From 3562fae03ca0c4f2f817d572c79e8e40bc3151d4 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Mon, 13 Dec 2021 12:38:41 +1030 Subject: [PATCH 1/2] x-pack/filebeat/input/netflow: record IPv6 src and dst addresses --- CHANGELOG.next.asciidoc | 1 + x-pack/filebeat/input/netflow/convert.go | 8 + ...IPFIX-Mikrotik-RouterOS-6.39.2.golden.json | 252 +++++++++++++++--- ...are-virtual-distributed-switch.golden.json | 14 +- ...w-9-multiple-netflow-exporters.golden.json | 14 +- .../golden/Netflow-9-valid-01.golden.json | 14 +- 6 files changed, 261 insertions(+), 42 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 3f99e29360f..27cabbfcbdd 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -198,6 +198,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix opening files on Windows in filestream so open files can be deleted. {issue}29113[29113] {pull}29180[29180] - Fix handling of escaped newlines in the `decode_cef` processor. {issue}16995[16995] {pull}29268[29268] - Fix `panw` module ingest errors for GLOBALPROTECT logs {pull}29154[29154] +- Fix handling of IPv6 addresses in netflow flow events. {issue}19210[19210] {pull}29383[29383] *Heartbeat* diff --git a/x-pack/filebeat/input/netflow/convert.go b/x-pack/filebeat/input/netflow/convert.go index 465cd3efd02..16874d6d5fc 100644 --- a/x-pack/filebeat/input/netflow/convert.go +++ b/x-pack/filebeat/input/netflow/convert.go 
@@ -196,6 +196,10 @@ func flowToBeatEvent(flow record.Record, internalNetworks []string) (event beat. ecsSource["ip"] = ip relatedIP = append(relatedIP, ip) ecsSource["locality"] = getIPLocality(internalNetworks, ip).String() + } else if ip, found := getKeyIP(flow.Fields, "sourceIPv6Address"); found { + ecsSource["ip"] = ip + relatedIP = append(relatedIP, ip) + ecsSource["locality"] = getIPLocality(internalNetworks, ip).String() } if sourcePort, found := getKeyUint64(flow.Fields, "sourceTransportPort"); found { ecsSource["port"] = sourcePort @@ -209,6 +213,10 @@ func flowToBeatEvent(flow record.Record, internalNetworks []string) (event beat. ecsDest["ip"] = ip relatedIP = append(relatedIP, ip) ecsDest["locality"] = getIPLocality(internalNetworks, ip).String() + } else if ip, found := getKeyIP(flow.Fields, "destinationIPv6Address"); found { + ecsDest["ip"] = ip + relatedIP = append(relatedIP, ip) + ecsDest["locality"] = getIPLocality(internalNetworks, ip).String() } if destPort, found := getKeyUint64(flow.Fields, "destinationTransportPort"); found { ecsDest["port"] = destPort diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json index 36fea0d68e1..4afa86b85fc 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json @@ -2190,6 +2190,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:401", + "locality": "internal", "port": 5678 }, "event": { @@ -2204,7 +2206,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "b7SlZfUSuVA", "locality": "internal" }, "netflow": { @@ -2233,7 +2235,7 @@ }, "network": { "bytes": 555, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:jPPsu6xuLKidwts3HEFDcMotUV4=", "direction": "unknown", "iana_number": 17, "packets": 3, 
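Review bot: In flowToBeatEvent (convert.go) the new `sourceIPv6Address` lookup is an `else if`, so a record carrying both an IPv4 and an IPv6 source address keeps only the IPv4 one in `source.ip`, and the IPv6 address never reaches `related.ip`; the `destinationIPv6Address` branch in the following hunk has the same shape. Whether an exporter actually sends both in one record is not visible here, but `related.ip` is the field analysts pivot on, so a silently dropped address is worth avoiding or at least documenting. If the precedence is intended, a comment above each branch would make that explicit: `// IPv4 takes precedence; the IPv6 address is recorded only when no IPv4 address is present.` The same three assignments now appear four times (source and destination, IPv4 and IPv6) and could be folded into one small helper that takes the target map and the address. The function body starts and ends outside both hunks.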
@@ -2242,8 +2244,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:401", + "fe80::ff:fe00:401" + ] + }, "source": { "bytes": 555, + "ip": "fe80::ff:fe00:401", + "locality": "internal", "packets": 3, "port": 5678 } @@ -2256,6 +2266,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:401", + "locality": "internal", "port": 5678 }, "event": { @@ -2270,7 +2282,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "b7SlZfUSuVA", "locality": "internal" }, "netflow": { @@ -2299,7 +2311,7 @@ }, "network": { "bytes": 370, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:jPPsu6xuLKidwts3HEFDcMotUV4=", "direction": "unknown", "iana_number": 17, "packets": 2, @@ -2308,8 +2320,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:401", + "fe80::ff:fe00:401" + ] + }, "source": { "bytes": 370, + "ip": "fe80::ff:fe00:401", + "locality": "internal", "packets": 2, "port": 5678 } @@ -2322,6 +2342,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:501", + "locality": "internal", "port": 5678 }, "event": { @@ -2336,7 +2358,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "VSgWWLDT0B0", "locality": "internal" }, "netflow": { @@ -2365,7 +2387,7 @@ }, "network": { "bytes": 495, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:5591MHyJIXcwUkG4sl3Rs9ro+Ng=", "direction": "unknown", "iana_number": 17, "packets": 3, @@ -2374,8 +2396,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:501", + "fe80::ff:fe00:501" + ] + }, "source": { "bytes": 495, + "ip": "fe80::ff:fe00:501", + "locality": "internal", "packets": 3, "port": 5678 } @@ -2388,6 +2418,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:501", + "locality": "internal", "port": 5678 }, "event": { @@ -2402,7 +2434,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "VSgWWLDT0B0", "locality": "internal" }, "netflow": { 
@@ -2431,7 +2463,7 @@ }, "network": { "bytes": 330, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:5591MHyJIXcwUkG4sl3Rs9ro+Ng=", "direction": "unknown", "iana_number": 17, "packets": 2, @@ -2440,8 +2472,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:501", + "fe80::ff:fe00:501" + ] + }, "source": { "bytes": 330, + "ip": "fe80::ff:fe00:501", + "locality": "internal", "packets": 2, "port": 5678 } @@ -2454,6 +2494,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:601", + "locality": "internal", "port": 5678 }, "event": { @@ -2468,7 +2510,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "LZgYFJ0tL2g", "locality": "internal" }, "netflow": { @@ -2497,7 +2539,7 @@ }, "network": { "bytes": 555, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:0uFiK83G7mZT66yRsishu3GrI+Y=", "direction": "unknown", "iana_number": 17, "packets": 3, @@ -2506,8 +2548,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:601", + "fe80::ff:fe00:601" + ] + }, "source": { "bytes": 555, + "ip": "fe80::ff:fe00:601", + "locality": "internal", "packets": 3, "port": 5678 } @@ -2520,6 +2570,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:601", + "locality": "internal", "port": 5678 }, "event": { @@ -2534,7 +2586,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "LZgYFJ0tL2g", "locality": "internal" }, "netflow": { @@ -2563,7 +2615,7 @@ }, "network": { "bytes": 370, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:0uFiK83G7mZT66yRsishu3GrI+Y=", "direction": "unknown", "iana_number": 17, "packets": 2, @@ -2572,8 +2624,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:601", + "fe80::ff:fe00:601" + ] + }, "source": { "bytes": 370, + "ip": "fe80::ff:fe00:601", + "locality": "internal", "packets": 2, "port": 5678 } 
@@ -2586,6 +2646,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:701", + "locality": "internal", "port": 5678 }, "event": { @@ -2600,7 +2662,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "dmeH14jqz_U", "locality": "internal" }, "netflow": { @@ -2629,7 +2691,7 @@ }, "network": { "bytes": 555, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:GHzTYB/S+swKAM+TWkXhIHekjME=", "direction": "unknown", "iana_number": 17, "packets": 3, @@ -2638,8 +2700,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:701", + "fe80::ff:fe00:701" + ] + }, "source": { "bytes": 555, + "ip": "fe80::ff:fe00:701", + "locality": "internal", "packets": 3, "port": 5678 } @@ -2652,6 +2722,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:701", + "locality": "internal", "port": 5678 }, "event": { @@ -2666,7 +2738,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "dmeH14jqz_U", "locality": "internal" }, "netflow": { @@ -2695,7 +2767,7 @@ }, "network": { "bytes": 370, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:GHzTYB/S+swKAM+TWkXhIHekjME=", "direction": "unknown", "iana_number": 17, "packets": 2, @@ -2704,8 +2776,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:701", + "fe80::ff:fe00:701" + ] + }, "source": { "bytes": 370, + "ip": "fe80::ff:fe00:701", + "locality": "internal", "packets": 2, "port": 5678 } @@ -2718,6 +2798,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:801", + "locality": "internal", "port": 5678 }, "event": { @@ -2732,7 +2814,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "Il9O6oJGqRk", "locality": "internal" }, "netflow": { @@ -2761,7 +2843,7 @@ }, "network": { "bytes": 555, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:Y0L0KaggvOgNiQSbjBDXSANtIRo=", "direction": "unknown", "iana_number": 17, "packets": 3, 
@@ -2770,8 +2852,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:801", + "fe80::ff:fe00:801" + ] + }, "source": { "bytes": 555, + "ip": "fe80::ff:fe00:801", + "locality": "internal", "packets": 3, "port": 5678 } @@ -2784,6 +2874,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:801", + "locality": "internal", "port": 5678 }, "event": { @@ -2798,7 +2890,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "Il9O6oJGqRk", "locality": "internal" }, "netflow": { @@ -2827,7 +2919,7 @@ }, "network": { "bytes": 370, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:Y0L0KaggvOgNiQSbjBDXSANtIRo=", "direction": "unknown", "iana_number": 17, "packets": 2, @@ -2836,8 +2928,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:801", + "fe80::ff:fe00:801" + ] + }, "source": { "bytes": 370, + "ip": "fe80::ff:fe00:801", + "locality": "internal", "packets": 2, "port": 5678 } @@ -2850,6 +2950,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:901", + "locality": "internal", "port": 5678 }, "event": { @@ -2864,7 +2966,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "fA2V7HT45yo", "locality": "internal" }, "netflow": { @@ -2893,7 +2995,7 @@ }, "network": { "bytes": 555, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:ckujBEtohW0WnvxDVLoLAfkwHeE=", "direction": "unknown", "iana_number": 17, "packets": 3, @@ -2902,8 +3004,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:901", + "fe80::ff:fe00:901" + ] + }, "source": { "bytes": 555, + "ip": "fe80::ff:fe00:901", + "locality": "internal", "packets": 3, "port": 5678 } @@ -2916,6 +3026,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:901", + "locality": "internal", "port": 5678 }, "event": { @@ -2930,7 +3042,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "fA2V7HT45yo", "locality": "internal" }, "netflow": { 
@@ -2959,7 +3071,7 @@ }, "network": { "bytes": 370, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:ckujBEtohW0WnvxDVLoLAfkwHeE=", "direction": "unknown", "iana_number": 17, "packets": 2, @@ -2968,8 +3080,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:901", + "fe80::ff:fe00:901" + ] + }, "source": { "bytes": 370, + "ip": "fe80::ff:fe00:901", + "locality": "internal", "packets": 2, "port": 5678 } @@ -2982,6 +3102,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:1001", + "locality": "internal", "port": 5678 }, "event": { @@ -2996,7 +3118,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "r9myTc0ZAtE", "locality": "internal" }, "netflow": { @@ -3025,7 +3147,7 @@ }, "network": { "bytes": 555, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:3MYYQzFTLjghJ6R8FULtQ6M3TY4=", "direction": "unknown", "iana_number": 17, "packets": 3, @@ -3034,8 +3156,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:1001", + "fe80::ff:fe00:1001" + ] + }, "source": { "bytes": 555, + "ip": "fe80::ff:fe00:1001", + "locality": "internal", "packets": 3, "port": 5678 } @@ -3048,6 +3178,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:1001", + "locality": "internal", "port": 5678 }, "event": { @@ -3062,7 +3194,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "r9myTc0ZAtE", "locality": "internal" }, "netflow": { @@ -3091,7 +3223,7 @@ }, "network": { "bytes": 370, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:3MYYQzFTLjghJ6R8FULtQ6M3TY4=", "direction": "unknown", "iana_number": 17, "packets": 2, @@ -3100,8 +3232,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:1001", + "fe80::ff:fe00:1001" + ] + }, "source": { "bytes": 370, + "ip": "fe80::ff:fe00:1001", + "locality": "internal", "packets": 2, "port": 5678 } 
@@ -3114,6 +3254,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:1101", + "locality": "internal", "port": 5678 }, "event": { @@ -3128,7 +3270,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "we4v-M4gTEo", "locality": "internal" }, "netflow": { @@ -3157,7 +3299,7 @@ }, "network": { "bytes": 555, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:RCaNdj14AFbHfSM4MQquuPjYpgs=", "direction": "unknown", "iana_number": 17, "packets": 3, @@ -3166,8 +3308,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:1101", + "fe80::ff:fe00:1101" + ] + }, "source": { "bytes": 555, + "ip": "fe80::ff:fe00:1101", + "locality": "internal", "packets": 3, "port": 5678 } @@ -3180,6 +3330,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:1101", + "locality": "internal", "port": 5678 }, "event": { @@ -3194,7 +3346,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "we4v-M4gTEo", "locality": "internal" }, "netflow": { @@ -3223,7 +3375,7 @@ }, "network": { "bytes": 370, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:RCaNdj14AFbHfSM4MQquuPjYpgs=", "direction": "unknown", "iana_number": 17, "packets": 2, @@ -3232,8 +3384,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:1101", + "fe80::ff:fe00:1101" + ] + }, "source": { "bytes": 370, + "ip": "fe80::ff:fe00:1101", + "locality": "internal", "packets": 2, "port": 5678 } @@ -3246,6 +3406,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:1201", + "locality": "internal", "port": 5678 }, "event": { @@ -3260,7 +3422,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "N9KUKy-eIwc", "locality": "internal" }, "netflow": { @@ -3289,7 +3451,7 @@ }, "network": { "bytes": 555, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:AL2CtUGKb1BgJM4KclloxlRQdRc=", "direction": "unknown", "iana_number": 17, "packets": 3, 
@@ -3298,8 +3460,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:1201", + "fe80::ff:fe00:1201" + ] + }, "source": { "bytes": 555, + "ip": "fe80::ff:fe00:1201", + "locality": "internal", "packets": 3, "port": 5678 } @@ -3312,6 +3482,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "fe80::ff:fe00:1201", + "locality": "internal", "port": 5678 }, "event": { @@ -3326,7 +3498,7 @@ ] }, "flow": { - "id": "RlrAo_U1Y14", + "id": "N9KUKy-eIwc", "locality": "internal" }, "netflow": { @@ -3355,7 +3527,7 @@ }, "network": { "bytes": 370, - "community_id": "1:I4DlCbWgyxRiNPVj5ntu1L7Z0hw=", + "community_id": "1:AL2CtUGKb1BgJM4KclloxlRQdRc=", "direction": "unknown", "iana_number": 17, "packets": 2, @@ -3364,8 +3536,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::ff:fe00:1201", + "fe80::ff:fe00:1201" + ] + }, "source": { "bytes": 370, + "ip": "fe80::ff:fe00:1201", + "locality": "internal", "packets": 2, "port": 5678 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-VMware-virtual-distributed-switch.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-VMware-virtual-distributed-switch.golden.json index dc8f538dfee..3396c5ef794 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-VMware-virtual-distributed-switch.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-VMware-virtual-distributed-switch.golden.json @@ -338,6 +338,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "ff02::1:3", + "locality": "internal", "port": 5355 }, "event": { @@ -352,7 +354,7 @@ ] }, "flow": { - "id": "y_Vml2vPNtw", + "id": "iOQ1bg2JOLM", "locality": "internal" }, "netflow": { @@ -388,7 +390,7 @@ }, "network": { "bytes": 144, - "community_id": "1:Nl0K3f1AqKrkGYEhoNHcgFAr/EY=", + "community_id": "1:pr+rxLjqBu9/jT6yJoAEy7/fgdY=", "direction": "outbound", "iana_number": 17, "packets": 2, 
@@ -397,8 +399,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::5187:5cd8:d750:cdc9", + "ff02::1:3" + ] + }, "source": { "bytes": 144, + "ip": "fe80::5187:5cd8:d750:cdc9", + "locality": "internal", "packets": 2, "port": 61329 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-multiple-netflow-exporters.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-multiple-netflow-exporters.golden.json index 4238292f250..5d871d6b080 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-multiple-netflow-exporters.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-multiple-netflow-exporters.golden.json @@ -516,6 +516,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "ff02::1", + "locality": "internal", "port": 34304 }, "event": { @@ -533,7 +535,7 @@ ] }, "flow": { - "id": "tYpw8DU5u10", + "id": "hsSxbBU-M1o", "locality": "internal" }, "netflow": { @@ -562,7 +564,7 @@ }, "network": { "bytes": 672, - "community_id": "1:vK+Zeop1Y3GHxfFGVF2/COcNBWw=", + "community_id": "1:z1qoJyUMuKy3HX8rkIDvBK/vyL8=", "direction": "unknown", "iana_number": 58, "packets": 7, @@ -571,8 +573,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::20c:29ff:fe83:3b6e", + "ff02::1" + ] + }, "source": { "bytes": 672, + "ip": "fe80::20c:29ff:fe83:3b6e", + "locality": "internal", "packets": 7, "port": 0 } diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-valid-01.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-valid-01.golden.json index 20ea4e61d31..1d2963edaf2 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-valid-01.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-valid-01.golden.json @@ -480,6 +480,8 @@ "Meta": null, "Fields": { "destination": { + "ip": "ff02::1", + "locality": "internal", "port": 34304 }, "event": { 
@@ -497,7 +499,7 @@ ] }, "flow": { - "id": "tYpw8DU5u10", + "id": "hsSxbBU-M1o", "locality": "internal" }, "netflow": { @@ -526,7 +528,7 @@ }, "network": { "bytes": 672, - "community_id": "1:vK+Zeop1Y3GHxfFGVF2/COcNBWw=", + "community_id": "1:z1qoJyUMuKy3HX8rkIDvBK/vyL8=", "direction": "unknown", "iana_number": 58, "packets": 7, @@ -535,8 +537,16 @@ "observer": { "ip": "192.0.2.1" }, + "related": { + "ip": [ + "fe80::20c:29ff:fe83:3b6e", + "ff02::1" + ] + }, "source": { "bytes": 672, + "ip": "fe80::20c:29ff:fe83:3b6e", + "locality": "internal", "packets": 7, "port": 0 } From 5228ab719cb959c0f8fd9ffaa123a18bc30f626e Mon Sep 17 00:00:00 2001 
From: Dan Kortschak Date: Mon, 13 Dec 2021 13:25:15 +1030 Subject: [PATCH 2/2] x-pack/filebeat/input/netflow: make IP addresses unique in document --- x-pack/filebeat/input/netflow/convert.go | 24 ++++++- ...-extended-uniflow-template-256.golden.json | 4 +- .../IPFIX-Barracuda-firewall.golden.json | 16 ++--- ...IPFIX-Mikrotik-RouterOS-6.39.2.golden.json | 34 +++------- ...er-with-variable-length-fields.golden.json | 8 +-- .../golden/IPFIX-Nokia-BRAS.golden.json | 4 +- .../golden/IPFIX-OpenBSD-pflow.golden.json | 52 +++++++------- .../testdata/golden/IPFIX-Procera.golden.json | 22 +++--- .../IPFIX-YAF-basic-with-applabel.golden.json | 4 +- ...igured-with-include_flowset_id.golden.json | 8 +-- .../netflow/testdata/golden/IPFIX.golden.json | 24 +++---- ...w-9-Cisco-1941-K9-release-15.1.golden.json | 68 +++++++++---------- .../golden/Netflow-9-Cisco-ASA.golden.json | 28 ++++---- ...o-ASR-9000-series-template-260.golden.json | 44 ++++++------ .../Netflow-9-Cisco-ASR1001--X.golden.json | 48 ++++++------- ...flow-9-Fortigate-FortiOS-5.2.1.golden.json | 4 +- ...-9-Fortigate-FortiOS-54x-appid.golden.json | 36 +++++----- .../testdata/golden/Netflow-9-H3C.golden.json | 48 ++++++------- .../golden/Netflow-9-IE150-IE151.golden.json | 4 +- ...et-in-large-zero-filled-packet.golden.json | 4 +- ...Palo-Alto-PAN--OS-with-app--id.golden.json | 16 ++--- .../golden/Netflow-9-Streamcore.golden.json | 8 +-- ...ti-Edgerouter-with-MPLS-labels.golden.json | 12 ++-- ...etflow-9-field-layer2segmentid.golden.json | 4 +- ..._netflow-reduced-size-encoding.golden.json | 8 +-- .../golden/Netflow-9-macaddress.golden.json | 56 +++++++-------- ...w-9-multiple-netflow-exporters.golden.json | 16 ++--- .../Netflow-9-nprobe-DPI-L7.golden.json | 1 - ...-template-with-0-length-fields.golden.json | 20 +++--- .../golden/Netflow-9-valid-01.golden.json | 12 ++-- ...netflow9_e10s_4_7byte_pad.pcap.golden.json | 12 ++-- ...flow9_ubiquiti_edgerouter.pcap.golden.json | 4 +- 32 files changed, 327 insertions(+), 326 
deletions(-) diff --git a/x-pack/filebeat/input/netflow/convert.go b/x-pack/filebeat/input/netflow/convert.go index 16874d6d5fc..2f10b33c238 100644 --- a/x-pack/filebeat/input/netflow/convert.go +++ b/x-pack/filebeat/input/netflow/convert.go @@ -5,9 +5,11 @@ package netflow import ( + "bytes" "encoding/base64" "encoding/binary" "net" + "sort" "strconv" "strings" "time" @@ -329,11 +331,31 @@ func flowToBeatEvent(flow record.Record, internalNetworks []string) (event beat. event.Fields["network"] = ecsNetwork } if len(relatedIP) > 0 { - event.Fields["related"] = common.MapStr{"ip": relatedIP} + event.Fields["related"] = common.MapStr{"ip": uniqueIPs(relatedIP)} } return } +// unique returns ips lexically sorted and with repeated elements +// omitted. +func uniqueIPs(ips []net.IP) []net.IP { + if len(ips) < 2 { + return ips + } + sort.Slice(ips, func(i, j int) bool { return bytes.Compare(ips[i], ips[j]) < 0 }) + curr := 0 + for i, ip := range ips { + if ip.Equal(ips[curr]) { + continue + } + curr++ + if curr < i { + ips[curr], ips[i] = ips[i], nil + } + } + return ips[:curr+1] +} + func getKeyUint64(dict record.Map, key string) (value uint64, found bool) { iface, found := dict[key] if !found { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json index fbc2f5e3d2a..a983b980e1d 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-extended-uniflow-template-256.golden.json @@ -169,8 +169,8 @@ }, "related": { "ip": [ - "64.235.151.76", - "10.236.5.4" + "10.236.5.4", + "64.235.151.76" ] }, "source": { 
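Review bot: uniqueIPs in convert.go sorts with `bytes.Compare` on the raw slices but de-duplicates with `ip.Equal`, and the two disagree for IPv4. `net.IP.Equal` treats the 4-byte and 16-byte forms of one address as equal, while `bytes.Compare` orders them far apart, so if getKeyIP (not visible in this hunk) can return mixed forms, a duplicate would not be adjacent after the sort and would survive in `related.ip`. Comparing normalised values keeps the sort order and the equality test consistent: `sort.Slice(ips, func(i, j int) bool { return bytes.Compare(ips[i].To16(), ips[j].To16()) < 0 })`. The doc comment opens with `unique` rather than the function name, and it should also say that the caller's slice is reordered in place: `// uniqueIPs returns ips sorted bytewise with repeated elements omitted; ips is modified in place.` A small table test for uniqueIPs (empty, one element, all equal, mixed 4-byte and 16-byte forms) would pin this down independently of the golden files.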
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json index ec4f36b10fa..4fae641f637 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Barracuda-firewall.golden.json @@ -145,8 +145,8 @@ }, "related": { "ip": [ - "10.99.252.50", - "10.99.130.239" + "10.99.130.239", + "10.99.252.50" ] }, "source": { @@ -225,8 +225,8 @@ }, "related": { "ip": [ - "10.99.130.239", - "10.98.243.20" + "10.98.243.20", + "10.99.130.239" ] }, "source": { @@ -385,8 +385,8 @@ }, "related": { "ip": [ - "10.99.168.140", - "10.98.243.20" + "10.98.243.20", + "10.99.168.140" ] }, "source": { @@ -545,8 +545,8 @@ }, "related": { "ip": [ - "10.99.168.140", - "10.98.243.20" + "10.98.243.20", + "10.99.168.140" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json index 4afa86b85fc..99fb1859cfc 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Mikrotik-RouterOS-6.39.2.golden.json @@ -454,8 +454,8 @@ }, "related": { "ip": [ - "172.20.4.199", - "172.20.4.1" + "172.20.4.1", + "172.20.4.199" ] }, "source": { @@ -610,8 +610,8 @@ }, "related": { "ip": [ - "172.20.4.30", - "10.10.8.34" + "10.10.8.34", + "172.20.4.30" ] }, "source": { @@ -766,8 +766,8 @@ }, "related": { "ip": [ - "172.20.4.30", - "10.10.8.105" + "10.10.8.105", + "172.20.4.30" ] }, "source": { @@ -1078,8 +1078,8 @@ }, "related": { "ip": [ - "172.20.5.191", - "10.10.8.220" + "10.10.8.220", + "172.20.5.191" ] }, "source": { @@ -2246,7 +2246,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:401", "fe80::ff:fe00:401" ] }, 
@@ -2322,7 +2321,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:401", "fe80::ff:fe00:401" ] }, @@ -2398,7 +2396,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:501", "fe80::ff:fe00:501" ] }, @@ -2474,7 +2471,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:501", "fe80::ff:fe00:501" ] }, @@ -2550,7 +2546,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:601", "fe80::ff:fe00:601" ] }, @@ -2626,7 +2621,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:601", "fe80::ff:fe00:601" ] }, @@ -2702,7 +2696,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:701", "fe80::ff:fe00:701" ] }, @@ -2778,7 +2771,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:701", "fe80::ff:fe00:701" ] }, @@ -2854,7 +2846,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:801", "fe80::ff:fe00:801" ] }, @@ -2930,7 +2921,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:801", "fe80::ff:fe00:801" ] }, @@ -3006,7 +2996,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:901", "fe80::ff:fe00:901" ] }, @@ -3082,7 +3071,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:901", "fe80::ff:fe00:901" ] }, @@ -3158,7 +3146,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:1001", "fe80::ff:fe00:1001" ] }, @@ -3234,7 +3221,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:1001", "fe80::ff:fe00:1001" ] }, @@ -3310,7 +3296,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:1101", "fe80::ff:fe00:1101" ] }, @@ -3386,7 +3371,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:1101", "fe80::ff:fe00:1101" ] }, @@ -3462,7 +3446,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:1201", "fe80::ff:fe00:1201" ] }, @@ -3538,7 +3521,6 @@ }, "related": { "ip": [ - "fe80::ff:fe00:1201", "fe80::ff:fe00:1201" ] }, diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Netscaler-with-variable-length-fields.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Netscaler-with-variable-length-fields.golden.json index e27655fe1ed..9d0ddb6a2fd 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Netscaler-with-variable-length-fields.golden.json 
+++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Netscaler-with-variable-length-fields.golden.json @@ -87,8 +87,8 @@ }, "related": { "ip": [ - "192.168.0.1", - "10.0.0.1" + "10.0.0.1", + "192.168.0.1" ] }, "source": { @@ -277,8 +277,8 @@ }, "related": { "ip": [ - "192.168.0.1", - "10.0.0.1" + "10.0.0.1", + "192.168.0.1" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Nokia-BRAS.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Nokia-BRAS.golden.json index f21438c20ee..3f50095a6c0 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Nokia-BRAS.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Nokia-BRAS.golden.json @@ -57,8 +57,8 @@ }, "related": { "ip": [ - "10.0.1.228", - "10.0.0.34" + "10.0.0.34", + "10.0.1.228" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-OpenBSD-pflow.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-OpenBSD-pflow.golden.json index 4961f7d0a25..04c22e39df4 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-OpenBSD-pflow.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-OpenBSD-pflow.golden.json @@ -60,8 +60,8 @@ }, "related": { "ip": [ - "192.168.0.17", - "192.168.0.1" + "192.168.0.1", + "192.168.0.17" ] }, "source": { @@ -208,8 +208,8 @@ }, "related": { "ip": [ - "192.168.0.17", - "192.168.0.1" + "192.168.0.1", + "192.168.0.17" ] }, "source": { @@ -356,8 +356,8 @@ }, "related": { "ip": [ - "192.168.0.17", - "192.168.0.1" + "192.168.0.1", + "192.168.0.17" ] }, "source": { @@ -504,8 +504,8 @@ }, "related": { "ip": [ - "192.168.0.17", - "192.168.0.1" + "192.168.0.1", + "192.168.0.17" ] }, "source": { @@ -652,8 +652,8 @@ }, "related": { "ip": [ - "192.168.0.17", - "192.168.0.1" + "192.168.0.1", + "192.168.0.17" ] }, "source": { @@ -800,8 +800,8 @@ }, "related": { "ip": [ - "192.168.0.17", - "192.168.0.1" + "192.168.0.1", + "192.168.0.17" ] }, "source": { 
@@ -948,8 +948,8 @@ }, "related": { "ip": [ - "192.168.0.17", - "192.168.0.1" + "192.168.0.1", + "192.168.0.17" ] }, "source": { @@ -1096,8 +1096,8 @@ }, "related": { "ip": [ - "192.168.0.17", - "192.168.0.1" + "192.168.0.1", + "192.168.0.17" ] }, "source": { @@ -1244,8 +1244,8 @@ }, "related": { "ip": [ - "192.168.0.17", - "192.168.0.1" + "192.168.0.1", + "192.168.0.17" ] }, "source": { @@ -1392,8 +1392,8 @@ }, "related": { "ip": [ - "192.168.0.17", - "192.168.0.1" + "192.168.0.1", + "192.168.0.17" ] }, "source": { @@ -1540,8 +1540,8 @@ }, "related": { "ip": [ - "192.168.0.17", - "192.168.0.1" + "192.168.0.1", + "192.168.0.17" ] }, "source": { @@ -1688,8 +1688,8 @@ }, "related": { "ip": [ - "192.168.0.17", - "192.168.0.1" + "192.168.0.1", + "192.168.0.17" ] }, "source": { @@ -1836,8 +1836,8 @@ }, "related": { "ip": [ - "192.168.0.17", - "192.168.0.1" + "192.168.0.1", + "192.168.0.17" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Procera.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Procera.golden.json index 30acfdf29c5..4c2a0fa8253 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Procera.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-Procera.golden.json @@ -69,8 +69,8 @@ }, "related": { "ip": [ - "181.214.87.71", - "138.44.161.14" + "138.44.161.14", + "181.214.87.71" ] }, "source": { @@ -150,7 +150,6 @@ }, "related": { "ip": [ - "0.0.0.0", "0.0.0.0" ] }, @@ -312,8 +311,8 @@ }, "related": { "ip": [ - "206.117.25.89", - "138.44.161.14" + "138.44.161.14", + "206.117.25.89" ] }, "source": { @@ -393,7 +392,6 @@ }, "related": { "ip": [ - "0.0.0.0", "0.0.0.0" ] }, @@ -474,8 +472,8 @@ }, "related": { "ip": [ - "185.232.29.199", - "138.44.161.14" + "138.44.161.14", + "185.232.29.199" ] }, "source": { @@ -555,8 +553,8 @@ }, "related": { "ip": [ - "177.188.228.137", - "138.44.161.14" + "138.44.161.14", + "177.188.228.137" ] }, "source": { 
@@ -636,8 +634,8 @@ }, "related": { "ip": [ - "138.44.161.14", - "138.44.161.13" + "138.44.161.13", + "138.44.161.14" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-YAF-basic-with-applabel.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-YAF-basic-with-applabel.golden.json index 5b2b4b01ac3..6c77e7a0fa9 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-YAF-basic-with-applabel.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-YAF-basic-with-applabel.golden.json @@ -70,8 +70,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.100" + "172.16.32.100", + "172.16.32.201" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-configured-with-include_flowset_id.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-configured-with-include_flowset_id.golden.json index 0c2dbd22d5e..c3934c5e32b 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-configured-with-include_flowset_id.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX-configured-with-include_flowset_id.golden.json @@ -87,8 +87,8 @@ }, "related": { "ip": [ - "192.168.0.1", - "10.0.0.1" + "10.0.0.1", + "192.168.0.1" ] }, "source": { @@ -277,8 +277,8 @@ }, "related": { "ip": [ - "192.168.0.1", - "10.0.0.1" + "10.0.0.1", + "192.168.0.1" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX.golden.json index 72dd4072ef9..7ba0ecb0713 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/IPFIX.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/IPFIX.golden.json @@ -180,8 +180,8 @@ }, "related": { "ip": [ - "192.168.253.128", - "192.168.253.1" + "192.168.253.1", + "192.168.253.128" ] }, "source": { @@ -336,8 +336,8 @@ }, "related": { "ip": [ - "192.168.253.132", - "192.168.253.2" + "192.168.253.2", + "192.168.253.132" ] }, "source": { 
@@ -492,8 +492,8 @@ }, "related": { "ip": [ - "192.168.253.132", - "54.214.9.161" + "54.214.9.161", + "192.168.253.132" ] }, "source": { @@ -570,8 +570,8 @@ }, "related": { "ip": [ - "192.168.253.130", - "10.4.36.64" + "10.4.36.64", + "192.168.253.130" ] }, "source": { @@ -726,8 +726,8 @@ }, "related": { "ip": [ - "192.168.253.128", - "192.168.253.1" + "192.168.253.1", + "192.168.253.128" ] }, "source": { @@ -882,8 +882,8 @@ }, "related": { "ip": [ - "192.168.253.128", - "192.168.253.1" + "192.168.253.1", + "192.168.253.128" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-1941-K9-release-15.1.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-1941-K9-release-15.1.golden.json index 448709e5c41..834efbc7df6 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-1941-K9-release-15.1.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-1941-K9-release-15.1.golden.json @@ -63,8 +63,8 @@ }, "related": { "ip": [ - "192.168.0.111", - "62.217.193.1" + "62.217.193.1", + "192.168.0.111" ] }, "source": { @@ -141,8 +141,8 @@ }, "related": { "ip": [ - "192.168.0.111", - "62.217.193.65" + "62.217.193.65", + "192.168.0.111" ] }, "source": { @@ -219,8 +219,8 @@ }, "related": { "ip": [ - "192.168.0.111", - "62.217.193.1" + "62.217.193.1", + "192.168.0.111" ] }, "source": { @@ -297,8 +297,8 @@ }, "related": { "ip": [ - "192.168.0.111", - "62.217.193.65" + "62.217.193.65", + "192.168.0.111" ] }, "source": { @@ -531,8 +531,8 @@ }, "related": { "ip": [ - "216.58.212.195", - "192.168.0.88" + "192.168.0.88", + "216.58.212.195" ] }, "source": { @@ -687,8 +687,8 @@ }, "related": { "ip": [ - "216.58.201.106", - "192.168.1.201" + "192.168.1.201", + "216.58.201.106" ] }, "source": { @@ -843,8 +843,8 @@ }, "related": { "ip": [ - "192.168.3.34", - "52.216.130.237" + "52.216.130.237", + "192.168.3.34" ] }, "source": { 
@@ -921,8 +921,8 @@ }, "related": { "ip": [ - "209.197.3.19", - "192.168.3.34" + "192.168.3.34", + "209.197.3.19" ] }, "source": { @@ -1077,8 +1077,8 @@ }, "related": { "ip": [ - "192.168.0.157", - "172.217.23.232" + "172.217.23.232", + "192.168.0.157" ] }, "source": { @@ -1311,8 +1311,8 @@ }, "related": { "ip": [ - "192.168.3.178", - "107.21.232.174" + "107.21.232.174", + "192.168.3.178" ] }, "source": { @@ -1389,8 +1389,8 @@ }, "related": { "ip": [ - "192.168.2.118", - "95.0.145.242" + "95.0.145.242", + "192.168.2.118" ] }, "source": { @@ -1545,8 +1545,8 @@ }, "related": { "ip": [ - "192.168.0.79", - "23.5.100.66" + "23.5.100.66", + "192.168.0.79" ] }, "source": { @@ -1623,8 +1623,8 @@ }, "related": { "ip": [ - "192.168.0.79", - "23.5.100.66" + "23.5.100.66", + "192.168.0.79" ] }, "source": { @@ -1857,8 +1857,8 @@ }, "related": { "ip": [ - "192.168.0.61", - "170.251.180.15" + "170.251.180.15", + "192.168.0.61" ] }, "source": { @@ -1935,8 +1935,8 @@ }, "related": { "ip": [ - "192.168.3.34", - "74.119.119.84" + "74.119.119.84", + "192.168.3.34" ] }, "source": { @@ -2091,8 +2091,8 @@ }, "related": { "ip": [ - "192.168.3.200", - "185.60.218.15" + "185.60.218.15", + "192.168.3.200" ] }, "source": { @@ -2247,8 +2247,8 @@ }, "related": { "ip": [ - "192.168.0.95", - "169.45.214.246" + "169.45.214.246", + "192.168.0.95" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA.golden.json index 135aa56d0d4..d8ebc7e8eaa 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASA.golden.json @@ -69,8 +69,8 @@ }, "related": { "ip": [ - "192.168.14.1", - "2.2.2.11" + "2.2.2.11", + "192.168.14.1" ] }, "source": { @@ -151,8 +151,8 @@ }, "related": { "ip": [ - "192.168.23.22", - "164.164.37.11" + "164.164.37.11", + "192.168.23.22" ] }, "source": { 
@@ -315,8 +315,8 @@ }, "related": { "ip": [ - "192.168.23.20", - "164.164.37.11" + "164.164.37.11", + "192.168.23.20" ] }, "source": { @@ -479,8 +479,8 @@ }, "related": { "ip": [ - "192.168.14.11", - "2.2.2.11" + "2.2.2.11", + "192.168.14.11" ] }, "source": { @@ -725,8 +725,8 @@ }, "related": { "ip": [ - "192.168.14.1", - "2.2.2.11" + "2.2.2.11", + "192.168.14.1" ] }, "source": { @@ -889,8 +889,8 @@ }, "related": { "ip": [ - "192.168.23.22", - "164.164.37.11" + "164.164.37.11", + "192.168.23.22" ] }, "source": { @@ -1053,8 +1053,8 @@ }, "related": { "ip": [ - "192.168.23.20", - "164.164.37.11" + "164.164.37.11", + "192.168.23.20" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR-9000-series-template-260.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR-9000-series-template-260.golden.json index 9922cc10d66..70cfcfdd14e 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR-9000-series-template-260.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR-9000-series-template-260.golden.json @@ -421,8 +421,8 @@ }, "related": { "ip": [ - "10.0.34.71", - "10.0.20.242" + "10.0.20.242", + "10.0.34.71" ] }, "source": { @@ -595,8 +595,8 @@ }, "related": { "ip": [ - "10.0.37.29", - "10.0.6.24" + "10.0.6.24", + "10.0.37.29" ] }, "source": { @@ -682,8 +682,8 @@ }, "related": { "ip": [ - "10.0.32.176", - "10.0.11.113" + "10.0.11.113", + "10.0.32.176" ] }, "source": { @@ -856,8 +856,8 @@ }, "related": { "ip": [ - "10.0.4.212", - "10.0.3.110" + "10.0.3.110", + "10.0.4.212" ] }, "source": { @@ -943,8 +943,8 @@ }, "related": { "ip": [ - "10.0.33.122", - "10.0.1.136" + "10.0.1.136", + "10.0.33.122" ] }, "source": { @@ -1204,8 +1204,8 @@ }, "related": { "ip": [ - "10.0.25.59", - "10.0.2.18" + "10.0.2.18", + "10.0.25.59" ] }, "source": { 
@@ -1465,8 +1465,8 @@ }, "related": { "ip": [ - "10.0.28.150", - "10.0.24.13" + "10.0.24.13", + "10.0.28.150" ] }, "source": { @@ -1552,8 +1552,8 @@ }, "related": { "ip": [ - "10.0.26.188", - "10.0.21.200" + "10.0.21.200", + "10.0.26.188" ] }, "source": { @@ -1639,8 +1639,8 @@ }, "related": { "ip": [ - "10.0.29.34", - "10.0.15.38" + "10.0.15.38", + "10.0.29.34" ] }, "source": { @@ -1726,8 +1726,8 @@ }, "related": { "ip": [ - "10.0.8.200", - "10.0.5.224" + "10.0.5.224", + "10.0.8.200" ] }, "source": { @@ -1813,8 +1813,8 @@ }, "related": { "ip": [ - "10.0.29.46", - "10.0.15.38" + "10.0.15.38", + "10.0.29.46" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR1001--X.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR1001--X.golden.json index 9049d551304..b548a68d523 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR1001--X.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Cisco-ASR1001--X.golden.json @@ -63,8 +63,8 @@ }, "related": { "ip": [ - "10.111.111.242", - "10.12.100.13" + "10.12.100.13", + "10.111.111.242" ] }, "source": { @@ -294,8 +294,8 @@ }, "related": { "ip": [ - "10.12.104.239", - "10.10.11.21" + "10.10.11.21", + "10.12.104.239" ] }, "source": { @@ -448,8 +448,8 @@ }, "related": { "ip": [ - "10.100.101.45", - "10.15.131.98" + "10.15.131.98", + "10.100.101.45" ] }, "source": { @@ -525,8 +525,8 @@ }, "related": { "ip": [ - "10.100.101.43", - "10.12.105.23" + "10.12.105.23", + "10.100.101.43" ] }, "source": { @@ -602,8 +602,8 @@ }, "related": { "ip": [ - "31.13.71.7", - "10.11.31.108" + "10.11.31.108", + "31.13.71.7" ] }, "source": { @@ -833,8 +833,8 @@ }, "related": { "ip": [ - "10.100.105.86", - "10.11.21.60" + "10.11.21.60", + "10.100.105.86" ] }, "source": { @@ -987,8 +987,8 @@ }, "related": { "ip": [ - "10.12.106.83", - "10.10.11.21" + "10.10.11.21", + "10.12.106.83" ] }, "source": { 
@@ -1064,8 +1064,8 @@ }, "related": { "ip": [ - "172.217.11.5", - "10.12.92.102" + "10.12.92.102", + "172.217.11.5" ] }, "source": { @@ -1295,8 +1295,8 @@ }, "related": { "ip": [ - "10.14.121.98", - "10.12.100.13" + "10.12.100.13", + "10.14.121.98" ] }, "source": { @@ -1526,8 +1526,8 @@ }, "related": { "ip": [ - "10.12.102.125", - "10.10.11.21" + "10.10.11.21", + "10.12.102.125" ] }, "source": { @@ -1603,8 +1603,8 @@ }, "related": { "ip": [ - "10.100.105.86", - "10.11.21.60" + "10.11.21.60", + "10.100.105.86" ] }, "source": { @@ -1757,8 +1757,8 @@ }, "related": { "ip": [ - "10.100.105.85", - "10.10.4.151" + "10.10.4.151", + "10.100.105.85" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-5.2.1.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-5.2.1.golden.json index 8dc5747704a..962a60d4efd 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-5.2.1.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-5.2.1.golden.json @@ -102,8 +102,8 @@ }, "related": { "ip": [ - "192.168.99.7", - "31.13.87.36" + "31.13.87.36", + "192.168.99.7" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-54x-appid.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-54x-appid.golden.json index dd90fa13b6d..a6d193432de 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-54x-appid.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Fortigate-FortiOS-54x-appid.golden.json @@ -71,8 +71,8 @@ }, "related": { "ip": [ - "192.168.100.151", - "182.50.136.239" + "182.50.136.239", + "192.168.100.151" ] }, "source": { @@ -156,8 +156,8 @@ }, "related": { "ip": [ - "208.100.17.187", - "192.168.100.151" + "192.168.100.151", + "208.100.17.187" ] }, "source": { 
@@ -326,8 +326,8 @@ }, "related": { "ip": [ - "208.100.17.189", - "192.168.100.151" + "192.168.100.151", + "208.100.17.189" ] }, "source": { @@ -581,8 +581,8 @@ }, "related": { "ip": [ - "192.168.100.151", - "178.255.83.1" + "178.255.83.1", + "192.168.100.151" ] }, "source": { @@ -751,8 +751,8 @@ }, "related": { "ip": [ - "192.168.100.151", - "178.255.83.1" + "178.255.83.1", + "192.168.100.151" ] }, "source": { @@ -913,8 +913,8 @@ }, "related": { "ip": [ - "192.168.100.150", - "192.168.100.111" + "192.168.100.111", + "192.168.100.150" ] }, "source": { @@ -1075,8 +1075,8 @@ }, "related": { "ip": [ - "192.168.100.150", - "192.168.100.111" + "192.168.100.111", + "192.168.100.150" ] }, "source": { @@ -1237,8 +1237,8 @@ }, "related": { "ip": [ - "192.168.100.150", - "192.168.100.111" + "192.168.100.111", + "192.168.100.150" ] }, "source": { @@ -1399,8 +1399,8 @@ }, "related": { "ip": [ - "192.168.100.150", - "192.168.100.111" + "192.168.100.111", + "192.168.100.150" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C.golden.json index a69dbeea386..b75a1c2ba3b 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-H3C.golden.json @@ -76,8 +76,8 @@ }, "related": { "ip": [ - "10.22.166.30", - "10.22.163.21" + "10.22.163.21", + "10.22.166.30" ] }, "source": { @@ -166,8 +166,8 @@ }, "related": { "ip": [ - "10.22.166.12", - "10.21.3.172" + "10.21.3.172", + "10.22.166.12" ] }, "source": { @@ -346,8 +346,8 @@ }, "related": { "ip": [ - "10.22.166.35", - "10.20.100.253" + "10.20.100.253", + "10.22.166.35" ] }, "source": { @@ -436,8 +436,8 @@ }, "related": { "ip": [ - "10.22.166.36", - "10.20.136.36" + "10.20.136.36", + "10.22.166.36" ] }, "source": { @@ -526,8 +526,8 @@ }, "related": { "ip": [ - "10.22.166.36", - "10.20.147.28" + "10.20.147.28", + "10.22.166.36" ] }, "source": { 
@@ -616,8 +616,8 @@ }, "related": { "ip": [ - "10.22.166.28", - "10.20.141.16" + "10.20.141.16", + "10.22.166.28" ] }, "source": { @@ -706,8 +706,8 @@ }, "related": { "ip": [ - "10.22.166.35", - "10.20.162.17" + "10.20.162.17", + "10.22.166.35" ] }, "source": { @@ -796,8 +796,8 @@ }, "related": { "ip": [ - "10.22.166.15", - "10.20.171.36" + "10.20.171.36", + "10.22.166.15" ] }, "source": { @@ -1156,8 +1156,8 @@ }, "related": { "ip": [ - "10.22.166.25", - "10.20.166.26" + "10.20.166.26", + "10.22.166.25" ] }, "source": { @@ -1246,8 +1246,8 @@ }, "related": { "ip": [ - "10.22.166.12", - "10.21.3.117" + "10.21.3.117", + "10.22.166.12" ] }, "source": { @@ -1336,8 +1336,8 @@ }, "related": { "ip": [ - "10.22.166.17", - "10.22.145.26" + "10.22.145.26", + "10.22.166.17" ] }, "source": { @@ -1426,8 +1426,8 @@ }, "related": { "ip": [ - "10.22.166.36", - "10.21.75.38" + "10.21.75.38", + "10.22.166.36" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-IE150-IE151.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-IE150-IE151.golden.json index 3aed82dc6f9..3db18648d08 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-IE150-IE151.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-IE150-IE151.golden.json @@ -63,8 +63,8 @@ }, "related": { "ip": [ - "192.168.0.3", - "192.168.0.2" + "192.168.0.2", + "192.168.0.3" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-1-flowset-in-large-zero-filled-packet.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-1-flowset-in-large-zero-filled-packet.golden.json index d0207ba3192..60f97f06495 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-1-flowset-in-large-zero-filled-packet.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-1-flowset-in-large-zero-filled-packet.golden.json 
@@ -69,8 +69,8 @@ }, "related": { "ip": [ - "134.220.2.6", - "134.220.1.156" + "134.220.1.156", + "134.220.2.6" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-PAN--OS-with-app--id.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-PAN--OS-with-app--id.golden.json index 79e31dd7f6b..98d496c0a7a 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-PAN--OS-with-app--id.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Palo-Alto-PAN--OS-with-app--id.golden.json @@ -69,8 +69,8 @@ }, "related": { "ip": [ - "23.35.171.27", - "10.32.91.205" + "10.32.91.205", + "23.35.171.27" ] }, "source": { @@ -318,8 +318,8 @@ }, "related": { "ip": [ - "23.209.52.99", - "10.130.145.44" + "10.130.145.44", + "23.209.52.99" ] }, "source": { @@ -401,8 +401,8 @@ }, "related": { "ip": [ - "10.50.97.57", - "10.50.96.20" + "10.50.96.20", + "10.50.97.57" ] }, "source": { @@ -567,8 +567,8 @@ }, "related": { "ip": [ - "34.234.173.147", - "10.48.208.209" + "10.48.208.209", + "34.234.173.147" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Streamcore.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Streamcore.golden.json index 1319ba663cc..ebfde635048 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Streamcore.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Streamcore.golden.json @@ -64,8 +64,8 @@ }, "related": { "ip": [ - "100.78.40.201", - "10.231.128.150" + "10.231.128.150", + "100.78.40.201" ] }, "source": { @@ -220,8 +220,8 @@ }, "related": { "ip": [ - "100.78.40.201", - "10.27.8.20" + "10.27.8.20", + "100.78.40.201" ] }, "source": { 
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Ubiquiti-Edgerouter-with-MPLS-labels.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Ubiquiti-Edgerouter-with-MPLS-labels.golden.json index e6cb0fb4112..fec0ac80498 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Ubiquiti-Edgerouter-with-MPLS-labels.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-Ubiquiti-Edgerouter-with-MPLS-labels.golden.json @@ -420,8 +420,8 @@ }, "related": { "ip": [ - "10.5.0.91", - "10.4.0.251" + "10.4.0.251", + "10.5.0.91" ] }, "source": { @@ -767,8 +767,8 @@ }, "related": { "ip": [ - "192.168.1.98", - "10.0.0.73" + "10.0.0.73", + "192.168.1.98" ] }, "source": { @@ -1362,8 +1362,8 @@ }, "related": { "ip": [ - "192.168.1.102", - "10.2.0.95" + "10.2.0.95", + "192.168.1.102" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-field-layer2segmentid.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-field-layer2segmentid.golden.json index 879714e24c0..73d4e4e7fdf 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-field-layer2segmentid.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-field-layer2segmentid.golden.json @@ -68,8 +68,8 @@ }, "related": { "ip": [ - "192.168.200.136", - "80.82.237.40" + "80.82.237.40", + "192.168.200.136" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-ipt_netflow-reduced-size-encoding.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-ipt_netflow-reduced-size-encoding.golden.json index 2b7dded5bd6..4e6b375574b 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-ipt_netflow-reduced-size-encoding.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-ipt_netflow-reduced-size-encoding.golden.json 
@@ -333,8 +333,8 @@ }, "related": { "ip": [ - "193.151.192.46", - "10.236.8.4" + "10.236.8.4", + "193.151.192.46" ] }, "source": { @@ -942,8 +942,8 @@ }, "related": { "ip": [ - "23.43.139.27", - "10.232.8.45" + "10.232.8.45", + "23.43.139.27" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-macaddress.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-macaddress.golden.json index 7db570f5db1..e1385446903 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-macaddress.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-macaddress.golden.json @@ -157,8 +157,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.100" + "172.16.32.100", + "172.16.32.201" ] }, "source": { @@ -358,8 +358,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.1" + "172.16.32.1", + "172.16.32.201" ] }, "source": { @@ -492,8 +492,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.1" + "172.16.32.1", + "172.16.32.201" ] }, "source": { @@ -626,8 +626,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.1" + "172.16.32.1", + "172.16.32.201" ] }, "source": { @@ -760,8 +760,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.1" + "172.16.32.1", + "172.16.32.201" ] }, "source": { @@ -894,8 +894,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.1" + "172.16.32.1", + "172.16.32.201" ] }, "source": { @@ -1028,8 +1028,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.1" + "172.16.32.1", + "172.16.32.201" ] }, "source": { @@ -1162,8 +1162,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.1" + "172.16.32.1", + "172.16.32.201" ] }, "source": { @@ -1296,8 +1296,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.1" + "172.16.32.1", + "172.16.32.201" ] }, "source": { @@ -1430,8 +1430,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.1" + "172.16.32.1", + "172.16.32.201" ] }, "source": { 
@@ -1564,8 +1564,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.1" + "172.16.32.1", + "172.16.32.201" ] }, "source": { @@ -1698,8 +1698,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.1" + "172.16.32.1", + "172.16.32.201" ] }, "source": { @@ -1832,8 +1832,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.1" + "172.16.32.1", + "172.16.32.201" ] }, "source": { @@ -1966,8 +1966,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.1" + "172.16.32.1", + "172.16.32.201" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-multiple-netflow-exporters.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-multiple-netflow-exporters.golden.json index 5d871d6b080..f75a3893975 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-multiple-netflow-exporters.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-multiple-netflow-exporters.golden.json @@ -180,8 +180,8 @@ }, "related": { "ip": [ - "172.16.32.248", - "172.16.32.100" + "172.16.32.100", + "172.16.32.248" ] }, "source": { @@ -338,8 +338,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.100" + "172.16.32.100", + "172.16.32.201" ] }, "source": { @@ -496,8 +496,8 @@ }, "related": { "ip": [ - "172.16.32.202", - "172.16.32.100" + "172.16.32.100", + "172.16.32.202" ] }, "source": { @@ -658,8 +658,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.1" + "172.16.32.1", + "172.16.32.201" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-nprobe-DPI-L7.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-nprobe-DPI-L7.golden.json index 3e6a1d03719..ddb22d837b5 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-nprobe-DPI-L7.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-nprobe-DPI-L7.golden.json @@ -59,7 +59,6 @@ }, "related": { "ip": [ - "0.0.0.0", "0.0.0.0" ] }, 
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-template-with-0-length-fields.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-template-with-0-length-fields.golden.json index 65a849e632a..64a7ea5e948 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-template-with-0-length-fields.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-template-with-0-length-fields.golden.json @@ -69,8 +69,8 @@ }, "related": { "ip": [ - "239.255.255.250", - "192.168.1.80" + "192.168.1.80", + "239.255.255.250" ] }, "source": { @@ -235,8 +235,8 @@ }, "related": { "ip": [ - "239.255.255.250", - "192.168.1.95" + "192.168.1.95", + "239.255.255.250" ] }, "source": { @@ -401,8 +401,8 @@ }, "related": { "ip": [ - "239.255.255.250", - "192.168.1.95" + "192.168.1.95", + "239.255.255.250" ] }, "source": { @@ -567,8 +567,8 @@ }, "related": { "ip": [ - "239.255.255.250", - "192.168.1.33" + "192.168.1.33", + "239.255.255.250" ] }, "source": { @@ -733,8 +733,8 @@ }, "related": { "ip": [ - "239.255.255.250", - "192.168.1.33" + "192.168.1.33", + "239.255.255.250" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-valid-01.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-valid-01.golden.json index 1d2963edaf2..b65cc125f57 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-valid-01.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/Netflow-9-valid-01.golden.json @@ -144,8 +144,8 @@ }, "related": { "ip": [ - "172.16.32.248", - "172.16.32.100" + "172.16.32.100", + "172.16.32.248" ] }, "source": { @@ -302,8 +302,8 @@ }, "related": { "ip": [ - "172.16.32.201", - "172.16.32.100" + "172.16.32.100", + "172.16.32.201" ] }, "source": { @@ -460,8 +460,8 @@ }, "related": { "ip": [ - "172.16.32.202", - "172.16.32.100" + "172.16.32.100", + "172.16.32.202" ] }, "source": { 
diff --git a/x-pack/filebeat/input/netflow/testdata/golden/netflow9_e10s_4_7byte_pad.pcap.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/netflow9_e10s_4_7byte_pad.pcap.golden.json index 82a9efb87aa..869aefe8629 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/netflow9_e10s_4_7byte_pad.pcap.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/netflow9_e10s_4_7byte_pad.pcap.golden.json @@ -61,8 +61,8 @@ }, "related": { "ip": [ - "10.127.32.11", - "10.36.236.100" + "10.36.236.100", + "10.127.32.11" ] }, "source": { @@ -286,8 +286,8 @@ }, "related": { "ip": [ - "52.206.251.4", - "10.36.236.100" + "10.36.236.100", + "52.206.251.4" ] }, "source": { @@ -436,8 +436,8 @@ }, "related": { "ip": [ - "10.36.237.22", - "10.36.228.103" + "10.36.228.103", + "10.36.237.22" ] }, "source": { diff --git a/x-pack/filebeat/input/netflow/testdata/golden/netflow9_ubiquiti_edgerouter.pcap.golden.json b/x-pack/filebeat/input/netflow/testdata/golden/netflow9_ubiquiti_edgerouter.pcap.golden.json index ea23d1283ad..48a368eed06 100644 --- a/x-pack/filebeat/input/netflow/testdata/golden/netflow9_ubiquiti_edgerouter.pcap.golden.json +++ b/x-pack/filebeat/input/netflow/testdata/golden/netflow9_ubiquiti_edgerouter.pcap.golden.json @@ -836,8 +836,8 @@ }, "related": { "ip": [ - "192.168.1.4", - "10.100.0.1" + "10.100.0.1", + "192.168.1.4" ] }, "source": {