[pfsense] Format client.mac per ECS#3303

Merged
andrewkroh merged 8 commits into elastic:main from andrewkroh:pfsense/format-mac
May 10, 2022

@andrewkroh
Member

What does this PR do?

Format the client.mac field as per ECS (https://www.elastic.co/guide/en/ecs/current/ecs-client.html#field-client-mac).

The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.

Also clean up field mappings:

  • Remove duplicate field definitions.
  • Use the ECS definition of source.geo.location.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
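
The RFC 7042 notation quoted in the description above, as an added Python example (not code from this PR or from the pfsense package). The `ECS_MAC` regex is an assumption about the validation pattern ECS applies to MAC fields, which this page does not quote; `format_mac`, `normalize_event` and the sample events are hypothetical and constructed for illustration. It goes beyond the pfSense case by also accepting unpadded, dotted and bare-hex notations.

```python
import re

# Assumption: ECS validation pattern for *.mac fields (not quoted on this page).
ECS_MAC = re.compile(r"[A-F0-9]{2}(-[A-F0-9]{2}){5,}")
SEPARATED = re.compile(r"[0-9A-Fa-f]{1,2}([:-][0-9A-Fa-f]{1,2})+")
DOTTED_OR_BARE = re.compile(r"[0-9A-Fa-f]{4}(\.[0-9A-Fa-f]{4}){2,}|[0-9A-Fa-f]{12,}")


def format_mac(raw):
    """Return raw as uppercase hex octets joined by hyphens (RFC 7042 notation).

    Accepts colon- or hyphen-separated octets (leading zero optional), dotted
    groups such as aabb.ccdd.eeff, and bare hex. Raises ValueError otherwise.
    """
    value = raw.strip()
    if SEPARATED.fullmatch(value):
        # Some sources drop the leading zero of an octet ("0:1c:..."); restore it.
        octets = [part.zfill(2) for part in re.split(r"[:-]", value)]
    elif DOTTED_OR_BARE.fullmatch(value):
        digits = value.replace(".", "")
        octets = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    else:
        raise ValueError(f"unrecognized MAC notation: {raw!r}")
    mac = "-".join(octets).upper()
    if not ECS_MAC.fullmatch(mac):  # fewer than six octets, or an odd digit count
        raise ValueError(f"not a valid MAC address: {raw!r}")
    return mac


def normalize_event(event):
    """Format client.mac in a copy of event (hypothetical helper). On failure
    the raw value is kept and the problem is recorded under error.message."""
    out = {**event, "client": dict(event.get("client", {}))}
    if "mac" not in out["client"]:
        return out
    try:
        out["client"]["mac"] = format_mac(out["client"]["mac"])
    except ValueError as exc:
        out["error"] = {"message": f"client.mac: {exc}"}
    return out


# Constructed sample events, not taken from real pfSense logs.
SAMPLES = [
    {"client": {"mac": "00:1c:42:a1:b2:c3"}},  # lowercase, colon-separated
    {"client": {"mac": "0:1c:42:a:b2:c3"}},    # unpadded octets
    {"client": {"mac": "001c.42a1.b2c3"}},     # dotted groups
    {"client": {"mac": "00:1c:42:a1:b2"}},     # only five octets: rejected
]
```

Keeping the raw value alongside an error message, rather than dropping the field, leaves malformed source data visible to whoever triages the events.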

andrewkroh added 7 commits May 9, 2022 13:23
[git-generate]
cd packages/pfsense
yq -i '. | sort_by(.name) | sort_keys(..)' data_stream/log/fields/ecs.yml
[git-generate]
cd packages/pfsense
elastic-package build
elastic-package test pipeline -g
[git-generate]
elastic-package-changelog add-next --pr 3303 --type bug --description "Format client.mac as per ECS."
@andrewkroh andrewkroh marked this pull request as ready for review May 9, 2022 17:45
@andrewkroh andrewkroh requested a review from a team as a code owner May 9, 2022 17:45
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine

elasticmachine commented May 9, 2022

💚 Build Succeeded

Build stats

  • Start Time: 2022-05-09T17:45:23.522+0000

  • Duration: 16 min 13 sec

Test stats 🧪

Test Results
Failed 0
Passed 45
Skipped 0
Total 45

@elasticmachine

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (1/1) 💚
Files 88.889% (8/9) 👎 -7.505
Classes 88.889% (8/9) 👎 -7.505
Methods 92.063% (58/63) 👍 3.816
Lines 87.518% (624/713) 👎 -1.468
Conditionals 100.0% (0/0) 💚

@andrewkroh andrewkroh merged commit 9fc5117 into elastic:main May 10, 2022
andrewkroh added a commit that referenced this pull request Jun 28, 2022
This updates the ECS version used in all non-deprecated packages owned by elastic/security-external-integrations.

These packages required fixes in order to comply with the `pattern` added to ECS to validate MAC addresses.

- cef - #3566
- crowdstrike - #3302
- cylance.protect - #3368
- fortinet.fortimanager - #3401
- iptables.log - #3358
- microsoft_dhcp - #3300
- pfsense - #3303
- snort - #3301
- sonicwall.firewall - #3360
- sophos.utm - #3370

NOTE: The following packages were not updated for 8.2.0. I didn't catch anything in 8.1 or 8.2 that needed changed.

 - auth0 - 1.12.0
 - carbon_black_cloud - 8.0.0
 - cisco_ise - 8.0.0
 - cisco_meraki - 8.0.0
 - hid_bravura_monitor - 1.12.0
 - modsecurity - 1.12.0
 - mysql_enterprise - 8.0.0
 - netskope - 8.0.0
 - oracle - 8.0.0
 - symantec_endpoint - 1.12.0
 - ti_recordedfuture - 8.0

[git-generate]
go run github.com/andrewkroh/go-examples/ecs-update@6efa1ecb3871 \
  --ecs-version=8.3.0 \
  -ecs-git-ref=v8.3.0 \
  --pr=3353 \
  --owner=elastic/security-external-integrations \
  packages/*
@zez3

zez3 commented Oct 6, 2022

@kesslerm

kesslerm commented Oct 7, 2022

This appears to be an issue with many integrations that populate the host.mac and client.mac fields. See e.g. #4385 for a customer report. The same fix should be added to those as well.

Labels

Integration:pfsense pfSense (Community supported)
