Enhance Suricata pipeline to handle destination.domain being set #10861
Conversation
| { | ||
| "script": { | ||
| "source": "def domain = ctx.destination?.domain; if (domain instanceof Collection) { if (domain.length == 1) { ctx.destination.domain = domain[0]; } else { ctx.destination.domain = ctx.destination.domain.stream().distinct().collect(Collectors.toList()); } }", | ||
| "ignore_failure": true |
There was a problem hiding this comment.
I wonder if domain containing an array will be a problem.
Suggestion: dedupe before if (domain.length == 1).
There was a problem hiding this comment.
I've been sending in arrays for a few weeks and have made the team aware that this can be an array.
There was a problem hiding this comment.
And I implemented your suggestion. Good idea.
There was a problem hiding this comment.
Yeah we'll need to start looking into defining this more clearly in ECS.
But I agree that we have to support arrays here, because of the reverse DNS possibility.
There was a problem hiding this comment.
Ah wait. You're only keeping the first of the array? 🤔How do you know it's the interesting entry?
There was a problem hiding this comment.
No. This is the code. It doesn't drop any data.
def domain = ctx.destination?.domain;
if (domain instanceof Collection) {
// Deduplicate
ctx.destination.domain = ctx.destination.domain.stream().distinct().collect(Collectors.toList());
// Make it a plain old string if there's only one item.
if (domain.length == 1) {
ctx.destination.domain = domain[0];
}
}
There was a problem hiding this comment.
Can the reverse DNS processor return more than one DNS entry for a given IP?
If so, this only keeps the first one, right?
Or does the processor always return an array of one?
There was a problem hiding this comment.
Oh, I see the problem. When I refactored it from the initial version I broke it. The fixed version is:
def domain = ctx.destination?.domain;
if (domain instanceof Collection) {
// Deduplicate
domain = domain.stream().distinct().collect(Collectors.toList());
// Make it a plain old string if there's only one item.
if (domain.length == 1) {
domain = domain[0];
}
// Set the value
ctx.destination.domain = domain;
}Does this address your concern?
There was a problem hiding this comment.
Ah, happy to see we weren't just going around in circles :-)
Yes, this makes sense now :-)
andrewkroh
force-pushed
the
feature/fb/suricata-dest-domain
branch
2 times, most recently
from
4e9e41b to
06ab068
Compare
This replaces the usage of a `rename` processor with an `append` + `remove` processor. Then a script processor is used to deduplicate the domains. Fixes elastic#10510
andrewkroh
force-pushed
the
feature/fb/suricata-dest-domain
branch
from
06ab068 to
a95e713
Compare
This replaces the usage of a
renameprocessor with anappend+removeprocessor.Then a script processor is used to deduplicate the domains.
This makes the pipeline compatible with the reverse dns processor being used on the Beat side.
Fixes #10510