Add support for reading Logstash NetFlow definitions

(cherry picked from commit 3dfd948)

Author: Jochen Schalanda

pom.xml

@@ -42,6 +42,18 @@
         <graylog.plugin-dir>/usr/share/graylog-server/plugin</graylog.plugin-dir>
     </properties>
 
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>com.fasterxml.jackson</groupId>
+                <artifactId>jackson-bom</artifactId>
+                <version>${jackson.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <dependency>
             <groupId>org.graylog2</groupId>
@@ -55,6 +67,10 @@
             <version>${auto-value.version}</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.dataformat</groupId>
+            <artifactId>jackson-dataformat-yaml</artifactId>
+        </dependency>
 
         <dependency>
             <groupId>junit</groupId>
@@ -68,12 +84,6 @@
             <version>${assertj-core.version}</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>com.fasterxml.jackson.dataformat</groupId>
-            <artifactId>jackson-dataformat-yaml</artifactId>
-            <version>${jackson.version}</version>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>io.pkts</groupId>
             <artifactId>pkts-core</artifactId>

src/main/java/org/graylog/plugins/netflow/codecs/NetFlowCodec.java

@@ -44,6 +44,9 @@
 import javax.annotation.Nullable;
 import javax.inject.Inject;
 import javax.inject.Named;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.Collection;
@@ -59,26 +62,36 @@ public class NetFlowCodec extends AbstractCodec implements MultiMessageCodec {
     static final String CK_CACHE_PATH = "cache_path";
     @VisibleForTesting
     static final String CK_CACHE_SAVE_INTERVAL = "cache_save_interval";
+    @VisibleForTesting
+    static final String CK_NETFLOW9_DEFINITION_PATH = "netflow9_definitions_Path";
 
     private static final int DEFAULT_CACHE_SIZE = 1000;
     private static final String DEFAULT_CACHE_PATH = SystemUtils.getJavaIoTmpDir().toPath().resolve("netflow-templates.json").toString();
     private static final int DEFAULT_CACHE_SAVE_INTERVAL = 15 * 60;
 
     private final NetFlowV9TemplateCache templateCache;
-    private final NetFlowV9FieldTypeRegistry typeRegistry = new NetFlowV9FieldTypeRegistry();
+    private final NetFlowV9FieldTypeRegistry typeRegistry;
 
     @Inject
     protected NetFlowCodec(@Assisted Configuration configuration,
                            @Named("daemonScheduler") ScheduledExecutorService scheduler,
-                           ObjectMapper objectMapper) {
+                           ObjectMapper objectMapper) throws IOException {
         super(configuration);
 
         final int cacheSize = configuration.getInt(CK_CACHE_SIZE, DEFAULT_CACHE_SIZE);
         final int cacheSaveInterval = configuration.getInt(CK_CACHE_SAVE_INTERVAL, DEFAULT_CACHE_SAVE_INTERVAL);
         final String configCachePath = configuration.getString(CK_CACHE_PATH, DEFAULT_CACHE_PATH);
         final Path cachePath = Paths.get(configCachePath);
-
-        templateCache = new NetFlowV9TemplateCache(cacheSize, cachePath, cacheSaveInterval, scheduler, objectMapper);
+        this.templateCache = new NetFlowV9TemplateCache(cacheSize, cachePath, cacheSaveInterval, scheduler, objectMapper);
+
+        final String netFlow9DefinitionsPath = configuration.getString(CK_NETFLOW9_DEFINITION_PATH);
+        if (netFlow9DefinitionsPath == null || netFlow9DefinitionsPath.trim().isEmpty()) {
+            this.typeRegistry = NetFlowV9FieldTypeRegistry.create();
+        } else {
+            try (InputStream inputStream = new FileInputStream(netFlow9DefinitionsPath)) {
+                this.typeRegistry = NetFlowV9FieldTypeRegistry.create(inputStream);
+            }
+        }
     }
 
     @Nullable
@@ -120,9 +133,10 @@ public void overrideDefaultValues(@Nonnull ConfigurationRequest cr) {
         public ConfigurationRequest getRequestedConfiguration() {
             final ConfigurationRequest configuration = super.getRequestedConfiguration();
 
-            configuration.addField(new NumberField(CK_CACHE_SIZE, "Maximum cache size", DEFAULT_CACHE_SIZE, "Maximum number of elements in the NetFlow9 template cache", ConfigurationField.Optional.OPTIONAL));
-            configuration.addField(new TextField(CK_CACHE_PATH, "Cache file path", DEFAULT_CACHE_PATH, "Path to the file persisting the the NetFlow9 template cache", ConfigurationField.Optional.OPTIONAL));
+            configuration.addField(new NumberField(CK_CACHE_SIZE, "Maximum cache size", DEFAULT_CACHE_SIZE, "Maximum number of elements in the NetFlow 9 template cache", ConfigurationField.Optional.OPTIONAL));
+            configuration.addField(new TextField(CK_CACHE_PATH, "Cache file path", DEFAULT_CACHE_PATH, "Path to the file persisting the the NetFlow 9 template cache", ConfigurationField.Optional.OPTIONAL));
             configuration.addField(new NumberField(CK_CACHE_SAVE_INTERVAL, "Cache save interval (seconds)", DEFAULT_CACHE_SAVE_INTERVAL, "Interval in seconds for persisting the cache contents", ConfigurationField.Optional.OPTIONAL));
+            configuration.addField(new TextField(CK_NETFLOW9_DEFINITION_PATH, "Netflow 9 field definitions", "", "Path to the YAML file containing Netflow 9 field definitions", ConfigurationField.Optional.OPTIONAL));
 
             return configuration;
         }

src/main/java/org/graylog/plugins/netflow/v9/NetFlowV9FieldDef.java

@@ -21,6 +21,7 @@
 import com.google.auto.value.AutoValue;
 import io.netty.buffer.ByteBuf;
 
+import java.math.BigInteger;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.nio.charset.StandardCharsets;
@@ -52,10 +53,18 @@ public Optional<Object> parse(ByteBuf bb) {
                 return Optional.of(bb.readUnsignedShort());
             case INT16:
                 return Optional.of(bb.readShort());
+            case UINT24:
+                return Optional.of(bb.readUnsignedMedium());
+            case INT24:
+                return Optional.of(bb.readMedium());
             case UINT32:
                 return Optional.of(bb.readUnsignedInt());
             case INT32:
                 return Optional.of(bb.readInt());
+            case UINT64:
+                byte[] uint64Bytes = new byte[8];
+                bb.readBytes(uint64Bytes);
+                return Optional.of(new BigInteger(uint64Bytes));
             case INT64:
                 return Optional.of(bb.readLong());
             case VARINT:

src/main/java/org/graylog/plugins/netflow/v9/NetFlowV9FieldType.java

@@ -40,7 +40,9 @@ public static NetFlowV9FieldType create(@JsonProperty("id") int id,
     }
 
     public enum ValueType {
-        UINT8(1), INT8(1), UINT16(2), INT16(2), UINT32(4), INT32(4), INT64(8), IPV4(4), IPV6(16), MAC(6), STRING(0), VARINT(0);
+        UINT8(1), INT8(1), UINT16(2), INT16(2), UINT24(3), INT24(3),
+        UINT32(4), INT32(4), UINT64(8), INT64(8), IPV4(4), IPV6(16),
+        MAC(6), STRING(0), VARINT(0);
 
         private final int defaultLength;
 

src/main/java/org/graylog/plugins/netflow/v9/NetFlowV9FieldTypeRegistry.java

@@ -1,39 +1,178 @@
 package org.graylog.plugins.netflow.v9;
 
-import com.google.common.base.Splitter;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.io.Resources;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
-import java.io.UncheckedIOException;
+import java.io.InputStream;
 import java.net.URL;
-import java.nio.charset.StandardCharsets;
-import java.util.List;
+import java.util.Iterator;
 import java.util.Map;
 
 public class NetFlowV9FieldTypeRegistry {
+    private static final Logger LOG = LoggerFactory.getLogger(NetFlowV9FieldTypeRegistry.class);
+    private static final String DEFAULT_DEFINITIONS = "/netflow9.yml";
+
     private final Map<Integer, NetFlowV9FieldType> fieldTypes;
 
-    public NetFlowV9FieldTypeRegistry() {
-        final URL url = Resources.getResource(this.getClass(), "/netflow9.csv");
-        final List<String> lines;
+    private NetFlowV9FieldTypeRegistry(InputStream definitions) throws IOException {
+        this(definitions, new ObjectMapper(new YAMLFactory()));
+    }
+
+    private NetFlowV9FieldTypeRegistry(InputStream definitions, ObjectMapper yamlMapper) throws IOException {
         try {
-            lines = Resources.readLines(url, StandardCharsets.UTF_8);
-        } catch (IOException e) {
-            throw new UncheckedIOException(e);
+            this.fieldTypes = parseYaml(definitions, yamlMapper);
+        } catch (Exception e) {
+            throw new IllegalArgumentException("Unable to parse NetFlow 9 definitions", e);
+        }
+    }
+
+    public static NetFlowV9FieldTypeRegistry create() throws IOException {
+        final URL url = Resources.getResource(NetFlowV9FieldTypeRegistry.class, DEFAULT_DEFINITIONS);
+        try (InputStream inputStream = url.openStream()) {
+            return new NetFlowV9FieldTypeRegistry(inputStream);
+        }
+    }
+
+    public static NetFlowV9FieldTypeRegistry create(InputStream definitions) throws IOException {
+        return new NetFlowV9FieldTypeRegistry(definitions);
+    }
+
+    private static Map<Integer, NetFlowV9FieldType> parseYaml(InputStream inputStream, ObjectMapper yamlMapper) throws IOException {
+        final JsonNode node = yamlMapper.readValue(inputStream, JsonNode.class);
+        final ImmutableMap.Builder<Integer, NetFlowV9FieldType> mapBuilder = ImmutableMap.builder();
+        final Iterator<Map.Entry<String, JsonNode>> fields = node.fields();
+        while (fields.hasNext()) {
+            final Map.Entry<String, JsonNode> field = fields.next();
+
+            final Integer id;
+            try {
+                id = Integer.parseInt(field.getKey());
+            } catch (NumberFormatException e) {
+                LOG.debug("Skipping record with invalid id: {}", field.getKey(), e);
+                continue;
+            }
+
+            final JsonNode value = field.getValue();
+
+            if (!value.isArray()) {
+                LOG.debug("Skipping invalid record: {}", field);
+                continue;
+            }
+
+            if (value.size() == 1 && ":skip".equals(value.get(0).asText())) {
+                LOG.debug("Skipping record: {}", field);
+                continue;
+            }
+
+            if (value.size() != 2) {
+                LOG.debug("Skipping incomplete record: {}", field);
+                continue;
+            }
+
+            final JsonNode typeNode = value.get(0);
+            final NetFlowV9FieldType.ValueType type;
+            if (typeNode.isTextual()) {
+                type = symbolToValueType(typeNode.asText());
+            } else if (typeNode.isInt()) {
+                type = intToValueType(typeNode.asInt());
+            } else {
+                LOG.debug("Skipping invalid record type: {}", field);
+                continue;
+            }
+
+            final JsonNode nameNode = value.get(1);
+            if (!nameNode.isTextual()) {
+                LOG.debug("Skipping invalid record type: {}", field);
+                continue;
+            }
+
+            final String symbol = nameNode.asText();
+            final String name = rubySymbolToString(symbol);
+
+            mapBuilder.put(id, NetFlowV9FieldType.create(id, type, name));
+        }
+
+        return mapBuilder.build();
+    }
+
+    private static String rubySymbolToString(String symbol) {
+        if (symbol.charAt(0) == ':') {
+            return symbol.substring(1);
+        } else {
+            return symbol;
         }
+    }
 
-        final Splitter splitter = Splitter.on(',').trimResults().omitEmptyStrings();
-        final ImmutableMap.Builder<Integer, NetFlowV9FieldType> fieldTypesBuilder = ImmutableMap.builder();
-        for (String line : lines) {
-            final List<String> items = splitter.splitToList(line);
-            final int id = Integer.parseInt(items.get(0));
-            final String name = items.get(1);
-            final NetFlowV9FieldType.ValueType type = NetFlowV9FieldType.ValueType.valueOf(items.get(2));
+    private static NetFlowV9FieldType.ValueType symbolToValueType(String type) {
+        switch (type) {
+            case ":int8":
+                return NetFlowV9FieldType.ValueType.INT8;
+            case ":uint8":
+                return NetFlowV9FieldType.ValueType.UINT8;
+            case ":int16":
+                return NetFlowV9FieldType.ValueType.INT16;
+            case ":uint16":
+                return NetFlowV9FieldType.ValueType.UINT16;
+            case ":int24":
+                return NetFlowV9FieldType.ValueType.INT24;
+            case ":uint24":
+                return NetFlowV9FieldType.ValueType.UINT24;
+            case ":int32":
+                return NetFlowV9FieldType.ValueType.INT32;
+            case ":uint32":
+                return NetFlowV9FieldType.ValueType.UINT32;
+            case ":int64":
+                return NetFlowV9FieldType.ValueType.INT64;
+            case ":uint64":
+                return NetFlowV9FieldType.ValueType.UINT64;
+            case ":ip4_addr":
+                return NetFlowV9FieldType.ValueType.IPV4;
+            case ":ip6_addr":
+                return NetFlowV9FieldType.ValueType.IPV6;
+            case ":mac_addr":
+                return NetFlowV9FieldType.ValueType.MAC;
+            case ":string":
+                return NetFlowV9FieldType.ValueType.STRING;
+            // HACK: http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html#wp9000935
+            case ":forwarding_status":
+                return NetFlowV9FieldType.ValueType.UINT8;
+            // HACK: http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html#wp9000991
+            case ":application_id":
+                return NetFlowV9FieldType.ValueType.VARINT;
+            // HACK: http://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/guide/asa_netflow.html#pgfId-1331620
+            case ":acl_id_asa":
+                return NetFlowV9FieldType.ValueType.VARINT;
+            // HACK: https://www.iana.org/assignments/ipfix/ipfix.xml
+            case "mpls_label_stack_octets":
+                return NetFlowV9FieldType.ValueType.UINT32;
+            default:
+                LOG.debug("Unknown type: {}", type);
+                return NetFlowV9FieldType.ValueType.STRING;
+        }
+    }
 
-            fieldTypesBuilder.put(id, NetFlowV9FieldType.create(id, type, name));
+    private static NetFlowV9FieldType.ValueType intToValueType(int length) {
+        switch (length) {
+            case 1:
+                return NetFlowV9FieldType.ValueType.UINT8;
+            case 2:
+                return NetFlowV9FieldType.ValueType.UINT16;
+            case 3:
+                return NetFlowV9FieldType.ValueType.UINT24;
+            case 4:
+                return NetFlowV9FieldType.ValueType.UINT32;
+            case 8:
+                return NetFlowV9FieldType.ValueType.UINT64;
+            default:
+                LOG.debug("Unknown type length: " + length);
+                return NetFlowV9FieldType.ValueType.STRING;
         }
-        this.fieldTypes = fieldTypesBuilder.build();
     }
 
     public NetFlowV9FieldType get(int id) {
@@ -43,4 +182,5 @@ public NetFlowV9FieldType get(int id) {
     public Map<Integer, NetFlowV9FieldType> asMap() {
         return fieldTypes;
     }
+
 }