logstash-codec-netflow 4.1.2 → 4.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 4c7ac0e49278603cd5a4f4ffc40824a17aa9db67
4
- data.tar.gz: 5e9d278f6b727985bcc5e851e8f75fa26137a888
3
+ metadata.gz: f2e6d54d4cdca81ee9644aed1eeae50bb8a9d1ee
4
+ data.tar.gz: 6ba6e2b5d731d3307de736e8e56d010e27ad2fcc
5
5
  SHA512:
6
- metadata.gz: 875b0d6ce0f50124fc0fe5e5c3d6f33ecf226e4b764f968ec2fbb6233d08c080a40fd779708364cbda1c5619dc1cf007d61f76d35b6be6eeb0ed435ca266c687
7
- data.tar.gz: a9595b104f90d311745636dc2a26ab83ab72d9a35ec37b625aec4f47b35fd74c1b2b87bf84a4c21b086b92b3a217cc926248d9fd59e7ce46163fb96f5663a325
6
+ metadata.gz: e03f252f4070524376db990d4e5e511bb4eae836f205638f1a0de9a328355b52a571c0805a9a71e9e3eeb0facd840a03acceaf94572087f6dfe2c14ab988643b
7
+ data.tar.gz: 7d355546ea91c3daf872e45cc9a6f9f1e1e00c8b5e5d3a4f16c89ac835bb25d95872f48406d7a2141ef068b545e9b1950ca5b24d6b32c8d9211f512a4242ea63
@@ -1,3 +1,9 @@
1
+ ## 4.2.0
2
+
3
+ - Added Cisco ACI to list of known working Netflow v9 exporters
4
+ - Added support for IXIA Packet Broker IPFIX
5
+ - Fixed issue with Procera float fields
6
+
1
7
  ## 4.1.2
2
8
 
3
9
  - Fixed issue where TTL in template registry was not being respected.
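Review bot: The 4.2.0 entry lists three changes but leaves out the rewrite of IP6Addr#get in util.rb that ships in the same release (hex string plus IPAddr.new instead of IPAddr.new_ntoh). That code sits on the decoding path of every IPv6 field, so it deserves its own changelog line for operators who diff decoded output between versions.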
@@ -4,6 +4,7 @@ reports, or in general have helped logstash along its way.
4
4
  Contributors:
5
5
  * Aaron Mildenstein (untergeek)
6
6
  * Adam Kaminski (thimslugga)
7
+ * Ana (janniten)
7
8
  * Andrew Cholakian (andrewvc)
8
9
  * Ayden Beeson (abeeson)
9
10
  * Bjørn Ruberg (bruberg)
@@ -27,6 +28,7 @@ Contributors:
27
28
  * Paul Warren (pwarren)
28
29
  * Pedro de Oliveira
29
30
  * Philipp Kahr
31
+ * Philippe Veys
30
32
  * Pier-Hugues Pellerin (ph)
31
33
  * Pulkit Agrawal (propulkit)
32
34
  * Raju Nair (rajutech76)
@@ -36,6 +36,7 @@ The following Netflow/IPFIX exporters have been seen and tested with the most re
36
36
  |===========================================================================================
37
37
  |Netflow exporter | v5 | v9 | IPFIX | Remarks
38
38
  |Barracuda Firewall | | | y | With support for Extended Uniflow
39
+ |Cisco ACI | | y | |
39
40
  |Cisco ASA | | y | |
40
41
  |Cisco ASR 1k | | | N | Fails because of duplicate fields
41
42
  |Cisco ASR 9k | | y | |
@@ -47,6 +48,7 @@ The following Netflow/IPFIX exporters have been seen and tested with the most re
47
48
  |Fortigate FortiOS | | y | |
48
49
  |Huawei Netstream | | y | |
49
50
  |ipt_NETFLOW | y | y | y |
51
+ |IXIA packet broker | | | y |
50
52
  |Juniper MX | y | | y | SW > 12.3R8. Fails to decode IPFIX from Junos 16.1 due to duplicate field names which we currently don't support.
51
53
  |Mikrotik | y | | y | http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow
52
54
  |nProbe | y | y | y | L7 DPI fields now also supported
@@ -3743,16 +3743,16 @@
3743
3743
  - :string
3744
3744
  - :proceraGgsn
3745
3745
  38:
3746
- - :float32
3746
+ - :float
3747
3747
  - :proceraQoeIncomingInternal
3748
3748
  39:
3749
- - :float32
3749
+ - :float
3750
3750
  - :proceraQoeIncomingExternal
3751
3751
  40:
3752
- - :float32
3752
+ - :float
3753
3753
  - :proceraQoeOutgoingInternal
3754
3754
  41:
3755
- - :float32
3755
+ - :float
3756
3756
  - :proceraQoeOutgoingExternal
3757
3757
  42:
3758
3758
  - :ip4_addr
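Review bot: Fields 38 to 41 switch from :float32 to :float, but no spec hunk in this diff adds or changes a Procera expectation, so the fix named in the changelog is not pinned by a test here. Add an assertion on one decoded proceraQoe* value (the package already lists ipfix_test_procera_data52935.dat) so a later type rename cannot silently break these fields again.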
@@ -3846,3 +3846,122 @@
3846
3846
  12:
3847
3847
  - :uint32
3848
3848
  - :AuditCounter
3849
+ # Ixia Communications (3054)
3850
+ 3054:
3851
+ 110:
3852
+ - :uint32
3853
+ - :ixiaL7AppId
3854
+ 111:
3855
+ - :string
3856
+ - :ixiaL7AppName
3857
+ 120:
3858
+ - :string
3859
+ - :ixiaSrcCountryCode
3860
+ 121:
3861
+ - :string
3862
+ - :ixiaSrcCountryName
3863
+ 122:
3864
+ - :string
3865
+ - :ixiaSrcRegionCode
3866
+ 123:
3867
+ - :string
3868
+ - :ixiaSrcRegionName
3869
+ 125:
3870
+ - :string
3871
+ - :ixiaSrcCityName
3872
+ 126:
3873
+ - :float
3874
+ - :ixiaSrcLatitude
3875
+ 127:
3876
+ - :float
3877
+ - :ixiaSrcLongitude
3878
+ 140:
3879
+ - :string
3880
+ - :ixiaDstCountryCode
3881
+ 141:
3882
+ - :string
3883
+ - :ixiaDstCountryName
3884
+ 142:
3885
+ - :string
3886
+ - :ixiaDstRegionCode
3887
+ 143:
3888
+ - :string
3889
+ - :ixiaDstRegionNode
3890
+ 145:
3891
+ - :string
3892
+ - :ixiaDstCityName
3893
+ 146:
3894
+ - :float
3895
+ - :ixiaDstLatitude
3896
+ 147:
3897
+ - :float
3898
+ - :ixiaDstLongitude
3899
+ 160:
3900
+ - :uint8
3901
+ - :ixiaDeviceId
3902
+ 161:
3903
+ - :string
3904
+ - :ixiaDeviceName
3905
+ 162:
3906
+ - :uint8
3907
+ - :ixiaBrowserId
3908
+ 163:
3909
+ - :string
3910
+ - :ixiaBrowserName
3911
+ 176:
3912
+ - :uint64
3913
+ - :ixiaRevOctetDeltaCount
3914
+ 177:
3915
+ - :uint64
3916
+ - :ixiaRevPacketDeltaCount
3917
+ 178:
3918
+ - :string
3919
+ - :ixiaEncryptType
3920
+ 179:
3921
+ - :string
3922
+ - :ixiaEncryptCipher
3923
+ 180:
3924
+ - :uint16
3925
+ - :ixiaEncryptKeyLength
3926
+ 181:
3927
+ - :string
3928
+ - :ixiaImsiSubscriber
3929
+ 182:
3930
+ - :string
3931
+ - :ixiaHttpUserAgent
3932
+ 183:
3933
+ - :string
3934
+ - :ixiaHttpHostName
3935
+ 184:
3936
+ - :string
3937
+ - :ixiaHttpUri
3938
+ 185:
3939
+ - :string
3940
+ - :ixiaDnsRecordTxt
3941
+ 186:
3942
+ - :string
3943
+ - :ixiaSrcAsName
3944
+ 187:
3945
+ - :string
3946
+ - :ixiaDstAsName
3947
+ 188:
3948
+ - :uint32
3949
+ - :ixiaLatency
3950
+ 189:
3951
+ - :string
3952
+ - :ixiaDnsQuery
3953
+ 190:
3954
+ - :string
3955
+ - :ixiaDnsAnswer
3956
+ 191:
3957
+ - :string
3958
+ - :ixiaDnsClasses
3959
+ 192:
3960
+ - :string
3961
+ - :ixiaThreatType
3962
+ 193:
3963
+ - :ip4_addr
3964
+ - :ixiaThreatIPv4
3965
+ 194:
3966
+ - :ip4_addr
3967
+ - :ixiaThreatIPv6
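Review bot: Two entries in the new 3054 block look wrong. Field 194, ixiaThreatIPv6, is declared as :ip4_addr, the same type as field 193 (ixiaThreatIPv4); it should use the codec's IPv6 address type (util.rb has an IP6Addr primitive), otherwise the value is decoded with the wrong presentation. Field 143 is named ixiaDstRegionNode while its source-side counterpart 123 is ixiaSrcRegionName, which reads like a typo for ixiaDstRegionName and would leave queries over the Src/Dst pair mismatched. Neither field appears in the expected JSON of the IXIA spec added in this release, so the tests would not catch either one.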
@@ -36,13 +36,13 @@ class IP6Addr < BinData::Primitive
36
36
  end
37
37
 
38
38
  def get
39
- # There faster implementations, however they come with the
39
+ # There are faster implementations, however they come with the
40
40
  # loss of compressed IPv6 notation.
41
41
  # For benchmarks see spec/codecs/benchmarks/IP6Addr.rb
42
42
  unless self.storage.nil?
43
- IPAddr.new_ntoh((0..7).map { |i|
44
- (self.storage >> (112 - 16 * i)) & 0xffff
45
- }.pack('n8')).to_s
43
+ b = "%032x" % self.storage
44
+ c = b[0..3] + ":" + b[4..7] + ":" + b[8..11] + ":" + b[12..15] + ":" + b[16..19] + ":" + b[20..23] + ":" + b[24..27] + ":" + b[28..31]
45
+ IPAddr.new(c).to_s
46
46
  end
47
47
  end
48
48
  end
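Review bot: The new body of get builds the address through two single-letter temporaries (b, c) and an eight-way string concatenation, which is hard to audit for a wrong slice bound. A single expression such as ("%032x" % self.storage).scan(/.{4}/).join(":") passed to IPAddr.new states the same conversion and removes the hand-written index ranges.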
@@ -1,7 +1,7 @@
1
1
  Gem::Specification.new do |s|
2
2
 
3
3
  s.name = 'logstash-codec-netflow'
4
- s.version = '4.1.2'
4
+ s.version = '4.2.0'
5
5
  s.licenses = ['Apache License (2.0)']
6
6
  s.summary = "Reads Netflow v5, Netflow v9 and IPFIX data"
7
7
  s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
@@ -1,16 +1,28 @@
1
1
  require 'benchmark'
2
2
  require 'ipaddr'
3
+ require 'bindata'
3
4
 
4
5
  Benchmark.bm do |x|
5
6
  x.report {
6
- # Implementation pre v3.11.0
7
+ # Implementation since v0.1
7
8
  ip = 85060308944708794891899627827609206785
8
9
  2000000.times do
9
- IPAddr.new_ntoh([ip].pack('N')).to_s
10
+ IPAddr.new_ntoh((0..7).map { |i|
11
+ (ip >> (112 - 16 * i)) & 0xffff
12
+ }.pack('n8')).to_s
10
13
  end }
11
14
 
12
15
  x.report {
13
- # Implementation as of v3.11.2
16
+ # Implementation since v4.2.0
17
+ ip = 85060308944708794891899627827609206785
18
+ 2000000.times do
19
+ b = "%032x" % ip
20
+ c = b[0..3] + ":" + b[4..7] + ":" + b[8..11] + ":" + b[12..15] + ":" + b[16..19] + ":" + b[20..23] + ":" + b[24..27] + ":" + b[28..31]
21
+ IPAddr.new(c).to_s
22
+ end }
23
+
24
+ x.report {
25
+ # Alternative. Loses compressed IPv6 notation
14
26
  ip = 85060308944708794891899627827609206785
15
27
  2000000.times do
16
28
  b = "%032x" % ip
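Review bot: require 'bindata' is added at the top, but none of the report blocks visible in this hunk use BinData; they only call IPAddr and string formatting on an Integer. Drop the require unless a block outside the hunk needs it.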
@@ -20,5 +32,7 @@ Benchmark.bm do |x|
20
32
  end
21
33
 
22
34
  # user system total real
23
- # 21.800000 0.000000 21.800000 ( 21.811893)
24
- # 11.760000 0.000000 11.760000 ( 11.768260)
35
+ # 81.500000 0.000000 81.500000 ( 81.498991)
36
+ # 78.210000 0.000000 78.210000 ( 78.252662)
37
+ # 11.710000 0.010000 11.720000 ( 11.712025)
38
+
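Review bot: The three result rows are unlabeled, so the reader has to map them to the report blocks by position. Pass a label to each x.report, as benchmark_fields.rb in this same release does, and say in the comment that the implementation shipped in v4.2.0 (78.2 s) is only about 4% faster than the one it replaces (81.5 s), while the alternative that loses compressed notation runs in 11.7 s.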
@@ -30,3 +30,5 @@ end
30
30
  # 4.410000 0.000000 4.410000 ( 4.411973)
31
31
  # 6.450000 0.000000 6.450000 ( 6.446321)
32
32
 
33
+
34
+
@@ -0,0 +1,65 @@
1
+ require 'benchmark'
2
+ require 'bindata'
3
+ require '../../../lib/logstash/codecs/netflow/util.rb'
4
+
5
+ Benchmark.bm(16) do |x|
6
+ x.report("IP4Addr") {
7
+ data = ["344c01f9"].pack("H*")
8
+ 200000.times do
9
+ IP4Addr.read(data)
10
+ end }
11
+
12
+ x.report("IP6Addr") {
13
+ data = ["fe80000000000000e68d8cfffe20ede6"].pack("H*")
14
+ 200000.times do
15
+ IP6Addr.read(data)
16
+ end }
17
+
18
+ x.report("IP6Addr_Test") {
19
+ data = ["fe80000000000000e68d8cfffe20ede6"].pack("H*")
20
+ 200000.times do
21
+ IP6Addr_Test.read(data)
22
+ end }
23
+
24
+ x.report("MacAddr") {
25
+ data = ["005056c00001"].pack("H*")
26
+ 200000.times do
27
+ MacAddr.read(data)
28
+ end }
29
+
30
+ x.report("ACLIdASA") {
31
+ data = ["433a1af1be9efe9600000000"].pack("H*")
32
+ 200000.times do
33
+ ACLIdASA.read(data)
34
+ end }
35
+
36
+ x.report("Application_Id64") {
37
+ data = ["140000304400003dc8"].pack("H*")
38
+ 200000.times do
39
+ Application_Id64.read(data)
40
+ end }
41
+
42
+ x.report("VarString") {
43
+ data = ["184c534e34344031302e3233312e3232332e31313300000000"].pack("H*")
44
+ 200000.times do
45
+ VarString.read(data)
46
+ end }
47
+
48
+ x.report("VarString_Test") {
49
+ data = ["184c534e34344031302e3233312e3232332e31313300000000"].pack("H*")
50
+ 200000.times do
51
+ VarString_Test.read(data)
52
+ end }
53
+
54
+ end
55
+
56
+ # user system total real
57
+ # IP4Addr 24.120000 0.000000 24.120000 ( 24.123782)
58
+ # IP6Addr 37.940000 0.010000 37.950000 ( 37.950464)
59
+ # MacAddr 25.270000 0.000000 25.270000 ( 25.282082)
60
+ # ACLIdASA 24.870000 0.000000 24.870000 ( 24.882335)
61
+ # Application_Id64 41.270000 0.000000 41.270000 ( 41.305001)
62
+ # VarString 39.030000 0.000000 39.030000 ( 39.062235)
63
+
64
+
65
+
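Review bot: IP6Addr_Test and VarString_Test are benchmarked here, but the only util.rb change in this diff is to IP6Addr#get and the recorded results list neither class, so as shipped these two report blocks look like they raise NameError. Remove them or add the classes. The require on line 3 is also resolved against the current working directory; require_relative would make the script runnable from any directory.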
@@ -98,7 +98,6 @@ describe LogStash::Codecs::Netflow do
98
98
  }
99
99
  END
100
100
 
101
- events.map{|event| event.gsub(/\s+/, "")}
102
101
  end
103
102
 
104
103
  it "should decode raw data" do
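Review bot: Dropping events.map{|event| event.gsub(/\s+/, "")} from the end of json_events means the block now returns the raw heredoc text, so any example that still compares decode[n].to_json with json_events[n] as a string will fail on whitespace. The contexts added in this diff compare through JSON.parse on both sides; confirm that every existing "should serialize to json" example does the same.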
@@ -187,7 +186,6 @@ describe LogStash::Codecs::Netflow do
187
186
  }
188
187
  END
189
188
 
190
- events.map{|event| event.gsub(/\s+/, "")}
191
189
 
192
190
  end
193
191
 
@@ -203,6 +201,8 @@ describe LogStash::Codecs::Netflow do
203
201
 
204
202
  end
205
203
 
204
+
205
+
206
206
  context "Netflow 9 macaddress" do
207
207
  let(:data) do
208
208
  data = []
@@ -231,7 +231,6 @@ describe LogStash::Codecs::Netflow do
231
231
  }
232
232
  END
233
233
 
234
- events.map{|event| event.gsub(/\s+/, "")}
235
234
  end
236
235
 
237
236
  it "should decode the mac address" do
@@ -244,6 +243,54 @@ describe LogStash::Codecs::Netflow do
244
243
  end
245
244
  end
246
245
 
246
+ context "Netflow 9 Cisco ACI" do
247
+ let(:data) do
248
+ data = []
249
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_aci_tpl256-258.dat"), :mode => "rb")
250
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_aci_data256.dat"), :mode => "rb")
251
+ end
252
+
253
+ let(:json_events) do
254
+ events = []
255
+ events << <<-END
256
+ {
257
+ "@timestamp": "2018-10-15T11:29:00.000Z",
258
+ "netflow": {
259
+ "version": 9,
260
+ "l4_dst_port": 49411,
261
+ "flowset_id": 256,
262
+ "l4_src_port": 179,
263
+ "ipv4_dst_addr": "10.154.231.146",
264
+ "in_pkts": 2,
265
+ "first_switched": "2018-10-15T11:28:05.999Z",
266
+ "protocol": 6,
267
+ "last_switched": "2018-10-15T11:28:24.999Z",
268
+ "ip_protocol_version": 4,
269
+ "in_bytes": 99,
270
+ "flow_seq_num": 36,
271
+ "tcp_flags": 24,
272
+ "input_snmp": 369139712,
273
+ "ipv4_src_addr": "10.154.231.145",
274
+ "src_vlan": 0,
275
+ "direction": 0
276
+ },
277
+ "@version": "1"
278
+ }
279
+ END
280
+
281
+ end
282
+
283
+ it "should decode the mac address" do
284
+ expect(decode.size).to eq(3)
285
+ expect(decode[0].get("[netflow][ipv4_src_addr]")).to eq("10.154.231.145")
286
+ end
287
+
288
+ it "should serialize to json" do
289
+ expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
290
+ end
291
+ end
292
+
293
+
247
294
  context "Netflow 9 Cisco ASA" do
248
295
  let(:data) do
249
296
  packets = []
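Review bot: The first example in the new Cisco ACI context is titled "should decode the mac address" but asserts on [netflow][ipv4_src_addr]; the title looks copied from the macaddress context above and should describe what is checked. The example also expects decode.size to be 3 while json_events holds a single event, so two of the three decoded flows are not compared against anything.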
@@ -287,7 +334,6 @@ describe LogStash::Codecs::Netflow do
287
334
  }
288
335
  END
289
336
 
290
- events.map{|event| event.gsub(/\s+/, "")}
291
337
  end
292
338
 
293
339
  it "should decode raw data" do
@@ -369,7 +415,6 @@ describe LogStash::Codecs::Netflow do
369
415
  }
370
416
  END
371
417
 
372
- events.map{|event| event.gsub(/\s+/, "")}
373
418
  end
374
419
 
375
420
  # These tests will start to fail whenever options template decoding is added.
@@ -423,7 +468,6 @@ describe LogStash::Codecs::Netflow do
423
468
  }
424
469
  END
425
470
 
426
- events.map{|event| event.gsub(/\s+/, "")}
427
471
  end
428
472
 
429
473
  it "should serialize to json" do
@@ -618,7 +662,6 @@ describe LogStash::Codecs::Netflow do
618
662
  }
619
663
  END
620
664
 
621
- events.map{|event| event.gsub(/\s+/, "")}
622
665
  end
623
666
 
624
667
  it "should decode raw data" do
@@ -724,7 +767,6 @@ describe LogStash::Codecs::Netflow do
724
767
  "@version": "1"
725
768
  }
726
769
  END
727
- events.map{|event| event.gsub(/\s+/, "")}
728
770
  end
729
771
 
730
772
  it "should decode raw data" do
@@ -771,7 +813,6 @@ describe LogStash::Codecs::Netflow do
771
813
  "@version": "1"
772
814
  }
773
815
  END
774
- events.map{|event| event.gsub(/\s+/, "")}
775
816
  end
776
817
 
777
818
  it "should decode raw data" do
@@ -829,7 +870,6 @@ describe LogStash::Codecs::Netflow do
829
870
  "@version": "1"
830
871
  }
831
872
  END
832
- events.map{|event| event.gsub(/\s+/, "")}
833
873
  end
834
874
 
835
875
  it "should decode raw data" do
@@ -887,7 +927,6 @@ describe LogStash::Codecs::Netflow do
887
927
  "@version": "1"
888
928
  }
889
929
  END
890
- events.map{|event| event.gsub(/\s+/, "")}
891
930
  end
892
931
 
893
932
  it "should decode raw data" do
@@ -945,7 +984,6 @@ describe LogStash::Codecs::Netflow do
945
984
  }
946
985
  END
947
986
 
948
- events.map{|event| event.gsub(/\s+/, "")}
949
987
  end
950
988
 
951
989
  it "should decode raw data" do
@@ -1009,7 +1047,6 @@ describe LogStash::Codecs::Netflow do
1009
1047
  }
1010
1048
  END
1011
1049
 
1012
- events.map{|event| event.gsub(/\s+/, "")}
1013
1050
  end
1014
1051
 
1015
1052
  it "should decode raw data" do
@@ -1085,7 +1122,6 @@ describe LogStash::Codecs::Netflow do
1085
1122
  "@timestamp": "2017-12-01T17:04:39.000Z"
1086
1123
  }
1087
1124
  END
1088
- events.map{|event| event.gsub(/\s+/, "")}
1089
1125
  end
1090
1126
 
1091
1127
  it "should decode raw data" do
@@ -1141,7 +1177,6 @@ describe LogStash::Codecs::Netflow do
1141
1177
  "@version":"1"
1142
1178
  }
1143
1179
  END
1144
- events.map{|event| event.gsub(/\s+/, "")}
1145
1180
  end
1146
1181
 
1147
1182
  it "should decode raw data" do
@@ -1205,7 +1240,6 @@ describe LogStash::Codecs::Netflow do
1205
1240
  }
1206
1241
  }
1207
1242
  END
1208
- events.map{|event| event.gsub(/\s+/, "")}
1209
1243
  end
1210
1244
 
1211
1245
  it "should decode raw data" do
@@ -1264,7 +1298,6 @@ describe LogStash::Codecs::Netflow do
1264
1298
  "@version": "1"
1265
1299
  }
1266
1300
  END
1267
- events.map{|event| event.gsub(/\s+/, "")}
1268
1301
  end
1269
1302
 
1270
1303
  it "should decode raw data" do
@@ -1280,6 +1313,75 @@ describe LogStash::Codecs::Netflow do
1280
1313
 
1281
1314
  end
1282
1315
 
1316
+
1317
+ context "IPFIX from IXIA something something" do
1318
+ let(:data) do
1319
+ packets = []
1320
+ packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_ixia_tpldata256.dat"), :mode => "rb")
1321
+ end
1322
+
1323
+ let(:json_events) do
1324
+ events = []
1325
+ events << <<-END
1326
+ {
1327
+ "@timestamp": "2018-10-25T12:24:43.000Z",
1328
+ "netflow": {
1329
+ "icmpTypeCodeIPv4": 0,
1330
+ "ixiaDstLongitude": 100.33540344238281,
1331
+ "ixiaHttpUserAgent": "",
1332
+ "ixiaDeviceName": "unknown",
1333
+ "flowStartMilliseconds": "2018-10-25T12:24:19.881Z",
1334
+ "destinationIPv4Address": "202.170.60.247",
1335
+ "ixiaDeviceId": 0,
1336
+ "ixiaL7AppName": "unknown",
1337
+ "ixiaBrowserId": 0,
1338
+ "ixiaDstLatitude": 5.411200046539307,
1339
+ "sourceIPv4Address": "119.103.128.175",
1340
+ "ixiaSrcAsName": "CHINANET-BACKBONE No.31,Jin-rong Street, CN",
1341
+ "ixiaThreatIPv4": "0.0.0.0",
1342
+ "ixiaHttpHostName": "",
1343
+ "sourceTransportPort": 51695,
1344
+ "tcpControlBits": 0,
1345
+ "egressInterface": 1,
1346
+ "flowEndReason": 1,
1347
+ "ixiaSrcLongitude": 114.27339935302734,
1348
+ "version": 10,
1349
+ "packetDeltaCount": 4,
1350
+ "destinationTransportPort": 36197,
1351
+ "ixiaRevPacketDeltaCount": 0,
1352
+ "reverseIcmpTypeCodeIPv4": 0,
1353
+ "ixiaRevOctetDeltaCount": 0,
1354
+ "ixiaThreatType": "",
1355
+ "ixiaHttpUri": "",
1356
+ "octetDeltaCount": 360,
1357
+ "ixiaBrowserName": "-",
1358
+ "protocolIdentifier": 17,
1359
+ "bgpSourceAsNumber": 4134,
1360
+ "bgpDestinationAsNumber": 24090,
1361
+ "ixiaDstAsName": "UNISAINS-AS-AP Universiti Sains Malaysia (USM), MY",
1362
+ "ixiaLatency": 0,
1363
+ "ixiaSrcLatitude": 30.58009910583496,
1364
+ "ixiaL7AppId": 0,
1365
+ "ingressInterface": 1,
1366
+ "flowEndMilliseconds": "2018-10-25T12:24:32.022Z"
1367
+ },
1368
+ "@version": "1"
1369
+ }
1370
+ END
1371
+
1372
+ end
1373
+
1374
+ it "should decode raw data" do
1375
+ expect(decode.size).to eq(1)
1376
+ expect(decode[0].get("[netflow][ixiaDstAsName]")).to eq("UNISAINS-AS-AP Universiti Sains Malaysia (USM), MY")
1377
+ end
1378
+
1379
+ it "should serialize to json" do
1380
+ expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
1381
+ end
1382
+
1383
+ end
1384
+
1283
1385
  context "IPFIX options template from Juniper MX240 JunOS 15.1 R6 S3" do
1284
1386
  let(:data) do
1285
1387
  packets = []
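Review bot: The context title "IPFIX from IXIA something something" is a placeholder and should name the exporter, as the neighbouring contexts do. The gem metadata in this release also lists ipfix_test_ixia_tpldata271.dat, but only ipfix_test_ixia_tpldata256.dat is read here, so either add a context for the 271 capture or drop the fixture.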
@@ -1310,7 +1412,6 @@ describe LogStash::Codecs::Netflow do
1310
1412
  }
1311
1413
  END
1312
1414
 
1313
- events.map{|event| event.gsub(/\s+/, "")}
1314
1415
  end
1315
1416
 
1316
1417
  it "should decode raw data" do
@@ -1354,7 +1455,6 @@ describe LogStash::Codecs::Netflow do
1354
1455
  }
1355
1456
  END
1356
1457
 
1357
- events.map{|event| event.gsub(/\s+/, "")}
1358
1458
  end
1359
1459
 
1360
1460
  it "should decode raw data" do
@@ -1412,7 +1512,6 @@ describe LogStash::Codecs::Netflow do
1412
1512
  }
1413
1513
  END
1414
1514
 
1415
- events.map{|event| event.gsub(/\s+/, "")}
1416
1515
  end
1417
1516
 
1418
1517
  it "should decode raw data" do
@@ -1475,8 +1574,6 @@ describe LogStash::Codecs::Netflow do
1475
1574
  }
1476
1575
  END
1477
1576
 
1478
- events.map{|event| event.gsub(/\s+/, "")}
1479
- events.map{|event| event.gsub(/NormalOperation/, "Normal Operation")}
1480
1577
  end
1481
1578
 
1482
1579
  it "should decode raw data" do
@@ -1540,7 +1637,6 @@ describe LogStash::Codecs::Netflow do
1540
1637
  "@version": "1"
1541
1638
  }
1542
1639
  END
1543
- events.map{|event| event.gsub(/\s+/, "")}
1544
1640
  end
1545
1641
 
1546
1642
  it "should decode raw data" do
@@ -1588,7 +1684,6 @@ describe LogStash::Codecs::Netflow do
1588
1684
  "host": "172.16.32.201"
1589
1685
  }
1590
1686
  END
1591
- events.map{|event| event.gsub(/\s+/, "")}
1592
1687
  end
1593
1688
 
1594
1689
  it "should decode raw data" do
@@ -1658,7 +1753,6 @@ describe LogStash::Codecs::Netflow do
1658
1753
  "@version": "1"
1659
1754
  }
1660
1755
  END
1661
- events.map{|event| event.gsub(/\s+/, "")}
1662
1756
  end
1663
1757
 
1664
1758
  it "should decode raw data" do
@@ -1837,7 +1931,6 @@ describe LogStash::Codecs::Netflow do
1837
1931
  }
1838
1932
  END
1839
1933
 
1840
- events.map{|event| event.gsub(/\s+/, "")}
1841
1934
  end
1842
1935
 
1843
1936
  it "should decode raw data" do
@@ -1912,7 +2005,6 @@ describe LogStash::Codecs::Netflow do
1912
2005
  "@version": "1"
1913
2006
  }
1914
2007
  END
1915
- events.map{|event| event.gsub(/\s+/, "")}
1916
2008
  end
1917
2009
 
1918
2010
  it "should decode raw data" do
@@ -2185,7 +2277,6 @@ describe LogStash::Codecs::Netflow do
2185
2277
  "@version": "1"
2186
2278
  }
2187
2279
  END
2188
- events.map{|event| event.gsub(/\s+/, "")}
2189
2280
  end
2190
2281
 
2191
2282
  it "should decode raw data" do
@@ -2223,7 +2314,6 @@ describe LogStash::Codecs::Netflow do
2223
2314
  "@version":"1"
2224
2315
  }
2225
2316
  END
2226
- events.map{|event| event.gsub(/\s+/, "")}
2227
2317
  end
2228
2318
 
2229
2319
  it "should decode raw data" do
@@ -2274,7 +2364,6 @@ describe LogStash::Codecs::Netflow do
2274
2364
  "@version":"1"
2275
2365
  }
2276
2366
  END
2277
- events.map{|event| event.gsub(/\s+/, "")}
2278
2367
  end
2279
2368
 
2280
2369
  it "should decode raw data" do
@@ -2311,7 +2400,6 @@ describe LogStash::Codecs::Netflow do
2311
2400
  "@version": "1"
2312
2401
  }
2313
2402
  END
2314
- events.map{|event| event.gsub(/\s+/, "")}
2315
2403
  end
2316
2404
 
2317
2405
  it "should decode raw data" do
@@ -2373,7 +2461,6 @@ describe LogStash::Codecs::Netflow do
2373
2461
  "@timestamp": "2018-01-29T03:02:20.000Z"
2374
2462
  }
2375
2463
  END
2376
- events.map{|event| event.gsub(/\s+/, "")}
2377
2464
  end
2378
2465
 
2379
2466
  it "should decode raw data" do
@@ -2423,7 +2510,6 @@ describe LogStash::Codecs::Netflow do
2423
2510
  "@timestamp": "2018-01-16T09:45:02.000Z"
2424
2511
  }
2425
2512
  END
2426
- events.map{|event| event.gsub(/\s+/, "")}
2427
2513
  end
2428
2514
 
2429
2515
  it "should decode raw data" do
@@ -2483,7 +2569,6 @@ describe LogStash::Codecs::Netflow do
2483
2569
  "@version": "1"
2484
2570
  }
2485
2571
  END
2486
- events.map{|event| event.gsub(/\s+/, "")}
2487
2572
  end
2488
2573
 
2489
2574
  it "should decode raw data" do
@@ -2519,7 +2604,6 @@ describe LogStash::Codecs::Netflow do
2519
2604
  "@version": "1"
2520
2605
  }
2521
2606
  END
2522
- events.map{|event| event.gsub(/\s+/, "")}
2523
2607
  end
2524
2608
 
2525
2609
  it "should decode raw data" do
@@ -2579,7 +2663,6 @@ describe LogStash::Codecs::Netflow do
2579
2663
  "@version": "1"
2580
2664
  }
2581
2665
  END
2582
- events.map{|event| event.gsub(/\s+/, "")}
2583
2666
  end
2584
2667
 
2585
2668
  it "should decode raw data" do
@@ -2622,7 +2705,6 @@ describe LogStash::Codecs::Netflow do
2622
2705
  "@version": "1"
2623
2706
  }
2624
2707
  END
2625
- events.map{|event| event.gsub(/\s+/, "")}
2626
2708
  end
2627
2709
 
2628
2710
  it "should decode raw data" do
@@ -2708,7 +2790,6 @@ describe LogStash::Codecs::Netflow do
2708
2790
  "@timestamp": "2017-11-13T14:39:31.000Z"
2709
2791
  }
2710
2792
  END
2711
- events.map{|event| event.gsub(/\s+/, "")}
2712
2793
  end
2713
2794
 
2714
2795
  it "should decode raw data" do
@@ -2762,7 +2843,6 @@ describe LogStash::Codecs::Netflow do
2762
2843
  "@timestamp": "2017-11-21T14:32:15.000Z"
2763
2844
  }
2764
2845
  END
2765
- events.map{|event| event.gsub(/\s+/, "")}
2766
2846
  end
2767
2847
 
2768
2848
  it "should decode raw data" do
@@ -2811,7 +2891,6 @@ describe LogStash::Codecs::Netflow do
2811
2891
  "@version": "1"
2812
2892
  }
2813
2893
  END
2814
- events.map{|event| event.gsub(/\s+/, "")}
2815
2894
  end
2816
2895
 
2817
2896
  it "should decode raw data" do
@@ -2927,7 +3006,6 @@ describe LogStash::Codecs::Netflow do
2927
3006
  "@version": "1"
2928
3007
  }
2929
3008
  END
2930
- events.map{|event| event.gsub(/\s+/, "")}
2931
3009
  end
2932
3010
 
2933
3011
  it "should decode raw data" do
metadata CHANGED
@@ -1,107 +1,135 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-codec-netflow
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.1.2
4
+ version: 4.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Elastic
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-09-10 00:00:00.000000000 Z
11
+ date: 2018-10-28 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
- name: logstash-core-plugin-api
15
14
  requirement: !ruby/object:Gem::Requirement
16
15
  requirements:
17
16
  - - ~>
18
17
  - !ruby/object:Gem::Version
19
18
  version: '2.0'
20
- type: :runtime
19
+ name: logstash-core-plugin-api
21
20
  prerelease: false
21
+ type: :runtime
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - ~>
25
25
  - !ruby/object:Gem::Version
26
26
  version: '2.0'
27
27
  - !ruby/object:Gem::Dependency
28
- name: bindata
29
28
  requirement: !ruby/object:Gem::Requirement
30
29
  requirements:
31
30
  - - '>='
32
31
  - !ruby/object:Gem::Version
33
32
  version: 1.5.0
34
- type: :runtime
33
+ name: bindata
35
34
  prerelease: false
35
+ type: :runtime
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - '>='
39
39
  - !ruby/object:Gem::Version
40
40
  version: 1.5.0
41
41
  - !ruby/object:Gem::Dependency
42
- name: logstash-devutils
43
42
  requirement: !ruby/object:Gem::Requirement
44
43
  requirements:
45
44
  - - '>='
46
45
  - !ruby/object:Gem::Version
47
46
  version: 1.0.0
48
- type: :development
47
+ name: logstash-devutils
49
48
  prerelease: false
49
+ type: :development
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
52
  - - '>='
53
53
  - !ruby/object:Gem::Version
54
54
  version: 1.0.0
55
- description: This gem is a Logstash plugin required to be installed on top of the
56
- Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
57
- gem is not a stand-alone program
55
+ description: This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program
58
56
  email: info@elastic.co
59
57
  executables: []
60
58
  extensions: []
61
59
  extra_rdoc_files: []
62
60
  files:
61
+ - CHANGELOG.md
62
+ - CONTRIBUTORS
63
+ - Gemfile
64
+ - LICENSE
65
+ - NOTICE.TXT
66
+ - README.md
67
+ - RFC_COMPLIANCE_IPFIX.md
68
+ - RFC_COMPLIANCE_NETFLOW_v9.md
69
+ - docs/index.asciidoc
70
+ - lib/logstash/codecs/netflow.rb
63
71
  - lib/logstash/codecs/netflow/iana2yaml.rb
64
72
  - lib/logstash/codecs/netflow/ipfix.yaml
65
- - lib/logstash/codecs/netflow/util.rb
66
73
  - lib/logstash/codecs/netflow/netflow.yaml
67
- - lib/logstash/codecs/netflow.rb
74
+ - lib/logstash/codecs/netflow/util.rb
75
+ - logstash-codec-netflow.gemspec
76
+ - spec/codecs/benchmarks/ACLidASA.rb
77
+ - spec/codecs/benchmarks/IP6Addr.rb
78
+ - spec/codecs/benchmarks/IPAddr.rb
79
+ - spec/codecs/benchmarks/MacAddr.rb
80
+ - spec/codecs/benchmarks/benchmark_fields.rb
81
+ - spec/codecs/benchmarks/flowStartMilliseconds.rb
82
+ - spec/codecs/benchmarks/ipfix_bench_sonicwall.py
83
+ - spec/codecs/benchmarks/ipfix_bench_yaf.py
84
+ - spec/codecs/benchmarks/netflow_bench_cisco_asa.py
85
+ - spec/codecs/benchmarks/netflow_bench_cisco_asr.py
68
86
  - spec/codecs/ipfix.dat
87
+ - spec/codecs/ipfix_stress.py
88
+ - spec/codecs/ipfix_test_barracuda_data256.dat
89
+ - spec/codecs/ipfix_test_barracuda_extended_uniflow_data256.dat
90
+ - spec/codecs/ipfix_test_barracuda_extended_uniflow_tpl256.dat
91
+ - spec/codecs/ipfix_test_barracuda_tpl.dat
92
+ - spec/codecs/ipfix_test_ixia_tpldata256.dat
93
+ - spec/codecs/ipfix_test_ixia_tpldata271.dat
94
+ - spec/codecs/ipfix_test_juniper_mx240_junos151r6s3_data512.dat
95
+ - spec/codecs/ipfix_test_juniper_mx240_junos151r6s3_opttpl512.dat
96
+ - spec/codecs/ipfix_test_mikrotik_data258.dat
97
+ - spec/codecs/ipfix_test_mikrotik_data259.dat
98
+ - spec/codecs/ipfix_test_mikrotik_tpl.dat
99
+ - spec/codecs/ipfix_test_netscaler_data.dat
100
+ - spec/codecs/ipfix_test_netscaler_tpl.dat
101
+ - spec/codecs/ipfix_test_nokia_bras_data256.dat
102
+ - spec/codecs/ipfix_test_nokia_bras_tpl.dat
69
103
  - spec/codecs/ipfix_test_openbsd_pflow_data.dat
70
104
  - spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
105
+ - spec/codecs/ipfix_test_procera_data52935.dat
106
+ - spec/codecs/ipfix_test_procera_tpl52935.dat
107
+ - spec/codecs/ipfix_test_viptela_data257.dat
108
+ - spec/codecs/ipfix_test_viptela_tpl257.dat
109
+ - spec/codecs/ipfix_test_vmware_vds_data264.dat
110
+ - spec/codecs/ipfix_test_vmware_vds_data266.dat
111
+ - spec/codecs/ipfix_test_vmware_vds_data266_267.dat
112
+ - spec/codecs/ipfix_test_vmware_vds_tpl.dat
113
+ - spec/codecs/ipfix_test_yaf_data45841.dat
114
+ - spec/codecs/ipfix_test_yaf_data45873.dat
115
+ - spec/codecs/ipfix_test_yaf_data53248.dat
116
+ - spec/codecs/ipfix_test_yaf_tpl45841.dat
117
+ - spec/codecs/ipfix_test_yaf_tpls_option_tpl.dat
71
118
  - spec/codecs/netflow5.dat
72
119
  - spec/codecs/netflow5_test_invalid01.dat
73
120
  - spec/codecs/netflow5_test_invalid02.dat
74
121
  - spec/codecs/netflow5_test_juniper_mx80.dat
75
122
  - spec/codecs/netflow5_test_microtik.dat
123
+ - spec/codecs/netflow9_cisco_asr1001x_tpl259.dat
124
+ - spec/codecs/netflow9_test_0length_fields_tpl_data.dat
125
+ - spec/codecs/netflow9_test_cisco_1941K9.dat
126
+ - spec/codecs/netflow9_test_cisco_aci_data256.dat
127
+ - spec/codecs/netflow9_test_cisco_aci_tpl256-258.dat
76
128
  - spec/codecs/netflow9_test_cisco_asa_1_data.dat
77
129
  - spec/codecs/netflow9_test_cisco_asa_1_tpl.dat
78
130
  - spec/codecs/netflow9_test_cisco_asa_2_data.dat
79
131
  - spec/codecs/netflow9_test_cisco_asa_2_tpl_26x.dat
80
132
  - spec/codecs/netflow9_test_cisco_asa_2_tpl_27x.dat
81
- - spec/codecs/netflow9_test_invalid01.dat
82
- - spec/codecs/netflow9_test_macaddr_data.dat
83
- - spec/codecs/netflow9_test_macaddr_tpl.dat
84
- - spec/codecs/netflow9_test_nprobe_data.dat
85
- - spec/codecs/netflow9_test_nprobe_tpl.dat
86
- - spec/codecs/netflow9_test_softflowd_tpl_data.dat
87
- - spec/codecs/netflow9_test_valid01.dat
88
- - spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
89
- - spec/codecs/netflow9_test_ubnt_edgerouter_data1024.dat
90
- - spec/codecs/netflow9_test_ubnt_edgerouter_data1025.dat
91
- - spec/codecs/ipfix_test_netscaler_data.dat
92
- - spec/codecs/ipfix_test_netscaler_tpl.dat
93
- - spec/codecs/ipfix_test_vmware_vds_data264.dat
94
- - spec/codecs/ipfix_test_vmware_vds_data266.dat
95
- - spec/codecs/ipfix_test_vmware_vds_data266_267.dat
96
- - spec/codecs/ipfix_test_vmware_vds_tpl.dat
97
- - spec/codecs/ipfix_test_barracuda_data256.dat
98
- - spec/codecs/ipfix_test_barracuda_tpl.dat
99
- - spec/codecs/ipfix_test_mikrotik_data258.dat
100
- - spec/codecs/ipfix_test_mikrotik_data259.dat
101
- - spec/codecs/ipfix_test_mikrotik_tpl.dat
102
- - spec/codecs/ipfix_test_nokia_bras_tpl.dat
103
- - spec/codecs/netflow9_test_0length_fields_tpl_data.dat
104
- - spec/codecs/netflow_spec.rb
105
133
  - spec/codecs/netflow9_test_cisco_asr9k_data256.dat
106
134
  - spec/codecs/netflow9_test_cisco_asr9k_data260.dat
107
135
  - spec/codecs/netflow9_test_cisco_asr9k_opttpl256.dat
@@ -112,76 +140,51 @@ files:
112
140
  - spec/codecs/netflow9_test_cisco_nbar_data262.dat
113
141
  - spec/codecs/netflow9_test_cisco_nbar_opttpl260.dat
114
142
  - spec/codecs/netflow9_test_cisco_nbar_tpl262.dat
115
- - spec/codecs/netflow9_test_unknown_tpl266_292_data.dat
143
+ - spec/codecs/netflow9_test_cisco_wlc_8510_tpl_262.dat
116
144
  - spec/codecs/netflow9_test_cisco_wlc_data261.dat
117
145
  - spec/codecs/netflow9_test_cisco_wlc_tpl.dat
146
+ - spec/codecs/netflow9_test_field_layer2segmentid_data.dat
147
+ - spec/codecs/netflow9_test_field_layer2segmentid_tpl.dat
118
148
  - spec/codecs/netflow9_test_fortigate_fortios_521_data256.dat
119
149
  - spec/codecs/netflow9_test_fortigate_fortios_521_data257.dat
120
150
  - spec/codecs/netflow9_test_fortigate_fortios_521_tpl.dat
121
- - spec/codecs/netflow9_test_juniper_srx_tplopt.dat
122
- - spec/codecs/netflow9_test_nprobe_dpi.dat
123
- - spec/codecs/netflow9_test_streamcore_tpl_data256.dat
124
- - spec/codecs/netflow9_test_streamcore_tpl_data260.dat
125
- - spec/codecs/ipfix_test_yaf_data45841.dat
126
- - spec/codecs/ipfix_test_yaf_data45873.dat
127
- - spec/codecs/ipfix_test_yaf_data53248.dat
128
- - spec/codecs/ipfix_test_yaf_tpl45841.dat
129
- - spec/codecs/ipfix_test_yaf_tpls_option_tpl.dat
130
- - spec/codecs/netflow9_cisco_asr1001x_tpl259.dat
131
- - spec/codecs/netflow9_test_cisco_1941K9.dat
132
- - spec/codecs/netflow9_test_cisco_wlc_8510_tpl_262.dat
133
- - spec/codecs/netflow9_test_paloalto_panos_data.dat
134
- - spec/codecs/netflow9_test_paloalto_panos_tpl.dat
135
- - spec/codecs/netflow_stress.py
136
- - spec/codecs/ipfix_test_viptela_tpl257.dat
137
- - spec/codecs/ipfix_test_viptela_data257.dat
138
- - spec/codecs/ipfix_test_nokia_bras_data256.dat
139
- - spec/codecs/netflow9_test_field_layer2segmentid_data.dat
140
- - spec/codecs/ipfix_test_procera_tpl52935.dat
141
- - spec/codecs/ipfix_test_procera_data52935.dat
142
- - spec/codecs/ipfix_test_barracuda_extended_uniflow_tpl256.dat
143
- - spec/codecs/benchmarks/ACLidASA.rb
144
- - spec/codecs/benchmarks/MacAddr.rb
145
- - spec/codecs/benchmarks/flowStartMilliseconds.rb
146
- - spec/codecs/benchmarks/IPAddr.rb
147
- - spec/codecs/benchmarks/IP6Addr.rb
148
- - spec/codecs/benchmarks/netflow_bench_cisco_asa.py
149
- - spec/codecs/benchmarks/netflow_bench_cisco_asr.py
150
- - spec/codecs/benchmarks/ipfix_bench_sonicwall.py
151
- - spec/codecs/benchmarks/ipfix_bench_yaf.py
152
- - spec/codecs/ipfix_test_barracuda_extended_uniflow_data256.dat
151
+ - spec/codecs/netflow9_test_fortigate_fortios_542_appid_data258_262.dat
152
+ - spec/codecs/netflow9_test_fortigate_fortios_542_appid_tpl258-269.dat
153
+ - spec/codecs/netflow9_test_h3c_data3281.dat
154
+ - spec/codecs/netflow9_test_h3c_netstream_varstring_data3281.dat
155
+ - spec/codecs/netflow9_test_h3c_netstream_varstring_tpl3281.dat
153
156
  - spec/codecs/netflow9_test_h3c_tpl3281.dat
154
- - spec/codecs/netflow9_test_field_layer2segmentid_tpl.dat
155
- - spec/codecs/netflow9_test_huawei_netstream_tpl.dat
156
157
  - spec/codecs/netflow9_test_huawei_netstream_data.dat
157
- - spec/codecs/ipfix_stress.py
158
+ - spec/codecs/netflow9_test_huawei_netstream_tpl.dat
159
+ - spec/codecs/netflow9_test_invalid01.dat
158
160
  - spec/codecs/netflow9_test_iptnetflow_reduced_size_encoding_tpldata260.dat
159
- - spec/codecs/netflow9_test_h3c_data3281.dat
160
- - spec/codecs/netflow9_test_fortigate_fortios_542_appid_data258_262.dat
161
- - spec/codecs/netflow9_test_fortigate_fortios_542_appid_tpl258-269.dat
162
- - spec/codecs/ipfix_test_juniper_mx240_junos151r6s3_opttpl512.dat
163
- - spec/codecs/ipfix_test_juniper_mx240_junos151r6s3_data512.dat
161
+ - spec/codecs/netflow9_test_juniper_srx_tplopt.dat
162
+ - spec/codecs/netflow9_test_macaddr_data.dat
163
+ - spec/codecs/netflow9_test_macaddr_tpl.dat
164
+ - spec/codecs/netflow9_test_nprobe_data.dat
165
+ - spec/codecs/netflow9_test_nprobe_dpi.dat
166
+ - spec/codecs/netflow9_test_nprobe_tpl.dat
164
167
  - spec/codecs/netflow9_test_paloalto_81_data257_1flowset_in_large_zerofilled_packet.dat
165
168
  - spec/codecs/netflow9_test_paloalto_81_tpl256-263.dat
166
- - spec/codecs/netflow9_test_h3c_netstream_varstring_data3281.dat
167
- - spec/codecs/netflow9_test_h3c_netstream_varstring_tpl3281.dat
168
- - logstash-codec-netflow.gemspec
169
- - CHANGELOG.md
170
- - README.md
171
- - RFC_COMPLIANCE_IPFIX.md
172
- - RFC_COMPLIANCE_NETFLOW_v9.md
173
- - CONTRIBUTORS
174
- - Gemfile
175
- - LICENSE
176
- - NOTICE.TXT
177
- - docs/index.asciidoc
169
+ - spec/codecs/netflow9_test_paloalto_panos_data.dat
170
+ - spec/codecs/netflow9_test_paloalto_panos_tpl.dat
171
+ - spec/codecs/netflow9_test_softflowd_tpl_data.dat
172
+ - spec/codecs/netflow9_test_streamcore_tpl_data256.dat
173
+ - spec/codecs/netflow9_test_streamcore_tpl_data260.dat
174
+ - spec/codecs/netflow9_test_ubnt_edgerouter_data1024.dat
175
+ - spec/codecs/netflow9_test_ubnt_edgerouter_data1025.dat
176
+ - spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
177
+ - spec/codecs/netflow9_test_unknown_tpl266_292_data.dat
178
+ - spec/codecs/netflow9_test_valid01.dat
179
+ - spec/codecs/netflow_spec.rb
180
+ - spec/codecs/netflow_stress.py
178
181
  homepage: http://www.elastic.co/guide/en/logstash/current/index.html
179
182
  licenses:
180
183
  - Apache License (2.0)
181
184
  metadata:
182
185
  logstash_plugin: 'true'
183
186
  logstash_group: codec
184
- post_install_message:
187
+ post_install_message:
185
188
  rdoc_options: []
186
189
  require_paths:
187
190
  - lib
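Review bot: old lines 168-177 of `files:` drop logstash-codec-netflow.gemspec, CHANGELOG.md, README.md, CONTRIBUTORS, Gemfile, LICENSE, NOTICE.TXT and docs/index.asciidoc, and no `+` line in this hunk puts them back. The new list looks sorted, so they have probably moved to the top of `files:` outside this hunk; confirm that, because the package declares `Apache License (2.0)` and should keep shipping LICENSE and NOTICE.TXT. Separately, `files:` still packages the captures under spec/codecs/ and the script netflow_stress.py (new line 180) into the installed gem; if they are only needed by the test suite, leaving spec/ out of `files` would shrink what consumers install and have to audit.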
@@ -196,49 +199,69 @@ required_rubygems_version: !ruby/object:Gem::Requirement
196
199
  - !ruby/object:Gem::Version
197
200
  version: '0'
198
201
  requirements: []
199
- rubyforge_project:
200
- rubygems_version: 2.0.14.1
201
- signing_key:
202
+ rubyforge_project:
203
+ rubygems_version: 2.4.8
204
+ signing_key:
202
205
  specification_version: 4
203
206
  summary: Reads Netflow v5, Netflow v9 and IPFIX data
204
207
  test_files:
208
+ - spec/codecs/benchmarks/ACLidASA.rb
209
+ - spec/codecs/benchmarks/IP6Addr.rb
210
+ - spec/codecs/benchmarks/IPAddr.rb
211
+ - spec/codecs/benchmarks/MacAddr.rb
212
+ - spec/codecs/benchmarks/benchmark_fields.rb
213
+ - spec/codecs/benchmarks/flowStartMilliseconds.rb
214
+ - spec/codecs/benchmarks/ipfix_bench_sonicwall.py
215
+ - spec/codecs/benchmarks/ipfix_bench_yaf.py
216
+ - spec/codecs/benchmarks/netflow_bench_cisco_asa.py
217
+ - spec/codecs/benchmarks/netflow_bench_cisco_asr.py
205
218
  - spec/codecs/ipfix.dat
219
+ - spec/codecs/ipfix_stress.py
220
+ - spec/codecs/ipfix_test_barracuda_data256.dat
221
+ - spec/codecs/ipfix_test_barracuda_extended_uniflow_data256.dat
222
+ - spec/codecs/ipfix_test_barracuda_extended_uniflow_tpl256.dat
223
+ - spec/codecs/ipfix_test_barracuda_tpl.dat
224
+ - spec/codecs/ipfix_test_ixia_tpldata256.dat
225
+ - spec/codecs/ipfix_test_ixia_tpldata271.dat
226
+ - spec/codecs/ipfix_test_juniper_mx240_junos151r6s3_data512.dat
227
+ - spec/codecs/ipfix_test_juniper_mx240_junos151r6s3_opttpl512.dat
228
+ - spec/codecs/ipfix_test_mikrotik_data258.dat
229
+ - spec/codecs/ipfix_test_mikrotik_data259.dat
230
+ - spec/codecs/ipfix_test_mikrotik_tpl.dat
231
+ - spec/codecs/ipfix_test_netscaler_data.dat
232
+ - spec/codecs/ipfix_test_netscaler_tpl.dat
233
+ - spec/codecs/ipfix_test_nokia_bras_data256.dat
234
+ - spec/codecs/ipfix_test_nokia_bras_tpl.dat
206
235
  - spec/codecs/ipfix_test_openbsd_pflow_data.dat
207
236
  - spec/codecs/ipfix_test_openbsd_pflow_tpl.dat
237
+ - spec/codecs/ipfix_test_procera_data52935.dat
238
+ - spec/codecs/ipfix_test_procera_tpl52935.dat
239
+ - spec/codecs/ipfix_test_viptela_data257.dat
240
+ - spec/codecs/ipfix_test_viptela_tpl257.dat
241
+ - spec/codecs/ipfix_test_vmware_vds_data264.dat
242
+ - spec/codecs/ipfix_test_vmware_vds_data266.dat
243
+ - spec/codecs/ipfix_test_vmware_vds_data266_267.dat
244
+ - spec/codecs/ipfix_test_vmware_vds_tpl.dat
245
+ - spec/codecs/ipfix_test_yaf_data45841.dat
246
+ - spec/codecs/ipfix_test_yaf_data45873.dat
247
+ - spec/codecs/ipfix_test_yaf_data53248.dat
248
+ - spec/codecs/ipfix_test_yaf_tpl45841.dat
249
+ - spec/codecs/ipfix_test_yaf_tpls_option_tpl.dat
208
250
  - spec/codecs/netflow5.dat
209
251
  - spec/codecs/netflow5_test_invalid01.dat
210
252
  - spec/codecs/netflow5_test_invalid02.dat
211
253
  - spec/codecs/netflow5_test_juniper_mx80.dat
212
254
  - spec/codecs/netflow5_test_microtik.dat
255
+ - spec/codecs/netflow9_cisco_asr1001x_tpl259.dat
256
+ - spec/codecs/netflow9_test_0length_fields_tpl_data.dat
257
+ - spec/codecs/netflow9_test_cisco_1941K9.dat
258
+ - spec/codecs/netflow9_test_cisco_aci_data256.dat
259
+ - spec/codecs/netflow9_test_cisco_aci_tpl256-258.dat
213
260
  - spec/codecs/netflow9_test_cisco_asa_1_data.dat
214
261
  - spec/codecs/netflow9_test_cisco_asa_1_tpl.dat
215
262
  - spec/codecs/netflow9_test_cisco_asa_2_data.dat
216
263
  - spec/codecs/netflow9_test_cisco_asa_2_tpl_26x.dat
217
264
  - spec/codecs/netflow9_test_cisco_asa_2_tpl_27x.dat
218
- - spec/codecs/netflow9_test_invalid01.dat
219
- - spec/codecs/netflow9_test_macaddr_data.dat
220
- - spec/codecs/netflow9_test_macaddr_tpl.dat
221
- - spec/codecs/netflow9_test_nprobe_data.dat
222
- - spec/codecs/netflow9_test_nprobe_tpl.dat
223
- - spec/codecs/netflow9_test_softflowd_tpl_data.dat
224
- - spec/codecs/netflow9_test_valid01.dat
225
- - spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
226
- - spec/codecs/netflow9_test_ubnt_edgerouter_data1024.dat
227
- - spec/codecs/netflow9_test_ubnt_edgerouter_data1025.dat
228
- - spec/codecs/ipfix_test_netscaler_data.dat
229
- - spec/codecs/ipfix_test_netscaler_tpl.dat
230
- - spec/codecs/ipfix_test_vmware_vds_data264.dat
231
- - spec/codecs/ipfix_test_vmware_vds_data266.dat
232
- - spec/codecs/ipfix_test_vmware_vds_data266_267.dat
233
- - spec/codecs/ipfix_test_vmware_vds_tpl.dat
234
- - spec/codecs/ipfix_test_barracuda_data256.dat
235
- - spec/codecs/ipfix_test_barracuda_tpl.dat
236
- - spec/codecs/ipfix_test_mikrotik_data258.dat
237
- - spec/codecs/ipfix_test_mikrotik_data259.dat
238
- - spec/codecs/ipfix_test_mikrotik_tpl.dat
239
- - spec/codecs/ipfix_test_nokia_bras_tpl.dat
240
- - spec/codecs/netflow9_test_0length_fields_tpl_data.dat
241
- - spec/codecs/netflow_spec.rb
242
265
  - spec/codecs/netflow9_test_cisco_asr9k_data256.dat
243
266
  - spec/codecs/netflow9_test_cisco_asr9k_data260.dat
244
267
  - spec/codecs/netflow9_test_cisco_asr9k_opttpl256.dat
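Review bot: spec/codecs/benchmarks/benchmark_fields.rb at new line 212 is the one added `test_files` entry in this hunk that is executable code with no matching removal, so its content deserves a direct read rather than a glance at this listing. The other net additions (ipfix_test_ixia_tpldata256.dat, ipfix_test_ixia_tpldata271.dat, netflow9_test_cisco_aci_data256.dat, netflow9_test_cisco_aci_tpl256-258.dat) are capture fixtures, and every other `+` path here is an existing entry moved into sorted order. The `rubygems_version` change from 2.0.14.1 to 2.4.8 at new line 203 shows the release was built with a different toolchain; recording the build environment would help explain the reordering and why `rubyforge_project:` and `signing_key:` show as changed with the same visible text.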
@@ -249,56 +272,41 @@ test_files:
249
272
  - spec/codecs/netflow9_test_cisco_nbar_data262.dat
250
273
  - spec/codecs/netflow9_test_cisco_nbar_opttpl260.dat
251
274
  - spec/codecs/netflow9_test_cisco_nbar_tpl262.dat
252
- - spec/codecs/netflow9_test_unknown_tpl266_292_data.dat
275
+ - spec/codecs/netflow9_test_cisco_wlc_8510_tpl_262.dat
253
276
  - spec/codecs/netflow9_test_cisco_wlc_data261.dat
254
277
  - spec/codecs/netflow9_test_cisco_wlc_tpl.dat
278
+ - spec/codecs/netflow9_test_field_layer2segmentid_data.dat
279
+ - spec/codecs/netflow9_test_field_layer2segmentid_tpl.dat
255
280
  - spec/codecs/netflow9_test_fortigate_fortios_521_data256.dat
256
281
  - spec/codecs/netflow9_test_fortigate_fortios_521_data257.dat
257
282
  - spec/codecs/netflow9_test_fortigate_fortios_521_tpl.dat
258
- - spec/codecs/netflow9_test_juniper_srx_tplopt.dat
259
- - spec/codecs/netflow9_test_nprobe_dpi.dat
260
- - spec/codecs/netflow9_test_streamcore_tpl_data256.dat
261
- - spec/codecs/netflow9_test_streamcore_tpl_data260.dat
262
- - spec/codecs/ipfix_test_yaf_data45841.dat
263
- - spec/codecs/ipfix_test_yaf_data45873.dat
264
- - spec/codecs/ipfix_test_yaf_data53248.dat
265
- - spec/codecs/ipfix_test_yaf_tpl45841.dat
266
- - spec/codecs/ipfix_test_yaf_tpls_option_tpl.dat
267
- - spec/codecs/netflow9_cisco_asr1001x_tpl259.dat
268
- - spec/codecs/netflow9_test_cisco_1941K9.dat
269
- - spec/codecs/netflow9_test_cisco_wlc_8510_tpl_262.dat
270
- - spec/codecs/netflow9_test_paloalto_panos_data.dat
271
- - spec/codecs/netflow9_test_paloalto_panos_tpl.dat
272
- - spec/codecs/netflow_stress.py
273
- - spec/codecs/ipfix_test_viptela_tpl257.dat
274
- - spec/codecs/ipfix_test_viptela_data257.dat
275
- - spec/codecs/ipfix_test_nokia_bras_data256.dat
276
- - spec/codecs/netflow9_test_field_layer2segmentid_data.dat
277
- - spec/codecs/ipfix_test_procera_tpl52935.dat
278
- - spec/codecs/ipfix_test_procera_data52935.dat
279
- - spec/codecs/ipfix_test_barracuda_extended_uniflow_tpl256.dat
280
- - spec/codecs/benchmarks/ACLidASA.rb
281
- - spec/codecs/benchmarks/MacAddr.rb
282
- - spec/codecs/benchmarks/flowStartMilliseconds.rb
283
- - spec/codecs/benchmarks/IPAddr.rb
284
- - spec/codecs/benchmarks/IP6Addr.rb
285
- - spec/codecs/benchmarks/netflow_bench_cisco_asa.py
286
- - spec/codecs/benchmarks/netflow_bench_cisco_asr.py
287
- - spec/codecs/benchmarks/ipfix_bench_sonicwall.py
288
- - spec/codecs/benchmarks/ipfix_bench_yaf.py
289
- - spec/codecs/ipfix_test_barracuda_extended_uniflow_data256.dat
283
+ - spec/codecs/netflow9_test_fortigate_fortios_542_appid_data258_262.dat
284
+ - spec/codecs/netflow9_test_fortigate_fortios_542_appid_tpl258-269.dat
285
+ - spec/codecs/netflow9_test_h3c_data3281.dat
286
+ - spec/codecs/netflow9_test_h3c_netstream_varstring_data3281.dat
287
+ - spec/codecs/netflow9_test_h3c_netstream_varstring_tpl3281.dat
290
288
  - spec/codecs/netflow9_test_h3c_tpl3281.dat
291
- - spec/codecs/netflow9_test_field_layer2segmentid_tpl.dat
292
- - spec/codecs/netflow9_test_huawei_netstream_tpl.dat
293
289
  - spec/codecs/netflow9_test_huawei_netstream_data.dat
294
- - spec/codecs/ipfix_stress.py
290
+ - spec/codecs/netflow9_test_huawei_netstream_tpl.dat
291
+ - spec/codecs/netflow9_test_invalid01.dat
295
292
  - spec/codecs/netflow9_test_iptnetflow_reduced_size_encoding_tpldata260.dat
296
- - spec/codecs/netflow9_test_h3c_data3281.dat
297
- - spec/codecs/netflow9_test_fortigate_fortios_542_appid_data258_262.dat
298
- - spec/codecs/netflow9_test_fortigate_fortios_542_appid_tpl258-269.dat
299
- - spec/codecs/ipfix_test_juniper_mx240_junos151r6s3_opttpl512.dat
300
- - spec/codecs/ipfix_test_juniper_mx240_junos151r6s3_data512.dat
293
+ - spec/codecs/netflow9_test_juniper_srx_tplopt.dat
294
+ - spec/codecs/netflow9_test_macaddr_data.dat
295
+ - spec/codecs/netflow9_test_macaddr_tpl.dat
296
+ - spec/codecs/netflow9_test_nprobe_data.dat
297
+ - spec/codecs/netflow9_test_nprobe_dpi.dat
298
+ - spec/codecs/netflow9_test_nprobe_tpl.dat
301
299
  - spec/codecs/netflow9_test_paloalto_81_data257_1flowset_in_large_zerofilled_packet.dat
302
300
  - spec/codecs/netflow9_test_paloalto_81_tpl256-263.dat
303
- - spec/codecs/netflow9_test_h3c_netstream_varstring_data3281.dat
304
- - spec/codecs/netflow9_test_h3c_netstream_varstring_tpl3281.dat
301
+ - spec/codecs/netflow9_test_paloalto_panos_data.dat
302
+ - spec/codecs/netflow9_test_paloalto_panos_tpl.dat
303
+ - spec/codecs/netflow9_test_softflowd_tpl_data.dat
304
+ - spec/codecs/netflow9_test_streamcore_tpl_data256.dat
305
+ - spec/codecs/netflow9_test_streamcore_tpl_data260.dat
306
+ - spec/codecs/netflow9_test_ubnt_edgerouter_data1024.dat
307
+ - spec/codecs/netflow9_test_ubnt_edgerouter_data1025.dat
308
+ - spec/codecs/netflow9_test_ubnt_edgerouter_tpl.dat
309
+ - spec/codecs/netflow9_test_unknown_tpl266_292_data.dat
310
+ - spec/codecs/netflow9_test_valid01.dat
311
+ - spec/codecs/netflow_spec.rb
312
+ - spec/codecs/netflow_stress.py
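Review bot: this hunk makes no net change to `test_files`: every path removed at old lines 252-304 comes back either here or in the preceding hunk (for example the ipfix_test_yaf_* entries at new lines 245-249 and netflow_stress.py at new line 312). A reorder of this size hides real additions and removals, so compare the old and new lists as sorted sets when checking the release, and keep the list in a stable order so later diffs stay small.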