Add system test for Zeek FTP, OCSP (elastic#676)
* Add system test for Zeek FTP

This adds a system test for the Zeek FTP data stream.

There were missing fields for
- network.protocol
- network.transport

* Add system test for Zeek OCSP

This adds a system test for the Zeek OCSP data stream.

One field, zeek.ocsp.revoke.date, was incorrectly named in fields.yml.
andrewkroh authored Feb 9, 2021
1 parent 6ccd2bb commit 51d50a1
Showing 8 changed files with 28 additions and 3 deletions.
3 changes: 3 additions & 0 deletions packages/zeek/_dev/deploy/docker/sample_logs/ftp.log
@@ -0,0 +1,3 @@
{"ts":1187379104.955342,"uid":"CpQoCn3o28tke89zv9","id.orig_h":"192.168.1.182","id.orig_p":62014,"id.resp_h":"192.168.1.231","id.resp_p":21,"user":"ftp","password":"ftp","command":"EPSV","reply_code":229,"reply_msg":"Entering Extended Passive Mode (|||37100|)","data_channel.passive":true,"data_channel.orig_h":"192.168.1.182","data_channel.resp_h":"192.168.1.231","data_channel.resp_p":37100}
{"ts":1187379105.01948,"uid":"CpQoCn3o28tke89zv9","id.orig_h":"192.168.1.182","id.orig_p":62014,"id.resp_h":"192.168.1.231","id.resp_p":21,"user":"ftp","password":"ftp","command":"RETR","arg":"ftp://192.168.1.231/resume.doc","file_size":39424,"reply_code":226,"reply_msg":"Transfer complete."}
{"ts":1187379117.579203,"uid":"CpQoCn3o28tke89zv9","id.orig_h":"192.168.1.182","id.orig_p":62014,"id.resp_h":"192.168.1.231","id.resp_p":21,"user":"ftp","password":"ftp","command":"STOR","arg":"ftp://192.168.1.231/uploads/README","reply_code":226,"reply_msg":"Transfer complete."}
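Review bot: all three sample records carry the cleartext credential pair `"user":"ftp","password":"ftp"`, and the commit message says this test surfaced undocumented fields; confirm that the pipeline either drops `password` or maps it deliberately, since a system test that ingests this file will otherwise index a credential value and silently accept whatever the pipeline does with it. Coverage-wise the file is good: only the `EPSV` record carries `data_channel.*` fields, so both the data-channel and plain-command paths are exercised.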
2 changes: 2 additions & 0 deletions packages/zeek/_dev/deploy/docker/sample_logs/ocsp.log
@@ -0,0 +1,2 @@
{"ts":1307712421.847886,"id":"FSEWoS3ff8FcTn3WLf","hashAlgorithm":"sha1","issuerNameHash":"14A7E219F46B93E141258F08BC85764671F136B0","issuerKeyHash":"EEDD79C0D379B04D7E47BC70A6E7C62AAEBADEC9","serialNumber":"9239D5348F40D1695A745470E1F23F43","certStatus":"revoked","revoketime":1300220120.0,"thisUpdate":1307640343.0,"nextUpdate":1307985943.0}
{"ts":1307562416.100084,"id":"FdZBFMEYgAErVhoC8","hashAlgorithm":"sha1","issuerNameHash":"6C2BC55AAF8D96BF60ADF81D023F23B48A0059C2","issuerKeyHash":"A5EF0B11CEC04103A34A659048B21CE0572D7D47","serialNumber":"30119E6EF41BDBA3FEFE711DBE8F6191","certStatus":"good","thisUpdate":1307549998.0,"nextUpdate":1308154798.0}
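Review bot: the first record uses the Zeek source name `revoketime`, while the fields.yml hunk later in this commit renames the documented field to `revoke.date`; confirm the ingest pipeline (not touched here) already emits `zeek.ocsp.revoke.date` from `revoketime`, otherwise the system test will flag the field as undocumented again. The second record (`certStatus` `good`, no `revoketime`) covers the non-revoked branch, so both status paths are exercised.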
@@ -0,0 +1,6 @@
vars:
base_paths:
- "{{SERVICE_LOGS_DIR}}"
input: logfile
data_stream:
vars: ~
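Review bot: the rendered page has flattened the YAML indentation and omitted this file's name, so read the hunk as `vars.base_paths` and `data_stream.vars`. `base_paths` points at the whole `{{SERVICE_LOGS_DIR}}` directory, which in this commit holds both `ftp.log` and `ocsp.log`; confirm the data stream's own path pattern narrows the input to its own file so the FTP pipeline is not fed OCSP records (and vice versa).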
6 changes: 6 additions & 0 deletions packages/zeek/data_stream/ftp/fields/ecs.yml
@@ -197,3 +197,9 @@
type: text
name: user.name
type: keyword
- name: network.protocol
type: keyword
description: L7 Network protocol name.
- name: network.transport
type: keyword
description: Protocol Name corresponding to the field `iana_number`.
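Review bot: the `network.transport` description refers to "the field `iana_number`", but nothing in this hunk defines `network.iana_number` for the data stream; either add that field if the pipeline sets it, or trim the description to the first clause (`Protocol Name`) so the docs do not point at a field readers cannot find. The two definitions otherwise match the README rows added later in the commit.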
@@ -0,0 +1,6 @@
vars:
base_paths:
- "{{SERVICE_LOGS_DIR}}"
input: logfile
data_stream:
vars: ~
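Review bot: this hunk is byte-for-byte the same as the earlier unnamed test config, so the same question applies: with `base_paths` set to the shared `{{SERVICE_LOGS_DIR}}`, the data stream's path pattern is what keeps each test reading only its own sample file.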
2 changes: 1 addition & 1 deletion packages/zeek/data_stream/ocsp/fields/fields.yml
@@ -34,7 +34,7 @@
- name: revoke
type: group
fields:
- name: time
- name: date
type: date
description: |
Time at which the certificate was revoked.
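Review bot: the `-`/`+` markers are lost on this page, so `- name: time` is the removed line and `- name: date` the added one under the `revoke` group. Per the commit message this is a documentation correction (the pipeline already emitted `revoke.date`), which also means any saved search or visualization written against `zeek.ocsp.revoke.time` never matched data; a changelog line naming the old and new field would help anyone hunting for that.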
4 changes: 3 additions & 1 deletion packages/zeek/docs/README.md
@@ -842,6 +842,8 @@ activity.
| log.flags | Flags for the log file. | keyword |
| log.offset | Offset of the entry in the log file. | long |
| network.community_id | A hash of source and destination IPs and ports. | keyword |
| network.protocol | L7 Network protocol name. | keyword |
| network.transport | Protocol Name corresponding to the field `iana_number`. | keyword |
| related.ip | All of the IPs seen on your event. | ip |
| related.user | All the user names seen on your event. | keyword |
| source.address | Source network address. | keyword |
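Review bot: the two added rows mirror the ecs.yml hunk word for word, which is what you want; if this README is generated from the field files, make sure the rows came from a regeneration rather than a hand edit so the table and the field definitions cannot drift apart.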
@@ -1802,8 +1804,8 @@ Online Certificate Status Protocol (OCSP) data.
| zeek.ocsp.hash.algorithm | Hash algorithm used to generate issuerNameHash and issuerKeyHash. | keyword |
| zeek.ocsp.hash.issuer.key | Hash of the issuer's public key. | keyword |
| zeek.ocsp.hash.issuer.name | Hash of the issuer's distingueshed name. | keyword |
| zeek.ocsp.revoke.date | Time at which the certificate was revoked. | date |
| zeek.ocsp.revoke.reason | Reason for which the certificate was revoked. | keyword |
| zeek.ocsp.revoke.time | Time at which the certificate was revoked. | date |
| zeek.ocsp.serial_number | Serial number of the affected certificate. | keyword |
| zeek.ocsp.status | Status of the affected certificate. | keyword |
| zeek.ocsp.update.next | The latest time at which new information about the status of the certificate will be available. | date |
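Review bot: the unchanged context row `Hash of the issuer's distingueshed name.` has a typo (`distinguished`); it is outside this change, but since the README mirrors the field descriptions it should be fixed at the source in fields.yml in a follow-up. The `zeek.ocsp.revoke.date` row replacing `zeek.ocsp.revoke.time` is consistent with the fields.yml hunk.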
2 changes: 1 addition & 1 deletion packages/zeek/manifest.yml
@@ -1,6 +1,6 @@
name: zeek
title: Zeek
version: 0.5.0
version: 0.5.1
release: beta
description: Zeek Integration
type: integration
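Review bot: the bump from 0.5.0 to 0.5.1 fits a field rename plus added tests, but none of the 8 changed files is a changelog; if the package keeps one, add an entry recording the `zeek.ocsp.revoke.time` to `zeek.ocsp.revoke.date` rename so users upgrading can find the change.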