From 04423b08cb4a0ea36f609359f172c7449a2dd650 Mon Sep 17 00:00:00 2001
From: Christiano Haesbaert
Date: Tue, 17 Sep 2024 20:52:04 +0200
Subject: [PATCH 1/2] Define base encoding in x509.serial_number
Narrow the definition of x509.serial_number to be encoded in hexadecimal, otherwise we end up with integrations choosing their own encoding, as noted below, Zeek uses base 16 while the rest of beats is using base 10.
Related to https://github.com/elastic/sdh-beats/issues/5089.
Reasoning in: https://github.com/elastic/sdh-beats/issues/5089#issuecomment-2349046226
---
 docs/fields/field-details.asciidoc | 2 +-
 experimental/generated/beats/fields.ecs.yml | 14 +++++++-------
 experimental/generated/ecs/ecs_flat.yml | 21 +++++++-------------
 experimental/generated/ecs/ecs_nested.yml | 16 ++++++++--------
 generated/beats/fields.ecs.yml | 14 +++++++-------
 generated/ecs/ecs_flat.yml | 21 +++++++-------------
 generated/ecs/ecs_nested.yml | 16 ++++++++--------
 schemas/x509.yml | 4 ++--
 8 files changed, 47 insertions(+), 61 deletions(-)
diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc
index f2259fb87e..0ccd02ff7e 100644
--- a/docs/fields/field-details.asciidoc
+++ b/docs/fields/field-details.asciidoc
@@ -13803,7 +13803,7 @@ example: `2048`
 [[field-x509-serial-number]]
 <>
-a| Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters.
+a| Unique serial number issued by the certificate authority. For consistency, this should be encoded in base 16 and formatted without colons and uppercase characters.
 type: keyword
diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml
index 625206235f..d85bee1af8 100644
--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -3337,7 +3337,7 @@
 type: keyword
 ignore_above: 1024
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 default_field: false
@@ -9979,7 +9979,7 @@
 type: keyword
 ignore_above: 1024
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 default_field: false
@@ -10536,7 +10536,7 @@
 type: keyword
 ignore_above: 1024
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 default_field: false
@@ -11600,7 +11600,7 @@
 type: keyword
 ignore_above: 1024
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 default_field: false
@@ -12168,7 +12168,7 @@
 type: keyword
 ignore_above: 1024
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 default_field: false
@@ -12584,7 +12584,7 @@
 type: keyword
 ignore_above: 1024
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 default_field: false
@@ -12866,7 +12866,7 @@
 type: keyword
 ignore_above: 1024
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 default_field: false
diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml
index 6e09b7f52f..c37be261b3 100644
--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -5508,8 +5508,7 @@ file.x509.public_key_size:
 file.x509.serial_number:
 dashed_name: file-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
+ this should be encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: file.x509.serial_number
 ignore_above: 1024
@@ -16155,8 +16154,7 @@ threat.enrichments.indicator.file.x509.public_key_size:
 threat.enrichments.indicator.file.x509.serial_number:
 dashed_name: threat-enrichments-indicator-file-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
+ this should be encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.enrichments.indicator.file.x509.serial_number
 ignore_above: 1024
@@ -17082,8 +17080,7 @@ threat.enrichments.indicator.x509.public_key_size:
 threat.enrichments.indicator.x509.serial_number:
 dashed_name: threat-enrichments-indicator-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
+ this should be encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.enrichments.indicator.x509.serial_number
 ignore_above: 1024
@@ -18891,8 +18888,7 @@ threat.indicator.file.x509.public_key_size:
 threat.indicator.file.x509.serial_number:
 dashed_name: threat-indicator-file-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
+ this should be encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.indicator.file.x509.serial_number
 ignore_above: 1024
@@ -19834,8 +19830,7 @@ threat.indicator.x509.public_key_size:
 threat.indicator.x509.serial_number:
 dashed_name: threat-indicator-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
+ this should be encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.indicator.x509.serial_number
 ignore_above: 1024
@@ -20525,8 +20520,7 @@ tls.client.x509.public_key_size:
 tls.client.x509.serial_number:
 dashed_name: tls-client-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
+ this should be encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: tls.client.x509.serial_number
 ignore_above: 1024
@@ -21002,8 +20996,7 @@ tls.server.x509.public_key_size:
 tls.server.x509.serial_number:
 dashed_name: tls-server-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
+ this should be encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: tls.server.x509.serial_number
 ignore_above: 1024
diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml
index 1f7f9648b7..a6d5efd58d 100644
--- a/experimental/generated/ecs/ecs_nested.yml
+++ b/experimental/generated/ecs/ecs_nested.yml
@@ -6555,7 +6555,7 @@ file:
 file.x509.serial_number:
 dashed_name: file-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: file.x509.serial_number
@@ -18857,7 +18857,7 @@ threat:
 threat.enrichments.indicator.file.x509.serial_number:
 dashed_name: threat-enrichments-indicator-file-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.enrichments.indicator.file.x509.serial_number
@@ -19788,7 +19788,7 @@ threat:
 threat.enrichments.indicator.x509.serial_number:
 dashed_name: threat-enrichments-indicator-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.enrichments.indicator.x509.serial_number
@@ -21599,7 +21599,7 @@ threat:
 threat.indicator.file.x509.serial_number:
 dashed_name: threat-indicator-file-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.indicator.file.x509.serial_number
@@ -22546,7 +22546,7 @@ threat:
 threat.indicator.x509.serial_number:
 dashed_name: threat-indicator-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.indicator.x509.serial_number
@@ -23301,7 +23301,7 @@ tls:
 tls.client.x509.serial_number:
 dashed_name: tls-client-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: tls.client.x509.serial_number
@@ -23781,7 +23781,7 @@ tls:
 tls.server.x509.serial_number:
 dashed_name: tls-server-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: tls.server.x509.serial_number
@@ -25699,7 +25699,7 @@ x509:
 x509.serial_number:
 dashed_name: x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: x509.serial_number
diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
index 77f9536d95..69686d1720 100644
--- a/generated/beats/fields.ecs.yml
+++ b/generated/beats/fields.ecs.yml
@@ -3287,7 +3287,7 @@
 type: keyword
 ignore_above: 1024
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 default_field: false
@@ -9929,7 +9929,7 @@
 type: keyword
 ignore_above: 1024
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 default_field: false
@@ -10486,7 +10486,7 @@
 type: keyword
 ignore_above: 1024
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 default_field: false
@@ -11550,7 +11550,7 @@
 type: keyword
 ignore_above: 1024
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 default_field: false
@@ -12118,7 +12118,7 @@
 type: keyword
 ignore_above: 1024
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 default_field: false
@@ -12534,7 +12534,7 @@
 type: keyword
 ignore_above: 1024
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 default_field: false
@@ -12816,7 +12816,7 @@
 type: keyword
 ignore_above: 1024
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 default_field: false
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
index 7e504589db..8191abbb60 100644
--- a/generated/ecs/ecs_flat.yml
+++ b/generated/ecs/ecs_flat.yml
@@ -5439,8 +5439,7 @@ file.x509.public_key_size:
 file.x509.serial_number:
 dashed_name: file-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
+ this should be encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: file.x509.serial_number
 ignore_above: 1024
@@ -16086,8 +16085,7 @@ threat.enrichments.indicator.file.x509.public_key_size:
 threat.enrichments.indicator.file.x509.serial_number:
 dashed_name: threat-enrichments-indicator-file-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
+ this should be encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.enrichments.indicator.file.x509.serial_number
 ignore_above: 1024
@@ -17013,8 +17011,7 @@ threat.enrichments.indicator.x509.public_key_size:
 threat.enrichments.indicator.x509.serial_number:
 dashed_name: threat-enrichments-indicator-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
+ this should be encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.enrichments.indicator.x509.serial_number
 ignore_above: 1024
@@ -18822,8 +18819,7 @@ threat.indicator.file.x509.public_key_size:
 threat.indicator.file.x509.serial_number:
 dashed_name: threat-indicator-file-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
+ this should be encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.indicator.file.x509.serial_number
 ignore_above: 1024
@@ -19765,8 +19761,7 @@ threat.indicator.x509.public_key_size:
 threat.indicator.x509.serial_number:
 dashed_name: threat-indicator-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
+ this should be encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.indicator.x509.serial_number
 ignore_above: 1024
@@ -20456,8 +20451,7 @@ tls.client.x509.public_key_size:
 tls.client.x509.serial_number:
 dashed_name: tls-client-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
+ this should be encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: tls.client.x509.serial_number
 ignore_above: 1024
@@ -20933,8 +20927,7 @@ tls.server.x509.public_key_size:
 tls.server.x509.serial_number:
 dashed_name: tls-server-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
- characters.
+ this should be encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: tls.server.x509.serial_number
 ignore_above: 1024
diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml
index b08955b69b..26e6e9a304 100644
--- a/generated/ecs/ecs_nested.yml
+++ b/generated/ecs/ecs_nested.yml
@@ -6475,7 +6475,7 @@ file:
 file.x509.serial_number:
 dashed_name: file-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: file.x509.serial_number
@@ -18777,7 +18777,7 @@ threat:
 threat.enrichments.indicator.file.x509.serial_number:
 dashed_name: threat-enrichments-indicator-file-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.enrichments.indicator.file.x509.serial_number
@@ -19708,7 +19708,7 @@ threat:
 threat.enrichments.indicator.x509.serial_number:
 dashed_name: threat-enrichments-indicator-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.enrichments.indicator.x509.serial_number
@@ -21519,7 +21519,7 @@ threat:
 threat.indicator.file.x509.serial_number:
 dashed_name: threat-indicator-file-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.indicator.file.x509.serial_number
@@ -22466,7 +22466,7 @@ threat:
 threat.indicator.x509.serial_number:
 dashed_name: threat-indicator-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: threat.indicator.x509.serial_number
@@ -23221,7 +23221,7 @@ tls:
 tls.client.x509.serial_number:
 dashed_name: tls-client-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: tls.client.x509.serial_number
@@ -23701,7 +23701,7 @@ tls:
 tls.server.x509.serial_number:
 dashed_name: tls-server-x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: tls.server.x509.serial_number
@@ -25619,7 +25619,7 @@ x509:
 x509.serial_number:
 dashed_name: x509-serial-number
 description: Unique serial number issued by the certificate authority. For consistency,
- if this value is alphanumeric, it should be formatted without colons and uppercase
+ this should be encoded in base 16 and formatted without colons and uppercase
 characters.
 example: 55FBB9C7DEBF09809D12CCAA
 flat_name: x509.serial_number
diff --git a/schemas/x509.yml b/schemas/x509.yml
index be03f7c685..40f8aa71da 100644
--- a/schemas/x509.yml
+++ b/schemas/x509.yml
@@ -52,8 +52,8 @@
 type: keyword
 short: Unique serial number issued by the certificate authority.
 description: >
- Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be
- formatted without colons and uppercase characters.
+ Unique serial number issued by the certificate authority. For consistency, this should be
+ encoded in base 16 and formatted without colons and uppercase characters.
 example: 55FBB9C7DEBF09809D12CCAA
 - name: issuer.distinguished_name
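Review bot: The reworded `description` in schemas/x509.yml still leaves the normalized form underspecified: "without colons and uppercase characters" can be read as "no colons and no uppercase" even though the `example` value is uppercase, and nothing says whether a `0x` prefix or the leading zero byte that DER inserts for a serial whose top bit is set is kept, which is exactly what decides whether two producers emit a joinable value for the same certificate (for correlation against CRL entries, CT log records or threat-intel indicators). Consider wording along the lines of `Unique serial number issued by the certificate authority. For consistency, this should be encoded in uppercase base 16 (hexadecimal), without colons, without a 0x prefix and without leading zero padding.` Whether leading zeros are stripped or preserved is a policy choice, but it should be stated explicitly rather than left to each integration. The same sentence is copied into the six generated files and the asciidoc in this commit, so adjust it here and regenerate rather than editing those by hand.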
From 89f9df534b3a061317f923c96669f1d5d7535e05 Mon Sep 17 00:00:00 2001
From: Christiano Haesbaert
Date: Tue, 17 Sep 2024 22:19:49 +0200
Subject: [PATCH 2/2] CHANGELOG.next.md entry
---
 CHANGELOG.next.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
index 9613fb89e6..70a4a3e0a6 100644
--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -25,6 +25,8 @@ Thanks, you're awesome :-) -->
 #### Improvements
+* Define base encoding of `x509.serial_number`. #2383
+
 #### Deprecated
 ### Tooling and Artifact Changes