From 5d161ab1bf5b15486c76463b06c4730e0346f4d4 Mon Sep 17 00:00:00 2001 From: Christiano Haesbaert Date: Tue, 15 Oct 2024 22:51:53 +0200 Subject: [PATCH] Define base encoding in x509.serial_number (#2383) Narrow the definition of x509.serial_number to be encoded in hexadecimal, otherwise we end up with integrations choosing their own encoding, as noted below, Zeek uses base 16 while the rest of beats is using base 10. --- CHANGELOG.next.md | 2 ++ docs/fields/field-details.asciidoc | 2 +- experimental/generated/beats/fields.ecs.yml | 14 +++++++------- experimental/generated/ecs/ecs_flat.yml | 21 +++++++-------------- experimental/generated/ecs/ecs_nested.yml | 16 ++++++++-------- generated/beats/fields.ecs.yml | 14 +++++++------- generated/ecs/ecs_flat.yml | 21 +++++++-------------- generated/ecs/ecs_nested.yml | 16 ++++++++-------- schemas/x509.yml | 4 ++-- 9 files changed, 49 insertions(+), 61 deletions(-) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 9613fb89e6..70a4a3e0a6 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -25,6 +25,8 @@ Thanks, you're awesome :-) --> #### Improvements +* Define base encoding of `x509.serial_number`. #2383 + #### Deprecated ### Tooling and Artifact Changes diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 23ae02e99a..489828f764 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -13803,7 +13803,7 @@ example: `2048` [[field-x509-serial-number]] <> -a| Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be formatted without colons and uppercase characters. +a| Unique serial number issued by the certificate authority. For consistency, this should be encoded in base 16 and formatted without colons and uppercase characters. type: keyword diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index ee0ecb5e3b..932f199061 100644 
--- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -3339,7 +3339,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -9984,7 +9984,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -10541,7 +10541,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -11606,7 +11606,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12174,7 +12174,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false 
@@ -12590,7 +12590,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12872,7 +12872,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index e529df5f93..d7b749d18d 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -5510,8 +5510,7 @@ file.x509.public_key_size: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number ignore_above: 1024 
@@ -16160,8 +16159,7 @@ threat.enrichments.indicator.file.x509.public_key_size: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number ignore_above: 1024 @@ -17087,8 +17085,7 @@ threat.enrichments.indicator.x509.public_key_size: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number ignore_above: 1024 @@ -18897,8 +18894,7 @@ threat.indicator.file.x509.public_key_size: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number ignore_above: 1024 
@@ -19840,8 +19836,7 @@ threat.indicator.x509.public_key_size: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number ignore_above: 1024 @@ -20531,8 +20526,7 @@ tls.client.x509.public_key_size: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number ignore_above: 1024 @@ -21008,8 +21002,7 @@ tls.server.x509.public_key_size: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number ignore_above: 1024 diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index f4a2844515..28fbb237c6 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -6558,7 +6558,7 @@ file: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number @@ -18863,7 +18863,7 @@ threat: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number @@ -19794,7 +19794,7 @@ threat: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number @@ -21606,7 +21606,7 @@ threat: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number 
@@ -22553,7 +22553,7 @@ threat: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number @@ -23308,7 +23308,7 @@ tls: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number @@ -23788,7 +23788,7 @@ tls: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number @@ -25706,7 +25706,7 @@ x509: x509.serial_number: dashed_name: x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: x509.serial_number diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 3883c5b045..fc1cab5897 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -3289,7 +3289,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -9934,7 +9934,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -10491,7 +10491,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -11556,7 +11556,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12124,7 +12124,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false 
@@ -12540,7 +12540,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false @@ -12822,7 +12822,7 @@ type: keyword ignore_above: 1024 description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA default_field: false diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index bad8611fa7..b58c35d5ff 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -5441,8 +5441,7 @@ file.x509.public_key_size: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number ignore_above: 1024 @@ -16091,8 +16090,7 @@ threat.enrichments.indicator.file.x509.public_key_size: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number ignore_above: 1024 
@@ -17018,8 +17016,7 @@ threat.enrichments.indicator.x509.public_key_size: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number ignore_above: 1024 @@ -18828,8 +18825,7 @@ threat.indicator.file.x509.public_key_size: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number ignore_above: 1024 @@ -19771,8 +19767,7 @@ threat.indicator.x509.public_key_size: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number ignore_above: 1024 
@@ -20462,8 +20457,7 @@ tls.client.x509.public_key_size: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number ignore_above: 1024 @@ -20939,8 +20933,7 @@ tls.server.x509.public_key_size: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase - characters. + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number ignore_above: 1024 diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index a401fa7b0a..8c8aa6b1a8 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -6478,7 +6478,7 @@ file: file.x509.serial_number: dashed_name: file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: file.x509.serial_number 
@@ -18783,7 +18783,7 @@ threat: threat.enrichments.indicator.file.x509.serial_number: dashed_name: threat-enrichments-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.file.x509.serial_number @@ -19714,7 +19714,7 @@ threat: threat.enrichments.indicator.x509.serial_number: dashed_name: threat-enrichments-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.enrichments.indicator.x509.serial_number @@ -21526,7 +21526,7 @@ threat: threat.indicator.file.x509.serial_number: dashed_name: threat-indicator-file-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.file.x509.serial_number @@ -22473,7 +22473,7 @@ threat: threat.indicator.x509.serial_number: dashed_name: threat-indicator-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: threat.indicator.x509.serial_number 
@@ -23228,7 +23228,7 @@ tls: tls.client.x509.serial_number: dashed_name: tls-client-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.client.x509.serial_number @@ -23708,7 +23708,7 @@ tls: tls.server.x509.serial_number: dashed_name: tls-server-x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: tls.server.x509.serial_number @@ -25626,7 +25626,7 @@ x509: x509.serial_number: dashed_name: x509-serial-number description: Unique serial number issued by the certificate authority. For consistency, - if this value is alphanumeric, it should be formatted without colons and uppercase + this should be encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA flat_name: x509.serial_number diff --git a/schemas/x509.yml b/schemas/x509.yml index be03f7c685..40f8aa71da 100644 --- a/schemas/x509.yml +++ b/schemas/x509.yml @@ -52,8 +52,8 @@ type: keyword short: Unique serial number issued by the certificate authority. description: > - Unique serial number issued by the certificate authority. For consistency, if this value is alphanumeric, it should be - formatted without colons and uppercase characters. + Unique serial number issued by the certificate authority. For consistency, this should be + encoded in base 16 and formatted without colons and uppercase characters. example: 55FBB9C7DEBF09809D12CCAA - name: issuer.distinguished_name
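Review bot: The new wording in the two `+` lines of the `schemas/x509.yml` hunk, "formatted without colons and uppercase characters", can still be read as "without uppercase characters", yet the example `55FBB9C7DEBF09809D12CCAA` on the following context line is uppercase; since this description is the source the generated files and docs in this patch are derived from, the added lines would be clearer as `this should be encoded in base 16 (hexadecimal), using uppercase digits and no colons or other separators.` The description also leaves leading-zero handling unstated — DER prepends a 0x00 octet to a serial whose top bit is set, and libraries differ on whether they print it — so two producers can still emit `00` + the example or the example alone for the same certificate, which silently breaks matching across the `tls.*.x509`, `file.x509` and `threat.indicator.x509` copies this patch updates; consider adding one sentence saying whether leading zero octets are stripped (whichever rule is chosen, state it). The enclosing `serial_number` field entry (its `name`/`level`/`type` keys) starts before this hunk.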