x-pack/filebeat/input/netflow: record IPv6 src and dst addresses (#29383

)

CHANGELOG.next.asciidoc

@@ -149,6 +149,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix `threatintel.misp` filters configuration. {issue}27970[27970]
 - Fix handling of escaped newlines in the `decode_cef` processor. {issue}16995[16995] {pull}29268[29268]
 - Fix `panw` module ingest errors for GLOBALPROTECT logs {pull}29154[29154]
+- Fix handling of IPv6 addresses in netflow flow events. {issue}19210[19210] {pull}29383[29383]
 
 *Heartbeat*
 

x-pack/filebeat/input/netflow/convert.go

@@ -5,9 +5,11 @@
 package netflow
 
 import (
+	"bytes"
 	"encoding/base64"
 	"encoding/binary"
 	"net"
+	"sort"
 	"strconv"
 	"strings"
 	"time"
@@ -196,6 +198,10 @@ func flowToBeatEvent(flow record.Record, internalNetworks []string) (event beat.
 		ecsSource["ip"] = ip
 		relatedIP = append(relatedIP, ip)
 		ecsSource["locality"] = getIPLocality(internalNetworks, ip).String()
+	} else if ip, found := getKeyIP(flow.Fields, "sourceIPv6Address"); found {
+		ecsSource["ip"] = ip
+		relatedIP = append(relatedIP, ip)
+		ecsSource["locality"] = getIPLocality(internalNetworks, ip).String()
 	}
 	if sourcePort, found := getKeyUint64(flow.Fields, "sourceTransportPort"); found {
 		ecsSource["port"] = sourcePort
@@ -209,6 +215,10 @@ func flowToBeatEvent(flow record.Record, internalNetworks []string) (event beat.
 		ecsDest["ip"] = ip
 		relatedIP = append(relatedIP, ip)
 		ecsDest["locality"] = getIPLocality(internalNetworks, ip).String()
+	} else if ip, found := getKeyIP(flow.Fields, "destinationIPv6Address"); found {
+		ecsDest["ip"] = ip
+		relatedIP = append(relatedIP, ip)
+		ecsDest["locality"] = getIPLocality(internalNetworks, ip).String()
 	}
 	if destPort, found := getKeyUint64(flow.Fields, "destinationTransportPort"); found {
 		ecsDest["port"] = destPort
@@ -321,11 +331,31 @@ func flowToBeatEvent(flow record.Record, internalNetworks []string) (event beat.
 		event.Fields["network"] = ecsNetwork
 	}
 	if len(relatedIP) > 0 {
-		event.Fields["related"] = common.MapStr{"ip": relatedIP}
+		event.Fields["related"] = common.MapStr{"ip": uniqueIPs(relatedIP)}
 	}
 	return
 }
 
+// unique returns ips lexically sorted and with repeated elements
+// omitted.
+func uniqueIPs(ips []net.IP) []net.IP {
+	if len(ips) < 2 {
+		return ips
+	}
+	sort.Slice(ips, func(i, j int) bool { return bytes.Compare(ips[i], ips[j]) < 0 })
+	curr := 0
+	for i, ip := range ips {
+		if ip.Equal(ips[curr]) {
+			continue
+		}
+		curr++
+		if curr < i {
+			ips[curr], ips[i] = ips[i], nil
+		}
+	}
+	return ips[:curr+1]
+}
+
 func getKeyUint64(dict record.Map, key string) (value uint64, found bool) {
 	iface, found := dict[key]
 	if !found {

x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json

@@ -169,8 +169,8 @@
         },
         "related": {
           "ip": [
-            "64.235.151.76",
-            "10.236.5.4"
+            "10.236.5.4",
+            "64.235.151.76"
           ]
         },
         "source": {

x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json

@@ -145,8 +145,8 @@
         },
         "related": {
           "ip": [
-            "10.99.252.50",
-            "10.99.130.239"
+            "10.99.130.239",
+            "10.99.252.50"
           ]
         },
         "source": {
@@ -225,8 +225,8 @@
         },
         "related": {
           "ip": [
-            "10.99.130.239",
-            "10.98.243.20"
+            "10.98.243.20",
+            "10.99.130.239"
           ]
         },
         "source": {
@@ -385,8 +385,8 @@
         },
         "related": {
           "ip": [
-            "10.99.168.140",
-            "10.98.243.20"
+            "10.98.243.20",
+            "10.99.168.140"
           ]
         },
         "source": {
@@ -545,8 +545,8 @@
         },
         "related": {
           "ip": [
-            "10.99.168.140",
-            "10.98.243.20"
+            "10.98.243.20",
+            "10.99.168.140"
           ]
         },
         "source": {