Don't set dns.resolved_ip with invalid IP addresses (#18436)

andrewkroh · web-flow · commit ecd0f72375e5 · 2020-05-12T19:10:28.000-04:00
Sometimes the DNS IP addresses from Sysmon in `winlog.event_data.QueryResults` are truncated. The leads to mapping exceptions since the value is not of type `ip` in Elasticsearch. To fix this the module will now filter any results that are not valid IP addresses. Fixes #18432
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -186,6 +186,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Winlogbeat*
 
+- Fix invalid IP addresses in DNS query results from Sysmon data. {issue}18432[18432] {pull}18436{18436}
 
 *Functionbeat*
 
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -16,6 +16,7 @@ var sysmon = (function () {
     var path = require("path");
     var processor = require("processor");
     var winlogbeat = require("winlogbeat");
+    var net = require("net");
 
     // Windows error codes for DNS. This list was generated using
     // 'go run gen_dns_error_codes.go'.
@@ -432,17 +433,19 @@ var sysmon = (function () {
             } else {
                 // Convert V4MAPPED addresses.
                 answer = answer.replace("::ffff:", "");
-                ips.push(answer);
+                if (net.isIP(answer)) {
+                    ips.push(answer);
 
-                // Synthesize record type based on IP address type.
-                var type = "A";
-                if (answer.indexOf(":") !== -1) {
-                    type = "AAAA";
+                    // Synthesize record type based on IP address type.
+                    var type = "A";
+                    if (answer.indexOf(":") !== -1) {
+                        type = "AAAA";
+                    }
+                    answers.push({
+                        type: type,
+                        data: answer,
+                    });
                 }
-                answers.push({
-                    type: type,
-                    data: answer,
-                });
             }
         }
 
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json
@@ -13341,10 +13341,6 @@
         {
           "data": "2001:502:7094::30",
           "type": "AAAA"
-        },
-        {
-          "data": "192.5",
-          "type": "A"
         }
       ],
       "question": {
@@ -13403,8 +13399,7 @@
         "192.43.172.30",
         "2001:503:39c1::30",
         "192.48.79.30",
-        "2001:502:7094::30",
-        "192.5"
+        "2001:502:7094::30"
       ]
     },
     "event": {

Original file line number	Diff line number	Diff line change
`@@ -186,6 +186,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d`
`186`	`186`
`187`	`187`	`Winlogbeat`
`188`	`188`
	`189`	`+- Fix invalid IP addresses in DNS query results from Sysmon data. {issue}18432[18432] {pull}18436{18436}`
`189`	`190`
`190`	`191`	`Functionbeat`
`191`	`192`