I'm working on system whereby Vulnerability Analysis (VA) scanners are polling various LAN segments, which is resulting in garbage data being ingested by indexers legitimately listening on 9997, as the VA scanners do their job and try to identify known vulnerabilities.
inputs.conf caters for this and allows a list of IP's to block followed by an accept all, and quoting the example:
* You can also prefix an entry with '!' to cause the rule to reject the connection. The input applies rules in order, and uses the first one that matches. For example, "!10.1/16, *" allows connections from everywhere except the 10.1.*.* network.
In the instance that I am working on there are ~40 individual /32 IP's before the * catch all permit in the format below (I have obfuscated the actual IP's for placeholders for the purpose of publishing here).
[default]
acceptFrom = "!10.1.x.x, !10.2.x.x, !10.3.x.x, *"
However this has not worked and all traffic is being dropped which can be seen via a simple UI search
index=_internal host=xxxxx log_level=WARN component=TcpInputProc
It reliably tells me data is rejected due to acceptFrom. This leads me to two possible solutions:
My next steps beyond the community will be to try to recreate in a lab instance and experiment with altered syntax.
Solution:
We removed the inverted commas and everything works as it should, I submitted feedback to the docs page for inputs.conf.
- I still don't know the maximum block list size however.
Solution:
We removed the inverted commas and everything works as it should, I submitted feedback to the docs page for inputs.conf.
- I still don't know the maximum block list size however.