[checkpoint] Expand and fix IANA number handling #13568
Conversation
andrewkroh
added
Integration:checkpoint
|
Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices) |
taylor-swanson
changed the title
| @@ -799,7 +799,9 @@ processors: | |||
| if: ctx?.network?.iana_number != null | |||
| source: | | |||
| def iana_number = ctx.network.iana_number; | |||
| if (iana_number == '0') { | |||
| if (iana_number == '0' && ctx.source?.ip == '0.0.0.0') { | |||
There was a problem hiding this comment.
Will source IP always be 0.0.0.0 or could it be any other IP address in this situation?
There was a problem hiding this comment.
Will source IP always be
0.0.0.0or could it be any other IP address in this situation?
It's the only observed occurrance. I could not determine other cases where iana_number was "0". checkpoint.service (translated to destination.port), checkpoint.s_port (translated to source.port) are also "0" in the observed cases but I chose source.ip as it clearly shows we are dealing with IPv4. dst is also "0.0.0.0"
There was a problem hiding this comment.
I'm currently trying to figure out how to handle service (iana_number) = 4294967295 (2^32-1) (that denotes a port scan apparently). s_port can be "0" with multiple services.
There was a problem hiding this comment.
My concern around the IP is mostly if we get something that isn't 0.0.0.0 and it skips over that if branch since it didn't match. I don't know enough about the product to know if it will always use 0.0.0.0 for this case, hence my hesitation. It would be easier to test for the IPv6 case, since you just need to test if a colon (:) exists in the IP.
Something like this:
if (ctx.source?.ip?.contains(':') && iana_number == '0') {
ctx.network.transport = 'hopopt';
} else if (iana_number == '1') {
I probably wouldn't even bother with setting ip for the alternate case, since ip is both not a transport protocol and isn't a registered IANA protocol. Letting the default case handle it would probably be just as effective.
There was a problem hiding this comment.
I changed the handling in your sense and added handling of "iana_number" 4294967295. setting "iana_number" to null is simply a placeholder as the "if else" can not be empty apparently and "iana_number" is no longer used after this point.
I do not know how to craft those and probably do not have the rights to do it. |
There was a problem hiding this comment.
I do not know how to craft those and probably do not have the rights to do it.
You absolutely can!
Basically, you just need to drop in a few logs that test the various cases into data_stream/firewall/_dev/test/pipeline (test-checkpoint.log) and run the pipeline tests with the generate flag:
cd packages/checkpoint
elastic-package test pipeline -v -g
Verify the newly added lines in the corresponding expected file (test-checkpoint.log-expected.json), then commit everything.
If you don't have elastic-package set up with a stack (I highly recommend you do), I can add this for you, but I do request those logs. I can see at least 4 logs:
- iana_number 0 and an IPv4 address (0.0.0.0 is fine)
- iana_number 0 and an IPv6 address
- iana_number 114
- iana_number not explicitly handled
| @@ -799,7 +799,9 @@ processors: | |||
| if: ctx?.network?.iana_number != null | |||
| source: | | |||
| def iana_number = ctx.network.iana_number; | |||
| if (iana_number == '0') { | |||
| if (iana_number == '0' && ctx.source?.ip == '0.0.0.0') { | |||
There was a problem hiding this comment.
My concern around the IP is mostly if we get something that isn't 0.0.0.0 and it skips over that if branch since it didn't match. I don't know enough about the product to know if it will always use 0.0.0.0 for this case, hence my hesitation. It would be easier to test for the IPv6 case, since you just need to test if a colon (:) exists in the IP.
Something like this:
if (ctx.source?.ip?.contains(':') && iana_number == '0') {
ctx.network.transport = 'hopopt';
} else if (iana_number == '1') {
I probably wouldn't even bother with setting ip for the alternate case, since ip is both not a transport protocol and isn't a registered IANA protocol. Letting the default case handle it would probably be just as effective.
add IPv6 detection, leave proto "0" to the default case. exclude proto = "4294967295", which denotes a detected port scan.
| } else if (iana_number == '132') { | ||
| ctx.network.transport = 'sctp'; | ||
| } else if (iana_number == '4294967295') { |
There was a problem hiding this comment.
Do nothing. "4294967295" is not a protocol number and apparently a placeholder in case of a port scan. Therefore do not fill network.transport with this number.
| @@ -285,6 +285,7 @@ processors: | |||
| type: long | |||
| ignore_failure: true | |||
| ignore_missing: true | |||
| if: "ctx?.destination?.port != '4294967295'" | |||
There was a problem hiding this comment.
This is clearly not a port in the networking sense. This is set as a placeholder if there is a port scan.
|
@taylor-swanson I added two test cases, dereived from real logs to packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log Is that correct and sufficient? |
|
/test |
| @@ -285,6 +285,7 @@ processors: | |||
| type: long | |||
| ignore_failure: true | |||
| ignore_missing: true | |||
| if: "ctx?.destination?.port != '4294967295'" | |||
There was a problem hiding this comment.
| if: "ctx?.destination?.port != '4294967295'" | |
| if: "ctx.checkpoint?.service != '4294967295'" |
I can not do this, as I do not have a complete build environment on my computer. I take it, this is not integrated into this build environment here in github? |
- Bump version to next minor, since this is an enhancement and includes a new field addition - Fix if statement - Generate expected test file - Add new field for 'source' - Update readme
No worries, I can make the changes. |
|
/test |
🚀 Benchmarks reportTo see the full report comment with |
|
💚 Build Succeeded
History
|
|
Package checkpoint - 1.40.0 containing this change is available at https://epr.elastic.co/package/checkpoint/1.40.0/ |
- Add handling of IANA protocol number 114.
- Add handling of unknown IANA numbers. When no protocol.transport is set, dashboards for this integration simply do not show the traffic for that protocol. With adding the number as a fallback, these show up now.
- Fix recognition of IANA protocol number 0. IANA protocol number 0 only translates to "hopopt" if the underlying protocol is IPv6. For IPv4 the number "0" is undefined ("reserved") and according to "/etc/protocols" in most Linux distributions is recognized to denote the internet protocol v4 itself. Labeling protocol number 0 as "hopopt" in general is therefore wrong.
Proposed commit message
Add handling of IANA protocol number 114.
Add handling of unknown IANA numbers. When no protocol.transport is set, dashboards for this integration simply do not show the traffic for that protocol. With adding the number as a fallback, these show up now.
Fix recognition of IANA protocol number 0. IANA protocol number 0 only translates to "hopopt" if the underlying protocol is IPv6. For IPv4 the number "0" is undefined ("reserved") and according to "/etc/protocols" in most Linux distributions is recognized to denote the internet protocol v4 itself. Labeling protocol number 0 as "hopopt" in general is therefore wrong.
Checklist
changelog.ymlfile.How to test this PR locally
Open the dasboard "[Check Point] Time and Traffic" and look at the box "Transport". If you see numeric protocols, these are now visible.