Update Suricata for ECS DNS

[andrewkroh]

This updates the Suricata module to populate the ECS DNS fields. It does not remove existing suricata.eve.dns.* fields to preserve backward compatibility.

This also enhances the pipeline to handle the Suricata detailed DNS format (aka version 2). It requires that when using EVE DNS version: 2 that formats: [detailed] is used (grouped can be enabled too but it is ignored).

log.original is now populated with the original JSON log data.

source.address and destination.address are now populated.

event.end is populated with the flow.end value now and hence some events that did not contain flow.end no longer have an event.end.

Relates #13320

Needs:

• dns.question.registered_domain

[webmat]

Looking good so far!

I agree with populating event.end strictly with flow.end for flow events.

Can't wait to see the final version!

Have one important comment on DNS v1 answers, afaict it's a non-issue.

[webmat]

If it's a DNS version 1 event, this will continue to create a single event per DNS answer still, correct?

I guess for backwards compatibility for users that use Suricata as a source, we don't really have a choice to keep it like that. But the semantics for DNS answers will not match ECS, therefore I'm not sure we'll be able to depend on Suricata DNS version 1 as a source for DNS answers.

I think for now SIEM only looks at queries, however. Correct?

cc @cwurm

[cwurm]

The SIEM app has two DNS queries:

1. Top DNS domains table: Terms agg on dns.question.etld_plus_one, sub-aggs on dns.question.name, source.bytes, and destination.bytes
2. DNS queries KPI: Checks if dns.question.name exists among other things.

Since there is no filter on just queries or just answers I think we will miscount if there are several documents (for query and answer or one per answer).

[webmat]

Is this a straight JSON to YAML conversion, or were there other changes to this pipeline?

[andrewkroh]

I added a lowercase filter for the network.transport. And made the aforementioned event.end change.

[webmat]

❤️

[elasticmachine]

Pinging @elastic/siem

[webmat]

LGTM, once Changelog is rebased

[webmat]

Travis flailing with the exact same error as #13324, so pretty sure it's unrelated:

======================================================================
ERROR: Test stopping filebeat under load: wait for all events being published.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/go/src/github.com/elastic/beats/filebeat/tests/system/test_shutdown.py", line 57, in test_shutdown_wait_ok
    max_timeout=15)
  File "/go/src/github.com/elastic/beats/filebeat/tests/system/../../../libbeat/tests/system/beat/beat.py", line 387, in wait_log_contains
    name=name)
  File "/go/src/github.com/elastic/beats/filebeat/tests/system/../../../libbeat/tests/system/beat/beat.py", line 352, in wait_until
    "Waited {} seconds.".format(max_timeout))
TimeoutError: Timeout waiting for 'log_contains' to be true. Waited 15 seconds.
----------------------------------------------------------------------
XML: /go/src/github.com/elastic/beats/filebeat/build/TEST-system.xml
[success] 17.56% test_autodiscover.TestAutodiscover.test_default_settings: 93.9637s
[success] 8.25% test_autodiscover.TestAutodiscover.test_docker: 44.1770s
[error] 4.71% test_shutdown.Test.test_shutdown_wait_ok: 25.2150s