logstash-codec-netflow 4.0.1 → 4.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/CONTRIBUTORS +1 -0
- data/lib/logstash/codecs/netflow.rb +5 -0
- data/lib/logstash/codecs/netflow/util.rb +3 -2
- data/logstash-codec-netflow.gemspec +1 -1
- data/spec/codecs/netflow9_test_paloalto_81_data257_1flowset_in_large_zerofilled_packet.dat +0 -0
- data/spec/codecs/netflow9_test_paloalto_81_tpl256-263.dat +0 -0
- data/spec/codecs/netflow_spec.rb +54 -0
- metadata +6 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c084b2195cdbabfc99579731def8db53f698c55f
|
|
4
|
+
data.tar.gz: 29cc163ea5580dfd7b1ee509284d0bbb7dd50892
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3d667327d46d640196d68ed90664f1af9eb257e0a0768f9f7bb548483a7de3fa29561db84cd6e09a5e5be26e1dd11c7d9a42d18df82348c40ba883e17283ce64
|
|
7
|
+
data.tar.gz: 87d7ff7dc82dae754633f58849c4a08beae62722cdb24b2eba6fe5d3fc94c19f3ddb1e6ffbcd046b6044560be74e7784aa434b20331ab8a26c7f9c2765b9657d
|
data/CHANGELOG.md
CHANGED
data/CONTRIBUTORS
CHANGED
|
@@ -183,6 +183,11 @@ class LogStash::Codecs::Netflow < LogStash::Codecs::Base
|
|
|
183
183
|
def decode_netflow9(flowset, record, metadata = nil)
|
|
184
184
|
events = []
|
|
185
185
|
|
|
186
|
+
# Check for block of trailing padding
|
|
187
|
+
if record.flowset_length == 0
|
|
188
|
+
return events
|
|
189
|
+
end
|
|
190
|
+
|
|
186
191
|
case record.flowset_id
|
|
187
192
|
when 0..1
|
|
188
193
|
# Template flowset
|
|
@@ -379,7 +379,7 @@ end
|
|
|
379
379
|
|
|
380
380
|
class NetflowTemplateFlowset < BinData::Record
|
|
381
381
|
endian :big
|
|
382
|
-
array :templates, :read_until => lambda { array.num_bytes == flowset_length - 4 } do
|
|
382
|
+
array :templates, :read_until => lambda { flowset_length == 0 || array.num_bytes == flowset_length - 4 } do
|
|
383
383
|
uint16 :template_id
|
|
384
384
|
uint16 :field_count
|
|
385
385
|
array :record_fields, :initial_length => :field_count do
|
|
@@ -387,6 +387,7 @@ class NetflowTemplateFlowset < BinData::Record
|
|
|
387
387
|
uint16 :field_length
|
|
388
388
|
end
|
|
389
389
|
end
|
|
390
|
+
rest :rest, :onlyif => lambda { flowset_length == 0 }
|
|
390
391
|
end
|
|
391
392
|
|
|
392
393
|
class NetflowOptionFlowset < BinData::Record
|
|
@@ -417,7 +418,7 @@ class Netflow9PDU < BinData::Record
|
|
|
417
418
|
uint32 :source_id
|
|
418
419
|
array :records, :read_until => :eof do
|
|
419
420
|
uint16 :flowset_id, :assert => lambda { [0, 1, *(256..65535)].include?(flowset_id) }
|
|
420
|
-
uint16 :flowset_length, :assert => lambda { flowset_length > 4 }
|
|
421
|
+
uint16 :flowset_length, :assert => lambda { flowset_length == 0 || flowset_length > 4 }
|
|
421
422
|
choice :flowset_data, :selection => :flowset_id do
|
|
422
423
|
netflow_template_flowset 0
|
|
423
424
|
netflow_option_flowset 1
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-codec-netflow'
|
|
4
|
-
s.version = '4.0.
|
|
4
|
+
s.version = '4.0.2'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "Reads Netflow v5, Netflow v9 and IPFIX data"
|
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
|
Binary file
|
|
Binary file
|
data/spec/codecs/netflow_spec.rb
CHANGED
|
@@ -1101,6 +1101,60 @@ describe LogStash::Codecs::Netflow do
|
|
|
1101
1101
|
|
|
1102
1102
|
end
|
|
1103
1103
|
|
|
1104
|
+
context "Netflow 9 Palo Alto 1 flowset in large zero filled packet" do
|
|
1105
|
+
let(:data) do
|
|
1106
|
+
packets = []
|
|
1107
|
+
packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_paloalto_81_tpl256-263.dat"), :mode => "rb")
|
|
1108
|
+
packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_paloalto_81_data257_1flowset_in_large_zerofilled_packet.dat"), :mode => "rb")
|
|
1109
|
+
end
|
|
1110
|
+
|
|
1111
|
+
let(:json_events) do
|
|
1112
|
+
events = []
|
|
1113
|
+
events << <<-END
|
|
1114
|
+
{
|
|
1115
|
+
"netflow": {
|
|
1116
|
+
"output_snmp":500010002,
|
|
1117
|
+
"icmp_type":0,
|
|
1118
|
+
"in_pkts":3,
|
|
1119
|
+
"src_tos":0,
|
|
1120
|
+
"ipv4_dst_addr":"134.220.1.156",
|
|
1121
|
+
"first_switched":"2018-06-06T13:20:03.000Z",
|
|
1122
|
+
"flowset_id":257,
|
|
1123
|
+
"l4_src_port":88,
|
|
1124
|
+
"fw_event":2,
|
|
1125
|
+
"version":9,
|
|
1126
|
+
"flow_seq_num":970830115,
|
|
1127
|
+
"ipv4_src_addr":"134.220.2.6",
|
|
1128
|
+
"in_bytes":363,
|
|
1129
|
+
"protocol":6,
|
|
1130
|
+
"tcp_flags":94,
|
|
1131
|
+
"input_snmp":500010024,
|
|
1132
|
+
"last_switched":"2018-06-06T13:20:03.000Z",
|
|
1133
|
+
"user_id":"unknown",
|
|
1134
|
+
"conn_id":1428388,
|
|
1135
|
+
"privateEnterpriseNumber":25461,
|
|
1136
|
+
"l4_dst_port":50234,
|
|
1137
|
+
"app_id":"kerberos",
|
|
1138
|
+
"direction":0
|
|
1139
|
+
},
|
|
1140
|
+
"@timestamp":"2018-06-06T13:20:17.000Z",
|
|
1141
|
+
"@version":"1"
|
|
1142
|
+
}
|
|
1143
|
+
END
|
|
1144
|
+
events.map{|event| event.gsub(/\s+/, "")}
|
|
1145
|
+
end
|
|
1146
|
+
|
|
1147
|
+
it "should decode raw data" do
|
|
1148
|
+
expect(decode.size).to eq(1)
|
|
1149
|
+
expect(decode[0].get("[netflow][app_id]")).to eq("kerberos")
|
|
1150
|
+
expect(decode[0].get("[netflow][ipv4_src_addr]")).to eq("134.220.2.6")
|
|
1151
|
+
end
|
|
1152
|
+
|
|
1153
|
+
it "should serialize to json" do
|
|
1154
|
+
expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
|
|
1155
|
+
end
|
|
1156
|
+
|
|
1157
|
+
end
|
|
1104
1158
|
|
|
1105
1159
|
context "Netflow 9 Fortigate FortiOS 54x appid" do
|
|
1106
1160
|
let(:data) do
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-codec-netflow
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.0.
|
|
4
|
+
version: 4.0.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Elastic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-06-
|
|
11
|
+
date: 2018-06-24 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -154,6 +154,8 @@ files:
|
|
|
154
154
|
- spec/codecs/netflow9_test_nprobe_data.dat
|
|
155
155
|
- spec/codecs/netflow9_test_nprobe_dpi.dat
|
|
156
156
|
- spec/codecs/netflow9_test_nprobe_tpl.dat
|
|
157
|
+
- spec/codecs/netflow9_test_paloalto_81_data257_1flowset_in_large_zerofilled_packet.dat
|
|
158
|
+
- spec/codecs/netflow9_test_paloalto_81_tpl256-263.dat
|
|
157
159
|
- spec/codecs/netflow9_test_paloalto_panos_data.dat
|
|
158
160
|
- spec/codecs/netflow9_test_paloalto_panos_tpl.dat
|
|
159
161
|
- spec/codecs/netflow9_test_softflowd_tpl_data.dat
|
|
@@ -274,6 +276,8 @@ test_files:
|
|
|
274
276
|
- spec/codecs/netflow9_test_nprobe_data.dat
|
|
275
277
|
- spec/codecs/netflow9_test_nprobe_dpi.dat
|
|
276
278
|
- spec/codecs/netflow9_test_nprobe_tpl.dat
|
|
279
|
+
- spec/codecs/netflow9_test_paloalto_81_data257_1flowset_in_large_zerofilled_packet.dat
|
|
280
|
+
- spec/codecs/netflow9_test_paloalto_81_tpl256-263.dat
|
|
277
281
|
- spec/codecs/netflow9_test_paloalto_panos_data.dat
|
|
278
282
|
- spec/codecs/netflow9_test_paloalto_panos_tpl.dat
|
|
279
283
|
- spec/codecs/netflow9_test_softflowd_tpl_data.dat
|