From 8640d2ae38250b52482def48fa9671f567b0d4a6 Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Thu, 29 Aug 2019 16:56:20 -0400
Subject: [PATCH] Populate dns.type in Zeek pipeline (#13422)

---
 .../filebeat/module/zeek/dns/config/dns.yml | 10 ++
 .../module/zeek/dns/test/dns-json.log | 2 +
 .../zeek/dns/test/dns-json.log-expected.json | 91 +++++++++++++++++++
 3 files changed, 103 insertions(+)

diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml
index aa755d756d9..96e67d9f840 100644
--- a/x-pack/filebeat/module/zeek/dns/config/dns.yml
+++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml
@@ -88,6 +88,15 @@ processors:
 }
 }

+ function setDnsType(evt) {
+ var response_code = evt.Get("zeek.dns.rcode_name");
+ if (response_code) {
+ evt.Put("dns.type", "answer");
+ } else {
+ evt.Put("dns.type", "query");
+ }
+ }
+
 function addEventDuration(evt) {
 var rttSec = evt.Get("zeek.dns.rtt");
 if (!rttSec) {
@@ -100,6 +109,7 @@ processors:
 addDnsHeaderFlags(evt);
 addDnsQuestionClass(evt);
 addDnsAnswers(evt);
+ setDnsType(evt);
 addEventDuration(evt);
 }
 - convert:
diff --git a/x-pack/filebeat/module/zeek/dns/test/dns-json.log b/x-pack/filebeat/module/zeek/dns/test/dns-json.log
index 5a5f2534bba..7c6cfced331 100644
--- a/x-pack/filebeat/module/zeek/dns/test/dns-json.log
+++ b/x-pack/filebeat/module/zeek/dns/test/dns-json.log
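Review bot: setDnsType derives `dns.type` from the truthiness of `zeek.dns.rcode_name`, but nothing in the hunk says why that field stands in for "a reply was observed"; Zeek writes one dns.log record per transaction, so a reader cannot tell whether an unanswered query (no rcode, as in the second test record) is deliberately `query` and an unsolicited mDNS announcement (rcode present, no qtype, as in the third) deliberately `answer`. A comment above the function such as `// Zeek records one transaction per line; a response code means a reply was seen, so ECS dns.type is "answer", otherwise "query".` would make the heuristic reviewable. Separately, `response_code` is the only snake_case local in this script while the neighbouring function uses `rttSec`; `var rcodeName = evt.Get("zeek.dns.rcode_name");` keeps the naming consistent. The second dns.yml hunk on this same line, which only adds the `setDnsType(evt);` call, needs no change.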
@@ -1 +1,3 @@
 {"ts":1547188415.857497,"uid":"CAcJw21BbVedgFnYH3","id.orig_h":"192.168.86.167","id.orig_p":38339,"id.resp_h":"192.168.86.1","id.resp_p":53,"proto":"udp","trans_id":15209,"rtt":0.076967,"query":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","qclass":1,"qclass_name":"C_INTERNET","qtype":1,"qtype_name":"A","rcode":0,"rcode_name":"NOERROR","AA":false,"TC":false,"RD":true,"RA":true,"Z":0,"answers":["proxy-production-us-west1.gcp.cloud.es.io","proxy-production-us-west1-v1-009.gcp.cloud.es.io","35.199.178.4"],"TTLs":[119.0,119.0,59.0],"rejected":false}
+{"ts":1567095830.680046,"uid":"C19a1k4lTv46YMbeOk","id.orig_h":"fe80::4ef:15cf:769f:ff21","id.orig_p":5353,"id.resp_h":"ff02::fb","id.resp_p":5353,"proto":"udp","trans_id":0,"query":"_googlecast._tcp.local","qclass":1,"qclass_name":"C_INTERNET","qtype":12,"qtype_name":"PTR","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}
+{"ts":1567095830.734329,"uid":"CdiVAw7jJw6gsX5H","id.orig_h":"192.168.86.237","id.orig_p":5353,"id.resp_h":"224.0.0.251","id.resp_p":5353,"proto":"udp","trans_id":0,"query":"_googlecast._tcp.local","rcode":0,"rcode_name":"NOERROR","AA":true,"TC":false,"RD":false,"RA":false,"Z":0,"answers":["bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local"],"TTLs":[120.0],"rejected":false}
diff --git a/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json b/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
index 8d1052a27b4..a8e2cd94b3a 100644
--- a/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
@@ -31,6 +31,7 @@
 "35.199.178.4"
 ],
 "dns.response_code": "NOERROR",
+ "dns.type": "answer",
 "event.dataset": "zeek.dns",
 "event.duration": 76967000,
 "event.id": "CAcJw21BbVedgFnYH3",
@@ -73,5 +74,95 @@
 "zeek.dns.rtt": 0.076967,
 "zeek.dns.trans_id": 15209,
 "zeek.session_id": "CAcJw21BbVedgFnYH3"
+ },
+ {
+ "@timestamp": "2019-08-29T16:23:50.680Z",
+ "destination.address": "ff02::fb",
+ "destination.ip": "ff02::fb",
+ "destination.port": 5353,
+ "dns.id": 0,
+ "dns.question.class": "IN",
+ "dns.question.name": "_googlecast._tcp.local",
+ "dns.question.registered_domain": "_tcp.local",
+ "dns.question.type": "PTR",
+ "dns.type": "query",
+ "event.dataset": "zeek.dns",
+ "event.id": "C19a1k4lTv46YMbeOk",
+ "event.module": "zeek",
+ "event.original": "{\"ts\":1567095830.680046,\"uid\":\"C19a1k4lTv46YMbeOk\",\"id.orig_h\":\"fe80::4ef:15cf:769f:ff21\",\"id.orig_p\":5353,\"id.resp_h\":\"ff02::fb\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":12,\"qtype_name\":\"PTR\",\"AA\":false,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"rejected\":false}",
+ "fileset.name": "dns",
+ "input.type": "log",
+ "log.offset": 566,
+ "network.community_id": "1:Jq0sRtlGSMjsvMBE1ZYybbR2tI0=",
+ "network.transport": "udp",
+ "service.type": "zeek",
+ "source.address": "fe80::4ef:15cf:769f:ff21",
+ "source.ip": "fe80::4ef:15cf:769f:ff21",
+ "source.port": 5353,
+ "tags": [
+ "zeek.dns"
+ ],
+ "zeek.dns.AA": false,
+ "zeek.dns.RA": false,
+ "zeek.dns.RD": false,
+ "zeek.dns.TC": false,
+ "zeek.dns.qclass": 1,
+ "zeek.dns.qclass_name": "C_INTERNET",
+ "zeek.dns.qtype": 12,
+ "zeek.dns.qtype_name": "PTR",
+ "zeek.dns.query": "_googlecast._tcp.local",
+ "zeek.dns.rejected": false,
+ "zeek.dns.trans_id": 0,
+ "zeek.session_id": "C19a1k4lTv46YMbeOk"
+ },
+ {
+ "@timestamp": "2019-08-29T16:23:50.734Z",
+ "destination.address": "224.0.0.251",
+ "destination.ip": "224.0.0.251",
+ "destination.port": 5353,
+ "dns.answers": [
+ {
+ "data": "bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local",
+ "ttl": 120
+ }
+ ],
+ "dns.header_flags": "AA",
+ "dns.id": 0,
+ "dns.question.name": "_googlecast._tcp.local",
+ "dns.question.registered_domain": "_tcp.local",
+ "dns.response_code": "NOERROR",
+ "dns.type": "answer",
+ "event.dataset": "zeek.dns",
+ "event.id": "CdiVAw7jJw6gsX5H",
+ "event.module": "zeek",
+ "event.original": "{\"ts\":1567095830.734329,\"uid\":\"CdiVAw7jJw6gsX5H\",\"id.orig_h\":\"192.168.86.237\",\"id.orig_p\":5353,\"id.resp_h\":\"224.0.0.251\",\"id.resp_p\":5353,\"proto\":\"udp\",\"trans_id\":0,\"query\":\"_googlecast._tcp.local\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":true,\"TC\":false,\"RD\":false,\"RA\":false,\"Z\":0,\"answers\":[\"bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local\"],\"TTLs\":[120.0],\"rejected\":false}",
+ "fileset.name": "dns",
+ "input.type": "log",
+ "log.offset": 909,
+ "network.community_id": "1:QIR5YXlirWwWA18ZyY/RnvQoaic=",
+ "network.transport": "udp",
+ "service.type": "zeek",
+ "source.address": "192.168.86.237",
+ "source.ip": "192.168.86.237",
+ "source.port": 5353,
+ "tags": [
+ "zeek.dns"
+ ],
+ "zeek.dns.AA": true,
+ "zeek.dns.RA": false,
+ "zeek.dns.RD": false,
+ "zeek.dns.TC": false,
+ "zeek.dns.TTLs": [
+ 120
+ ],
+ "zeek.dns.answers": [
+ "bravia-4k-gb-5c89f865c9d569ab338815b35e3acc56._googlecast._tcp.local"
+ ],
+ "zeek.dns.query": "_googlecast._tcp.local",
+ "zeek.dns.rcode": 0,
+ "zeek.dns.rcode_name": "NOERROR",
+ "zeek.dns.rejected": false,
+ "zeek.dns.trans_id": 0,
+ "zeek.session_id": "CdiVAw7jJw6gsX5H"
 }
 ]
\ No newline at end of file