[Auditbeat] Add system module socket dataset ECS categorization fields (
elastic#18036)

* [Auditbeat] Add system module socket dataset ECS categorization fields

* Add changelog entry

* Add related fields and additional connection type

* Update integration test expectations

(cherry picked from commit ed3a0e9)
Andrew Stucki committed May 5, 2020
1 parent de2248f commit 361a798
Showing 4 changed files with 37 additions and 5 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -283,6 +283,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix syscall kprobe arguments for 32-bit systems in socket module. {pull}17500[17500]
- Fix memory leak on when we miss socket close kprobe events. {pull}17500[17500]
- Add system module process dataset ECS categorization fields. {pull}18032[18032]
- Add system module socket dataset ECS categorization fields. {pull}18036[18036]

*Filebeat*

20 changes: 19 additions & 1 deletion x-pack/auditbeat/module/system/socket/state.go
Expand Up @@ -884,6 +884,11 @@ func (f *flow) toEvent(final bool) (ev mb.Event, err error) {
if inetType == inetTypeIPv6 && f.local.addr.IP.To4() != nil && f.remote.addr.IP.To4() != nil {
inetType = inetTypeIPv4
}
eventType := []string{"info"}
if inetType == inetTypeIPv6 || inetType == inetTypeIPv4 {
eventType = append(eventType, "connection")
}

root := common.MapStr{
"source": src,
"client": src,
Expand All @@ -906,7 +911,8 @@ func (f *flow) toEvent(final bool) (ev mb.Event, err error) {
"event": common.MapStr{
"kind": "event",
"action": "network_flow",
"category": "network_traffic",
"category": []string{"network", "network_traffic"},
"type": eventType,
"start": f.createdTime,
"end": f.lastSeenTime,
"duration": f.lastSeenTime.Sub(f.createdTime).Nanoseconds(),
Expand All @@ -917,6 +923,17 @@ func (f *flow) toEvent(final bool) (ev mb.Event, err error) {
},
}

relatedIPs := []string{}
if len(localAddr.IP) != 0 {
relatedIPs = append(relatedIPs, localAddr.IP.String())
}
if len(localAddr.IP) > 0 {
relatedIPs = append(relatedIPs, remoteAddr.IP.String())
}
if len(relatedIPs) > 0 {
root.Put("related.ip", relatedIPs)
}

metricset := common.MapStr{
"kernel_sock_address": fmt.Sprintf("0x%x", f.sock),
}
Expand All @@ -940,6 +957,7 @@ func (f *flow) toEvent(final bool) (ev mb.Event, err error) {
root.Put("group.id", gid)
if name := userCache.LookupUID(uid); name != "" {
root.Put("user.name", name)
root.Put("related.user", []string{name})
}
if name := groupCache.LookupGID(gid); name != "" {
root.Put("group.name", name)
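Review bot: The second guard in the new related.ip block tests the wrong address — `if len(localAddr.IP) > 0 {` gates the append of `remoteAddr.IP.String()`, so a flow with a local address but no remote one emits the literal "<nil>" string for the remote side, and a flow with only a remote address drops it; it should read `if len(remoteAddr.IP) > 0 {`. The two checks also spell the same test differently (`!= 0` vs `> 0`), which is what makes the copy-paste easy to miss; write both the same way. Since the `len(relatedIPs) > 0` guard already handles the empty case, `var relatedIPs []string` would do instead of `relatedIPs := []string{}`. toEvent begins and ends outside the hunks shown, so it is not visible here whether localAddr and remoteAddr can in fact be unset independently.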
17 changes: 15 additions & 2 deletions x-pack/auditbeat/module/system/socket/state_test.go
Expand Up @@ -54,7 +54,7 @@ func TestTCPConnWithProcess(t *testing.T) {
lAddr, rAddr := ipv4(localIP), ipv4(remoteIP)
evs := []event{
callExecve(meta(1234, 1234, 1), []string{"/usr/bin/curl", "https://example.net/", "-o", "/tmp/site.html"}),
&commitCreds{Meta: meta(1234, 1234, 2), UID: 501, GID: 20, EUID: 501, EGID: 20},
&commitCreds{Meta: meta(1234, 1234, 2), UID: 0, GID: 20, EUID: 501, EGID: 20},
&execveRet{Meta: meta(1234, 1234, 2), Retval: 1234},
&inetCreate{Meta: meta(1234, 1235, 5), Proto: 0},
&sockInitData{Meta: meta(1234, 1235, 5), Sock: sock},
Expand Down Expand Up @@ -119,7 +119,12 @@ func TestTCPConnWithProcess(t *testing.T) {
"network.type": "ipv4",
"process.pid": 1234,
"process.name": "curl",
"user.id": "501",
"user.id": "0",
"user.name": "root",
"event.type": []string{"info", "connection"},
"event.category": []string{"network", "network_traffic"},
"related.ip": []string{localIP, remoteIP},
"related.user": []string{"root"},
} {
if !assertValue(t, flow, expected, field) {
t.Fatal("expected value not found")
Expand Down Expand Up @@ -212,6 +217,8 @@ func TestTCPConnWithProcessSocketTimeouts(t *testing.T) {
"process.pid": 1234,
"process.name": "curl",
"user.id": "501",
"event.type": []string{"info", "connection"},
"event.category": []string{"network", "network_traffic"},
} {
if !assertValue(t, flow, expected, field) {
t.Fatal("expected value not found")
Expand All @@ -234,6 +241,8 @@ func TestTCPConnWithProcessSocketTimeouts(t *testing.T) {
"network.direction": "unknown",
"network.transport": "tcp",
"network.type": "ipv4",
"event.type": []string{"info", "connection"},
"event.category": []string{"network", "network_traffic"},
} {
if !assertValue(t, flow, expected, field) {
t.Fatal("expected value not found")
Expand Down Expand Up @@ -300,6 +309,8 @@ func TestUDPOutgoingSinglePacketWithProcess(t *testing.T) {
"process.pid": 1234,
"process.name": "exfil-udp",
"user.id": "501",
"event.type": []string{"info", "connection"},
"event.category": []string{"network", "network_traffic"},
} {
assertValue(t, flow, expected, field)
}
Expand Down Expand Up @@ -370,6 +381,8 @@ func TestUDPIncomingSinglePacketWithProcess(t *testing.T) {
"process.pid": 1234,
"process.name": "exfil-udp",
"user.id": "501",
"event.type": []string{"info", "connection"},
"event.category": []string{"network", "network_traffic"},
} {
assertValue(t, flow, expected, field)
}
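Review bot: The new `"related.ip": []string{localIP, remoteIP}` expectation in TestTCPConnWithProcess only covers a flow where both endpoints carry an address, so a guard on the wrong address in the related.ip construction would still pass; a case with one side unset would pin the intended behaviour. Changing the test credentials to UID 0 also makes `"user.name": "root"` and `"related.user": []string{"root"}` depend on the host's passwd lookup resolving UID 0 to "root", which holds on typical CI hosts but deserves a comment such as `// UID 0 is used so the user-name lookup resolves to "root" on any standard host.` next to the changed commitCreds line. The other four hunks add the same event.type / event.category pairs and need no further change. Each test function begins outside the hunks shown.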
4 changes: 2 additions & 2 deletions x-pack/auditbeat/tests/system/test_system_socket.py
Expand Up @@ -617,7 +617,7 @@ def expected(self):
"destination.packets": 1,
"destination.port": self.dns_server_addr[1],
"event.action": "network_flow",
"event.category": "network_traffic",
"event.category": ["network", "network_traffic"],
"event.dataset": "socket",
"event.kind": "event",
"event.module": "system",
Expand Down Expand Up @@ -648,7 +648,7 @@ def expected(self):
"destination.packets": server_packets,
"destination.port": self.server_addr[1],
"event.action": "network_flow",
"event.category": "network_traffic",
"event.category": ["network", "network_traffic"],
"event.dataset": "socket",
"event.kind": "event",
"event.module": "system",
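Review bot: The two changed `"event.category"` entries pick up the new list value, but neither expected dictionary gains an `event.type` entry, so the integration test does not verify that field end to end; adding `"event.type": ["info", "connection"],` beside each category line would cover it. If the dictionaries are compared as a subset of the emitted event this passes silently either way, but that comparison is not visible in these hunks, and `expected` begins outside them.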
