Add tunnel fields to Suricata shaper #2370
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nwt
approved these changes
Mar 18, 2021
brim-bot
pushed a commit
to brimdata/zui
that referenced
this pull request
Mar 18, 2021
This is an auto-generated commit with a zq dependency update. The zq PR brimdata/zed#2370, authored by @philrz, has been merged. Add tunnel fields to Suricata shaper brimdata/zed#2369 describes a problem where missing NDJSON typing config for rarely-seen Suricata fields generated a user-facing warning. This PR adds the additional config to the Suricata shaper to cover these fields. Our switchover from legacy `types.json` to the new shaping configs in the time since the user reported the issue actually changes the symptom, so before I show the fix having its impact, I'll take a step back and show how the symptom was looking as of Brim commit 8569148 which pointed at `zqd` commit 8ab4607. In that case, because of the change in brimdata/zed#2309, the user no longer was shown a warning, but the additional fields were silently imported with inferred types. So for instance, notice how the `tunnel` fields are shown in black font that's used for strings, rather than the blue that's used for the `ip` type fields.  More importantly, if the user doesn't notice this subtle difference and tries to treat them like the IP addresses they otherwise _appear_ to be, they get unexpected behavior, such as this failing CIDR match.  Of course, if they catch the problem and do the cast at query time, they can fix it. But this is what we want the shaper to do, hence the changes in this PR.  If I start from the same Brim commit 8569148 and advance my `zq` pointer to 6613aba to use the shaper in this branch, then re-import, now we get the correct typing out of the gate.   A couple additional details: 1. The sample data I'm using from brimdata/zed#2369 doesn't happen to generate the `tunnel.src_port` and `tunnel.dest_port` fields in the Suricata EVE JSON. However, since the original user's issue showed these being generated, I've included them here in the shaping config. 2. Since we've been through so many example pcaps before seeing Suricata generates this field, some may wonder if it makes sense to make the current single schema even wider to always make room for them as opposed to letting multiple shapes get created. However, we've had users recently be confused by the disappearing columns that result from unexpected multiple shapes (#967). Therefore, until we have new UX in Brim that makes it easier for users to browse their data in such situations and/or also apply+modify their own shaper modifications, I'm keen to maintain the single schema. 3. While this now covers us for all Suricata fields we're aware of for `alert` events, the fact the user was not being informed these `tunnel` fields were being imported with inferred types seems hazardous. I've opened separate issue brimsec/brim#1519 regarding this, as it seems like something we'll need to address in the wider context of shaper UX. Fixes brimdata/zed#2369
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
#2369 describes a problem where missing NDJSON typing config for rarely-seen Suricata fields generated a user-facing warning. This PR adds the additional config to the Suricata shaper to cover these fields.
Our switchover from legacy
types.jsonto the new shaping configs in the time since the user reported the issue actually changes the symptom, so before I show the fix having its impact, I'll take a step back and show how the symptom was looking as of Brim commit brimdata/zui@8569148 which pointed atzqdcommit 8ab4607. In that case, because of the change in #2309, the user no longer was shown a warning, but the additional fields were silently imported with inferred types. So for instance, notice how thetunnelfields are shown in black font that's used for strings, rather than the blue that's used for theiptype fields.More importantly, if the user doesn't notice this subtle difference and tries to treat them like the IP addresses they otherwise appear to be, they get unexpected behavior, such as this failing CIDR match.
Of course, if they catch the problem and do the cast at query time, they can fix it. But this is what we want the shaper to do, hence the changes in this PR.
If I start from the same Brim commit brimdata/zui@8569148 and advance my
zqpointer to 6613aba to use the shaper in this branch, then re-import, now we get the correct typing out of the gate.A couple additional details:
tunnel.src_portandtunnel.dest_portfields in the Suricata EVE JSON. However, since the original user's issue showed these being generated, I've included them here in the shaping config.alertevents, the fact the user was not being informed thesetunnelfields were being imported with inferred types seems hazardous. I've opened separate issue brimsec/brim#1519 regarding this, as it seems like something we'll need to address in the wider context of shaper UX.Fixes #2369