Getting Data In

inputs.conf - acceptFrom - Maximum number of blocked IP's?

NullZero
New Member

I'm working on system whereby Vulnerability Analysis (VA) scanners are polling various LAN segments, which is resulting in garbage data being ingested by indexers legitimately listening on 9997, as the VA scanners do their job and try to identify known vulnerabilities.

inputs.conf caters for this and allows a list of IP's to block followed by an accept all, and quoting the example:

* You can also prefix an entry with '!' to cause the rule to reject the
  connection. The input applies rules in order, and uses the first one that
  matches.
  For example, "!10.1/16, *" allows connections from everywhere except
  the 10.1.*.* network.

 

In the instance that I am working on there are ~40 individual /32 IP's before the * catch all permit in the format below (I have obfuscated the actual IP's for placeholders for the purpose of publishing here).

[default]

acceptFrom = "!10.1.x.x, !10.2.x.x, !10.3.x.x, *"

 

However this has not worked and all traffic is being dropped which can be seen via a simple UI search

index=_internal host=xxxxx log_level=WARN component=TcpInputProc

It reliably tells me data is rejected due to acceptFrom. This leads me to two possible solutions:

  • A: My syntax is incorrect and the " are not required, despite being shown in the example.
  • B: The excessive length of blocked IP's may be too long to be processed, but I have no way of knowing what the max length is?
  • C: Community answer...

My next steps beyond the community will be to try to recreate in a lab instance and experiment with altered syntax.

Labels (1)
0 Karma

NullZero
New Member

Solution:

We removed the inverted commas and everything works as it should. 

- I still don't know the maximum block list size however.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!