elastic / logstash

Logstash - transport and process your logs, events, or other data
https://www.elastic.co/products/logstash

Network layer IP spoofing (filter? mutate?) #4715

Open pickworth opened 8 years ago

pickworth commented 8 years ago

Hi All,

I would like to see this feature implemented, where Logstash can "spoof" the source IP address sent in the network-layer packet.

Is this hard to implement? I know that you can accomplish this using iptables on Linux (and WinPcap on Windows). iptables is not the right solution though, because I need to apply logic (conditional statements) in the filter. Maybe this could be implemented in the "mutate" filter, or something similar.

The problem is that the device would identify all traffic as coming from the Logstash server instead of the originating host. The purpose of this feature would be that other devices on the other side of the output pipe see the traffic as coming from the spoofed IP and not the actual IP of the Logstash server.

This feature is present in a product called "Kiwi Syslog" (described at the bottom of this page http://www.kiwisyslog.com/help/syslog/index.html?action_forward_to_another_host.htm )

I'm working on a big proposal to replace Kiwi Syslog with the ELK(B) stack, and this is a required feature.

andrewvc commented 8 years ago

Hi @nmors , that's too tricky to do in a cross-platform way. The best thing to do here is to configure IP tables on the box itself.

andrewvc commented 8 years ago

@nmors can you fill us in a bit more as to why you need this? What's your business use case?

jordansissel commented 8 years ago

From an implementation perspective, I'm not sure how useful this is. In many cases, spoofing only works for connectionless protocols (ICMP, UDP, etc), so anything using TCP would probably fail in this area. Sending crafted IP-layer packets requires root/administrative privilege, and one should never run Logstash with such permissions. I agree with @andrewvc that iptables (if on Linux) may be the best solution to mess with network packets.

jordansissel commented 8 years ago

ping @nmors? :)

pickworth commented 8 years ago

Sorry, I had been waiting until I could speak with the client that needs this. I had a meeting with them which let me understand more, and I have also spoken with Symantec regarding the issue. They are forwarding logs to a Symantec product. It's essentially a black box which forwards the logs again to their SOC for analysis. In the case where their parser does not 'understand' the originating host from the syslog message itself, using 'signatures', it falls back to using the source IP of the network packet. The client is currently using Kiwi Syslog to work around this on Windows, which utilizes WinPcap to spoof the packets, and yes, they are using UDP.

I'm all for best practices, but the only solution I can offer is to use iptables SNAT rules which watch for traffic on 20-odd ports locally, munge the packets, then ship them off. This also involves 20 if statements in Logstash and 20 outputs going to different ports in order for iptables to understand what to do. There is probably a better way to do it, but this is the way I designed the proof of concept. A very hacky solution. And who knows if those 20 devices will grow to 50 in a few years. Not very scalable or elegant at all.

I'm trying to pitch to the client the replacement of their existing Kiwi Syslog infrastructure with ELK. It's just a shame that it is not a "drop-in" replacement :)
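The comment above says the downstream parser only falls back to the packet's source IP when it cannot read the originating host from the syslog message itself. The pipeline below, written for this thread and not taken from the Logstash project or from any commenter, shows the non-spoofing way to cover that case: it makes sure every forwarded line carries the originating host in its RFC 3164 header, so the downstream box never needs to look at the packet source address and Logstash never needs raw-socket privileges or per-port iptables rules. It assumes a Logstash 2.x-era udp input that records the sender address in the `host` field, an assumed collector address `collector.example.internal`, and that the devices speak RFC 3164-style syslog; the field names `syslog_pri`, `syslog_timestamp`, `syslog_hostname` and `syslog_body` are arbitrary choices for this example.

```logstash
input {
  udp {
    port => 5514
    type => "syslog"
  }
}

filter {
  # RFC 3164 header: <PRI>TIMESTAMP HOSTNAME BODY
  grok {
    match => { "message" => "^<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_body}$" }
    tag_on_failure => ["_syslog_header_unparsed"]
  }

  # Devices that omit HOSTNAME are the ones that would trigger the downstream
  # fallback to the packet source IP. Rebuild their header from the datagram's
  # sender address, which the udp input stores in [host] (assumed field name).
  if "_syslog_header_unparsed" in [tags] {
    grok {
      match => { "message" => "^<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{GREEDYDATA:syslog_body}$" }
    }
    mutate {
      add_field => { "syslog_hostname" => "%{host}" }
    }
  }

  # Re-serialise so the forwarded line always names the originating host.
  mutate {
    replace => { "message" => "<%{syslog_pri}>%{syslog_timestamp} %{syslog_hostname} %{syslog_body}" }
  }
}

output {
  udp {
    host  => "collector.example.internal"   # assumed downstream appliance
    port  => 514
    codec => line { format => "%{message}" }
  }
}
```

Because the host is carried inside the message, adding a 21st or 50th device means nothing more than pointing it at the same input port; there is no per-device conditional or output to maintain, and the packets leaving Logstash are honestly sourced from the Logstash host, which keeps the forwarding path auditable from the network side.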

alesnav commented 6 years ago

I have added some info to this issue located in logstash-output-udp.

Maybe it helps to implement this new functionality.

Thanks