logstash-codec-netflow 2.0.5 → 2.1.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (27) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +15 -0
  3. data/CONTRIBUTORS +12 -0
  4. data/Gemfile +1 -1
  5. data/LICENSE +1 -1
  6. data/README.md +12 -3
  7. data/lib/logstash/codecs/netflow.rb +314 -32
  8. data/lib/logstash/codecs/netflow/iana2yaml.rb +77 -0
  9. data/lib/logstash/codecs/netflow/ipfix.yaml +2333 -0
  10. data/lib/logstash/codecs/netflow/netflow.yaml +86 -2
  11. data/lib/logstash/codecs/netflow/util.rb +77 -10
  12. data/logstash-codec-netflow.gemspec +4 -3
  13. data/spec/codecs/ipfix.dat +0 -0
  14. data/spec/codecs/netflow5_test_invalid01.dat +0 -0
  15. data/spec/codecs/netflow5_test_invalid02.dat +0 -0
  16. data/spec/codecs/netflow9_test_invalid01.dat +0 -0
  17. data/spec/codecs/netflow9_test_macaddr_data.dat +0 -0
  18. data/spec/codecs/netflow9_test_macaddr_tpl.dat +0 -0
  19. data/spec/codecs/netflow9_test_nprobe_data.dat +0 -0
  20. data/spec/codecs/netflow9_test_nprobe_tpl.dat +0 -0
  21. data/spec/codecs/netflow9_test_softflowd_tpl_data.dat +0 -0
  22. data/spec/codecs/netflow9_test_valid01.dat +0 -0
  23. data/spec/codecs/netflow9_test_valid_cisco_asa_data.dat +0 -0
  24. data/spec/codecs/netflow9_test_valid_cisco_asa_tpl.dat +0 -0
  25. data/spec/codecs/netflow_spec.rb +524 -53
  26. metadata +49 -25
  27. data/spec/codecs/netflow9.dat +0 -0
data/lib/logstash/codecs/netflow/netflow.yaml CHANGED
@@ -164,10 +164,10 @@
164
164
  - :dst_tos
165
165
  56:
166
166
  - :mac_addr
167
- - :in_src_max
167
+ - :in_src_mac
168
168
  57:
169
169
  - :mac_addr
170
- - :out_dst_max
170
+ - :out_dst_mac
171
171
  58:
172
172
  - :uint16
173
173
  - :src_vlan
@@ -213,3 +213,87 @@
213
213
  83:
214
214
  - :string
215
215
  - :if_desc
216
+ 84:
217
+ - :string
218
+ - :sampler_name
219
+ 85:
220
+ - :uint32
221
+ - :in_permanent_bytes
222
+ 86:
223
+ - :uint32
224
+ - :in_permanent_pkts
225
+ 148:
226
+ - :uint32
227
+ - :conn_id
228
+ 176:
229
+ - :uint8
230
+ - :icmp_type
231
+ 177:
232
+ - :uint8
233
+ - :icmp_code
234
+ 178:
235
+ - :uint8
236
+ - :icmp_type_ipv6
237
+ 179:
238
+ - :uint8
239
+ - :icmp_code_ipv6
240
+ 225:
241
+ - :ip4_addr
242
+ - :xlate_src_addr_ipv4
243
+ 226:
244
+ - :ip4_addr
245
+ - :xlate_dst_addr_ipv4
246
+ 227:
247
+ - :uint16
248
+ - :xlate_src_port
249
+ 228:
250
+ - :uint16
251
+ - :xlate_dst_port
252
+ 233:
253
+ - :uint8
254
+ - :fw_event
255
+ 281:
256
+ - :ip6_addr
257
+ - :xlate_src_addr_ipv6
258
+ 282:
259
+ - :ip6_addr
260
+ - :xlate_dst_addr_ipv6
261
+ 33002:
262
+ - :uint16
263
+ - :fw_ext_event
264
+ 323:
265
+ - 8
266
+ - :event_time_msec
267
+ 152:
268
+ - 8
269
+ - :flow_start_msec
270
+ 231:
271
+ - :uint32
272
+ - :fwd_flow_delta_bytes
273
+ 232:
274
+ - :uint32
275
+ - :rev_flow_delta_bytes
276
+ 33000:
277
+ - :acl_id_asa
278
+ - :ingress_acl_id
279
+ 33001:
280
+ - :acl_id_asa
281
+ - egress_acl_id
282
+ 40000:
283
+ - :string
284
+ - :username
285
+ 40001:
286
+ - :ip4_addr
287
+ - :xlate_src_addr_ipv4
288
+ 40002:
289
+ - :ip4_addr
290
+ - :xlate_dst_addr_ipv4
291
+ 40003:
292
+ - :uint16
293
+ - :xlate_src_port
294
+ 40004:
295
+ - :uint16
296
+ - :xlate_dst_port
297
+ 40005:
298
+ - :uint8
299
+ - :fw_event
data/lib/logstash/codecs/netflow/util.rb CHANGED
@@ -47,7 +47,20 @@ class MacAddr < BinData::Primitive
47
47
  end
48
48
 
49
49
  def get
50
- self.bytes.collect { |byte| byte.to_s(16) }.join(":")
50
+ self.bytes.collect { |byte| byte.value.to_s(16).rjust(2,'0') }.join(":")
51
+ end
52
+ end
53
+
54
+ class ACLIdASA < BinData::Primitive
55
+ array :bytes, :type => :uint8, :initial_length => 12
56
+
57
+ def set(val)
58
+ self.bytes = val.split("-").collect { |aclid| aclid.scan(/../).collect { |hex| hex.to_i(16)} }.flatten
59
+ end
60
+
61
+ def get
62
+ hexstring = self.bytes.collect { |byte| byte.value.to_s(16).rjust(2,'0') }.join
63
+ hexstring.scan(/......../).collect { |aclid| aclid }.join("-")
51
64
  end
52
65
  end
53
66
 
@@ -59,7 +72,7 @@ end
59
72
  class Netflow5PDU < BinData::Record
60
73
  endian :big
61
74
  uint16 :version
62
- uint16 :flow_records
75
+ uint16 :flow_records, :assert => lambda { flow_records.value.between?(1,30) }
63
76
  uint32 :uptime
64
77
  uint32 :unix_sec
65
78
  uint32 :unix_nsec
@@ -68,7 +81,7 @@ class Netflow5PDU < BinData::Record
68
81
  uint8 :engine_id
69
82
  bit2 :sampling_algorithm
70
83
  bit14 :sampling_interval
71
- array :records, :initial_length => :flow_records do
84
+ array :records, :initial_length => :flow_records do
72
85
  ip4_addr :ipv4_src_addr
73
86
  ip4_addr :ipv4_dst_addr
74
87
  ip4_addr :ipv4_next_hop
@@ -92,7 +105,7 @@ class Netflow5PDU < BinData::Record
92
105
  end
93
106
  end
94
107
 
95
- class TemplateFlowset < BinData::Record
108
+ class NetflowTemplateFlowset < BinData::Record
96
109
  endian :big
97
110
  array :templates, :read_until => lambda { array.num_bytes == flowset_length - 4 } do
98
111
  uint16 :template_id
@@ -104,7 +117,7 @@ class TemplateFlowset < BinData::Record
104
117
  end
105
118
  end
106
119
 
107
- class OptionFlowset < BinData::Record
120
+ class NetflowOptionFlowset < BinData::Record
108
121
  endian :big
109
122
  array :templates, :read_until => lambda { flowset_length - 4 - array.num_bytes <= 2 } do
110
123
  uint16 :template_id
@@ -131,12 +144,66 @@ class Netflow9PDU < BinData::Record
131
144
  uint32 :flow_seq_num
132
145
  uint32 :source_id
133
146
  array :records, :read_until => :eof do
134
- uint16 :flowset_id
135
- uint16 :flowset_length
147
+ uint16 :flowset_id, :assert => lambda { [0, 1, *(256..65535)].include?(flowset_id) }
148
+ uint16 :flowset_length, :assert => lambda { flowset_length > 4 }
149
+ choice :flowset_data, :selection => :flowset_id do
150
+ netflow_template_flowset 0
151
+ netflow_option_flowset 1
152
+ string :default, :read_length => lambda { flowset_length - 4 }
153
+ end
154
+ end
155
+ end
156
+
157
+ class IpfixTemplateFlowset < BinData::Record
158
+ endian :big
159
+ array :templates, :read_until => lambda { flowset_length - 4 - array.num_bytes <= 2 } do
160
+ uint16 :template_id
161
+ uint16 :field_count
162
+ array :fields, :initial_length => :field_count do
163
+ bit1 :enterprise
164
+ bit15 :field_type
165
+ uint16 :field_length
166
+ uint32 :enterprise_id, :onlyif => lambda { enterprise != 0 }
167
+ end
168
+ end
169
+ # skip :length => lambda { flowset_length - 4 - set.num_bytes } ?
170
+ end
171
+
172
+ class IpfixOptionFlowset < BinData::Record
173
+ endian :big
174
+ array :templates, :read_until => lambda { flowset_length - 4 - array.num_bytes <= 2 } do
175
+ uint16 :template_id
176
+ uint16 :field_count
177
+ uint16 :scope_count, :assert => lambda { scope_count > 0 }
178
+ array :scope_fields, :initial_length => lambda { scope_count } do
179
+ bit1 :enterprise
180
+ bit15 :field_type
181
+ uint16 :field_length
182
+ uint32 :enterprise_id, :onlyif => lambda { enterprise != 0 }
183
+ end
184
+ array :option_fields, :initial_length => lambda { field_count - scope_count } do
185
+ bit1 :enterprise
186
+ bit15 :field_type
187
+ uint16 :field_length
188
+ uint32 :enterprise_id, :onlyif => lambda { enterprise != 0 }
189
+ end
190
+ end
191
+ end
192
+
193
+ class IpfixPDU < BinData::Record
194
+ endian :big
195
+ uint16 :version
196
+ uint16 :pdu_length
197
+ uint32 :unix_sec
198
+ uint32 :flow_seq_num
199
+ uint32 :observation_domain_id
200
+ array :records, :read_until => lambda { array.num_bytes == pdu_length - 16 } do
201
+ uint16 :flowset_id, :assert => lambda { [2, 3, *(256..65535)].include?(flowset_id) }
202
+ uint16 :flowset_length, :assert => lambda { flowset_length > 4 }
136
203
  choice :flowset_data, :selection => :flowset_id do
137
- template_flowset 0
138
- option_flowset 1
139
- string :default, :read_length => lambda { flowset_length - 4 }
204
+ ipfix_template_flowset 2
205
+ ipfix_option_flowset 3
206
+ string :default, :read_length => lambda { flowset_length - 4 }
140
207
  end
141
208
  end
142
209
  end
data/logstash-codec-netflow.gemspec CHANGED
@@ -1,10 +1,10 @@
1
1
  Gem::Specification.new do |s|
2
2
 
3
3
  s.name = 'logstash-codec-netflow'
4
- s.version = '2.0.5'
4
+ s.version = '2.1.0'
5
5
  s.licenses = ['Apache License (2.0)']
6
- s.summary = "The netflow codec is for decoding Netflow v5/v9 flows."
7
- s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
6
+ s.summary = "The netflow codec is for decoding Netflow v5/v9/IPFIX flows."
7
+ s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
8
8
  s.authors = ["Elastic"]
9
9
  s.email = 'info@elastic.co'
10
10
  s.homepage = "http://www.elastic.co/guide/en/logstash/current/index.html"
@@ -25,3 +25,4 @@ Gem::Specification.new do |s|
25
25
  s.add_development_dependency 'logstash-devutils'
26
26
  end
27
27
 
28
+
data/spec/codecs/ipfix.dat ADDED
Binary file
data/spec/codecs/netflow_spec.rb CHANGED
@@ -13,16 +13,19 @@ describe LogStash::Codecs::Netflow do
13
13
 
14
14
  let(:decode) do
15
15
  [].tap do |events|
16
- subject.decode(data){|event| events << event}
16
+ data.each { |packet| subject.decode(packet){|event| events << event}}
17
17
  end
18
18
  end
19
19
 
20
- context "Netflow 5" do
20
+ ### NETFLOW v5
21
+
22
+ context "Netflow 5 valid 01" do
21
23
  let(:data) do
22
24
  # this netflow raw data was produced with softflowd and captured with netcat
23
25
  # softflowd -D -i eth0 -v 5 -t maxlife=1 -n 127.0.01:8765
24
26
  # nc -k -4 -u -l 127.0.0.1 8765 > netflow5.dat
25
- IO.read(File.join(File.dirname(__FILE__), "netflow5.dat"), :mode => "rb")
27
+ data = []
28
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow5.dat"), :mode => "rb")
26
29
  end
27
30
 
28
31
  let(:json_events) do
@@ -123,61 +126,162 @@ describe LogStash::Codecs::Netflow do
123
126
  end
124
127
  end
125
128
 
126
- context "Netflow 9" do
129
+ context "Netflow 5 invalid 01 " do
130
+ let(:data) do
131
+ data = []
132
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow5_test_invalid01.dat"), :mode => "rb")
133
+ end
134
+
135
+ it "should not raise_error " do
136
+ expect{decode.size}.not_to raise_error
137
+ end
138
+ end
139
+
140
+ context "Netflow 5 invalid 02 " do
141
+ let(:data) do
142
+ data = []
143
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow5_test_invalid02.dat"), :mode => "rb")
144
+ end
145
+
146
+ it "should not raise_error" do
147
+ expect{decode.size}.not_to raise_error
148
+ end
149
+ end
150
+
151
+ ### NETFLOW v9
152
+
153
+ context "Netflow 9 valid 01" do
127
154
  let(:data) do
128
155
  # this netflow raw data was produced with softflowd and captured with netcat
129
- # softflowd -D -i eth0 -v 9 -t maxlife=1 -n 127.0.01:8765
130
- # nc -k -4 -u -l 127.0.0.1 8765 > netflow9.dat
131
- IO.read(File.join(File.dirname(__FILE__), "netflow9.dat"), :mode => "rb")
156
+ # softflowd -v 9 -n 172.16.32.202:2055
157
+ # nc -4 -u -l 172.16.32.202 8765 > netflow9_test_valid01.dat
158
+ data = []
159
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_valid01.dat"), :mode => "rb")
132
160
  end
133
161
 
134
162
  let(:json_events) do
135
163
  events = []
136
164
  events << <<-END
137
165
  {
138
- "@timestamp": "2015-05-02T22:10:07.000Z",
166
+ "@timestamp": "2015-10-08T19:04:30.000Z",
139
167
  "netflow": {
140
168
  "version": 9,
141
- "flow_seq_num": 0,
142
- "flowset_id": 1024,
143
- "ipv4_src_addr": "10.0.2.2",
144
- "ipv4_dst_addr": "10.0.2.15",
145
- "last_switched": "2015-05-02T22:10:07.999Z",
146
- "first_switched": "2015-06-21T15:12:49.999Z",
147
- "in_bytes": 230,
148
- "in_pkts": 5,
149
- "input_snmp": 0,
150
- "output_snmp": 0,
151
- "l4_src_port": 57369,
152
- "l4_dst_port": 22,
153
- "protocol": 6,
154
- "tcp_flags": 16,
155
- "ip_protocol_version": 4
169
+ "flow_seq_num":1,
170
+ "flowset_id":1024,
171
+ "ipv4_src_addr": "172.16.32.100",
172
+ "ipv4_dst_addr":"172.16.32.248",
173
+ "last_switched":"2015-10-08T19:03:47.999Z",
174
+ "first_switched":"2015-10-08T19:03:47.999Z",
175
+ "in_bytes":76,
176
+ "in_pkts":1,
177
+ "input_snmp":0,
178
+ "output_snmp":0,
179
+ "l4_src_port":123,
180
+ "l4_dst_port":123,
181
+ "protocol":17,
182
+ "tcp_flags":0,
183
+ "ip_protocol_version":4,
184
+ "src_tos":0
156
185
  },
157
186
  "@version": "1"
158
187
  }
159
188
  END
160
189
 
190
+ events.map{|event| event.gsub(/\s+/, "")}
191
+
192
+ end
193
+
194
+ it "should decode raw data" do
195
+ expect(decode.size).to eq(7)
196
+ expect(decode[0]["[netflow][version]"]).to eq(9)
197
+ end
198
+
199
+ it "should serialize to json" do
200
+ # generated json order can change with different implementation, convert back to hash to compare.
201
+ expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
202
+ end
203
+
204
+ end
205
+
206
+ context "Netflow 9 macaddress" do
207
+ let(:data) do
208
+ data = []
209
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_macaddr_tpl.dat"), :mode => "rb")
210
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_macaddr_data.dat"), :mode => "rb")
211
+ end
212
+
213
+ let(:json_events) do
214
+ events = []
215
+ events << <<-END
216
+ {
217
+ "@timestamp":"2015-10-10T08:47:01.000Z",
218
+ "netflow":{
219
+ "version":9,
220
+ "flow_seq_num":2,
221
+ "flowset_id":257,
222
+ "protocol":6,
223
+ "l4_src_port":65058,
224
+ "ipv4_src_addr":"172.16.32.1",
225
+ "l4_dst_port":22,
226
+ "ipv4_dst_addr":"172.16.32.201",
227
+ "in_src_mac":"00:50:56:c0:00:01",
228
+ "in_dst_mac":"00:0c:29:70:86:09"
229
+ },
230
+ "@version":"1"
231
+ }
232
+ END
233
+
234
+ events.map{|event| event.gsub(/\s+/, "")}
235
+ end
236
+
237
+ it "should decode the mac address" do
238
+ expect(decode[1]["[netflow][in_src_mac]"]).to eq("00:50:56:c0:00:01")
239
+ expect(decode[1]["[netflow][in_dst_mac]"]).to eq("00:0c:29:70:86:09")
240
+ end
241
+
242
+ it "should serialize to json" do
243
+ expect(JSON.parse(decode[1].to_json)).to eq(JSON.parse(json_events[0]))
244
+ end
245
+ end
246
+
247
+ context "Netflow 9 Cisco ASA" do
248
+ let(:data) do
249
+ packets = []
250
+ packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_valid_cisco_asa_tpl.dat"), :mode => "rb")
251
+ packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_valid_cisco_asa_data.dat"), :mode => "rb")
252
+ end
253
+
254
+ let(:json_events) do
255
+ events = []
161
256
  events << <<-END
162
257
  {
163
- "@timestamp": "2015-05-02T22:10:07.000Z",
258
+ "@timestamp": "2015-10-09T09:47:51.000Z",
164
259
  "netflow": {
165
260
  "version": 9,
166
- "flow_seq_num": 0,
167
- "flowset_id": 1024,
168
- "ipv4_src_addr": "10.0.2.15",
169
- "ipv4_dst_addr": "10.0.2.2",
170
- "last_switched": "2015-05-02T22:10:07.999Z",
171
- "first_switched": "2015-06-21T15:12:49.999Z",
172
- "in_bytes": 352,
173
- "in_pkts": 4,
174
- "input_snmp": 0,
175
- "output_snmp": 0,
176
- "l4_src_port": 22,
177
- "l4_dst_port": 57369,
178
- "protocol": 6,
179
- "tcp_flags": 24,
180
- "ip_protocol_version": 4
261
+ "flow_seq_num": 662,
262
+ "flowset_id": 265,
263
+ "conn_id": 8501,
264
+ "ipv4_src_addr": "192.168.23.22",
265
+ "l4_src_port": 17549,
266
+ "input_snmp": 2,
267
+ "ipv4_dst_addr": "164.164.37.11",
268
+ "l4_dst_port": 0,
269
+ "output_snmp": 3,
270
+ "protocol": 1,
271
+ "icmp_type": 8,
272
+ "icmp_code": 0,
273
+ "xlate_src_addr_ipv4": "192.168.23.22",
274
+ "xlate_dst_addr_ipv4": "164.164.37.11",
275
+ "xlate_src_port": 17549,
276
+ "xlate_dst_port": 0,
277
+ "fw_event": 2,
278
+ "fw_ext_event": 2025,
279
+ "event_time_msec": 1444384070179,
280
+ "in_permanent_bytes": 56,
281
+ "flow_start_msec": 1444384068169,
282
+ "ingress_acl_id": "0f8e7ff3-fc1a030f-00000000",
283
+ "egress_acl_id": "00000000-00000000-00000000",
284
+ "username": ""
181
285
  },
182
286
  "@version": "1"
183
287
  }
@@ -187,27 +291,394 @@ describe LogStash::Codecs::Netflow do
187
291
  end
188
292
 
189
293
  it "should decode raw data" do
190
- expect(decode.size).to eq(2)
294
+ expect(decode.size).to eq(14)
295
+ expect(decode[1]["[netflow][version]"]).to eq(9)
296
+ end
191
297
 
192
- expect(decode[0]["[netflow][version]"]).to eq(9)
193
- expect(decode[0]["[netflow][ipv4_src_addr]"]).to eq("10.0.2.2")
194
- expect(decode[0]["[netflow][ipv4_dst_addr]"]).to eq("10.0.2.15")
195
- expect(decode[0]["[netflow][l4_src_port]"]).to eq(57369)
196
- expect(decode[0]["[netflow][l4_dst_port]"]).to eq(22)
197
- expect(decode[0]["[netflow][tcp_flags]"]).to eq(16)
298
+ it "should serialize to json" do
299
+ expect(JSON.parse(decode[1].to_json)).to eq(JSON.parse(json_events[0]))
300
+ end
301
+ end
198
302
 
199
- expect(decode[1]["[netflow][version]"]).to eq(9)
200
- expect(decode[1]["[netflow][ipv4_src_addr]"]).to eq("10.0.2.15")
201
- expect(decode[1]["[netflow][ipv4_dst_addr]"]).to eq("10.0.2.2")
202
- expect(decode[1]["[netflow][l4_src_port]"]).to eq(22)
203
- expect(decode[1]["[netflow][l4_dst_port]"]).to eq(57369)
204
- expect(decode[1]["[netflow][tcp_flags]"]).to eq(24)
303
+ context "Netflow 9 multple netflow exporters" do
304
+ let(:data) do
305
+ # This tests whether a template from a 2nd netflow exporter overwrites the template sent from the first.
306
+ # In this test the 3rd packet (from nprobe) should still decode succesfully.
307
+ # Note that in this case the SourceID from exporter 1 is different from exporter 2, otherwise we hit issue #9
308
+ data = []
309
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_nprobe_tpl.dat"), :mode => "rb")
310
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_softflowd_tpl_data.dat"), :mode => "rb")
311
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_nprobe_data.dat"), :mode => "rb")
312
+ end
313
+
314
+ let(:json_events) do
315
+ events = []
316
+ events << <<-END
317
+ {
318
+ "@timestamp": "2015-10-08T19:04:30.000Z",
319
+ "netflow": {
320
+ "version":9,
321
+ "flow_seq_num":1,
322
+ "flowset_id":1024,
323
+ "ipv4_src_addr":"172.16.32.100",
324
+ "ipv4_dst_addr":"172.16.32.248",
325
+ "last_switched":"2015-10-08T19:03:47.999Z",
326
+ "first_switched":"2015-10-08T19:03:47.999Z",
327
+ "in_bytes":76,
328
+ "in_pkts":1,
329
+ "input_snmp":0,
330
+ "output_snmp":0,
331
+ "l4_src_port":123,
332
+ "l4_dst_port":123,
333
+ "protocol":17,
334
+ "tcp_flags":0,
335
+ "ip_protocol_version":4,
336
+ "src_tos":0
337
+ },
338
+ "@version":"1"
339
+ }
340
+ END
341
+
342
+ events << <<-END
343
+ {
344
+ "@timestamp":"2015-10-08T19:06:29.000Z",
345
+ "netflow": {
346
+ "version":9,
347
+ "flow_seq_num":1,
348
+ "flowset_id":257,
349
+ "in_bytes":200,
350
+ "in_pkts":2,
351
+ "protocol":6,
352
+ "src_tos":16,
353
+ "tcp_flags":24,
354
+ "l4_src_port":22,
355
+ "ipv4_src_addr":"172.16.32.201",
356
+ "src_mask":0,
357
+ "input_snmp":0,
358
+ "l4_dst_port":65058,
359
+ "ipv4_dst_addr":"172.16.32.1",
360
+ "dst_mask":0,
361
+ "output_snmp":0,
362
+ "ipv4_next_hop":"0.0.0.0",
363
+ "src_as":0,
364
+ "dst_as":0,
365
+ "last_switched":"2015-10-08T19:05:56.999Z",
366
+ "first_switched":"2015-10-08T19:05:56.999Z"
367
+ },
368
+ "@version":"1"
369
+ }
370
+ END
371
+
372
+ events.map{|event| event.gsub(/\s+/, "")}
373
+ end
374
+
375
+ # These tests will start to fail whenever options template decoding is added.
376
+ # Nprobe includes options templates, which this test included a sample from.
377
+ # Currently it is not decoded, but if it is, decode.size will be 9, and
378
+ # the packet currently identified with decode[7] will be decode[8]
379
+
380
+ it "should decode raw data" do
381
+ expect(decode.size).to eq(9)
382
+ expect(decode[1]["[netflow][l4_src_port]"]).to eq(123)
383
+ expect(decode[8]["[netflow][l4_src_port]"]).to eq(22)
384
+ end
385
+
386
+ it "should serialize to json" do
387
+ expect(JSON.parse(decode[1].to_json)).to eq(JSON.parse(json_events[0]))
388
+ expect(JSON.parse(decode[8].to_json)).to eq(JSON.parse(json_events[1]))
389
+ end
390
+ end
391
+
392
+ context "Netflow 9 invalid 01 " do
393
+ let(:data) do
394
+ data = []
395
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_invalid01.dat"), :mode => "rb")
396
+ end
397
+
398
+ it "should not raise_error" do
399
+ expect{decode.size}.not_to raise_error
400
+ end
401
+ end
402
+
403
+ context "Netflow 9 options template with scope fields" do
404
+ let(:data) do
405
+ data = []
406
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_nprobe_tpl.dat"), :mode => "rb")
407
+ end
408
+
409
+ let(:json_events) do
410
+ events = []
411
+ events << <<-END
412
+ {
413
+ "@timestamp":"2015-10-08T19:06:29.000Z",
414
+ "netflow": {
415
+ "version":9,
416
+ "flow_seq_num":0,
417
+ "flowset_id":259,
418
+ "scope_system":0,
419
+ "total_flows_exp":1,
420
+ "total_pkts_exp":0
421
+ },
422
+ "@version":"1"
423
+ }
424
+ END
425
+
426
+ events.map{|event| event.gsub(/\s+/, "")}
427
+ end
428
+
429
+ it "should serialize to json" do
430
+ expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
431
+ end
432
+
433
+ it "should decode raw data" do
434
+ expect(decode[0]["[netflow][scope_system]"]).to eq(0)
435
+ expect(decode[0]["[netflow][total_flows_exp]"]).to eq(1)
436
+ end
437
+ end
438
+
439
+ context "IPFIX" do
440
+ let(:data) do
441
+ # this netflow raw data was produced with softflowd and captured with netcat
442
+ # softflowd -D -i eth0 -v 10 -t maxlife=1 -n 127.0.01:8765
443
+ # nc -k -4 -u -l 127.0.0.1 8765 > ipfix.dat
444
+ data = []
445
+ data << IO.read(File.join(File.dirname(__FILE__), "ipfix.dat"), :mode => "rb")
446
+ end
447
+
448
+ let(:json_events) do
449
+ events = []
450
+ events << <<-END
451
+ {
452
+ "@timestamp": "2015-05-13T11:20:26.000Z",
453
+ "netflow": {
454
+ "version": 10,
455
+ "meteringProcessId": 2679,
456
+ "systemInitTimeMilliseconds": 1431516013506,
457
+ "selectorAlgorithm": 1,
458
+ "samplingPacketInterval": 1,
459
+ "samplingPacketSpace": 0
460
+ },
461
+ "@version": "1"
462
+ }
463
+ END
464
+
465
+ events << <<-END
466
+ {
467
+ "@timestamp": "2015-05-13T11:20:26.000Z",
468
+ "netflow": {
469
+ "version": 10,
470
+ "sourceIPv4Address": "192.168.253.1",
471
+ "destinationIPv4Address": "192.168.253.128",
472
+ "octetDeltaCount": 260,
473
+ "packetDeltaCount": 5,
474
+ "ingressInterface": 0,
475
+ "egressInterface": 0,
476
+ "sourceTransportPort": 60560,
477
+ "destinationTransportPort": 22,
478
+ "protocolIdentifier": 6,
479
+ "tcpControlBits": 16,
480
+ "ipVersion": 4,
481
+ "ipClassOfService": 0,
482
+ "icmpTypeCodeIPv4": 0,
483
+ "vlanId": 0,
484
+ "flowStartSysUpTime": 0,
485
+ "flowEndSysUpTime": 12726
486
+ },
487
+ "@version": "1"
488
+ }
489
+ END
490
+
491
+ events << <<-END
492
+ {
493
+ "@timestamp": "2015-05-13T11:20:26.000Z",
494
+ "netflow": {
495
+ "version": 10,
496
+ "sourceIPv4Address": "192.168.253.128",
497
+ "destinationIPv4Address": "192.168.253.1",
498
+ "octetDeltaCount": 1000,
499
+ "packetDeltaCount": 6,
500
+ "ingressInterface": 0,
501
+ "egressInterface": 0,
502
+ "sourceTransportPort": 22,
503
+ "destinationTransportPort": 60560,
504
+ "protocolIdentifier": 6,
505
+ "tcpControlBits": 24,
506
+ "ipVersion": 4,
507
+ "ipClassOfService": 0,
508
+ "icmpTypeCodeIPv4": 0,
509
+ "vlanId": 0,
510
+ "flowStartSysUpTime": 0,
511
+ "flowEndSysUpTime": 12726
512
+ },
513
+ "@version": "1"
514
+ }
515
+ END
516
+
517
+ events << <<-END
518
+ {
519
+ "@timestamp": "2015-05-13T11:20:26.000Z",
520
+ "netflow": {
521
+ "version": 10,
522
+ "sourceIPv4Address": "192.168.253.2",
523
+ "destinationIPv4Address": "192.168.253.132",
524
+ "octetDeltaCount": 601,
525
+ "packetDeltaCount": 2,
526
+ "ingressInterface": 0,
527
+ "egressInterface": 0,
528
+ "sourceTransportPort": 53,
529
+ "destinationTransportPort": 35262,
530
+ "protocolIdentifier": 17,
531
+ "tcpControlBits": 0,
532
+ "ipVersion": 4,
533
+ "ipClassOfService": 0,
534
+ "icmpTypeCodeIPv4": 0,
535
+ "vlanId": 0,
536
+ "flowStartSysUpTime": 1104,
537
+ "flowEndSysUpTime": 1142
538
+ },
539
+ "@version": "1"
540
+ }
541
+ END
542
+
543
+ events << <<-END
544
+ {
545
+ "@timestamp": "2015-05-13T11:20:26.000Z",
546
+ "netflow": {
547
+ "version": 10,
548
+ "sourceIPv4Address": "192.168.253.132",
549
+ "destinationIPv4Address": "192.168.253.2",
550
+ "octetDeltaCount": 148,
551
+ "packetDeltaCount": 2,
552
+ "ingressInterface": 0,
553
+ "egressInterface": 0,
554
+ "sourceTransportPort": 35262,
555
+ "destinationTransportPort": 53,
556
+ "protocolIdentifier": 17,
557
+ "tcpControlBits": 0,
558
+ "ipVersion": 4,
559
+ "ipClassOfService": 0,
560
+ "icmpTypeCodeIPv4": 0,
561
+ "vlanId": 0,
562
+ "flowStartSysUpTime": 1104,
563
+ "flowEndSysUpTime": 1142
564
+ },
565
+ "@version": "1"
566
+ }
567
+ END
568
+
569
+ events << <<-END
570
+ {
571
+ "@timestamp": "2015-05-13T11:20:26.000Z",
572
+ "netflow": {
573
+ "version": 10,
574
+ "sourceIPv4Address": "54.214.9.161",
575
+ "destinationIPv4Address": "192.168.253.132",
576
+ "octetDeltaCount": 5946,
577
+ "packetDeltaCount": 14,
578
+ "ingressInterface": 0,
579
+ "egressInterface": 0,
580
+ "sourceTransportPort": 443,
581
+ "destinationTransportPort": 49935,
582
+ "protocolIdentifier": 6,
583
+ "tcpControlBits": 26,
584
+ "ipVersion": 4,
585
+ "ipClassOfService": 0,
586
+ "icmpTypeCodeIPv4": 0,
587
+ "vlanId": 0,
588
+ "flowStartSysUpTime": 1142,
589
+ "flowEndSysUpTime": 2392
590
+ },
591
+ "@version": "1"
592
+ }
593
+ END
594
+
595
+ events << <<-END
596
+ {
597
+ "@timestamp": "2015-05-13T11:20:26.000Z",
598
+ "netflow": {
599
+ "version": 10,
600
+ "sourceIPv4Address": "192.168.253.132",
601
+ "destinationIPv4Address": "54.214.9.161",
602
+ "octetDeltaCount": 2608,
603
+ "packetDeltaCount": 13,
604
+ "ingressInterface": 0,
605
+ "egressInterface": 0,
606
+ "sourceTransportPort": 49935,
607
+ "destinationTransportPort": 443,
608
+ "protocolIdentifier": 6,
609
+ "tcpControlBits": 26,
610
+ "ipVersion": 4,
611
+ "ipClassOfService": 0,
612
+ "icmpTypeCodeIPv4": 0,
613
+ "vlanId": 0,
614
+ "flowStartSysUpTime": 1142,
615
+ "flowEndSysUpTime": 2392
616
+ },
617
+ "@version": "1"
618
+ }
619
+ END
620
+
621
+ events.map{|event| event.gsub(/\s+/, "")}
622
+ end
623
+
624
+ it "should decode raw data" do
625
+ expect(decode.size).to eq(7)
626
+
627
+ expect(decode[0]["[netflow][version]"]).to eq(10)
628
+ expect(decode[0]["[netflow][systemInitTimeMilliseconds]"]).to eq(1431516013506)
629
+
630
+ expect(decode[1]["[netflow][version]"]).to eq(10)
631
+ expect(decode[1]["[netflow][sourceIPv4Address]"]).to eq("192.168.253.1")
632
+ expect(decode[1]["[netflow][destinationIPv4Address]"]).to eq("192.168.253.128")
633
+ expect(decode[1]["[netflow][sourceTransportPort]"]).to eq(60560)
634
+ expect(decode[1]["[netflow][destinationTransportPort]"]).to eq(22)
635
+ expect(decode[1]["[netflow][protocolIdentifier]"]).to eq(6)
636
+ expect(decode[1]["[netflow][tcpControlBits]"]).to eq(16)
637
+
638
+ expect(decode[2]["[netflow][version]"]).to eq(10)
639
+ expect(decode[2]["[netflow][sourceIPv4Address]"]).to eq("192.168.253.128")
640
+ expect(decode[2]["[netflow][destinationIPv4Address]"]).to eq("192.168.253.1")
641
+ expect(decode[2]["[netflow][sourceTransportPort]"]).to eq(22)
642
+ expect(decode[2]["[netflow][destinationTransportPort]"]).to eq(60560)
643
+ expect(decode[2]["[netflow][protocolIdentifier]"]).to eq(6)
644
+ expect(decode[2]["[netflow][tcpControlBits]"]).to eq(24)
645
+
646
+ expect(decode[3]["[netflow][sourceIPv4Address]"]).to eq("192.168.253.2")
647
+ expect(decode[3]["[netflow][destinationIPv4Address]"]).to eq("192.168.253.132")
648
+ expect(decode[3]["[netflow][sourceTransportPort]"]).to eq(53)
649
+ expect(decode[3]["[netflow][destinationTransportPort]"]).to eq(35262)
650
+ expect(decode[3]["[netflow][protocolIdentifier]"]).to eq(17)
651
+
652
+ expect(decode[4]["[netflow][sourceIPv4Address]"]).to eq("192.168.253.132")
653
+ expect(decode[4]["[netflow][destinationIPv4Address]"]).to eq("192.168.253.2")
654
+ expect(decode[4]["[netflow][sourceTransportPort]"]).to eq(35262)
655
+ expect(decode[4]["[netflow][destinationTransportPort]"]).to eq(53)
656
+ expect(decode[4]["[netflow][protocolIdentifier]"]).to eq(17)
657
+
658
+ expect(decode[5]["[netflow][sourceIPv4Address]"]).to eq("54.214.9.161")
659
+ expect(decode[5]["[netflow][destinationIPv4Address]"]).to eq("192.168.253.132")
660
+ expect(decode[5]["[netflow][sourceTransportPort]"]).to eq(443)
661
+ expect(decode[5]["[netflow][destinationTransportPort]"]).to eq(49935)
662
+ expect(decode[5]["[netflow][protocolIdentifier]"]).to eq(6)
663
+ expect(decode[5]["[netflow][tcpControlBits]"]).to eq(26)
664
+
665
+ expect(decode[6]["[netflow][sourceIPv4Address]"]).to eq("192.168.253.132")
666
+ expect(decode[6]["[netflow][destinationIPv4Address]"]).to eq("54.214.9.161")
667
+ expect(decode[6]["[netflow][sourceTransportPort]"]).to eq(49935)
668
+ expect(decode[6]["[netflow][destinationTransportPort]"]).to eq(443)
669
+ expect(decode[6]["[netflow][protocolIdentifier]"]).to eq(6)
670
+ expect(decode[6]["[netflow][tcpControlBits]"]).to eq(26)
205
671
  end
206
672
 
207
673
  it "should serialize to json" do
208
- # generated json order can change with different implementation, convert back to hash to compare.
209
674
  expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
210
675
  expect(JSON.parse(decode[1].to_json)).to eq(JSON.parse(json_events[1]))
676
+ expect(JSON.parse(decode[2].to_json)).to eq(JSON.parse(json_events[2]))
677
+ expect(JSON.parse(decode[3].to_json)).to eq(JSON.parse(json_events[3]))
678
+ expect(JSON.parse(decode[4].to_json)).to eq(JSON.parse(json_events[4]))
679
+ expect(JSON.parse(decode[5].to_json)).to eq(JSON.parse(json_events[5]))
680
+ expect(JSON.parse(decode[6].to_json)).to eq(JSON.parse(json_events[6]))
211
681
  end
212
682
  end
683
+
213
684
  end