
Normalization Effort: Part 1: Remove string ip fields **WIP** #734

3 changes: 0 additions & 3 deletions examples/demo/sampleData2MozDef.py
Expand Up @@ -145,7 +145,6 @@ def makeEvents():
if 'details' not in event.keys():
event['details'] = dict()
event['details']['sourceipaddress'] = randomIP
event['details']['sourceipv4address'] = randomIP

#print(event['timestamp'], event['tags'], event['summary'])

Expand Down Expand Up @@ -209,7 +208,6 @@ def makeAlerts():
if 'details' not in event.keys():
event['details'] = dict()
event['details']['sourceipaddress'] = randomIP
event['details']['sourceipv4address'] = randomIP

if 'duplicate' in event.keys():
# send this event multiple times to trigger an alert
Expand Down Expand Up @@ -278,7 +276,6 @@ def makeAttackers():
if 'details' not in event.keys():
event['details'] = dict()
event['details']['sourceipaddress'] = randomIP
event['details']['sourceipv4address'] = randomIP

if 'duplicate' in event.keys():
# send this event multiple times to trigger an alert
1 change: 0 additions & 1 deletion examples/demo/sampleevents/alertcreating-bro-intel.json
Expand Up @@ -18,7 +18,6 @@
"seenindicatortype": "HTTP::IN_X_FORWARDED_FOR_HEADER",
"destinationport": 443,
"sourceport": 58969,
"destinationipv4address": "0.0.82.27",
"severity": "NOTICE"
}
}
4 changes: 0 additions & 4 deletions examples/demo/sampleevents/events-logins-failure.json
Expand Up @@ -9,7 +9,6 @@
"details": {
"dn": "john@example.com,o=com,dc=example",
"success": false,
"sourceipv4address": "10.20.70.200",
"result": "LDAP_INVALID_CREDENTIALS",
"srcip": "10.20.0.200",
"sourceipaddress": "10.20.0.200"
Expand All @@ -25,7 +24,6 @@
"details": {
"dn": "bob@example.com,o=com,dc=example",
"success": false,
"sourceipv4address": "10.20.70.200",
"result": "LDAP_INVALID_CREDENTIALS",
"srcip": "10.20.0.200",
"sourceipaddress": "10.20.0.200"
Expand All @@ -41,7 +39,6 @@
"details": {
"dn": "mary@example.com,o=com,dc=example",
"success": false,
"sourceipv4address": "10.20.70.200",
"result": "LDAP_INVALID_CREDENTIALS",
"srcip": "10.20.0.200",
"sourceipaddress": "10.20.0.200"
Expand All @@ -57,7 +54,6 @@
"details": {
"dn": "sue@example.com,o=com,dc=example",
"success": false,
"sourceipv4address": "10.20.70.200",
"result": "LDAP_INVALID_CREDENTIALS",
"srcip": "10.20.0.200",
"sourceipaddress": "10.20.0.200"
4 changes: 1 addition & 3 deletions examples/demo/sampleevents/events-network.json
Expand Up @@ -7,7 +7,6 @@
"file": "networklogs",
"details": {
"protocol": "6",
"sourceipv4address": "10.2.2.59",
"payload": "",
"sourceipaddress": "10.2.2.59",
"service": "junos-https",
Expand All @@ -17,8 +16,7 @@
"policy": "any--any",
"destinationnatrule": "None",
"destinationipaddress": "63.245.215.25",
"destinationzone": "external",
"destinationipv4address": "63.245.215.25"
"destinationzone": "external"
}
},
{
12 changes: 0 additions & 12 deletions examples/es-docs/bro_intel.json
Expand Up @@ -18,12 +18,10 @@
"ts": "1405546326.853474",
"seenindicator": "0.0.139.213",
"sources": "CIF - need-to-know",
"sourceipv4address": "0.0.82.208",
"seenindicatortype": "HTTP::IN_X_FORWARDED_FOR_HEADER",
"destinationport": 443,
"sourceport": 58969,
"sourceipaddress": "0.0.82.208",
"destinationipv4address": "0.0.82.27",
"severity": "NOTICE"
}
},
Expand All @@ -46,12 +44,10 @@
"seenindicator": "0.0.139.213",
"ts": "1405546326.853474",
"sources": "CIF - need-to-know",
"sourceipv4address": "0.0.82.208",
"seenindicatortype": "HTTP::IN_X_FORWARDED_FOR_HEADER",
"destinationport": 443,
"sourceport": 13711,
"sourceipaddress": "0.0.82.208",
"destinationipv4address": "0.0.82.28",
"severity": "NOTICE"
}
},
Expand All @@ -74,12 +70,10 @@
"seenindicator": "0.0.139.213",
"ts": "1405546326.853474",
"sources": "CIF - need-to-know",
"sourceipv4address": "0.0.82.208",
"seenindicatortype": "HTTP::IN_X_FORWARDED_FOR_HEADER",
"destinationport": 443,
"sourceport": 13711,
"sourceipaddress": "0.0.82.208",
"destinationipv4address": "0.0.82.28",
"severity": "NOTICE"
}
},
Expand All @@ -102,12 +96,10 @@
"seenindicator": "0.0.139.213",
"ts": "1405546326.853474",
"sources": "CIF - need-to-know",
"sourceipv4address": "0.0.82.208",
"seenindicatortype": "HTTP::IN_X_FORWARDED_FOR_HEADER",
"destinationport": 443,
"sourceport": 13711,
"sourceipaddress": "0.0.82.208",
"destinationipv4address": "0.0.82.28",
"severity": "NOTICE"
}
},
Expand All @@ -130,12 +122,10 @@
"seenindicator": "0.0.139.213",
"ts": "1405546326.853474",
"sources": "CIF - need-to-know",
"sourceipv4address": "0.0.82.208",
"seenindicatortype": "HTTP::IN_X_FORWARDED_FOR_HEADER",
"destinationport": 443,
"sourceport": 13711,
"sourceipaddress": "0.0.82.208",
"destinationipv4address": "0.0.82.28",
"severity": "NOTICE"
}
},
Expand All @@ -158,12 +148,10 @@
"seenindicator": "0.0.139.213",
"ts": "1405546326.853474",
"sources": "CIF - need-to-know",
"sourceipv4address": "0.0.82.208",
"seenindicatortype": "HTTP::IN_X_FORWARDED_FOR_HEADER",
"destinationport": 443,
"sourceport": 13711,
"sourceipaddress": "0.0.82.208",
"destinationipv4address": "0.0.82.28",
"severity": "NOTICE"
}
}
3 changes: 0 additions & 3 deletions examples/es-docs/bruteforce_ssh.json
Expand Up @@ -11,7 +11,6 @@
"eventsource": "systemslogs",
"details": {
"processid": "",
"sourceipv4address": "0.0.72.113",
"timestamp": "Jul 17 14:00:13",
"hostname": "example.com",
"program": "sshd",
Expand Down Expand Up @@ -46,7 +45,6 @@
"eventsource": "systemslogs",
"details": {
"processid": "",
"sourceipv4address": "0.0.72.113",
"timestamp": "Jul 17 14:00:10",
"hostname": "example.com",
"program": "sshd",
Expand Down Expand Up @@ -81,7 +79,6 @@
"eventsource": "systemslogs",
"details": {
"processid": "",
"sourceipv4address": "0.0.72.113",
"timestamp": "Jul 17 14:00:07",
"hostname": "example.com",
"program": "sshd",
1 change: 0 additions & 1 deletion examples/es-docs/fail2ban.json
Expand Up @@ -11,7 +11,6 @@
"eventsource": "systemslogs",
"details": {
"processid": "",
"sourceipv4address": "0.0.141.210",
"timestamp": "Jul 17 15:57:16",
"hostname": "pbx1",
"program": "fail2ban",
17 changes: 6 additions & 11 deletions mq/plugins/broFixup.py
Expand Up @@ -386,31 +386,26 @@ def onMessage(self, message, metadata):
newmessage[u'details'][u'indicators'].append(newmessage[u'details'][u'src'])
# If details.src is present overwrite the source IP address with it
newmessage[u'details'][u'sourceipaddress'] = newmessage[u'details'][u'src']
newmessage[u'details'][u'sourceipv4address'] = newmessage[u'details'][u'src']
if isIPv6(newmessage[u'details'][u'src']):
newmessage[u'details'][u'indicators'].append(newmessage[u'details'][u'src'])
# If details.src is present overwrite the source IP address with it
newmessage[u'details'][u'sourceipv6address'] = newmessage[u'details'][u'src']
newmessage[u'details'][u'sourceipaddress'] = newmessage[u'details'][u'src']
del newmessage[u'details'][u'src']
sumstruct = {}
sumstruct['note'] = newmessage['details'][u'note']
if 'sourceipv6address' in newmessage['details']:
sumstruct['src'] = newmessage['details']['sourceipv6address']
if 'sourceipaddress' in newmessage['details']:
sumstruct['src'] = newmessage['details']['sourceipaddress']
else:
if 'sourceipv4address' in newmessage['details']:
sumstruct['src'] = newmessage['details']['sourceipv4address']
else:
sumstruct['src'] = u'unknown'
sumstruct['src'] = u'0.0.0.0'
if 'dst' in newmessage['details']:
sumstruct['dst'] = newmessage['details']['dst']
del(newmessage[u'details'][u'dst'])
if isIPv4(sumstruct[u'dst']):
newmessage['details'][u'destinationipaddress'] = sumstruct['dst']
newmessage['details'][u'destinationipv4address'] = sumstruct['dst']
if isIPv6(sumstruct[u'dst']):
newmessage['details'][u'destinationipv6address'] = sumstruct['dst']
newmessage['details'][u'destinationipaddress'] = sumstruct['dst']
else:
sumstruct['dst'] = u'unknown'
sumstruct['dst'] = u'0.0.0.0'
if 'p' in newmessage['details']:
sumstruct['p'] = newmessage['details']['p']
else:
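Review bot: The new fallbacks `sumstruct['src'] = u'0.0.0.0'` and `sumstruct['dst'] = u'0.0.0.0'` make a missing address indistinguishable from a genuine 0.0.0.0, which does occur as a real source in network logs (bind-all sockets, DHCP discovery), and the same placeholder is newly written into `details.sourceipaddress`/`details.destinationipaddress` for non-IP values in mq/plugins/ipFixup.py and already used in mq/plugins/fluentdSqsFixup.py. Any alert that groups or counts by these fields will then aggregate every unparseable event under one address, so a noisy source of malformed events can look like a single host. If the placeholder exists only to satisfy an ip-typed mapping (which I infer, not something the hunk shows), say so at the point of assignment, e.g. `# 0.0.0.0 is a sentinel for "no parseable address"; do not treat it as a real host`, and consider leaving the summary value as a non-address marker instead. onMessage starts before this hunk and continues after it.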
9 changes: 3 additions & 6 deletions mq/plugins/fluentdSqsFixup.py
Expand Up @@ -66,21 +66,18 @@ def onMessage(self, message, metadata):

# host is used to store dns-style-ip entries in AWS, for ex
# ip-10-162-8-26 is 10.162.8.26. obviously there is no strong guarantee
# that this is always trusted. It's better than nothing though. At the
# time of writing, there is no ipv6 support AWS-side for this kind of
# field. It may be overridden later by a better field, if any exists
# that this is always trusted. It's better than nothing though. As of
# 2018, AWS does not provide ipv6 DNS style hostnames for ipv6 instances.
# It may be overridden later by a better field, if this changes.
if 'host' in message.keys():
tmp = message['host']
if tmp.startswith('ip-'):
ipText = tmp.split('ip-')[1].replace('-', '.')
if isIPv4(ipText):
if 'destinationipaddress' not in message.keys():
message['details']['destinationipaddress'] = ipText
if 'destinationipv4address' not in message.keys():
message['details']['destinationipv4address'] = ipText
else:
message['details']['destinationipaddress'] = '0.0.0.0'
message['details']['destinationipv4address'] = '0.0.0.0'
addError(message,
'plugin: {0} error: {1}:{2}'.format(
'fluentSqsFixUp.py',
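Review bot: The guard `if 'destinationipaddress' not in message.keys():` tests the top-level message, but the write on the next line goes to `message['details']`, so an existing `details.destinationipaddress` is silently overwritten by the value derived from the `ip-…` hostname that the rewritten comment itself describes as not strongly trusted; it should read `if 'destinationipaddress' not in message['details'].keys():`. The commit drops the parallel ipv4address lines but leaves this guard as it was, so the overwrite survives the normalization. onMessage begins before the hunk and continues after it.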
50 changes: 13 additions & 37 deletions mq/plugins/ipFixup.py
Expand Up @@ -45,15 +45,9 @@ def onMessage(self, message, metadata):
ipv6 in an ipv4 field
ipv4 in another field
'-' or other invalid ip in the ip field
Also sets ipv4 in two fields:
ipaddress (decimal mapping IP)
ipv4address (string mapping)
Elastic search is inconsistent about returning IPs as
decimal or IPs.
In a query an IP field is returned as string.
In a facets an IP field is returned as decimal.
No ES field type exists for ipv6, so always having
a string version is the most flexible option.
Sets two ip fields since ES now supports ipv6:
sourceipaddress (decimal mapping IP)
destinationipaddress (decimal mapping IP)
'''

if 'details' in message.keys():
Expand All @@ -64,67 +58,49 @@ def onMessage(self, message, metadata):
ipText = message['details']['http_x_forwarded_for'].split(',')[0]
if isIPv4(ipText) and 'sourceipaddress' not in message['details'].keys():
message['details']['sourceipaddress'] = ipText
if isIPv4(ipText) and 'sourceipv4address' not in message['details'].keys():
message['details']['sourceipv4address'] = ipText
if isIPv6(ipText) and 'sourceipv6address' not in message['details'].keys():
message['details']['sourceipv6address'] = ipText
if isIPv6(ipText) and 'sourceipaddress' not in message['details'].keys():
message['details']['sourceipaddress'] = ipText

if 'sourceipaddress' in message['details'].keys():
ipText = message['details']['sourceipaddress']
if isIPv6(ipText):
message['details']['sourceipv6address'] = ipText
message['details']['sourceipaddress'] = '0.0.0.0'
addError(message, 'plugin: {0} error: {1}'.format('ipFixUp.py', 'sourceipaddress is ipv6, moved'))
elif isIPv4(ipText):
message['details']['sourceipv4address'] = ipText
else:
if not (isIPv6(ipText) or isIPv4(ipText)):
# Smells like a hostname, let's save it as source field
message['details']['source'] = message['details']['sourceipaddress']
message['details']['sourceipaddress'] = None
message['details']['sourceipaddress'] = '0.0.0.0'

if 'destinationipaddress' in message['details'].keys():
ipText = message['details']['destinationipaddress']
if isIPv6(ipText):
message['details']['destinationipv6address'] = ipText
message['details']['destinationipaddress'] = '0.0.0.0'
addError(message, 'plugin: {0} error: {1}'.format('ipFixUp.py', 'destinationipaddress is ipv6, moved'))
elif isIPv4(ipText):
message['details']['destinationipv4address'] = ipText
else:
if not (isIPv6(ipText) or isIPv4(ipText)):
# Smells like a hostname, let's save it as destination field
message['details']['destination'] = message['details']['destinationipaddress']
message['details']['destinationipaddress'] = None
message['details']['destinationipaddress'] = '0.0.0.0'

if 'src' in message['details'].keys():
ipText = message['details']['src']
if isIPv4(ipText):
message['details']['sourceipaddress'] = ipText
message['details']['sourceipv4address'] = ipText
if isIPv6(ipText):
message['details']['sourceipv6address'] = ipText
message['details']['sourceipaddress'] = ipText

if 'srcip' in message['details'].keys():
ipText = message['details']['srcip']
if isIPv4(ipText):
message['details']['sourceipaddress'] = ipText
message['details']['sourceipv4address'] = ipText
if isIPv6(ipText):
message['details']['sourceipv6address'] = ipText
message['details']['sourceipaddress'] = ipText
if 'dst' in message['details'].keys():
ipText = message['details']['dst']
if isIPv4(ipText):
message['details']['destinationipaddress'] = ipText
message['details']['destinationipv4address'] = ipText
if isIPv6(ipText):
message['details']['destinationipv6address'] = ipText
message['details']['destinationipaddress'] = ipText

if 'dstip' in message['details'].keys():
ipText = message['details']['dstip']
if isIPv4(ipText):
message['details']['destinationipaddress'] = ipText
message['details']['destinationipv4address'] = ipText
if isIPv6(ipText):
message['details']['destinationipv6address'] = ipText
message['details']['destinationipaddress'] = ipText

if 'cluster_client_ip' in message['details'].keys():
ipText = message['details']['cluster_client_ip']
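Review bot: The rewritten docstring lines `sourceipaddress (decimal mapping IP)` and `destinationipaddress (decimal mapping IP)` keep the old "decimal mapping" wording while the code below now stores the IPv4 or IPv6 text as-is, and the list above them still promises to fix `ipv6 in an ipv4 field`, which the second hunk no longer does (an IPv6 value now stays in `sourceipaddress` and the addError call for that case is removed). The docstring also says nothing about the `message['details']['source'] = ...` / `message['details']['destination'] = ...` branches, where a non-IP value is moved aside and the ip field is set to `'0.0.0.0'`. I would replace the three new lines with a short statement that both ip fields hold either address family as a string, that non-IP values are moved to `source`/`destination`, and what `'0.0.0.0'` stands for. Separately, the `http_x_forwarded_for` branch promotes the first element of a client-supplied header to `sourceipaddress`; a comment such as `# X-Forwarded-For is client-controlled; only meaningful behind a trusted proxy` would help whoever builds detections on this field. onMessage starts before this hunk and continues after it.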