
Remove parsed dates from suricata events
These dates fail to parse after recent changes in Elasticsearch for date
formatting, see elastic/elasticsearch#36363

Information is still stored in parsed ECS fields.
jsoriano committed Jan 25, 2019
1 parent 2bb0a34 commit 4f22939
Showing 3 changed files with 14 additions and 52 deletions.
15 changes: 14 additions & 1 deletion x-pack/filebeat/module/suricata/eve/ingest/pipeline.json
Expand Up @@ -113,7 +113,10 @@
, "formats": ["ISO8601"]
}
}

, {"remove":
{"field": "suricata.eve.timestamp"
}
}
, { "lowercase":
{ "field": "suricata.eve.event_type"
, "target_field": "event.type"
Expand Down Expand Up @@ -181,6 +184,16 @@
,"ignore_failure": true
}
}
, {"remove":
{"field": "suricata.eve.flow.start"
,"ignore_missing": true
}
}
, {"remove":
{"field": "suricata.eve.flow.end"
,"ignore_missing": true
}
}
, {"set":
{"field": "event.end"
,"value": "{{@timestamp}}"
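Review bot: The new `remove` for `suricata.eve.timestamp` (the first added processor in this section) has no `ignore_missing`, unlike the two `remove` processors added for `suricata.eve.flow.start` and `suricata.eve.flow.end`; an EVE record that reaches this point without that field would make the processor throw and the whole event fail ingestion instead of landing with partial data. Unless the `date` processor directly above already fails hard on a missing source field (its options start outside the hunk, so I cannot confirm), make it consistent: `{"remove": {"field": "suricata.eve.timestamp", "ignore_missing": true}}`. Dropping an IDS event silently is a loss of visibility for detection, so whichever fail-open/fail-closed behavior is intended deserves a sentence in the module documentation. Separately, the removed strings carry microsecond precision (`...14:42:44.836744+0000` in the fixtures) while the ECS `date` fields they are folded into are, as far as I know, millisecond-resolution in this Elasticsearch line, so the sub-millisecond part is no longer recoverable after this change; if pcap correlation needs it, consider keeping the original string as a `keyword` rather than removing it.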
Expand Up @@ -53,7 +53,6 @@
"suricata.eve.flow.bytes_toserver": 347,
"suricata.eve.flow.pkts_toclient": 3,
"suricata.eve.flow.pkts_toserver": 4,
"suricata.eve.flow.start": "2018-10-03T14:42:44.613469+0000",
"suricata.eve.flow_id": 2191386088856669,
"suricata.eve.http.hostname": "example.net",
"suricata.eve.http.http_content_type": "text/html",
Expand All @@ -67,7 +66,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 32858,
"suricata.eve.timestamp": "2018-10-03T14:42:44.836744+0000",
"suricata.eve.tx_id": 0,
"tags": [
"suricata"
Expand Down Expand Up @@ -136,7 +134,6 @@
"suricata.eve.flow.bytes_toserver": 347,
"suricata.eve.flow.pkts_toclient": 3,
"suricata.eve.flow.pkts_toserver": 4,
"suricata.eve.flow.start": "2018-10-03T16:16:26.467217+0000",
"suricata.eve.flow_id": 678269478904081,
"suricata.eve.http.hostname": "example.net",
"suricata.eve.http.http_content_type": "text/html",
Expand All @@ -150,7 +147,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 32864,
"suricata.eve.timestamp": "2018-10-03T16:16:26.711841+0000",
"suricata.eve.tx_id": 0,
"tags": [
"suricata"
Expand Down Expand Up @@ -219,7 +215,6 @@
"suricata.eve.flow.bytes_toserver": 347,
"suricata.eve.flow.pkts_toclient": 3,
"suricata.eve.flow.pkts_toserver": 4,
"suricata.eve.flow.start": "2018-10-03T16:44:50.580866+0000",
"suricata.eve.flow_id": 1170030461115650,
"suricata.eve.http.hostname": "example.net",
"suricata.eve.http.http_content_type": "text/html",
Expand All @@ -233,7 +228,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 32870,
"suricata.eve.timestamp": "2018-10-03T16:44:50.813100+0000",
"suricata.eve.tx_id": 0,
"tags": [
"suricata"
Expand Down Expand Up @@ -302,7 +296,6 @@
"suricata.eve.flow.bytes_toserver": 347,
"suricata.eve.flow.pkts_toclient": 3,
"suricata.eve.flow.pkts_toserver": 4,
"suricata.eve.flow.start": "2018-10-03T16:45:09.036620+0000",
"suricata.eve.flow_id": 49628113637132,
"suricata.eve.http.hostname": "example.org",
"suricata.eve.http.http_content_type": "text/html",
Expand All @@ -316,7 +309,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 32872,
"suricata.eve.timestamp": "2018-10-03T16:45:09.267308+0000",
"suricata.eve.tx_id": 0,
"tags": [
"suricata"
Expand Down Expand Up @@ -385,7 +377,6 @@
"suricata.eve.flow.bytes_toserver": 347,
"suricata.eve.flow.pkts_toclient": 3,
"suricata.eve.flow.pkts_toserver": 4,
"suricata.eve.flow.start": "2018-10-03T16:45:34.252519+0000",
"suricata.eve.flow_id": 116307482565223,
"suricata.eve.http.hostname": "example.org",
"suricata.eve.http.http_content_type": "text/html",
Expand All @@ -399,7 +390,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 32876,
"suricata.eve.timestamp": "2018-10-03T16:45:34.481113+0000",
"suricata.eve.tx_id": 0,
"tags": [
"suricata"
Expand Down Expand Up @@ -468,7 +458,6 @@
"suricata.eve.flow.bytes_toserver": 347,
"suricata.eve.flow.pkts_toclient": 3,
"suricata.eve.flow.pkts_toserver": 4,
"suricata.eve.flow.start": "2018-10-03T17:02:38.599426+0000",
"suricata.eve.flow_id": 1205867738178946,
"suricata.eve.http.hostname": "example.org",
"suricata.eve.http.http_content_type": "text/html",
Expand All @@ -482,7 +471,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 32892,
"suricata.eve.timestamp": "2018-10-03T17:02:38.900976+0000",
"suricata.eve.tx_id": 0,
"tags": [
"suricata"
Expand Down Expand Up @@ -551,7 +539,6 @@
"suricata.eve.flow.bytes_toserver": 497,
"suricata.eve.flow.pkts_toclient": 3,
"suricata.eve.flow.pkts_toserver": 4,
"suricata.eve.flow.start": "2018-10-04T09:34:58.924536+0000",
"suricata.eve.flow_id": 764842923400056,
"suricata.eve.http.hostname": "security.ubuntu.com",
"suricata.eve.http.http_method": "GET",
Expand All @@ -564,7 +551,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 37742,
"suricata.eve.timestamp": "2018-10-04T09:34:59.009897+0000",
"suricata.eve.tx_id": 0,
"tags": [
"suricata"
Expand Down Expand Up @@ -632,7 +618,6 @@
"suricata.eve.flow.bytes_toserver": 487,
"suricata.eve.flow.pkts_toclient": 3,
"suricata.eve.flow.pkts_toserver": 4,
"suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000",
"suricata.eve.flow_id": 112424506237238,
"suricata.eve.http.hostname": "archive.ubuntu.com",
"suricata.eve.http.http_method": "GET",
Expand All @@ -645,7 +630,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 52340,
"suricata.eve.timestamp": "2018-10-04T09:34:59.168340+0000",
"suricata.eve.tx_id": 0,
"tags": [
"suricata"
Expand Down Expand Up @@ -713,7 +697,6 @@
"suricata.eve.flow.bytes_toserver": 842,
"suricata.eve.flow.pkts_toclient": 5,
"suricata.eve.flow.pkts_toserver": 6,
"suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000",
"suricata.eve.flow_id": 112424506237238,
"suricata.eve.http.hostname": "archive.ubuntu.com",
"suricata.eve.http.http_method": "GET",
Expand All @@ -726,7 +709,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 52340,
"suricata.eve.timestamp": "2018-10-04T09:34:59.288862+0000",
"suricata.eve.tx_id": 1,
"tags": [
"suricata"
Expand Down Expand Up @@ -794,7 +776,6 @@
"suricata.eve.flow.bytes_toserver": 4810,
"suricata.eve.flow.pkts_toclient": 62,
"suricata.eve.flow.pkts_toserver": 64,
"suricata.eve.flow.start": "2018-10-04T09:34:58.924536+0000",
"suricata.eve.flow_id": 764842923400056,
"suricata.eve.http.hostname": "security.ubuntu.com",
"suricata.eve.http.http_method": "GET",
Expand All @@ -807,7 +788,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 37742,
"suricata.eve.timestamp": "2018-10-04T09:34:59.289324+0000",
"suricata.eve.tx_id": 1,
"tags": [
"suricata"
Expand Down Expand Up @@ -875,7 +855,6 @@
"suricata.eve.flow.bytes_toserver": 6591,
"suricata.eve.flow.pkts_toclient": 98,
"suricata.eve.flow.pkts_toserver": 87,
"suricata.eve.flow.start": "2018-10-04T09:34:58.924536+0000",
"suricata.eve.flow_id": 764842923400056,
"suricata.eve.http.hostname": "security.ubuntu.com",
"suricata.eve.http.http_method": "GET",
Expand All @@ -888,7 +867,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 37742,
"suricata.eve.timestamp": "2018-10-04T09:34:59.356132+0000",
"suricata.eve.tx_id": 2,
"tags": [
"suricata"
Expand Down Expand Up @@ -956,7 +934,6 @@
"suricata.eve.flow.bytes_toserver": 11460,
"suricata.eve.flow.pkts_toclient": 221,
"suricata.eve.flow.pkts_toserver": 156,
"suricata.eve.flow.start": "2018-10-04T09:34:58.924536+0000",
"suricata.eve.flow_id": 764842923400056,
"suricata.eve.http.hostname": "security.ubuntu.com",
"suricata.eve.http.http_method": "GET",
Expand All @@ -969,7 +946,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 37742,
"suricata.eve.timestamp": "2018-10-04T09:34:59.456919+0000",
"suricata.eve.tx_id": 3,
"tags": [
"suricata"
Expand Down Expand Up @@ -1037,7 +1013,6 @@
"suricata.eve.flow.bytes_toserver": 4895,
"suricata.eve.flow.pkts_toclient": 67,
"suricata.eve.flow.pkts_toserver": 64,
"suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000",
"suricata.eve.flow_id": 112424506237238,
"suricata.eve.http.hostname": "archive.ubuntu.com",
"suricata.eve.http.http_method": "GET",
Expand All @@ -1050,7 +1025,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 52340,
"suricata.eve.timestamp": "2018-10-04T09:34:59.747122+0000",
"suricata.eve.tx_id": 2,
"tags": [
"suricata"
Expand Down Expand Up @@ -1118,7 +1092,6 @@
"suricata.eve.flow.bytes_toserver": 6932,
"suricata.eve.flow.pkts_toclient": 119,
"suricata.eve.flow.pkts_toserver": 91,
"suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000",
"suricata.eve.flow_id": 112424506237238,
"suricata.eve.http.hostname": "archive.ubuntu.com",
"suricata.eve.http.http_method": "GET",
Expand All @@ -1131,7 +1104,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 52340,
"suricata.eve.timestamp": "2018-10-04T09:34:59.953886+0000",
"suricata.eve.tx_id": 3,
"tags": [
"suricata"
Expand Down Expand Up @@ -1199,7 +1171,6 @@
"suricata.eve.flow.bytes_toserver": 11679,
"suricata.eve.flow.pkts_toclient": 253,
"suricata.eve.flow.pkts_toserver": 159,
"suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000",
"suricata.eve.flow_id": 112424506237238,
"suricata.eve.http.hostname": "archive.ubuntu.com",
"suricata.eve.http.http_method": "GET",
Expand All @@ -1212,7 +1183,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 52340,
"suricata.eve.timestamp": "2018-10-04T09:35:00.250560+0000",
"suricata.eve.tx_id": 4,
"tags": [
"suricata"
Expand Down Expand Up @@ -1280,7 +1250,6 @@
"suricata.eve.flow.bytes_toserver": 13986,
"suricata.eve.flow.pkts_toclient": 314,
"suricata.eve.flow.pkts_toserver": 190,
"suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000",
"suricata.eve.flow_id": 112424506237238,
"suricata.eve.http.hostname": "archive.ubuntu.com",
"suricata.eve.http.http_method": "GET",
Expand All @@ -1293,7 +1262,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 52340,
"suricata.eve.timestamp": "2018-10-04T09:35:00.401788+0000",
"suricata.eve.tx_id": 5,
"tags": [
"suricata"
Expand Down Expand Up @@ -1361,7 +1329,6 @@
"suricata.eve.flow.bytes_toserver": 23361,
"suricata.eve.flow.pkts_toclient": 588,
"suricata.eve.flow.pkts_toserver": 328,
"suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000",
"suricata.eve.flow_id": 112424506237238,
"suricata.eve.http.hostname": "archive.ubuntu.com",
"suricata.eve.http.http_method": "GET",
Expand All @@ -1374,7 +1341,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 52340,
"suricata.eve.timestamp": "2018-10-04T09:35:00.776438+0000",
"suricata.eve.tx_id": 6,
"tags": [
"suricata"
Expand Down Expand Up @@ -1442,7 +1408,6 @@
"suricata.eve.flow.bytes_toserver": 23758,
"suricata.eve.flow.pkts_toclient": 591,
"suricata.eve.flow.pkts_toserver": 330,
"suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000",
"suricata.eve.flow_id": 112424506237238,
"suricata.eve.http.hostname": "archive.ubuntu.com",
"suricata.eve.http.http_method": "GET",
Expand All @@ -1455,7 +1420,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 52340,
"suricata.eve.timestamp": "2018-10-04T09:35:00.897009+0000",
"suricata.eve.tx_id": 7,
"tags": [
"suricata"
Expand Down Expand Up @@ -1522,7 +1486,6 @@
"suricata.eve.flow.bytes_toserver": 36819,
"suricata.eve.flow.pkts_toclient": 979,
"suricata.eve.flow.pkts_toserver": 524,
"suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000",
"suricata.eve.flow_id": 112424506237238,
"suricata.eve.http.hostname": "archive.ubuntu.com",
"suricata.eve.http.http_method": "GET",
Expand All @@ -1534,7 +1497,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 52340,
"suricata.eve.timestamp": "2018-10-04T09:35:01.362208+0000",
"suricata.eve.tx_id": 8,
"tags": [
"suricata"
Expand Down Expand Up @@ -1601,7 +1563,6 @@
"suricata.eve.flow.bytes_toserver": 40452,
"suricata.eve.flow.pkts_toclient": 1079,
"suricata.eve.flow.pkts_toserver": 575,
"suricata.eve.flow.start": "2018-10-04T09:34:58.926006+0000",
"suricata.eve.flow_id": 112424506237238,
"suricata.eve.http.hostname": "archive.ubuntu.com",
"suricata.eve.http.http_method": "GET",
Expand All @@ -1613,7 +1574,6 @@
"suricata.eve.proto": "TCP",
"suricata.eve.src_ip": "192.168.1.146",
"suricata.eve.src_port": 52340,
"suricata.eve.timestamp": "2018-10-04T09:35:01.575088+0000",
"suricata.eve.tx_id": 9,
"tags": [
"suricata"
