Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify where to place x509 field set #1044

Closed
andrewkroh opened this issue Oct 22, 2020 · 1 comment · Fixed by #1114
Closed

Clarify where to place x509 field set #1044

andrewkroh opened this issue Oct 22, 2020 · 1 comment · Fixed by #1114
Labels
1.7.0 1.8.0 bug Something isn't working ready Issues we'd like to address in the future.

Comments

@andrewkroh
Copy link
Member

Description of the issue:

The ECS docs say

When only a single certificate is logged in an event, it should be nested under file.

This could be interpreted to apply when dealing with a TLS connection where only the server presents a certificate. The text here could be reworked to clarify when to use file vs tls.server/client.
@andrewkroh andrewkroh added the bug Something isn't working label Oct 22, 2020
@webmat
Copy link
Contributor

webmat commented Oct 22, 2020

Yes, that comment was for other kinds of events, like file events that also refer to a cert, like code signatures.

If it's a TLS, it should indeed be either tls.server or .client.

@webmat webmat added 1.7.0 1.8.0 ready Issues we'd like to address in the future. labels Oct 22, 2020
@webmat webmat mentioned this issue Nov 12, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1.7.0 1.8.0 bug Something isn't working ready Issues we'd like to address in the future.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Clarify x509 definition guidance for network events with only one cert webmat/ecs
2 participants
@webmat @andrewkroh