Security-Onion-Solutions / securityonion

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
https://securityonion.net

Investigate if it's possible to have Zeek include tunnel IPs and internal IPs for VXLAN packets #807

Closed jertel closed 4 years ago

jertel commented 4 years ago

From Wes:

One way to handle VXLAN pcaps from conn logs with inner ip:

Each conn log that is associated with a tunnel has a log.id.tunnel_parents field, which is represented as log.id.uid in the actual tunnel log.

The idea is to check if log.id.tunnel_parents is in our original response from Elasticsearch. If so, query for that, and for a conn log with service type of vxlan (the conn log containing the outer ips), then parse that and use it for the BPF/Steno query.

Pseudocode below:

    # inner conn log: tunnel_parents names the tunnel conn log(s) it rode in
    tunnel_parents = elastic_response[_source][log.id.tunnel_parents]
    if tunnel_parents:
      # look up the parent conn log, i.e. the one carrying the outer IPs
      es_query_vxlan = log.id.uid:tunnel_parents[0] AND event.dataset:conn AND (network.protocol:vxlan OR tunnel.type:Tunnel\:\:VXLAN)
      if es_query_vxlan_response:
        # outer endpoints, used for the BPF/Steno query
        destination_ip = es_query_vxlan_response[_source][destination.ip]
        destination_port = es_query_vxlan_response[_source][destination.port]
        source_ip = es_query_vxlan_response[_source][source.ip]
        source_port = es_query_vxlan_response[_source][source.port]

Could also be more generic (take off network.protocol:vxlan OR tunnel.type:Tunnel\:\:VXLAN) if we want to do this with ALL tunnel types.
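A worked version of the lookup described above, added here as an example and not code from Security Onion or from Wes; the Elasticsearch round trip is replaced by a search over constructed sample documents, and the nested field layout, the `all_tunnels` switch and the BPF wording are assumptions.

```python
# Added example, not Security Onion code. Constructed ES hits: the inner flow
# (carrying tunnel_parents) and its VXLAN parent conn log (the outer IPs).
SAMPLE_DOCS = [
    {"_source": {"log": {"id": {"uid": "CInner1", "tunnel_parents": ["CTunnel1"]}},
                 "event": {"dataset": "conn"},
                 "source": {"ip": "10.1.1.5", "port": 51234},
                 "destination": {"ip": "10.2.2.9", "port": 443}}},
    {"_source": {"log": {"id": {"uid": "CTunnel1", "tunnel_parents": []}},
                 "event": {"dataset": "conn"},
                 "network": {"protocol": "vxlan"},
                 "tunnel": {"type": "Tunnel::VXLAN"},
                 "source": {"ip": "192.0.2.10", "port": 4789},
                 "destination": {"ip": "192.0.2.20", "port": 4789}}},
]

def build_vxlan_query(parent_uid, all_tunnels=False):
    """Lucene query for the parent conn log as in the issue; all_tunnels drops the VXLAN clause."""
    query = f"log.id.uid:{parent_uid} AND event.dataset:conn"
    if not all_tunnels:
        query += r" AND (network.protocol:vxlan OR tunnel.type:Tunnel\:\:VXLAN)"
    return query

def find_parent_conn(docs, parent_uid, all_tunnels=False):
    """Stand-in for the Elasticsearch round trip: same criteria applied locally; _source or None."""
    for doc in docs:
        src = doc["_source"]
        if src["log"]["id"]["uid"] != parent_uid or src["event"]["dataset"] != "conn":
            continue
        is_vxlan = (src.get("network", {}).get("protocol") == "vxlan"
                    or src.get("tunnel", {}).get("type") == "Tunnel::VXLAN")
        if all_tunnels or is_vxlan:
            return src
    return None

def outer_endpoints(hit, docs, all_tunnels=False):
    """(src_ip, src_port, dst_ip, dst_port) for the PCAP query: outer tunnel endpoints if a parent is found, else the hit's own."""
    src = hit["_source"]
    parents = src["log"]["id"].get("tunnel_parents") or []
    parent = find_parent_conn(docs, parents[0], all_tunnels) if parents else None
    if parent is not None:
        src = parent
    return (src["source"]["ip"], src["source"]["port"],
            src["destination"]["ip"], src["destination"]["port"])

def bpf_filter(endpoints):
    """BPF expression for the chosen endpoints (the issue's BPF/Steno query step)."""
    src_ip, src_port, dst_ip, dst_port = endpoints
    return f"host {src_ip} and port {src_port} and host {dst_ip} and port {dst_port}"
```

A hit whose tunnel_parents points at a uid that is not found falls back to its own (inner) endpoints rather than failing.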

jertel commented 4 years ago

This is implemented, however there's a known risk that long-running tunnels could result in very large PCAPs. Additional filtering criteria can be defined in a new issue, if this becomes an issue.