Packetbeat: add COMMAND, COMMANDREPLY mongodb opcodes

[dolftax]

Ref: #6191

r? @adriansr

Signed-off-by: Jaipradeesh jaipradeesh@gmail.com

[elasticmachine]

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

[ruflin]

@jaipradeesh Could you add some tests with pcap files for this if possible? Also please add a line to the changelog file.

Still needs review from probably @adriansr

[dolftax]

Ref: #6191 (comment)

[andrewkroh]

LGTM, but I would feel better about merging if there were a test covering these opcodes. Would you be able to add a test case? Like in either of:

• https://github.com/elastic/beats/blob/master/packetbeat/tests/system/test_0025_mongodb_basic.py
• https://github.com/elastic/beats/blob/master/packetbeat/protos/mongodb/mongodb_test.go

[dolftax]

@andrewkroh I was waiting for @adriansr 's input on this because (when looking for a sample pcap file with OP_COMMAND and OP_COMMANDREPLY codes) Derick from MongoDB team suggested not to whitelist any opcodes as it might change without warning. An example scenario from Wireshark who did the same (whitelist opcodes on wire protocol) - https://derickrethans.nl/wireshark-mongo-36.html

For example: OP_COMPRESSED isn't documented on Wire protocol opcode docs - https://docs.mongodb.com/manual/reference/mongodb-wire-protocol/ but it is a valid one.

Ref: #6191 (comment)

[dolftax]

Since we don't have a solid list of opcodes, I'm not sure if we really need to add a pcap file and test for the same here. If you think we should, could someone please add a pcap file which has opcodes OP_COMMAND and OP_COMMANDREPLY because I wasn't able to find them as they're internal to mongo cluster.

[adriansr]

Hi @jaipradeesh

How do you feel about adding the test?

I think best is adding a system-test (the python ones) that reads a pcap file and checks that no warning/errors are printed to the log (self.assert_no_logged_warnings()).

[adriansr]

This needs rebasing with current master and a test

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[botelastic]

Hi!
We just realized that we haven't looked into this PR in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it in as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

[botelastic]

Hi!
This PR has been stale for a while and we're going to close it as part of our cleanup procedure.
We appreciate your contribution and would like to apologize if we have not been able to review it, due to the current heavy load of the team.
Feel free to re-open this PR if you think it should stay open and is worth rebasing.
Thank you for your contribution!