Elasticsearch can't use periods in field names, I think that's part of why
they aren't used generally. I think this is a worthwhile discussion
though, specifically regarding the timestamp and protocol discussion you
On Wed, Sep 21, 2016, 15:52 Yohann Lepage <yoh...@lepage.info> wrote:
> Hi everyone,
> I wanted to solicit some discussion around Metron standard field names.
> I would love to have "convenient" field names. By convenient, I mean:
> short, not ambiguous, well-known, documented.
> Here is my feeling regarding the actual standard field names:
> - ip_src_addr: too long, could be "ip.src"
> - ip_dst_addr: too long, could be "ip.dst"
> - ip_src_port: I prefer tcp.srcport
> - ip_dst_port: I prefer tcp.dstport
> - protocol: ambiguous, I prefer ip.proto
> - timestamp: ambiguous, which timestamp? When the event happened? Or
> when the log has been received? Or when the log has been generated?
> Also, it would be useful to publish a "reference list" of fields
> (It's helpful when you write correlation rules or new parsers).
> Example: https://www.wireshark.org/docs/dfref/
> Wireshark, as a well-known tool used by SOC investigators, could be a
> good starting point to find convenient field names. Quick
> example (markdown format):
> |Field Name|Description |Type|Example|
> |---|---|---|---|
> |frame.len| Frame length on the wire| Unsigned integer, 4 bytes|123|
> |ip.src|Source Address|IPv4 address|192.0.2.1|
> |ip.dst|Destination Address|IPv4 address|192.0.2.1|
> |ip.addr|Source or Destination Address|IPv4 address|192.0.2.1|
> |ip.proto|Protocol|Unsigned integer, 1 byte|6|
> |ip.srcport|UDP or TCP source Port|Unsigned integer, 2 bytes|12345|
> |ip.dstport|UDP or TCP destination Port|Unsigned integer, 2 bytes|53|
> |tcp.srcport|TCP source Port|Unsigned integer, 2 bytes|12345|
> |tcp.dstport|TCP destination Port|Unsigned integer, 2 bytes|80|
> |tcp.len|TCP Segment Length|Unsigned integer, 4 bytes|123|
> |udp.srcport|UDP source Port|Unsigned integer, 2 bytes|12345|
> |udp.dstport|UDP destination Port|Unsigned integer, 2 bytes|67|
> |http.host|Host|Character string|example.net|
> |http.referer|Referer|Character string|http://example.net/foo|
> |http.request.method|Request Method|Character string|POST|
> |http.full_uri or uri |Full request URI|Character
> What do you think?
> My 2 cents,
> Yohann L.
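The two practical points in this thread are that a field reference list lets parsers and correlation rules be checked against declared types, and that the dotted Wireshark-style names collide with the Elasticsearch restriction on periods in field names (a limitation of Elasticsearch 2.x, the current release when this thread was written). The example below is added here to illustrate both; it is not Metron code and not from any participant in the thread. It parses a small reference table modelled on the one quoted above (constructed sample rows), validates a parsed event against the declared types, and maps the dotted names to period-free ones for indexing. The function and type names are hypothetical.

```python
import ipaddress
import re

# Constructed field reference in the markdown layout quoted in the thread:
# |Field Name|Description|Type|Example|
FIELD_REFERENCE_MD = """\
|Field Name|Description|Type|Example|
|---|---|---|---|
|frame.len|Frame length on the wire|Unsigned integer, 4 bytes|123|
|ip.src|Source Address|IPv4 address|192.0.2.1|
|ip.dst|Destination Address|IPv4 address|192.0.2.1|
|ip.proto|Protocol|Unsigned integer, 1 byte|6|
|tcp.srcport|TCP source Port|Unsigned integer, 2 bytes|12345|
|tcp.dstport|TCP destination Port|Unsigned integer, 2 bytes|80|
|udp.dstport|UDP destination Port|Unsigned integer, 2 bytes|67|
|http.host|Host|Character string|example.net|
"""

# Wireshark-style integer type strings, e.g. "Unsigned integer, 2 bytes".
UINT_RE = re.compile(r"Unsigned integer, (\d+) bytes?")


def parse_reference(md):
    """Parse the markdown table into {field: (description, type, example)}.
    Header and separator rows are skipped."""
    ref = {}
    for line in md.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Field Name" or set(cells[0]) <= set("-: "):
            continue
        name, desc, ftype, example = cells
        ref[name] = (desc, ftype, example)
    return ref


def check_value(ftype, value):
    """Return True if value conforms to the declared type string."""
    m = UINT_RE.fullmatch(ftype)
    if m:
        bits = 8 * int(m.group(1))
        return (isinstance(value, int) and not isinstance(value, bool)
                and 0 <= value < (1 << bits))
    if ftype == "IPv4 address":
        try:
            return isinstance(value, str) and ipaddress.IPv4Address(value) is not None
        except ipaddress.AddressValueError:
            return False
    if ftype == "Character string":
        return isinstance(value, str)
    return False  # unknown type: reject rather than silently accept


def self_check(ref):
    """Confirm each row's own example parses as its declared type.
    Catches typos in the reference list before events are checked against it."""
    bad = []
    for name, (_, ftype, example) in ref.items():
        value = int(example) if UINT_RE.fullmatch(ftype) else example
        if not check_value(ftype, value):
            bad.append(name)
    return bad


def to_es_name(name):
    """Map a dotted name to the underscore form Elasticsearch 2.x accepts:
    'ip.src' -> 'ip_src'."""
    return name.replace(".", "_")


def validate_event(event, ref):
    """Check a parsed event against the reference list.
    Returns (problems, es_event): problems is a list of human-readable issues,
    es_event is the same event with period-free field names."""
    problems = []
    for name, value in event.items():
        if name not in ref:
            problems.append(f"{name}: not in reference list")
            continue
        ftype = ref[name][1]
        if not check_value(ftype, value):
            problems.append(f"{name}: {value!r} is not a valid {ftype}")
    es_event = {to_es_name(k): v for k, v in event.items()}
    return problems, es_event


if __name__ == "__main__":
    reference = parse_reference(FIELD_REFERENCE_MD)
    print("reference rows failing self-check:", self_check(reference))
    print(validate_event({"ip.src": "192.0.2.1", "tcp.dstport": 80}, reference))
    print(validate_event({"tcp.dstport": 70000, "ip.dst": "999.1.1.1"}, reference))
```

An out-of-range port or an unparseable address is reported by name rather than indexed as-is, which is the kind of check a parser test suite or a pre-indexing stage can run against every event; the name mapping keeps the reference list in the convenient dotted form while the index stays within the storage engine's constraints.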