diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 24cffad8adea..309c70711504 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -57,6 +57,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Packetbeat* - Use /proc//comm for linux process names where possible. {pull}31527[31527] +- Move "protocol" term from event.category to event.type in SIP events. {pull}31599[31599] *Winlogbeat* diff --git a/packetbeat/_meta/sample_outputs/sip.json b/packetbeat/_meta/sample_outputs/sip.json index 4a57d85908ff..2f4dbbdeb462 100644 --- a/packetbeat/_meta/sample_outputs/sip.json +++ b/packetbeat/_meta/sample_outputs/sip.json @@ -8,7 +8,6 @@ "event.action": "sip_register", "event.category": [ "network", - "protocol", "authentication" ], "event.dataset": "sip", @@ -17,7 +16,8 @@ "event.original": "REGISTER sip:sip.cybercity.dk SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp112903503-43a64480192.168.1.2;rport\r\nFrom: ;tag=6bac55c\r\nTo: \r\nCall-ID: 578222729-4665d775@578222732-4665d772\r\nContact: ;expires=1200;q=0.500\r\nExpires: 1200\r\nCSeq: 75 REGISTER\r\nContent-Length: 0\r\nAuthorization: Digest username=\"voi18062\",realm=\"sip.cybercity.dk\",uri=\"sip:192.168.1.2\",nonce=\"1701b22972b90f440c3e4eb250842bb\",opaque=\"1701a1351f70795\",nc=\"00000001\",response=\"79a0543188495d288c9ebbe0c881abdc\"\r\nMax-Forwards: 70\r\nUser-Agent: Nero SIPPS IP Phone Version 2.0.51.16\r\n\r\n", "event.sequence": 75, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:dOa61R2NaaJsJlcFAiMIiyXX+Kk=", diff --git a/packetbeat/protos/sip/README.md b/packetbeat/protos/sip/README.md index 5e5962675a1d..8874fb3df0a8 100644 --- a/packetbeat/protos/sip/README.md +++ b/packetbeat/protos/sip/README.md 
@@ -52,7 +52,6 @@ SIP is a text-based protocol like HTTP. But SIP has various unique features like "event.action": "sip_register", "event.category": [ "network", - "protocol", "authentication" ], "event.dataset": "sip", @@ -61,7 +60,8 @@ SIP is a text-based protocol like HTTP. But SIP has various unique features like "event.original": "REGISTER sip:sip.cybercity.dk SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp112903503-43a64480192.168.1.2;rport\r\nFrom: ;tag=6bac55c\r\nTo: \r\nCall-ID: 578222729-4665d775@578222732-4665d772\r\nContact: ;expires=1200;q=0.500\r\nExpires: 1200\r\nCSeq: 75 REGISTER\r\nContent-Length: 0\r\nAuthorization: Digest username=\"voi18062\",realm=\"sip.cybercity.dk\",uri=\"sip:192.168.1.2\",nonce=\"1701b22972b90f440c3e4eb250842bb\",opaque=\"1701a1351f70795\",nc=\"00000001\",response=\"79a0543188495d288c9ebbe0c881abdc\"\r\nMax-Forwards: 70\r\nUser-Agent: Nero SIPPS IP Phone Version 2.0.51.16\r\n\r\n", "event.sequence": 75, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:dOa61R2NaaJsJlcFAiMIiyXX+Kk=", diff --git a/packetbeat/protos/sip/plugin.go b/packetbeat/protos/sip/plugin.go index bdd93d241170..4ed77b4f2d0a 100644 --- a/packetbeat/protos/sip/plugin.go +++ b/packetbeat/protos/sip/plugin.go @@ -147,7 +147,7 @@ func newParsingInfo(pkt *protos.Packet) *parsingInfo { } } -func (p *plugin) buildEvent(m *message, pkt *protos.Packet) (*beat.Event, error) { +func (p *plugin) buildEvent(m *message, _ *protos.Packet) (*beat.Event, error) { status := common.OK_STATUS if m.statusCode >= 400 { status = common.ERROR_STATUS 
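Review bot: The blank identifier in `buildEvent(m *message, _ *protos.Packet)` keeps an argument that the function no longer reads, so every caller still passes a packet that is discarded. If nothing requires the two-argument shape (the callers are not visible in this hunk), the signature could be reduced to `func (p *plugin) buildEvent(m *message) (*beat.Event, error)`. Otherwise a short comment such as `// The packet argument is unused; it is retained only to keep existing call sites unchanged.` would show that the dead parameter is deliberate. The body of buildEvent continues past the end of the hunk.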
@@ -259,6 +259,7 @@ func (p *plugin) populateHeadersFields(m *message, evt beat.Event, pbf *pb.Field } } +//nolint:dupl // These are not readily refactorable in the short term as the ProtocolFields is constrained to be flat. func populateFromFields(m *message, pbf *pb.Fields, fields *ProtocolFields) { if len(m.from) > 0 { displayInfo, uri, params := parseFromToContact(m.from) @@ -277,6 +278,7 @@ func populateFromFields(m *message, pbf *pb.Fields, fields *ProtocolFields) { } } +//nolint:dupl // These are not readily refactorable in the short term as the ProtocolFields is constrained to be flat. func populateToFields(m *message, pbf *pb.Fields, fields *ProtocolFields) { if len(m.to) > 0 { displayInfo, uri, params := parseFromToContact(m.to) @@ -318,7 +320,7 @@ func populateContactFields(m *message, pbf *pb.Fields, fields *ProtocolFields) { func (p *plugin) populateEventFields(m *message, pbf *pb.Fields, fields ProtocolFields) { pbf.Event.Kind = "event" - pbf.Event.Type = []string{"info"} + pbf.Event.Type = []string{"info", "protocol"} pbf.Event.Dataset = "sip" pbf.Event.Sequence = int64(fields.CseqCode) @@ -331,7 +333,7 @@ func (p *plugin) populateEventFields(m *message, pbf *pb.Fields, fields Protocol pbf.Event.Original = string(m.rawData) } - pbf.Event.Category = []string{"network", "protocol"} + pbf.Event.Category = []string{"network"} if _, found := m.headers["authorization"]; found { pbf.Event.Category = append(pbf.Event.Category, "authentication") } diff --git a/packetbeat/tests/system/golden/sip-expected.json b/packetbeat/tests/system/golden/sip-expected.json index 7b133413af36..6521ad40c4d6 100644 --- a/packetbeat/tests/system/golden/sip-expected.json +++ b/packetbeat/tests/system/golden/sip-expected.json @@ -8,8 +8,7 @@ "destination.port": 5060, "event.action": "sip-invite", "event.category": [ - "network", - "protocol" + "network" ], "event.dataset": "sip", "event.duration": 0, 
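Review bot: The `//nolint:dupl` directives on populateFromFields and populateToFields (this hunk and the one at -277) accept two hand-maintained copies of the same header-population logic, and both copies process headers taken from captured traffic. A correction made to one copy can silently miss the other, so the justification would be more useful if it named the coupling, for example `//nolint:dupl // Mirrors populateToFields; keep both in sync until ProtocolFields can be nested.` with the matching wording on the other function. A table-driven test that feeds the same malformed header value through the From and To paths would catch drift between them. Both function bodies extend beyond their hunks.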
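Review bot: Moving `"protocol"` into `pbf.Event.Type` changes which field matches for anything downstream that filters SIP events on `event.category: protocol`; saved searches, dashboards and detection rules keyed on the old placement stop matching without any error. The changelog line in this commit records the move, but whether it sits under a breaking-changes heading is not visible here and is worth confirming. A comment at the assignment such as `// ECS allows "protocol" as an event.type value, not as an event.category value.` would keep the value from being moved back later. populateEventFields continues past the end of the hunk.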
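Review bot: After this change the category list starts as `[]string{"network"}` and gains `"authentication"` only when a header keyed `authorization` exists, so SIP requests that carry `Proxy-Authorization` appear to stay outside queries on `event.category: authentication` (header normalisation happens outside this hunk, so this is inferred). If proxy authentication should count, the guard could read `_, a := m.headers["authorization"]`, `_, pa := m.headers["proxy-authorization"]`, `if a || pa {`. Separately, the line above stores `string(m.rawData)` in `event.original`, and the sample outputs in this commit show that this includes the full `Authorization: Digest` line with username, nonce and response. The condition guarding that assignment is outside the hunk, so confirm it is opt-in and documented as carrying credential-derived data. populateEventFields starts before this hunk.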
@@ -17,7 +16,8 @@ "event.original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-0\r\nFrom: \"DVI4/8000\" ;tag=1\r\nTo: test \r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 123\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 5\r\na=rtpmap:5 DVI4/8000\r\na=recvonly\r\n", "event.sequence": 1, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", @@ -96,8 +96,7 @@ "destination.port": 5060, "event.action": "sip-invite", "event.category": [ - "network", - "protocol" + "network" ], "event.dataset": "sip", "event.duration": 0, @@ -106,7 +105,8 @@ "event.reason": "Trying", "event.sequence": 1, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", @@ -166,8 +166,7 @@ "destination.port": 5060, "event.action": "sip-invite", "event.category": [ - "network", - "protocol" + "network" ], "event.dataset": "sip", "event.duration": 0, @@ -177,7 +176,8 @@ "event.reason": "OK", "event.sequence": 1, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", @@ -277,8 +277,7 @@ "destination.port": 5060, "event.action": "sip-ack", "event.category": [ - "network", - "protocol" + "network" ], "event.dataset": "sip", "event.duration": 0, 
@@ -286,7 +285,8 @@ "event.original": "ACK sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2187-1-5\r\nFrom: \"DVI4/8000\" ;tag=1\r\nTo: test ;tag=e2jv529vDZ3eQ\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 1 ACK\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n", "event.sequence": 1, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", @@ -357,8 +357,7 @@ "destination.port": 5060, "event.action": "sip-bye", "event.category": [ - "network", - "protocol" + "network" ], "event.dataset": "sip", "event.duration": 0, @@ -366,7 +365,8 @@ "event.original": "BYE sip:sipp@10.0.2.20:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKDQ7XK6BBH57ya\r\nMax-Forwards: 70\r\nFrom: test ;tag=e2jv529vDZ3eQ\r\nTo: \"DVI4/8000\" ;tag=1\r\nCall-ID: 1-2187@10.0.2.20\r\nCSeq: 99750433 BYE\r\nUser-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit\r\nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE\r\nSupported: timer, path, replaces\r\nReason: Q.850;cause=16;text=\"NORMAL_CLEARING\"\r\nContent-Length: 0\r\n\r\n", "event.sequence": 99750433, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", @@ -452,8 +452,7 @@ "destination.port": 5060, "event.action": "sip-bye", "event.category": [ - "network", - "protocol" + "network" ], "event.dataset": "sip", "event.duration": 0, @@ -463,7 +462,8 @@ "event.reason": "OK", "event.sequence": 99750433, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", @@ -529,8 +529,7 @@ "destination.port": 5060, "event.action": "sip-invite", "event.category": [ - "network", - "protocol" + "network" ], "event.dataset": "sip", "event.duration": 0, 
@@ -538,7 +537,8 @@ "event.original": "INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2189-1-0\r\nFrom: \"DVI4/16000\" ;tag=1\r\nTo: test \r\nCall-ID: 1-2189@10.0.2.20\r\nCSeq: 1 INVITE\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Type: application/sdp\r\nContent-Length: 124\r\n\r\nv=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 6\r\na=rtpmap:6 DVI4/16000\r\na=recvonly\r\n", "event.sequence": 1, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", @@ -617,8 +617,7 @@ "destination.port": 5060, "event.action": "sip-invite", "event.category": [ - "network", - "protocol" + "network" ], "event.dataset": "sip", "event.duration": 0, @@ -627,7 +626,8 @@ "event.reason": "Trying", "event.sequence": 1, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", @@ -687,8 +687,7 @@ "destination.port": 5060, "event.action": "sip-invite", "event.category": [ - "network", - "protocol" + "network" ], "event.dataset": "sip", "event.duration": 0, @@ -698,7 +697,8 @@ "event.reason": "OK", "event.sequence": 1, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", @@ -798,8 +798,7 @@ "destination.port": 5060, "event.action": "sip-ack", "event.category": [ - "network", - "protocol" + "network" ], "event.dataset": "sip", "event.duration": 0, 
@@ -807,7 +806,8 @@ "event.original": "ACK sip:test@10.0.2.15:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2189-1-5\r\nFrom: \"DVI4/16000\" ;tag=1\r\nTo: test ;tag=FBcN7Xt0a8S1j\r\nCall-ID: 1-2189@10.0.2.20\r\nCSeq: 1 ACK\r\nContact: sip:sipp@10.0.2.20:5060\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n", "event.sequence": 1, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", @@ -878,8 +878,7 @@ "destination.port": 5060, "event.action": "sip-bye", "event.category": [ - "network", - "protocol" + "network" ], "event.dataset": "sip", "event.duration": 0, @@ -887,7 +886,8 @@ "event.original": "BYE sip:sipp@10.0.2.20:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKe00pN1veeeyHp\r\nMax-Forwards: 70\r\nFrom: test ;tag=FBcN7Xt0a8S1j\r\nTo: \"DVI4/16000\" ;tag=1\r\nCall-ID: 1-2189@10.0.2.20\r\nCSeq: 99750437 BYE\r\nUser-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit\r\nAllow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE\r\nSupported: timer, path, replaces\r\nReason: Q.850;cause=16;text=\"NORMAL_CLEARING\"\r\nContent-Length: 0\r\n\r\n", "event.sequence": 99750437, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", @@ -973,8 +973,7 @@ "destination.port": 5060, "event.action": "sip-bye", "event.category": [ - "network", - "protocol" + "network" ], "event.dataset": "sip", "event.duration": 0, @@ -984,7 +983,8 @@ "event.reason": "OK", "event.sequence": 99750437, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:xDRQZvk3ErEhBDslXv1c6EKI804=", diff --git a/packetbeat/tests/system/golden/sip_authenticated_register-expected.json b/packetbeat/tests/system/golden/sip_authenticated_register-expected.json index 0a582c42b35b..e888b0904a57 100644 
--- a/packetbeat/tests/system/golden/sip_authenticated_register-expected.json +++ b/packetbeat/tests/system/golden/sip_authenticated_register-expected.json @@ -9,7 +9,6 @@ "event.action": "sip-register", "event.category": [ "network", - "protocol", "authentication" ], "event.dataset": "sip", @@ -18,7 +17,8 @@ "event.original": "REGISTER sip:sip.cybercity.dk SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bKnp112903503-43a64480192.168.1.2;rport\r\nFrom: ;tag=6bac55c\r\nTo: \r\nCall-ID: 578222729-4665d775@578222732-4665d772\r\nContact: ;expires=1200;q=0.500\r\nExpires: 1200\r\nCSeq: 75 REGISTER\r\nContent-Length: 0\r\nAuthorization: Digest username=\"voi18062\",realm=\"sip.cybercity.dk\",uri=\"sip:192.168.1.2\",nonce=\"1701b22972b90f440c3e4eb250842bb\",opaque=\"1701a1351f70795\",nc=\"00000001\",response=\"79a0543188495d288c9ebbe0c881abdc\"\r\nMax-Forwards: 70\r\nUser-Agent: Nero SIPPS IP Phone Version 2.0.51.16\r\n\r\n", "event.sequence": 75, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:dOa61R2NaaJsJlcFAiMIiyXX+Kk=", @@ -85,8 +85,7 @@ "destination.port": 5060, "event.action": "sip-register", "event.category": [ - "network", - "protocol" + "network" ], "event.dataset": "sip", "event.duration": 0, @@ -95,7 +94,8 @@ "event.reason": "Trying", "event.sequence": 75, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:dOa61R2NaaJsJlcFAiMIiyXX+Kk=", @@ -148,8 +148,7 @@ "destination.port": 5060, "event.action": "sip-register", "event.category": [ - "network", - "protocol" + "network" ], "event.dataset": "sip", "event.duration": 0, @@ -159,7 +158,8 @@ "event.reason": "OK", "event.sequence": 75, "event.type": [ - "info" + "info", + "protocol" ], "network.application": "sip", "network.community_id": "1:dOa61R2NaaJsJlcFAiMIiyXX+Kk=",