Skip to content

[snort] Format {source,destination}.mac per ECS#3301

Merged
andrewkroh merged 10 commits intoelastic:mainfrom
andrewkroh:snort/format-macs
May 10, 2022
Merged

[snort] Format {source,destination}.mac per ECS#3301
andrewkroh merged 10 commits intoelastic:mainfrom
andrewkroh:snort/format-macs

Conversation

@andrewkroh
Copy link
Member

@andrewkroh andrewkroh commented May 9, 2022

What does this PR do?

Format the {source,destination}.mac field as per ECS (https://www.elastic.co/guide/en/ecs/current/ecs-observer.html#field-observer-mac).

The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.

Also add missing mappings for ECS event fields:

  • event.category
  • event.created
  • event.kind
  • event.original
  • event.timezone
  • event.type

lint was failing so I added type: date to the @timestamp. Issue reported in elastic/elastic-package#749.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

andrewkroh added 9 commits May 9, 2022 11:47
@andrewkroh
Sort ecs.yml
7328c82 
[git-generate]
cd packages/snort
yq -i '. | sort_by(.name) | sort_keys(..)' data_stream/log/fields/ecs.yml
@andrewkroh
Add missing event field mappings
79b5661 
event.category
event.created
event.kind
event.original
event.timezone
event.type
@andrewkroh
Fix lint error for @timestamp
6ed3d10 
The error was:
    expected type "date" for required field "@timestamp"
@andrewkroh
Remove duplicate host.ip definition
7380a44
@andrewkroh
Use ECS for {source,destination}.geo.location
67bf900
@andrewkroh
Format source.mac, destination.mac as per ECS
d6c3923
@andrewkroh
Update elastic/stream
421270f
@andrewkroh
Update sample event
b2d7d55
@andrewkroh
Update readme and generate pipeline test files
0ca08c7 
[git-generate]
cd packages/snort
elastic-package build
elastic-package test pipeline -g
@andrewkroh
Update changelog
25c17f3 
[git-generate]
elastic-package-changelog add-next --pr 3301 --type bug --description "Format source.mac and destination.mac as per ECS and add missing mappings for various event.* fields."
@andrewkroh andrewkroh marked this pull request as ready for review May 9, 2022 16:32
@andrewkroh andrewkroh requested a review from a team as a code owner May 9, 2022 16:32
@elasticmachine
Copy link

elasticmachine commented May 9, 2022

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine
Copy link

elasticmachine commented May 9, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-05-09T16:31:50.777+0000

  • Duration: 15 min 50 sec

Test stats 🧪

Test Results
Failed 0
Passed 11
Skipped 0
Total 11

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine
Copy link

elasticmachine commented May 9, 2022

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (1/1) 💚
Files 100.0% (1/1) 💚 3.606
Classes 100.0% (1/1) 💚 3.606
Methods 100.0% (17/17) 💚 11.752
Lines 88.832% (175/197) 👎 -0.153
Conditionals 100.0% (0/0) 💚

@andrewkroh andrewkroh merged commit 245b216 into elastic:main May 10, 2022
This was referenced May 22, 2022
Merged
Closed
Merged
andrewkroh added a commit that referenced this pull request Jun 28, 2022
@andrewkroh
[security-external-integrations packages] Update to ECS 8.3 (#3353)
1bcd21c 
This updates the ECS version used in all non-deprecated packages owned by elastic/security-external-integrations.

These packages required fixes in order to comply with the `pattern` added to ECS to validate MAC addresses.

- cef - #3566
- crowdstrike - #3302
- cylance.protect - #3368
- fortinet.fortimanager - #3401
- iptables.log - #3358
- microsoft_dhcp - #3300
- pfsense - #3303
- snort - #3301
- sonicwall.firewall - #3360
- sophos.utm - #3370

NOTE: The following packages were not updated for 8.2.0. I didn't catch anything in 8.1 or 8.2 that needed changed.

 - auth0 - 1.12.0
 - carbon_black_cloud - 8.0.0
 - cisco_ise - 8.0.0
 - cisco_meraki - 8.0.0
 - hid_bravura_monitor - 1.12.0
 - modsecurity - 1.12.0
 - mysql_enterprise - 8.0.0
 - netskope - 8.0.0
 - oracle - 8.0.0
 - symantec_endpoint - 1.12.0
 - ti_recordedfuture - 8.0

[git-generate]
go run github.com/andrewkroh/go-examples/ecs-update@6efa1ecb3871 \
  --ecs-version=8.3.0 \
  -ecs-git-ref=v8.3.0 \
  --pr=3353 \
  --owner=elastic/security-external-integrations \
  packages/*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@r00tu53r r00tu53r r00tu53r approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Integration:snort Snort

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@andrewkroh @elasticmachine @r00tu53r