From f3bda7597165e4cea9b26522cb153c9cc013eace Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Mon, 23 May 2022 21:10:37 +0930 Subject: [PATCH 1/2] network_traffic: fix invalid terms in tls and thrift data sets --- packages/network_traffic/changelog.yml | 5 + .../elasticsearch/ingest_pipeline/default.yml | 14 + .../data_stream/thrift/sample_event.json | 30 +- .../elasticsearch/ingest_pipeline/default.yml | 15 + .../data_stream/tls/sample_event.json | 266 +++++++++++----- packages/network_traffic/docs/README.md | 296 ++++++++++++------ packages/network_traffic/manifest.yml | 2 +- 7 files changed, 437 insertions(+), 191 deletions(-) diff --git a/packages/network_traffic/changelog.yml b/packages/network_traffic/changelog.yml index 0e42de3f494..25207429be5 100644 --- a/packages/network_traffic/changelog.yml +++ b/packages/network_traffic/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.0.2" + changes: + - description: Remove invalid value from `event.category` for TLS and Thrift + type: bugfix + link: https://github.com/elastic/integrations/pull/1 - version: "1.0.1" changes: - description: Remove invalid value from `event.category`. diff --git a/packages/network_traffic/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml index 608bb7e6a56..987bedd7308 100644 --- a/packages/network_traffic/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml +++ b/packages/network_traffic/data_stream/thrift/elasticsearch/ingest_pipeline/default.yml 
@@ -21,6 +21,20 @@ processors: - uppercase: field: host.mac ignore_missing: true +- script: + description: Remove invalid "network_traffic" term added by packetbeat prior to v8. + # This string-based comparison is valid while versions are below v10.x. + if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' + lang: painless + source: > + if (ctx.event?.category != null) { + for (int i=ctx.event.category.length-1; i>=0; i--) { + if (ctx.event.category[i] == "network_traffic") { + ctx.event.category.remove(i); + } + } + } + on_failure: - set: field: error.message diff --git a/packages/network_traffic/data_stream/thrift/sample_event.json b/packages/network_traffic/data_stream/thrift/sample_event.json index 4c1640a50de..523e6958a6d 100644 --- a/packages/network_traffic/data_stream/thrift/sample_event.json +++ b/packages/network_traffic/data_stream/thrift/sample_event.json @@ -1,11 +1,11 @@ { - "@timestamp": "2022-03-09T08:33:31.022Z", + "@timestamp": "2022-05-23T10:59:35.668Z", "agent": { - "ephemeral_id": "de52c04f-60dd-4ed1-a501-b297caa5c67c", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "ephemeral_id": "016dcea4-c82a-4499-9069-e4e0ff6d04ff", + "id": "0488c467-eaa0-4733-a81a-326734926bc2", "name": "docker-fleet-agent", "type": "packetbeat", - "version": "8.0.0" + "version": "8.2.0" }, "client": { "bytes": 25, @@ -26,9 +26,9 @@ "version": "8.2.0" }, "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "id": "0488c467-eaa0-4733-a81a-326734926bc2", "snapshot": false, - "version": "8.0.0" + "version": "8.2.0" }, "event": { "agent_id_status": "verified", 
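Review bot: The new script processor is not exercised by anything in this commit — the regenerated sample events carry `agent.version` `8.2.0`, so the `if` condition `ctx.agent.version.compareTo("8.") < 0` is false and the Painless body never runs; a pipeline test fixture with a 7.x `agent.version` and a category list that includes `"network_traffic"` (constructed example: `"category": ["network_traffic", "network"]`) would pin the removal and the resulting `event.category` value. The loop also assumes `event.category` is a list: if a pre-8 event carries it as a single string, `.length` and `remove(i)` throw and the whole document is routed to `on_failure` with `error.message` set rather than left with its category intact, so a guard such as `if (ctx.event?.category instanceof List) {` with a separate branch for the scalar case would keep the fix best-effort. The identical script is added to the tls pipeline in the `@@ -49,6 +49,21 @@` hunk, so the same two points apply there. The enclosing `processors` list starts before and continues after this hunk.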
@@ -36,11 +36,11 @@ "network" ], "dataset": "network_traffic.thrift", - "duration": 1394000, - "end": "2022-03-09T08:33:31.023Z", - "ingested": "2022-03-09T08:33:32Z", + "duration": 1275700, + "end": "2022-05-23T10:59:35.669Z", + "ingested": "2022-05-23T10:59:36Z", "kind": "event", - "start": "2022-03-09T08:33:31.022Z", + "start": "2022-05-23T10:59:35.668Z", "type": [ "connection", "protocol" @@ -48,23 +48,23 @@ }, "host": { "architecture": "x86_64", - "containerized": true, + "containerized": false, "hostname": "docker-fleet-agent", "ip": [ - "192.168.176.7" + "192.168.224.7" ], "mac": [ - "02-42-C0-A8-B0-07" + "02-42-C0-A8-E0-07" ], "name": "docker-fleet-agent", "os": { "codename": "focal", "family": "debian", - "kernel": "5.10.47-linuxkit", + "kernel": "5.10.104-linuxkit", "name": "Ubuntu", "platform": "ubuntu", "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" + "version": "20.04.4 LTS (Focal Fossa)" } }, "method": "testByte", diff --git a/packages/network_traffic/data_stream/tls/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/data_stream/tls/elasticsearch/ingest_pipeline/default.yml index 788c1210efd..bd7f3b2b61d 100644 --- a/packages/network_traffic/data_stream/tls/elasticsearch/ingest_pipeline/default.yml +++ b/packages/network_traffic/data_stream/tls/elasticsearch/ingest_pipeline/default.yml 
@@ -49,6 +49,21 @@ processors: - tls.server.x509.subject.province # Duplicated as tls.server.x509.subject.state_or_province. - tls.server.x509.version # Duplicated as tls.server.x509.version_number. ignore_missing: true + +- script: + description: Remove invalid "network_traffic" term added by packetbeat prior to v8. + # This string-based comparison is valid while versions are below v10.x. + if: 'ctx.agent?.version == null || ctx.agent.version.compareTo("8.") < 0' + lang: painless + source: > + if (ctx.event?.category != null) { + for (int i=ctx.event.category.length-1; i>=0; i--) { + if (ctx.event.category[i] == "network_traffic") { + ctx.event.category.remove(i); + } + } + } + on_failure: - set: field: error.message diff --git a/packages/network_traffic/data_stream/tls/sample_event.json b/packages/network_traffic/data_stream/tls/sample_event.json index f325b87dbbd..6c9779651e4 100644 --- a/packages/network_traffic/data_stream/tls/sample_event.json +++ b/packages/network_traffic/data_stream/tls/sample_event.json @@ -1,15 +1,15 @@ { - "@timestamp": "2022-03-09T08:34:08.391Z", + "@timestamp": "2022-05-23T11:01:14.376Z", "agent": { - "ephemeral_id": "5f0bae3e-11e9-4578-9a69-fa5e61bd6b09", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "ephemeral_id": "d7d5fdf6-998d-488e-bfb7-176a86d6860d", + "id": "0488c467-eaa0-4733-a81a-326734926bc2", "name": "docker-fleet-agent", "type": "packetbeat", - "version": "8.0.0" + "version": "8.2.0" }, "client": { - "ip": "192.168.1.36", - "port": 60946 + "ip": "192.168.1.35", + "port": 59455 }, "data_stream": { "dataset": "network_traffic.tls", 
@@ -17,17 +17,17 @@ "type": "logs" }, "destination": { - "domain": "play.google.com", - "ip": "216.58.201.174", + "domain": "example.net", + "ip": "93.184.216.34", "port": 443 }, "ecs": { "version": "8.2.0" }, "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "id": "0488c467-eaa0-4733-a81a-326734926bc2", "snapshot": false, - "version": "8.0.0" + "version": "8.2.0" }, "event": { "agent_id_status": "verified", @@ -35,11 +35,11 @@ "network" ], "dataset": "network_traffic.tls", - "duration": 14861200, - "end": "2022-03-09T08:34:08.406Z", - "ingested": "2022-03-09T08:34:09Z", + "duration": 365887700, + "end": "2022-05-23T11:01:14.741Z", + "ingested": "2022-05-23T11:01:17Z", "kind": "event", - "start": "2022-03-09T08:34:08.391Z", + "start": "2022-05-23T11:01:14.376Z", "type": [ "connection", "protocol" @@ -47,27 +47,27 @@ }, "host": { "architecture": "x86_64", - "containerized": true, + "containerized": false, "hostname": "docker-fleet-agent", "ip": [ - "192.168.176.7" + "192.168.224.7" ], "mac": [ - "02-42-C0-A8-B0-07" + "02-42-C0-A8-E0-07" ], "name": "docker-fleet-agent", "os": { "codename": "focal", "family": "debian", - "kernel": "5.10.47-linuxkit", + "kernel": "5.10.104-linuxkit", "name": "Ubuntu", "platform": "ubuntu", "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" + "version": "20.04.4 LTS (Focal Fossa)" } }, "network": { - "community_id": "1:hfsK5r0tJm7av4j7BtSxA6oH9xA=", + "community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=", "direction": "unknown", "protocol": "tls", "transport": "tcp", 
@@ -75,59 +75,74 @@ }, "related": { "ip": [ - "192.168.1.36", - "216.58.201.174" + "192.168.1.35", + "93.184.216.34" ] }, "server": { - "domain": "play.google.com", - "ip": "216.58.201.174", + "domain": "example.net", + "ip": "93.184.216.34", "port": 443 }, "source": { - "ip": "192.168.1.36", - "port": 60946 + "ip": "192.168.1.35", + "port": 59455 }, "status": "OK", "tls": { - "cipher": "TLS_AES_128_GCM_SHA256", + "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "client": { - "ja3": "d470a3fa301d80227bc5650c75567d25", - "server_name": "play.google.com", + "ja3": "e6573e91e6eb777c0933c5b8f97f10cd", + "server_name": "example.net", "supported_ciphers": [ - "TLS_AES_128_GCM_SHA256", - "TLS_CHACHA20_POLY1305_SHA256", - "TLS_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "(unknown:0xff85)", + "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", + "TLS_GOSTR341001_WITH_28147_CNT_IMIT", + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_AES_256_CBC_SHA256", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + 
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA" + "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", + "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" ] }, "detailed": { "client_certificate_requested": false, "client_hello": { "extensions": { - "_unparsed_": [ - "23", - "renegotiation_info", - "status_request", - "51", - "45", - "28", - "41" - ], "application_layer_protocol_negotiation": [ "h2", "http/1.1" 
@@ -136,60 +151,151 @@ "uncompressed" ], "server_name_indication": [ - "play.google.com" + "example.net" ], "signature_algorithms": [ - "ecdsa_secp256r1_sha256", - "ecdsa_secp384r1_sha384", + "rsa_pkcs1_sha512", "ecdsa_secp521r1_sha512", - "rsa_pss_sha256", - "rsa_pss_sha384", - "rsa_pss_sha512", - "rsa_pkcs1_sha256", + "(unknown:0xefef)", "rsa_pkcs1_sha384", - "rsa_pkcs1_sha512", - "ecdsa_sha1", - "rsa_pkcs1_sha1" + "ecdsa_secp384r1_sha384", + "rsa_pkcs1_sha256", + "ecdsa_secp256r1_sha256", + "(unknown:0xeeee)", + "(unknown:0xeded)", + "(unknown:0x0301)", + "(unknown:0x0303)", + "rsa_pkcs1_sha1", + "ecdsa_sha1" ], "supported_groups": [ "x25519", "secp256r1", - "secp384r1", - "secp521r1", - "ffdhe2048", - "ffdhe3072" - ], - "supported_versions": [ - "TLS 1.3", - "TLS 1.2", - "TLS 1.1", - "TLS 1.0" + "secp384r1" ] }, - "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", + "random": "d7c809b4ac3a60b62f53c9d9366ca89a703d25491ff2a246a89f32f945f7b42b", "supported_compression_methods": [ "NULL" ], "version": "3.3" }, - "resumption_method": "id", + "server_certificate_chain": [ + { + "issuer": { + "common_name": "DigiCert Global Root CA", + "country": "US", + "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", + "organization": "DigiCert Inc", + "organizational_unit": "www.digicert.com" + }, + "not_after": "2023-03-08T12:00:00.000Z", + "not_before": "2013-03-08T12:00:00.000Z", + "public_key_algorithm": "RSA", + "public_key_size": 2048, + "serial_number": "2646203786665923649276728595390119057", + "signature_algorithm": "SHA256-RSA", + "subject": { + "common_name": "DigiCert SHA2 Secure Server CA", + "country": "US", + "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", + "organization": "DigiCert Inc" + }, + "version_number": 3 + }, + { + "issuer": { + "common_name": "DigiCert Global Root CA", + "country": "US", + "distinguished_name": "CN=DigiCert Global Root 
CA,OU=www.digicert.com,O=DigiCert Inc,C=US", + "organization": "DigiCert Inc", + "organizational_unit": "www.digicert.com" + }, + "not_after": "2031-11-10T00:00:00.000Z", + "not_before": "2006-11-10T00:00:00.000Z", + "public_key_algorithm": "RSA", + "public_key_size": 2048, + "serial_number": "10944719598952040374951832963794454346", + "signature_algorithm": "SHA1-RSA", + "subject": { + "common_name": "DigiCert Global Root CA", + "country": "US", + "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", + "organization": "DigiCert Inc", + "organizational_unit": "www.digicert.com" + }, + "version_number": 3 + } + ], "server_hello": { "extensions": { "_unparsed_": [ - "41", - "51" + "renegotiation_info", + "server_name_indication" + ], + "application_layer_protocol_negotiation": [ + "h2" ], - "supported_versions": "TLS 1.3" + "ec_points_formats": [ + "uncompressed", + "ansiX962_compressed_prime", + "ansiX962_compressed_char2" + ] }, + "random": "d1fd553a5a270f08e09eda6690fb3c8f9884e9a9fe7949e9444f574e47524401", "selected_compression_method": "NULL", - "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", + "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f", "version": "3.3" }, - "version": "TLS 1.3" + "version": "TLS 1.2" }, "established": true, - "resumed": true, - "version": "1.3", + "next_protocol": "h2", + "resumed": false, + "server": { + "hash": { + "sha1": "7BB698386970363D2919CC5772846984FFD4A889" + }, + "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", + "not_after": "2020-12-02T12:00:00.000Z", + "not_before": "2018-11-28T00:00:00.000Z", + "subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", + "x509": { + "alternative_names": [ + "www.example.org", + "example.com", + "example.edu", + "example.net", + "example.org", + "www.example.com", + "www.example.edu", + 
"www.example.net" + ], + "issuer": { + "common_name": "DigiCert SHA2 Secure Server CA", + "country": "US", + "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", + "organization": "DigiCert Inc" + }, + "not_after": "2020-12-02T12:00:00.000Z", + "not_before": "2018-11-28T00:00:00.000Z", + "public_key_algorithm": "RSA", + "public_key_size": 2048, + "serial_number": "21020869104500376438182461249190639870", + "signature_algorithm": "SHA256-RSA", + "subject": { + "common_name": "www.example.org", + "country": "US", + "distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", + "locality": "Los Angeles", + "organization": "Internet Corporation for Assigned Names and Numbers", + "organizational_unit": "Technology", + "state_or_province": "California" + }, + "version_number": "3" + } + }, + "version": "1.2", "version_protocol": "tls" }, "type": "tls" diff --git a/packages/network_traffic/docs/README.md b/packages/network_traffic/docs/README.md index adadb4cf1d5..ce006deddc3 100644 --- a/packages/network_traffic/docs/README.md +++ b/packages/network_traffic/docs/README.md @@ -3446,13 +3446,13 @@ An example event for `thrift` looks as following: ```json { - "@timestamp": "2022-03-09T08:33:31.022Z", + "@timestamp": "2022-05-23T10:59:35.668Z", "agent": { - "ephemeral_id": "de52c04f-60dd-4ed1-a501-b297caa5c67c", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "ephemeral_id": "016dcea4-c82a-4499-9069-e4e0ff6d04ff", + "id": "0488c467-eaa0-4733-a81a-326734926bc2", "name": "docker-fleet-agent", "type": "packetbeat", - "version": "8.0.0" + "version": "8.2.0" }, "client": { "bytes": 25, 
@@ -3473,9 +3473,9 @@ An example event for `thrift` looks as following: "version": "8.2.0" }, "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "id": "0488c467-eaa0-4733-a81a-326734926bc2", "snapshot": false, - "version": "8.0.0" + "version": "8.2.0" }, "event": { "agent_id_status": "verified", @@ -3483,11 +3483,11 @@ An example event for `thrift` looks as following: "network" ], "dataset": "network_traffic.thrift", - "duration": 1394000, - "end": "2022-03-09T08:33:31.023Z", - "ingested": "2022-03-09T08:33:32Z", + "duration": 1275700, + "end": "2022-05-23T10:59:35.669Z", + "ingested": "2022-05-23T10:59:36Z", "kind": "event", - "start": "2022-03-09T08:33:31.022Z", + "start": "2022-05-23T10:59:35.668Z", "type": [ "connection", "protocol" @@ -3495,23 +3495,23 @@ An example event for `thrift` looks as following: }, "host": { "architecture": "x86_64", - "containerized": true, + "containerized": false, "hostname": "docker-fleet-agent", "ip": [ - "192.168.176.7" + "192.168.224.7" ], "mac": [ - "02-42-C0-A8-B0-07" + "02-42-C0-A8-E0-07" ], "name": "docker-fleet-agent", "os": { "codename": "focal", "family": "debian", - "kernel": "5.10.47-linuxkit", + "kernel": "5.10.104-linuxkit", "name": "Ubuntu", "platform": "ubuntu", "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" + "version": "20.04.4 LTS (Focal Fossa)" } }, "method": "testByte", 
@@ -3758,17 +3758,17 @@ An example event for `tls` looks as following: ```json { - "@timestamp": "2022-03-09T08:34:08.391Z", + "@timestamp": "2022-05-23T11:01:14.376Z", "agent": { - "ephemeral_id": "5f0bae3e-11e9-4578-9a69-fa5e61bd6b09", - "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "ephemeral_id": "d7d5fdf6-998d-488e-bfb7-176a86d6860d", + "id": "0488c467-eaa0-4733-a81a-326734926bc2", "name": "docker-fleet-agent", "type": "packetbeat", - "version": "8.0.0" + "version": "8.2.0" }, "client": { - "ip": "192.168.1.36", - "port": 60946 + "ip": "192.168.1.35", + "port": 59455 }, "data_stream": { "dataset": "network_traffic.tls", @@ -3776,17 +3776,17 @@ An example event for `tls` looks as following: "type": "logs" }, "destination": { - "domain": "play.google.com", - "ip": "216.58.201.174", + "domain": "example.net", + "ip": "93.184.216.34", "port": 443 }, "ecs": { "version": "8.2.0" }, "elastic_agent": { - "id": "f789afb0-558d-48bd-b448-0fc838efd730", + "id": "0488c467-eaa0-4733-a81a-326734926bc2", "snapshot": false, - "version": "8.0.0" + "version": "8.2.0" }, "event": { "agent_id_status": "verified", @@ -3794,11 +3794,11 @@ An example event for `tls` looks as following: "network" ], "dataset": "network_traffic.tls", - "duration": 14861200, - "end": "2022-03-09T08:34:08.406Z", - "ingested": "2022-03-09T08:34:09Z", + "duration": 365887700, + "end": "2022-05-23T11:01:14.741Z", + "ingested": "2022-05-23T11:01:17Z", "kind": "event", - "start": "2022-03-09T08:34:08.391Z", + "start": "2022-05-23T11:01:14.376Z", "type": [ "connection", "protocol" 
@@ -3806,27 +3806,27 @@ An example event for `tls` looks as following: }, "host": { "architecture": "x86_64", - "containerized": true, + "containerized": false, "hostname": "docker-fleet-agent", "ip": [ - "192.168.176.7" + "192.168.224.7" ], "mac": [ - "02-42-C0-A8-B0-07" + "02-42-C0-A8-E0-07" ], "name": "docker-fleet-agent", "os": { "codename": "focal", "family": "debian", - "kernel": "5.10.47-linuxkit", + "kernel": "5.10.104-linuxkit", "name": "Ubuntu", "platform": "ubuntu", "type": "linux", - "version": "20.04.3 LTS (Focal Fossa)" + "version": "20.04.4 LTS (Focal Fossa)" } }, "network": { - "community_id": "1:hfsK5r0tJm7av4j7BtSxA6oH9xA=", + "community_id": "1:fx1jENdlg6r3LIvBRG3wEboWbPY=", "direction": "unknown", "protocol": "tls", "transport": "tcp", 
@@ -3834,59 +3834,74 @@ An example event for `tls` looks as following: }, "related": { "ip": [ - "192.168.1.36", - "216.58.201.174" + "192.168.1.35", + "93.184.216.34" ] }, "server": { - "domain": "play.google.com", - "ip": "216.58.201.174", + "domain": "example.net", + "ip": "93.184.216.34", "port": 443 }, "source": { - "ip": "192.168.1.36", - "port": 60946 + "ip": "192.168.1.35", + "port": 59455 }, "status": "OK", "tls": { - "cipher": "TLS_AES_128_GCM_SHA256", + "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "client": { - "ja3": "d470a3fa301d80227bc5650c75567d25", - "server_name": "play.google.com", + "ja3": "e6573e91e6eb777c0933c5b8f97f10cd", + "server_name": "example.net", "supported_ciphers": [ - "TLS_AES_128_GCM_SHA256", - "TLS_CHACHA20_POLY1305_SHA256", - "TLS_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "(unknown:0xff85)", + "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", + "TLS_GOSTR341001_WITH_28147_CNT_IMIT", + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_AES_256_CBC_SHA256", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256", + "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + 
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_3DES_EDE_CBC_SHA" + "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256", + "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", + "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_RSA_WITH_3DES_EDE_CBC_SHA", + "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" ] }, "detailed": { "client_certificate_requested": false, "client_hello": { "extensions": { - "_unparsed_": [ - "23", - "renegotiation_info", - "status_request", - "51", - "45", - "28", - "41" - ], "application_layer_protocol_negotiation": [ "h2", "http/1.1" 
@@ -3895,60 +3910,151 @@ An example event for `tls` looks as following: "uncompressed" ], "server_name_indication": [ - "play.google.com" + "example.net" ], "signature_algorithms": [ - "ecdsa_secp256r1_sha256", - "ecdsa_secp384r1_sha384", + "rsa_pkcs1_sha512", "ecdsa_secp521r1_sha512", - "rsa_pss_sha256", - "rsa_pss_sha384", - "rsa_pss_sha512", - "rsa_pkcs1_sha256", + "(unknown:0xefef)", "rsa_pkcs1_sha384", - "rsa_pkcs1_sha512", - "ecdsa_sha1", - "rsa_pkcs1_sha1" + "ecdsa_secp384r1_sha384", + "rsa_pkcs1_sha256", + "ecdsa_secp256r1_sha256", + "(unknown:0xeeee)", + "(unknown:0xeded)", + "(unknown:0x0301)", + "(unknown:0x0303)", + "rsa_pkcs1_sha1", + "ecdsa_sha1" ], "supported_groups": [ "x25519", "secp256r1", - "secp384r1", - "secp521r1", - "ffdhe2048", - "ffdhe3072" - ], - "supported_versions": [ - "TLS 1.3", - "TLS 1.2", - "TLS 1.1", - "TLS 1.0" + "secp384r1" ] }, - "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", + "random": "d7c809b4ac3a60b62f53c9d9366ca89a703d25491ff2a246a89f32f945f7b42b", "supported_compression_methods": [ "NULL" ], "version": "3.3" }, - "resumption_method": "id", + "server_certificate_chain": [ + { + "issuer": { + "common_name": "DigiCert Global Root CA", + "country": "US", + "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", + "organization": "DigiCert Inc", + "organizational_unit": "www.digicert.com" + }, + "not_after": "2023-03-08T12:00:00.000Z", + "not_before": "2013-03-08T12:00:00.000Z", + "public_key_algorithm": "RSA", + "public_key_size": 2048, + "serial_number": "2646203786665923649276728595390119057", + "signature_algorithm": "SHA256-RSA", + "subject": { + "common_name": "DigiCert SHA2 Secure Server CA", + "country": "US", + "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", + "organization": "DigiCert Inc" + }, + "version_number": 3 + }, + { + "issuer": { + "common_name": "DigiCert Global Root CA", + "country": "US", + 
"distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", + "organization": "DigiCert Inc", + "organizational_unit": "www.digicert.com" + }, + "not_after": "2031-11-10T00:00:00.000Z", + "not_before": "2006-11-10T00:00:00.000Z", + "public_key_algorithm": "RSA", + "public_key_size": 2048, + "serial_number": "10944719598952040374951832963794454346", + "signature_algorithm": "SHA1-RSA", + "subject": { + "common_name": "DigiCert Global Root CA", + "country": "US", + "distinguished_name": "CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US", + "organization": "DigiCert Inc", + "organizational_unit": "www.digicert.com" + }, + "version_number": 3 + } + ], "server_hello": { "extensions": { "_unparsed_": [ - "41", - "51" + "renegotiation_info", + "server_name_indication" + ], + "application_layer_protocol_negotiation": [ + "h2" ], - "supported_versions": "TLS 1.3" + "ec_points_formats": [ + "uncompressed", + "ansiX962_compressed_prime", + "ansiX962_compressed_char2" + ] }, + "random": "d1fd553a5a270f08e09eda6690fb3c8f9884e9a9fe7949e9444f574e47524401", "selected_compression_method": "NULL", - "session_id": "5d2b9f80d34143b5764ba6b23e1d4f9d1f172148b6fd83c81f42663459eaf6f6", + "session_id": "23bb2aed5d215e1228220b0a51d7aa220785e9e4b83b4f430229117971e9913f", "version": "3.3" }, - "version": "TLS 1.3" + "version": "TLS 1.2" }, "established": true, - "resumed": true, - "version": "1.3", + "next_protocol": "h2", + "resumed": false, + "server": { + "hash": { + "sha1": "7BB698386970363D2919CC5772846984FFD4A889" + }, + "issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", + "not_after": "2020-12-02T12:00:00.000Z", + "not_before": "2018-11-28T00:00:00.000Z", + "subject": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", + "x509": { + "alternative_names": [ + "www.example.org", + "example.com", + "example.edu", + "example.net", + "example.org", + 
"www.example.com", + "www.example.edu", + "www.example.net" + ], + "issuer": { + "common_name": "DigiCert SHA2 Secure Server CA", + "country": "US", + "distinguished_name": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", + "organization": "DigiCert Inc" + }, + "not_after": "2020-12-02T12:00:00.000Z", + "not_before": "2018-11-28T00:00:00.000Z", + "public_key_algorithm": "RSA", + "public_key_size": 2048, + "serial_number": "21020869104500376438182461249190639870", + "signature_algorithm": "SHA256-RSA", + "subject": { + "common_name": "www.example.org", + "country": "US", + "distinguished_name": "CN=www.example.org,OU=Technology,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US", + "locality": "Los Angeles", + "organization": "Internet Corporation for Assigned Names and Numbers", + "organizational_unit": "Technology", + "state_or_province": "California" + }, + "version_number": "3" + } + }, + "version": "1.2", "version_protocol": "tls" }, "type": "tls" diff --git a/packages/network_traffic/manifest.yml b/packages/network_traffic/manifest.yml index b880e36b617..a6f662b05df 100644 --- a/packages/network_traffic/manifest.yml +++ b/packages/network_traffic/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: network_traffic title: Network Packet Capture -version: 1.0.1 +version: 1.0.2 license: basic description: Capture and analyze network traffic from a host with Elastic Agent. type: integration From 6dcff0509b180745e202a681b35af08638425586 Mon Sep 17 00:00:00 2001 From: Dan Kortschak <90160302+efd6@users.noreply.github.com> Date: Mon, 23 May 2022 21:14:28 +0930 Subject: [PATCH 2/2] Update packages/network_traffic/changelog.yml --- packages/network_traffic/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/network_traffic/changelog.yml b/packages/network_traffic/changelog.yml index 25207429be5..96ea05032b3 100644 --- a/packages/network_traffic/changelog.yml 
+++ b/packages/network_traffic/changelog.yml @@ -3,7 +3,7 @@ changes: - description: Remove invalid value from `event.category` for TLS and Thrift type: bugfix - link: https://github.com/elastic/integrations/pull/1 + link: https://github.com/elastic/integrations/pull/3409 - version: "1.0.1" changes: - description: Remove invalid value from `event.category`.