lowercase causes missed detections and broken searches #18154

neu5ron · 2020-05-02T05:21:15Z

In the Zeek HTTP file, there is a lowercasing of http.request.method - shown here:

beats/x-pack/filebeat/module/zeek/http/ingest/pipeline.yml

Line 53 in f39d869

- lowercase:

http.request.method will have values of POST, GET, OPTIONS, etc... the vast majority of dashboards, visualizations, searches, threat hunts, etc.. are all built on how the vast majority of HTTP requests work ie: the value of GET for outbound stuff or POST for inbound web attacks.
couple this with values being case sensitive, there is no even "fail safe" that would have made this not such an impactful thing.
also, this field can be used for anomalous variations of the above, such as looking for PoST.

The text was updated successfully, but these errors were encountered:

elasticmachine · 2020-05-02T11:02:24Z

Pinging @elastic/siem (Team:SIEM)

leehinman · 2020-05-04T14:26:14Z

I definitely should have marked this as a breaking change, I'll fix that.

The reason for making it lowercase is because it is an ECS field and the doc for the field is:

HTTP request method.

The field value must be normalized to lowercase for querying.
See the documentation section "Implementing ECS".

type: keyword

example: get, post, put

@webmat & @MikePaquette thoughts?

What do you think about having "zeek.http.method" as the unmodified request method?

neu5ron · 2020-05-05T18:07:27Z

cross reference for Suricata too, same scenario -

beats/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml

Line 5 in 6d7d919

- lowercase:

leehinman · 2020-05-05T18:09:21Z

And Apache & nginx

ECS previously specified normalizing http.request.method to lowercase. This resulted in the loss of information. Affects filesets from the following versions: - apache/access (7.7 - 7.8) - elasticsearch/audit (7.7 - 7.8) - iis/access (7.7 - 7.8) - iis/error (7.7 - 7.8) - nginx/access (7.8) - nginx/ingress_controller (7.8) - aws/elb (7.7 - 7.8) - suricata/eve (7.4 - 7.8) - zeek/http (7.8) Closes elastic#18154

* Preserve case of http.request.method ECS previously specified normalizing http.request.method to lowercase. This resulted in the loss of information. Affects filesets from the following versions: - apache/access (7.7 - 7.8) - elasticsearch/audit (7.7 - 7.8) - iis/access (7.7 - 7.8) - iis/error (7.7 - 7.8) - nginx/access (7.8) - nginx/ingress_controller (7.8) - aws/elb (7.7 - 7.8) - suricata/eve (7.4 - 7.8) - zeek/http (7.8) Closes #18154

* Preserve case of http.request.method ECS previously specified normalizing http.request.method to lowercase. This resulted in the loss of information. Affects filesets from the following versions: - apache/access (7.7 - 7.8) - elasticsearch/audit (7.7 - 7.8) - iis/access (7.7 - 7.8) - iis/error (7.7 - 7.8) - nginx/access (7.8) - nginx/ingress_controller (7.8) - aws/elb (7.7 - 7.8) - suricata/eve (7.4 - 7.8) - zeek/http (7.8) Closes elastic#18154 (cherry picked from commit 87c3ad3)

* Preserve case of http.request.method ECS previously specified normalizing http.request.method to lowercase. This resulted in the loss of information. Affects filesets from the following versions: - apache/access (7.7 - 7.8) - elasticsearch/audit (7.7 - 7.8) - iis/access (7.7 - 7.8) - iis/error (7.7 - 7.8) - nginx/access (7.8) - nginx/ingress_controller (7.8) - aws/elb (7.7 - 7.8) - suricata/eve (7.4 - 7.8) - zeek/http (7.8) Closes #18154 (cherry picked from commit 87c3ad3)

…tic#18788) * Preserve case of http.request.method ECS previously specified normalizing http.request.method to lowercase. This resulted in the loss of information. Affects filesets from the following versions: - apache/access (7.7 - 7.8) - elasticsearch/audit (7.7 - 7.8) - iis/access (7.7 - 7.8) - iis/error (7.7 - 7.8) - nginx/access (7.8) - nginx/ingress_controller (7.8) - aws/elb (7.7 - 7.8) - suricata/eve (7.4 - 7.8) - zeek/http (7.8) Closes elastic#18154 (cherry picked from commit 5490eb4)

botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 2, 2020

andresrc added the Team:SIEM label May 2, 2020

botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 2, 2020

andrewkroh added the ecs label May 2, 2020

leehinman self-assigned this May 7, 2020

leehinman mentioned this issue May 7, 2020

[Filebeat] Preserve case of http.request.method #18359

Merged

3 tasks

leehinman closed this as completed in #18359 May 27, 2020

leehinman mentioned this issue May 27, 2020

Cherry-pick #18359 to 7.x: [Filebeat] Preserve case of http.request.method #18782

Merged

3 tasks

leehinman mentioned this issue May 27, 2020

Cherry-pick #18359 to 7.8: [Filebeat] Preserve case of http.request.method #18783

Merged

3 tasks

leehinman mentioned this issue May 27, 2020

Cherry-pick #18359 to 7.7: [Filebeat] Preserve case of http.request.method #18788

Merged

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

lowercase causes missed detections and broken searches #18154

lowercase causes missed detections and broken searches #18154

neu5ron commented May 2, 2020 •

edited

elasticmachine commented May 2, 2020

leehinman commented May 4, 2020

neu5ron commented May 5, 2020

leehinman commented May 5, 2020

lowercase causes missed detections and broken searches #18154

lowercase causes missed detections and broken searches #18154

Comments

neu5ron commented May 2, 2020 • edited

elasticmachine commented May 2, 2020

leehinman commented May 4, 2020

neu5ron commented May 5, 2020

leehinman commented May 5, 2020

neu5ron commented May 2, 2020 •

edited