netflow: Use internal and external for locality fields
Fixes #24272
adriansr committed Mar 2, 2021
1 parent 34e9bc5 commit 3aeeaa4
Showing 41 changed files with 1,180 additions and 1,175 deletions.
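--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -104,6 +104,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Rename `network.direction` values in crowdstrike/falcon to `ingress`/`egress`. {pull}23041[23041]
 - Rename `s3` input to `aws-s3` input. {pull}23469[23469]
 - Add `nodes` to filebeat-kubernetes.yaml ClusterRole. {issue}24051[24051] {pull}24052[24052]
+- Possible values for Netflow's locality fields (source.locality, destination.locality and flow.locality) are now `internal` and `external`, instead of `private` and `public`. {issue}24272[24272] {pull}24295[24295]
 
 *Heartbeat*
 - Adds negative body match. {pull}20728[20728]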
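--- a/x-pack/filebeat/input/netflow/convert.go
+++ b/x-pack/filebeat/input/netflow/convert.go
@@ -375,16 +375,20 @@ func fixMacAddresses(dict map[string]interface{}) {
 }
 }
 
+// Locality is an enum representing the locality of a network address.
 type Locality uint8
 
 const (
-LocalityPrivate Locality = iota + 1
-LocalityPublic
+// LocalityInternal identifies addresses that are internal to the organization.
+LocalityInternal Locality = iota + 1
+
+// LocalityExternal identifies addresses that are outside of the organization.
+LocalityExternal
 )
 
 var localityNames = map[Locality]string{
-LocalityPrivate: "private",
-LocalityPublic: "public",
+LocalityInternal: "internal",
+LocalityExternal: "external",
 }
 
 func (l Locality) String() string {
@@ -408,14 +412,14 @@ func getIPLocality(internalNetworks []string, ips ...net.IP) Locality {
 for _, ip := range ips {
 contains, err := conditions.NetworkContains(ip, internalNetworks...)
 if err != nil {
-return LocalityPublic
+return LocalityExternal
 }
 // always consider loopback/link-local private
 if !contains && !isLocal(ip) {
-return LocalityPublic
+return LocalityExternal
 }
 }
-return LocalityPrivate
+return LocalityInternal
 }
 
 // TODO: create table from https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml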
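Review bot: The unchanged comment in getIPLocality still reads `// always consider loopback/link-local private` although the function now returns LocalityInternal/LocalityExternal; it should become `// always consider loopback/link-local internal` so the comment matches the values that are emitted. In the same function the `err != nil` branch returns LocalityExternal without reporting the error, so an entry in internalNetworks that NetworkContains cannot handle would presumably label every flow `external` with no indication why, which matters for detections and dashboards keyed on the locality fields. Logging that error, or validating the networks when the configuration is loaded, would make the condition visible. The start of getIPLocality lies outside the hunk, so whether such validation already happens upstream cannot be seen here.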
Expand Up @@ -7,7 +7,7 @@
"Fields": {
"destination": {
"ip": "64.235.151.76",
"locality": "public",
"locality": "external",
"port": 443
},
"event": {
Expand All @@ -24,7 +24,7 @@
},
"flow": {
"id": "kSpZ1WuBhjc",
"locality": "public"
"locality": "external"
},
"netflow": {
"audit_counter": 4157725,
Expand Down Expand Up @@ -84,7 +84,7 @@
"source": {
"bytes": 0,
"ip": "10.236.5.4",
"locality": "private",
"locality": "internal",
"mac": "00:50:56:b9:26:46",
"packets": 0,
"port": 51917
Expand All @@ -99,7 +99,7 @@
"Fields": {
"destination": {
"ip": "10.236.5.4",
"locality": "private",
"locality": "internal",
"port": 51917
},
"event": {
Expand All @@ -116,7 +116,7 @@
},
"flow": {
"id": "kSpZ1WuBhjc",
"locality": "public"
"locality": "external"
},
"netflow": {
"audit_counter": 4157725,
Expand Down Expand Up @@ -176,7 +176,7 @@
"source": {
"bytes": 0,
"ip": "64.235.151.76",
"locality": "public",
"locality": "external",
"mac": "00:00:00:00:00:00",
"packets": 0,
"port": 443
Expand Up @@ -7,7 +7,7 @@
"Fields": {
"destination": {
"ip": "10.99.252.50",
"locality": "private",
"locality": "internal",
"port": 53
},
"event": {
Expand All @@ -24,7 +24,7 @@
},
"flow": {
"id": "2vFIarATx_4",
"locality": "private"
"locality": "internal"
},
"netflow": {
"destination_ipv4_address": "10.99.252.50",
Expand Down Expand Up @@ -72,7 +72,7 @@
"source": {
"bytes": 0,
"ip": "10.99.130.239",
"locality": "private",
"locality": "internal",
"mac": "00:00:00:00:00:00",
"packets": 0,
"port": 65105
Expand All @@ -87,7 +87,7 @@
"Fields": {
"destination": {
"ip": "10.99.130.239",
"locality": "private",
"locality": "internal",
"port": 65105
},
"event": {
Expand All @@ -104,7 +104,7 @@
},
"flow": {
"id": "2vFIarATx_4",
"locality": "private"
"locality": "internal"
},
"netflow": {
"destination_ipv4_address": "10.99.130.239",
Expand Down Expand Up @@ -152,7 +152,7 @@
"source": {
"bytes": 81,
"ip": "10.99.252.50",
"locality": "private",
"locality": "internal",
"mac": "00:00:00:00:00:00",
"packets": 1,
"port": 53
Expand All @@ -167,7 +167,7 @@
"Fields": {
"destination": {
"ip": "10.98.243.20",
"locality": "private",
"locality": "internal",
"port": 53
},
"event": {
Expand All @@ -184,7 +184,7 @@
},
"flow": {
"id": "wU3G8idsscw",
"locality": "private"
"locality": "internal"
},
"netflow": {
"destination_ipv4_address": "10.98.243.20",
Expand Down Expand Up @@ -232,7 +232,7 @@
"source": {
"bytes": 0,
"ip": "10.99.130.239",
"locality": "private",
"locality": "internal",
"mac": "00:00:00:00:00:00",
"packets": 0,
"port": 65105
Expand All @@ -247,7 +247,7 @@
"Fields": {
"destination": {
"ip": "10.99.130.239",
"locality": "private",
"locality": "internal",
"port": 65105
},
"event": {
Expand All @@ -264,7 +264,7 @@
},
"flow": {
"id": "wU3G8idsscw",
"locality": "private"
"locality": "internal"
},
"netflow": {
"destination_ipv4_address": "10.99.130.239",
Expand Down Expand Up @@ -312,7 +312,7 @@
"source": {
"bytes": 81,
"ip": "10.98.243.20",
"locality": "private",
"locality": "internal",
"mac": "00:00:00:00:00:00",
"packets": 1,
"port": 53
Expand All @@ -327,7 +327,7 @@
"Fields": {
"destination": {
"ip": "10.98.243.20",
"locality": "private",
"locality": "internal",
"port": 53
},
"event": {
Expand All @@ -344,7 +344,7 @@
},
"flow": {
"id": "rOmj8EdZ2dc",
"locality": "private"
"locality": "internal"
},
"netflow": {
"destination_ipv4_address": "10.98.243.20",
Expand Down Expand Up @@ -392,7 +392,7 @@
"source": {
"bytes": 0,
"ip": "10.99.168.140",
"locality": "private",
"locality": "internal",
"mac": "00:00:00:00:00:00",
"packets": 0,
"port": 52344
Expand All @@ -407,7 +407,7 @@
"Fields": {
"destination": {
"ip": "10.99.168.140",
"locality": "private",
"locality": "internal",
"port": 52344
},
"event": {
Expand All @@ -424,7 +424,7 @@
},
"flow": {
"id": "rOmj8EdZ2dc",
"locality": "private"
"locality": "internal"
},
"netflow": {
"destination_ipv4_address": "10.99.168.140",
Expand Down Expand Up @@ -472,7 +472,7 @@
"source": {
"bytes": 113,
"ip": "10.98.243.20",
"locality": "private",
"locality": "internal",
"mac": "00:00:00:00:00:00",
"packets": 1,
"port": 53
Expand All @@ -487,7 +487,7 @@
"Fields": {
"destination": {
"ip": "10.98.243.20",
"locality": "private",
"locality": "internal",
"port": 53
},
"event": {
Expand All @@ -504,7 +504,7 @@
},
"flow": {
"id": "JE7pThaMwJY",
"locality": "private"
"locality": "internal"
},
"netflow": {
"destination_ipv4_address": "10.98.243.20",
Expand Down Expand Up @@ -552,7 +552,7 @@
"source": {
"bytes": 0,
"ip": "10.99.168.140",
"locality": "private",
"locality": "internal",
"mac": "00:00:00:00:00:00",
"packets": 0,
"port": 50294
Expand All @@ -567,7 +567,7 @@
"Fields": {
"destination": {
"ip": "10.99.168.140",
"locality": "private",
"locality": "internal",
"port": 50294
},
"event": {
Expand All @@ -584,7 +584,7 @@
},
"flow": {
"id": "JE7pThaMwJY",
"locality": "private"
"locality": "internal"
},
"netflow": {
"destination_ipv4_address": "10.99.168.140",
Expand Down Expand Up @@ -632,7 +632,7 @@
"source": {
"bytes": 113,
"ip": "10.98.243.20",
"locality": "private",
"locality": "internal",
"mac": "00:00:00:00:00:00",
"packets": 1,
"port": 53
