Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
packlogic-generic(3)		SiLK Tool Suite		  packlogic-generic(3)

NAME
       packlogic-generic.so - Packing logic for	the generic site

SYNOPSIS
	rwflowpack --packing-logic=packlogic-generic.so	...

DESCRIPTION
       This manual page	describes the packlogic-generic.so plug-in that
       defines the packing logic that rwflowpack(8) may	use to categorize flow
       records.	 (This document	uses the term plug-in, but the builder of SiLK
       may choose to compile the packing logic into rwflowpack.	 See the SiLK
       Installation Handbook for details.)

   General Overview of rwflowpack
       The primary job of rwflowpack is	to categorize flow records into	one or
       more class and type pairs.  The class and type pair (also called	a
       flowtype) are used by the analyst when selecting	flow records from the
       data store using	rwfilter(1).

       The settings that rwflowpack uses to categorize each flow record	are
       determined by two textual configuration files and a compiled plug-in
       that is referred	to as the packing logic.

       The first of the	configuration files is silk.conf(5) which specifies
       the classes, types, and sensors that rwflowpack uses when writing files
       and that	rwfilter uses when selecting flow files.

       The second configuration	file is	the sensor.conf(5) file.  This file
       contains	multiple sensor	blocks,	where each block contains information
       which the packing logic uses to categorize flow records collected by
       the probes specified for	that sensor.

       The combination of a silk.conf file and a particular packing logic
       plug-in define a	site.  By having the configuration and packing logic
       outside of the core tools, users	can more easily	configure SiLK for
       their particular	installation and a single installation of SiLK can
       support multiple	sites.

       This manual page	describes the packing logic for	the generic site.  For
       a description of	the packing logic at another site, see that site's
       manual page.

       o   packlogic-twoway(3)

   Networks, Classes, and Types	for the	"generic" Site
       The packlogic-generic.so	plug-in	uses three network names to describe
       the logical address spaces that border the sensor:

       internal
	   the space that is being monitored

       external
	   the space outside the monitored network

       null
	   the destination network for a flow that does	not leave the router,
	   because either the flow was blocked by the router's access control
	   list	or its destination was the router itself---e.g., a BGP message

       The generic site	assumes	that all packets are either blocked by the
       sensor (that is,	their destination is the null network),	or that	the
       packets cross the sensor	so the source and destination networks always
       differ.

       The packing logic also assumes that the above networks completely
       describe	the space around the sensor.  Since the	null network is
       strictly	a destination network, any flow	that does not originate	from
       the external network must originate from	the internal network.

       This allows the generic site to categorizes a flow record primarily by
       comparing a flow	record's source	to the external	network, and the
       packing logic contains no comparisons to	the internal network

       The silk.conf file and packlogic-generic.so plug-in define a single
       class, all.

       The type	assigned to a flow record within the all class is one of:

       in, inweb
	   Records whose source	is the external	network	and whose destination
	   is not the null network represent incoming traffic.	The traffic is
	   split into multiple types, and these	types allow the	analysts to
	   query a subset of the flow records depending	on their needs.	 Each
	   incoming flow record	is split into the one of incoming types	using
	   the following rules:

	   inweb
	       Contains	traffic	where the protocol is TCP (6) and either the
	       source port or the destination port is one of 80, 443, or 8080

	   in  Contains	all other incoming traffic.

       out, outweb
	   Records whose source	is not the external network and	whose
	   destination is not the null network represent outgoing traffic.
	   The traffic is split	among the types	using rules similar to those
	   for incoming	traffic.

       innull
	   Records whose source	is the external	network	and whose destination
	   is the null network represent blocked incoming traffic.

       outnull
	   Records whose source	is not the external network and	whose
	   destination is the null network represent blocked outgoing traffic.

   Assigning a flow to source and destination networks
       Since the generic site uses the external	network	to determine a flow
       record's	type, each sensor block	in the sensor.conf(5) file must
       specify a definition for	the external network.

       The sensor.conf file provides two ways to define	a network: use the
       NET-ipblocks statement to specify the NET network as a list of IP
       address blocks, or use the NET-interfaces statement to specify the NET
       network using a list of SNMP interfaces.

       For the source network of a flow	record to be considered	external,
       either the source IP (SiLK field	"sIP") must appear in the list of
       external-ipblocks or the	incoming SNMP interface	(SiLK field "in") must
       appear in the list of external-interfaces.  Note: If the	probe block
       that specifies where the	flow was collected contains an interface-
       values vlan statement, the SiLK "in" field contains the VLAN ID.

       For the destination network of a	flow record to be considered null,
       either the destination IP ("dIP") must appear in	the list of null-
       ipblocks	or the outgoing	SNMP interface ("out") must appear in the list
       of null-interfaces.

       Consider	the following two sensors:

	sensor S2
	  ipfix-probes S2
	  external-ipblocks 172.16.0.0/16
	  internal-ipblocks 172.20.0.0/16
	end sensor

	sensor S3
	  ipfix-probes S3
	  external-interfaces 17,18,19
	  internal-interfaces 21,22,23
	end sensor

       A flow record collected at probe	S2 whose "sIP" is 172.16.1.1 is
       considered incoming, regardless of the destination IP.

       A flow record collected at probe	S3 whose "in" is 27 is considered
       outgoing.  (Since "in" does not match the external-interfaces, the
       record is considered outgoing even though "in" does not match the
       internal-interfaces either.)

       There are two constructs	in the sensor.conf file	that help when
       specifying these	lists:

       1.  The NET-interfaces or NET-ipblocks statement	in a sensor block may
	   use remainder to denote interfaces or IP blocks that	do not appear
	   elsewhere in	the block.

       2.  A group block can be	used to	give a name to a set of	IP blocks or
	   SNMP	interfaces which a sensor block	can reference.

       For details, see	the sensor.conf(5) manual page.

   Valid sensors
       When using the packlogic-generic.so plug-in, the	sensor blocks in the
       sensor.conf file	supports the following types of	probes:

       o   ipfix

       o   netflow-v5

       o   netflow-v9

       In addition, each sensor	block must meet	the following rules:

       o   Either external-interfaces or external-ipblocks must	be specified.
	   And,

       o   A sensor cannot mix NET-ipblocks and	NET-interfaces,	with the
	   exception that null-interfaces are always allowed.  And,

       o   Only	one network on the sensor may use remainder.  And,

       o   If a	sensor contains	only one NET-ipblocks statement, that
	   statement may not use remainder.  (The NET-interfaces statement
	   does	not have this restriction.)

   Packing logic code
       This section provides the logic used to assign the class	and type at
       the generic site.

       A single	sensor block will assign the flow record to a single class and
       type, and processing of the flow	for that sensor	block stops as soon as
       a type is assigned.  When multiple sensor blocks	reference the same
       probe, the flow records collected by that probe are processed by	each
       of those	sensor blocks.

       A flow record is	always assigned	to the class all.

       A textual description of	the code used to assign	the type is shown
       here.  As of SiLK 3.8.0,	the type may be	determined by the presence of
       certain IPFIX or	NetFlowV9 information elements.

       o   If "sIP" matches external-ipblocks or "in" matches external-
	   interfaces, then

	   o   If "dIP"	matches	null-ipblocks or "out" matches null-
	       interfaces, pack	as innull.  Else,

	   o   Pack as in or inweb.

       o   If "dIP" matches null-ipblocks or "out" matches null-interfaces,
	   pack	as outnull.  Else,

       o   Pack	as out or outweb.

       o   Potentially modify the type:	If the probe has a quirks setting that
	   includes "firewall-event" and if the	incoming record	contains the
	   "firewallEvent" or "NF_F_FW_EVENT" information element whose	value
	   is 3	(flow denied), change the type where the flow is packed	as
	   follows:

	   o   If the flow was denied due to an	ingress	ACL
	       ("NF_F_FW_EXT_EVENT" of 1001), pack as innull.

	   o   If the flow was denied due to an	egress ACL
	       ("NF_F_FW_EXT_EVENT" of 1002), pack as outnull.

	   o   If the flow's current type is innull, in, or inweb, pack	as
	       innull.

	   o   If the flow's current type is outnull, out, or outweb, pack as
	       outnull.

SEE ALSO
       rwfilter(1), rwflowpack(8), sensor.conf(5), silk.conf(5),
       packlogic-twoway(3), silk(7), SiLK Installation Handbook

SiLK 3.19.1			  2020-08-27		  packlogic-generic(3)
NAME | SYNOPSIS | DESCRIPTION | SEE ALSO

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=packlogic-generic&sektion=3&manpath=FreeBSD+12.2-RELEASE+and+Ports>

home | help