From ecd0f72375e5da3f0a5124e0915dfa8733ad5cf8 Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Tue, 12 May 2020 19:10:28 -0400 Subject: [PATCH] Don't set dns.resolved_ip with invalid IP addresses (#18436) Sometimes the DNS IP addresses from Sysmon in `winlog.event_data.QueryResults` are truncated. The leads to mapping exceptions since the value is not of type `ip` in Elasticsearch. To fix this the module will now filter any results that are not valid IP addresses. Fixes #18432 --- CHANGELOG.next.asciidoc | 1 + .../module/sysmon/config/winlogbeat-sysmon.js | 21 +++++++++++-------- .../testdata/sysmon-10.2-dns.evtx.golden.json | 7 +------ 3 files changed, 14 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2e4ef175643..d189637976d 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -186,6 +186,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Winlogbeat* +- Fix invalid IP addresses in DNS query results from Sysmon data. {issue}18432[18432] {pull}18436{18436} *Functionbeat* diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index d9d454ec1fe..8eea4b8a558 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -16,6 +16,7 @@ var sysmon = (function () { var path = require("path"); var processor = require("processor"); var winlogbeat = require("winlogbeat"); + var net = require("net"); // Windows error codes for DNS. This list was generated using // 'go run gen_dns_error_codes.go'. @@ -432,17 +433,19 @@ var sysmon = (function () { } else { // Convert V4MAPPED addresses. answer = answer.replace("::ffff:", ""); - ips.push(answer); + if (net.isIP(answer)) { + ips.push(answer); - // Synthesize record type based on IP address type. - var type = "A"; - if (answer.indexOf(":") !== -1) { - type = "AAAA"; + // Synthesize record type based on IP address type. + var type = "A"; + if (answer.indexOf(":") !== -1) { + type = "AAAA"; + } + answers.push({ + type: type, + data: answer, + }); } - answers.push({ - type: type, - data: answer, - }); } } diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json index 52fc0fe7f22..ecf9e1b7987 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json @@ -13341,10 +13341,6 @@ { "data": "2001:502:7094::30", "type": "AAAA" - }, - { - "data": "192.5", - "type": "A" } ], "question": { @@ -13403,8 +13399,7 @@ "192.43.172.30", "2001:503:39c1::30", "192.48.79.30", - "2001:502:7094::30", - "192.5" + "2001:502:7094::30" ] }, "event": {