Skip to content

Commit

Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
f5_bigip: handle x_forwarded_for_header_value fields with multiple IP…
Browse files Browse the repository at this point in the history
… addresses (elastic#10718)
efd6 authored and James Valente committed Aug 21, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
1 parent ffdfd44 commit 20de2fe
Showing 7 changed files with 175 additions and 26 deletions.
5 changes: 5 additions & 0 deletions packages/f5_bigip/changelog.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.19.0"
changes:
- description: Handle `x_forwarded_for_header_value` fields with multiple IP addresses.
type: enhancement
link: https://github.com/elastic/integrations/pull/10718
- version: "1.18.1"
changes:
- description: Update event.kind values based on severity.
Original file line number Diff line number Diff line change
@@ -2,3 +2,4 @@
{"hostname":"hostname","management_ip_address":"10.0.1.4","management_ip_address_2":"","http_class_name":"/Common/app.app/app_policy","web_application_name":"/Common/app.app/app_policy","policy_name":"/Common/app.app/app_policy","policy_apply_date":"2018-11-19 22:17:57","violations":"Evasion technique detected","support_id":"1730614276869062795","request_status":"blocked","response_code":"0","ip_client":"192.168.0.1","route_domain":"0","method":"GET","protocol":"HTTP","query_string":"","x_forwarded_for_header_value":"192.168.0.1","sig_ids":"","sig_names":"","date_time":"2018-11-19 22:34:40","severity":"Critical","attack_type":"Detection Evasion,Path Traversal","geo_location":"US","ip_address_intelligence":"N/A","username":"N/A","session_id":"f609d8a924419638","src_port":"49804","dest_port":"80","dest_ip":"10.0.2.10","sub_violations":"Evasion technique detected:Directory traversals","virus_name":"N/A","violation_rating":"3","websocket_direction":"N/A","websocket_message_type":"N/A","device_id":"N/A","staged_sig_ids":"","staged_sig_names":"","threat_campaign_names":"","staged_threat_campaign_names":"","blocking_exception_reason":"N/A","captcha_result":"not_received","uri":"/directory/file","fragment":"","request":"GET /admin/..%2F..%2F..%2Fdirectory/file HTTP/1.0\\r\\nHost: host.westus.cloudapp.azure.com\\r\\nConnection: keep-alive\\r\\nCache-Control: max-age","tenant":"Common","application":"app.app","telemetryEventCategory":"ASM"}
{"attack_type":"Test Attack","date_time":"2018-11-19 22:34:40","dest_ip":"10.160.77.77","dest_port":"80","geo_info":"info","headers":"Host: 231213","http_class":"/Common/Test","ip_addr_intelli":"host1","ip_client":"81.2.69.142","ip_route_domain":"example.com","is_trunct":"no","manage_ip_addr":"81.2.69.142","method":"POST","policy_apply_date":"2021-09-30 02:51:31","policy_name":"/Common/Test","protocol":"HTTP","query_string":"","req":"POST /login.php HTTP/1.1\\r\\nHost: 81.2.69.142","req_status":"passed","resp":"HTTP/1.1 302 Found\\r\\nDate: Tue, 05 Oct 2021 17:30:14 ","resp_code":"302","route_domain":"example.com","session_id":"ab32bda123","severity":"Informational","sig_ids":"1abcd23bdc","sig_names":"test","src_port":"49744","sub_violates":"Sub-violation","support_id":"5438760667957952540","unit_host":"hostname","uri":"/login.php","username":"Test User","violate_details":"This is a details.","violate_rate":"0","violations":"deny","virus_name":"abcd","x_fwd_hdr_val":"test","telemetryEventCategory":"ASM","hostname":"localhost.localdomain","tenant":"Common","microservice": "N/A","response": "Response logging disabled","sig_cves": "N/A","staged_sig_cves": "N/A","tap_event_id": "N/A","tap_vid": "N/A","vs_name": "/Common/Server1_DVWA"}
{"compression_method":"test_method","client_type":"test_client","conviction_traps":"test","credential_stuffing_lookup_result":"pass","enforced_by":"test","enforcement_action":"test_action","epoch_time":"1665576701","ip_with_route_domain":"example.com","is_truncated":"","likely_false_positive_sig_ids":"12345678","login_result":"success","mobile_application_name":"test_application","mobile_application_version":"test1.1","operation_id":"12345","password_hash_prefix":"test","protocol_info":"test_info","sig_set_names":"test_sig_name","slot_number":"1234","staged_sig_set_names":"test_staged_sig_name","tap_requested_actions":"test_tap_action","tap_sent_token":"20334","tap_transaction_id":"12345","unit_hostname":"hostname","violation_details":"test_detail","telemetryEventCategory":"ASM"}
{"attack_type":"N/A","blocking_exception_reason":"N/A","captcha_result":"not_received","date_time":"2024-08-06T10:03:36.000Z","dest_ip":"10.30.4.56","dest_port":"443","device_id":"N/A","fragment":"","geo_location":"N/A","hostname":"f5qa","http_class_name":"/Common/asmpolicy_lampqa","ip_address_intelligence":"N/A","ip_client":"10.43.24.23","management_ip_address":"10.52.34.33","management_ip_address_2":"N/A","method":"HEAD","microservice":"N/A","originalRawData":"<134>Aug 6 12:03:36 f5qa ASM:unit_hostname=\"f5qa\",management_ip_address=\"10.52.34.33\",management_ip_address_2=\"N/A\",http_class_name=\"/Common/asmpolicy_lampqa\",web_application_name=\"/Common/asmpolicy_lampqa\",policy_name=\"/Common/asmpolicy_lampqa\",policy_apply_date=\"2024-07-02 16:43:55\",violations=\"N/A\",support_id=\"5410866668007843666\",request_status=\"passed\",response_code=\"200\",ip_client=\"10.43.24.23\",route_domain=\"0\",method=\"HEAD\",protocol=\"HTTPS\",query_string=\"\",x_forwarded_for_header_value=\"10.43.24.23, 10.43.24.23\",sig_ids=\"N/A\",sig_names=\"N/A\",date_time=\"2024-08-06 12:03:36\",severity=\"Informational\",attack_type=\"N/A\",geo_location=\"N/A\",ip_address_intelligence=\"N/A\",username=\"N/A\",session_id=\"7a60af492530220b\",src_port=\"50668\",dest_port=\"443\",dest_ip=\"10.30.4.56\",sub_violations=\"N/A\",virus_name=\"N/A\",violation_rating=\"0\",websocket_direction=\"N/A\",websocket_message_type=\"N/A\",device_id=\"N/A\",staged_sig_ids=\"\",staged_sig_names=\"\",threat_campaign_names=\"N/A\",staged_threat_campaign_names=\"N/A\",blocking_exception_reason=\"N/A\",captcha_result=\"not_received\",microservice=\"N/A\",tap_event_id=\"N/A\",tap_vid=\"N/A\",vs_name=\"/Common/vs_externalqa13_443\",sig_cves=\"N/A\",staged_sig_cves=\"N/A\",uri=\"/repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar\",fragment=\"\",request=\"HEAD /repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar HTTP/1.1\\r\\nCache-Control: no-cache, no-store\\r\\nPragma: no-cache\\r\\nHost: domain.gent\\r\\nConnection: Keep-Alive\\r\\nUser-Agent: Apache-Maven/3.9.7 (Java 17.0.12; Windows 11 10.0)\\r\\nAccept-Encoding: gzip,deflate\\r\\nAuthorization: Basic dc2VydmljZWZhY3Rvcnk6TE1YaHZwRUxhRjJodEFScWFQkkk=\\r\\nX-Forwarded-For: 10.43.24.23, 10.43.24.23\\r\\nX-Forwarded-Proto: https\\r\\n\\r\\n\",response=\"Response logging disabled\"","policy_apply_date":"2024-07-02 16:43:55","policy_name":"/Common/asmpolicy_lampqa","protocol":"HTTPS","query_string":"","request":"HEAD /repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar HTTP/1.1\\r\\nCache-Control: no-cache, no-store\\r\\nPragma: no-cache\\r\\nHost: domain.gent\\r\\nConnection: Keep-Alive\\r\\nUser-Agent: Apache-Maven/3.9.7 (Java 17.0.12; Windows 11 10.0)\\r\\nAccept-Encoding: gzip,deflate\\r\\nAuthorization: Basic dc2VydmljZWZhY3Rvcnk6TE1YaHZwRUxhRjJodEFScWFQkkk=\\r\\nX-Forwarded-For: 10.43.24.23, 10.43.24.24\\r\\nX-Forwarded-Proto: https\\r\\n\\r\\n","request_status":"passed","response":"Response logging disabled","response_code":"200","route_domain":"0","session_id":"7a60af492530220b","severity":"Informational","sig_cves":"N/A","sig_ids":"N/A","sig_names":"N/A","src_port":"50668","staged_sig_cves":"N/A","staged_sig_ids":"","staged_sig_names":"","staged_threat_campaign_names":"N/A","sub_violations":"N/A","support_id":"5410868666607846666","tap_event_id":"N/A","tap_vid":"N/A","telemetryEventCategory":"ASM","tenant":"Common","threat_campaign_names":"N/A","uri":"/repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar","username":"N/A","violation_rating":"0","violations":"N/A","virus_name":"N/A","vs_name":"/Common/vs_externalqa13_443","web_application_name":"/Common/asmpolicy_lampqa","websocket_direction":"N/A","websocket_message_type":"N/A","x_forwarded_for_header_value":"10.43.24.23, 10.43.24.24"}
Original file line number Diff line number Diff line change
@@ -126,7 +126,9 @@
"direction": "Test",
"message_type": "test"
},
"x_forwarded_for_header_value": "81.2.69.144"
"x_forwarded_for_header_value": [
"81.2.69.144"
]
}
},
"host": {
@@ -293,7 +295,9 @@
},
"violations": "Evasion technique detected",
"web_application_name": "/Common/app.app/app_policy",
"x_forwarded_for_header_value": "192.168.0.1"
"x_forwarded_for_header_value": [
"192.168.0.1"
]
}
},
"host": {
@@ -344,7 +348,6 @@
],
"url": {
"domain": "host.westus.cloudapp.azure.com",
"extension": "/directory/file",
"original": "http://host.westus.cloudapp.azure.com/admin/..%2F..%2F..%2Fdirectory/file",
"path": "/admin/../../../directory/file",
"scheme": "http"
@@ -561,6 +564,134 @@
"preserve_original_event",
"preserve_duplicate_custom_fields"
]
},
{
"@timestamp": "2024-08-06T10:03:36.000Z",
"client": {
"ip": "10.43.24.23",
"port": 50668
},
"destination": {
"ip": "10.30.4.56",
"port": 443
},
"ecs": {
"version": "8.11.0"
},
"event": {
"category": [
"network"
],
"kind": "event",
"original": "{\"attack_type\":\"N/A\",\"blocking_exception_reason\":\"N/A\",\"captcha_result\":\"not_received\",\"date_time\":\"2024-08-06T10:03:36.000Z\",\"dest_ip\":\"10.30.4.56\",\"dest_port\":\"443\",\"device_id\":\"N/A\",\"fragment\":\"\",\"geo_location\":\"N/A\",\"hostname\":\"f5qa\",\"http_class_name\":\"/Common/asmpolicy_lampqa\",\"ip_address_intelligence\":\"N/A\",\"ip_client\":\"10.43.24.23\",\"management_ip_address\":\"10.52.34.33\",\"management_ip_address_2\":\"N/A\",\"method\":\"HEAD\",\"microservice\":\"N/A\",\"originalRawData\":\"<134>Aug 6 12:03:36 f5qa ASM:unit_hostname=\\\"f5qa\\\",management_ip_address=\\\"10.52.34.33\\\",management_ip_address_2=\\\"N/A\\\",http_class_name=\\\"/Common/asmpolicy_lampqa\\\",web_application_name=\\\"/Common/asmpolicy_lampqa\\\",policy_name=\\\"/Common/asmpolicy_lampqa\\\",policy_apply_date=\\\"2024-07-02 16:43:55\\\",violations=\\\"N/A\\\",support_id=\\\"5410866668007843666\\\",request_status=\\\"passed\\\",response_code=\\\"200\\\",ip_client=\\\"10.43.24.23\\\",route_domain=\\\"0\\\",method=\\\"HEAD\\\",protocol=\\\"HTTPS\\\",query_string=\\\"\\\",x_forwarded_for_header_value=\\\"10.43.24.23, 10.43.24.23\\\",sig_ids=\\\"N/A\\\",sig_names=\\\"N/A\\\",date_time=\\\"2024-08-06 12:03:36\\\",severity=\\\"Informational\\\",attack_type=\\\"N/A\\\",geo_location=\\\"N/A\\\",ip_address_intelligence=\\\"N/A\\\",username=\\\"N/A\\\",session_id=\\\"7a60af492530220b\\\",src_port=\\\"50668\\\",dest_port=\\\"443\\\",dest_ip=\\\"10.30.4.56\\\",sub_violations=\\\"N/A\\\",virus_name=\\\"N/A\\\",violation_rating=\\\"0\\\",websocket_direction=\\\"N/A\\\",websocket_message_type=\\\"N/A\\\",device_id=\\\"N/A\\\",staged_sig_ids=\\\"\\\",staged_sig_names=\\\"\\\",threat_campaign_names=\\\"N/A\\\",staged_threat_campaign_names=\\\"N/A\\\",blocking_exception_reason=\\\"N/A\\\",captcha_result=\\\"not_received\\\",microservice=\\\"N/A\\\",tap_event_id=\\\"N/A\\\",tap_vid=\\\"N/A\\\",vs_name=\\\"/Common/vs_externalqa13_443\\\",sig_cves=\\\"N/A\\\",staged_sig_cves=\\\"N/A\\\",uri=\\\"/repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar\\\",fragment=\\\"\\\",request=\\\"HEAD /repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar HTTP/1.1\\\\r\\\\nCache-Control: no-cache, no-store\\\\r\\\\nPragma: no-cache\\\\r\\\\nHost: domain.gent\\\\r\\\\nConnection: Keep-Alive\\\\r\\\\nUser-Agent: Apache-Maven/3.9.7 (Java 17.0.12; Windows 11 10.0)\\\\r\\\\nAccept-Encoding: gzip,deflate\\\\r\\\\nAuthorization: Basic dc2VydmljZWZhY3Rvcnk6TE1YaHZwRUxhRjJodEFScWFQkkk=\\\\r\\\\nX-Forwarded-For: 10.43.24.23, 10.43.24.23\\\\r\\\\nX-Forwarded-Proto: https\\\\r\\\\n\\\\r\\\\n\\\",response=\\\"Response logging disabled\\\"\",\"policy_apply_date\":\"2024-07-02 16:43:55\",\"policy_name\":\"/Common/asmpolicy_lampqa\",\"protocol\":\"HTTPS\",\"query_string\":\"\",\"request\":\"HEAD /repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar HTTP/1.1\\\\r\\\\nCache-Control: no-cache, no-store\\\\r\\\\nPragma: no-cache\\\\r\\\\nHost: domain.gent\\\\r\\\\nConnection: Keep-Alive\\\\r\\\\nUser-Agent: Apache-Maven/3.9.7 (Java 17.0.12; Windows 11 10.0)\\\\r\\\\nAccept-Encoding: gzip,deflate\\\\r\\\\nAuthorization: Basic dc2VydmljZWZhY3Rvcnk6TE1YaHZwRUxhRjJodEFScWFQkkk=\\\\r\\\\nX-Forwarded-For: 10.43.24.23, 10.43.24.24\\\\r\\\\nX-Forwarded-Proto: https\\\\r\\\\n\\\\r\\\\n\",\"request_status\":\"passed\",\"response\":\"Response logging disabled\",\"response_code\":\"200\",\"route_domain\":\"0\",\"session_id\":\"7a60af492530220b\",\"severity\":\"Informational\",\"sig_cves\":\"N/A\",\"sig_ids\":\"N/A\",\"sig_names\":\"N/A\",\"src_port\":\"50668\",\"staged_sig_cves\":\"N/A\",\"staged_sig_ids\":\"\",\"staged_sig_names\":\"\",\"staged_threat_campaign_names\":\"N/A\",\"sub_violations\":\"N/A\",\"support_id\":\"5410868666607846666\",\"tap_event_id\":\"N/A\",\"tap_vid\":\"N/A\",\"telemetryEventCategory\":\"ASM\",\"tenant\":\"Common\",\"threat_campaign_names\":\"N/A\",\"uri\":\"/repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar\",\"username\":\"N/A\",\"violation_rating\":\"0\",\"violations\":\"N/A\",\"virus_name\":\"N/A\",\"vs_name\":\"/Common/vs_externalqa13_443\",\"web_application_name\":\"/Common/asmpolicy_lampqa\",\"websocket_direction\":\"N/A\",\"websocket_message_type\":\"N/A\",\"x_forwarded_for_header_value\":\"10.43.24.23, 10.43.24.24\"}",
"type": [
"info"
]
},
"f5_bigip": {
"log": {
"captcha_result": "not_received",
"client": {
"ip": "10.43.24.23"
},
"date_time": "2024-08-06T10:03:36.000Z",
"dest": {
"ip": "10.30.4.56",
"port": 443
},
"hostname": "f5qa",
"http": {
"class_name": "/Common/asmpolicy_lampqa"
},
"management": {
"ip_address": "10.52.34.33"
},
"method": "HEAD",
"policy": {
"apply_date": "2024-07-02T16:43:55.000Z",
"name": "/Common/asmpolicy_lampqa"
},
"protocol": "HTTPS",
"request": {
"detail": "HEAD /repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar HTTP/1.1\\r\\nCache-Control: no-cache, no-store\\r\\nPragma: no-cache\\r\\nHost: domain.gent\\r\\nConnection: Keep-Alive\\r\\nUser-Agent: Apache-Maven/3.9.7 (Java 17.0.12; Windows 11 10.0)\\r\\nAccept-Encoding: gzip,deflate\\r\\nAuthorization: Basic dc2VydmljZWZhY3Rvcnk6TE1YaHZwRUxhRjJodEFScWFQkkk=\\r\\nX-Forwarded-For: 10.43.24.23, 10.43.24.24\\r\\nX-Forwarded-Proto: https\\r\\n\\r\\n",
"status": "passed"
},
"response": {
"code": 200,
"value": "Response logging disabled"
},
"route_domain": "0",
"session": {
"id": "7a60af492530220b"
},
"severity": {
"name": "Informational"
},
"src": {
"port": 50668
},
"support": {
"id": "5410868666607846666"
},
"telemetry": {
"event": {
"category": "ASM"
}
},
"tenant": "Common",
"uri": "/repository/maven-public/io/netty/netty-codec-haproxy/4.1.110.Final/netty-codec-haproxy-4.1.110.Final.jar",
"violation": {
"rating": 0
},
"vs_name": "/Common/vs_externalqa13_443",
"web_application_name": "/Common/asmpolicy_lampqa",
"x_forwarded_for_header_value": [
"10.43.24.23",
"10.43.24.24"
]
}
},
"host": {
"name": "f5qa"
},
"http": {
"request": {
"method": "HEAD"
}
},
"log": {
"level": "informational"
},
"network": {
"protocol": "https"
},
"observer": {
"product": "Application Security Module",
"vendor": "F5"
},
"related": {
"hosts": [
"f5qa"
],
"ip": [
"10.43.24.23",
"10.30.4.56",
"10.52.34.33",
"10.43.24.24"
]
},
"server": {
"ip": "10.30.4.56",
"port": 443
},
"source": {
"ip": "10.43.24.23",
"port": 50668
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields"
]
}
]
}
Original file line number Diff line number Diff line change
@@ -521,6 +521,10 @@ processors:
tag: rename_websocket_message_type
target_field: f5_bigip.log.websocket.message_type
ignore_missing: true
- split:
field: json.x_forwarded_for_header_value
separator: ',\s*'
ignore_missing: true
- convert:
field: json.x_forwarded_for_header_value
tag: convert_x_forwarded_for_header_value_to_ip
@@ -532,12 +536,16 @@ processors:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
- append:
field: related.ip
tag: append_related_ip
value: '{{{f5_bigip.log.x_forwarded_for_header_value}}}'
allow_duplicates: false
ignore_failure: true
- foreach:
field: f5_bigip.log.x_forwarded_for_header_value
if: ctx.f5_bigip?.log?.x_forwarded_for_header_value instanceof List
processor:
append:
field: related.ip
tag: append_related_ip
value: '{{{_ingest._value}}}'
allow_duplicates: false
ignore_failure: true
- rename:
field: json.geo_info
tag: rename_geo_info
Loading

0 comments on commit 20de2fe

Please sign in to comment.