Add "dns" field set #438
Add "dns" field set #438
Conversation
This way tests about field type=object (when it's explicitly declared) will make more sense.
|
Here's my take on some of the points above. core vs extended I think we should at least mark the etld_plus_one I'd like to rename it. Here's some ideas. More are welcome:
opt @andrewkroh What does it stand for, "optional"? When are |
|
Array of objects For any given DNS query, the response may contain more than one answer. However arrays of objects are problematic. My preference would be to denormalize it like Suricata does, and have one event emitted per query, and one event per answer to that query. The query/answers can always be tied back via an event ID such as a flow ID Suricata example (has both a DNS-specific ID and a flow ID):
|
|
I would have all fields in extended as they are protocol specific. No nested objects in ECS, so +1 on your idea. |
|
Thanks for the review, @ruflin. Looking at Suricata's dramatically simpler support for DNS, I wonder if we shouldn't leave a lot of these fields out of ECS. Packetbeat can still populate all of them, and they'll be custom fields. Also, I can't easily give some of examples we're missing, because my instance of Packetbeat isn't filling all of these fields... Another sign that they may be too corner case for addition in the schema. We should find the common denominator of what the core of DNS events are. I like the "flags" idea as an array field with predefined values. If we go this route, should we actually call it |
I think There is a Public Suffix List (which is eTLD), which consist of domain names controlled by registrars and could not be registered by internet users. So next level (+1) is something which could be registered. And if we consider looking for events based on this field, it's about Probably
|
|
We could also use I would be +1 for |
|
We have +1 on reducing the number of fields. |
|
Excellent thanks for the feedback. I agree with you @ruflin that we could make them all extended for now. I still have many things I'd like people's opinion on, the exhaustive list is in the body of the issue. But in summary:
I'll ponder some more by taking a closer look at how Suricata and Zeek do it. I'll see if I can put together a more specific proposal that would work for all of them. I'd like to find an approach that can work (at least in part) with both approaches (1 event vs 1 event per answer) |
+1
+1
No comment on usefulness, but suggest changing
+1 |
|
@andrewkroh @MikePaquette @dainperkins @cwurm The fruit of our recent discussions. |
|
I haven't had time to create an issue per thing affected by DNS getting into ECS. But off the top of my head:
|
- removed pre-calculated counts/lengths - removed grouped.domain - renamed grouped.ip to resolved_ip
|
@elasticmachine, run elasticsearch-ci/docs |
There was a problem hiding this comment.
I'm good with this as it is. To recap (there've been many changes following our discussions), my understanding is that a "canonical ECS" DNS event would now look like this:
{
dns: {
type: "answer",
id: "40269",
op_code: "QUERY",
flags: ["RA", "RD"],
response_code: "NOERROR",
question: {
name: "client.dropbox.com",
type: "A",
class: "IN",
registered_domain: "dropbox.com",
},
answers: [
{
name: "client.dropbox.com",
type: "CNAME",
class: "IN",
ttl: 11,
data: "client.dropbox-dns.com"
},
{
name: "client.dropbox-dns.com",
type: "A",
class: "IN",
ttl: 59,
data: "162.125.11.3"
}
],
resolved_ip: [162.125.11.3]
}
}
That looks good to me.
|
Yes, that's precisely how it should look. And a second example, in case an event source only logs queries and not answers (e.g. as DNS server logs are often configured), the event should look like this: |
|
We need to circumvent the conflict with Packetbeat's definition for Welcome to the compromise land ;-) So DNS in ECS could use another name for this, to avoid the conflict. Some ideas:
I don't think we can simply nest it elsewhere, such as I'm open to other suggestions for field names. But for now, |
|
dns.header_flag
- Pro: It's legit DNS terminology
Legit terminology is, imo, the way to go
/D
…On Thu, Aug 15, 2019, 2:15 PM Mathieu Martin ***@***.***> wrote:
Some ideas to circumvent the conflict with Packetbeat's definition for
dns.flags (object containing booleans), which conflicts with ECS' array
of keywords. It's pains me to set the future in stone with a less good name
because of a temporary (in the grand scheme of things) conflict. But we
need DNS now, not in Stack v8.0.
*Welcome to the compromise land* ;-)
So DNS in ECS could use another name for this, to avoid the conflict. Some
ideas:
- dns.flag
- Con: I think it will be confusing to people, because it's just
one letter apart from Packetbeat's field name. So which one's the right one
will be difficult to remember.
- Con: Other flags fields in ECS should be named flags, not flag.
We strive for proper pluralization. So this will become an inconsistency vs
other uses of flags.
- Pro: It's really short
- Pro: It'll be the first choice in the autocomplete, vs dns.flags,
so laziness can become the mnemonic to remember this is the right field?
- dns.header_flag
- Pro: It's legit DNS terminology.
- Pro: As soon as people get used to it, it'll be different enough
that it'll be easy to remember, I think.
- Con: It's longer.
- dns.tags
- Pro: flags are semantically similar to tags, in their usage.
- Con: It's not at all in line with the DNS lingo, so it will be
confusing to people
I don't think we can simply nest it elsewhere, such as dns.question.flags,
as some of the flags are provided on DNS answers (e.g. AA, RA), not on the
query.
I'm open to other suggestions for field names.
But for now, dns.header_flag sounds to me like the best compromise.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#438?email_source=notifications&email_token=AJMZFSMA2MLGQZ23LVJ5YGDQEWMKHA5CNFSM4HG7N7JKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD4MSLCI#issuecomment-521741705>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AJMZFSMZE2GB7OPXGMQOG5TQEWMKHANCNFSM4HG7N7JA>
.
|
|
+1 on |
There was a problem hiding this comment.
Had a quick chat with @webmat to clarify some of my questions. I'm good with getting this in as is.
One concerned I raised that needs investigation is why in the template nowhere "nested" shows up because I thought that is need for nested object. But this is not a blocker for this PR and can be followed up with.
|
Thanks @ruflin! I'll follow up and confirm whether we need to change the datatype for |
This PR takes contribution #180 by @yugoslavskiy and adjusts it to the latest developments in the ECS repo.
This pull request was worked on for a long time, amidst many other priorities. For the sake of simplicity, I'm nuking the body of the PR to reflect the current thinking, as of the July 23rd push.
opt,authoritiesandadditionals. ECS doesn't include them for now. These Packetbeat fields are to be considered custom fields (they don't need to be removed).dns.question.etld_plus_onetodns.question.registered_domaindns.flags(an object containing boolean fields) is being replaced by an array of keywords, that should be populated by standard DNS flags, such as "AA", "DD", etc. It's more compact to visualize, and can be used to create tag clouds. The new field isdns.header_flags. The name is longer, unfortunately, but we didn't want to introduce a breaking change mid cycle.level: extendedfor now. They can be promoted tocorelater, if need be.dns.resolved_ip, to make the IP addresses easy to get to, and have them the be in theipdatatype.phaseattribute, it's no longer used.boolean.type=objectsparent fields + explicitly defined leaf fields under them (likedns.answers).Ping @andrewkroh, @MikePaquette, @ruflin
Closes #180