Normalize DNS related fields across entities

[dainperkins]

Adding fields to standardize domain name representations & features for:
dns, client, destination, host, server, source fields.

Closes #728

[webmat]

Tip: I added Closes #728 to the end of the PR text. This will automatically close the related issue when we merge this. Please do this, when a PR addresses an issue in full. When it addresses part of an issue, just mentioning the issue number in the description or a comment is useful as well, as it links the two together.

[webmat]

Thanks Dain! Here's a first round of review.

I've made a few comments on the "client" field set, which apply to the equivalent fields in the other field sets as well.

[webmat]

Please add back this line

[dainperkins]

so for future clarification - when I update from source, I should just add a line to CHANGELOG.next.md?

[webmat]

Yes, just add your line and don't touch the rest :-)

[ebeahan]

Looks the conflicts with the CHANGELOG.next are still outstanding.

[webmat]

I'm not sure if we should go all the way to adding country_code.

I understand the value, but even just parsing out the eTLD and the registered_domain reliably puts a high burden on implementations, IMO.

Asking them to also figure out the country code (only when appropriate, so not when it's a ".com", ".org" or ".beer") opens up other cans of worm: what about the region? Being from Quebec Canada I'm thinking of our beloved ".qc.ca" tld and the like.

@andrewkroh What do you think? Does the public suffix list help fill this country code (aka it's not much more of a burden)? Or does it not help with country code?

If we decide to keep it, we should at least say in the description that it should be filled only when there's a country code :-)

[dainperkins]

I feel like parsing issues shouldn't be a consideration in terms of the availability of accurate sub fields. I'll update the description to say it should only be filled in when there is a country code.

[andrewkroh]

The country code TLDs are a subset of all TLDs. And we already have a top_level_domain field so this will be duplicated. If is useful to know that a TLD is a country code then maybe that's a boolean flag like is_country_code to indicate the top_level_domain is a country.

Similarly I had thought other attributes of the domain name could be flags. Like whether it contains puny codes with is_internationalized (elastic/beats#5809 (comment)).

[dainperkins]

@andrewkroh that leaves me wondering 2 things (and I'm serious... not just pondering to be annoying, which I may have been known to do on occasion :)

1. where do we draw the line for cutting up aggregate things (like a fqdn) into its component parts?

tld is part of a fqdn - and we duplicates it, but cc (and apparently ?region code? thanks for that Quebec!) are also part of a tld... should we be cutting a fqdn up into all of its component parts? or just the major ones? what criteria should we use for "major"?

I can't see visualizing cc against tld, but I could potentially see utilizing cc as a feature, or as an influencer / bucket for analysis (region code should result in the creators immediate relegation to their own personal purgatory as far as I am concerned :)

2. I love the "is_internationalized" flag idea, and think theres probably some others we could consider as atomic features (digit ratio, number of special characters, entropy, levenstein distance to similar popular domains, subdomain count, subdomain length, etc.) but, well where do we draw the line with that too?

[dainperkins]

added is_internationalized, removed country_code and added to the tld description ti indicate its the spot to tld/cctld

[webmat]

What is this field's relationship to client.domain?

[dainperkins]

domain is listed under host as being e.g. the windows domain (e.g. netbios name - "CONTOSO"); name is used elsewhere (dns.question.name) as being specific to the domain name...

Up until digging thru this I had expected to lobby for fqdn, but based on the fact that its next to impossible to determine from information gathered about a dns request if a name is partially or fully qualified, I went with the ECS dns fields as the baseline for consistency

[dainperkins]

@webmat - did I answer the question? I'm not 100% sure I understood your original question (as I looked at the other references)

[webmat]

What is this field's relationship to client.subdomain?

[dainperkins]

I would consider it to be the first in a multi-level name in a p/fqdn

Thinking about dns analysis, I might like to be able to analyze the host portion of a name (various features could be useful) as well as the [subdomains] as it stands (host + subdomains)

trying to avoid thinking about features etc., and just thinking about e.g. show me every domain name (requested or accessed) for a particular domain, and bucket by subdomain (assuming first name is a host designation - which even if its a subdomain with an a record, its still effectively a specific host...

[webmat]

I'm not sure I would add all of these fields in the DNS answers array of object.

@MikePaquette Do you think we have a need for that?

@leehinman & @andrewkroh What do you think about implementing this on DNS answers? Sounds to me like adding this here may be problematic, considering the different kinds of DNS answers we can get, or even just for performance reasons: a query for a domain name can yield many CNAMEs as an answer, so worst case this could be multiple public suffix list lookups per DNS answer event. WDYT?

[dainperkins]

Looking at a packetbeat dns request there's 1 request for www.microsoft.com, which gets answered with 3 CNAMES and an A record. (reference below). As the A record is effectively a recursive, automatic request - it seems like the name should be parsed out and treated like a straight up dns.question??

{
"data": "www.microsoft.com-c-3.edgekey.net",
"name": "www.microsoft.com",
"type": "CNAME",
"class": "IN",
"ttl": "2726"
},
{
"data": "www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net",
"name": "www.microsoft.com-c-3.edgekey.net",
"type": "CNAME",
"ttl": "21204",
"class": "IN"
},
{
"data": "e13678.dspb.akamaiedge.net",
"name": "www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net",
"type": "CNAME",
"ttl": "900",
"class": "IN"
},
{
"data": "23.33.58.14",
"name": "e13678.dspb.akamaiedge.net",
"type": "A",
"class": "IN",
"ttl": "20"
}

[ebeahan]

@dainperkins Have you had a chance to take a look at the feedback here? We would like to get this added in for 1.6.

[dainperkins]

@ebeahan,
hadn't heard again from anyone but just pushed updates including single example domains, pulled country code fields and beefed up examples to show tld/reg'd domain as being the appropriate place (e.g. co.uk, mydomain.co.uk)

Added is_internationalized (boolean) and hopefully fixed the changelog.md

I also pulled the breakdown for answers, I'm not 100% sure thats the right way to go, but its easy enough to add back in.

[antcodd]

I'm not sure of excluding the "hostname" from the subdomain, or assuming it should populate the hostname field.

What happens when the the "hostname" is not the hostname of the machine as with most publicly facing URLs?

For example mail.google.com is unlikely to be a machine whose actual hostname is "mail". It could be more than one machine load balanced where an individual host responded, or more than one subdomain hosted by the same machine. Is this what ..or if the qualification level of the full name cannot be determined is supposed to cover? There seem to be different schools of thought on whether the leftmost part of a domain counts as a hostname, or always a subdomain, or sometimes one or the other depending on the context that can't be determined from just looking at the url.

This is particularly important in fields set groups outside url and dns (like client and server) where you might be recording the machines actual hostname based on network traffic and not the url, but copying from url.domain to server.domain. If you drop mail from the subdomain but have hostname as the real internal IP based one the information is inconsistent.

[dainperkins]

So this one is annoyingly specific to a number of criteria...

FQDN/PQDN - I am actually using PQDN wrong in the docs (mail vs. mail.google.com, or specifically an a record for a subdomain - mail.google.com where there is an A or CNAME record for the subdomain, but also hosts in mail.google.com) I'll fix that first. I'm not 100% sure it matters, but will check and revise if necessary. (Oddly a pqdn - e.g. looking up sharepoint, and having an added domain suffix, will typically show up as an FQDN in the DNS lookup, but may not in the Uri (https://sharepoint should do a lookup on sharepoint.contoso.com for example)

• Locality (local hostname vs. host portion of a fqdn)
• Record Type (CName(s) vs A record)
• Truth (dns "host"/"A Record" that resolves to 1 or multiple hosts (could be lb, could be load balancing, etc)

I was trying to adjust, with minimal breaks, dns info across multiple fields and I think the valid concerns come down to frame of reference.

Maybe as you said there needs to be some delineation between dns related events (url, dns lookup) and device information (literal system hostname for client/server - potentially pulling from source/dest all together)

[antcodd]

How would whether this is a domain name or a custom name be determined? By whether the name contains a dot?

Perhaps "name" should work like "address" and you copy the best available name from more specific fields, or have a custom user supplied one? It feels somewhat overloaded here, it's a shame domain is used for other purposes in some field set groups.

[dainperkins]

This one comes down to processing - I'm honestly not sure what the results would look like for a partial domain in the logstash tld filter (will test and see)

[antcodd]

I'm not sure www is a good example of a hostname, especially outside of the url field set. See my comments on subdomain.

[dainperkins]

Like you said, relates back to the subdomain, but I can go back and replace www with something less obviously a virtual name for the sake of the example, I think that makes sense.

[ebeahan]

Thanks @dainperkins for revisiting so quickly! Just a couple of observations, but I think we'll probably need to perform a rebase on your branch to fix some of the predicted merge conflicts.

[ebeahan]

Looks the conflicts with the CHANGELOG.next are still outstanding.

[ebeahan]

I like the idea of is_internationalized, and I think Andrew's use case from elastic/beats#5809 makes a lot of sense. Do we have a mechanism that will be able to populate this field today or in the near future?

Just wonder if we should perhaps hold it back until we have a more immediate use. Going along with the internationalized domain name use case, it'd be more useful to a user if the punycode-to-unicode translation was captured as well as setting the is_internationalized flag.

[dainperkins]

found a simple regex to check ^(.+[-_.])??xn--), contains ".xn--" in the registered / tld would also do it

From a machine learning standpoint I think the unicode translation would definitely be interesting (looks like apple, but its not!) but the is_internationalized flag seems easy enough to implement.

[dainperkins]

Per ECS Team discussion - closing this PR and opening 2 new PRs to separate:

1. DNS specifics (related to dns name queries observed or logged)
2. Host specifics (related to internal host naming conventions - logical name, system hostname, dns/directory name)

[ebeahan]

@dainperkins Is the plan still to split this into two new PRs as mentioned above? If so, can this PR be closed?

[dainperkins]

@ebeahan I think its probably for the best to close this one, and I'll tackle the individual items in a future one.

I do think normalizing the dns domain fields throughout would be a good thing, and probably one of those potentially breaking changes to be considered for 2.0

[dainperkins]

• closing to split into multiple, scope limited PRs