The silk.conf file and packlogic-twoway.so plug-in categorize a flow record based on how the packets that comprise the flow record moved between different networks.
The packlogic-twoway.so plug-in specifies three network names to describe the logical address spaces that border the sensor:
There is an implicit fourth network, unknown, which is anything that does not match the three networks above.
internal the space that is being monitored external the space outside the monitored network null the destination network for a flow that does not leave the router, because either the flow was blocked by the routers access control list or its destination was the router itself---e.g., a BGP message
Given these networks, the following table describes how flows can move between the networks. Traffic between the networks is successfully routed unless the description explicitly says blocked.
SOURCE DESTINATION DESCRIPTION external internal incoming traffic internal external outgoing traffic external null blocked incoming traffic internal null blocked outgoing traffic external external strictly external traffic internal internal strictly internal traffic null any unclear: null should never be a source external unknown unclear internal unknown unclear unknown any unclear
The silk.conf file and packlogic-twoway.so plug-in define a single class, all.
The type assigned to a flow record within the all class depends on the how the record moves between the networks, and the types follow from the table above:
in, inicmp, inweb Incoming traffic. The traffic is split into multiple types, and these types allow the analysts to query a subset of the flow records depending on their needs. Each incoming flow record is split into the one of incoming types using the following rules:
inweb Contains traffic where the protocol is TCP \fIs0(6) and either the source port or the destination port is one of 80, 443, or 8080 inicmp Contains flow records where either the protocol is ICMP \fIs0(1) or the flow record is IPv6 and the protocol is ICMPV6 (58). By default, the inicmp and outicmp types are not used by the packlogic-twoway.so plug-in. in Contains all other incoming traffic. out, outicmp, outweb Outgoing traffic. The traffic is split among the types using rules similar to those for incoming traffic. innull Blocked incoming traffic outnull Blocked outgoing traffic ext2ext Strictly external traffic int2int Strictly internal traffic other Either traffic from the null network or traffic to or from the unknown network
Each sensor block in the sensor.conf(5) file must specify how to determine the source and destination networks for each flow record collected by the probes specified for that sensor. There are two ways to do this.
The first method sets the source and destination of all records to particular networks. This can be used, for example, when the physical network device at the sensor only sees one direction of the traffic. To do this, use the source-network and destination-network statements in the sensor block. The following sensor, S1, considers all traffic as blocked incoming:
sensor S1 ipfix-probes S1 source-network external destination-network null end sensor
The second method to determine how a flow record moves between the networks is to define the networks and use characteristics of the flow record to determine its source and destination networks.
The sensor.conf file provides two ways to define a network: use the NET-ipblocks statement to specify the NET network as a list of IP address blocks, or use the NET-interfaces statement to specify the NET network using a list of SNMP interfaces.
For the source network of a flow record to be considered external, either the source IP (SiLK field sIP) must appear in the list of external-ipblocks or the incoming SNMP interface (SiLK field in) must appear in the list of external-interfaces. Note: If the probe block that specifies where the flow was collected contains an interface-values vlan statement, the SiLK in field contains the VLAN ID.
For the destination network of a flow record to be considered null, either the destination IP (dIP) must appear in the list of null-ipblocks or the outgoing SNMP interface (out) must appear in the list of null-interfaces.
Consider the following two sensors:
sensor S2 ipfix-probes S2 external-ipblocks 172.16.0.0/16 internal-ipblocks 172.20.0.0/16 end sensor sensor S3 ipfix-probes S3 external-interfaces 17,18,19 internal-interfaces 21,22,23 end sensor
A flow record collected at probe S2 whose sIP is 172.16.1.1 and whose dIP is 172.20.2.2 is considered incoming.
A flow record collected at probe S3 whose in is 23 and whose out is 18 is considered outgoing. A flow on S3 whose in is 23 and whose out is 27 is written to other since the out field is not matched.
There are two constructs in the sensor.conf file that help when specifying these lists:
For details, see the sensor.conf(5) manual page.
1. The NET-interfaces or NET-ipblocks statement in a sensor block may use remainder to denote interfaces or IP blocks that do not appear elsewhere in the block. 2. A group block can be used to give a name to a set of IP blocks or SNMP interfaces which a sensor block can reference.
When using the packlogic-twoway.so plug-in, the sensor blocks in the sensor.conf file supports the following types of probes:
In addition, each sensor block must meet the following rules:
o ipfix o netflow-v5 o netflow-v9 o sflow o silk
o If the sensor has the source-network and destination-network explicitly set, the sensor is valid and none of the following checks are performed. Otherwise, o At least one of NET-interfaces or NET-ipblocks must be specified, where NET is either internal or external. And, o A sensor cannot mix NET-ipblocks and NET-interfaces, with the exception that null-interfaces are always allowed. And, o Only one network on the sensor may use remainder. And, o If a sensor contains only one NET-ipblocks statement, that statement may not use remainder. (The NET-interfaces statement does not have this restriction.) And, o When the remainder keyword is not used and only one of the internal or external networks is defined, the external or internal network, respectively, is defined as having the remainder.
This section provides the logic used to assign the class and type at the twoway site.
A single sensor block will assign the flow record to a single class and type, and processing of the flow for that sensor block stops as soon as a type is assigned. When multiple sensor blocks reference the same probe, the flow records collected by that probe are processed by each of those sensor blocks.
A flow record is always assigned to the class all unless the flow is ignored.
A textual description of the code used to assign the type is shown here. As of SiLK 3.8.0, the type may be determined by the presence of certain IPFIX or NetFlowV9 information elements.
o Ignore any flow record that matches a discard-when statement or does not match a discard-unless statement. o If source-network is external, if sIP matches external-ipblocks, or if in matches external-interfaces, then
o If destination-network is null, if dIP matches null-ipblocks, or if out matches null-interfaces, pack as innull. Else, o If destination-network is internal, if dIP matches internal-ipblocks, or if out matches internal-interfaces, pack as in, inicmp, or inweb. Else, o If destination-network is external, if dIP matches external-ipblocks, or if out matches external-interfaces, pack as ext2ext. Else, o Pack as other. o Else, if source-network is internal, if sIP matches internal-ipblocks, or if in matches internal-interfaces, then
o If destination-network is null, if dIP matches null-ipblocks, or if out matches null-interfaces, pack as outnull. Else, o If destination-network is external, if dIP matches external-ipblocks, or if out matches external-interfaces, pack as out, outicmp, or outweb. Else, o If destination-network is internal, if dIP matches internal-ipblocks, or if out matches internal-interfaces, pack as int2int. Else, o Pack as other. o Else, pack as other. o Potentially modify the type: If the probe has a quirks setting that includes firewall-event and if the incoming record contains the firewallEvent or NF_F_FW_EVENT information element whose value is 3 (flow denied), change the type where the flow is packed as follows:
o If the flow was denied due to an ingress ACL (NF_F_FW_EXT_EVENT of 1001), pack as innull. o If the flow was denied due to an egress ACL (NF_F_FW_EXT_EVENT of 1002), pack as outnull. o If the flows current type is in, inweb, inicmp, or ext2ext, pack as innull. o If the flows current type is out, outweb, outicmp, or int2int, pack as outnull. o Else leave the type as is (innull, outnull, or other).
rwfilter(1), rwflowpack(8), sensor.conf(5), silk.conf(5), packlogic-generic(3), silk(7), SiLK Installation Handbook
|SiLK 126.96.36.199||PACKLOGIC-TWOWAY (3)||2016-04-05|