Add Endace Integration #10308

Closed
24 commits (changes shown from 8 commits)

Commits
c307a2c
base integration
jamesagarside May 31, 2024
c01b125
Netflow tests complete
jamesagarside Jun 20, 2024
d72723d
Added tests
jamesagarside Jun 21, 2024
14ece87
Fixed tests for flow
jamesagarside Jul 1, 2024
7e7dd97
Merge branch 'main' into endace
jamesagarside Jul 1, 2024
b4bb6a8
Modified owner in manifest
jamesagarside Jul 1, 2024
76544db
Removed test data scripts
jamesagarside Jul 1, 2024
2ccdfd8
Extended test coverage
jamesagarside Jul 2, 2024
03697e0
Update changelog.yml
jamesagarside Jul 4, 2024
ec2ddea
Update changelog.yml
jamesagarside Jul 4, 2024
e945227
Update packages/endace/_dev/deploy/docker/docker-compose.yml
jamesagarside Jul 4, 2024
540056a
Fixed proposed changes
jamesagarside Jul 5, 2024
d5afd1e
Updated README
jamesagarside Jul 8, 2024
7d07ffb
Update packages/endace/data_stream/flow/elasticsearch/ingest_pipeline…
jamesagarside Jul 15, 2024
d4ab3f8
Able to create P2V when just one IP is present - Fixed start&end time…
rcesar999 Jul 22, 2024
0c95395
Fixed duplicate tags
jamesagarside Jul 22, 2024
7e1735f
Corrected typo in agent config
jamesagarside Jul 22, 2024
667677b
Updated owners of this package to include upstream owner of the Flow…
jamesagarside Jul 22, 2024
04cb6d4
updated docs
jamesagarside Jul 22, 2024
d6d4672
Added reference field
jamesagarside Jul 22, 2024
154d45f
Fixed pipeline tags, operator grouping and tests
jamesagarside Jul 22, 2024
fafac50
Removed redundant ? operators
jamesagarside Jul 22, 2024
505622d
Update CODEOWNERS
jamesagarside Jul 22, 2024
f1405b0
Add failure
jamesagarside Jul 26, 2024
1 change: 1 addition & 0 deletions .github/CODEOWNERS
Expand Up @@ -152,6 +152,7 @@
/packages/elastic_agent @elastic/elastic-agent
/packages/elastic_package_registry @elastic/ecosystem
/packages/elasticsearch @elastic/stack-monitoring
/packages/endace @elastic/sec-deployment-and-devices
/packages/enterprisesearch @elastic/stack-monitoring
/packages/entityanalytics_ad @elastic/security-service-integrations
/packages/entityanalytics_entra_id @elastic/security-service-integrations
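Review bot: the new entry assigns the package to @elastic/sec-deployment-and-devices alone, while the later commit "Updated owners of this package to include upstream owner of the Flow…" adds a second team; CODEOWNERS and the owner block in packages/endace/manifest.yml (touched in "Modified owner in manifest") must list the same owners, so re-check both once the final owner set is settled. Placement between `/packages/elasticsearch` and `/packages/enterprisesearch` keeps the list alphabetical.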
93 changes: 93 additions & 0 deletions packages/endace/LICENSE.txt
@@ -0,0 +1,93 @@
Elastic License 2.0

URL: https://www.elastic.co/licensing/elastic-license

## Acceptance

By using the software, you agree to all of the terms and conditions below.

## Copyright License

The licensor grants you a non-exclusive, royalty-free, worldwide,
non-sublicensable, non-transferable license to use, copy, distribute, make
available, and prepare derivative works of the software, in each case subject to
the limitations and conditions below.

## Limitations

You may not provide the software to third parties as a hosted or managed
service, where the service provides users with access to any substantial set of
the features or functionality of the software.

You may not move, change, disable, or circumvent the license key functionality
in the software, and you may not remove or obscure any functionality in the
software that is protected by the license key.

You may not alter, remove, or obscure any licensing, copyright, or other notices
of the licensor in the software. Any use of the licensor’s trademarks is subject
to applicable law.

## Patents

The licensor grants you a license, under any patent claims the licensor can
license, or becomes able to license, to make, have made, use, sell, offer for
sale, import and have imported the software, in each case subject to the
limitations and conditions in this license. This license does not cover any
patent claims that you cause to be infringed by modifications or additions to
the software. If you or your company make any written claim that the software
infringes or contributes to infringement of any patent, your patent license for
the software granted under these terms ends immediately. If your company makes
such a claim, your patent license ends immediately for work on behalf of your
company.

## Notices

You must ensure that anyone who gets a copy of any part of the software from you
also gets a copy of these terms.

If you modify the software, you must include in any modified copies of the
software prominent notices stating that you have modified the software.

## No Other Rights

These terms do not imply any licenses other than those expressly granted in
these terms.

## Termination

If you use the software in violation of these terms, such use is not licensed,
and your licenses will automatically terminate. If the licensor provides you
with a notice of your violation, and you cease all violation of this license no
later than 30 days after you receive that notice, your licenses will be
reinstated retroactively. However, if you violate these terms after such
reinstatement, any additional violation of these terms will cause your licenses
to terminate automatically and permanently.

## No Liability

*As far as the law allows, the software comes as is, without any warranty or
condition, and the licensor will not be liable to you for any damages arising
out of these terms or the use or nature of the software, under any kind of
legal claim.*

## Definitions

The **licensor** is the entity offering these terms, and the **software** is the
software the licensor makes available under these terms, including any portion
of it.

**you** refers to the individual or entity agreeing to these terms.

**your company** is any legal entity, sole proprietorship, or other kind of
organization that you work for, plus all organizations that have control over,
are under the control of, or are under common control with that
organization. **control** means ownership of substantially all the assets of an
entity, or the power to direct its management and policies by vote, contract, or
otherwise. Control can be direct or indirect.

**your licenses** are all the licenses granted to you for the software under
these terms.

**use** means anything you do with the software requiring one of your licenses.

**trademark** means trademarks, service marks, and similar rights.
4 changes: 4 additions & 0 deletions packages/endace/_dev/build/build.yml
@@ -0,0 +1,4 @@
dependencies:
ecs:
reference: "[email protected]"
import_mappings: true
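Review bot: the `reference` value renders as "[email protected]", which is not a usable ECS reference; it should be a pinned ECS git tag (other packages' build.yml files use the `git@v<ecs-version>` form), and since `import_mappings: true` imports field mappings from that revision, the tag must match the ECS version the endace flow fields are defined against. Also confirm the nesting: `ecs:` and its two keys must sit under `dependencies:`, which this flattened view cannot show.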
171 changes: 171 additions & 0 deletions packages/endace/_dev/build/docs/README.md
@@ -0,0 +1,171 @@
# Network Packet Capture Integration

This integration sniffs network packets on a host and dissects
known protocols.

Monitoring your network traffic is critical to gaining observability and
securing your environment — ensuring high levels of performance and security.
The Network Packet Capture integration captures the network traffic between
your application servers, decodes common application layer protocols and
records the interesting fields for each transaction.

## Supported Protocols

Currently, Network Packet Capture supports the following protocols:

- ICMP (v4 and v6)
- DHCP (v4)
- DNS
- HTTP
- AMQP 0.9.1
- Cassandra
- Mysql
- PostgreSQL
- Redis
- Thrift-RPC
- MongoDB
- Memcache
- NFS
- TLS
- SIP/SDP (beta)

### Common protocol options

The following options are available for all protocols:

#### `map_to_ecs`

Remap any non-ECS Packetbeat fields in root to their correct ECS fields.
This will rename fields that are moved so the fields will not be present
at the root of the document and so any rules that depend on the fields
will need to be updated.

The legacy behaviour of this option is to not remap to ECS. This behaviour
is still the default, but is deprecated and users are encouraged to set
this option to true.

ECS remapping may have an impact on workflows that depend on the identity
of non-ECS fields, and users should assess their use of these fields before
making the change. Users who need to retain data collected with the legacy
mappings may need to re-index their older documents. Instructions for doing
this are available [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html).
The pipeline used to perform ECS remapping for each data stream can be found
in `Stack Management`›`Ingest Pipelines` and and searching for
"logs-network_traffic compatibility".

The deprecation and retirement timeline for legacy behavior is available
[here](https://github.com/elastic/integrations/issues/8185).

#### `enabled`

The enabled setting is a boolean setting to enable or disable protocols
without having to comment out configuration sections. If set to false,
the protocol is disabled.

The default value is true.

#### `ports`

Exception: For ICMP the option `enabled` has to be used instead.

The ports where Network Packet Capture will look to capture traffic for specific
protocols. Network Packet Capture installs a
[BPF](https://en.wikipedia.org/wiki/Berkeley_Packet_Filter) filter based
on the ports specified in this section. If a packet doesn’t match the
filter, very little CPU is required to discard the packet. Network Packet Capture
also uses the ports specified here to determine which parser to use for
each packet.

#### `monitor_processes`

If this option is enabled then network traffic events will be enriched
with information about the process associated with the events.

The default value is false.

#### `send_request`

If this option is enabled, the raw message of the request (`request`
field) is sent to Elasticsearch. The default is false. This option is
useful when you want to index the whole request. Note that for HTTP, the
body is not included by default, only the HTTP headers.

#### `send_response`

If this option is enabled, the raw message of the response (`response`
field) is sent to Elasticsearch. The default is false. This option is
useful when you want to index the whole response. Note that for HTTP,
the body is not included by default, only the HTTP headers.

#### `transaction_timeout`

The per protocol transaction timeout. Expired transactions will no
longer be correlated to incoming responses, but sent to Elasticsearch
immediately.

#### `tags`

A list of tags that will be sent with the transaction event. This
setting is optional.

#### `processors`

A list of processors to apply to the data generated by the protocol.

#### `keep_null`

If this option is set to true, fields with `null` values will be
published in the output document. By default, `keep_null` is set to
`false`.


## Network Flows

Overall flow information about the network connections on a
host.

You can configure Network Packet Capture to collect and report statistics
on network flows. A *flow* is a group of packets sent over the same time
period that share common properties, such as the same source and destination
address and protocol. You can use this feature to analyze network
traffic over specific protocols on your network.

For each flow, Network Packet Capture reports the number of packets and the
total number of bytes sent from the source to the destination. Each flow event
also contains information about the source and destination hosts, such
as their IP address. For bi-directional flows, Network Packet Capture reports
statistics for the reverse flow.

Network Packet Capture collects and reports statistics up to and including the
transport layer.

**Configuration options**

You can specify the following options for capturing flows.

#### `enabled`

Enables flows support if set to true. Set to false to disable network
flows support without having to delete or comment out the flows section.
The default value is true.

#### `timeout`

Timeout configures the lifetime of a flow. If no packets have been
received for a flow within the timeout time window, the flow is killed
and reported. The default value is 30s.

#### `period`

Configure the reporting interval. All flows are reported at the very
same point in time. Periodical reporting can be disabled by setting the
value to -1. If disabled, flows are still reported once being timed out.
The default value is 10s.

{{fields "flow"}}

{{event "flow"}}

## Licensing for Windows Systems

The Network Packet Capture Integration incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project").
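Review bot: this README documents the Network Packet Capture (network_traffic) integration rather than the Endace package: the title, the description of sniffing packets on a host, the per-protocol option sections, and the pointer to the "logs-network_traffic compatibility" pipelines do not apply to an endace package whose deploy setup in this PR (docker-compose.yml) supplies pcaps and an IPFIX stream to the agent. Keep the `## Network Flows` section with `{{fields "flow"}}` and `{{event "flow"}}`, and replace the rest with what Endace actually provides and how the flow data stream is configured; keep the Npcap licensing section only if the package bundles Npcap. Minor: "and and searching for" under `map_to_ecs`, and the ICMP "Exception:" sentence under `ports` sits above the paragraph it qualifies.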
13 changes: 13 additions & 0 deletions packages/endace/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,13 @@
version: "2.3"
services:
endace:
image: alpine
volumes:
- ./pcaps:/sample_pcaps:ro
- ${SERVICE_LOGS_DIR}:/pcaps
command: /bin/sh -c "cp /sample_pcaps/* /pcaps/"
netflow-log-netflow:
image: akroh/stream:v0.0.1
volumes:
- ./sample_logs:/sample_logs:ro
command: pcap --start-signal=SIGHUP --delay=5s --addr elastic-agent:2055 -p=udp /sample_logs/ipfix_cisco.pcap
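Review bot: the `netflow-log-netflow` service mounts `./sample_logs` and replays `/sample_logs/ipfix_cisco.pcap`, but none of the binary files whose paths are visible in this diff are under `sample_logs/` (the named ones are all under `./pcaps/`), so confirm `sample_logs/ipfix_cisco.pcap` is committed or change the mount to `./pcaps`. Also pin `image: alpine` to a specific tag so the system test environment is reproducible rather than tracking whatever `latest` resolves to.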
Binary file added packages/endace/_dev/deploy/docker/pcaps/dns_mx.pcap
Binary file added packages/endace/_dev/deploy/docker/pcaps/nfs_v3.pcap
Binary file added packages/endace/_dev/deploy/docker/pcaps/nfs_v4.pcap
Binary file added packages/endace/_dev/deploy/docker/pcaps/sip.pcap
16 changes: 16 additions & 0 deletions packages/endace/changelog.yml
@@ -0,0 +1,16 @@
# newer versions go on top
- version: "0.0.4"
changes:
- description: Initial draft of the package
type: enhancement
link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link
- version: "0.0.3"
changes:
- description: Initial draft of the package
type: enhancement
link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link
- version: "0.0.1"
changes:
- description: Initial draft of the package
type: enhancement
link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link
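Review bot: all three entries carry the same "Initial draft of the package" description and the FIXME placeholder link `https://github.com/elastic/integrations/pull/1`; a new package should ship one initial entry whose link points at this PR (#10308), and the jump from 0.0.1 to 0.0.3 and 0.0.4 with no 0.0.2 and no distinct descriptions will not pass changelog checks. Also confirm the top version matches `version` in manifest.yml.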