Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Locality values mismatch between Netflow input and ingest pipeline #24272

Closed
adriansr opened this issue Mar 1, 2021 · 3 comments · Fixed by #24295
Closed

Locality values mismatch between Netflow input and ingest pipeline #24272

adriansr opened this issue Mar 1, 2021 · 3 comments · Fixed by #24295
Labels
bug discuss Issue needs further discussion.

Comments

@adriansr
Copy link
Contributor

adriansr commented Mar 1, 2021

For confirmed bugs, please report:

  • Version: 7.11
  • Operating System: -
  • Discuss Forum URL: -
  • Steps to Reproduce: -

Netflow input will populate {source,destination,flow}.locality fields with values either private or public, depending on the internal_networks configuration option.

The ingest pipeline for the netflow module uses those fields to populate network.direction. However, it is expecting the values to be internal or external, which causes network.direction to always be unknown.
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@adriansr
Copy link
Contributor Author

adriansr commented Mar 1, 2021

To clarify the issue:

The Netflow input will set locality fields to one of two possible values: private or public.

beats/x-pack/filebeat/input/netflow/convert.go

Lines 385 to 388 in 6986c84

var localityNames = map[Locality]string{
LocalityPrivate: "private",
LocalityPublic: "public",
}

The Netflow module ingest pipeline uses those values to set network.direction, but it expects either internal or external:

beats/x-pack/filebeat/module/netflow/log/ingest/pipeline.yml

Lines 54 to 73 in 6986c84

- set:
field: network.direction
value: inbound
if: 'ctx?.source?.locality == "external" && ctx?.destination?.locality == "internal"'
- set:
field: network.direction
value: outbound
if: 'ctx?.source?.locality == "internal" && ctx?.destination?.locality == "external"'
- set:
field: network.direction
value: internal
if: 'ctx?.source?.locality == "internal" && ctx?.destination?.locality == "internal"'
- set:
field: network.direction
value: external
if: 'ctx?.source?.locality == "external" && ctx?.destination?.locality == "external"'
- set:
field: network.direction
value: unknown
if: 'ctx?.network?.direction == null'

We need to choose which pair of values to use, private/public or internal/external.

@andrewkroh
Copy link
Member

andrewkroh commented Mar 1, 2021
edited
Loading

In addition to the mismatch of values, there is another bug that could be at play #24110 since this would cause there to be no default value for internal_networks CIDRs.

adriansr added a commit to adriansr/beats that referenced this issue Mar 2, 2021
@adriansr
netflow: Use internal and external for locality fields
3aeeaa4 
Fixes elastic#24272
@adriansr adriansr mentioned this issue Mar 2, 2021
Merged
3 tasks
adriansr added a commit that referenced this issue Mar 10, 2021
@adriansr
netflow: Use internal and external for locality fields (#24295)
0c6acc9 
Changes netflow input to use internal and external for locality fields:
- source.locality
- destination.locality
- flow.locality

Previously it was using public and private.
Fixes #24272
adriansr added a commit to adriansr/beats that referenced this issue Mar 10, 2021
@adriansr
netflow: Use internal and external for locality fields (elastic#24295)
0bae12b 
Changes netflow input to use internal and external for locality fields:
- source.locality
- destination.locality
- flow.locality

Previously it was using public and private.
Fixes elastic#24272

(cherry picked from commit 0c6acc9)
@adriansr adriansr mentioned this issue Mar 10, 2021
Merged
3 tasks
adriansr added a commit to adriansr/beats that referenced this issue Mar 10, 2021
@adriansr
netflow: Use internal and external for locality fields (elastic#24295)
711c169 
Changes netflow input to use internal and external for locality fields:
- source.locality
- destination.locality
- flow.locality

Previously it was using public and private.
Fixes elastic#24272

(cherry picked from commit 0c6acc9)
@adriansr adriansr mentioned this issue Mar 10, 2021
Merged
3 tasks
adriansr added a commit that referenced this issue Mar 18, 2021
@adriansr
netflow: Use internal and external for locality fields (#24295) (#24460)
d91c70b 
Changes netflow input to use internal and external for locality fields:
- source.locality
- destination.locality
- flow.locality

Previously it was using public and private.
Fixes #24272

(cherry picked from commit 0c6acc9)
adriansr added a commit that referenced this issue Mar 22, 2021
@adriansr
netflow: Use internal and external for locality fields (#24295) (#24461)
98a5f97 
Changes netflow input to use internal and external for locality fields:
- source.locality
- destination.locality
- flow.locality

Previously it was using public and private.
Fixes #24272

(cherry picked from commit 0c6acc9)
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
@adriansr
netflow: Use internal and external for locality fields (elastic#24295) (
3300d64 
elastic#24461)

Changes netflow input to use internal and external for locality fields:
- source.locality
- destination.locality
- flow.locality

Previously it was using public and private.
Fixes elastic#24272

(cherry picked from commit a1a8d7a)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug discuss Issue needs further discussion.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

netflow: Use internal and external for locality fields adriansr/beats
3 participants
@andrewkroh @adriansr @elasticmachine