Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Netflow module v7.6 doesn’t support 4-7 byte pad in IPFIX template sets #18098

Closed
bortok opened this issue Apr 29, 2020 · 1 comment · Fixed by #19131
Closed

Netflow module v7.6 doesn’t support 4-7 byte pad in IPFIX template sets #18098

bortok opened this issue Apr 29, 2020 · 1 comment · Fixed by #19131
Assignees
@adriansr @marc-gr

Comments

@bortok
Copy link

bortok commented Apr 29, 2020

The Filebeat Netflow module ver 7.6 doesn't support 4-7 byte pad in template sets when parsing IPFIX. I have Ixia Vision E10S packet broker that can export IPFIX and the module is not compatible with the padding E10S uses for template with ID 256 - which is 4 byte long. Looking at the decoder.go code, maximum padding length allowed is 3 bytes:

140                 if buf.Len() < 4 {
141                         return templates, nil
142                 }

While RFC 7011, Section 3.3.1 allows Padding to be shorter than any allowable record in the set. The smallest allowable template record has a Record Header and at least one Field inside. This leads to minimum size of 8 bytes. Hence any bytes following a valid template in a set which are less than 8 should be unequivocally considered as pad.

I have two pcap files, one original which filebeat fails to parse, and another edited with padding removed. The original pcap causes the following error while parsing the template packet:

2020-04-20T13:29:32.605-0700 DEBUG  [netflow]              netflow/input.go:80        [ipfix] Unable to read V9 header: EOF
2020-04-20T13:29:32.605-0700 WARN   [netflow]              netflow/input.go:244     Error parsing NetFlow packet of length 138 from 172.20.100.132:47404: error reading header: EOF

While edited pcap works just fine

2020-04-20T14:51:39.583-0700 DEBUG  [netflow]              netflow/input.go:80        [ipfix] Packet from:172.20.100.132:43922 src:1 seq:438237
2020-04-20T14:51:39.583-0700 DEBUG  [netflow]              netflow/input.go:80        [ipfix] FlowSet ID 2 length 57
2020-04-20T14:51:39.583-0700 DEBUG  [netflow]              netflow/input.go:80        [ipfix] state 0xc0000c4740 addTemplate 256 0xc0000c4800
2020-04-20T14:51:39.583-0700 DEBUG  [netflow]              netflow/input.go:80        [ipfix] FlowSet ID 2 length 57
2020-04-20T14:51:39.583-0700 DEBUG  [netflow]              netflow/input.go:80        [ipfix] state 0xc0000c4740 addTemplate 257 0xc0000c4c80

Wireshark seem to have similar problem, as it interprets 4-byte padding as another template with ID=0.

Summary of my environment:

  • Version: 7.6
  • Operating System: Debian 10
  • Discuss Forum URL

Steps to Reproduce:

Enable netflow module

sudo filebeat modules enable netflow

Configure an available network interface with an IP used in the provided pcaps. This is what I have on my system

3: ens2f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:1e:67:6d:d0:7f brd ff:ff:ff:ff:ff:ff
    inet 172.20.100.132/24 brd 172.20.100.255 scope global dynamic ens2f1
       valid_lft 544sec preferred_lft 544sec

Configure netflow module in /etc/filebeat/modules.d/netflow.yml with the IP and port used in the provided pcaps

- module: netflow
  log:
    enabled: true
    var:
      netflow_host: 172.20.100.132
      netflow_port: 2055

Configure filebeat with console output in /etc/filebeat/filebeat.yml

output.console:
  pretty: true

Run filebeat in foreground with debug on

sudo filebeat -d netflow -e -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat

Replay original and fixed pcap files using udpreplay (change -i parameter to the NIC with 172.20.100.132):

sudo udpreplay -i ens2f1 -l e10s.netflow.orig.pcap
sudo udpreplay -i ens2f1 -l e10s.netflow.fixed.pcap

PCAP files
e10s.netflow.orig.pcap
e10s.netflow.fixed.pcap

Thanks!
Alex
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Apr 29, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 2, 2020
@adriansr adriansr self-assigned this May 4, 2020
@marc-gr marc-gr self-assigned this Jun 11, 2020
@marc-gr marc-gr mentioned this issue Jun 11, 2020
Merged
3 tasks
marc-gr added a commit to marc-gr/beats that referenced this issue Jun 12, 2020
@marc-gr
Support up to 7 bytepad for Netflow IPFIX template
2f8adcc 
Fixes elastic#18098
marc-gr added a commit that referenced this issue Jun 15, 2020
@marc-gr
Support up to 7 bytepad for Netflow IPFIX template (#19131)
fb94175 
Fixes #18098
@marc-gr marc-gr mentioned this issue Jun 15, 2020
Merged
3 tasks
marc-gr added a commit to marc-gr/beats that referenced this issue Jun 15, 2020
@marc-gr
Support up to 7 bytepad for Netflow IPFIX template (elastic#19131)
c681f16 
Fixes elastic#18098

(cherry picked from commit fb94175)
@marc-gr marc-gr mentioned this issue Jun 15, 2020
Merged
3 tasks
marc-gr added a commit to marc-gr/beats that referenced this issue Jun 15, 2020
@marc-gr
Support up to 7 bytepad for Netflow IPFIX template (elastic#19131)
d61819f 
Fixes elastic#18098

(cherry picked from commit fb94175)
@marc-gr marc-gr mentioned this issue Jun 15, 2020
Merged
3 tasks
marc-gr added a commit to marc-gr/beats that referenced this issue Jun 15, 2020
@marc-gr
Support up to 7 bytepad for Netflow IPFIX template (elastic#19131)
0ff09ac 
Generate golden file for 7.7

Fixes elastic#18098

(cherry picked from commit fb94175)
marc-gr added a commit that referenced this issue Jun 15, 2020
@marc-gr
Support up to 7 bytepad for Netflow IPFIX template (#19131) (#19189)
3c5b8cb 
Generate golden file for 7.7

Fixes #18098

(cherry picked from commit fb94175)
marc-gr added a commit that referenced this issue Jun 15, 2020
@marc-gr
Support up to 7 bytepad for Netflow IPFIX template (#19131) (#19191)
8e8a7a2 
Fixes #18098

(cherry picked from commit fb94175)
marc-gr added a commit that referenced this issue Jun 15, 2020
@marc-gr
Support up to 7 bytepad for Netflow IPFIX template (#19131) (#19190)
2535ca5 
Fixes #18098

(cherry picked from commit fb94175)
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this issue Oct 14, 2020
@marc-gr @melchiormoulin
Support up to 7 bytepad for Netflow IPFIX template (elastic#19131)
c7c1035 
Fixes elastic#18098
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
@marc-gr
Support up to 7 bytepad for Netflow IPFIX template (elastic#19131) (e…
a00fe6d 
…lastic#19189)

Generate golden file for 7.7

Fixes elastic#18098

(cherry picked from commit 6b28f97)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@adriansr adriansr

@marc-gr marc-gr

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[filebeat][netflow] Support up to 7 bytepad for Netflow IPFIX template marc-gr/beats
5 participants
@bortok @andresrc @adriansr @marc-gr @elasticmachine