RubyGems - logstash-codec-netflow - Versions diffs - 2.0.5 → 2.1.0 - Mend

logstash-codec-netflow 2.0.5 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +15 -0
data/CONTRIBUTORS +12 -0
data/Gemfile +1 -1
data/LICENSE +1 -1
data/README.md +12 -3
data/lib/logstash/codecs/netflow.rb +314 -32
data/lib/logstash/codecs/netflow/iana2yaml.rb +77 -0
data/lib/logstash/codecs/netflow/ipfix.yaml +2333 -0
data/lib/logstash/codecs/netflow/netflow.yaml +86 -2
data/lib/logstash/codecs/netflow/util.rb +77 -10
data/logstash-codec-netflow.gemspec +4 -3
data/spec/codecs/ipfix.dat +0 -0
data/spec/codecs/netflow5_test_invalid01.dat +0 -0
data/spec/codecs/netflow5_test_invalid02.dat +0 -0
data/spec/codecs/netflow9_test_invalid01.dat +0 -0
data/spec/codecs/netflow9_test_macaddr_data.dat +0 -0
data/spec/codecs/netflow9_test_macaddr_tpl.dat +0 -0
data/spec/codecs/netflow9_test_nprobe_data.dat +0 -0
data/spec/codecs/netflow9_test_nprobe_tpl.dat +0 -0
data/spec/codecs/netflow9_test_softflowd_tpl_data.dat +0 -0
data/spec/codecs/netflow9_test_valid01.dat +0 -0
data/spec/codecs/netflow9_test_valid_cisco_asa_data.dat +0 -0
data/spec/codecs/netflow9_test_valid_cisco_asa_tpl.dat +0 -0
data/spec/codecs/netflow_spec.rb +524 -53
metadata +49 -25
data/spec/codecs/netflow9.dat +0 -0

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0ae020958c2421c6319d6f7b0ad7d9889329d988
-  data.tar.gz: 68ed6e1be5662bf00cc4d59aae6be8315485cb33
+  metadata.gz: 918358ce2cdaac6c82befb4288a60dbf12bd582d
+  data.tar.gz: 801135d166dc217611ca6a079eee87f27df9a0d5
 SHA512:
-  metadata.gz: d93c9c1608d2d4c838d9ce4f6625461c537e8009f75730c54e4fd2ccd77a867f758562b39e9aca1e17472bb00c70d8d40b7e11b22a3f745d41271dfe99e2ace6
-  data.tar.gz: f388c2d88d5e9a21da0c4966d2c7c2780e10665b60d83ddff636e384c0b8b422e7651493fa7933c39ac88455bf3aacfdb08cfabdd72d89002d14a7019b4029aa
+  metadata.gz: 4eb4a32af83f1485e23aca07ad96795988980e4da059c328e3870fb346482d7d0709248ff3d9c78e559f85f7b26b40ca036cbf80a7e6d406b83dab844a725b33
+  data.tar.gz: 6e9b9e41db2f5df5483eb66b0657a58ea4ff2ce594d64bb22d04337004bd3e68cb96057a86273ce73d77136d9d71cac3d6e53d0841e7ef74f0d5dbd4c290c367

data/CHANGELOG.md CHANGED

@@ -1,11 +1,26 @@
+## 2.1.0
+  - Added IPFIX support
+  - Fixed exception if Netflow data contains MAC addresses (issue #26, issue #34)
+  - Fixed exceptions when receiving invalid Netflow v5 and v9 data (issue #17, issue 18)
+  - Fixed decoding Netflow templates from multiple (non-identical) exporters
+  - Add support for Cisco ASA fields
+  - Add support for Netflow 9 options template with scope fields
 # 2.0.5
   - Depend on logstash-core-plugin-api instead of logstash-core, removing the need to mass update plugins on major releases of logstash
 # 2.0.4
   - New dependency requirements for logstash-core for the 5.0 release
 ## 2.0.3
  - Fixed JSON compare flaw in specs
 ## 2.0.0
  - Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully,
    instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895
  - Dependency on logstash-core update to 2.0

data/CONTRIBUTORS CHANGED

@@ -3,12 +3,24 @@ reports, or in general have helped logstash along its way.
 Contributors:
 * Aaron Mildenstein (untergeek)
+* Adam Kaminski (thimslugga)
 * Colin Surprenant (colinsurprenant)
 * Jordan Sissel (jordansissel)
+* Jorrit Folmer (jorritfolmer)
 * Matt Dainty (bodgit)
+* Paul Warren (pwarren)
 * Pier-Hugues Pellerin (ph)
+* Pulkit Agrawal (propulkit)
 * Richard Pijnenburg (electrical)
+* Salvador Ferrer (salva-ferrer)
+* Will Rigby (wrigby)
+* Rojuinex
 * debadair
+* hkshirish
+* jstopinsek
+Maintainer:
+* Jorrit Folmer (jorritfolmer)
 Note: If you've sent us patches, bug reports, or otherwise contributed to
 Logstash, and you aren't on the list above and want to be, please let us know

data/Gemfile CHANGED

@@ -1,2 +1,2 @@
 source 'https://rubygems.org'
-gemspec
+gemspec

data/LICENSE CHANGED

@@ -1,4 +1,4 @@
-Copyright (c) 2012–2015 Elasticsearch <http://www.elastic.co>
+Copyright (c) 2012–2016 Elasticsearch <http://www.elastic.co>
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

data/README.md CHANGED

@@ -1,7 +1,6 @@
 # Logstash Plugin
-[![Build
-Status](http://build-eu-00.elastic.co/view/LS%20Plugins/view/LS%20Codecs/job/logstash-plugin-codec-netflow-unit/badge/icon)](http://build-eu-00.elastic.co/view/LS%20Plugins/view/LS%20Codecs/job/logstash-plugin-codec-netflow-unit/)
+[![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-codec-netflow.svg)](https://travis-ci.org/logstash-plugins/logstash-codec-netflow)
 This is a plugin for [Logstash](https://github.com/elastic/logstash).
@@ -56,7 +55,12 @@ gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
 ```
 - Install plugin
 ```sh
+# Logstash 2.3 and higher
+bin/logstash-plugin install --no-verify
+# Prior to Logstash 2.3
 bin/plugin install --no-verify
 ```
 - Run Logstash with your plugin
 ```sh
@@ -74,7 +78,12 @@ gem build logstash-filter-awesome.gemspec
 ```
 - Install the plugin from the Logstash home
 ```sh
-bin/plugin install /your/local/plugin/logstash-filter-awesome.gem
+# Logstash 2.3 and higher
+bin/logstash-plugin install --no-verify
+# Prior to Logstash 2.3
+bin/plugin install --no-verify
 ```
 - Start Logstash and proceed to test the plugin

data/lib/logstash/codecs/netflow.rb CHANGED

@@ -3,7 +3,59 @@ require "logstash/filters/base"
 require "logstash/namespace"
 require "logstash/timestamp"
-# The "netflow" codec is for decoding Netflow v5/v9 flows.
+# The "netflow" codec is used for decoding Netflow v5/v9/v10 (IPFIX) flows.
+#
+# ==== Supported Netflow/IPFIX exporters
+#
+# The following Netflow/IPFIX exporters are known to work with the most recent version of the netflow codec:
+#
+# [cols="6,^2,^2,^2,12",options="header"]
+# |===========================================================================================
+# |Netflow exporter | v5 | v9 | IPFIX | Remarks
+# |Softflowd        |  y | y  |   y   | IPFIX supported in https://github.com/djmdjm/softflowd
+# |nProbe           |  y | y  |   y   |
+# |ipt_NETFLOW      |  y | y  |   y   |
+# |Cisco ASA        |    | y  |       |
+# |Cisco IOS 12.x   |    | y  |       |
+# |fprobe           |  y |    |       |
+# |===========================================================================================
+#
+# ==== Usage
+#
+# Example Logstash configuration:
+#
+# [source]
+# -----------------------------
+# input {
+#   udp {
+#     host => localhost
+#     port => 2055
+#     codec => netflow {
+#       versions => [5, 9]
+#     }
+#     type => netflow
+#   }
+#   udp {
+#     host => localhost
+#         port => 4739
+#         codec => netflow {
+#       versions => [10]
+#       target => ipfix
+#     }
+#     type => ipfix
+#   }
+#   tcp {
+#     host => localhost
+#     port => 4739
+#     codec => netflow {
+#       versions => [10]
+#           target => ipfix
+#     }
+#     type => ipfix
+#   }
+# }
+# -----------------------------
 class LogStash::Codecs::Netflow < LogStash::Codecs::Base
   config_name "netflow"
@@ -14,7 +66,7 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
   config :target, :validate => :string, :default => "netflow"
   # Specify which Netflow versions you will accept.
-  config :versions, :validate => :array, :default => [5, 9]
+  config :versions, :validate => :array, :default => [5, 9, 10]
   # Override YAML file containing Netflow field definitions
   #
@@ -31,10 +83,36 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
   #    - :skip
   #
   # See <https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/netflow.yaml> for the base set.
-  config :definitions, :validate => :path
+  config :netflow_definitions, :validate => :path
+  # Override YAML file containing IPFIX field definitions
+  #
+  # Very similar to the Netflow version except there is a top level Private
+  # Enterprise Number (PEN) key added:
+  #
+  #    ---
+  #    pen:
+  #      id:
+  #      - :uintN or :ip4_addr or :ip6_addr or :mac_addr or :string
+  #      - :name
+  #      id:
+  #      - :skip
+  #
+  # There is an implicit PEN 0 for the standard fields.
+  #
+  # See <https://github.com/logstash-plugins/logstash-codec-netflow/blob/master/lib/logstash/codecs/netflow/ipfix.yaml> for the base set.
+  config :ipfix_definitions, :validate => :path
   NETFLOW5_FIELDS = ['version', 'flow_seq_num', 'engine_type', 'engine_id', 'sampling_algorithm', 'sampling_interval', 'flow_records']
   NETFLOW9_FIELDS = ['version', 'flow_seq_num']
+  NETFLOW9_SCOPES = {
+    1 => :scope_system,
+    2 => :scope_interface,
+    3 => :scope_line_card,
+    4 => :scope_netflow_cache,
+    5 => :scope_template,
+  }
+  IPFIX_FIELDS = ['version']
   SWITCHED = /_switched$/
   FLOWSET_ID = "flowset_id"
@@ -45,29 +123,19 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
   def register
     require "logstash/codecs/netflow/util"
-    @templates = Vash.new()
+    @netflow_templates = Vash.new()
+    @ipfix_templates = Vash.new()
     # Path to default Netflow v9 field definitions
     filename = ::File.expand_path('netflow/netflow.yaml', ::File.dirname(__FILE__))
+    @netflow_fields = load_definitions(filename, @netflow_definitions)
-    begin
-      @fields = YAML.load_file(filename)
-    rescue Exception => e
-      raise "#{self.class.name}: Bad syntax in definitions file #{filename}"
-    end
-    # Allow the user to augment/override/rename the supported Netflow fields
-    if @definitions
-      raise "#{self.class.name}: definitions file #{@definitions} does not exists" unless File.exists?(@definitions)
-      begin
-        @fields.merge!(YAML.load_file(@definitions))
-      rescue Exception => e
-        raise "#{self.class.name}: Bad syntax in definitions file #{@definitions}"
-      end
-    end
+    # Path to default IPFIX field definitions
+    filename = ::File.expand_path('netflow/ipfix.yaml', ::File.dirname(__FILE__))
+    @ipfix_fields = load_definitions(filename, @ipfix_definitions)
   end # def register
-  def decode(payload, &block)
+  def decode(payload, metadata = nil, &block)
     header = Header.read(payload)
     unless @versions.include?(header.version)
@@ -83,11 +151,22 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     elsif header.version == 9
       flowset = Netflow9PDU.read(payload)
       flowset.records.each do |record|
-        decode_netflow9(flowset, record).each{|event| yield(event)}
+        if metadata != nil
+          decode_netflow9(flowset, record, metadata).each{|event| yield(event)}
+        else
+          decode_netflow9(flowset, record).each{|event| yield(event)}
+        end
+      end
+    elsif header.version == 10
+      flowset = IpfixPDU.read(payload)
+      flowset.records.each do |record|
+        decode_ipfix(flowset, record).each { |event| yield(event) }
       end
     else
       @logger.warn("Unsupported Netflow version v#{header.version}")
     end
+  rescue BinData::ValidityError, IOError => e
+    @logger.warn("Invalid netflow packet received (#{e})")
   end
   private
@@ -125,9 +204,11 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     end
     LogStash::Event.new(event)
+  rescue BinData::ValidityError, IOError => e
+    @logger.warn("Invalid netflow packet received (#{e})")
   end
-  def decode_netflow9(flowset, record)
+  def decode_netflow9(flowset, record, metadata = nil)
     events = []
     case record.flowset_id
@@ -143,10 +224,14 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
           end
           # We get this far, we have a list of fields
           #key = "#{flowset.source_id}|#{event["source"]}|#{template.template_id}"
-          key = "#{flowset.source_id}|#{template.template_id}"
-          @templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
+          if metadata != nil
+            key = "#{flowset.source_id}|#{template.template_id}|#{metadata["host"]}|#{metadata["port"]}"
+          else
+            key = "#{flowset.source_id}|#{template.template_id}"
+          end
+          @netflow_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
           # Purge any expired templates
-          @templates.cleanup!
+          @netflow_templates.cleanup!
         end
       end
     when 1
@@ -154,6 +239,9 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
       record.flowset_data.templates.each do |template|
         catch (:field) do
           fields = []
+          template.scope_fields.each do |field|
+            fields << [uint_field(0, field.field_length), NETFLOW9_SCOPES[field.field_type]]
+          end
           template.option_fields.each do |field|
             entry = netflow_field_for(field.field_type, field.field_length)
             throw :field unless entry
@@ -161,17 +249,25 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
           end
           # We get this far, we have a list of fields
           #key = "#{flowset.source_id}|#{event["source"]}|#{template.template_id}"
-          key = "#{flowset.source_id}|#{template.template_id}"
-          @templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
+          if metadata != nil
+            key = "#{flowset.source_id}|#{template.template_id}|#{metadata["host"]}|#{metadata["port"]}"
+          else
+            key = "#{flowset.source_id}|#{template.template_id}"
+          end
+          @netflow_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
           # Purge any expired templates
-          @templates.cleanup!
+          @netflow_templates.cleanup!
         end
       end
     when 256..65535
       # Data flowset
       #key = "#{flowset.source_id}|#{event["source"]}|#{record.flowset_id}"
-      key = "#{flowset.source_id}|#{record.flowset_id}"
-      template = @templates[key]
+      if metadata != nil
+        key = "#{flowset.source_id}|#{record.flowset_id}|#{metadata["host"]}|#{metadata["port"]}"
+      else
+        key = "#{flowset.source_id}|#{record.flowset_id}"
+      end
+      template = @netflow_templates[key]
       unless template
         #@logger.warn("No matching template for flow id #{record.flowset_id} from #{event["source"]}")
@@ -224,6 +320,158 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
     end
     events
+  rescue BinData::ValidityError, IOError => e
+    @logger.warn("Invalid netflow packet received (#{e})")
+  end
+  def decode_ipfix(flowset, record)
+    events = []
+    case record.flowset_id
+    when 2
+      # Template flowset
+      record.flowset_data.templates.each do |template|
+        catch (:field) do
+          fields = []
+          template.fields.each do |field|
+            field_type = field.field_type
+            field_length = field.field_length
+            enterprise_id = field.enterprise ? field.enterprise_id : 0
+            if field.field_length == 0xffff
+              # FIXME
+              @logger.warn("Cowardly refusing to deal with variable length encoded field", :type => field_type, :enterprise => enterprise_id)
+              throw :field
+            end
+            if enterprise_id == 0
+              case field_type
+              when 291, 292, 293
+                # FIXME
+                @logger.warn("Cowardly refusing to deal with complex data types", :type => field_type, :enterprise => enterprise_id)
+                throw :field
+              end
+            end
+            entry = ipfix_field_for(field_type, enterprise_id, field.field_length)
+            throw :field unless entry
+            fields += entry
+          end
+          # FIXME Source IP address required in key
+          key = "#{flowset.observation_domain_id}|#{template.template_id}"
+          @ipfix_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
+          # Purge any expired templates
+          @ipfix_templates.cleanup!
+        end
+      end
+    when 3
+      # Options template flowset
+      record.flowset_data.templates.each do |template|
+        catch (:field) do
+          fields = []
+          (template.scope_fields.to_ary + template.option_fields.to_ary).each do |field|
+            field_type = field.field_type
+            field_length = field.field_length
+            enterprise_id = field.enterprise ? field.enterprise_id : 0
+            if field.field_length == 0xffff
+              # FIXME
+              @logger.warn("Cowardly refusing to deal with variable length encoded field", :type => field_type, :enterprise => enterprise_id)
+              throw :field
+            end
+            if enterprise_id == 0
+              case field_type
+              when 291, 292, 293
+                # FIXME
+                @logger.warn("Cowardly refusing to deal with complex data types", :type => field_type, :enterprise => enterprise_id)
+                throw :field
+              end
+            end
+            entry = ipfix_field_for(field_type, enterprise_id, field.field_length)
+            throw :field unless entry
+            fields += entry
+          end
+          # FIXME Source IP address required in key
+          key = "#{flowset.observation_domain_id}|#{template.template_id}"
+          @ipfix_templates[key, @cache_ttl] = BinData::Struct.new(:endian => :big, :fields => fields)
+          # Purge any expired templates
+          @ipfix_templates.cleanup!
+        end
+      end
+    when 256..65535
+      # Data flowset
+      key = "#{flowset.observation_domain_id}|#{record.flowset_id}"
+      template = @ipfix_templates[key]
+      unless template
+        @logger.warn("No matching template for flow id #{record.flowset_id}")
+        next
+      end
+      array = BinData::Array.new(:type => template, :read_until => :eof)
+      records = array.read(record.flowset_data)
+      records.each do |r|
+        event = {
+          LogStash::Event::TIMESTAMP => LogStash::Timestamp.at(flowset.unix_sec),
+          @target => {}
+        }
+        IPFIX_FIELDS.each do |f|
+          event[@target][f] = flowset[f].snapshot
+        end
+        r.each_pair do |k, v|
+          case k.to_s
+          when /^flow(?:Start|End)Seconds$/
+            event[@target][k.to_s] = LogStash::Timestamp.at(v.snapshot).to_iso8601
+          when /^flow(?:Start|End)(Milli|Micro|Nano)seconds$/
+            divisor =
+              case $1
+              when 'Milli'
+                1_000
+              when 'Micro'
+                1_000_000
+              when 'Nano'
+                1_000_000_000
+              end
+            event[@target][k.to_s] = LogStash::Timestamp.at(v.snapshot.to_f / divisor).to_iso8601
+          else
+            event[@target][k.to_s] = v.snapshot
+          end
+        end
+        events << LogStash::Event.new(event)
+      end
+    else
+      @logger.warn("Unsupported flowset id #{record.flowset_id}")
+    end
+    events
+  rescue BinData::ValidityError => e
+    @logger.warn("Invalid IPFIX packet received (#{e})")
+  end
+  def load_definitions(defaults, extra)
+    begin
+      fields = YAML.load_file(defaults)
+    rescue Exception => e
+      raise "#{self.class.name}: Bad syntax in definitions file #{defaults}"
+    end
+    # Allow the user to augment/override/rename the default fields
+    if extra
+      raise "#{self.class.name}: definitions file #{extra} does not exist" unless File.exists?(extra)
+      begin
+        fields.merge!(YAML.load_file(extra))
+      rescue Exception => e
+        raise "#{self.class.name}: Bad syntax in definitions file #{extra}"
+      end
+    end
+    fields
   end
   def uint_field(length, default)
@@ -232,8 +480,8 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
   end # def uint_field
   def netflow_field_for(type, length)
-    if @fields.include?(type)
-      field = @fields[type]
+    if @netflow_fields.include?(type)
+      field = @netflow_fields[type].clone
       if field.is_a?(Array)
         field[0] = uint_field(length, field[0]) if field[0].is_a?(Integer)
@@ -259,4 +507,38 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
       nil
     end
   end # def netflow_field_for
+  def ipfix_field_for(type, enterprise, length)
+    if @ipfix_fields.include?(enterprise)
+      if @ipfix_fields[enterprise].include?(type)
+        field = @ipfix_fields[enterprise][type].clone
+      else
+        @logger.warn("Unsupported enterprise field", :type => type, :enterprise => enterprise, :length => length)
+      end
+    else
+      @logger.warn("Unsupported enterprise", :enterprise => enterprise)
+    end
+    return nil unless field
+    if field.is_a?(Array)
+      case field[0]
+      when :skip
+        field += [nil, {:length => length}]
+      when :string
+        field += [{:length => length, :trim_padding => true}]
+      when :uint64
+        field[0] = uint_field(length, 8)
+      when :uint32
+        field[0] = uint_field(length, 4)
+      when :uint16
+        field[0] = uint_field(length, 2)
+      end
+      @logger.debug("Definition complete", :field => field)
+      [field]
+    else
+      @logger.warn("Definition should be an array", :field => field)
+    end
+  end
 end # class LogStash::Filters::Netflow