From c135629bc3fa030b4a245fdb3f94a0996c21ee39 Mon Sep 17 00:00:00 2001
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Mon, 2 Aug 2021 12:25:37 -0400
Subject: [PATCH] decode_cef - allow MACs without separators (#27109) (#27195)
Accept MAC addresses that do not contain separators (i.e. `000D60AF1B61`).
Fixes #27050
(cherry picked from commit 88d854c088924c160a635949b2db5bacfb2e8d26)
Co-authored-by: Andrew Kroh
---
 CHANGELOG.next.asciidoc | 1 +
 .../processors/decode_cef/cef/types.go | 30 ++++++++++++++++++-
 .../processors/decode_cef/cef/types_test.go | 21 +++++++++++++
 3 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 4e103d3c25dc..9c54c476c192 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -632,6 +632,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Use default add_locale for fortinet.firewall {issue}20300[20300] {pull}26524[26524]
 - Add new template functions and `value_type` parameter to `httpjson` transforms. {pull}26847[26847]
 - Add support to merge registry updates in the filestream input across multiple ACKed batches in case of backpressure in the registry or disk. {pull}25976[25976]
+- Add support to `decode_cef` for MAC addresses that do not contain separator characters. {issue}27050[27050] {pull}27109[27109]
 - Update Elasticsearch module's ingest pipeline for parsing new deprecation logs {issue}26857[26857] {pull}26880[26880]
 
 *Heartbeat*
diff --git a/x-pack/filebeat/processors/decode_cef/cef/types.go b/x-pack/filebeat/processors/decode_cef/cef/types.go
index a0e39c27b4cd..e5573aa46c4e 100644
--- a/x-pack/filebeat/processors/decode_cef/cef/types.go
+++ b/x-pack/filebeat/processors/decode_cef/cef/types.go
@@ -7,6 +7,7 @@ package cef
 import (
 "net"
 "strconv"
+ "strings"
 "time"
 
 "github.com/pkg/errors"
@@ -93,13 +94,40 @@ func toIP(v string) (string, error) {
 func toMACAddress(v string) (string, error) {
 // CEF specifies that MAC addresses are colon separated, but this will be a
 // little more liberal.
- hw, err := net.ParseMAC(v)
+ hw, err := net.ParseMAC(insertMACSeparators(v))
 if err != nil {
 return "", err
 }
 return hw.String(), nil
 }
 
+// insertMACSeparators adds colon separators to EUI-48 and EUI-64 addresses that
+// have no separators.
+func insertMACSeparators(v string) string {
+ const (
+ eui48HexLength = 48 / 4
+ eui64HexLength = 64 / 4
+ eui64HexWithSeparatorMaxLength = eui64HexLength + eui64HexLength/2 - 1
+ )
+
+ // Check that the length is correct for a MAC address without separators.
+ // And check that there isn't already a separator in the string.
+ if len(v) != eui48HexLength && len(v) != eui64HexLength || v[2] == ':' || v[2] == '-' || v[4] == '.' {
+ return v
+ }
+
+ var sb strings.Builder
+ sb.Grow(eui64HexWithSeparatorMaxLength)
+
+ for i := 0; i < len(v); i++ {
+ sb.WriteByte(v[i])
+ if i < len(v)-1 && i%2 != 0 {
+ sb.WriteByte(':')
+ }
+ }
+ return sb.String()
+}
+
 var timeLayouts = []string{
 // MMM dd HH:mm:ss.SSS zzz
 "Jan _2 15:04:05.000 MST",
diff --git a/x-pack/filebeat/processors/decode_cef/cef/types_test.go b/x-pack/filebeat/processors/decode_cef/cef/types_test.go
index fe44c13abb88..6c93eb3317fd 100644
--- a/x-pack/filebeat/processors/decode_cef/cef/types_test.go
+++ b/x-pack/filebeat/processors/decode_cef/cef/types_test.go
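Review bot: The guard in insertMACSeparators reads v[2] and v[4] on untrusted log input and is only safe because `&&` binds tighter than `||`, so the length test short-circuits before any indexing happens; that precedence is easy to misread, and a later edit that reorders the clauses would turn a short value into an index-out-of-range panic inside the processor. Parenthesising the length test makes the invariant explicit: `if (len(v) != eui48HexLength && len(v) != eui64HexLength) || v[2] == ':' || v[2] == '-' || v[4] == '.' {`. The header comment of toMACAddress still describes only the colon-separated form; consider extending it with `// Addresses with no separators at all (e.g. 000D60AF1B61) are also accepted.` so the next reader knows why the helper is called.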
@@ -65,3 +65,24 @@ func TestToTimestamp(t *testing.T) {
 assert.NoError(t, err, timeValue)
 }
 }
+
+func TestToMACAddress(t *testing.T) {
+ var macs = []string{
+ // EUI-48 (with and without separators).
+ "00:0D:60:AF:1B:61",
+ "00-0D-60-AF-1B-61",
+ "000D.60AF.1B61",
+ "000D60AF1B61",
+
+ // EUI-64 (with and without separators).
+ "00:0D:60:FF:FE:AF:1B:61",
+ "00-0D-60-FF-FE-AF-1B-61",
+ "000D.60FF.FEAF.1B61",
+ "000D60FFEEAF1B61",
+ }
+
+ for _, mac := range macs {
+ _, err := toMACAddress(mac)
+ assert.NoError(t, err, mac)
+ }
+}
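Review bot: TestToMACAddress only asserts that toMACAddress returns no error, so it would still pass if insertMACSeparators grouped the hex digits differently, as long as net.ParseMAC accepted the result; the normalised string the function returns should be compared too. Turning macs into an input-to-expected map makes the test pin the actual behaviour (the EUI-48 cases all normalise to `"00:0d:60:af:1b:61"`). The separator-less EUI-64 input `"000D60FFEEAF1B61"` also differs from the other EUI-64 cases (`EE` where they have `FE`); that looks like a typo, and a value comparison would make such slips visible.

```go
func TestToMACAddress(t *testing.T) {
	macs := map[string]string{
		// EUI-48 (with and without separators).
		"00:0D:60:AF:1B:61": "00:0d:60:af:1b:61",
		"00-0D-60-AF-1B-61": "00:0d:60:af:1b:61",
		"000D.60AF.1B61":    "00:0d:60:af:1b:61",
		"000D60AF1B61":      "00:0d:60:af:1b:61",

		// EUI-64 (with and without separators).
		"00:0D:60:FF:FE:AF:1B:61": "00:0d:60:ff:fe:af:1b:61",
		"00-0D-60-FF-FE-AF-1B-61": "00:0d:60:ff:fe:af:1b:61",
		"000D.60FF.FEAF.1B61":     "00:0d:60:ff:fe:af:1b:61",
		"000D60FFEEAF1B61":        "00:0d:60:ff:ee:af:1b:61",
	}

	for in, want := range macs {
		got, err := toMACAddress(in)
		if assert.NoError(t, err, in) {
			assert.Equal(t, want, got, in)
		}
	}
}
```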