add citrix_waf package #3425
add citrix_waf package #3425
Conversation
efd6
added
enhancement
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
efd6
force-pushed
the
1308-citrix_waf
branch
3 times, most recently
from
aa0aa06
to
7414d01
Compare
🌐 Coverage report
|
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
efd6
force-pushed
the
1308-citrix_waf
branch
2 times, most recently
from
fead6ac
to
700931e
Compare
packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
| "message": "CEF:0|Citrix|NetScaler|NS11.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=47606 method=GET request=http://aaron.stratum8.net/FFC/login.html msg=Disallow Illegal URL. cn1=1340 cn2=653 cs1=pr_ffc cs2=PPE1 cs3=EsdGd3VD0OaaURLcZnj05Y6DOmE0002 cs4=ALERT cs5=2015 act=blocked", | ||
| "severity": 6, | ||
| "timezone": "UTC", | ||
| "url": { |
There was a problem hiding this comment.
I think this is an error event.url?
| - rename: | ||
| # request – request URL | ||
| field: citrix.extended_kv.request | ||
| target_field: event.url.original |
There was a problem hiding this comment.
probably should be url.original
| - uri_parts: | ||
| field: event.url.original | ||
| target_field: event.url | ||
| ignore_failure: true |
There was a problem hiding this comment.
same about the url not event.url??
packages/citrix_waf/changelog.yml
Outdated
| @@ -0,0 +1,6 @@ | |||
| # newer versions go on top | |||
| - version: "0.0.1" | |||
There was a problem hiding this comment.
Any specific reason we would want to start off with experimental, compared to beta or ga?
There was a problem hiding this comment.
I usually release mine as GA as long as you have functional system and pipeline tests with good test data.
If not then I release as beta, unless again it has new functionality like a new filebeat input.
There was a problem hiding this comment.
I will bump to beta until I have the dashboard in place — next PR.
| description: Pipeline for Citrix CEF messages | ||
| processors: | ||
| - set: | ||
| field: event.cef_format |
There was a problem hiding this comment.
Please dont use ECS root fields for non ECS fields, better then to use citrix.*
| override: false | ||
| - set: | ||
| field: event.timezone | ||
| value: '{{{_conf.tz_offset}}}' |
There was a problem hiding this comment.
You could also use copy_from rather than using a template value, as it is safer.
| field: _tmp.timestamp | ||
| if: ctx._tmp?.timestamp != null && ctx.citrix?.event_year != null | ||
| value: "{{{citrix.event_year}}} {{{_tmp.timestamp}}}" | ||
| - date: |
There was a problem hiding this comment.
Date formats are quite expensive, are you sure we need all of them?
There was a problem hiding this comment.
I have seen a wide variety in the documentation and it is deeply underspecified.
| description: Pipeline for Citrix Native messages | ||
| processors: | ||
| - set: | ||
| field: event.cef_format |
There was a problem hiding this comment.
Same here with using a non ECS root field
| value: false | ||
| - grok: | ||
| description: Extract native header and message. | ||
| field: event.message |
There was a problem hiding this comment.
Same here with using a non ECS root field
| field: citrix.event_year | ||
| ignore_failure: true | ||
|
|
||
| - geoip: |
There was a problem hiding this comment.
We have a common set of geoip processors that we reuse on a lot of our ingest pipelines, is this something we could use instead? Feel free to modify it to fit your usecase.
# IP Geolocation Lookup
- geoip:
field: source.ip
target_field: source.geo
ignore_missing: true
- geoip:
field: destination.ip
target_field: destination.geo
ignore_missing: true
# IP Autonomous System (AS) Lookup
- geoip:
database_file: GeoLite2-ASN.mmdb
field: source.ip
target_field: source.as
properties:
- asn
- organization_name
ignore_missing: true
- geoip:
database_file: GeoLite2-ASN.mmdb
field: destination.ip
target_field: destination.as
properties:
- asn
- organization_name
ignore_missing: true
- rename:
field: source.as.asn
target_field: source.as.number
ignore_missing: true
- rename:
field: source.as.organization_name
target_field: source.as.organization.name
ignore_missing: true
- rename:
field: destination.as.asn
target_field: destination.as.number
ignore_missing: true
- rename:
field: destination.as.organization_name
target_field: destination.as.organization.name
ignore_missing: true
| - uri_parts: | ||
| field: url.original | ||
| target_field: url | ||
| ignore_failure: true |
There was a problem hiding this comment.
We usually try to not use ignore_failures, as both the CI and the end user wont tell us if there are any errors. Are there any other ways we can do this? like a IF statement?
| field: | ||
| - _tmp | ||
| - _conf | ||
| ignore_failure: true |
There was a problem hiding this comment.
Could you change this to ignore_missing?
packages/citrix_waf/data_stream/log/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
| required: false | ||
| show_user: false | ||
| default: | | ||
| #max_connections: 1 |
There was a problem hiding this comment.
One setting I recommend for both UDP and TCP is to include a max_message_size. IIRC the default value is like 20 MiB which is way too big and wastes memory.
There was a problem hiding this comment.
The WAF messages are fairly small, so I've suggested 10kB and also added a udp_options field.
There was a problem hiding this comment.
Sounds good. I suggest having that option uncommented so most users are using it by default when they enable this.
| show_user: false | ||
| default: | | ||
| max_message_size: 10KiB | ||
| read_buffer_size: 10KiB |
There was a problem hiding this comment.
I didn't find any evidence that this read_buffer_size parameter exists. Do you know where this is used in the code?
There was a problem hiding this comment.
This is used in the UDP package. Apparently it is useless there too. Nope, called read_buffer in beats.
What does this PR do?
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots