update source ip/port pairs for nat

elastic · Jun 7, 2024 · c1ebedd · c1ebedd
1 parent 458377c
commit c1ebedd
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 5 deletions.
diff --git a/packages/stormshield/data_stream/log/_dev/test/pipeline/test-firewall.log-expected.json b/packages/stormshield/data_stream/log/_dev/test/pipeline/test-firewall.log-expected.json
@@ -1519,7 +1519,8 @@
                 "ip": "89.160.20.128",
                 "mac": "00-0C-29-8D-6C-55",
                 "nat": {
-                    "ip": "192.168.197.134"
+                    "ip": "192.168.197.134",
+                    "port": 55008
                 },
                 "port": 55008
             },

diff --git a/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -101,6 +101,9 @@ processors:
       name: '{{ IngestPipeline "count" }}'
       if: ctx.stormshield?.logtype == 'count'
 
+  #########################################################
+  # Now rename things to ECS
+
   - convert:
       field: stormshield.modsrc
       target_field: source.nat.ip
@@ -123,7 +126,7 @@ processors:
       field: stormshield.modsrcport
       target_field: source.nat.port
       type: long
-      if: ctx.stormshield?.modsrcport != null && ctx.stormshield?.modsrcport != ctx.stormshield?.srcport
+      if: ctx.stormshield?.modsrcport != null && ctx.source?.nat?.ip != null
   - convert:
       field: stormshield.srcport
       target_field: source.port
@@ -199,9 +202,6 @@ processors:
       target_field: source.as.organization.name
       ignore_missing: true
 
-  #########################################################
-  # Now rename things to ECS
-
   - rename:
       field: stormshield.action
       target_field: event.action

diff --git a/packages/stormshield/data_stream/log/fields/ecs.yml b/packages/stormshield/data_stream/log/fields/ecs.yml
@@ -74,6 +74,8 @@
   name: source.ip
 - external: ecs
   name: source.nat.ip
+- external: ecs
+  name: source.nat.port
 - external: ecs
   name: source.port
 - external: ecs

diff --git a/packages/stormshield/docs/README.md b/packages/stormshield/docs/README.md
@@ -212,6 +212,7 @@ An example event for `log` looks as following:
 | source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
+| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
 | source.port | Port of the source. | long |
 | stormshield.dstif | Name of the destination interface. String of characters in UTF-8 format. Example: Ethernet 1 Available from: SNS v1.0.0. | keyword |
 | stormshield.dstifname | Name of the object representing the traffics destination interface. String of characters in UTF-8 format. Example: dmz1 Available from: SNS v1.0.0. | keyword |