Proposal: TLS related fields #6
Conversation
|
@ruflin Good job, the tooling for this repository works great. 🎉 |
schemas/tls.yml
Outdated
| - name: certificates | ||
| type: text | ||
| description: > | ||
| An array of certificates. |
There was a problem hiding this comment.
What would be the format of this field? If one were to use base64-encoded certificates, a keyword field would make more sense than text.
There was a problem hiding this comment.
You are absolutely right for the keyword, I’ll update the PR.
|
@ruflin to move the certificate type from a text field to a keyword I will need to make a small change on the template generator, we have the I don't expect any problems since the ES default is much higher. |
|
@ph We should add support for |
) By default all fields of the type keyword were limitted to 1024 characters, this PR keep the default but allow developers to redefine that limit using the `ignore_above` directive in the field.yml. Ref: elastic/ecs#6
|
@ruflin The required support for |
|
Is there a reason to specify a value for It is very common for certificates to be >4096 bytes, e.g. check out this certificate for elastic.co at 4885 bytes or this certificate for microsoft.com at 5697 bytes. There is no set limit on a certificate's size; e.g. the number of subject alternative names is unbounded. |
|
Right, thanks for enlightening me, I am OK to remove it relies on ES keyword default which will be in this case @ruflin what you think if we make it an explicit choice, so users have to use -1 in the fields.yaml? |
|
@ruflin Also, defining this kind of size limits should be in another document we generated like the CSV, I don't think this information should only be kept in the template. This could be part of a new discussion or issue. |
|
We started to set for some fields index: false and @ph +1 on having the option in the generator to disable it. For the discussion on where these things should show up, let's move it to an other Github issue as proposed. |
|
@ruflin I think it would make sense in that context to set |
|
I would also set |
|
Setting |
|
Created #23 for exposing keyword limit. |
|
My assumption was that there is not going to be a query on the certificate field but as you mentioned above, there are potential queries. So index should be set to true. |
While working on the TCP inputs for beats I am able to extract information about the TLS envelope, this might be useful information for post-mortems or audit. Also, this was a feature requested on the beats input on the Logstash side. We are also extracting some information in [packetbeat](https://github.com/elastic/beats/blob/master/packetbeat/protos/tls/_meta/fields.yml) from the work of @adriansr. Concerning the TCP or the beats input, I think we can extract the following field and provide some useful information. - TLS version - Remote Certificates (mutual auth) - ServerName - Cipher used. Where OR should this information be in the ECS schema? Maybe we could add a `transport` top level key and have something like this. | Field | Description | Type | Example | |---|---|---|---| tls.version| string representation of the tls version| keyword| TLSv1.1 | tls.certificates| array of certificates used by the client.|text| raw certificate| tls.servername| server name requested by client|keyword| localhost[1] tls.ciphersuite| Name of the cipher used| keyword| ECDHE-ECDSA-AES-128-CBC-SHA [1]:https://en.wikipedia.org/wiki/Server_Name_Indication
|
@ruflin updated the PR with the latest review. |
README.md
Outdated
| @@ -358,6 +359,21 @@ Source fields describe details about the source of the event. | |||
| | <a name="source.subdomain"></a>`source.subdomain` | Source subdomain. | keyword | | | | |||
|
|
|||
|
|
|||
| ## <a name="tls"></a> TLS fields | |||
|
|
|||
| The tls fields contains the TLS related data about a specific connection. | |||
schemas/tls.yml
Outdated
| - name: version | ||
| type: keyword | ||
| description: > | ||
| TLS version |
There was a problem hiding this comment.
Can you add a . at the end?
README.md
Outdated
|
|
||
| The tls fields contains the TLS related data about a specific connection. | ||
|
|
||
| As an example in the case of Filebeat and the TCP input, the `version` field would be the version of the TLS protocol in use, the `certificates` would be the chain of certificates provided by the client and the `ciphersuite` is the encryption algorithm used for the communication. |
There was a problem hiding this comment.
Consider tagging as footnote: >to push this example to after the table
|
@ph I think you need to run |
|
@ruflin @karenzone added footnote and run make again, I didn't know about footnote. |
|
@ph |
While working on the TCP inputs for beats I am able to extract information about the TLS envelope,
this might be useful information for post-mortems or audit. Also, this was a feature requested on
the beats input on the Logstash side.
We are also extracting some information in packetbeat from the work of @adriansr.
Concerning the TCP or the beats input, I think we can extract the following field and provide some
useful information.
Where OR should this information be in the ECS schema? Maybe we could add a
transporttop levelkey and have something like this.