From 755e2aa363eed10b3c3292b8dca39301088719f2 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Fri, 22 Feb 2019 10:01:45 +0100 Subject: [PATCH] [Packetbeat] [MongoDB] Report unknown opcodes once (#10878) This changes the mongoDB decoder reporting unknown opcodes to report each unknown opcode only once, to avoid flooding the log file with errors. --- CHANGELOG.next.asciidoc | 1 + packetbeat/protos/mongodb/mongodb_parser.go | 13 ++++++++++++- .../system/pcaps/mongodb_op_msg_opcode.pcap | Bin 0 -> 91849 bytes .../tests/system/test_0025_mongodb_basic.py | 12 ++++++++++++ 4 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 packetbeat/tests/system/pcaps/mongodb_op_msg_opcode.pcap diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 20049780882..59b2424a752 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -173,6 +173,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix DHCPv4 dashboard that wouldn't load in Kibana. {issue}9850[9850] - Fixed a crash when using af_packet capture {pull}10477[10477] - Prevent duplicate packet loss error messages in HTTP events. {pull}10709[10709] +- Avoid reporting unknown MongoDB opcodes more than once. {pull}10878[10878] *Winlogbeat* diff --git a/packetbeat/protos/mongodb/mongodb_parser.go b/packetbeat/protos/mongodb/mongodb_parser.go index 58d6aa145da..59fcbb7c206 100644 --- a/packetbeat/protos/mongodb/mongodb_parser.go +++ b/packetbeat/protos/mongodb/mongodb_parser.go @@ -21,6 +21,7 @@ import ( "encoding/json" "errors" "strings" + "sync" "github.com/elastic/beats/libbeat/common" "github.com/elastic/beats/libbeat/logp" @@ -28,6 +29,11 @@ import ( "gopkg.in/mgo.v2/bson" ) +var ( + unknownOpcodes = map[opCode]struct{}{} + mutex sync.Mutex +) + func mongodbMessageParser(s *stream) (bool, bool) { d := newDecoder(s.data) 
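Review bot: The two package-level variables added in the `var` block of mongodb_parser.go carry no comment, and the name `mutex` does not say what it protects. A reader has to find the single use in `mongodbMessageParser` to learn that it guards `unknownOpcodes`. I would rename it to something like `unknownOpcodesMu` (the later hunk that locks it changes with it) and add `// unknownOpcodes holds the opcodes already logged as unknown; guarded by unknownOpcodesMu.` above the block. Because this state is process-wide, it is shared by every stream and never reset, which is worth stating in the same comment so that a Go unit test expecting the log line is not surprised when an earlier case has already recorded the opcode.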
@@ -56,7 +62,12 @@ func mongodbMessageParser(s *stream) (bool, bool) {
 opCode := opCode(code)
 if !validOpcode(opCode) {
- logp.Err("Unknown operation code: %v", opCode)
+ mutex.Lock()
+ defer mutex.Unlock()
+ if _, reported := unknownOpcodes[opCode]; !reported {
+ logp.Err("Unknown operation code: %v", opCode)
+ unknownOpcodes[opCode] = struct{}{}
+ }
 return false, false
 }
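Review bot: The set filled in the `!validOpcode` branch only ever grows, so the log volume and the memory held by `unknownOpcodes` are bounded by the number of distinct values seen rather than by anything the decoder controls. `opCode` is converted from `code`, which appears to be read from the captured message header (the read is outside this hunk, as is the rest of `mongodbMessageParser`), so traffic on a monitored port that varies that field still yields one error line and one map entry per value. Capping the set would bound both, for example `if _, reported := unknownOpcodes[opCode]; !reported && len(unknownOpcodes) < maxUnknownOpcodes {`, where `maxUnknownOpcodes` is a new small package constant (the name is only a suggestion). Separately, `defer mutex.Unlock()` is correct only because the function returns right after the branch; an explicit `mutex.Unlock()` after the inner `if` would keep the lock scope obvious if code is later added below.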
diff --git a/packetbeat/tests/system/pcaps/mongodb_op_msg_opcode.pcap b/packetbeat/tests/system/pcaps/mongodb_op_msg_opcode.pcap new file mode 100644 index 0000000000000000000000000000000000000000..46b68e45b57afb5d54d205634f62915216ca8884 GIT binary patch literal 91849 zcmeI5d2|$2zQ;QO1d+jjN;1ko1{98k>>>gRh%Aao5D-+t5|SpgBpv89vM34+gACiC z0udP8mDRQjP=Uy1Ktu@p(lRLoWQ~d}B8pV=zTbr0s^Gktd(M0Bk5_f?oSccBkie(E zpZeWzRWEz}3$##8hWi*M-QiD}{SwDq*T!Q*+!c>ShW5#0X87Qyu?g{quGYtmF%>FS?w0GX+-=pUa`^MTuKjSM{IyTc;{Rg<-k}*i zyunAjDS_ZXZ%WXEpX%W!*`B!6EdL;1dM|Gv+n43{l))F`1`mABgP-Mz9TdpQ^xTZk z8aHX)pb`GpxMhnLEgE^^_=QK)@CAH#&>P4s`u4ax`Fq-@1XGIsv&@~T8N;*j)tPr0G0fOMUk|fx`3qr!G_+5nlptUg{kuy3mN8jFN~!3H9#7KnKq9gDQd1JMy}`s{ z+{251LZUA_(dU0ICBv7Nm=#D&%kpL?`m=(#4W!b%iNlNTpER$hFMd*NYF3)JYYJE< z;J+R%{$t&Xe>Cpghl}n>b~$^OW;iZk^lV`?6m88qk;DVB!LQ;%0TBD z*x-koJW06I`BA)aih1n%jnjqPy5%F$4@T#NCQe3Z{&uyE*f=f0E_7u){%iy4hb2N2 ziyPy7*_qgWcmu_|L!Td?`cpC<&hUBtK@aw_o;d8_diw(2lFcahuyL6wBd@>BbKR!z zKkO3tH{tpp?lkdRindriyn*MufgZt>px1LZe{9y!qMhKs+e;PiOP2y~dvN7PG2Ym= z*W<;$G?!>2(FLyn?{ZHwJKo$SmGB2~QxRf;_Y&}y9h{Yoom?k;Ew<6W+O)?u{{5|u zJ+V!Ge=GLAvDm8??KQ2YP(j>(o(kDsut>uO4&UkX56UV6(Y|E+IymJyZ(>Sf@xJ!= zn_mxp(zRRhTRbtmi`!*q`I81d>rD;z@QwE3-%xz>Bv1iU4NYeb zO@?OnI9UT%_cy~wN5R1LHUoVO4Gru^{jfx6+-TtF@v;UU9c5^_X)v&p%|OER(ZJ>a zNuUCzGSImO4trVFz}z%5d~6U5Txm1#S%!uN_NRVWA~bF^u)`!-1CI?dw9kAn@L`*Q zg!wEDydNM5RKQdQI@iD|Pn4A`jtgGN2~C=f(2TQ+Gsxf5Me9GBcLd$#p6pBX;U14A=x z4b64^c%0|ZEWQe8Q`U_`Grpzl+13+13~h}cg0``SCSk7Y$D!F0f)c0@R1Hn%4$Z%| zku`9Q-wdB>3j-J04D8R)(7>Y8W%kgx(ZFGCWeq&l*3i~w!@yQH0|~P~4QvIF1gZ>l z_%(m-tM2F^Yv9^!GhA372EJ`GZ~#L?0|y~6Tp~1XG;lp&%023)u)d+K8wmrO+YBVk z0W|OdfFw`>Q_Vo<&cOC%DoGZ{g$r{+lixvTMq0&j-E=k^7DryD<`SV%#gPZN3&1N^ z94EgMi7r|Pyo;^kNWAN&vp7Bov_vfMs^VC>I4+;$isHBlncB8Y_H66Ak!JY&+c7lf zSVMC|cOK_CG)o>YDKh1@p-GrcR>+=h{r+}CTR#SZHnoN(VQ%Qoq1hU85~zTwhNd%z zCPTAywXA{b$C%+W+f#DLNaif7#b7c)YgGb+Q7!Ly*+6*Mjo-_~- zgDL_lU@8NhYv73WvIcG#Z-#&T2?kEK8TceaLjyC5{Bya1$s1%1{P8D4`}}1XSkGo4 
zVLnL%+X5zmDgzyU>V`9LN>KKSKP|-VdzexM4h;9LM7L5YQ5_z^jU5>EgI_vTKTCnL)B=TR(r<44*rKp*h|f zntAPcoafLC&{r&xDK~Cg%caYnZ9R9y(DLxO--No>&?L;f_8gk+0FpojOto!w?zXjO zhOB{kQ_b*&?J#h(&A<)}4Gk5=|IcnPsB+L#p@L||TpaP~c zuq0o6{<8Iid;uF9l=`yqIff zoA{{1nl=Lovm*^`50C^ZU@8NhYhd$xWUn|b-k%eiz8aw!Y!%16Aa>3$yPIW+O)&7vhT<+hlfq^f)D|^Lp$qzZ98DAhY1FYh>X)v1&iz6RP$t6Og ziX#tjwceAx;yB}rNc6+9z&qb6j>NlZFpJ}(Kug2|uPTnEi{o3?ZCMOKD_cX8FgG{g(CiG5W9=|i zadd8Rd}6+=fm;@v;j76ou#3&WMhp!N9EZSgx!S-QZ^#;WHQCU<`UnPAv>8a4jc6cV z)2|4qfT;|0u7Q`|ku~tEk4!!0Q5e|XW?*B6h6au=^3UZ4Zh2SIK!7x~tt(*Q4K@P_ zvoQ_q0+h4H1bO-Rxv5F({Zcb)#d>m+rSm0H~v2<~qJ;N2naWgVivtn7vS5@7*!qm&$hoSkP zH8i)}$>ThS=F9XIOJvGz#gQ=Izp1R;3j+Y8p>10QL1V3d;u#{pC7r8xl7(DK&;X4GaNVctap zlK_%H1x#h2a}69`P1eBtwWeM^4xy=UGq4UrLj(Ut{jfx6+-P8>cv%C>#~Ir8Jixqc zGmtRr(7w+8U-oS4_B>OsVB$Dm z#~PYjtMfR|p*fwtVu?(-acF+BUG{8i1=G-Wd<*9wDqyOi>D-}N zXP>NrJH9maiiHSG4V!^A7#bS*cj|{FLgPjQ%kP&puwtR1?aT+v^ELwsvjz?90gwbL zU@8NhYv8_vvIg$VH}y&f5SnT>18XugG;jv>!xEu!qk*A+${JYdfT8We#iRH$HUkN> zCJpQfkOV4VDg&Ks;Bl|)6~~X7?~~ z$JvFEXc!NvNSI+2N8;W35R2oJKug2|uPTnEi{pfut|*RQB2(XYkUiVFYqzOa-iYIT zWou~WSK)Dhb2PeMgwO)E^A<%ZfJW70P}>+K*Fp_1A7A` zfeM()K<65GM|W8R_Y|0V)i=f_RJ&?3@D_%K2If#dED;(v8u&3_%3brX`i7zH<*V%- zu^C91x6r_+0FpojOl6>R4P3BK_KIWp(VWohKcm^Sv5I4UQ#KnGM?MLUON2%hM{Y50 z-YD3{ArtnuNKd0*B@^07;+%rW%^g z9h!?O%Nn@vgsE4<8=qA>YcudhhK2^tr+!!>G;TC-_|38gRvT$(`@e&MU)u~M%o}N7 zAAlrK0aF?1Tmw(sB5UCO?@T?x3j8x5RttE_OVl0;kjVg{Tjwz#M zuQ<+&jYOA?0N$6a;z+zZYO^@@1zI8&cvW#MT^xtK?uz2L1)0hkC408@z*$qjy*q~H zVQXmayv*Y~hvvKV6-#8wZ9|hVcaN4m+j@ItG6+WLP$AxfRyj%9ctEQg#M-0s^*3jI2hR1mh&Bge$Tq09$9GZ<9$ewLY z{G*{2;AM~FH(5iIFn6Ef&>RSm1S(*vq3PVA`S!iC1{Rbx^;$Q;zzsG7&oVSLa0&Ip z5}|RUfq`bS2G+X4(2N^l;0Bw4gn5<*rUE2^3Yf}3=Ng#YQr1A@MpLhS0S2zN8F-GN zp@B=OAC?G>8x3sGO4h*I7YywXIzapyn}LLRjs~UyB!LQ;%0TBD_~09|R~(m5&k4PG zJDN=$t2pk#W$InGu{iR@A-F_nRB>c+3<0lPaeVXkNOT3?BIhNmI1=xkiY$&^pe15~ zR~5(7#WD3Ct|*RQAydm2%ARdKRN2(;I*g&Y%o>_|kMcOrp{dhXERiX<4NbzVxmfmW z>s^Np?VDRLG*?+elQ8!l<VBLH}JDdOmKeic2n8#>fIzSSrfT;|0u7RyTku~sef~nt)w;!+e 
zuFb&X3=IujPW`Y%XxwOE?5DB@-o4t;j{FG*>NW!j^EeG043GpWU@8NhYhb&wAK4oxpm94)#QZUu7hS%!zzw@e_^v>apbGFaEZ{U;>az=YT%VCj&IkA zL_huvct=~sk$Ct1!s6%yS|S#BRdFm`9G`l_HN~+yUT{h7isO+#nR>ki7@G5}p}GG6 zkMkUwE9oni$dnt0=FD{2v#s?O7~0WV7@AA1p-Gtg4{&Hc3y=gVV5*_%+@bl$Oj!eu z)-v__GhyIsHUlFJ4GmmH{jfx6+-P7qzpR1vXByhKbz$H_n}LKGp@BmHl0XGaWuS8n z{4gME;J0;6z2P_*IK^h**9;8}TuuG3L}=V-V0N~wfeptQ+A%!tH~u}FfrR-r4a@*Y z0u?ZofzCB>+DEci96$anC-g4gFQS@N9QU7Ovte=MD=Kk`(5T|b;#dg0a>eo8CXwhT zdw};jt2h$x{*x?@nLta#0a7 zp}CH}Vu?(-ZDYh%Bm9dC@G`Ia>_2{W>lL(>nC1S(*vq3O(_$K=7L}*lTj-`uZ`*&PZ9Ak52&$gayW$MkFVQ6MrL-XJU9_KkU zzo4&JB2#YMwypq7xuMy-nW3F(i=jEw8k&T8a07>C03Zoez*IxixkGdPTv-E8wKeq? zxJ+HmTiU>b8))EW>W3vl<3tD9k9Uz>pp&F3`mOX`OuLgPjQyWsg$ax<{i&4yOk83sp2t{B>PNf?@wtf5Jm1h5BKM(5T|bEyi)+l`D>mdPSnE@y!1O zpH&=*w_rVs<0zmdVu4o`$I`{I*$1vEj;Tv!&$j;Xw5hkt!_aJP4b4LfN`~fM`idno z<;J0T+lR7eTifLs+L?Yh{=HxgO~O31fJ1XMKoY2csfMO=hvto8Sp(1XGxhdi7}&hD zfrl1w+q#eXVTsVV(ZG>_DYtEHA2zffQ(@o;n}G{U4169S2~@yT20GWk+~u+c{+Md& z9p}TqhBgBknuRoQKlQ^Bp>d;ubyvt5*m1t0ogEAVv#&F7A!pzV07;+%rZUjE20nRG z_KM@`gq+Zlfe6h-t2iF|n9YX8kuSx|B|@W$Ba7o4;FT+mO9n=wxeZYq)2!l1yoWw! 
zaU27*L@e;C;#j&k)?es~;+T(2wZ_Ar|j%WWHN?kU2A9_o>MY3|4Co5M5f#} zGzs$zV9IS}5~zTwhNd%zCPVX0ysUxeGEKcR-krBv zVrc^p&*8SUfcjyH(74gS?g_F6b{=79=L0Zsh|R#cB?jVMh>Cy;n94xs8hHM8Sp&}p zOub7Q3{0>Y$k5ECfku&kE;q3M9kK>?Ni(zyIGn|&UuWQ4&cLxel<}kdHLA)$=Nee9 zi|iH0+=e-!5AjMH@jqC_@i5Q0f6U@I=vr1pXjF0J7Q+j?a>emOe=Xx8Jb70SJsW&)}6Vs zXIr~IVQ4?Sfa71PH8ctH=oAjk@qkI7LQpj{ojWwQu9G$Jrx#4U8(tWoS_PYdQyCg= zTfbEX`jh{@Ue>^FtqtuWULZ5Rzs*3xoJs@#0+E_%|ODOMgu1RCV?sgU0~qEGJlYK zJC4sf=7c^PjnEvoisRAwY&I;8d^vh95gJt-SsZr&uUv8bXmljHrZ0+PvQ-?3_vm~U z$G-wC5evMkIF>Gs)t9=WIBrL#{P)P7ZT)$osrSUgpKtrs8k)z(@Ho$*d78driA=ez zI1=VP^<~et_DnFeOH*+C>un89!aO#HLvtcP5~zTwilZ~Ptqjc_jbshHG{w|=m4kuj zN*j1=3=J%#epn(jZZvQlV9H(d?^VvwewhISd)N$ovBbca0g^xkOl6>R4g5<}Sp$EW zVd}ll!@xqDfeg)yH1Ip>hb2PeMgz|QrksJj&l}pWvtVG-bq2o388`_b2~@yT20GV3 z-!R!Lj%)hngmj*5Fs$NujAt9>vpDkoBDh3oRB_}MV+-)g6-RwyB)T?;;@I0Nj>LOx z8jIuKfR=~_UR4}R7sp#et|^Yk56hly{dJb9Km84c=22^Co(Pl-P0mOzktsJ0%{514 z&$d4OjiFthi{sy8*3cx(69Ep*$pA@y0;U?8&K;T=$7Kz?JlE9wY=eOZZ3bpDG~BkH zqkdQ-G;TETBw)&ITl;J?wBO!@ft_py5@t3HoC1&pDqt!Dooit7X;}k*d(+hWu7ZJk zYz77y8X9<>`eBLCxY5A#fGKBS-&KZoQyJ)71E<|3d&O~W zFekM9RfJ}rRUA)@XR~2(e6#b-19B(8DT@#Cu{qi{mt) zC1QbB701%W@eg5F6vrLNRM{liv#nR&Gxh!-U}$c&hUTe3JkE1yUZSs9B2#V~nuNIx zFy)43{|^k!T!iCaYino{=BYs(n$rQ2Km|-SG@Us#8JaOYWDPVInR?1=Ffh+%U^+uX z1An1@SRyoTG%&HJtbr-78Co<116$e*B+PUg_;-LLPytgJ=v)J*^_Dd-8Z!0Nu`n># zX5e6kh6esh{jfx6TxsA_vIeG(HMFbCVc>l>0||354V(dx1S()E1D$JNEj*S|?!n?$ zmz%m5FAj0r3d_L4WQK+Yn$!zI4@-o`jRxLaS=K;bC!=2M=P*#S z8AzD@Xy9uANuUCzGSHa@?&O)6A(A~1fid+V_rk#WmVw`QWoT$%8GLYw(74S&!c5DM z?SVt?HR_ew3QyJ)71CM9P8dzqtsb~Hf2F|h>n8eV~z_Q9f zfAYwovIb`U*{D|*k4TEIWiya4lW5>97)YSXK!-nRn1}7WY*_=#ZZq|)$}n)+bp|HU rKz?wE(7161b`HuKm{r-RS8f*!tYI^-TZw_Q0g^xkOf>_YIRpO-PctL> literal 0 HcmV?d00001 diff --git a/packetbeat/tests/system/test_0025_mongodb_basic.py b/packetbeat/tests/system/test_0025_mongodb_basic.py index 98acdc4e617..b1ff493377a 100644 --- a/packetbeat/tests/system/test_0025_mongodb_basic.py +++ b/packetbeat/tests/system/test_0025_mongodb_basic.py 
@@ -219,3 +219,15 @@ def test_request_after_reply(self):
 o = objs[0]
 assert o["type"] == "mongodb"
 assert o["event.duration"] >= 0
+
+ def test_unknown_opcode_flood(self):
+ """
+ Tests that a repeated unknown opcode is reported just once.
+ """
+ self.render_config_template(
+ mongodb_ports=[9991]
+ )
+ self.run_packetbeat(pcap="mongodb_op_msg_opcode.pcap",
+ debug_selectors=["mongodb"])
+ num_msgs = self.log_contains_count('Unknown operation code: ')
+ assert num_msgs == 1, "Unknown opcode reported more than once: {0}".format(num_msgs)
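Review bot: `assert num_msgs == 1` in `test_unknown_opcode_flood` holds only while the capture contains exactly one distinct unknown opcode, which the pcap's file name suggests but the docstring does not state. A capture with two different unsupported opcodes would correctly log twice and fail this test, so the dependency should be written down, for instance `# the capture repeats a single unsupported opcode, so exactly one error line is expected` above the assertion. The test also covers only the repeated-value case; a second case with several distinct unknown opcodes would pin how many lines the decoder is allowed to emit in total.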