Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Processors] Add named range to network condition for host's IPs #29267

Closed
a03nikki opened this issue Dec 3, 2021 · 3 comments
Closed

[Processors] Add named range to network condition for host's IPs #29267

a03nikki opened this issue Dec 3, 2021 · 3 comments
Labels
libbeat :Processors Stalled Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team

Comments

@a03nikki
Copy link

a03nikki commented Dec 3, 2021
edited
Loading

Describe the enhancement:

https://www.elastic.co/guide/en/beats/auditbeat/7.15/defining-processors.html#condition-network

network
The network condition checks if the field is in a certain IP network range. Both IPv4 and IPv6 addresses are supported. The network range may be specified using CIDR notation, like "192.0.2.0/24" or "2001:db8::/32", or by using one of these named ranges:
...

It would be great if we could have a named range for the IP addresses assigned to a host.

Describe a specific use case for the enhancement or feature:

It would be great if we could exclude (aka drop_event) not only the process communication on the loopback addresses (aka localhost) but communication between processes using the local host's IP address.

For example, host_ip would exclude the host's IP address is 172.16.3.17 (which would be 172.16.3.17/32 by CIDR notation I believe):

processors:
  - drop_event:
      when:
        network:
          destination.ip: [loopback, host_ip]

A work around could be #29266 or #29269, if we could compare source and destination IP addresses on events shipped by the Beats. Another work around would be to manually add the host's IPs using config management tool (e.g. Puppet, Ansible, etc.) to add the ranges such as 172.16.3.17/32 to the list.
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 3, 2021
@jsoriano jsoriano added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Dec 9, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 9, 2021
@legoguy1000
Copy link
Contributor

loopback is already included

beats/libbeat/conditions/network.go

Line 46 in 055798a

"loopback": func(ip net.IP) bool { return ip.IsLoopback() },
. other host ips not yet.

@botelastic
Copy link

botelastic bot commented Jan 18, 2023

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Jan 18, 2023
@botelastic botelastic bot closed this as completed Jul 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
libbeat :Processors Stalled Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jsoriano @a03nikki @legoguy1000 @elasticmachine