-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added dns.question.top_level_domain and dns.question.subdomain ecs field #14578
Added dns.question.top_level_domain and dns.question.subdomain ecs field #14578
Conversation
Added fields recently added to the elastic common schema to packeteat dns output.
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
1 similar comment
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
How do I fix this? ` goroutine 1 [running]: ` |
jenkins, test this |
Thanks @mbudge! @andrewkroh or @adriansr can you guys take a look? |
Please can someone help with this? Thanks |
Pinging @elastic/siem (Team:SIEM) |
Updated the change log. |
Found a bug in the subdomain extract https://play.golang.org/p/xydzQ0thVBg fmt.Println(strings.TrimRight("news.joules.com", "joules.com")) |
Fixes a bug where some subdomains where missing characters.
I found the code didn't handle domains like gov.ky because it threw an error. The code only runs if the error contains "cannot derive eTLD+1 for domain", 1 dot and the top_level_domain string to the right of the dot isn't empty.
Here's an example in Go playground https://play.golang.org/p/Kn3PQ70OGp0 |
…th 1 dot in the domain. Changed eTLDPlusOne to q.Name // Handle publicsuffix.EffectiveTLDPlusOne eTLD+1 error with 1 dot in the domain.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here's my take on some utility methods for getting at the tld, etld, registered domain, and subdomain. https://play.golang.org/p/x0sUqRePN7-
One difference from what this does today is that no longer considers private suffixes in the PSL when getting the ETLD.
packetbeat/protos/dns/dns.go
Outdated
@@ -501,6 +501,23 @@ func addDNSToMapStr(m common.MapStr, dns *mkdns.Msg, authority bool, additional | |||
// etld_plus_one should be removed for 8.0.0. | |||
qMapStr["etld_plus_one"] = eTLDPlusOne | |||
qMapStr["registered_domain"] = eTLDPlusOne | |||
|
|||
if eTLDPlusOne != "" && strings.Contains(eTLDPlusOne, ".") { | |||
topLevelDomain := strings.Join(strings.Split(eTLDPlusOne, ".")[1:], ".") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Splitting and then re-joining seems inefficient. I think it could slice up the eTLDPlusOne string by finding the index of the first dot.
packetbeat/protos/dns/dns.go
Outdated
qMapStr["subdomain"] = subdomain | ||
} | ||
} | ||
} else if strings.Contains(err.Error(), "cannot derive eTLD+1 for domain") && strings.Count(q.Name, ".") == 1 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Matching error strings is really error prone because the error can change upstream without notice. Is there a way you can do this without matching the error string?
I've removed the string.contains eTLD+1 error as it doesn't matter what the error is. Also replaced strings.split with strings.indexbyte. The helper functions would be good in a shared library so they can be accessed by all the beats agents. I've added the top_level_domain and registered_domain to all the ECS domain fields. It's only sub-domain which is dns only in ECS. |
jenkins, test this |
…elds (elastic#14578) Added the following fields to packetbeat dns.question.subdomain dns.question.top_level_domain Co-authored-by: Adrian Serrano <[email protected]> (cherry picked from commit bd1d277)
…elds (#14578) (#17127) Added the following fields to packetbeat dns.question.subdomain dns.question.top_level_domain Co-authored-by: Adrian Serrano <[email protected]> Co-authored-by: mbudge <[email protected]> (cherry picked from commit bd1d277)
Added fields recently added to the elastic common schema to packeteat dns output.
Added the following fields to packetbeat
I tried adding unit tests for these fields but you might want to check that.
I also can't find the fields.yml file to define the exported packetbeat fields in the documentation.
Also not sure how to update the change log to document updates to packetbeat.
Here is an example of the code to get the top_level_domain and the subdomain.
`
`
The top_level_domain field removes the PlusOne to get the TLD (org, net, com etc)
The subdomain field is the full question name, minus the eTLDPlusOne/Registered_Domain with dots trimmed. If the value isn't an empty string then a subdomain is present.
Elastic common schema fields
Add dns.question.subdomain field #574
elastic/ecs#574
Added top_level_domain #572
elastic/ecs#572
Both the top_level_domain and subdomain are useful for security analytics (discussed in the linked ECS pull requests in more detail).