elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[suricata] Extra commas not handled properly in TLS subject and issuer fields #11538

Closed taylor-swanson closed 37 minutes ago

taylor-swanson commented 1 hour ago

The Suricata integration doesn't handle extra commas in fields of a distinguished name (subject or issuer).

For the subject field, the kv split happens successfully, but leaves a trailing comma:

```json
"subject": {
    "common_name": [
        "*.google.com"
    ],
    "country": [
        "US,"
    ],
    "locality": [
        "Mountain View,"
    ],
    "organization": [
        "Google Inc,"
    ],
    "state_or_province": [
        "California,"
    ]
}
```

For the issuer field, the kv split fails with an error:

```
message:field [suricata.eve.tls.issuerdn] does not contain value_split [=]
```

The `field_split` for the subject kv processor is a good start, and just needs to begin with a `,` to properly trim the comma from extracted values. The issuer kv processor's `field_split` needs to be updated to use the same pattern as the subject kv processor.
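The two failure modes described in the issue (a trailing comma left on each value, and a chunk with no `=` that makes the kv processor error out) come from how the `field_split` regex cuts the DN string. The following is an added example, not code from the integration or the issue author: it emulates the ingest kv processor's split-then-partition behaviour in Python and runs three candidate `field_split` patterns over constructed DN strings. The patterns and DNs are assumptions for illustration; the integration's real patterns are not shown on the page.

```python
import re

# Constructed sample DNs (not taken from the issue). The second one carries an
# extra comma inside the O value, which is the case the issue is about.
GOOGLE_DN = "C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com"
EXTRA_COMMA_DN = "C=US, O=Foo Bar, Inc., CN=example.test"

# Hypothetical field_split patterns, assumed for illustration only.
SPLIT_ON_COMMA = r", "                         # plain separator: also cuts inside a value
SPLIT_BEFORE_KEY = r"\s(?=[A-Za-z]+=)"         # split on the space before the next KEY=,
                                               # so the comma stays glued to the value
SPLIT_COMMA_BEFORE_KEY = r",\s(?=[A-Za-z]+=)"  # consume ", " only when a KEY= follows


class KvSplitError(ValueError):
    """Emulates the ingest kv processor rejecting a chunk without value_split."""


def kv_split(text, field_split, value_split="="):
    """Emulate the Elasticsearch ingest kv processor: cut `text` into chunks with
    the field_split regex, then cut each chunk into key and value at the first
    value_split. A chunk with no value_split is an error, as in the processor."""
    fields = {}
    for chunk in re.split(field_split, text):
        if not chunk:
            continue
        parts = re.split(value_split, chunk, maxsplit=1)
        if len(parts) != 2:
            raise KvSplitError(
                f"field [{chunk}] does not contain value_split [{value_split}]"
            )
        key, value = parts
        fields[key] = value
    return fields


def trailing_comma_keys(fields):
    """Keys whose value still ends with the separator comma the split left behind."""
    return sorted(k for k, v in fields.items() if v.endswith(","))


if __name__ == "__main__":
    for name, pattern in (
        ("plain ', '", SPLIT_ON_COMMA),
        ("space before KEY=", SPLIT_BEFORE_KEY),
        ("', ' before KEY=", SPLIT_COMMA_BEFORE_KEY),
    ):
        for dn in (GOOGLE_DN, EXTRA_COMMA_DN):
            try:
                fields = kv_split(dn, pattern)
                print(f"{name:20} -> {fields} trailing commas on {trailing_comma_keys(fields)}")
            except KvSplitError as err:
                print(f"{name:20} -> ERROR: {err}")
```

Splitting on a bare `, ` reproduces the issuer error as soon as a value contains its own comma; splitting on the space before the next key survives the extra comma but leaves `US,`, `California,` and so on, which matches the subject output above; only the pattern that consumes the comma and the space, and only when a `KEY=` follows, yields clean values for both DNs.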

elasticmachine commented 1 hour ago

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)