f5_bigip: url decode user agent strings (#11222)

efd6 · web-flow · commit e1fd1ea670f3 · 2024-09-27T18:36:07.000+09:30
Care is taken not to interpret the + mark for SURT prefix as a URL-encoded space[1]. [1]§6.1.1. http://crawler.archive.org/articles/user_manual/config.html
diff --git a/packages/f5_bigip/changelog.yml b/packages/f5_bigip/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.20.0"
+  changes:
+    - description: URL decode user agent strings.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11222
 - version: "1.19.1"
   changes:
     - description: Fix ASM script processor when `event.original` is absent.
diff --git a/packages/f5_bigip/data_stream/log/_dev/test/pipeline/test-pipeline-bigip-apm.log b/packages/f5_bigip/data_stream/log/_dev/test/pipeline/test-pipeline-bigip-apm.log
@@ -1,3 +1,4 @@
 {"hostname":"example.com","errdefs_msgno":"01490102:5:","partition_name":"Common","session_id":"acb12bdc","Access_Profile":"/Common/test/abc","Partition":"Common","Session_Id":"ab32cda23","Access_Policy_Result":"Logon_Deny","tenant":"Common","application":"Test application","telemetryEventCategory":"APM","f5telemetry_timestamp":"2020-12-03T22:10:07.783Z"}
 {"hostname":"example.com","errdefs_msgno":"01490511:5:","partition_name":"/Common","session_id":"ab32cdba231","Access_Profile":"/Common/abc","Partition":"/Common","Session_ID":"ab231bcda","Max_concurrent_Users":"2","telemetryEventCategory":"APM","f5telemetry_timestamp":"2021-10-01T08:00:03.319Z","tenant":"Common"}
 {"Bytes_In":"12","Bytes_Out":"0","User_Agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1","Client_IP":"81.2.69.144","Continent":"Asia","Country":"India","Listener":"test_listener","Reputation":"test_reputation","State":"test","Virtual_IP":"81.2.69.192","telemetryEventCategory":"APM"}
+{"Bytes_In":"12","Bytes_Out":"0","User_Agent":"SonyEricssonK750i%2FR1CA%20Browser%2FSEMC-Browser%2F4.2%20Profile%2FMIDP-2.0%20Configuration%2FCLDC-1.1","Client_IP":"81.2.69.144","Continent":"Asia","Country":"India","Listener":"test_listener","Reputation":"test_reputation","State":"test","Virtual_IP":"81.2.69.192","telemetryEventCategory":"APM"}
diff --git a/packages/f5_bigip/data_stream/log/_dev/test/pipeline/test-pipeline-bigip-apm.log-expected.json b/packages/f5_bigip/data_stream/log/_dev/test/pipeline/test-pipeline-bigip-apm.log-expected.json
@@ -209,6 +209,83 @@
                 },
                 "version": "12.0"
             }
+        },
+        {
+            "client": {
+                "ip": "81.2.69.144"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "kind": "event",
+                "original": "{\"Bytes_In\":\"12\",\"Bytes_Out\":\"0\",\"User_Agent\":\"SonyEricssonK750i%2FR1CA%20Browser%2FSEMC-Browser%2F4.2%20Profile%2FMIDP-2.0%20Configuration%2FCLDC-1.1\",\"Client_IP\":\"81.2.69.144\",\"Continent\":\"Asia\",\"Country\":\"India\",\"Listener\":\"test_listener\",\"Reputation\":\"test_reputation\",\"State\":\"test\",\"Virtual_IP\":\"81.2.69.192\",\"telemetryEventCategory\":\"APM\"}",
+                "type": [
+                    "info"
+                ]
+            },
+            "f5_bigip": {
+                "log": {
+                    "bytes": {
+                        "in": 12,
+                        "out": 0
+                    },
+                    "client": {
+                        "ip": "81.2.69.144"
+                    },
+                    "continent": "Asia",
+                    "country": "India",
+                    "listener": "test_listener",
+                    "reputation": "test_reputation",
+                    "state": "test",
+                    "telemetry": {
+                        "event": {
+                            "category": "APM"
+                        }
+                    },
+                    "user": {
+                        "agent": "SonyEricssonK750i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1"
+                    },
+                    "virtual": {
+                        "ip": "81.2.69.192"
+                    }
+                }
+            },
+            "host": {
+                "geo": {
+                    "continent_name": "Asia",
+                    "country_name": "India"
+                }
+            },
+            "network": {
+                "bytes": 12,
+                "direction": "ingress"
+            },
+            "observer": {
+                "product": "Application Performance Monitoring",
+                "vendor": "F5"
+            },
+            "related": {
+                "ip": [
+                    "81.2.69.144",
+                    "81.2.69.192"
+                ]
+            },
+            "tags": [
+                "preserve_original_event",
+                "preserve_duplicate_custom_fields"
+            ],
+            "user_agent": {
+                "device": {
+                    "name": "Ericsson K750i"
+                },
+                "name": "SEMC-Browser",
+                "original": "SonyEricssonK750i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1",
+                "version": "4.2"
+            }
         }
     ]
 }
diff --git a/packages/f5_bigip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bigip_bot_and_dos.yml b/packages/f5_bigip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bigip_bot_and_dos.yml
@@ -643,6 +643,15 @@ processors:
       field: f5_bigip.log.http.request
       pattern: '%{f5_bigip.log.http.method} %{f5_bigip.log.http.path} %{f5_bigip.log.http.version}\r\nHost: %{f5_bigip.log.http.host}\r\nConnection: %{f5_bigip.log.http.connection}\r\nPragma: %{f5_bigip.log.http.pragma}\r\nCache-Control: %{f5_bigip.log.http.cache_control}\r\nUser-Agent: %{f5_bigip.log.http.user_agent}\r\n%{f5_bigip.log.http.other_headers}\r\n'
       ignore_failure: true
+  - gsub:
+      field: f5_bigip.log.http.user_agent
+      pattern: '(\([^)]*)\+(https?://)'
+      replacement: '$1%2b$2'
+      ignore_missing: true
+  - urldecode:
+      field: f5_bigip.log.http.user_agent
+      ignore_missing: true
+      ignore_failure: true
   - user_agent:
       field: f5_bigip.log.http.user_agent
       ignore_missing: true
diff --git a/packages/f5_bigip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bigipapm.yml b/packages/f5_bigip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bigipapm.yml
@@ -75,6 +75,15 @@ processors:
       tag: rename_user_agent
       target_field: f5_bigip.log.user.agent
       ignore_missing: true
+  - gsub:
+      field: f5_bigip.log.user.agent
+      pattern: '(\([^)]*)\+(https?://)'
+      replacement: '$1%2b$2'
+      ignore_missing: true
+  - urldecode:
+      field: f5_bigip.log.user.agent
+      ignore_missing: true
+      ignore_failure: true
   - user_agent:
       field: f5_bigip.log.user.agent
       tag: user_agent_processor
diff --git a/packages/f5_bigip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bigipasm.yml b/packages/f5_bigip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bigipasm.yml
@@ -364,6 +364,15 @@ processors:
       field: related.hosts
       tag: lowercase_related_hosts
       ignore_missing: true
+  - gsub:
+      field: f5_bigip.log.request.user_agent
+      pattern: '(\([^)]*)\+(https?://)'
+      replacement: '$1%2b$2'
+      ignore_missing: true
+  - urldecode:
+      field: f5_bigip.log.request.user_agent
+      ignore_missing: true
+      ignore_failure: true
   - user_agent:
       field: f5_bigip.log.request.user_agent
       ignore_missing: true
diff --git a/packages/f5_bigip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bigipavr.yml b/packages/f5_bigip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bigipavr.yml
@@ -273,6 +273,15 @@ processors:
       tag: rename_user_agent
       target_field: f5_bigip.log.user.agent
       ignore_missing: true
+  - gsub:
+      field: f5_bigip.log.user.agent
+      pattern: '(\([^)]*)\+(https?://)'
+      replacement: '$1%2b$2'
+      ignore_missing: true
+  - urldecode:
+      field: f5_bigip.log.user.agent
+      ignore_missing: true
+      ignore_failure: true
   - user_agent:
       field: f5_bigip.log.user.agent
       tag: user_agent_log_user_agent
diff --git a/packages/f5_bigip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bigipltm.yml b/packages/f5_bigip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bigipltm.yml
@@ -137,6 +137,15 @@ processors:
       tag: rename_http_user_agent
       target_field: f5_bigip.log.http.user_agent
       ignore_missing: true
+  - gsub:
+      field: f5_bigip.log.http.user_agent
+      pattern: '(\([^)]*)\+(https?://)'
+      replacement: '$1%2b$2'
+      ignore_missing: true
+  - urldecode:
+      field: f5_bigip.log.http.user_agent
+      ignore_missing: true
+      ignore_failure: true
   - user_agent:
       field: f5_bigip.log.http.user_agent
       tag: user_agent_on_http_user_agent
diff --git a/packages/f5_bigip/manifest.yml b/packages/f5_bigip/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: f5_bigip
 title: F5 BIG-IP
-version: "1.19.1"
+version: "1.20.0"
 description: Collect logs from F5 BIG-IP with Elastic Agent.
 type: integration
 categories:
