diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 375bf0e04f70..42bc36e8b31b 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -70,6 +70,9 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 *Packetbeat*
+- Use base-16 for reporting `serial_number` value in TLS fields in line with the ECS recommendation. {pull}41542[41542]
+
+- Expire source port mappings. {pull}41581[41581]
 *Winlogbeat*
diff --git a/packetbeat/protos/tls/parse.go b/packetbeat/protos/tls/parse.go
index dbe20d44bc4c..37e04a1e9a17 100644
--- a/packetbeat/protos/tls/parse.go
+++ b/packetbeat/protos/tls/parse.go
@@ -18,7 +18,7 @@
 package tls
 import (
- "crypto/dsa" //lint:ignore SA1019 Deprecated, but still used. So we have to handle it.
+ "crypto/dsa" //nolint:staticcheck // SA1019 Deprecated, but still used. So we have to handle it.
 "crypto/ecdsa"
 "crypto/rsa"
 "crypto/x509"
@@ -270,7 +270,7 @@ func (parser *parser) parse(buf *streambuf.Buffer) parserResult {
 debugf("handshake completed")
 }
 // discard remaining data for this stream (encrypted)
- buf.Advance(buf.Len())
+ _ = buf.Advance(buf.Len())
 return resultEncrypted
 case recordTypeHandshake:
@@ -300,7 +300,7 @@ func (parser *parser) parse(buf *streambuf.Buffer) parserResult {
 }
 }
- buf.Advance(limit)
+ _ = buf.Advance(limit)
 }
 if buf.Len() == 0 {
@@ -350,10 +350,10 @@ func (parser *parser) bufferHandshake(buf *streambuf.Buffer, length int) (err er
 }
 if !parser.parseHandshake(header.handshakeType, bufferView{&parser.handshakeBuf, handshakeHeaderSize, limit}) {
- parser.handshakeBuf.Advance(limit)
+ _ = parser.handshakeBuf.Advance(limit)
 return fmt.Errorf("bad handshake %+v", header)
 }
- parser.handshakeBuf.Advance(limit)
+ _ = parser.handshakeBuf.Advance(limit)
 }
 if parser.handshakeBuf.Len() == 0 {
 parser.handshakeBuf.Reset()
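Review bot: The `_ =` placed before `buf.Advance(limit)` in parse (hunk at line 300) discards the returned error without saying why that is safe, and the two `parser.handshakeBuf.Advance(limit)` calls in bufferHandshake (hunk at line 350) do the same. These lengths come from captured traffic, so if Advance can fail when `limit` exceeds the buffered bytes, the parser would continue from a position it never reached; whether an earlier bounds check rules that out cannot be seen here, because both function bodies start and end outside the hunks. If such a check exists, record it next to the call, e.g. `// limit was bounds-checked against the buffer length above, so Advance cannot fail`; if it does not, return a parse error instead of dropping it. The `buf.Advance(buf.Len())` call in the hunk at line 270 consumes exactly what is buffered and needs no more than a short comment saying so.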
@@ -639,7 +639,7 @@ func certToMap(cert *x509.Certificate) mapstr.M {
 certMap := mapstr.M{
 "signature_algorithm": cert.SignatureAlgorithm.String(),
 "public_key_algorithm": toString(cert.PublicKeyAlgorithm),
- "serial_number": cert.SerialNumber.Text(10),
+ "serial_number": strings.ToUpper(cert.SerialNumber.Text(16)),
 "issuer": toMap(&cert.Issuer),
 "subject": toMap(&cert.Subject),
 "not_before": cert.NotBefore,
diff --git a/packetbeat/protos/tls/parse_test.go b/packetbeat/protos/tls/parse_test.go
index 7ca71e607adf..6e9f22a3e969 100644
--- a/packetbeat/protos/tls/parse_test.go
+++ b/packetbeat/protos/tls/parse_test.go
@@ -302,7 +302,7 @@ func TestCertificates(t *testing.T) {
 "not_before": "2015-11-03 00:00:00 +0000 UTC",
 "public_key_algorithm": "RSA",
 "public_key_size": "2048",
- "serial_number": "19132437207909210467858529073412672688",
+ "serial_number": "E64C5FBC236ADE14B172AEB41C78CB0",
 "signature_algorithm": "SHA256-RSA",
 "issuer.common_name": "DigiCert SHA2 High Assurance Server CA",
 "issuer.country": "US",
diff --git a/packetbeat/protos/tls/tls_test.go b/packetbeat/protos/tls/tls_test.go
index 8d01e3bd1279..4874f90d01c6 100644
--- a/packetbeat/protos/tls/tls_test.go
+++ b/packetbeat/protos/tls/tls_test.go
@@ -26,8 +26,8 @@ import (
 "testing"
 "time"
- "github.com/google/go-cmp/cmp"
 "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
 "github.com/elastic/beats/v7/libbeat/beat"
 "github.com/elastic/beats/v7/libbeat/common"
@@ -312,7 +312,7 @@ func TestOCSPStatus(t *testing.T) {
 "not_after": time.Date(2035, 3, 4, 9, 0, 0, 0, time.UTC),
 "public_key_algorithm": "RSA",
 "public_key_size": 4096,
- "serial_number": "1492448539999078269498416841973088004758827",
+ "serial_number": "1121E97D5D37348C572C555A3A59B7B65D2B",
 "signature_algorithm": "SHA256-RSA",
 "subject": mapstr.M{
 "common_name": "Orange Devices PKI TV LAB CA",
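Review bot: `cert.SerialNumber.Text(16)` in certToMap prints the integer without leading zeros, so a serial whose first octet is below 0x10 comes out with an odd number of digits; the updated expectation in parse_test.go, `E64C5FBC236ADE14B172AEB41C78CB0`, is 31 characters long. Tools that render a serial octet by octet show a leading `0` for such a certificate, so an exact-match lookup of a serial from an indicator list or a CA record against this field can miss, and a negative serial, if the x509 parser in use lets one through, would be rendered with a `-` sign. If whole-octet output is wanted, `fmt.Sprintf("%X", cert.SerialNumber.Bytes())` gives it (the sign is dropped, and the test and golden values would change with it); otherwise a comment such as `// upper-case hex without leading zeros, as produced by big.Int.Text(16)` documents the format for people writing queries against the field. The body of certToMap continues outside the hunk.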
@@ -335,7 +335,7 @@ func TestOCSPStatus(t *testing.T) {
 "not_before": time.Date(2020, 3, 2, 17, 0, 0, 0, time.UTC),
 "public_key_algorithm": "RSA",
 "public_key_size": 4096,
- "serial_number": "1492246295378596931754418352553114016724120",
+ "serial_number": "112151567790FB40C755010CA9169CF4B498",
 "signature_algorithm": "SHA256-RSA",
 "subject": mapstr.M{
 "common_name": "Orange Devices Root LAB CA",
@@ -402,7 +402,7 @@ func TestOCSPStatus(t *testing.T) {
 "not_before": time.Date(2021, 6, 3, 13, 38, 16, 0, time.UTC),
 "public_key_algorithm": "ECDSA",
 "public_key_size": 256,
- "serial_number": "189790697042017246339292011338547986350262673379",
+ "serial_number": "213E825A875EB349390D11117C6C14F894135FE3",
 "signature_algorithm": "SHA256-RSA",
 "subject": mapstr.M{
 "common_name": "server2 test PKI TV LAB",
@@ -421,9 +421,7 @@ func TestOCSPStatus(t *testing.T) {
 }
 got := results.events[0].Fields
- if !cmp.Equal(got, want) {
- t.Errorf("unexpected result: %s", cmp.Diff(got, want))
- }
+ require.Equal(t, want, got)
 }
 func TestFragmentedHandshake(t *testing.T) {
diff --git a/packetbeat/tests/system/golden/established_tls-expected.json b/packetbeat/tests/system/golden/established_tls-expected.json
index ddd584bbfed9..4de1087b9385 100644
--- a/packetbeat/tests/system/golden/established_tls-expected.json
+++ b/packetbeat/tests/system/golden/established_tls-expected.json
@@ -127,7 +127,7 @@
 "not_before": "2013-03-08T12:00:00.000Z",
 "public_key_algorithm": "RSA",
 "public_key_size": 2048,
- "serial_number": "2646203786665923649276728595390119057",
+ "serial_number": "1FDA3EB6ECA75C888438B724BCFBC91",
 "signature_algorithm": "SHA256-RSA",
 "subject": {
 "common_name": "DigiCert SHA2 Secure Server CA",
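Review bot: `require.Equal(t, want, got)` at the end of TestOCSPStatus compares with reflect.DeepEqual, as far as testify's documented behaviour goes, whereas the removed `cmp.Equal` used the `Equal` method of values that have one, such as the `time.Time` entries under `not_before` and `not_after` in `want`. Two times for the same instant but carrying a different `Location` would now fail the test, which presumably passes today because both sides are built in UTC. A short comment above the assertion, e.g. `// require.Equal is strict about time.Time: fixtures must use time.UTC`, would spare the next person adding a fixture a confusing failure. The body of TestOCSPStatus starts outside the hunk.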
@@ -149,7 +149,7 @@
 "not_before": "2006-11-10T00:00:00.000Z",
 "public_key_algorithm": "RSA",
 "public_key_size": 2048,
- "serial_number": "10944719598952040374951832963794454346",
+ "serial_number": "83BE056904246B1A1756AC95991C74A",
 "signature_algorithm": "SHA1-RSA",
 "subject": {
 "common_name": "DigiCert Global Root CA",
@@ -204,7 +204,7 @@
 "tls.server.x509.not_before": "2018-11-28T00:00:00.000Z",
 "tls.server.x509.public_key_algorithm": "RSA",
 "tls.server.x509.public_key_size": 2048,
- "tls.server.x509.serial_number": "21020869104500376438182461249190639870",
+ "tls.server.x509.serial_number": "FD078DD48F1A2BD4D0F2BA96B6038FE",
 "tls.server.x509.signature_algorithm": "SHA256-RSA",
 "tls.server.x509.subject.common_name": "www.example.org",
 "tls.server.x509.subject.country": "US",
diff --git a/packetbeat/tests/system/golden/tls_all_options-expected.json b/packetbeat/tests/system/golden/tls_all_options-expected.json
index e8dcf374b1d9..95e9ebccdb2b 100644
--- a/packetbeat/tests/system/golden/tls_all_options-expected.json
+++ b/packetbeat/tests/system/golden/tls_all_options-expected.json
@@ -127,7 +127,7 @@
 "not_before": "2013-03-08T12:00:00.000Z",
 "public_key_algorithm": "RSA",
 "public_key_size": 2048,
- "serial_number": "2646203786665923649276728595390119057",
+ "serial_number": "1FDA3EB6ECA75C888438B724BCFBC91",
 "signature_algorithm": "SHA256-RSA",
 "subject": {
 "common_name": "DigiCert SHA2 Secure Server CA",
@@ -149,7 +149,7 @@
 "not_before": "2006-11-10T00:00:00.000Z",
 "public_key_algorithm": "RSA",
 "public_key_size": 2048,
- "serial_number": "10944719598952040374951832963794454346",
+ "serial_number": "83BE056904246B1A1756AC95991C74A",
 "signature_algorithm": "SHA1-RSA",
 "subject": {
 "common_name": "DigiCert Global Root CA",
@@ -211,7 +211,7 @@
 "tls.server.x509.not_before": "2018-11-28T00:00:00.000Z",
 "tls.server.x509.public_key_algorithm": "RSA",
 "tls.server.x509.public_key_size": 2048,
- "tls.server.x509.serial_number": "21020869104500376438182461249190639870",
+ "tls.server.x509.serial_number": "FD078DD48F1A2BD4D0F2BA96B6038FE",
 "tls.server.x509.signature_algorithm": "SHA256-RSA",
 "tls.server.x509.subject.common_name": "www.example.org",
 "tls.server.x509.subject.country": "US",