added source/destination port 0 check to community id processor to pr…

[peterydzynski]

Proposed commit message

There are rare cases where a Zeek log has a "network.transport" of "tcp" but the source and destination port values are 0 which breaks the community_id processor as it requires a non zero value in both port fields. This appears to happen when the "zeek.connection.history" is just "R" but otherwise I cannot explain why this happens. Since this pipeline calls the custom Zeek Connection pipeline, failure at this stage means that the custom pipelines are never called.

To fix this I added a check on the community_id processor in the Zeek connection pipeline to ensure source and destination port are not 0.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Screenshots

[elasticmachine]

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

[pkoutsovasilis]

@peterydzynski please do the following:

• please add a log entry in this file that captures what you describe in the issue and then following these guidelines run the pipeline test
• update the changelog and the manifest accordingly

[peterydzynski]

@pkoutsovasilis Let me know if those updates are what you're looking for!

[pkoutsovasilis]

/test

[elasticmachine]

🚀 Benchmarks report

Package zeek 👍(37) 💚(2) 💔(4)

Expand to view

Data stream	Previous EPS	New EPS	Diff (%)	Result
mysql	30303.03	10638.3	-19664.73 (-64.89%)	💔
pe	26315.79	14925.37	-11390.42 (-43.28%)	💔
smb_mapping	30303.03	23255.81	-7047.22 (-23.26%)	💔
dce_rpc	24390.24	13513.51	-10876.73 (-44.59%)	💔

To see the full report comment with /test benchmark fullreport

[peterydzynski]

🚀 Benchmarks report

Package zeek 👍(37) 💚(2) 💔(4)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
mysql30303.03 10638.3 -19664.73 (-64.89%) 💔
pe26315.79 14925.37 -11390.42 (-43.28%) 💔
smb_mapping30303.03 23255.81 -7047.22 (-23.26%) 💔
dce_rpc24390.24 13513.51 -10876.73 (-44.59%) 💔
To see the full report comment with /test benchmark fullreport

@pkoutsovasilis Is the EPS diff something to be concerned about?

[pkoutsovasilis]

@pkoutsovasilis Is the EPS diff something to be concerned about?

I think that it is just a hiccup but let me invoke the testing one more time just to be sure

[pkoutsovasilis]

/test

[peterydzynski]

@pkoutsovasilis i dont see the new test results, did they get published yet?

[pkoutsovasilis]

/test

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: a8ea0ef

History

• 💚 Build #13142 succeeded a8ea0ef

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
28.6% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[pkoutsovasilis]

LGTM

[peterydzynski]

@pkoutsovasilis sorry to keep pinging but really need this bugfix to get deployed. can we get this merged in please?

[taylor-swanson]

@peterydzynski, @pkoutsovasilis is out this week, but I went ahead and merged the fix.

[elasticmachine]

Package zeek - 2.24.2 containing this change is available at https://epr.elastic.co/search?package=zeek

[peterydzynski]

Thank you so much!