Merge pull request #66 from redBorder/development

Release 2.7.0
redBorder · Sep 30, 2024 · bcb5baa · bcb5baa
2 parents 367022d + 0356641
commit bcb5baa
Show file tree

Hide file tree

Showing 6 changed files with 73 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,11 @@
 cookbook-logstash CHANGELOG
 ===============
 
+## 2.7.0
+
+  - David Vanhoucke
+    - [c64ad3d] add method to activate the split of the traffic through logstash
+
 ## 2.6.0
 
   - Miguel Negrón

diff --git a/resources/metadata.rb b/resources/metadata.rb
@@ -3,4 +3,4 @@
 maintainer_email '[email protected]'
 license          'AGPL-3.0'
 description      'Installs/Configures cookbook-logstash'
-version          '2.6.0'
+version          '2.7.0'
diff --git a/resources/providers/config.rb b/resources/providers/config.rb
@@ -9,13 +9,15 @@
     logstash_dir = new_resource.logstash_dir
     pipelines_dir = new_resource.pipelines_dir
     flow_nodes = new_resource.flow_nodes
+    proxy_nodes = new_resource.proxy_nodes
     device_nodes = new_resource.device_nodes
     namespaces = new_resource.namespaces
     memcached_server = new_resource.memcached_server
     mac_vendors = new_resource.mac_vendors
     mongo_cve_database = new_resource.mongo_cve_database
     mongo_port = new_resource.mongo_port
     logstash_pipelines = new_resource.logstash_pipelines
+    split_traffic_logstash = new_resource.split_traffic_logstash
     incidents_priority_filter = new_resource.incidents_priority_filter
     is_proxy = is_proxy?
     is_manager = is_manager?
@@ -238,7 +240,7 @@
         mode '0644'
         ignore_failure true
         cookbook 'logstash'
-        variables(flow_nodes: flow_nodes)
+        variables(flow_nodes: flow_nodes, proxy_nodes: proxy_nodes, split_traffic_logstash: split_traffic_logstash)
         notifies :restart, 'service[logstash]', :delayed
       end
 
@@ -259,7 +261,7 @@
         mode '0644'
         ignore_failure true
         cookbook 'logstash'
-        variables(flow_nodes: flow_nodes)
+        variables(flow_nodes: flow_nodes, split_traffic_logstash: split_traffic_logstash)
         notifies :restart, 'service[logstash]', :delayed
       end
 

diff --git a/resources/resources/config.rb b/resources/resources/config.rb
@@ -10,6 +10,7 @@
 attribute :cdomain, kind_of: String, default: 'redborder.cluster'
 attribute :managers_all, kind_of: Array, default: []
 attribute :flow_nodes, kind_of: Array, default: []
+attribute :proxy_nodes, kind_of: Array, default: []
 attribute :scanner_nodes, kind_of: Array, default: []
 attribute :vault_nodes, kind_of: Array, default: []
 attribute :device_nodes, kind_of: Array, default: []
@@ -19,4 +20,5 @@
 attribute :mongo_cve_database, kind_of: String, default: 'cvedb'
 attribute :mongo_port, kind_of: String, default: '27017'
 attribute :logstash_pipelines, kind_of: Array, default: []
+attribute :split_traffic_logstash, kind_of: [TrueClass, FalseClass], default: false
 attribute :incidents_priority_filter, kind_of: String, default: 'high'
diff --git a/resources/templates/default/sflow_enrichment.conf.erb b/resources/templates/default/sflow_enrichment.conf.erb
@@ -1,7 +1,9 @@
 filter {
   <% @flow_nodes.each do |flow_node| %>
     <% if !flow_node[:ipaddress].nil? and !flow_node["redborder"].nil? and flow_node["redborder"]["blocked"]!=true %>
-     if [sensor_ip] ==  "<%=flow_node[:ipaddress].to_s%>" {
+    <% if @split_traffic_logstash %>
+    if [sensor_ip] ==  "<%=flow_node[:ipaddress].to_s%>" {
+    <% end %>
      <% @observation_id = (flow_node["redborder"]["observation_id"] and !flow_node["redborder"]["observation_id"].empty?) ? flow_node["redborder"]["observation_id"] : "default" %>
        if [observation_id] == "<%=@observation_id%>" {
          mutate {
@@ -17,7 +19,9 @@ filter {
            }
          }
        }
-     }
+     <% if @split_traffic_logstash %>
+     } # if [sensor_ip] ==  "<%=flow_node[:ipaddress].to_s%>"
+     <% end %>
     <% end %>
   <% end %>
 }
diff --git a/resources/templates/default/sflow_tagging.conf.erb b/resources/templates/default/sflow_tagging.conf.erb
@@ -32,4 +32,59 @@ filter {
   } else if [tag] == 3 {
       mutate { add_field => { "direction" => "internal" } }
   }
+
+  <% if @split_traffic_logstash %>
+  if [tag2] {
+    <% @proxy_nodes.each do |proxy_node| %>
+      <% if !proxy_node["redborder"].nil? and proxy_node["redborder"]["blocked"]!=true %>
+      #if [peer_ip_src] == "<%=proxy_node[:ipaddress]%>" {
+        ruby {
+          code => "
+            require 'ipaddr'
+
+            ip_src = IPAddr.new(event.get('ip_src'))
+            ip_dst = IPAddr.new(event.get('ip_dst'))
+
+            tag2 = event.get('tag2')
+            observation_tag2 = tag2
+
+            <% if proxy_node['interfaces'] && !proxy_node['interfaces'].empty? %>
+              <% proxy_node['interfaces'].each do |iface_key, _orig_iface| %>
+              <% unless proxy_node['interfaces'][iface_key]['observation_id_filters'].empty? %>
+              observation_id_filters = <%= proxy_node['interfaces'][iface_key]['observation_id_filters'].to_s.gsub('"', "'") %>
+
+              observation_id_filters.each do |filter|
+                subnet = IPAddr.new(filter['subnet'])
+                observation_id = filter['observation_id']
+
+                if subnet.include?(ip_src)
+                  observation_tag2 = observation_id
+                  break
+                end
+              end
+
+              if observation_tag2 == tag2
+                observation_id_filters.each do |filter|
+                  subnet = IPAddr.new(filter['subnet'])
+                  observation_id = filter['observation_id']
+
+                  if subnet.include?(ip_dst)
+                    observation_tag2 = observation_id
+                    break
+                  end
+                end
+              end
+              <% end %>
+              <% end %>
+            <%end %>
+
+            event.set('tag2', observation_tag2) if tag2 != observation_tag2
+
+            "
+          }
+        #}
+      <% end %>
+    <% end %>
+    }
+  <% end %>
 }