TA_netfilter - REGEX used by netfilter_flags trans...

chris_barrett · ‎12-20-2020

I've found that the REGEX used by [netfilter_flags] will break if the event contains a sequence of uppercase characters before the actuals flags within the event. This can occur if the event contains an action of DROP, ACCEPT or REJECT with whitespace before and after the action. In these cases, the FLAGS and tcp_flags fields will be set to the action.

My fix was to change the REGEX line within the netfilter_flags stanza to:

REGEX = \s((?:(ACK|FIN|PSH|RST|SYN|URG)\s)+)

doksu · ‎01-21-2021

Cool, thanks @chris_barrett . Perhaps it should also support the few other more unusual flags (see https://en.wikipedia.org/wiki/Transmission_Control_Protocol), including 'NS'. What do you reckon?

chris_barrett · ‎01-21-2021

Hi @doksu

I haven't encountered those other 3 flags (NS,CWR,ECE) in the environments that I'm working in at the moment but I agree that the TA should cater for any and all of the flags that it could encounter.

chris_barrett · ‎07-26-2021

Hi @doksu,

I have now seen the ECE and CWR flags "in the wild" so I've locally updated the REGEX for [netfilter_flags] to now be:

REGEX = \s((?:(ACK|CWR|ECE|FIN|NS|PSH|RST|SYN|URG)\s)+)

TA_netfilter - REGEX used by netfilter_flags transform breaks under certain conditions

other

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor