cef,infoblox_nios,keycloak,modsecurity,panw,pfsense,qnap_nas,snort,sonicwall: ensure timezones are strings #5051
Conversation
These all pass locally, so I'm not sure what is going on.
This depends on each stream container spawn getting a unique port and so distinguishing the docs.
This depends on file name differences.
ᕙ(⇀‸↼‶)ᕗ
I'm going to back out the ms-dhcp, the error makes no sense.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Everything but modsecurity looks good. I think the modsecurity pipeline needs to be updated to use the `event.timezone` produced by `add_locale`.
@@ -9,9 +9,6 @@ tags: | |||
{{#each tags as |tag i|}} | |||
- {{tag}} | |||
{{/each}} | |||
fields_under_root: true | |||
fields: | |||
tz_offset: {{tz_offset}} |
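Review bot: this hunk removes `fields_under_root`, `fields` and `tz_offset` from the template outright, while the PR's stated fix is to keep the offset and make it a string; if the modsecurity pipeline does not read `fields.tz_offset` the removal is fine, but please confirm that and mention the dropped setting in the changelog, otherwise quote it instead, e.g. `tz_offset: "{{tz_offset}}"`.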
This raises the question of what the behavior should be. This field was not used in a pipeline (or presenting the manifest). And the `event.timezone` produced by the `add_locale` processor does not appear to be used anywhere.
Yes, this was my confusion here. I saw it wasn't being used. I'll add time zone config to the processor.
Looking into this further, it looks like the logs always have a time zone. So I think the removal is the correct thing to do here.
The `time_stamp` field in this test file does not have a TZ. And I think that time value is being parsed in the nginx-modsec pipeline. Maybe the value is always reported in UTC?

integrations/packages/modsecurity/data_stream/auditlog/_dev/test/pipeline/test-audit.log, line 1 in e001c86:

```json
{"transaction":{"client_ip":"67.43.156.14","time_stamp":"Fri May 14 14:52:47 2021","server_id":"c06217c4ac0d6f8892d2489cd5d92aaceec2508e","client_port":44464,"host_ip":"67.43.156.14","host_port":443,"id":"162100396753.595789","request":{"method":"GET","http_version":1.1,"uri":"/owa/","headers":{"Host":"34.87.56.16","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36","Accept":"*/*","Accept-Encoding":"gzip"}},"response":{"http_code":404,"headers":{"Strict-Transport-Security":"max-age=31536000; includeSubDomains","X-Runtime":"0.003894","X-Powered-By":"Phusion Passenger 6.0.2","Connection":"keep-alive","Content-Encoding":"gzip","Vary":"Origin","Status":"404 Not Found","X-Request-Id":"435c78d3-c122-4dee-8ca5-101397fab368","Server":"nginx/1.14.0","Content-Type":"text/html; charset=utf-8","Date":"Fri, 14 May 2021 14:52:47 GMT","Via":"1.1 google"}},"producer":{"modsecurity":"ModSecurity v3.0.2 (Linux)","connector":"ModSecurity-nginx v0.1.1-beta","secrules_engine":"Enabled","components":["OWASP_CRS/3.0.2\""]},"messages":[{"message":"Host header is a numeric IP address","details":{"match":"Matched \"Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `34.87.56.16' )","reference":"o0,11v25,11","ruleId":"920350","file":"/etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"733","data":"34.87.56.16","severity":"4","ver":"OWASP_CRS/3.0.0","rev":"2","tags":["application-multi","language-multi","platform-multi","attack-protocol","OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST","WASCTC/WASC-21","OWASP_TOP_10/A7","PCI/6.5.10"],"maturity":"9","accuracy":"9"}}]}}
```
Package cef - 2.6.1 containing this change is available at https://epr.elastic.co/search?package=cef
Package infoblox_nios - 1.6.1 containing this change is available at https://epr.elastic.co/search?package=infoblox_nios
Package keycloak - 1.7.1 containing this change is available at https://epr.elastic.co/search?package=keycloak
Package modsecurity - 1.5.1 containing this change is available at https://epr.elastic.co/search?package=modsecurity
Package panw - 3.5.1 containing this change is available at https://epr.elastic.co/search?package=panw
Package pfsense - 1.6.2 containing this change is available at https://epr.elastic.co/search?package=pfsense
Package qnap_nas - 1.7.1 containing this change is available at https://epr.elastic.co/search?package=qnap_nas
Package snort - 1.4.1 containing this change is available at https://epr.elastic.co/search?package=snort
Package sonicwall_firewall - 1.3.1 containing this change is available at https://epr.elastic.co/search?package=sonicwall_firewall
What does this PR do?
This ensures that timezone offsets in the form "+0n00" are not interpreted as octal integers.
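As an added illustration (not code from this PR or from the Beats/Elastic Agent code base) of why an unquoted offset goes wrong: the resolver below mimics the YAML 1.1 implicit integer rule that PyYAML applies to plain scalars, and assumes the agent's YAML reader behaves the same way; `render_tz_offset` renders the `tz_offset: {{tz_offset}}` template line with and without the quoting fix, and `is_valid_tz_offset` is a hypothetical check a pipeline could run on the result.

```python
import re

# Implicit int typing for plain (unquoted) scalars, modelled on the YAML 1.1
# "tag:yaml.org,2002:int" regex used by PyYAML (assumption: the Beats/Agent
# YAML reader applies the same YAML 1.1 rules, which is what the PR fixes).
_YAML11_INT = re.compile(r"""^(?:[-+]?0b[01_]+
                              |[-+]?0[0-7_]+
                              |[-+]?(?:0|[1-9][0-9_]*)
                              |[-+]?0x[0-9a-fA-F_]+)$""", re.X)

def resolve_plain_scalar(text):
    """Type an unquoted YAML 1.1 scalar the way a resolver would."""
    if not _YAML11_INT.match(text):
        return text                       # e.g. "-0800": 8 is not octal, stays a string
    value = text.replace("_", "")
    sign = -1 if value[0] == "-" else 1
    if value[0] in "+-":
        value = value[1:]
    if value.startswith("0b"):
        return sign * int(value[2:], 2)
    if value.startswith("0x"):
        return sign * int(value[2:], 16)
    if value != "0" and value[0] == "0":
        return sign * int(value, 8)       # leading zero => octal: "+0100" becomes 64
    return sign * int(value, 10)          # "+1000" becomes the integer 1000

def render_tz_offset(tz_offset, quoted):
    """Render the stream template line (unfixed or quoted) and parse the value back."""
    line = 'tz_offset: "{{tz_offset}}"' if quoted else "tz_offset: {{tz_offset}}"
    rendered = line.replace("{{tz_offset}}", tz_offset)
    _, raw = rendered.split(": ", 1)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]                  # a quoted scalar is always a string
    return resolve_plain_scalar(raw)

TZ_OFFSET_RE = re.compile(r"^[+-](?:[01]\d|2[0-3]):?[0-5]\d$")

def is_valid_tz_offset(value):
    """Hypothetical guard: accept only string offsets such as +0100 or -05:30."""
    return isinstance(value, str) and TZ_OFFSET_RE.match(value) is not None

if __name__ == "__main__":
    for off in ["+0100", "+0530", "-0800", "+1000"]:
        print(off, "unquoted ->", repr(render_tz_offset(off, False)),
              "quoted ->", repr(render_tz_offset(off, True)))
```

Note that only offsets made of octal digits (+0100 through +0700, +0530, ...) are silently turned into small integers, while +0800 survives as a string and +1000 becomes a decimal integer, which is why quoting is needed for every offset rather than a fix for one value.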