spec/codecs/netflow_spec.rb in logstash-codec-netflow-4.1.2 vs spec/codecs/netflow_spec.rb in logstash-codec-netflow-4.2.0
- old
+ new
@@ -96,11 +96,10 @@
},
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(2)
@@ -185,11 +184,10 @@
},
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(7)
@@ -201,10 +199,12 @@
expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
end
end
+
+
context "Netflow 9 macaddress" do
let(:data) do
data = []
data << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_macaddr_tpl.dat"), :mode => "rb")
data << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_macaddr_data.dat"), :mode => "rb")
@@ -229,11 +229,10 @@
},
"@version":"1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode the mac address" do
expect(decode[1].get("[netflow][in_src_mac]")).to eq("00:50:56:c0:00:01")
expect(decode[1].get("[netflow][in_dst_mac]")).to eq("00:0c:29:70:86:09")
@@ -242,10 +241,58 @@
it "should serialize to json" do
expect(JSON.parse(decode[1].to_json)).to eq(JSON.parse(json_events[0]))
end
end
+ context "Netflow 9 Cisco ACI" do
+ let(:data) do
+ data = []
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_aci_tpl256-258.dat"), :mode => "rb")
+ data << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_aci_data256.dat"), :mode => "rb")
+ end
+
+ let(:json_events) do
+ events = []
+ events << <<-END
+ {
+ "@timestamp": "2018-10-15T11:29:00.000Z",
+ "netflow": {
+ "version": 9,
+ "l4_dst_port": 49411,
+ "flowset_id": 256,
+ "l4_src_port": 179,
+ "ipv4_dst_addr": "10.154.231.146",
+ "in_pkts": 2,
+ "first_switched": "2018-10-15T11:28:05.999Z",
+ "protocol": 6,
+ "last_switched": "2018-10-15T11:28:24.999Z",
+ "ip_protocol_version": 4,
+ "in_bytes": 99,
+ "flow_seq_num": 36,
+ "tcp_flags": 24,
+ "input_snmp": 369139712,
+ "ipv4_src_addr": "10.154.231.145",
+ "src_vlan": 0,
+ "direction": 0
+ },
+ "@version": "1"
+ }
+ END
+
+ end
+
+ it "should decode the mac address" do
+ expect(decode.size).to eq(3)
+ expect(decode[0].get("[netflow][ipv4_src_addr]")).to eq("10.154.231.145")
+ end
+
+ it "should serialize to json" do
+ expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
+ end
+ end
+
+
context "Netflow 9 Cisco ASA" do
let(:data) do
packets = []
packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_asa_1_tpl.dat"), :mode => "rb")
packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_cisco_asa_1_data.dat"), :mode => "rb")
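Review bot: The example title on L85, `it "should decode the mac address"`, appears to have been carried over from the "Netflow 9 macaddress" context, but this example asserts the decoded event count and `[netflow][ipv4_src_addr]`, not a MAC address; rename it `it "should decode raw data"` to match the neighbouring contexts and keep failure output meaningful. Only one JSON fixture is declared for three decoded events, so the serialization example on L90-92 pins `decode[0]` alone; if templates 256-258 produce differently shaped records, the remaining two events go unchecked. The empty line before `end` on L82-83 inside `let(:json_events)` is not present in the other contexts and can be dropped.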
@@ -285,11 +332,10 @@
},
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(14)
expect(decode[1].get("[netflow][version]")).to eq(9)
@@ -367,11 +413,10 @@
},
"@version":"1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
# These tests will start to fail whenever options template decoding is added.
# Nprobe includes options templates, which this test included a sample from.
# Currently it is not decoded, but if it is, decode.size will be 9, and
@@ -421,11 +466,10 @@
},
"@version":"1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should serialize to json" do
expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
end
@@ -616,11 +660,10 @@
},
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(7)
@@ -722,11 +765,10 @@
"flow_start_msec":1469109036395
},
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(19)
expect(decode[18].get("[netflow][ipv4_src_addr]")).to eq("192.168.0.1")
@@ -769,11 +811,10 @@
"protocolIdentifier": 6
},
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(26)
expect(decode[25].get("[netflow][sourceIPv4Address]")).to eq("192.168.0.1")
@@ -827,11 +868,10 @@
"dst_mask": 0
},
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(30)
expect(decode[29].get("[netflow][ipv4_src_addr]")).to eq("10.0.8.1")
@@ -885,11 +925,10 @@
"dst_mask": 24
},
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(29)
expect(decode[28].get("[netflow][ipv4_src_addr]")).to eq("66.249.92.75")
@@ -943,11 +982,10 @@
"@timestamp": "2018-02-18T05:47:09.000Z",
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(12)
expect(decode[11].get("[netflow][in_dst_mac]")).to eq("00:1b:21:bc:24:dd")
@@ -1007,11 +1045,10 @@
"@version": "1",
"@timestamp": "2018-05-21T09:25:04.000Z"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(16)
expect(decode[11].get("[netflow][dst_traffic_index]")).to eq(4294967295)
@@ -1083,11 +1120,10 @@
"direction": 1
},
"@timestamp": "2017-12-01T17:04:39.000Z"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(2)
expect(decode[1].get("[netflow][flowStartSeconds]")).to eq(1512147869)
@@ -1139,11 +1175,10 @@
},
"@timestamp":"2018-06-06T13:20:17.000Z",
"@version":"1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(1)
expect(decode[0].get("[netflow][app_id]")).to eq("kerberos")
@@ -1203,11 +1238,10 @@
"in_bytes": 702,
"src_traffic_index": 0
}
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(1)
expect(decode[0].get("[netflow][VRFname]")).to eq("")
@@ -1262,11 +1296,10 @@
},
"@timestamp": "2018-05-11T00:54:11.000Z",
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(17)
expect(decode[1].get("[netflow][application_id]")).to eq("20..12356..40568")
@@ -1278,10 +1311,79 @@
expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
end
end
+
+ context "IPFIX from IXIA something something" do
+ let(:data) do
+ packets = []
+ packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_ixia_tpldata256.dat"), :mode => "rb")
+ end
+
+ let(:json_events) do
+ events = []
+ events << <<-END
+ {
+ "@timestamp": "2018-10-25T12:24:43.000Z",
+ "netflow": {
+ "icmpTypeCodeIPv4": 0,
+ "ixiaDstLongitude": 100.33540344238281,
+ "ixiaHttpUserAgent": "",
+ "ixiaDeviceName": "unknown",
+ "flowStartMilliseconds": "2018-10-25T12:24:19.881Z",
+ "destinationIPv4Address": "202.170.60.247",
+ "ixiaDeviceId": 0,
+ "ixiaL7AppName": "unknown",
+ "ixiaBrowserId": 0,
+ "ixiaDstLatitude": 5.411200046539307,
+ "sourceIPv4Address": "119.103.128.175",
+ "ixiaSrcAsName": "CHINANET-BACKBONE No.31,Jin-rong Street, CN",
+ "ixiaThreatIPv4": "0.0.0.0",
+ "ixiaHttpHostName": "",
+ "sourceTransportPort": 51695,
+ "tcpControlBits": 0,
+ "egressInterface": 1,
+ "flowEndReason": 1,
+ "ixiaSrcLongitude": 114.27339935302734,
+ "version": 10,
+ "packetDeltaCount": 4,
+ "destinationTransportPort": 36197,
+ "ixiaRevPacketDeltaCount": 0,
+ "reverseIcmpTypeCodeIPv4": 0,
+ "ixiaRevOctetDeltaCount": 0,
+ "ixiaThreatType": "",
+ "ixiaHttpUri": "",
+ "octetDeltaCount": 360,
+ "ixiaBrowserName": "-",
+ "protocolIdentifier": 17,
+ "bgpSourceAsNumber": 4134,
+ "bgpDestinationAsNumber": 24090,
+ "ixiaDstAsName": "UNISAINS-AS-AP Universiti Sains Malaysia (USM), MY",
+ "ixiaLatency": 0,
+ "ixiaSrcLatitude": 30.58009910583496,
+ "ixiaL7AppId": 0,
+ "ingressInterface": 1,
+ "flowEndMilliseconds": "2018-10-25T12:24:32.022Z"
+ },
+ "@version": "1"
+ }
+ END
+
+ end
+
+ it "should decode raw data" do
+ expect(decode.size).to eq(1)
+ expect(decode[0].get("[netflow][ixiaDstAsName]")).to eq("UNISAINS-AS-AP Universiti Sains Malaysia (USM), MY")
+ end
+
+ it "should serialize to json" do
+ expect(JSON.parse(decode[0].to_json)).to eq(JSON.parse(json_events[0]))
+ end
+
+ end
+
context "IPFIX options template from Juniper MX240 JunOS 15.1 R6 S3" do
let(:data) do
packets = []
packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_juniper_mx240_junos151r6s3_opttpl512.dat"), :mode => "rb")
packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_juniper_mx240_junos151r6s3_data512.dat"), :mode => "rb")
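Review bot: The context description on L253, `"IPFIX from IXIA something something"`, is placeholder wording; name the exporter the way the surrounding contexts do, for example `context "IPFIX from Ixia (template and data record in one export)" do`, so the spec output reads as documentation. The `let(:data)` block on L254-257 returns the single-element `packets` array via `<<`, which presumably works because the one `.dat` file carries both the template and the data record, as its name suggests — worth confirming, since a template-less data record would decode to nothing and the `decode.size` assertion on L311 would fail for the wrong reason. The `ixiaDstAsName` assertion on L312 pins a value with embedded spaces and a comma, which is exactly the kind of string the spec can only compare now that fixtures are parsed with `JSON.parse` rather than whitespace-normalized; a short comment above the heredoc such as `# Compared via JSON.parse; do not strip whitespace, string values contain spaces.` would record that constraint for the next contributor. The stray blank line before `end` on L307 can be removed.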
@@ -1308,11 +1410,10 @@
"exporterIPv4Address": "10.0.0.1"
}
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(1)
expect(decode[0].get("[netflow][exporterIPv4Address]")).to eq("10.0.0.1")
@@ -1352,11 +1453,10 @@
},
"@timestamp": "2017-12-14T07:23:45.000Z"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(1)
expect(decode[0].get("[netflow][natInsideSvcid]")).to eq(100)
@@ -1410,11 +1510,10 @@
"destinationIPv4Address": "138.44.161.13"
}
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(8)
expect(decode[7].get("[netflow][sourceIPv4Address]")).to eq("138.44.161.14")
@@ -1473,12 +1572,10 @@
"@version": "1",
"@timestamp": "2018-04-18T08:16:47.000Z"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
- events.map{|event| event.gsub(/NormalOperation/, "Normal Operation")}
end
it "should decode raw data" do
expect(decode.size).to eq(2)
expect(decode[1].get("[netflow][FW_Rule]")).to eq("MTH:MTH-MC-to-Inet")
@@ -1538,11 +1635,10 @@
"direction": 1
},
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(16)
expect(decode[0].get("[netflow][ipv4_src_addr]")).to eq("10.1.0.135")
@@ -1586,11 +1682,10 @@
"@timestamp": "1970-01-01T00:08:22.000Z",
"@version": "1",
"host": "172.16.32.201"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(1)
expect(decode[0].get("[netflow][nprobe_proto]")).to eq(82)
@@ -1656,11 +1751,10 @@
},
"@timestamp": "2017-07-18T05:41:59.000Z",
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(2)
expect(decode[0].get("[netflow][total_bytes_exp]")).to eq(6871319015)
@@ -1835,11 +1929,10 @@
"@timestamp": "2017-01-11T11:23:51.000Z",
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(4)
expect(decode[0].get("[netflow][streamcore_id_rule_1]")).to eq(1171)
@@ -1910,11 +2003,10 @@
},
"@timestamp": "2017-07-19T16:18:08.000Z",
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(46)
expect(decode[0].get("[netflow][postNATDestinationIPv4Address]")).to eq("192.168.128.17")
@@ -2183,11 +2275,10 @@
},
"@timestamp": "2016-12-22T12:26:04.000Z",
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(5)
expect(decode[4].get("[netflow][sourceIPv6Address]")).to eq("fe80::5187:5cd8:d750:cdc9")
@@ -2221,11 +2312,10 @@
},
"@timestamp":"2016-11-29T00:21:56.000Z",
"@version":"1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(1)
expect(decode[0].get("[netflow][sampling_algorithm]")).to eq(2)
@@ -2272,11 +2362,10 @@
},
"@timestamp":"2016-12-23T01:35:31.000Z",
"@version":"1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(10)
expect(decode[9].get("[netflow][ipv4_src_addr]")).to eq("192.168.1.33")
@@ -2309,11 +2398,10 @@
},
"@timestamp": "2016-12-06T10:09:48.000Z",
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(19)
expect(decode[18].get("[netflow][if_desc]")).to eq("TenGigE0_6_0_2")
@@ -2371,11 +2459,10 @@
"bgp_ipv4_next_hop": "0.0.0.0"
},
"@timestamp": "2018-01-29T03:02:20.000Z"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(1)
expect(decode[0].get("[netflow][rev_flow_delta_bytes]")).to eq(0)
@@ -2421,11 +2508,10 @@
"direction": 0
},
"@timestamp": "2018-01-16T09:45:02.000Z"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(1)
expect(decode[0].get("[netflow][layer2SegmentId]")).to eq(0)
@@ -2481,11 +2567,10 @@
},
"@timestamp": "2016-12-06T10:09:24.000Z",
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(21)
expect(decode[20].get("[netflow][egressVRFID]")).to eq(1610612736)
@@ -2517,11 +2602,10 @@
},
"@timestamp": "2017-02-14T11:09:59.000Z",
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(15)
expect(decode[14].get("[netflow][application_id]")).to eq("1..13")
@@ -2577,11 +2661,10 @@
},
"@timestamp": "2017-02-14T11:10:36.000Z",
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(5)
expect(decode[4].get("[netflow][application_id]")).to eq("5..38")
@@ -2620,11 +2703,10 @@
},
"@timestamp": "2017-06-22T06:31:14.000Z",
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(19)
expect(decode[18].get("[netflow][application_id]")).to eq("13..431")
@@ -2706,11 +2788,10 @@
},
"@version": "1",
"@timestamp": "2017-11-13T14:39:31.000Z"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(8)
expect(decode[7].get("[netflow][app_id]")).to eq("incomplete")
@@ -2760,11 +2841,10 @@
"packetTotalCount": 8
},
"@timestamp": "2017-11-21T14:32:15.000Z"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(1)
expect(decode[0].get("[netflow][viptelaVPNId]")).to eq(100)
@@ -2809,11 +2889,10 @@
},
"@timestamp": "2017-06-29T13:58:28.000Z",
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(8)
expect(decode[7].get("[netflow][firewallEvent]")).to eq(2)
@@ -2925,10 +3004,9 @@
},
"@timestamp": "2016-12-25T13:03:33.000Z",
"@version": "1"
}
END
- events.map{|event| event.gsub(/\s+/, "")}
end
it "should decode raw data" do
expect(decode.size).to eq(3)
expect(decode[0].get("[netflow][silkAppLabel]")).to eq(53)