1UIYAHf28kiUxMxFGoGet8GTctzxLH23GBXLW6kr26HXwqE8hA0PC3CAoIDnORG/C789HN8NeH6nshnEUuEFp172BBzmuLMRpWqr4DE7O+ta6wg89fvpZxItmXQlHw/2Vr++Zs0MA5lSaeFuLafj3P0HkypKfg+RCBZ/KGc1zBkPU2N8eDtzhLcy5xurcUV+CPWS0RXKE/arvfeAvKrbiCgiFUhVl4LOdBAjycNh/yPzkX1qG6P56dj+eGlBrwbQ2MhQi5FoO91YyZEKVh1HtRcNpSzQplkEH9NU0JfZxzn1AjogR+z3521vXg+6xC5CbKJbvfNMY98sExDgdUtlbgO+9rFdWL4lpKOQMNG4vOaOVwc4a55Slmq8i4RRor9Vaa63A96R1aAh3OAu0aBt4Ob4YOhysQjy4dMwfVMU9NId1iizZf7D96dH4zgtgJTuTG3sZIXhSQFasls9POZ1aqwzVMS+APKzSBqvOx5m29rW41O222J49ulaYk+p2OBcfVqrpDWbqQauUj/Xta580lOg8yNZI9/e168ulBHFOEt0BLpgwCI4Veeiij4LHT9lRYgeMBLfcxlCWFj2OXzQwgGgcPBRm/K2vaeKfA97awZgA6pLtsSeneUy0fJowrsTkV1hVkNvXJNjPB4wknBBcDvMsr5IDWhcS5UikTXnXrj2CxFPHNJewhmqx+Io6nNVGtJomCWfCzPOHt0SoUxADdY2DmtiYQzMCY1YEBShYUb/PBrhWLGXJQQYRj6OM1Zp7YQ7kqjahA3V5GkkRJYX4sTW0SZe/msk5hrOUCyTjGq8qeNqjIgF1mTAxbC/dPGIWChxcygJIdL/ZAbg5/jkKEyYsTeFv+6T5I3Tr6Juq10ElUVbAsgnMotyIw8V2LNpHcfGD7S3KP3VXoY1V38HToaHOjyCTsswrBrDwiokTbEakZElQeQ48T2YA6VEqloc2fVFMROJVLrpMAEo9c60CcgUDSePcEFhJpUX3rsGeatMDD3pokIqfI2azHKq1Ua8qh9YSBh9EWBZiRzFIi0Q2Fd2kuPMutlJaTCr2s58tJaStBVBFT4MH+3Yx9ytwBBGeE7pDuXS+LlT8muYpWerHMOjoU3PkaygvtJyQKylsESRgavyMWge6Ko8O1KjiRKqYxweuKFfAaYBhvWxJ8ZEvDU5oEa5e0boBqVnmcAYeOmL0nwef7NBZvB9N5GOUFgoU8IU8iuSml4SBAkR9c/SjEeVK9EE+FIMIPKFGQ/GajV64355W/8MR/LaUT0e898VoTJyFIclauKJRfV1zlLbbJFfrFlWa9r9HvfyVckQrUcLPkqPlG+VofcLMwUU2OB/q3bw/Z7LGqqSCuug43xL3SOoMGBo2JdSa81EppYwddWtRLI0odzy0E8N9b34zWmWIzQb9Dq7C0qh0ic62Ahoh/+dPnTzB/5k+q8QKNaPmcnXRCb6HUhi5Y4b3Z95/cC30ksqtbDlt9dGTbu/kjehp/A3GOXMaxVbCUroM2cuj23JjiBo4K7ZARY3tVjKXwWAfoLC2LUh+KsbYnM7SUlVgcV5DrsXgxB8JVeet8RhxnKuVt/QAl4UVgaZC3lYlCaQLbMSkxB4whAk6Ve/DFwUDBY1Cw7Eh+BwrWY6kowffjDGLGqTQJV9OpYEy5ikjhyUUqkpM15VSHJunye6ilNaYcFC6Dk71khVG0htbS/hmslgFss1Gujv/yK5r8wQNAHW/7+dwkbs1x/1hek1Pab7GN7w+xabMUweDO9WhZbB917bKj4mUAsYFZGhXn51Ri0fWy9NvIlqsOrbE8ura6fhGUB/rfJAylPbQ+WvutUbTrt//N/IBkWoKed1Ajm56rUAIlZ64DjM8+xOvF7eKllerp90erPm5wHgLrjI8vumy535yOXGH2vhpP99uukSuhK9karfAx86siF5eml5i+fMe5SocWwZWGmouSSuldqR9UsWC2xvPHFdy8cDjz/KDjPv4CePYNWDgzBj4HXZtVJ7Hp/vdLJMSmQAmUG5ssNZ7MBJZoZhK4IK3V812TJJgdiixC5sLFF4N0bkxJ4X/+y0gey/j/AQAA//93dIZ1" + return "eJzsXEuP67YV3t9fod2sYjRpExSzKLpJFwXaLgJ0SxyTRxJjvi5J2eP++kKyxyNbpCw+MEWTO6uBZ/jxvHhePPR3zQHPr40bLKfg4UvTeO4Fvja/fHzC0FHLjedavTZ/+dI0TfMPzQaBTatt04Nigquu8T02P//75+bvv/zrn43QnWuM1WygyJr9+Ya3+9I0LUfB3OuE9F2jQOIdBeOPPxt8bTqrB3P9JEDF+PO3CatprZYTBe/7TKQI3TUtF7i7/vt84/nmeMTbZ6G9V/af0YBvRlt/YXchjNmCRyoeKFGejBTc/fmdqAOeT9qy29+CGGAMMVZ7TbTlXT6Opya4+FEyMZ7ukEgr4E4Km8n5gDGujwDstRYI6hnAjQ7iaRkpQA9lpLizKgTw4B+NJJGJmTgKNWOdL+Om5Vni+FgukKtWV7JX18P3ZQIZCRp/i6CA4LAUuQHfX5buxl+fqu+NcBbZQGjVfYIFOa8txmjYqPoOTMz6th6FHn748acyTiT7sVAU/D/Z2r5bGzRwTqWJh4W4tt/XM3SejOEpuD5E4IW8cR1XMEa93d3y4C7O0pxNnB4sxQ34U1RLBFfoT9oedt6Cchu2oGAIVWEWnst5lAAPh82n/M/WhXWoHpdnx+OlIaU6fFsDY8VDbsVgHzljJkSpG/VeFKy2VLNCGWRQfwtTQp+W3CfkiCiBP7KfHXU9+CErEbnzcsnHb+7jnp3ByQ8HVLZV4L33tZLqVXGthZyRhp1FZ7RyuLvA3PMUs1Vk3CKNpXobzXXcngwOLYEOF452CwMfi3djhcMViGebTpGD6thJTSHdYos2X+xfB3R+N4HYGU5kx8HGSF4VkBWbJdNr5zMz1XEbpiXwpxmaQNX5WPG23Vb3mp13+7NHt0lTEn2vY85xs6oeUNY2pFr5SP2eVnlzic6DTPVkL3+9rXx54scU4S3Qki6DwEiil+7KKHjstD0XZuB4RMt9DGVN4VPbZbcAiPrBY0HE78qKNt4p8IMtzBmAjuEuW1J68FTLpwHjRmxOhnUDWXR9ss1M8HjACcHFAB/iCjmidSFxblTKjFfd+hNYLEX8OBL2GA1WvyGO5zlRrSKJglk5Z3nCO6BVKIgBesBAz22LI1iAMasDDZQsKN7mg90yFjPGoAIPx9DHc8w8sYdiVRpRgby9jCSJksJyWZraJMrBLWWdwljLBZKpjVeVPW1QkRG7zJgYthYerzAKBQ9vZAQlPS8+gdwc/xSFCJMXJ/A+/dNDkLpt9M3Ua6GTqKpgWQTnUO5FoOO7FW0muWXD9pvknh9XoU9Vj4OnY0Wb60Vmbp9VcGblHhEl2o5IzZCg8hi6nMgG1KFUKg1teaWaisCpXDs6CSBxz7UNxBkIBI1PD2AhkRbltw4HpkkLPHxak0TkFLmY9ZSllWpNObSeMPAw2aIAM5FZSiS6MfEujYUXuZXSclahm/V8OSltJYgqYgpc2H+asc+ZO4LgjNAe6cENslj5U5CraKVXy6yjQ8Gdr6G80HxCoqC8RZCEofE9sQi0L/YOt6zgTKqYxgyvK1bAu4NhvG1J8JItDU9pEsxd0qoBqlnldgYcO2IOngSv79NYvG9M52GUJwgW8oQ88+SmlIajAEW+cvW1EOdFDUK8FIIIP6JEQfKLjUG5wVxG/sId/62UzkR/8MRrTZyEIMlZsaJQfl1xlrdaJleoFzea9aFGvf8T4YpUoIabtYOab5Tv+QE3Kx3VZH+g//flIVtcVjUVxFX3wI1+rzTPoIFGY2KeCW+1QtpUQZcm9dKI0oPnVhz4/1vdjNaZYjNB36NVWJrVjp65lkNDxD//4YfvYXnNn5TjBQrR8j476YTeQ6kNXbHCc7Of37kX+kRkVzcdtvrkyH5wy0v0NP5G4hy5tmOrYCldB23i0B24McUFHBXaISPGDqoYS+GpDtBFWhalPhZj7c9mLCkrsTiNINdj8WoOhKvy0vmCOPVUysv6EUrCm8BSJ28rE4XSBKZjUnwOGEMEnCvX4KuNgYLLoGDakXwPFMzHUlGC98cZxExdaRLOplPBmHIVkcKdi1QkJ2vKqQ5N0uXXUGtjTDkoXAY7e8kKo2gNraX9C1gtA9hno9wO/ts3b/I7dwB1Tttv75jErTl+PtbH5JT2e2zj80NsXixFMLhzA1oWm0fdOuyoeBlArGGWRsXlOpVYdIMsfRvZctWhNZZHx1a3D4LyQP2bhKG0h9ZHc78tinbD/tfiByS/wh/TegQMWxiEJ5Mhj8mBCBQMzyOA85ar5TBanP4lRA+rfmm7AH6H/M9rkMsQcmTUdxNKoObI9YDTvR/xenW8fG2mfv4AbdPrFuchMM/6fKPrM4e71ZEtzMFX4+lx3DmyJXQlY8MVXrO/K3J1an6N6etD3k06tAiuNNZclVRK70b9oIpFsy2uf5rBzouHi5MfPLjPn4AvHgGGU6PAe+CtadXMNz1+wUiCbwrkwLm+yVLjyUJgiWYmgQvSWr0cNkqC6VFkEbIULr4ZpEtjSnL/y2+jeS7j/wYAAP//9F32EA==" }