From a5f722f804d8226ab7343043b16762395e3e0a1e Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Thu, 18 Jun 2020 13:44:06 -0400 Subject: [PATCH] [Packetbeat] ECS 1.5 update (#19167) * Add packetbeat changes * Fix up tests * Add changelog entry * Add compile time upgrade guard as a reminder and add inline marshal tag for ecs * Fix early termination for marshaling code (cherry picked from commit 9e9aa8880ef36efc2f60c24648e17361a33e11fe) --- CHANGELOG.next.asciidoc | 1 + packetbeat/docs/fields.asciidoc | 628 +++++++++++ packetbeat/pb/ecs.go | 60 ++ packetbeat/pb/event.go | 59 +- packetbeat/pb/event_test.go | 24 +- packetbeat/protos/amqp/amqp.go | 1 + packetbeat/protos/dhcpv4/dhcpv4.go | 3 + packetbeat/protos/dhcpv4/dhcpv4_test.go | 13 +- packetbeat/protos/dns/dns.go | 9 +- packetbeat/protos/dns/names_test.go | 3 +- packetbeat/protos/icmp/icmp.go | 2 + packetbeat/protos/memcache/memcache.go | 28 +- packetbeat/protos/nfs/request_handler.go | 9 +- packetbeat/protos/redis/redis.go | 6 + packetbeat/protos/tls/_meta/fields.yml | 986 ++++++++++++------ packetbeat/protos/tls/fields.go | 2 +- packetbeat/protos/tls/parse.go | 17 +- packetbeat/protos/tls/tls.go | 6 + packetbeat/protos/tls/tls_test.go | 2 +- .../golden/established_tls-expected.json | 57 +- .../golden/non_established_tls-expected.json | 13 +- .../tests/system/golden/tls_1_3-expected.json | 13 +- .../golden/tls_all_options-expected.json | 57 +- .../system/golden/tls_no_certs-expected.json | 13 +- .../golden/tls_not_detailed-expected.json | 13 +- .../test_0040_memcache_tcp_bin_basic.py | 2 +- packetbeat/tests/system/test_0050_icmp.py | 4 +- .../tests/system/test_0051_amqp_publish.py | 68 +- .../system/test_0052_amqp_emit_receive.py | 145 +-- .../system/test_0053_amqp_channel_error.py | 81 +- 30 files changed, 1799 insertions(+), 526 deletions(-) create mode 100644 packetbeat/pb/ecs.go diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 05bc218a4e8a..e0085cc37089 100644 --- a/CHANGELOG.next.asciidoc 
+++ b/CHANGELOG.next.asciidoc @@ -575,6 +575,7 @@ field. You can revert this change by configuring tags for the module and omittin *Packetbeat* +- Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167] *Functionbeat* diff --git a/packetbeat/docs/fields.asciidoc b/packetbeat/docs/fields.asciidoc index 48167602c8e1..2f3736038172 100644 --- a/packetbeat/docs/fields.asciidoc +++ b/packetbeat/docs/fields.asciidoc 
@@ -10343,6 +10343,550 @@ Detailed TLS-specific event fields. + +*`tls.client.x509.version`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.client.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.client.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`tls.client.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA + +-- + +*`tls.client.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: DigiCert SHA2 High Assurance Server CA + +-- + +*`tls.client.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.digicert.com + +-- + +*`tls.client.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: DigiCert Inc + +-- + +*`tls.client.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`tls.client.x509.issuer.province`*:: ++ +-- +Province or region within country. + +type: keyword + +-- + +*`tls.client.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.client.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`tls.client.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. 
Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + +type: keyword + +example: SHA256-RSA + +-- + +*`tls.client.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25 + +-- + +*`tls.client.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39 + +-- + +*`tls.client.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + +-- + +*`tls.client.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: r2.shared.global.fastly.net + +-- + +*`tls.client.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`tls.client.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Fastly, Inc. + +-- + +*`tls.client.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`tls.client.x509.subject.province`*:: ++ +-- +Province or region within country. + +type: keyword + +-- + +*`tls.client.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.client.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`tls.client.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`tls.client.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. 
+ +type: long + +example: 2048 + +-- + +*`tls.client.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + + + +*`tls.server.x509.version`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.server.x509.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + +*`tls.server.x509.serial_number`*:: ++ +-- +Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. + + +type: keyword + +example: 55FBB9C7DEBF09809D12CCAA + +-- + +*`tls.server.x509.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of issuing certificate authority. + +type: keyword + +example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.common_name`*:: ++ +-- +List of common name (CN) of issuing certificate authority. + +type: keyword + +example: DigiCert SHA2 High Assurance Server CA + +-- + +*`tls.server.x509.issuer.organizational_unit`*:: ++ +-- +List of organizational units (OU) of issuing certificate authority. + +type: keyword + +example: www.digicert.com + +-- + +*`tls.server.x509.issuer.organization`*:: ++ +-- +List of organizations (O) of issuing certificate authority. + +type: keyword + +example: DigiCert Inc + +-- + +*`tls.server.x509.issuer.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: Mountain View + +-- + +*`tls.server.x509.issuer.province`*:: ++ +-- +Province or region within country. 
+ +type: keyword + +-- + +*`tls.server.x509.issuer.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.issuer.country`*:: ++ +-- +List of country (C) codes + +type: keyword + +example: US + +-- + +*`tls.server.x509.signature_algorithm`*:: ++ +-- +Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + +type: keyword + +example: SHA256-RSA + +-- + +*`tls.server.x509.not_before`*:: ++ +-- +Time at which the certificate is first considered valid. + +type: date + +example: 2019-08-16 01:40:25 + +-- + +*`tls.server.x509.not_after`*:: ++ +-- +Time at which the certificate is no longer considered valid. + +type: date + +example: 2020-07-16 03:15:39 + +-- + +*`tls.server.x509.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + +-- + +*`tls.server.x509.subject.common_name`*:: ++ +-- +List of common names (CN) of subject. + +type: keyword + +example: r2.shared.global.fastly.net + +-- + +*`tls.server.x509.subject.organizational_unit`*:: ++ +-- +List of organizational units (OU) of subject. + +type: keyword + +-- + +*`tls.server.x509.subject.organization`*:: ++ +-- +List of organizations (O) of subject. + +type: keyword + +example: Fastly, Inc. + +-- + +*`tls.server.x509.subject.locality`*:: ++ +-- +List of locality names (L) + +type: keyword + +example: San Francisco + +-- + +*`tls.server.x509.subject.province`*:: ++ +-- +Province or region within country. 
+ +type: keyword + +-- + +*`tls.server.x509.subject.state_or_province`*:: ++ +-- +List of state or province names (ST, S, or P) + +type: keyword + +example: California + +-- + +*`tls.server.x509.subject.country`*:: ++ +-- +List of country (C) code + +type: keyword + +example: US + +-- + +*`tls.server.x509.public_key_algorithm`*:: ++ +-- +Algorithm used to generate the public key. + +type: keyword + +example: RSA + +-- + +*`tls.server.x509.public_key_size`*:: ++ +-- +The size of the public key space in bits. + +type: long + +example: 2048 + +-- + +*`tls.server.x509.alternative_names`*:: ++ +-- +List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + +type: keyword + +example: *.elastic.co + +-- + + *`tls.detailed.version`*:: + -- @@ -10592,6 +11136,17 @@ type: long -- +*`tls.detailed.client_certificate.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + *`tls.detailed.client_certificate.serial_number`*:: + -- @@ -10717,6 +11272,17 @@ type: keyword -- +*`tls.detailed.client_certificate.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + +-- + [float] === issuer @@ -10777,6 +11343,17 @@ type: keyword -- +*`tls.detailed.client_certificate.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate issuer entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + +-- + [float] === server_certificate @@ -10792,6 +11369,17 @@ type: long -- +*`tls.detailed.server_certificate.version_number`*:: ++ +-- +Version of x509 format. + +type: keyword + +example: 3 + +-- + *`tls.detailed.server_certificate.serial_number`*:: + -- 
@@ -10899,6 +11487,15 @@ type: keyword -- +*`tls.detailed.server_certificate.subject.state_or_province`*:: ++ +-- +Province or region within country. + +type: keyword + +-- + *`tls.detailed.server_certificate.subject.common_name`*:: + -- @@ -10917,6 +11514,17 @@ type: keyword -- +*`tls.detailed.server_certificate.subject.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate subject entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + +-- + [float] === issuer @@ -10959,6 +11567,15 @@ type: keyword -- +*`tls.detailed.server_certificate.issuer.state_or_province`*:: ++ +-- +Province or region within country. + +type: keyword + +-- + *`tls.detailed.server_certificate.issuer.common_name`*:: + -- @@ -10977,6 +11594,17 @@ type: keyword -- +*`tls.detailed.server_certificate.issuer.distinguished_name`*:: ++ +-- +Distinguished name (DN) of the certificate issuer entity. + +type: keyword + +example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + +-- + *`tls.detailed.server_certificate_chain`*:: + -- diff --git a/packetbeat/pb/ecs.go b/packetbeat/pb/ecs.go new file mode 100644 index 000000000000..b7722c2c22ae --- /dev/null +++ b/packetbeat/pb/ecs.go 
@@ -0,0 +1,60 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package pb
+
+import (
+ "github.com/elastic/ecs/code/go/ecs"
+)
+
+// Fixes for non-array datatypes
+// =============================
+//
+// Code at github.com/elastic/ecs/code/go/ecs has some fields as string
+// when they should be []string.
+//
+// Once the code generator is fixed, this code will no longer compile
+// which reminds us to strip out the overrides below
+var (
+ compileTimeUpgradeCheckEvent = ecs.Event{
+ Type: "remove this when we upgrade ECS",
+ }
+ compileTimeUpgradeCheckRelated = ecs.Related{
+ User: "remove this when we upgrade ECS",
+ }
+)
+
+type ecsEvent struct {
+ ecs.Event `ecs:",inline"`
+ // overridden because this needs to be an array
+ Category []string `ecs:"category"`
+ // overridden because this needs to be an array
+ Type []string `ecs:"type"`
+}
+
+type ecsRelated struct {
+ ecs.Related `ecs:",inline"`
+ // overridden because this needs to be an array
+ IP []string `ecs:"ip"`
+ // overridden because this needs to be an array
+ User []string `ecs:"user"`
+ // overridden because this needs to be an array
+ Hash []string `ecs:"hash"`
+
+ // for de-dup
+ ipSet map[string]struct{}
+}
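Review bot: The compile-time upgrade guards only exercise `Event.Type` and `Related.User`, while the overrides further down also shadow `Category`, `IP` and `Hash`; if the ECS generator fixes one of those three independently, this file keeps compiling and the now-redundant override silently hides the upstream `[]string`, which is exactly the drift the guard is meant to catch. Assigning a string to every overridden field (presuming they are all `string` upstream, as the "needs to be an array" comments imply) makes the reminder fire for each one. The `ipSet` field is only kept out of the event because it carries no `ecs` tag, which is worth stating in place, e.g. `// no ecs tag on purpose: marshalStruct skips untagged fields, so this never reaches the event`.
```go
// … unchanged: license, package clause, import and explanatory comment …
var (
	compileTimeUpgradeCheckEvent = ecs.Event{
		Category: "remove this when we upgrade ECS",
		Type:     "remove this when we upgrade ECS",
	}
	compileTimeUpgradeCheckRelated = ecs.Related{
		IP:   "remove this when we upgrade ECS",
		User: "remove this when we upgrade ECS",
		Hash: "remove this when we upgrade ECS",
	}
)
// … unchanged: ecsEvent and ecsRelated definitions …
```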
diff --git a/packetbeat/pb/event.go b/packetbeat/pb/event.go index d4330b542eac..73387c7f796d 100644 --- a/packetbeat/pb/event.go +++ b/packetbeat/pb/event.go @@ -18,8 +18,10 @@ package pb import ( + "fmt" "net" "reflect" + "strings" "time" "github.com/pkg/errors" @@ -54,8 +56,9 @@ type Fields struct { Destination *ecs.Destination `ecs:"destination"` Client *ecs.Client `ecs:"client"` Server *ecs.Server `ecs:"server"` + Related *ecsRelated `ecs:"related"` Network ecs.Network `ecs:"network"` - Event ecs.Event `ecs:"event"` + Event ecsEvent `ecs:"event"` SourceProcess *ecs.Process `ecs:"source.process"` DestinationProcess *ecs.Process `ecs:"destination.process"` @@ -72,10 +75,13 @@ type Fields struct { // NewFields returns a new Fields value. func NewFields() *Fields { return &Fields{ - Event: ecs.Event{ - Duration: -1, - Kind: "event", - Category: "network_traffic", + Event: ecsEvent{ + Event: ecs.Event{ + Duration: -1, + Kind: "event", + }, + Type: []string{"connection", "protocol"}, + Category: []string{"network_traffic", "network"}, }, } } @@ -112,6 +118,7 @@ func (f *Fields) SetSource(endpoint *common.Endpoint) { if f.Source == nil { f.Source = &ecs.Source{} } + f.AddIP(endpoint.IP) f.Source.IP = endpoint.IP f.Source.Port = int64(endpoint.Port) f.Source.Domain = endpoint.Domain @@ -126,6 +133,7 @@ func (f *Fields) SetDestination(endpoint *common.Endpoint) { if f.Destination == nil { f.Destination = &ecs.Destination{} } + f.AddIP(endpoint.IP) f.Destination.IP = endpoint.IP f.Destination.Port = int64(endpoint.Port) f.Destination.Domain = endpoint.Domain 
@@ -135,6 +143,21 @@ func (f *Fields) SetDestination(endpoint *common.Endpoint) { } } +// AddIP adds the given ip addresses to the related ECS IP field +func (f *Fields) AddIP(ip ...string) { + if f.Related == nil { + f.Related = &ecsRelated{ + ipSet: make(map[string]struct{}), + } + } + for _, ipAddress := range ip { + if _, ok := f.Related.ipSet[ipAddress]; !ok { + f.Related.ipSet[ipAddress] = struct{}{} + f.Related.IP = append(f.Related.IP, ipAddress) + } + } +} + func makeProcess(p *common.Process) *ecs.Process { return &ecs.Process{ Name: p.Name, @@ -314,7 +337,21 @@ func marshalStruct(m common.MapStr, key string, val reflect.Value) error { structField := typ.Field(i) tag := getTag(structField) if tag == "" { - break + continue + } + + inline := false + tags := strings.Split(tag, ",") + if len(tags) > 1 { + for _, flag := range tags[1:] { + switch flag { + case "inline": + inline = true + default: + return fmt.Errorf("Unsupported flag %q in tag %q of type %s", flag, tag, typ) + } + } + tag = tags[0] } fieldValue := val.Field(i) @@ -322,8 +359,14 @@ func marshalStruct(m common.MapStr, key string, val reflect.Value) error { continue } - if _, err := m.Put(key+"."+tag, fieldValue.Interface()); err != nil { - return err + if inline { + if err := marshalStruct(m, key, fieldValue); err != nil { + return err + } + } else { + if _, err := m.Put(key+"."+tag, fieldValue.Interface()); err != nil { + return err + } } } return nil diff --git a/packetbeat/pb/event_test.go b/packetbeat/pb/event_test.go index b44bd4c5c4c3..1fdb84257565 100644 --- a/packetbeat/pb/event_test.go +++ b/packetbeat/pb/event_test.go @@ -41,7 +41,8 @@ func TestMarshalMapStr(t *testing.T) { assert.Equal(t, common.MapStr{ "event": common.MapStr{ "kind": "event", - "category": "network_traffic", + "category": []string{"network_traffic", "network"}, + "type": []string{"connection", "protocol"}, }, "source": common.MapStr{"ip": "127.0.0.1"}, }, m) 
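Review bot: AddIP appends whatever string it receives, so an empty `endpoint.IP` passed by SetSource or SetDestination (the two callers added in this file) yields `related.ip: [""]`; the scalar `source.ip` is dropped in that case because isEmptyValue skips empty strings, but a one-element slice is not empty, and `""` is not a valid value for an `ip`-mapped field such as ECS `related.ip`, so the whole document would be rejected at index time. Skip blanks before de-duplicating: `if ipAddress == "" { continue }` as the first statement of the loop. Whether Endpoint.IP can actually be empty on these paths is not visible from the hunk.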
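Review bot: The error returned for an unknown tag flag is capitalised (`"Unsupported flag …"`), against the Go convention that error strings are lowercase and unpunctuated because they are usually wrapped; `return fmt.Errorf("unsupported flag %q in tag %q of type %s", flag, tag, typ)`. The `inline` flag is also honoured for any field kind, and the recursion into marshalStruct happens without checking `fieldValue.Kind() == reflect.Struct`; if the function's head (outside this hunk) does not guard on Kind, a mis-tagged non-struct field would surface as a reflect panic rather than the error path this hunk otherwise takes. marshalStruct begins and ends outside the hunk.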
@@ -73,3 +74,24 @@ func TestIsEmptyValue(t *testing.T) { assert.False(t, isEmptyValue(reflect.ValueOf(time.Duration(0)))) assert.True(t, isEmptyValue(reflect.ValueOf(time.Duration(-1)))) } + +func TestSkipFields(t *testing.T) { + m := common.MapStr{} + if err := MarshalStruct(m, "test", &struct { + Field1 string `ecs:"field1"` + Field2 string + Field3 string `ecs:"field3"` + }{ + Field1: "field1", + Field2: "field2", + Field3: "field3", + }); err != nil { + t.Fatal(err) + } + assert.Equal(t, common.MapStr{ + "test": common.MapStr{ + "field1": "field1", + "field3": "field3", + }, + }, m) +} diff --git a/packetbeat/protos/amqp/amqp.go b/packetbeat/protos/amqp/amqp.go index 8b5689e4f2e7..c361c3e7fe69 100644 --- a/packetbeat/protos/amqp/amqp.go +++ b/packetbeat/protos/amqp/amqp.go @@ -435,6 +435,7 @@ func (amqp *amqpPlugin) publishTransaction(t *amqpTransaction) { pbf.Event.Start = t.ts pbf.Event.End = t.endTime pbf.Event.Dataset = "amqp" + pbf.Event.Action = "amqp." + t.method pbf.Network.Protocol = pbf.Event.Dataset pbf.Network.Transport = "tcp" pbf.Error.Message = t.notes diff --git a/packetbeat/protos/dhcpv4/dhcpv4.go b/packetbeat/protos/dhcpv4/dhcpv4.go index a50108a83c6b..10d299aea769 100644 --- a/packetbeat/protos/dhcpv4/dhcpv4.go +++ b/packetbeat/protos/dhcpv4/dhcpv4.go @@ -133,12 +133,15 @@ func (p *dhcpv4Plugin) parseDHCPv4(pkt *protos.Packet) *beat.Event { if !v4.ClientIPAddr().IsUnspecified() { dhcpData.Put("client_ip", v4.ClientIPAddr().String()) + pbf.AddIP(v4.ClientIPAddr().String()) } if !v4.YourIPAddr().IsUnspecified() { dhcpData.Put("assigned_ip", v4.YourIPAddr().String()) + pbf.AddIP(v4.YourIPAddr().String()) } if !v4.GatewayIPAddr().IsUnspecified() { dhcpData.Put("relay_ip", v4.GatewayIPAddr().String()) + pbf.AddIP(v4.GatewayIPAddr().String()) } if serverName := v4.ServerHostNameToString(); serverName != "" { dhcpData.Put("server_name", serverName) 
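Review bot: The three AddIP calls correctly mirror the `dhcpv4.*` address fields, but the expectations this commit adds in dhcpv4_test.go show `related.ip` carrying `0.0.0.0` and `255.255.255.255` for a broadcast request; those come in through SetSource/SetDestination rather than this hunk, and they add no pivot value while matching every DHCP discover in a `related.ip` query. Consider filtering unspecified and broadcast addresses before they reach related.ip (the `IsUnspecified()` checks already used here are the obvious model), or documenting that DHCP broadcast traffic contributes them. parseDHCPv4 starts and ends outside this hunk.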
diff --git a/packetbeat/protos/dhcpv4/dhcpv4_test.go b/packetbeat/protos/dhcpv4/dhcpv4_test.go index 72aade5014e3..704c4d2beced 100644 --- a/packetbeat/protos/dhcpv4/dhcpv4_test.go +++ b/packetbeat/protos/dhcpv4/dhcpv4_test.go @@ -117,7 +117,8 @@ func TestParseDHCPRequest(t *testing.T) { "port": 67, }, "event": common.MapStr{ - "category": "network_traffic", + "category": []string{"network_traffic", "network"}, + "type": []string{"connection", "protocol"}, "dataset": "dhcpv4", "kind": "event", "start": pkt.Ts, @@ -129,6 +130,9 @@ func TestParseDHCPRequest(t *testing.T) { "bytes": 272, "community_id": "1:t9O1j0qj71O4wJM7gnaHtgmfev8=", }, + "related": common.MapStr{ + "ip": []string{"0.0.0.0", "255.255.255.255"}, + }, "dhcpv4": common.MapStr{ "client_mac": "00:0b:82:01:fc:42", "flags": "unicast", @@ -197,7 +201,8 @@ func TestParseDHCPACK(t *testing.T) { "bytes": 300, }, "event": common.MapStr{ - "category": "network_traffic", + "category": []string{"network_traffic", "network"}, + "type": []string{"connection", "protocol"}, "dataset": "dhcpv4", "kind": "event", "start": pkt.Ts, @@ -209,7 +214,9 @@ func TestParseDHCPACK(t *testing.T) { "bytes": 300, "community_id": "1:VbRSZnvQqvLiQRhYHLrdVI17sLQ=", }, - + "related": common.MapStr{ + "ip": []string{"192.168.0.1", "192.168.0.10"}, + }, "dhcpv4": common.MapStr{ "assigned_ip": "192.168.0.10", "client_mac": "00:0b:82:01:fc:42", diff --git a/packetbeat/protos/dns/dns.go b/packetbeat/protos/dns/dns.go index 29efcc9bcdcc..8fbf402b6b45 100644 --- a/packetbeat/protos/dns/dns.go +++ b/packetbeat/protos/dns/dns.go @@ -391,7 +391,7 @@ func (dns *dnsPlugin) publishTransaction(t *dnsTransaction) { fields["query"] = dnsQuestionToString(t.request.data.Question[0]) fields["resource"] = t.request.data.Question[0].Name } - addDNSToMapStr(dnsEvent, t.response.data, dns.includeAuthorities, + addDNSToMapStr(dnsEvent, pbf, t.response.data, dns.includeAuthorities, dns.includeAdditionals) if t.response.data.Rcode == 0 { 
@@ -414,7 +414,7 @@ func (dns *dnsPlugin) publishTransaction(t *dnsTransaction) { fields["query"] = dnsQuestionToString(t.request.data.Question[0]) fields["resource"] = t.request.data.Question[0].Name } - addDNSToMapStr(dnsEvent, t.request.data, dns.includeAuthorities, + addDNSToMapStr(dnsEvent, pbf, t.request.data, dns.includeAuthorities, dns.includeAdditionals) if dns.sendRequest { @@ -430,7 +430,7 @@ func (dns *dnsPlugin) publishTransaction(t *dnsTransaction) { fields["query"] = dnsQuestionToString(t.response.data.Question[0]) fields["resource"] = t.response.data.Question[0].Name } - addDNSToMapStr(dnsEvent, t.response.data, dns.includeAuthorities, + addDNSToMapStr(dnsEvent, pbf, t.response.data, dns.includeAuthorities, dns.includeAdditionals) if dns.sendResponse { fields["response"] = dnsToString(t.response.data) @@ -448,7 +448,7 @@ func (dns *dnsPlugin) expireTransaction(t *dnsTransaction) { } // Adds the DNS message data to the supplied MapStr. -func addDNSToMapStr(m common.MapStr, dns *mkdns.Msg, authority bool, additional bool) { +func addDNSToMapStr(m common.MapStr, pbf *pb.Fields, dns *mkdns.Msg, authority bool, additional bool) { m["id"] = dns.Id m["op_code"] = dnsOpCodeToString(dns.Opcode) @@ -533,6 +533,7 @@ func addDNSToMapStr(m common.MapStr, dns *mkdns.Msg, authority bool, additional m["answers"], resolvedIPs = rrsToMapStrs(dns.Answer, true) if len(resolvedIPs) > 0 { m["resolved_ip"] = resolvedIPs + pbf.AddIP(resolvedIPs...) } } diff --git a/packetbeat/protos/dns/names_test.go b/packetbeat/protos/dns/names_test.go index 9066082cab8a..5d5d9323eb52 100644 --- a/packetbeat/protos/dns/names_test.go +++ b/packetbeat/protos/dns/names_test.go @@ -32,6 +32,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/packetbeat/pb" ) type dnsTestMsg struct { 
@@ -110,7 +111,7 @@ func assertDNSMessage(t testing.TB, q dnsTestMsg) { } mapStr := common.MapStr{} - addDNSToMapStr(mapStr, dns, true, true) + addDNSToMapStr(mapStr, pb.NewFields(), dns, true, true) if q.question != nil { for k, v := range q.question { assert.NotNil(t, mapStr["question"].(common.MapStr)[k]) diff --git a/packetbeat/protos/icmp/icmp.go b/packetbeat/protos/icmp/icmp.go index 3c4b692ca828..6fb210fd8713 100644 --- a/packetbeat/protos/icmp/icmp.go +++ b/packetbeat/protos/icmp/icmp.go @@ -287,7 +287,9 @@ func (icmp *icmpPlugin) publishTransaction(trans *icmpTransaction) { evt, pbf := pb.NewBeatEvent(trans.ts) pbf.Source = &ecs.Source{IP: trans.tuple.srcIP.String()} pbf.Destination = &ecs.Destination{IP: trans.tuple.dstIP.String()} + pbf.AddIP(trans.tuple.srcIP.String(), trans.tuple.dstIP.String()) pbf.Event.Dataset = "icmp" + pbf.Event.Type = []string{"connection"} pbf.Error.Message = trans.notes // common fields - group "event" diff --git a/packetbeat/protos/memcache/memcache.go b/packetbeat/protos/memcache/memcache.go index 74bbd0f3f89c..e59550287a56 100644 --- a/packetbeat/protos/memcache/memcache.go +++ b/packetbeat/protos/memcache/memcache.go @@ -22,6 +22,7 @@ package memcache import ( "encoding/json" "math" + "strings" "time" "github.com/elastic/beats/v7/libbeat/beat" @@ -388,12 +389,18 @@ func (t *transaction) Event(event *beat.Event) error { mc := common.MapStr{} event.Fields["memcache"] = mc + msg := t.request + if msg == nil { + msg = t.response + } + if t.request != nil { _, err := t.request.SubEvent("request", mc) if err != nil { logp.Warn("error filling transaction request: %v", err) return err } + event.Fields["event.action"] = "memcache." + strings.ToLower(t.request.command.typ.String()) } if t.response != nil { _, err := t.response.SubEvent("response", mc) 
@@ -401,12 +408,12 @@ func (t *transaction) Event(event *beat.Event) error { logp.Warn("error filling transaction response: %v", err) return err } + normalized := normalizeEventOutcome(memcacheStatusCode(t.response.status).String()) + if normalized != "" { + event.Fields["event.outcome"] = normalized + } } - msg := t.request - if msg == nil { - msg = t.response - } if msg == nil { mc["protocol_type"] = "unknown" } else { @@ -420,6 +427,19 @@ func (t *transaction) Event(event *beat.Event) error { return nil } +func normalizeEventOutcome(outcome string) string { + switch outcome { + case "Fail": + return "failure" + case "UNKNOWN": + return "unknown" + case "Success": + return "success" + default: + return "" + } +} + func computeTransactionStatus(requ, resp *message) string { switch { case requ == nil && resp != nil: diff --git a/packetbeat/protos/nfs/request_handler.go b/packetbeat/protos/nfs/request_handler.go index 241e0dca482c..d46560477432 100644 --- a/packetbeat/protos/nfs/request_handler.go +++ b/packetbeat/protos/nfs/request_handler.go @@ -143,7 +143,12 @@ func (r *rpc) handleCall(xid string, xdr *xdr, ts time.Time, tcptuple *common.TC pbf: pbf, event: evt, } - fields["nfs"] = nfs.getRequestInfo(xdr) + info := nfs.getRequestInfo(xdr) + fields["nfs"] = info + + if opcode, ok := info["opcode"].(string); ok && opcode != "" { + pbf.Event.Action = "nfs." + opcode + } // use xid+src ip to uniquely identify request reqID := xid + tcptuple.SrcIP.String() @@ -190,6 +195,8 @@ func (r *rpc) handleReply(xid string, xdr *xdr, ts time.Time, tcptuple *common.T if status == 0 { nfsInfo := fields["nfs"].(common.MapStr) nfsInfo["status"] = nfs.getNFSReplyStatus(xdr) + } else { + nfs.pbf.Event.Outcome = "failure" } r.results(nfs.event) } diff --git a/packetbeat/protos/redis/redis.go b/packetbeat/protos/redis/redis.go index e7feac645c53..bf23e94836f9 100644 --- a/packetbeat/protos/redis/redis.go +++ b/packetbeat/protos/redis/redis.go 
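Review bot: normalizeEventOutcome keys on the rendered `String()` text of memcacheStatusCode (`"Fail"`, `"UNKNOWN"`, `"Success"`), so any change to those display strings silently falls through to the empty default and `event.outcome` disappears from memcache events without a test failing. Switching on the status constants themselves — have the function take a `memcacheStatusCode` and the caller pass `memcacheStatusCode(t.response.status)` — ties the mapping to the type rather than its text; the memcacheStatusCode definition is not visible here, so the constant names are presumed. The Event method that calls it starts outside this hunk.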
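Review bot: handleReply sets `event.outcome` to `failure` only when the RPC status is non-zero and leaves it unset on success, whereas the memcache change in the same commit emits `success` explicitly, so a consumer filtering on `event.outcome:success` sees memcache transactions but never NFS ones. Add `nfs.pbf.Event.Outcome = "success"` inside the `status == 0` branch. Note that a zero RPC status with a non-zero NFS reply status (`nfsInfo["status"]`) would then be reported as success; if getNFSReplyStatus exposes an error condition, that is the better source for the outcome. Both handleCall and handleReply begin and end outside these hunks.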
@@ -19,6 +19,7 @@ package redis import ( "bytes" + "strings" "time" "github.com/elastic/beats/v7/libbeat/beat" @@ -326,6 +327,11 @@ func (redis *redisPlugin) newTransaction(requ, resp *redisMessage) beat.Event { fields["response"] = resp.message } + pbf.Event.Action = "redis." + strings.ToLower(string(requ.method)) + if resp.isError { + pbf.Event.Outcome = "failure" + } + return evt } diff --git a/packetbeat/protos/tls/_meta/fields.yml b/packetbeat/protos/tls/_meta/fields.yml index 5c5734de0156..d34b6b5869b0 100644 --- a/packetbeat/protos/tls/_meta/fields.yml +++ b/packetbeat/protos/tls/_meta/fields.yml 
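Review bot: Outcome is only set on the error branch, so a successful redis reply leaves `event.outcome` empty, inconsistent with the memcache change in this commit and invisible to `event.outcome:success` queries; `else { pbf.Event.Outcome = "success" }` closes the gap. The new `requ.method` access dereferences `requ` unconditionally; newTransaction's earlier lines (outside the hunk) already read `resp.message`, and whether a nil request can reach here is not visible, but a guard `if requ != nil` would be cheap insurance if a reply is ever published without its request. newTransaction begins outside this hunk.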
@@ -1,357 +1,657 @@ - key: tls_detailed - title: "Detailed TLS" + title: 'Detailed TLS' description: > Detailed TLS-specific event fields. fields: - name: tls type: group fields: + # get rid of this when we upgrade to ECS 1.6 + - name: client + type: group + fields: + - name: x509 + type: group + default_fields: false + fields: + - name: version + type: keyword + description: Version of x509 format. + example: 3 + + - name: version_number + type: keyword + description: Version of x509 format. + example: 3 + + - name: serial_number + type: keyword + description: > + Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be + formatted without colons and uppercase characters. + example: 55FBB9C7DEBF09809D12CCAA + + - name: issuer.distinguished_name + type: keyword + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA + + - name: issuer.common_name + type: keyword + description: List of common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + + - name: issuer.organizational_unit + type: keyword + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + + - name: issuer.organization + type: keyword + description: List of organizations (O) of issuing certificate authority. + example: DigiCert Inc + + - name: issuer.locality + type: keyword + description: List of locality names (L) + example: Mountain View + + - name: issuer.province + type: keyword + description: Province or region within country. 
+ + - name: issuer.state_or_province + type: keyword + description: List of state or province names (ST, S, or P) + example: California + + - name: issuer.country + type: keyword + description: List of country (C) codes + example: US + + - name: signature_algorithm + type: keyword + description: Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + example: SHA256-RSA + + - name: not_before + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16T01:40:25Z + + - name: not_after + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16T03:15:39Z + + - name: subject.distinguished_name + type: keyword + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + + - name: subject.common_name + type: keyword + description: List of common names (CN) of subject. + example: r2.shared.global.fastly.net + + - name: subject.organizational_unit + type: keyword + description: List of organizational units (OU) of subject. + + - name: subject.organization + type: keyword + description: List of organizations (O) of subject. + example: Fastly, Inc. + + - name: subject.locality + type: keyword + description: List of locality names (L) + example: San Francisco + + - name: subject.province + type: keyword + description: Province or region within country. + + - name: subject.state_or_province + type: keyword + description: List of state or province names (ST, S, or P) + example: California + + - name: subject.country + type: keyword + description: List of country (C) code + example: US + + - name: public_key_algorithm + type: keyword + description: Algorithm used to generate the public key. 
+ example: RSA + + - name: public_key_size + type: long + description: The size of the public key space in bits. + example: 2048 + + - name: alternative_names + type: keyword + description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + example: '*.elastic.co' + + # get rid of this when we upgrade to ECS 1.6 + - name: server + type: group + fields: + - name: x509 + type: group + default_fields: false + fields: + - name: version + type: keyword + description: Version of x509 format. + example: 3 + + - name: version_number + type: keyword + description: Version of x509 format. + example: 3 + + - name: serial_number + type: keyword + description: > + Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be + formatted without colons and uppercase characters. + example: 55FBB9C7DEBF09809D12CCAA + + - name: issuer.distinguished_name + type: keyword + description: Distinguished name (DN) of issuing certificate authority. + example: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA + + - name: issuer.common_name + type: keyword + description: List of common name (CN) of issuing certificate authority. + example: DigiCert SHA2 High Assurance Server CA + + - name: issuer.organizational_unit + type: keyword + description: List of organizational units (OU) of issuing certificate authority. + example: www.digicert.com + + - name: issuer.organization + type: keyword + description: List of organizations (O) of issuing certificate authority. + example: DigiCert Inc + + - name: issuer.locality + type: keyword + description: List of locality names (L) + example: Mountain View + + - name: issuer.province + type: keyword + description: Province or region within country. 
+ + - name: issuer.state_or_province + type: keyword + description: List of state or province names (ST, S, or P) + example: California + + - name: issuer.country + type: keyword + description: List of country (C) codes + example: US + + - name: signature_algorithm + type: keyword + description: Identifier for certificate signature algorithm. Recommend using names found in Go Lang Crypto library (See https://github.com/golang/go/blob/go1.14/src/crypto/x509/x509.go#L337-L353). + example: SHA256-RSA + + - name: not_before + type: date + description: Time at which the certificate is first considered valid. + example: 2019-08-16T01:40:25Z + + - name: not_after + type: date + description: Time at which the certificate is no longer considered valid. + example: 2020-07-16T03:15:39Z + + - name: subject.distinguished_name + type: keyword + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + + - name: subject.common_name + type: keyword + description: List of common names (CN) of subject. + example: r2.shared.global.fastly.net + + - name: subject.organizational_unit + type: keyword + description: List of organizational units (OU) of subject. + + - name: subject.organization + type: keyword + description: List of organizations (O) of subject. + example: Fastly, Inc. + + - name: subject.locality + type: keyword + description: List of locality names (L) + example: San Francisco + + - name: subject.province + type: keyword + description: Province or region within country. + + - name: subject.state_or_province + type: keyword + description: List of state or province names (ST, S, or P) + example: California + + - name: subject.country + type: keyword + description: List of country (C) code + example: US + + - name: public_key_algorithm + type: keyword + description: Algorithm used to generate the public key. 
+ example: RSA + + - name: public_key_size + type: long + description: The size of the public key space in bits. + example: 2048 + + - name: alternative_names + type: keyword + description: List of subject alternative names (SAN). Name types vary by certificate authority and certificate type but commonly contain IP addresses, DNS names (and wildcards), and email addresses. + example: '*.elastic.co' + - name: detailed type: group default_fields: false fields: - - name: version - type: keyword - description: > - The version of the TLS protocol used. - example: "TLS 1.3" - - - name: resumption_method - type: keyword - description: > - If the session has been resumed, the underlying method used. One of - "id" for TLS session ID or "ticket" for TLS ticket extension. - - - name: client_certificate_requested - type: boolean - description: > - Whether the server has requested the client to authenticate itself - using a client certificate. - - - name: client_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol by which the client wishes to - communicate during this session. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding - connection with the client. - - - name: supported_compression_methods - type: keyword - description: > - The list of compression methods the client supports. - See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml - - - name: extensions - type: group - description: The hello extensions provided by the client. - fields: - - name: server_name_indication - type: keyword - description: List of hostnames - - - name: application_layer_protocol_negotiation - type: keyword - description: > - List of application-layer protocols the client is willing to use. - - - name: session_ticket - type: keyword - description: > - Length of the session ticket, if provided, or an empty string - to advertise support for tickets. 
- - - name: supported_versions - type: keyword - description: > - List of TLS versions that the client is willing to use. - - - name: supported_groups - type: keyword - description: > - List of Elliptic Curve Cryptography (ECC) curve groups - supported by the client. - - - name: signature_algorithms - type: keyword - description: > - List of signature algorithms that may be use in digital - signatures. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the - set of point formats that the client can parse. - - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: server_hello - type: group - fields: - - name: version - type: keyword - description: > - The version of the TLS protocol that is used for this session. - It is the highest version supported by the server not exceeding - the version requested in the client hello. - - - name: selected_compression_method - type: keyword - description: > - The compression method selected by the server from the list - provided in the client hello. - - - name: session_id - type: keyword - description: > - Unique number to identify the session for the corresponding - connection with the client. - - - name: extensions - type: group - description: The hello extensions provided by the server. - fields: - - name: application_layer_protocol_negotiation - type: keyword - description: Negotiated application layer protocol - - - name: session_ticket - type: keyword - description: > - Used to announce that a session ticket will be provided - by the server. Always an empty string. - - - name: supported_versions - type: keyword - description: > - Negotiated TLS version to be used. - - - name: ec_points_formats - type: keyword - description: > - List of Elliptic Curve (EC) point formats. Indicates the - set of point formats that the server can parse. 
- - - name: _unparsed_ - type: keyword - description: > - List of extensions that were left unparsed by Packetbeat. - - - name: client_certificate - type: group - description: Certificate provided by the client for authentication. - fields: - - - name: version - type: long - description: X509 format version. - - - name: serial_number - type: keyword - description: The certificate's serial number. - - - name: not_before - type: date - description: Date before which the certificate is not valid. - - - name: not_after - type: date - description: Date after which the certificate expires. - - - name: public_key_algorithm - type: keyword - description: > - The algorithm used for this certificate's public key. - One of RSA, DSA or ECDSA. - - - name: public_key_size - type: long - description: Size of the public key. - - - name: signature_algorithm - type: keyword - description: > - The algorithm used for the certificate's signature. - - - name: alternative_names - type: keyword - description: Subject Alternative Names for this certificate. - - - name: subject - type: group - description: Subject represented by this certificate. - fields: - - name: country - type: keyword - description: Country code. - - - name: organization - type: keyword - description: Organization name. - - - name: organizational_unit - type: keyword - description: Unit within organization. - - - name: province - type: keyword - description: Province or region within country. - - - name: common_name - type: keyword - description: Name or host name identified by the certificate. - - - name: locality - type: keyword - description: Locality. - - - name: issuer - type: group - description: Entity that issued and signed this certificate. - fields: - - name: country - type: keyword - description: Country code. - - - name: organization - type: keyword - description: Organization name. - - - name: organizational_unit - type: keyword - description: Unit within organization. 
- - - name: province - type: keyword - description: Province or region within country. - - - name: common_name - type: keyword - description: Name or host name identified by the certificate. - - - name: locality - type: keyword - description: Locality. - - - name: server_certificate - type: group - description: Certificate provided by the server for authentication. - fields: - - - name: version - type: long - description: X509 format version. - - - name: serial_number - type: keyword - description: The certificate's serial number. - - - name: not_before - type: date - description: Date before which the certificate is not valid. - - - name: not_after - type: date - description: Date after which the certificate expires. - - - name: public_key_algorithm - type: keyword - description: > - The algorithm used for this certificate's public key. - One of RSA, DSA or ECDSA. - - - name: public_key_size - type: long - description: Size of the public key. - - - name: signature_algorithm - type: keyword - description: > - The algorithm used for the certificate's signature. - - - name: alternative_names - type: keyword - description: Subject Alternative Names for this certificate. - - - name: subject - type: group - description: Subject represented by this certificate. - fields: - - name: country - type: keyword - description: Country code. - - - name: organization - type: keyword - description: Organization name. - - - name: organizational_unit - type: keyword - description: Unit within organization. - - - name: province - type: keyword - description: Province or region within country. - - - name: common_name - type: keyword - description: Name or host name identified by the certificate. - - - name: locality - type: keyword - description: Locality. - - - name: issuer - type: group - description: Entity that issued and signed this certificate. - fields: - - name: country - type: keyword - description: Country code. 
- - - name: organization - type: keyword - description: Organization name. - - - name: organizational_unit - type: keyword - description: Unit within organization. - - - name: province - type: keyword - description: Province or region within country. - - - name: common_name - type: keyword - description: Name or host name identified by the certificate. - - - name: locality - type: keyword - description: Locality. - - - name: server_certificate_chain - type: array - description: Chain of trust for the server certificate. - - - name: client_certificate_chain - type: array - description: Chain of trust for the client certificate. - - - name: alert_types - type: keyword - description: > - An array containing the TLS alert type for every alert received. + - name: version + type: keyword + description: > + The version of the TLS protocol used. + example: 'TLS 1.3' + + - name: resumption_method + type: keyword + description: > + If the session has been resumed, the underlying method used. One of + "id" for TLS session ID or "ticket" for TLS ticket extension. + + - name: client_certificate_requested + type: boolean + description: > + Whether the server has requested the client to authenticate itself + using a client certificate. + + - name: client_hello + type: group + fields: + - name: version + type: keyword + description: > + The version of the TLS protocol by which the client wishes to + communicate during this session. + + - name: session_id + type: keyword + description: > + Unique number to identify the session for the corresponding + connection with the client. + + - name: supported_compression_methods + type: keyword + description: > + The list of compression methods the client supports. + See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml + + - name: extensions + type: group + description: The hello extensions provided by the client. 
+ fields: + - name: server_name_indication + type: keyword + description: List of hostnames + + - name: application_layer_protocol_negotiation + type: keyword + description: > + List of application-layer protocols the client is willing to use. + + - name: session_ticket + type: keyword + description: > + Length of the session ticket, if provided, or an empty string + to advertise support for tickets. + + - name: supported_versions + type: keyword + description: > + List of TLS versions that the client is willing to use. + + - name: supported_groups + type: keyword + description: > + List of Elliptic Curve Cryptography (ECC) curve groups + supported by the client. + + - name: signature_algorithms + type: keyword + description: > + List of signature algorithms that may be use in digital + signatures. + + - name: ec_points_formats + type: keyword + description: > + List of Elliptic Curve (EC) point formats. Indicates the + set of point formats that the client can parse. + + - name: _unparsed_ + type: keyword + description: > + List of extensions that were left unparsed by Packetbeat. + + - name: server_hello + type: group + fields: + - name: version + type: keyword + description: > + The version of the TLS protocol that is used for this session. + It is the highest version supported by the server not exceeding + the version requested in the client hello. + + - name: selected_compression_method + type: keyword + description: > + The compression method selected by the server from the list + provided in the client hello. + + - name: session_id + type: keyword + description: > + Unique number to identify the session for the corresponding + connection with the client. + + - name: extensions + type: group + description: The hello extensions provided by the server. 
+ fields: + - name: application_layer_protocol_negotiation + type: keyword + description: Negotiated application layer protocol + + - name: session_ticket + type: keyword + description: > + Used to announce that a session ticket will be provided + by the server. Always an empty string. + + - name: supported_versions + type: keyword + description: > + Negotiated TLS version to be used. + + - name: ec_points_formats + type: keyword + description: > + List of Elliptic Curve (EC) point formats. Indicates the + set of point formats that the server can parse. + + - name: _unparsed_ + type: keyword + description: > + List of extensions that were left unparsed by Packetbeat. + + - name: client_certificate + type: group + description: Certificate provided by the client for authentication. + fields: + - name: version + type: long + description: X509 format version. + + - name: version_number + type: keyword + description: Version of x509 format. + example: 3 + + - name: serial_number + type: keyword + description: The certificate's serial number. + + - name: not_before + type: date + description: Date before which the certificate is not valid. + + - name: not_after + type: date + description: Date after which the certificate expires. + + - name: public_key_algorithm + type: keyword + description: > + The algorithm used for this certificate's public key. + One of RSA, DSA or ECDSA. + + - name: public_key_size + type: long + description: Size of the public key. + + - name: signature_algorithm + type: keyword + description: > + The algorithm used for the certificate's signature. + + - name: alternative_names + type: keyword + description: Subject Alternative Names for this certificate. + + - name: subject + type: group + description: Subject represented by this certificate. + fields: + - name: country + type: keyword + description: Country code. + + - name: organization + type: keyword + description: Organization name. 
+ + - name: organizational_unit + type: keyword + description: Unit within organization. + + - name: province + type: keyword + description: Province or region within country. + + - name: common_name + type: keyword + description: Name or host name identified by the certificate. + + - name: locality + type: keyword + description: Locality. + + - name: distinguished_name + type: keyword + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + + - name: issuer + type: group + description: Entity that issued and signed this certificate. + fields: + - name: country + type: keyword + description: Country code. + + - name: organization + type: keyword + description: Organization name. + + - name: organizational_unit + type: keyword + description: Unit within organization. + + - name: province + type: keyword + description: Province or region within country. + + - name: common_name + type: keyword + description: Name or host name identified by the certificate. + + - name: locality + type: keyword + description: Locality. + + - name: distinguished_name + type: keyword + description: Distinguished name (DN) of the certificate issuer entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + + - name: server_certificate + type: group + description: Certificate provided by the server for authentication. + fields: + - name: version + type: long + description: X509 format version. + + - name: version_number + type: keyword + description: Version of x509 format. + example: 3 + + - name: serial_number + type: keyword + description: The certificate's serial number. + + - name: not_before + type: date + description: Date before which the certificate is not valid. + + - name: not_after + type: date + description: Date after which the certificate expires. 
+ + - name: public_key_algorithm + type: keyword + description: > + The algorithm used for this certificate's public key. + One of RSA, DSA or ECDSA. + + - name: public_key_size + type: long + description: Size of the public key. + + - name: signature_algorithm + type: keyword + description: > + The algorithm used for the certificate's signature. + + - name: alternative_names + type: keyword + description: Subject Alternative Names for this certificate. + + - name: subject + type: group + description: Subject represented by this certificate. + fields: + - name: country + type: keyword + description: Country code. + + - name: organization + type: keyword + description: Organization name. + + - name: organizational_unit + type: keyword + description: Unit within organization. + + - name: province + type: keyword + description: Province or region within country. + + - name: state_or_province + type: keyword + description: Province or region within country. + + - name: common_name + type: keyword + description: Name or host name identified by the certificate. + + - name: locality + type: keyword + description: Locality. + + - name: distinguished_name + type: keyword + description: Distinguished name (DN) of the certificate subject entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + + - name: issuer + type: group + description: Entity that issued and signed this certificate. + fields: + - name: country + type: keyword + description: Country code. + + - name: organization + type: keyword + description: Organization name. + + - name: organizational_unit + type: keyword + description: Unit within organization. + + - name: province + type: keyword + description: Province or region within country. + + - name: state_or_province + type: keyword + description: Province or region within country. + + - name: common_name + type: keyword + description: Name or host name identified by the certificate. 
+ + - name: locality + type: keyword + description: Locality. + + - name: distinguished_name + type: keyword + description: Distinguished name (DN) of the certificate issuer entity. + example: C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=r2.shared.global.fastly.net + + - name: server_certificate_chain + type: array + description: Chain of trust for the server certificate. + + - name: client_certificate_chain + type: array + description: Chain of trust for the client certificate. + + - name: alert_types + type: keyword + description: > + An array containing the TLS alert type for every alert received. # # Aliases from pre-ECS fields to tls.detailed diff --git a/packetbeat/protos/tls/fields.go b/packetbeat/protos/tls/fields.go index c4e3b2743486..921084395fb2 100644 --- a/packetbeat/protos/tls/fields.go +++ b/packetbeat/protos/tls/fields.go @@ -32,5 +32,5 @@ func init() { // AssetTls returns asset data. // This is the base64 encoded gzipped contents of protos/tls. func AssetTls() string { - return "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" + return "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" } diff --git a/packetbeat/protos/tls/parse.go b/packetbeat/protos/tls/parse.go index d6714a76784a..c007690789dd 100644 --- a/packetbeat/protos/tls/parse.go +++ b/packetbeat/protos/tls/parse.go 
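Review bot: The new `tls.client.x509.serial_number` and `tls.server.x509.serial_number` descriptions promise an uppercase, colon-free (hexadecimal) value, and the `issuer.distinguished_name`/`subject.distinguished_name` examples show C-first, space-separated DNs, but the values these fields receive are copied unchanged from `tls.detailed.*_certificate` elsewhere in this patch: a decimal serial from `cert.SerialNumber.Text(10)` and an RFC 2253 CN-first DN from `pkix.Name.String()`, as the golden files confirm (`CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US`). Analysts pivoting on serial or DN between Packetbeat and other ECS sources will miss matches, so either make the emitter match the documented format or reword the descriptions to state the emitted form, e.g. `description: Certificate serial number as emitted by Packetbeat, in decimal (other ECS sources emit uppercase hexadecimal without colons).` The `client` and `server` groups are byte-identical copies; a YAML anchor or a shared include would keep them from drifting before the ECS 1.6 cleanup the TODO comments refer to.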
@@ -571,12 +571,14 @@ func certToMap(cert *x509.Certificate) common.MapStr { certMap := common.MapStr{ "signature_algorithm": cert.SignatureAlgorithm.String(), "public_key_algorithm": toString(cert.PublicKeyAlgorithm), - "version": cert.Version, - "serial_number": cert.SerialNumber.Text(10), - "issuer": toMap(&cert.Issuer), - "subject": toMap(&cert.Subject), - "not_before": cert.NotBefore, - "not_after": cert.NotAfter, + // remove this in 8.x + "version": cert.Version, + "serial_number": cert.SerialNumber.Text(10), + "issuer": toMap(&cert.Issuer), + "subject": toMap(&cert.Subject), + "not_before": cert.NotBefore, + "not_after": cert.NotAfter, + "version_number": cert.Version, } if keySize := getKeySize(cert.PublicKey); keySize > 0 { certMap["public_key_size"] = keySize @@ -602,11 +604,14 @@ func toMap(name *pkix.Name) common.MapStr { {"organization", name.Organization}, {"organizational_unit", name.OrganizationalUnit}, {"locality", name.Locality}, + // remove this in 8.x {"province", name.Province}, {"postal_code", name.PostalCode}, {"serial_number", name.SerialNumber}, {"common_name", name.CommonName}, {"street_address", name.StreetAddress}, + {"state_or_province", name.Province}, + {"distinguished_name", name.String()}, } for _, field := range fields { var str string diff --git a/packetbeat/protos/tls/tls.go b/packetbeat/protos/tls/tls.go index ab068884b615..74034c4afaff 100644 --- a/packetbeat/protos/tls/tls.go +++ b/packetbeat/protos/tls/tls.go @@ -443,6 +443,12 @@ func (plugin *tlsPlugin) createEvent(conn *tlsConnectionData) beat.Event { pb.MarshalStruct(fields, "tls", tls) if plugin.includeDetailedFields { fields.Put("tls.detailed", detailed) + if cert, ok := detailed["client_certificate"]; ok { + fields.Put("tls.client.x509", cert) + } + if cert, ok := detailed["server_certificate"]; ok { + fields.Put("tls.server.x509", cert) + } } // Fixes for non-array datatypes 
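Review bot: `serial_number` is still emitted as `cert.SerialNumber.Text(10)` (decimal) even though this map is now re-used as `tls.client.x509`/`tls.server.x509` by `createEvent`, whose field docs in this patch describe an uppercase hexadecimal serial without colons (`55FBB9C7DEBF09809D12CCAA`); cross-source pivots on the ECS field will not match. For the ECS copy, `strings.ToUpper(hex.EncodeToString(cert.SerialNumber.Bytes()))` gives the documented form (needs `encoding/hex`; a zero serial yields an empty slice, so guard with `cert.SerialNumber.Sign() > 0`). The `// remove this in 8.x` comment sits above the whole re-aligned group but only `version` is superseded by `version_number`, so narrow it to `// remove "version" in 8.x; superseded by version_number`. `certToMap` continues past the hunk.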
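Review bot: `fields.Put("tls.client.x509", cert)` stores the same value already placed under `tls.detailed.client_certificate`, so if `cert` is a `common.MapStr` both keys point at one map and the "Fixes for non-array datatypes" block that follows (outside this hunk), as well as any later per-copy edit, will touch both. The copy also carries every key `toMap` emits, including `issuer.postal_code`, `issuer.street_address`, `subject.serial_number` and the deprecated `province`/`version`, into the ECS namespace where fields.yml does not declare them, so they are dynamically mapped or dropped depending on the index template. Copying only the ECS subset into a fresh map, or at least `fields.Put("tls.client.x509", cert.(common.MapStr).Clone())` if `Clone` exists on that type, would decouple the two and keep the ECS namespace clean. Both copies are gated on `includeDetailedFields`, so the ECS x509 fields are absent in the default configuration; worth a sentence in the field docs if intended.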
diff --git a/packetbeat/protos/tls/tls_test.go b/packetbeat/protos/tls/tls_test.go index 608e87738837..64a790248061 100644 --- a/packetbeat/protos/tls/tls_test.go +++ b/packetbeat/protos/tls/tls_test.go 
@@ -39,7 +39,7 @@ type eventStore struct { } const ( - expectedClientHello = `{"client":{"ip":"192.168.0.1","port":6512},"destination":{"domain":"example.org","ip":"192.168.0.2","port":27017},"event":{"category":"network_traffic","dataset":"tls","kind":"event"},"network":{"community_id":"1:jKfewJN/czjTuEpVvsKdYXXiMzs=","protocol":"tls","transport":"tcp","type":"ipv4"},"server":{"domain":"example.org","ip":"192.168.0.2","port":27017},"source":{"ip":"192.168.0.1","port":6512},"status":"Error","tls":{"client":{"ja3":"94c485bca29d5392be53f2b8cf7f4304","server_name":"example.org","supported_ciphers":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},"detailed":{"client_certificate_requested":false,"client_hello":{"extensions":{"_unparsed_":["renegotiation_info","23","status_request","18","30032"],"application_layer_protocol_negotiation":["h2","http/1.1"],"ec_points_formats":["uncompressed"],"server_name_indication":["example.org"],"session_ticket":"","signature_algorithms":["ecdsa_secp256r1_sha256","rsa_pss_sha256","rsa_pkcs1_sha256","ecdsa_secp384r1_sha384","rsa_pss_sha384","rsa_pkcs1_sha384","rsa_pss_sha512","rsa_pkcs1_sha512","rsa_pkcs1_sha1"],"supported_groups":["x25519","secp256r1","secp384r1"]},"supported_compression_methods":["NULL"],"version":"3.3"},"version":"TLS 1.2"},"established":false,"resumed":false,"version":"1.2","version_protocol":"tls"},"type":"tls"}` + expectedClientHello = 
`{"client":{"ip":"192.168.0.1","port":6512},"destination":{"domain":"example.org","ip":"192.168.0.2","port":27017},"event":{"category":["network_traffic","network"],"dataset":"tls","kind":"event","type":["connection","protocol"]},"network":{"community_id":"1:jKfewJN/czjTuEpVvsKdYXXiMzs=","protocol":"tls","transport":"tcp","type":"ipv4"},"related":{"ip":["192.168.0.1","192.168.0.2"]},"server":{"domain":"example.org","ip":"192.168.0.2","port":27017},"source":{"ip":"192.168.0.1","port":6512},"status":"Error","tls":{"client":{"ja3":"94c485bca29d5392be53f2b8cf7f4304","server_name":"example.org","supported_ciphers":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},"detailed":{"client_certificate_requested":false,"client_hello":{"extensions":{"_unparsed_":["renegotiation_info","23","status_request","18","30032"],"application_layer_protocol_negotiation":["h2","http/1.1"],"ec_points_formats":["uncompressed"],"server_name_indication":["example.org"],"session_ticket":"","signature_algorithms":["ecdsa_secp256r1_sha256","rsa_pss_sha256","rsa_pkcs1_sha256","ecdsa_secp384r1_sha384","rsa_pss_sha384","rsa_pkcs1_sha384","rsa_pss_sha512","rsa_pkcs1_sha512","rsa_pkcs1_sha1"],"supported_groups":["x25519","secp256r1","secp384r1"]},"supported_compression_methods":["NULL"],"version":"3.3"},"version":"TLS 1.2"},"established":false,"resumed":false,"version":"1.2","version_protocol":"tls"},"type":"tls"}` expectedServerHello = 
`{"extensions":{"_unparsed_":["renegotiation_info","status_request"],"application_layer_protocol_negotiation":["h2"],"ec_points_formats":["uncompressed","ansiX962_compressed_prime","ansiX962_compressed_char2"],"session_ticket":""},"selected_compression_method":"NULL","version":"3.3"}` rawClientHello = "16030100c2010000be03033367dfae0d46ec0651e49cca2ae47317e8989df710" + "ee7570a88b9a7d5d56b3af00001c3a3ac02bc02fc02cc030cca9cca8c013c014" + diff --git a/packetbeat/tests/system/golden/established_tls-expected.json b/packetbeat/tests/system/golden/established_tls-expected.json index 2756f6f5bac2..5ce92528a022 100644 --- a/packetbeat/tests/system/golden/established_tls-expected.json +++ b/packetbeat/tests/system/golden/established_tls-expected.json @@ -7,14 +7,25 @@ "destination.domain": "example.net", "destination.ip": "93.184.216.34", "destination.port": 443, - "event.category": "network_traffic", + "event.category": [ + "network_traffic", + "network" + ], "event.dataset": "tls", "event.duration": 364625000, "event.kind": "event", + "event.type": [ + "connection", + "protocol" + ], "network.community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=", "network.protocol": "tls", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "192.168.1.35", + "93.184.216.34" + ], "server.domain": "example.net", "server.ip": "93.184.216.34", "server.port": 443, @@ -115,6 +126,7 @@ ], "tls.detailed.server_certificate.issuer.common_name": "DigiCert SHA2 Secure Server CA", "tls.detailed.server_certificate.issuer.country": "US", + "tls.detailed.server_certificate.issuer.distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", "tls.detailed.server_certificate.issuer.organization": "DigiCert Inc", "tls.detailed.server_certificate.not_after": "2020-12-02T12:00:00.000Z", "tls.detailed.server_certificate.not_before": "2018-11-28T00:00:00.000Z", 
@@ -124,16 +136,20 @@
 "tls.detailed.server_certificate.signature_algorithm": "SHA256-RSA",
 "tls.detailed.server_certificate.subject.common_name": "www.example.org",
 "tls.detailed.server_certificate.subject.country": "US",
+ "tls.detailed.server_certificate.subject.distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
 "tls.detailed.server_certificate.subject.locality": "Los Angeles",
 "tls.detailed.server_certificate.subject.organization": "Internet Corporation for Assigned Names and Numbers",
 "tls.detailed.server_certificate.subject.organizational_unit": "Technology",
 "tls.detailed.server_certificate.subject.province": "California",
+ "tls.detailed.server_certificate.subject.state_or_province": "California",
 "tls.detailed.server_certificate.version": 3,
+ "tls.detailed.server_certificate.version_number": 3,
 "tls.detailed.server_certificate_chain": [
 {
 "issuer": {
 "common_name": "DigiCert Global Root CA",
 "country": "US",
+ "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
 "organization": "DigiCert Inc",
 "organizational_unit": "www.digicert.com"
 },
@@ -146,14 +162,17 @@
 "subject": {
 "common_name": "DigiCert SHA2 Secure Server CA",
 "country": "US",
+ "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
 "organization": "DigiCert Inc"
 },
- "version": 3
+ "version": 3,
+ "version_number": 3
 },
 {
 "issuer": {
 "common_name": "DigiCert Global Root CA",
 "country": "US",
+ "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
 "organization": "DigiCert Inc",
 "organizational_unit": "www.digicert.com"
 },
@@ -166,10 +185,12 @@
 "subject": {
 "common_name": "DigiCert Global Root CA",
 "country": "US",
+ "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
 "organization": "DigiCert Inc",
 "organizational_unit": "www.digicert.com"
 },
- "version": 3
+ "version": 3,
+ "version_number": 3
 }
 ],
 "tls.detailed.server_hello.extensions._unparsed_": [
@@ -196,6 +217,36 @@
 "tls.server.not_after": "2020-12-02T12:00:00.000Z",
 "tls.server.not_before": "2018-11-28T00:00:00.000Z",
 "tls.server.subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
+ "tls.server.x509.alternative_names": [
+ "www.example.org",
+ "example.com",
+ "example.edu",
+ "example.net",
+ "example.org",
+ "www.example.com",
+ "www.example.edu",
+ "www.example.net"
+ ],
+ "tls.server.x509.issuer.common_name": "DigiCert SHA2 Secure Server CA",
+ "tls.server.x509.issuer.country": "US",
+ "tls.server.x509.issuer.distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
+ "tls.server.x509.issuer.organization": "DigiCert Inc",
+ "tls.server.x509.not_after": "2020-12-02T12:00:00.000Z",
+ "tls.server.x509.not_before": "2018-11-28T00:00:00.000Z",
+ "tls.server.x509.public_key_algorithm": "RSA",
+ "tls.server.x509.public_key_size": 2048,
+ "tls.server.x509.serial_number": "21020869104500376438182461249190639870",
+ "tls.server.x509.signature_algorithm": "SHA256-RSA",
+ "tls.server.x509.subject.common_name": "www.example.org",
+ "tls.server.x509.subject.country": "US",
+ "tls.server.x509.subject.distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
+ "tls.server.x509.subject.locality": "Los Angeles",
+ "tls.server.x509.subject.organization": "Internet Corporation for Assigned Names and Numbers",
+ "tls.server.x509.subject.organizational_unit": "Technology",
+ "tls.server.x509.subject.province": "California",
+ "tls.server.x509.subject.state_or_province": "California",
+ "tls.server.x509.version": 3,
+ "tls.server.x509.version_number": 3,
 "tls.version": "1.2",
 "tls.version_protocol": "tls",
 "type": "tls"
diff --git a/packetbeat/tests/system/golden/non_established_tls-expected.json b/packetbeat/tests/system/golden/non_established_tls-expected.json
index 32a9b174e3e8..573bb6737746 100644
--- a/packetbeat/tests/system/golden/non_established_tls-expected.json
+++ b/packetbeat/tests/system/golden/non_established_tls-expected.json
@@ -7,13 +7,24 @@
 "destination.domain": "www.elastic.co",
 "destination.ip": "151.101.134.217",
 "destination.port": 443,
- "event.category": "network_traffic",
+ "event.category": [
+ "network_traffic",
+ "network"
+ ],
 "event.dataset": "tls",
 "event.kind": "event",
+ "event.type": [
+ "connection",
+ "protocol"
+ ],
 "network.community_id": "1:OD+OA3Fyagq6ZdQ3T94i6r2zqWA=",
 "network.protocol": "tls",
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "related.ip": [
+ "172.20.10.2",
+ "151.101.134.217"
+ ],
 "server.domain": "www.elastic.co",
 "server.ip": "151.101.134.217",
 "server.port": 443,
diff --git a/packetbeat/tests/system/golden/tls_1_3-expected.json b/packetbeat/tests/system/golden/tls_1_3-expected.json
index 7200da6b3059..30285212e325 100644
--- a/packetbeat/tests/system/golden/tls_1_3-expected.json
+++ b/packetbeat/tests/system/golden/tls_1_3-expected.json
@@ -7,14 +7,25 @@
 "destination.domain": "play.google.com",
 "destination.ip": "216.58.201.174",
 "destination.port": 443,
- "event.category": "network_traffic",
+ "event.category": [
+ "network_traffic",
+ "network"
+ ],
 "event.dataset": "tls",
 "event.duration": 12280000,
 "event.kind": "event",
+ "event.type": [
+ "connection",
+ "protocol"
+ ],
 "network.community_id": "1:hfsK5r0tJm7av4j7BtSxA6oH9xA=",
 "network.protocol": "tls",
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "related.ip": [
+ "192.168.1.36",
+ "216.58.201.174"
+ ],
 "server.domain": "play.google.com",
 "server.ip": "216.58.201.174",
 "server.port": 443,
diff --git a/packetbeat/tests/system/golden/tls_all_options-expected.json b/packetbeat/tests/system/golden/tls_all_options-expected.json
index 78d7f74f2a4c..f1ba1cf337df 100644
--- a/packetbeat/tests/system/golden/tls_all_options-expected.json
+++ b/packetbeat/tests/system/golden/tls_all_options-expected.json
@@ -7,14 +7,25 @@
 "destination.domain": "example.net",
 "destination.ip": "93.184.216.34",
 "destination.port": 443,
- "event.category": "network_traffic",
+ "event.category": [
+ "network_traffic",
+ "network"
+ ],
 "event.dataset": "tls",
 "event.duration": 364625000,
 "event.kind": "event",
+ "event.type": [
+ "connection",
+ "protocol"
+ ],
 "network.community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=",
 "network.protocol": "tls",
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "related.ip": [
+ "192.168.1.35",
+ "93.184.216.34"
+ ],
 "server.domain": "example.net",
 "server.ip": "93.184.216.34",
 "server.port": 443,
@@ -115,6 +126,7 @@
 ],
 "tls.detailed.server_certificate.issuer.common_name": "DigiCert SHA2 Secure Server CA",
 "tls.detailed.server_certificate.issuer.country": "US",
+ "tls.detailed.server_certificate.issuer.distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
 "tls.detailed.server_certificate.issuer.organization": "DigiCert Inc",
 "tls.detailed.server_certificate.not_after": "2020-12-02T12:00:00.000Z",
 "tls.detailed.server_certificate.not_before": "2018-11-28T00:00:00.000Z",
@@ -124,16 +136,20 @@
 "tls.detailed.server_certificate.signature_algorithm": "SHA256-RSA",
 "tls.detailed.server_certificate.subject.common_name": "www.example.org",
 "tls.detailed.server_certificate.subject.country": "US",
+ "tls.detailed.server_certificate.subject.distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
 "tls.detailed.server_certificate.subject.locality": "Los Angeles",
 "tls.detailed.server_certificate.subject.organization": "Internet Corporation for Assigned Names and Numbers",
 "tls.detailed.server_certificate.subject.organizational_unit": "Technology",
 "tls.detailed.server_certificate.subject.province": "California",
+ "tls.detailed.server_certificate.subject.state_or_province": "California",
 "tls.detailed.server_certificate.version": 3,
+ "tls.detailed.server_certificate.version_number": 3,
 "tls.detailed.server_certificate_chain": [
 {
 "issuer": {
 "common_name": "DigiCert Global Root CA",
 "country": "US",
+ "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
 "organization": "DigiCert Inc",
 "organizational_unit": "www.digicert.com"
 },
@@ -146,14 +162,17 @@
 "subject": {
 "common_name": "DigiCert SHA2 Secure Server CA",
 "country": "US",
+ "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
 "organization": "DigiCert Inc"
 },
- "version": 3
+ "version": 3,
+ "version_number": 3
 },
 {
 "issuer": {
 "common_name": "DigiCert Global Root CA",
 "country": "US",
+ "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
 "organization": "DigiCert Inc",
 "organizational_unit": "www.digicert.com"
 },
@@ -166,10 +185,12 @@
 "subject": {
 "common_name": "DigiCert Global Root CA",
 "country": "US",
+ "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US",
 "organization": "DigiCert Inc",
 "organizational_unit": "www.digicert.com"
 },
- "version": 3
+ "version": 3,
+ "version_number": 3
 }
 ],
 "tls.detailed.server_hello.extensions._unparsed_": [
@@ -203,6 +224,36 @@
 "tls.server.not_after": "2020-12-02T12:00:00.000Z",
 "tls.server.not_before": "2018-11-28T00:00:00.000Z",
 "tls.server.subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
+ "tls.server.x509.alternative_names": [
+ "www.example.org",
+ "example.com",
+ "example.edu",
+ "example.net",
+ "example.org",
+ "www.example.com",
+ "www.example.edu",
+ "www.example.net"
+ ],
+ "tls.server.x509.issuer.common_name": "DigiCert SHA2 Secure Server CA",
+ "tls.server.x509.issuer.country": "US",
+ "tls.server.x509.issuer.distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
+ "tls.server.x509.issuer.organization": "DigiCert Inc",
+ "tls.server.x509.not_after": "2020-12-02T12:00:00.000Z",
+ "tls.server.x509.not_before": "2018-11-28T00:00:00.000Z",
+ "tls.server.x509.public_key_algorithm": "RSA",
+ "tls.server.x509.public_key_size": 2048,
+ "tls.server.x509.serial_number": "21020869104500376438182461249190639870",
+ "tls.server.x509.signature_algorithm": "SHA256-RSA",
+ "tls.server.x509.subject.common_name": "www.example.org",
+ "tls.server.x509.subject.country": "US",
+ "tls.server.x509.subject.distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US",
+ "tls.server.x509.subject.locality": "Los Angeles",
+ "tls.server.x509.subject.organization": "Internet Corporation for Assigned Names and Numbers",
+ "tls.server.x509.subject.organizational_unit": "Technology",
+ "tls.server.x509.subject.province": "California",
+ "tls.server.x509.subject.state_or_province": "California",
+ "tls.server.x509.version": 3,
+ "tls.server.x509.version_number": 3,
 "tls.version": "1.2",
 "tls.version_protocol": "tls",
 "type": "tls"
diff --git a/packetbeat/tests/system/golden/tls_no_certs-expected.json b/packetbeat/tests/system/golden/tls_no_certs-expected.json
index e730de81c10c..3f4587b25868 100644
--- a/packetbeat/tests/system/golden/tls_no_certs-expected.json
+++ b/packetbeat/tests/system/golden/tls_no_certs-expected.json
@@ -7,14 +7,25 @@
 "destination.domain": "example.net",
 "destination.ip": "93.184.216.34",
 "destination.port": 443,
- "event.category": "network_traffic",
+ "event.category": [
+ "network_traffic",
+ "network"
+ ],
 "event.dataset": "tls",
 "event.duration": 364625000,
 "event.kind": "event",
+ "event.type": [
+ "connection",
+ "protocol"
+ ],
 "network.community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=",
 "network.protocol": "tls",
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "related.ip": [
+ "192.168.1.35",
+ "93.184.216.34"
+ ],
 "server.domain": "example.net",
 "server.ip": "93.184.216.34",
 "server.port": 443,
diff --git a/packetbeat/tests/system/golden/tls_not_detailed-expected.json b/packetbeat/tests/system/golden/tls_not_detailed-expected.json
index 4471fa2526b8..ae23944e0962 100644
--- a/packetbeat/tests/system/golden/tls_not_detailed-expected.json
+++ b/packetbeat/tests/system/golden/tls_not_detailed-expected.json
@@ -7,14 +7,25 @@
 "destination.domain": "example.net",
 "destination.ip": "93.184.216.34",
 "destination.port": 443,
- "event.category": "network_traffic",
+ "event.category": [
+ "network_traffic",
+ "network"
+ ],
 "event.dataset": "tls",
 "event.duration": 364625000,
 "event.kind": "event",
+ "event.type": [
+ "connection",
+ "protocol"
+ ],
 "network.community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=",
 "network.protocol": "tls",
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "related.ip": [
+ "192.168.1.35",
+ "93.184.216.34"
+ ],
 "server.domain": "example.net",
 "server.ip": "93.184.216.34",
 "server.port": 443,
diff --git a/packetbeat/tests/system/test_0040_memcache_tcp_bin_basic.py b/packetbeat/tests/system/test_0040_memcache_tcp_bin_basic.py
index 4e6a556bf18d..82d80d1f02f2 100644
--- a/packetbeat/tests/system/test_0040_memcache_tcp_bin_basic.py
+++ b/packetbeat/tests/system/test_0040_memcache_tcp_bin_basic.py
@@ -188,7 +188,7 @@ def test_delete(self):
 def test_stats(self):
 objs = self._run('memcache/memcache_bin_tcp_stats.pcap')
-
+ print(objs)
 # all transactions succeed
 assert all(o['status'] == 'OK' for o in objs)
diff --git a/packetbeat/tests/system/test_0050_icmp.py b/packetbeat/tests/system/test_0050_icmp.py
index 86d5c231290f..8500963aa9f7 100644
--- a/packetbeat/tests/system/test_0050_icmp.py
+++ b/packetbeat/tests/system/test_0050_icmp.py
@@ -7,7 +7,6 @@ def test_2_pings(self):
 self.render_config_template()
 self.run_packetbeat(pcap="icmp/icmp_2_pings.pcap", debug_selectors=["*"])
 objs = self.read_output()
- assert len(objs) == 2
 assert all([o["icmp.version"] == 4 for o in objs])
 assert objs[0]["@timestamp"] == "2015-10-19T21:47:49.900Z"
@@ -69,6 +68,8 @@ def test_icmp6_ping_over_vlan(self):
 def assert_common_fields(self, objs):
 assert all([o["type"] == "icmp" for o in objs])
 assert all([o["event.dataset"] == "icmp" for o in objs])
+ assert all([o["event.category"] == ['network_traffic', 'network'] for o in objs])
+ assert all([o["event.type"] == ["connection"] for o in objs])
 assert all([o["source.bytes"] == 4 for o in objs])
 assert all([o["destination.bytes"] == 4 for o in objs])
 assert all([("server.port" in o) == False for o in objs])
@@ -78,6 +79,7 @@ def assert_common_icmp4_fields(self, obj):
 assert obj["network.transport"] == "icmp"
 assert obj["server.ip"] == "10.0.0.2"
 assert obj["client.ip"] == "10.0.0.1"
+ assert obj["related.ip"] == ["10.0.0.1", "10.0.0.2"]
 assert obj["path"] == "10.0.0.2"
 assert obj["status"] == "OK"
 assert obj["icmp.request.message"] == "EchoRequest(0)"
diff --git a/packetbeat/tests/system/test_0051_amqp_publish.py b/packetbeat/tests/system/test_0051_amqp_publish.py
index cf7eeee717a0..5b4d1e4f7336 100644
--- a/packetbeat/tests/system/test_0051_amqp_publish.py
+++ b/packetbeat/tests/system/test_0051_amqp_publish.py
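Review bot: The `print(objs)` added to test_stats in place of the blank line reads as leftover debugging — it dumps every decoded transaction to stdout on each run and asserts nothing. Drop it and restore the blank line; if the decoded output is wanted when the test fails, attach it to the assertion instead, e.g. `assert all(o['status'] == 'OK' for o in objs), objs`. test_stats continues outside the hunk.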
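Review bot: Removing `assert len(objs) == 2` from test_2_pings leaves the following `all([...])` checks vacuously true on an empty result, so a capture that decodes no ICMP events would only fail later with an IndexError on `objs[0]` instead of a clear assertion. If the ECS update changed the number of emitted events, assert the new count rather than dropping the check, e.g. `assert len(objs) == <expected count>`. The rest of test_2_pings is outside the hunk.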
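Review bot: The new `event.category` assertion in assert_common_fields uses single-quoted strings, `['network_traffic', 'network']`, while the adjacent new `event.type` line and the rest of the file use double quotes; `["network_traffic", "network"]` keeps the file consistent. The same applies to every `assert all([...])` in this block, which could drop the list brackets and pass a generator to `all`, but that matches the surrounding pre-existing lines so it is a separate cleanup.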
@@ -1,33 +1,35 @@ -from packetbeat import BaseTest - - -class Test(BaseTest): - - def test_amqp_publish(self): - self.render_config_template( - amqp_ports=[5672], - amqp_send_request=True - ) - self.run_packetbeat(pcap="amqp_publish.pcap", - debug_selectors=["amqp,tcp,publish"]) - - objs = self.read_output() - assert all([o["type"] == "amqp" for o in objs]) - assert len(objs) == 2 - assert all([o["server.port"] == 5672 for o in objs]) - - assert objs[0]["method"] == "queue.declare" - assert objs[0]["status"] == "OK" - assert objs[0]["amqp.queue"] == "hello" - assert objs[0]["amqp.durable"] == False - assert objs[0]["amqp.auto-delete"] == False - assert objs[0]["amqp.exclusive"] == False - assert objs[0]["amqp.no-wait"] == False - - assert objs[1]["method"] == "basic.publish" - assert objs[1]["status"] == "OK" - assert objs[1]["request"] == "hello" - assert objs[1]["amqp.routing-key"] == "hello" - assert objs[1]["amqp.mandatory"] == False - assert objs[1]["amqp.immediate"] == False - assert objs[1]["amqp.content-type"] == "text/plain" +from packetbeat import BaseTest + + +class Test(BaseTest): + + def test_amqp_publish(self): + self.render_config_template( + amqp_ports=[5672], + amqp_send_request=True + ) + self.run_packetbeat(pcap="amqp_publish.pcap", + debug_selectors=["amqp,tcp,publish"]) + + objs = self.read_output() + assert all([o["type"] == "amqp" for o in objs]) + assert len(objs) == 2 + assert all([o["server.port"] == 5672 for o in objs]) + + assert objs[0]["method"] == "queue.declare" + assert objs[0]["event.action"] == "amqp.queue.declare" + assert objs[0]["status"] == "OK" + assert objs[0]["amqp.queue"] == "hello" + assert objs[0]["amqp.durable"] == False + assert objs[0]["amqp.auto-delete"] == False + assert objs[0]["amqp.exclusive"] == False + assert objs[0]["amqp.no-wait"] == False + + assert objs[1]["method"] == "basic.publish" + assert objs[1]["event.action"] == "amqp.basic.publish" + assert objs[1]["status"] == "OK" + assert objs[1]["request"] == 
"hello" + assert objs[1]["amqp.routing-key"] == "hello" + assert objs[1]["amqp.mandatory"] == False + assert objs[1]["amqp.immediate"] == False + assert objs[1]["amqp.content-type"] == "text/plain" diff --git a/packetbeat/tests/system/test_0052_amqp_emit_receive.py b/packetbeat/tests/system/test_0052_amqp_emit_receive.py index d06497985581..3b62a5da8fb9 100644 --- a/packetbeat/tests/system/test_0052_amqp_emit_receive.py +++ b/packetbeat/tests/system/test_0052_amqp_emit_receive.py 
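Review bot: Every line of test_0051_amqp_publish.py is removed and re-added although only the two `event.action` assertions are new, which suggests a line-ending or trailing-whitespace normalisation was committed together with the change (the same whole-file pattern appears in test_0052_amqp_emit_receive.py and test_0053_amqp_channel_error.py); doing that normalisation in its own commit would leave the reviewable diff at the added lines. On the re-added lines, boolean comparisons such as `assert objs[0]["amqp.durable"] == False` are flagged by flake8 (E712); `assert objs[0]["amqp.durable"] is False` pins both the value and the type since the field is decoded from JSON. The two new assertions themselves look correct for the methods they sit next to.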
@@ -1,69 +1,76 @@ -from packetbeat import BaseTest - - -class Test(BaseTest): - - def test_amqp_emit_receive(self): - self.render_config_template( - amqp_ports=[5672], - ) - self.run_packetbeat(pcap="amqp_emit_receive.pcap", - debug_selectors=["amqp,tcp,publish"]) - - objs = self.read_output() - assert all([o["type"] == "amqp" for o in objs]) - assert len(objs) == 7 - assert all([o["server.port"] == 5672 for o in objs]) - - assert objs[0]["method"] == "exchange.declare" - assert objs[0]["status"] == "OK" - assert objs[0]["amqp.exchange"] == "logs" - assert objs[0]["amqp.durable"] == True - assert objs[0]["amqp.exchange-type"] == "fanout" - assert objs[0]["amqp.passive"] == False - assert objs[0]["amqp.no-wait"] == False - - assert objs[1]["method"] == "queue.declare" - assert objs[1]["status"] == "OK" - assert objs[1]["amqp.queue"] != "" - assert objs[1]["amqp.exclusive"] == True - assert objs[1]["amqp.no-wait"] == False - assert objs[1]["amqp.durable"] == False - assert objs[1]["amqp.auto-delete"] == False - assert objs[1]["amqp.passive"] == False - - assert objs[2]["method"] == "queue.bind" - assert objs[2]["status"] == "OK" - assert objs[2]["amqp.queue"] != "" - assert objs[2]["amqp.exchange"] == "logs" - assert objs[2]["amqp.no-wait"] == False - - assert objs[3]["method"] == "basic.consume" - assert objs[3]["status"] == "OK" - assert objs[3]["amqp.queue"] != "" - assert objs[3]["amqp.no-ack"] == True - assert objs[3]["amqp.no-wait"] == False - assert objs[3]["amqp.no-local"] == False - assert objs[3]["amqp.exclusive"] == False - - assert objs[4]["method"] == "exchange.declare" - assert objs[4]["status"] == "OK" - assert objs[4]["amqp.exchange"] == "logs" - assert objs[4]["amqp.durable"] == True - assert objs[4]["amqp.exchange-type"] == "fanout" - assert objs[4]["amqp.passive"] == False - assert objs[4]["amqp.no-wait"] == False - - assert objs[5]["method"] == "basic.publish" - assert objs[5]["status"] == "OK" - assert objs[5]["amqp.content-type"] == "text/plain" 
- assert objs[5]["amqp.exchange"] == "logs" - assert objs[5]["amqp.immediate"] == False - assert objs[5]["amqp.mandatory"] == False - - assert objs[6]["method"] == "basic.deliver" - assert objs[6]["status"] == "OK" - assert objs[6]["amqp.content-type"] == "text/plain" - assert objs[6]["amqp.delivery-tag"] == 1 - assert objs[6]["amqp.exchange"] == "logs" - assert objs[6]["amqp.redelivered"] == False +from packetbeat import BaseTest + + +class Test(BaseTest): + + def test_amqp_emit_receive(self): + self.render_config_template( + amqp_ports=[5672], + ) + self.run_packetbeat(pcap="amqp_emit_receive.pcap", + debug_selectors=["amqp,tcp,publish"]) + + objs = self.read_output() + assert all([o["type"] == "amqp" for o in objs]) + assert len(objs) == 7 + assert all([o["server.port"] == 5672 for o in objs]) + + assert objs[0]["method"] == "exchange.declare" + assert objs[0]["event.action"] == "amqp.exchange.declare" + assert objs[0]["status"] == "OK" + assert objs[0]["amqp.exchange"] == "logs" + assert objs[0]["amqp.durable"] == True + assert objs[0]["amqp.exchange-type"] == "fanout" + assert objs[0]["amqp.passive"] == False + assert objs[0]["amqp.no-wait"] == False + + assert objs[1]["method"] == "queue.declare" + assert objs[1]["event.action"] == "amqp.queue.declare" + assert objs[1]["status"] == "OK" + assert objs[1]["amqp.queue"] != "" + assert objs[1]["amqp.exclusive"] == True + assert objs[1]["amqp.no-wait"] == False + assert objs[1]["amqp.durable"] == False + assert objs[1]["amqp.auto-delete"] == False + assert objs[1]["amqp.passive"] == False + + assert objs[2]["method"] == "queue.bind" + assert objs[2]["event.action"] == "amqp.queue.bind" + assert objs[2]["status"] == "OK" + assert objs[2]["amqp.queue"] != "" + assert objs[2]["amqp.exchange"] == "logs" + assert objs[2]["amqp.no-wait"] == False + + assert objs[3]["method"] == "basic.consume" + assert objs[3]["event.action"] == "amqp.basic.consume" + assert objs[3]["status"] == "OK" + assert objs[3]["amqp.queue"] != "" 
+ assert objs[3]["amqp.no-ack"] == True + assert objs[3]["amqp.no-wait"] == False + assert objs[3]["amqp.no-local"] == False + assert objs[3]["amqp.exclusive"] == False + + assert objs[4]["method"] == "exchange.declare" + assert objs[4]["event.action"] == "amqp.exchange.declare" + assert objs[4]["status"] == "OK" + assert objs[4]["amqp.exchange"] == "logs" + assert objs[4]["amqp.durable"] == True + assert objs[4]["amqp.exchange-type"] == "fanout" + assert objs[4]["amqp.passive"] == False + assert objs[4]["amqp.no-wait"] == False + + assert objs[5]["method"] == "basic.publish" + assert objs[5]["event.action"] == "amqp.basic.publish" + assert objs[5]["status"] == "OK" + assert objs[5]["amqp.content-type"] == "text/plain" + assert objs[5]["amqp.exchange"] == "logs" + assert objs[5]["amqp.immediate"] == False + assert objs[5]["amqp.mandatory"] == False + + assert objs[6]["method"] == "basic.deliver" + assert objs[6]["event.action"] == "amqp.basic.deliver" + assert objs[6]["status"] == "OK" + assert objs[6]["amqp.content-type"] == "text/plain" + assert objs[6]["amqp.delivery-tag"] == 1 + assert objs[6]["amqp.exchange"] == "logs" + assert objs[6]["amqp.redelivered"] == False diff --git a/packetbeat/tests/system/test_0053_amqp_channel_error.py b/packetbeat/tests/system/test_0053_amqp_channel_error.py index 6b9ab78ea9d7..13fc991af541 100644 --- a/packetbeat/tests/system/test_0053_amqp_channel_error.py +++ b/packetbeat/tests/system/test_0053_amqp_channel_error.py 
@@ -1,39 +1,42 @@ -from packetbeat import BaseTest - - -class Test(BaseTest): - - def test_amqp_channel_error(self): - self.render_config_template( - amqp_ports=[5672], - ) - self.run_packetbeat(pcap="amqp_channel_error.pcap", - debug_selectors=["amqp,tcp,publish"]) - - objs = self.read_output() - assert all([o["type"] == "amqp" for o in objs]) - assert len(objs) == 3 - - assert objs[0]["method"] == "exchange.declare" - assert objs[0]["status"] == "OK" - assert objs[0]["amqp.exchange"] == "titres" - assert objs[0]["amqp.durable"] == True - assert objs[0]["amqp.exchange-type"] == "fanout" - assert objs[0]["amqp.passive"] == False - assert objs[0]["amqp.no-wait"] == True - - assert objs[1]["method"] == "queue.declare" - assert objs[1]["status"] == "OK" - assert objs[1]["amqp.queue"] == "my_queue" - assert objs[1]["amqp.exclusive"] == True - assert objs[1]["amqp.no-wait"] == False - assert objs[1]["amqp.durable"] == False - assert objs[1]["amqp.auto-delete"] == False - assert objs[1]["amqp.passive"] == False - - assert objs[2]["method"] == "channel.close" - assert objs[2]["status"] == "Error" - assert objs[2]["amqp.reply-code"] == 404 - assert objs[2]["amqp.reply-text"] == "NOT_FOUND - no exchange 'plop' in vhost '/'" - assert objs[2]["amqp.class-id"] == 50 - assert objs[2]["amqp.method-id"] == 20 +from packetbeat import BaseTest + + +class Test(BaseTest): + + def test_amqp_channel_error(self): + self.render_config_template( + amqp_ports=[5672], + ) + self.run_packetbeat(pcap="amqp_channel_error.pcap", + debug_selectors=["amqp,tcp,publish"]) + + objs = self.read_output() + assert all([o["type"] == "amqp" for o in objs]) + assert len(objs) == 3 + + assert objs[0]["method"] == "exchange.declare" + assert objs[0]["event.action"] == "amqp.exchange.declare" + assert objs[0]["status"] == "OK" + assert objs[0]["amqp.exchange"] == "titres" + assert objs[0]["amqp.durable"] == True + assert objs[0]["amqp.exchange-type"] == "fanout" + assert objs[0]["amqp.passive"] == False + 
assert objs[0]["amqp.no-wait"] == True + + assert objs[1]["method"] == "queue.declare" + assert objs[1]["event.action"] == "amqp.queue.declare" + assert objs[1]["status"] == "OK" + assert objs[1]["amqp.queue"] == "my_queue" + assert objs[1]["amqp.exclusive"] == True + assert objs[1]["amqp.no-wait"] == False + assert objs[1]["amqp.durable"] == False + assert objs[1]["amqp.auto-delete"] == False + assert objs[1]["amqp.passive"] == False + + assert objs[2]["method"] == "channel.close" + assert objs[2]["event.action"] == "amqp.channel.close" + assert objs[2]["status"] == "Error" + assert objs[2]["amqp.reply-code"] == 404 + assert objs[2]["amqp.reply-text"] == "NOT_FOUND - no exchange 'plop' in vhost '/'" + assert objs[2]["amqp.class-id"] == 50 + assert objs[2]["amqp.method-id"] == 20