
Issues with colons after IP and Ports #76

Open
bryant-smith opened this issue Sep 20, 2023 · 1 comment
Comments

@bryant-smith
Contributor

There looks to be an issue with :: after an IP address and a : after the port. Sagan doesn't parse properly using parse_src_ip and parse_dst_ip.

Original Log without modification:

X10.100.128.104|user|info|info|systemName.local.org|2022-09-12T08:00:56Z|2022-09-12T08:00:53Z|ModifiedLog| id=fw_remote_000 sn=11111111 time="2023-09-18 14:26:13" fw=192.168.1.68 pri=6 c=16 m=29 msg="Administrator login allowed" sess="Web" dur=0 n=14 usr="admin" src=10.9.5.120::TO_TEST dst=10.9.0.1:55443:X0 proto=tcp/55443 note="User: admin" fw_action="NA"

[D] [139695594993216:1] --[Lookup Cache Array]----
[D] -- ARRAY: Position: 0, Status: 1, IP: 192.168.1.68, Port: 0

Removed one : from src=10.9.5.120::TO_EPICDC

10.100.128.104|user|info|info|systemName.local.org|2022-09-12T08:00:56Z|2022-09-12T08:00:53Z|ModifiedLog| id=fw_remote_000 sn=11111111 time="2023-09-18 14:26:13" fw=192.168.1.68 pri=6 c=16 m=29 msg="Administrator login allowed" sess="Web" dur=0 n=14 usr="admin" src=10.9.5.120:TO_TEST dst=10.9.0.1:55443:X0 proto=tcp/55443 note="User: admin" fw_action="NA"

[D] [139631356290624:2] --[Lookup Cache Array]----
[D] -- ARRAY: Position: 0, Status: 1, IP: 192.168.1.68, Port: 0
[D] -- ARRAY: Position: 1, Status: 1, IP: 10.9.5.120, Port: 514

Removed a : from src=10.9.5.120::TO_EPICDC and the last : from dst=10.9.0.1:55443:X0

10.100.128.104|user|info|info|systemName.local.org|2022-09-12T08:00:56Z|2022-09-12T08:00:53Z|ModifiedLog| id=fw_remote_000 sn=11111111 time="2023-09-18 14:26:13" fw=192.168.1.68 pri=6 c=16 m=29 msg="Administrator login allowed" sess="Web" dur=0 n=14 usr="admin" src=10.9.5.120:TO_TEST dst=10.9.0.1:55443 X0 proto=tcp/55443 note="User: admin" fw_action="NA"

[D] [139725124986432:3] --[Lookup Cache Array]----
[D] -- ARRAY: Position: 0, Status: 1, IP: 192.168.1.68, Port: 0
[D] -- ARRAY: Position: 1, Status: 1, IP: 10.9.5.120, Port: 514
[D] -- ARRAY: Position: 2, Status: 1, IP: 10.9.0.1, Port: 55443

@quadrantsec
Collaborator

This issue is how it tries to parse IPv6 vs IPv4.... For example:

```c
/* Stand alone IPv6 */

        if ( num_colons > 2 )
            {

                valid = inet_pton(AF_INET6, ptr1,  &(sa.sin_addr));

```

If Sagan "sees" more than 2 colons, it switches to IPv6 parsing.

I really don't like programming for edge cases. These look like Fortigate logs. Is there maybe a better way to get the ip src/dest with liblognorm? I might be able to look for 2 trailing ::'s in the IPv4 section, but then it will do double the work. That is, have to iterate through IPv4 for this edge case then switch to IPv6.

Let me know your thoughts.
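The following is an added example, not Sagan's code and not from either commenter. It models the colon-count heuristic described above (`naive_parse`, a simplified stand-in for the real parser, not a copy of it) next to an extractor that validates the address with `inet_pton()` before it looks for a port (`parse_ip_token`). The sample tokens are constructed to match the `src=`/`dst=` fields quoted in the issue plus bracketed and bare IPv6 forms; `ip_token`, `port_after` and the two-step "trim the last `:suffix`" retry are assumptions of this example.

```c
/* Added example: tolerant IPv4/IPv6 token extraction for "ip::label" and
 * "ip:port:iface" fields. Not Sagan's implementation. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int family;                 /* AF_INET, AF_INET6, or 0 when unparsed */
    char ip[INET6_ADDRSTRLEN];  /* normalised textual address */
    unsigned short port;        /* 0 when no numeric port follows the address */
} ip_token;

static size_t count_colons(const char *s)
{
    size_t n = 0;
    for (; *s; s++) if (*s == ':') n++;
    return n;
}

/* Simplified model of the heuristic from the comment above: more than two
 * colons selects IPv6, otherwise IPv4, and the whole token goes to inet_pton().
 * Any trailing ":label" or ":port:iface" makes the IPv4 branch fail. */
bool naive_parse(const char *tok, ip_token *out)
{
    unsigned char buf[16];
    memset(out, 0, sizeof *out);
    int family = count_colons(tok) > 2 ? AF_INET6 : AF_INET;
    if (inet_pton(family, tok, buf) != 1)
        return false;
    out->family = family;
    inet_ntop(family, buf, out->ip, sizeof out->ip);
    return true;
}

/* Read an optional ":<digits>" port; 0 when absent, non-numeric or out of range.
 * The digits must end the token or be followed by another ':' (e.g. ":X0"). */
static unsigned short port_after(const char *p)
{
    if (*p != ':' || !isdigit((unsigned char)p[1]))
        return 0;
    char *end;
    unsigned long v = strtoul(p + 1, &end, 10);
    if (v > 65535 || (*end != '\0' && *end != ':'))
        return 0;
    return (unsigned short)v;
}

/* Validate the address first, then look for a port, instead of guessing the
 * family from the colon count. */
bool parse_ip_token(const char *tok, ip_token *out)
{
    unsigned char buf[16];
    char addr[INET6_ADDRSTRLEN];
    memset(out, 0, sizeof *out);

    /* 1. IPv4: the address is everything before the first ':'. */
    const char *colon = strchr(tok, ':');
    size_t len = colon ? (size_t)(colon - tok) : strlen(tok);
    if (len < sizeof addr) {
        memcpy(addr, tok, len);
        addr[len] = '\0';
        if (inet_pton(AF_INET, addr, buf) == 1) {
            out->family = AF_INET;
            inet_ntop(AF_INET, buf, out->ip, sizeof out->ip);
            out->port = colon ? port_after(colon) : 0;
            return true;
        }
    }

    /* 2. Bracketed IPv6 "[addr]:port" is unambiguous, so a port is accepted. */
    if (tok[0] == '[') {
        const char *close = strchr(tok, ']');
        if (!close || (size_t)(close - tok - 1) >= sizeof addr) return false;
        memcpy(addr, tok + 1, close - tok - 1);
        addr[close - tok - 1] = '\0';
        if (inet_pton(AF_INET6, addr, buf) != 1) return false;
        out->family = AF_INET6;
        inet_ntop(AF_INET6, buf, out->ip, sizeof out->ip);
        out->port = port_after(close + 1);
        return true;
    }

    /* 3. Bare IPv6: try the whole token, then once more with the last ":suffix"
     * removed (a trailing label such as ":X0"). A bare "addr:port" cannot be
     * told apart from an address, so no port is reported here. */
    if (strlen(tok) >= sizeof addr) return false;
    strcpy(addr, tok);
    for (int attempt = 0; attempt < 2; attempt++) {
        if (inet_pton(AF_INET6, addr, buf) == 1) {
            out->family = AF_INET6;
            inet_ntop(AF_INET6, buf, out->ip, sizeof out->ip);
            return true;
        }
        char *last = strrchr(addr, ':');
        if (!last || last == addr) break;
        *last = '\0';
    }
    return false;
}

int main(void)
{
    /* Constructed tokens modelled on the src=/dst= fields in the issue. */
    const char *samples[] = { "10.9.5.120::TO_TEST", "10.9.0.1:55443:X0",
                              "192.168.1.68", "[2001:db8::1]:443", "2001:db8::1:X0" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        ip_token n, r;
        bool nok = naive_parse(samples[i], &n);
        bool rok = parse_ip_token(samples[i], &r);
        printf("%-22s naive=%-4s robust=%-4s ip=%s port=%u\n", samples[i],
               nok ? "ok" : "FAIL", rok ? "ok" : "FAIL", rok ? r.ip : "-", r.port);
    }
    return 0;
}
```

The design point is ordering: validating the candidate address with `inet_pton()` before interpreting anything after it means a label like `::TO_TEST` or a trailing interface name like `:X0` never changes which family is tried, and the IPv4 branch needs no special case for double colons. The cost is one extra `inet_pton()` call for IPv6 tokens, which is the "double the work" trade-off mentioned above, but only on the IPv6 path.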
