idaholab#542 add 'public' pseudo-segment for source/destination public IP addresses
mmguero committed Aug 15, 2024
1 parent 9dee43b commit ea014c2
Showing 4 changed files with 18 additions and 9 deletions.
Expand Up @@ -641,7 +641,7 @@
"updated_at": "2024-06-12T16:50:47.700Z",
"version": "WzQzMiwxXQ==",
"attributes": {
"title": "NetBox Enrichment - Candidate Logs",
"title": "NetBox Enrichment - Logs",
"description": "",
"hits": 0,
"columns": [
Expand All @@ -650,7 +650,7 @@
"sort": [],
"version": 1,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"(NOT event.provider:arkime) AND ((NOT event.provider:zeek) OR event.dataset:(conn OR notice OR weird OR signatures OR software OR known*)) AND (network.direction:(internal OR inbound OR outbound))\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
"searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"query\":\"tags:netbox\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
}
},
"references": [
2 changes: 2 additions & 0 deletions docs/asset-interaction-analysis.md
Expand Up @@ -53,6 +53,8 @@ For Malcolm's purposes, both physical devices and virtualized hosts will be stor

NetBox has the concept of [sites](https://demo.netbox.dev/static/docs/core-functionality/sites-and-racks/). Sites can have overlapping IP address ranges. The site to associate with network traffic can be specified when [PCAP is uploaded](upload.md#Upload), when configuring [live analysis](live-analysis.md#LiveAnalysis), and when [configuring forwarding from Hedgehog Linux](malcolm-hedgehog-e2e-iso-install.md#Hedgehogfilebeat). If not otherwise specified, the value of the `NETBOX_DEFAULT_SITE` variable in [environment variable in `netbox-common.env`](malcolm-config.md#MalcolmConfigEnvVars) will be used for these enrichment lookups.

When NetBox enrichment is attempted for a log, the value `netbox` is automatically added to its `tags` field.

## <a name="NetBoxCompare"></a>Compare and highlight discrepancies between NetBox inventory and observed network traffic

As Malcolm cross-checks network traffic with NetBox's model (as described [above](#NetBoxEnrichment)), the resulting enrichment data (or lack thereof) can highlight devices and services observed in network traffic for which there is no corresponding entry in the list of inventoried assets.
11 changes: 4 additions & 7 deletions logstash/pipelines/enrichment/11_lookups.conf
Expand Up @@ -135,6 +135,8 @@ filter {
mutate { id => "mutate_add_field_srcASN"
add_field => { "[source][as][full]" => "AS%{[@metadata][orig_asn][asn]} %{[@metadata][orig_asn][as_org]}" } }
}
mutate { id => "mutate_add_field_external_source_segment_public"
add_field => { "[source][segment][name]" => "public" } }

# if reverse DNS for public IP addresses is enabled (via environment variable) do it
mutate {
Expand Down Expand Up @@ -208,6 +210,8 @@ filter {
mutate { id => "mutate_add_field_dstASN"
add_field => { "[destination][as][full]" => "AS%{[@metadata][resp_asn][asn]} %{[@metadata][resp_asn][as_org]}" } }
}
mutate { id => "mutate_add_field_external_destination_segment_public"
add_field => { "[destination][segment][name]" => "public" } }

# if reverse DNS for public IP addresses is enabled (via environment variable) do it
if (![@metadata][ENV_LOGSTASH_REVERSE_DNS]) {
Expand Down Expand Up @@ -260,19 +264,12 @@ filter {
} else if ("internal_source" in [tags]) and ("external_destination" in [tags]) {
mutate { id => "mutate_add_field_metadata_network_direction_outbound"
add_field => { "[network][direction]" => "outbound" } }
mutate { id => "mutate_add_field_direction_outbound_destination_segment"
add_field => { "[destination][segment][name]" => "public" } }
} else if ("external_source" in [tags]) and ("internal_destination" in [tags]) {
mutate { id => "mutate_add_field_metadata_network_direction_inbound"
add_field => { "[network][direction]" => "inbound" } }
mutate { id => "mutate_add_field_direction_inbound_source_segment"
add_field => { "[source][segment][name]" => "public" } }
} else if ("external_source" in [tags]) and ("external_destination" in [tags]) {
mutate { id => "mutate_add_field_metadata_network_direction_external"
add_field => { "[network][direction]" => "external" } }
mutate { id => "mutate_add_field_direction_external_segments"
add_field => { "[source][segment][name]" => "public"
"[destination][segment][name]" => "public" } }
} else if ("external_source" in [tags]) or ("external_destination" in [tags]) {
mutate { id => "mutate_add_field_metadata_network_direction_external_one_sided"
add_field => { "[network][direction]" => "external" } }
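Review bot: The new `mutate_add_field_external_source_segment_public` filter in the first hunk (and its destination twin `mutate_add_field_external_destination_segment_public` in the second) uses `add_field`, which in Logstash appends when the field already exists and turns it into an array, so an event whose `[source][segment][name]` was already populated would end up with `["<existing>", "public"]` rather than `public`. Unless appending is intended, `replace => { "[source][segment][name]" => "public" }` (and likewise for `[destination][segment][name]`) pins the value regardless of prior state. The conditional that guards these mutates opens above the first hunk, so I cannot confirm from here what else may have set the field before this point; the removed per-direction mutates in the third hunk ran only after `[network][direction]` had been classified, so the new placement changes when the pseudo-segment is assigned relative to the rest of the pipeline. A short comment on the first new mutate, e.g. `# external addresses get the 'public' pseudo-segment; a later NetBox lookup (21_netbox.conf) targets [source][segment] too`, would document the intended precedence, with the second half adjusted to whatever the actual ordering is.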
10 changes: 10 additions & 0 deletions logstash/pipelines/enrichment/21_netbox.conf
Expand Up @@ -44,6 +44,7 @@ filter {
ruby {
id => "ruby_netbox_enrich_dns_ip_to_host"
path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
add_tag => [ "netbox" ]
script_params => {
"lookup_type" => "ip_device"
"source" => "[dns][resolved_ip]"
Expand All @@ -70,6 +71,7 @@ filter {
ruby {
id => "ruby_netbox_enrich_ntlm_host_to_ip"
path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
add_tag => [ "netbox" ]
script_params => {
"lookup_type" => "ip_device"
"source" => "[source][ip]"
Expand All @@ -95,6 +97,7 @@ filter {
ruby {
id => "ruby_netbox_enrich_ntlm_server_nb_computer_to_ip"
path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
add_tag => [ "netbox" ]
script_params => {
"lookup_type" => "ip_device"
"source" => "[destination][ip]"
Expand All @@ -117,6 +120,7 @@ filter {
ruby {
id => "ruby_netbox_enrich_ntlm_server_dns_computer_to_ip"
path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
add_tag => [ "netbox" ]
script_params => {
"lookup_type" => "ip_device"
"source" => "[destination][ip]"
Expand Down Expand Up @@ -145,6 +149,7 @@ filter {
ruby {
id => "ruby_netbox_enrich_dhcp_client_fqdn_to_ip"
path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
add_tag => [ "netbox" ]
script_params => {
"lookup_type" => "ip_device"
"source" => "[zeek][dhcp][assigned_addr]"
Expand All @@ -167,6 +172,7 @@ filter {
ruby {
id => "ruby_netbox_enrich_dhcp_host_name_to_ip"
path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
add_tag => [ "netbox" ]
script_params => {
"lookup_type" => "ip_device"
"source" => "[zeek][dhcp][assigned_addr]"
Expand Down Expand Up @@ -196,6 +202,7 @@ filter {
ruby {
id => "ruby_netbox_enrich_source_ip_segment"
path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
add_tag => [ "netbox" ]
script_params => {
"source" => "[source][ip]"
"target" => "[source][segment]"
Expand All @@ -214,6 +221,7 @@ filter {
ruby {
id => "ruby_netbox_enrich_source_ip_device"
path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
add_tag => [ "netbox" ]
script_params => {
"lookup_type" => "ip_device"
"source" => "[source][ip]"
Expand Down Expand Up @@ -243,6 +251,7 @@ filter {
ruby {
id => "ruby_netbox_enrich_destination_ip_segment"
path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
add_tag => [ "netbox" ]
script_params => {
"lookup_type" => "ip_prefix"
"source" => "[destination][ip]"
Expand All @@ -261,6 +270,7 @@ filter {
ruby {
id => "ruby_netbox_enrich_destination_ip_device"
path => "/usr/share/logstash/malcolm-ruby/netbox_enrich.rb"
add_tag => [ "netbox" ]
script_params => {
"lookup_type" => "ip_device"
"source" => "[destination][ip]"
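Review bot: The `add_tag => [ "netbox" ]` added to each of the ten ruby filters records that a lookup ran, not that NetBox returned a match, and if I read the ruby filter's semantics correctly the tag is applied only when the script completes without raising, so an event whose lookup errored would carry no `netbox` tag at all; a one-line comment on the first occurrence (`ruby_netbox_enrich_dns_ip_to_host`), e.g. `# "netbox" tag marks that a NetBox lookup was attempted, not that it matched`, would keep readers of the dashboard query `tags:netbox` from reading it as "enriched". The same option is repeated verbatim across all ten hunks in this file; if every invocation of netbox_enrich.rb is meant to tag the event, setting it in one place (inside the script, or a single filter after the lookups) is harder to forget when the next lookup is added. Each ruby filter's body continues past the end of its hunk.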