Skip to content

Commit

Permalink
Change x509 mappings from file. to tls.server. (#22097)
Browse files Browse the repository at this point in the history
  • Loading branch information
marc-gr authored Oct 23, 2020
1 parent eb695ef commit 155dfda
Show file tree
Hide file tree
Showing 3 changed files with 54 additions and 54 deletions.
32 changes: 16 additions & 16 deletions x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
Original file line number Diff line number Diff line change
Expand Up @@ -247,27 +247,27 @@ processors:
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_issuerdn.C
target_field: file.x509.issuer.country
target_field: tls.server.x509.issuer.country
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_issuerdn.CN
target_field: file.x509.issuer.common_name
target_field: tls.server.x509.issuer.common_name
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_issuerdn.L
target_field: file.x509.issuer.locality
target_field: tls.server.x509.issuer.locality
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_issuerdn.O
target_field: file.x509.issuer.organization
target_field: tls.server.x509.issuer.organization
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_issuerdn.OU
target_field: file.x509.issuer.organizational_unit
target_field: tls.server.x509.issuer.organizational_unit
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_issuerdn.ST
target_field: file.x509.issuer.state_or_province
target_field: tls.server.x509.issuer.state_or_province
ignore_missing: true
- gsub:
field: suricata.eve.tls.subject
Expand All @@ -282,34 +282,34 @@ processors:
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_subject.C
target_field: file.x509.subject.country
target_field: tls.server.x509.subject.country
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_subject.CN
target_field: file.x509.subject.common_name
target_field: tls.server.x509.subject.common_name
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_subject.L
target_field: file.x509.subject.locality
target_field: tls.server.x509.subject.locality
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_subject.O
target_field: file.x509.subject.organization
target_field: tls.server.x509.subject.organization
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_subject.OU
target_field: file.x509.subject.organizational_unit
target_field: tls.server.x509.subject.organizational_unit
ignore_missing: true
- rename:
field: suricata.eve.tls.kv_subject.ST
target_field: file.x509.subject.state_or_province
target_field: tls.server.x509.subject.state_or_province
ignore_missing: true
- set:
field: file.x509.serial_number
field: tls.server.x509.serial_number
value: '{{suricata.eve.tls.serial}}'
ignore_empty_value: true
- gsub:
field: file.x509.serial_number
field: tls.server.x509.serial_number
pattern: ':'
replacement: ''
ignore_missing: true
Expand All @@ -326,11 +326,11 @@ processors:
- ISO8601
if: ctx.suricata?.eve?.tls?.notbefore != null
- set:
field: file.x509.not_after
field: tls.server.x509.not_after
value: '{{tls.server.not_after}}'
ignore_empty_value: true
- set:
field: file.x509.not_before
field: tls.server.x509.not_before
value: '{{tls.server.not_before}}'
ignore_empty_value: true
- append:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1633,17 +1633,6 @@
"event.type": [
"protocol"
],
"file.x509.issuer.common_name": "Google Internet Authority G2",
"file.x509.issuer.country": "US",
"file.x509.issuer.organization": "Google Inc",
"file.x509.not_after": "2024-07-16T14:52:35.000Z",
"file.x509.not_before": "2019-07-17T14:52:35.000Z",
"file.x509.serial_number": "001122334455667788",
"file.x509.subject.common_name": "*.google.com",
"file.x509.subject.country": "US",
"file.x509.subject.locality": "Mountain View",
"file.x509.subject.organization": "Google Inc",
"file.x509.subject.state_or_province": "California",
"fileset.name": "eve",
"input.type": "log",
"log.offset": 16546,
Expand Down Expand Up @@ -1687,6 +1676,17 @@
"tls.server.not_after": "2024-07-16T14:52:35.000Z",
"tls.server.not_before": "2019-07-17T14:52:35.000Z",
"tls.server.subject": "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com",
"tls.server.x509.issuer.common_name": "Google Internet Authority G2",
"tls.server.x509.issuer.country": "US",
"tls.server.x509.issuer.organization": "Google Inc",
"tls.server.x509.not_after": "2024-07-16T14:52:35.000Z",
"tls.server.x509.not_before": "2019-07-17T14:52:35.000Z",
"tls.server.x509.serial_number": "001122334455667788",
"tls.server.x509.subject.common_name": "*.google.com",
"tls.server.x509.subject.country": "US",
"tls.server.x509.subject.locality": "Mountain View",
"tls.server.x509.subject.organization": "Google Inc",
"tls.server.x509.subject.state_or_province": "California",
"tls.version": "1.2",
"tls.version_protocol": "tls"
},
Expand All @@ -1711,21 +1711,6 @@
"event.type": [
"allowed"
],
"file.x509.issuer.common_name": "Unknown",
"file.x509.issuer.country": "Unknown",
"file.x509.issuer.locality": "Unknown",
"file.x509.issuer.organization": "Unknown",
"file.x509.issuer.organizational_unit": "Unknown",
"file.x509.issuer.state_or_province": "Unknown",
"file.x509.not_after": "2026-06-25T17:36:29.000Z",
"file.x509.not_before": "2016-06-27T17:36:29.000Z",
"file.x509.serial_number": "72A92C51",
"file.x509.subject.common_name": "Unknown",
"file.x509.subject.country": "Unknown",
"file.x509.subject.locality": "Unknown",
"file.x509.subject.organization": "Unknown",
"file.x509.subject.organizational_unit": "Unknown",
"file.x509.subject.state_or_province": "Unknown",
"fileset.name": "eve",
"input.type": "log",
"log.offset": 17541,
Expand Down Expand Up @@ -1781,6 +1766,21 @@
"tls.server.not_after": "2026-06-25T17:36:29.000Z",
"tls.server.not_before": "2016-06-27T17:36:29.000Z",
"tls.server.subject": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown",
"tls.server.x509.issuer.common_name": "Unknown",
"tls.server.x509.issuer.country": "Unknown",
"tls.server.x509.issuer.locality": "Unknown",
"tls.server.x509.issuer.organization": "Unknown",
"tls.server.x509.issuer.organizational_unit": "Unknown",
"tls.server.x509.issuer.state_or_province": "Unknown",
"tls.server.x509.not_after": "2026-06-25T17:36:29.000Z",
"tls.server.x509.not_before": "2016-06-27T17:36:29.000Z",
"tls.server.x509.serial_number": "72A92C51",
"tls.server.x509.subject.common_name": "Unknown",
"tls.server.x509.subject.country": "Unknown",
"tls.server.x509.subject.locality": "Unknown",
"tls.server.x509.subject.organization": "Unknown",
"tls.server.x509.subject.organizational_unit": "Unknown",
"tls.server.x509.subject.state_or_province": "Unknown",
"tls.version": "1.2",
"tls.version_protocol": "tls"
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -430,18 +430,6 @@
"event.type": [
"protocol"
],
"file.x509.issuer.common_name": "Apple IST CA 2 - G1",
"file.x509.issuer.country": "US",
"file.x509.issuer.organization": "Apple Inc.",
"file.x509.issuer.organizational_unit": "Certification Authority",
"file.x509.not_after": "2019-03-29T17:54:31.000Z",
"file.x509.not_before": "2017-02-27T17:54:31.000Z",
"file.x509.serial_number": "5C9CE1097887F807",
"file.x509.subject.common_name": "*.icloud.com",
"file.x509.subject.country": "US",
"file.x509.subject.organization": "Apple Inc.",
"file.x509.subject.organizational_unit": "management:idms.group.506364",
"file.x509.subject.state_or_province": "California",
"fileset.name": "eve",
"input.type": "log",
"log.offset": 4683,
Expand Down Expand Up @@ -479,6 +467,18 @@
"tls.server.not_after": "2019-03-29T17:54:31.000Z",
"tls.server.not_before": "2017-02-27T17:54:31.000Z",
"tls.server.subject": "CN=*.icloud.com, OU=management:idms.group.506364, O=Apple Inc., ST=California, C=US",
"tls.server.x509.issuer.common_name": "Apple IST CA 2 - G1",
"tls.server.x509.issuer.country": "US",
"tls.server.x509.issuer.organization": "Apple Inc.",
"tls.server.x509.issuer.organizational_unit": "Certification Authority",
"tls.server.x509.not_after": "2019-03-29T17:54:31.000Z",
"tls.server.x509.not_before": "2017-02-27T17:54:31.000Z",
"tls.server.x509.serial_number": "5C9CE1097887F807",
"tls.server.x509.subject.common_name": "*.icloud.com",
"tls.server.x509.subject.country": "US",
"tls.server.x509.subject.organization": "Apple Inc.",
"tls.server.x509.subject.organizational_unit": "management:idms.group.506364",
"tls.server.x509.subject.state_or_province": "California",
"tls.version": "1.2",
"tls.version_protocol": "tls"
},
Expand Down

0 comments on commit 155dfda

Please sign in to comment.