amiracle / homemonitor

Splunk app for home monitor

IPv6 with pfSense Broken #2

Closed (gsiemon closed this issue 8 years ago)

gsiemon commented 8 years ago

Hi, I've recently started playing with Splunk and came across your excellent Homemonitor app. I am using pfSense running V2.2.6. I have a dual stack network with native IPv6 along with IPv4.

I've found that Homemonitor doesn't correctly parse IPv6 data from the System Log due to the fact that the IPv4 and IPv6 syslog formats are different.

I found a thread on the splunk forums from mid 2015 where someone tried to raise this issue but it didn't go anywhere:

https://answers.splunk.com/answers/294585/does-the-home-monitor-app-provide-ipv6-support-for.html

The text below details the differences in the log entries.

Can you please address this in a future release? Ideally, it would be nice to be able to separate IPv4 and IPv6 traffic in the dashboards.

_pfSense Log Format for IPv4 and IPv6 traffic_

These fields are common to both IPv4 and IPv6:

- Rule Number
- Sub rule number
- Anchor
- Tracker - unique ID per rule, tracker ID is stored with the rule in config.xml for user added rules, or check /tmp/rules.debug
- Real interface (e.g. em0)
- Reason for the log entry (e.g. match)
- Action taken that resulted in the log entry (e.g. block, pass)
- Direction of the traffic (in/out)
- IP version (4 for IPv4, 6 for IPv6)

IPv4 then has:

- TOS
- ECN
- TTL
- ID
- Offset
- Flags
- Protocol ID
- Protocol text (tcp, udp, etc)

Whereas IPv6 has these fields:

- Class
- Flow Label
- Hop Limit
- Protocol
- Protocol ID

Both then have the following fields at the end:

- Length
- Source IP
- Destination IP

And then possibly the following:

For TCP and UDP (Proto ID 6 or 17) on IPv4 or IPv6:

- Source Port
- Destination Port
- Data Length

TCP Only:

- TCP Flags
- Sequence Number
- ACK
- Window
- URG
- Options

Details can be found here: https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
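The version-dependent layout described in this post, as an added example that is not part of the homemonitor app or of any poster's code: a small parser that splits a pfSense 2.2 filterlog line on the IP version first and on the protocol second, so the same src/dest fields come out for IPv4 and IPv6. The sample lines are constructed, and the `filterlog: ` prefix is assumed to be the syslog program name in front of the CSV payload.

```python
# Added example, not code from the homemonitor app: parse pfSense 2.2 filterlog
# lines by IP version and then by protocol, as the thread describes.
COMMON = ["rule", "subrule", "anchor", "tracker", "interface", "reason",
          "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto"]
IPV6 = ["class", "flow_label", "hop_limit", "proto", "proto_id"]
TAIL = ["length", "src_ip", "dest_ip"]
PORTS = ["src_port", "dest_port", "data_length"]        # TCP and UDP only
TCP = ["tcp_flags", "seq", "ack", "window", "urg", "options"]

# Constructed sample lines (not real traffic); IPv6 protocol names are upper case
SAMPLE_LINES = [
    "filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "192.0.2.10,198.51.100.5,54321,443,0,S,123456,,65535,,mss;sackOK;TS;nop;wscale",
    "filterlog: 5,16777216,,1000000103,em0,match,pass,out,6,0x00,0x00000,64,UDP,17,40,"
    "2001:db8::10,2001:db8::53,5353,5353,32",
    "filterlog: 5,16777216,,1000000103,em0,match,block,in,6,0x00,0x00000,255,"
    "ICMPv6,58,32,fe80::1,ff02::1",
]

def parse_filterlog(line: str) -> dict:
    """Map one filterlog line to named fields; raises ValueError on bad input."""
    # syslog prepends the program name, so keep only the CSV payload
    parts = line.split("filterlog: ", 1)[-1].strip().split(",")
    if len(parts) < len(COMMON):
        raise ValueError("too few fields")
    fields = dict(zip(COMMON, parts))
    rest = parts[len(COMMON):]
    # the header that follows the IP version differs in field count and order
    if fields["ip_version"] == "4":
        layout = IPV4
    elif fields["ip_version"] == "6":
        layout = IPV6
    else:
        raise ValueError(f"unknown IP version {fields['ip_version']!r}")
    for names in (layout, TAIL):
        fields.update(zip(names, rest))
        rest = rest[len(names):]
    if fields.get("proto_id") in ("6", "17"):    # only TCP/UDP carry ports
        fields.update(zip(PORTS, rest))
        rest = rest[len(PORTS):]
        if fields["proto_id"] == "6":
            fields.update(zip(TCP, rest))
    return fields

def flow_tuple(line: str) -> tuple:
    """src_ip, dest_ip, src_port, dest_port, proto: one shape for v4 and v6."""
    f = parse_filterlog(line)
    return (f["src_ip"], f["dest_ip"], f.get("src_port"), f.get("dest_port"),
            f["proto"].lower())   # fold UDP/udp into one category
```

Lower-casing the protocol text in `flow_tuple` is what keeps IPv6 `UDP` and IPv4 `udp` from showing up as two categories in a dashboard.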

amiracle commented 8 years ago

I'm going to look into this with my setup and start testing the IPv6 functionality within the existing dashboards and reports.

amiracle commented 8 years ago

I've created an alpha version (4.3.1) that has pfsense support with ipv6. We took the data coming from pfsense firewall and extracted the fields based on the IP version. Then, we extracted again based on the protocol. I was only able to test IPv6 and UDP since I don't have any TCP IPv6 traffic; I will need someone to test out that functionality. The alpha release can be found on the releases page: https://github.com/amiracle/homemonitor/releases/tag/4.3.1-alpha

amiracle commented 8 years ago

To install, first backup your current version of the app:

```
splunk:> tar czvf homemonitor.tgz $SPLUNK_HOME/etc/apps/homemonitor/
```

Once you have the compressed file, go ahead and overwrite the homemonitor directory with the binary found in the alpha release page.

This should now extract src_ip, dest_ip, src_port and dest_port for IPv6 traffic. So far, I was able to test this on UDP traffic and it worked; I don't have TCP traffic, so I need your help to validate the extractions. I'm sure it will break so if you can provide some sample entries, then I can work on it and get it to work.

amiracle commented 8 years ago

I just found a sample event and tried to set up the TCP extractions for IPv6. I cannot test it, but it should work. Please test it out and let me know. See the same 4.3.1 alpha release, I just updated it.

gsiemon commented 8 years ago

Hi, Thank you very much for the fast turnaround on this. I eventually got the alpha downloaded and extracted. I wasn't paying attention to your instructions and just cut and pasted. The c flag for tar creates a tar file so it wasn't extracting the files until I realised there was an error. Once I extracted the files correctly it installed OK.

From what I can see, IPv6 seems to be working OK (including IPv6 TCP traffic). The protocol by direction graph on the Home Network Overview no longer shows IPv6 addresses as protocols as it did in V4.2 when it was incorrectly parsing the syslog data. However, I now seem to have categories for udp and UDP, tcp and TCP, ICMPV6 and icmp. I'm assuming that the capitalised categories are IPv6. Is this correct? Could you perhaps make this a bit clearer?

A couple of other suggestions:

Thanks again.

amiracle commented 8 years ago

I will work on the new requests as additional enhancement requests. Let me close this issue and create a new one. I've been meaning to add a 'catch all' for local addresses and remove the subnet field altogether. Let me create the new issue and close this one for now.

amiracle commented 8 years ago

Lastly, yes, upper case protocols are IPv6 specific.