elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

add_cloud_metadata should not store random payload returned by lookup #12169

Open jakommo opened 5 years ago

jakommo commented 5 years ago

When using the add_cloud_metadata processor, it does run lookups against API endpoints, trying to identify if it's running in a cloud environment and if so, in which one.

If a firewall is responding to those requests, i.e. with an HTML, to let the user know the request was blocked, the HTML is stored as payload in the cloud metadata fields.

If it's not getting the expected response, it should not store anything.

Example where the request was blocked, but an HTML was returned and stored in meta.cloud.instance_id:

```json
"meta": {
  "cloud": {
    "instance_id": "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01//EN\">\n<html><head><meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"><style 
...
Firewall Notification</h1><h2>Your access has been blocked by firewall policy XXX.<br>If you have any further concerns, please contact your network administrator for more information.</h2></form></div></div></body></html>\r\n",
    "provider": "ecs"
  }
},
```

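
A sketch of the check this report asks for, added here as an example and not taken from the Beats code base: the lookup keeps a value only when the response has status 200, stays under a size cap, and matches an expected ID shape. The names `fetchInstanceID`, `lookup`, `instanceIDRe` and `maxBody`, the ID pattern, and the sample responses are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Assumption: an instance ID is a short token with no markup or whitespace.
var instanceIDRe = regexp.MustCompile(`^[A-Za-z0-9._:-]{1,128}$`)
const maxBody = 1024 // metadata values are small; block pages are not

// fetchInstanceID returns a value only when the response looks like metadata.
func fetchInstanceID(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	raw, err := io.ReadAll(io.LimitReader(resp.Body, maxBody+1))
	if err != nil {
		return "", err
	}
	id := strings.TrimSpace(string(raw))
	if len(raw) > maxBody || !instanceIDRe.MatchString(id) {
		return "", fmt.Errorf("body (%d bytes read) is not a plausible instance ID", len(raw))
	}
	return id, nil
}

// lookup serves a constructed response locally and runs the check against it.
func lookup(status int, body string) (string, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(status)
		io.WriteString(w, body)
	}))
	defer srv.Close()
	return fetchInstanceID(srv.Client(), srv.URL)
}

func main() {
	fmt.Println(lookup(200, "i-constructed0001\n"))
	fmt.Println(lookup(200, "<html><h1>Firewall Notification</h1></html>\r\n"))
}
```
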
botelastic[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

jakommo commented 4 years ago

I still think this is valid, but haven't tested if it still happens on a recent version.

botelastic[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

jakommo commented 3 years ago

Still an issue. Just two weeks ago I saw this causing trouble to a user again.

botelastic[bot] commented 2 years ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!

VimCommando commented 2 years ago

👍

botelastic[bot] commented 1 year ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!

jonny-mcc commented 7 months ago

+1

aspacca commented 6 months ago

the issue does not seem to be addressed, re-opening it for triage