Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

grok pattern IPTABLES does not always match #316

Open
jdelker opened this issue Aug 6, 2022 · 3 comments · May be fixed by #318
Open

grok pattern IPTABLES does not always match #316

jdelker opened this issue Aug 6, 2022 · 3 comments · May be fixed by #318
Labels
bug

Comments

@jdelker
Copy link

jdelker commented Aug 6, 2022

This applies to logstash-patterns-core 4.3.4:

The provided grok pattern for IPTABLES in patterns/ecs-v1/firewalls is incomplete and does not match all variants.
Obviously that applies for logged ICMP packages, which show less attributes (missing SPT, DPT, ...).

The following message does not match `%{IPTABLES}':

IN=eth6 OUT=eth1.13 MAC=00:1a:8c:17:da:4e:30:e4:db:34:88:31:08:00 SRC=1.2.3.4 DST=5.6.7.8 LEN=578 TOS=0x00 PREC=0x00 TTL=49 ID=29312 DF PROTO=47

Reason: The IPTABLES pattern expects SPT and DPT fields, which are not present for ICMP packets.

Suggestion for corrected pattern:

IPTABLES IN=(?:%{NOTSPACE:[observer][ingress][interface][name]})?\s+OUT=(?:%{NOTSPACE:[observer][egress][interface][name]})?\s+(?:MAC=(?:%{COMMONMAC:[destination][mac]})?(?::%{COMMONMAC:[source][mac]})?(?::[A-Fa-f0-9]{2}:[A-Fa-f0-9]{2})?\s+)?(:?%{IPTABLES4_PART}|%{IPTABLES6_PART}).*?PROTO=(?:%{WORD:[network][transport]})?(?:\s+SPT=(?:%{INT:[source][port]:int})?\s+DPT=(?:%{INT:[destination][port]:int})?\s+(?:%{IPTABLES_TCP_PART})?)?

This basically makes everything after PROTO optional.
@jdelker jdelker added the bug label Aug 6, 2022
@jsvd
Copy link
Member

jsvd commented Aug 10, 2022

Hi @jdelker, any chance you could submit a PR, adding the fix to the regex and using your example line as a test?
You can see a couple of example PRs that do a similar task (fix + add or update tests) here: https://github.com/logstash-plugins/logstash-patterns-core/pull/313/files and https://github.com/logstash-plugins/logstash-patterns-core/pull/311/files

@jdelker
Copy link
Author

jdelker commented Aug 11, 2022

I'm sorry, @jsvd. While I respect your request - and generally like to contribute - I'm not into Ruby at all.
Providing a diff for the ecs-v1 pattern is no problem (basically it's exchanging the provided line above), but coding the particular test is beyond what I can provide.

@jsvd
Copy link
Member

jsvd commented Aug 12, 2022

@jdelker that's ok, can I ask you to just create a PR with the change to the grok pattern so that we can attribute this change to you? I'll carry it forward from there.

@jdelker jdelker linked a pull request Aug 13, 2022 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fixed IPTABLES pattern jdelker/logstash-patterns-core
2 participants
@jsvd @jdelker