Hi, I made several modifications to the latest source code of nfdump (1.6.14-b1) to add support for the Palo Alto NetFlow v9 extensions for User-ID and App-ID.
I expect that can be of use to people with palo alto firewalls. Attached is a diff with the modifications that I made to the code. Best Regards, Jose -- Jose Manuel Agudo Cuesta (SI-CPD) Unidad de Redes - Seguridad Telf. +34-923-294400 Ext 1398 Fax +34-923-294594 Edificio Facultad de Derecho Pza. Universidad de Bolonia s/n 37007 SALAMANCA - ESPAÑA (SPAIN)
diff -c nfdump-1.6.14-b1/bin/netflow_v9.c nfdump-1.6.14-b1-pan/bin/netflow_v9.c *** nfdump-1.6.14-b1/bin/netflow_v9.c 2015-10-03 16:05:30.000000000 +0200 --- nfdump-1.6.14-b1-pan/bin/netflow_v9.c 2015-10-28 10:02:01.000000000 +0100 *************** *** 123,128 **** --- 123,130 ---- #define zero64 24 #define zero96 25 #define zero128 26 + #define move_appid_32 27 + #define move_userid_64 28 uint32_t id; // sequence ID as defined above uint16_t input_offset; // copy/process data at this input offset *************** *** 357,362 **** --- 359,368 ---- { NF9_NPROBE_SERVER_NW_DELAY_SEC, "NPROBE server lat sec", _4bytes, _8bytes, move_slatency, nop, EX_LATENCY }, { NF9_NPROBE_APPL_LATENCY_SEC, "NPROBE appl lat sec", _4bytes, _8bytes, move_slatency, nop, EX_LATENCY }, + // Palo Alto Firewall Extension + { NF9_PAN_APPID, "Palo Alto Firewall App-ID", _32bytes, _32bytes, move_appid_32, zero32, EX_PAN_APPID }, + { NF9_PAN_USERID, "Palo Alto Firewall User-ID", _64bytes, _64bytes, move_userid_64, zero32, EX_PAN_USERID }, + {0, "NULL", 0, 0} }; *************** *** 1040,1045 **** --- 1046,1057 ---- case EX_NSEL_USER_MAX: PushSequence( table, NF_F_USERNAME, &offset, NULL, 0); break; + case EX_PAN_APPID: + PushSequence( table, NF9_PAN_APPID, &offset, NULL, 0); + break; + case EX_PAN_USERID: + PushSequence( table, NF9_PAN_USERID, &offset, NULL, 0); + break; case EX_NEL_COMMON: PushSequence( table, NF_N_NAT_EVENT, &offset, NULL, 0); offset += 3; *************** *** 1699,1704 **** --- 1711,1724 ---- memcpy((void *)&out[output_offset],(void *)&in[input_offset],65); out[output_offset+65] = 0; // trailing 0 for string break; + case move_appid_32: + memcpy((void *)&out[output_offset],(void *)&in[input_offset],32); + out[output_offset+32] = 0; // trailing 0 for string + break; + case move_userid_64: + memcpy((void *)&out[output_offset],(void *)&in[input_offset],64); + out[output_offset+64] = 0; // trailing 0 for string + break; case TimeMsec: { uint64_t DateMiliseconds = Get_val64((void 
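Review bot: In the two new v9_element_map rows the zero action is `zero32` for a 32-byte and a 64-byte element, so if the zero path is ever taken for these elements (the extension enabled but the exporter's template lacking the field) only the first 4 bytes of the slot are cleared and the remaining 28 or 60 bytes keep whatever the output buffer held before, which then ends up in the written file as the App-ID/User-ID string. The rows visible in context either use an action whose width matches the field or `nop`; there is no zero action of 32/64 bytes in the id list this hunk extends. Either add width-matched zero actions (a memset of 32/64 bytes at the output offset) or use `nop` as the nprobe latency rows do, if the zero path is known to be unreachable for these extensions. Whether that path is reachable depends on PushSequence/template handling outside this hunk.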
*)&in[input_offset]); *(uint64_t *)stack = DateMiliseconds; diff -c nfdump-1.6.14-b1/bin/netflow_v9.h nfdump-1.6.14-b1-pan/bin/netflow_v9.h *** nfdump-1.6.14-b1/bin/netflow_v9.h 2015-10-03 16:05:30.000000000 +0200 --- nfdump-1.6.14-b1-pan/bin/netflow_v9.h 2015-10-22 13:53:59.000000000 +0200 *************** *** 164,169 **** --- 164,171 ---- #define _16bytes 16 #define _20bytes 20 #define _24bytes 24 + #define _32bytes 32 + #define _64bytes 64 #define _65bytes 65 #define _72bytes 72 *************** *** 297,302 **** --- 299,308 ---- #define NF9_NPROBE_APPL_LATENCY_SEC 57558 #define NF9_NPROBE_APPL_LATENCY_USEC 57559 + // Palo Alto Firewall + #define NF9_PAN_APPID 56701 + #define NF9_PAN_USERID 56702 + /* prototypes */ int Init_v9(void); diff -c nfdump-1.6.14-b1/bin/nf_common.c nfdump-1.6.14-b1-pan/bin/nf_common.c *** nfdump-1.6.14-b1/bin/nf_common.c 2015-10-03 16:05:30.000000000 +0200 --- nfdump-1.6.14-b1-pan/bin/nf_common.c 2015-10-26 12:48:08.000000000 +0100 *************** *** 220,225 **** --- 220,229 ---- static void String_ExpSysID(master_record_t *r, char *string); + static void String_AppID(master_record_t *r, char *string); + + static void String_UserID(master_record_t *r, char *string); + #ifdef NSEL static void String_EventTime(master_record_t *r, char *string); *************** *** 375,380 **** --- 379,389 ---- { "%sl", 0, "S latency", String_ServerLatency }, // server latency { "%al", 0, "A latency", String_AppLatency }, // app latency + // Palo Alto Firewall + { "%userid", 0, "User-ID", String_UserID }, // User-ID + { "%appid", 0, "App-ID", String_AppID }, // App-ID + + { NULL, 0, NULL, NULL } }; *************** *** 1074,1079 **** --- 1083,1104 ---- _s = data_string + _slen; slen = STRINGSIZE - _slen; break; + case EX_PAN_APPID: + snprintf(_s, slen-1, + " App ID = %s\n" + , r->appid[0] ? 
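Review bot: `move_appid_32` and `move_userid_64` write the terminating NUL at `out[output_offset+32]` and `out[output_offset+64]`, one byte past the slot the element map gives these fields (the table rows declare `_32bytes`/`_64bytes` output and the nfx.c descriptors size the extensions 32/64), whereas the `move_user_65` case in context copies 65 bytes into a `_72bytes` slot that has room for the terminator. The stray byte lands on the first byte of the following extension, which is harmless only while a later sequence step overwrites it, or just past the record when this is the last extension. Either widen the output slot to a multiple of 8 with room for the NUL (`_40bytes`/`_72bytes` in the map, 40/72 in nfx.c, and the on-disk structs to match) or drop the terminator write and rely on the bounded copy plus forced termination in nffile_inline.c. Note also that these bytes come straight from the exporter and are later printed with `%s`, so control characters pass through unfiltered, as they already do for NSEL usernames; the enclosing switch continues outside the hunk.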
r->appid : " <empty>"); + _slen = strlen(data_string); + _s = data_string + _slen; + slen = STRINGSIZE - _slen; + break; + case EX_PAN_USERID: + snprintf(_s, slen-1, + " User ID = %s\n" + , r->userid[0] ? r->userid : " <empty>"); + _slen = strlen(data_string); + _s = data_string + _slen; + slen = STRINGSIZE - _slen; + break; #ifdef NSEL case EX_NSEL_COMMON: { char *event = "UNKNOWN"; *************** *** 2883,2887 **** --- 2908,2933 ---- } // End of String_PortBlockSize + static void String_UserID(master_record_t *r, char *string) { + + if ( r->userid[0] == '\0' ) + snprintf(string, MAX_STRING_LENGTH-1 ,"%s", "<empty>"); + else + snprintf(string, MAX_STRING_LENGTH-1 ,"%s", r->userid); + + string[MAX_STRING_LENGTH-1] = '\0'; + + } // End of String_UserID + + static void String_AppID(master_record_t *r, char *string) { + + if ( r->appid[0] == '\0' ) + snprintf(string, MAX_STRING_LENGTH-1 ,"%s", "<empty>"); + else + snprintf(string, MAX_STRING_LENGTH-1 ,"%s", r->appid); + + string[MAX_STRING_LENGTH-1] = '\0'; + + } // End of String_AppID #endif diff -c nfdump-1.6.14-b1/bin/nffile.h nfdump-1.6.14-b1-pan/bin/nffile.h *** nfdump-1.6.14-b1/bin/nffile.h 2015-10-03 16:05:30.000000000 +0200 --- nfdump-1.6.14-b1-pan/bin/nffile.h 2015-10-23 12:56:54.000000000 +0200 *************** *** 1177,1182 **** --- 1177,1227 ---- #define EX_NEL_RESERVED_1 49 + /* + * Palo Alto Firewall App-ID + * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ + * | 0 | APPID(56701) | + * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ + * | 1 | | + * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ + * | 2 | | + * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ + * | 3 | | + * 
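Review bot: `String_UserID` and `String_AppID` are defined immediately before an `#endif`, and the preceding function in context (`String_PortBlockSize`) is NEL code, which suggests the definitions sit inside the `#ifdef NSEL` section; their prototypes and the `%userid`/`%appid` format-table rows, however, are added outside any `#ifdef NSEL`, so a build configured without NSEL would reference two undefined functions. Move the two definitions past that `#endif`, or guard the prototypes and table rows the same way, so the Palo Alto fields do not silently depend on the NSEL build option. Which conditional that `#endif` closes cannot be confirmed from the hunk alone.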
+----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ + */ + #define EX_PAN_APPID 50 + typedef struct tpl_ext_50_s { + char appid[32]; + uint8_t data[4]; // points to further data + } tpl_ext_50_t; + + + /* + * Palo Alto Firewall User-ID + * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ + * | 0 | USERID(56702) | + * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ + * | 1 | | + * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ + * | 2 | | + * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ + * | 3 | | + * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ + * | 4 | | + * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ + * | 5 | | + * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ + * | 6 | | + * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ + * | 7 | | + * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ + */ + #define EX_PAN_USERID 51 + typedef struct tpl_ext_51_s { + char userid[64]; + uint8_t data[4]; // points to further data + } tpl_ext_51_t; + /* * *************** *** 2070,2075 **** --- 2115,2128 ---- * - the extension map must be updated accordingly */ + #define OffsetAppID (offsetof(master_record_t, appid) >> 3) + char appid[32]; + + #define OffsetUserID (offsetof(master_record_t, userid) 
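Review bot: `EX_PAN_APPID` and `EX_PAN_USERID` take extension IDs 50 and 51 directly after `EX_NEL_RESERVED_1` (49), in the same numbering space upstream allocates from, so nfcapd files written by this build carry IDs that stock nfdump does not know and that a later upstream release could assign to a different layout of a different size; a reader would then misinterpret such records rather than reject them. If the patch is not adopted upstream, a comment on the two defines should at least make this visible: `/* private extension IDs, not assigned upstream: files are not portable to other nfdump builds */`. The extension list this hunk extends continues outside the hunk.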
>> 3) + char userid[64]; + + + #ifdef USER_EXTENSION_1 uint64_t u64_1; # define Offset_BASE_U1 offsetof(master_record_t, u64_1) diff -c nfdump-1.6.14-b1/bin/nffile_inline.c nfdump-1.6.14-b1-pan/bin/nffile_inline.c *** nfdump-1.6.14-b1/bin/nffile_inline.c 2015-10-03 16:05:30.000000000 +0200 --- nfdump-1.6.14-b1-pan/bin/nffile_inline.c 2015-10-26 12:55:34.000000000 +0100 *************** *** 367,372 **** --- 367,384 ---- output_record->appl_latency_usec = tpl->appl_latency_usec; p = (void *)tpl->data; } break; + case EX_PAN_APPID: { + tpl_ext_50_t *tpl = (tpl_ext_50_t *)p; + strncpy((void *)output_record->appid, (void *)tpl->appid, sizeof(output_record->appid)); + output_record->appid[sizeof(output_record->appid)-1] = '\0'; // safety 0 + p = (void *)tpl->data; + } break; + case EX_PAN_USERID: { + tpl_ext_51_t *tpl = (tpl_ext_51_t *)p; + strncpy((void *)output_record->userid, (void *)tpl->userid, sizeof(output_record->userid)); + output_record->userid[sizeof(output_record->userid)-1] = '\0'; // safety 0 + p = (void *)tpl->data; + } break; case EX_RECEIVED: { tpl_ext_27_t *tpl = (tpl_ext_27_t *)p; value64_t v; *************** *** 730,735 **** --- 742,759 ---- tpl->bgpPrevAdjacentAS = master_record->bgpPrevAdjacentAS; p = (void *)tpl->data; } break; + case EX_PAN_APPID: { + tpl_ext_50_t *tpl = (tpl_ext_50_t *)p; + strncpy((void *)tpl->appid, (void *)master_record->appid, sizeof(tpl->appid)); + tpl->appid[sizeof(tpl->appid)-1] = '\0'; // safety 0 + p = (void *)tpl->data; + } break; + case EX_PAN_USERID: { + tpl_ext_51_t *tpl = (tpl_ext_51_t *)p; + strncpy((void *)tpl->userid, (void *)master_record->userid, sizeof(tpl->userid)); + tpl->userid[sizeof(tpl->userid)-1] = '\0'; // safety 0 + p = (void *)tpl->data; + } break; case EX_RECEIVED: { tpl_ext_27_t *tpl = (tpl_ext_27_t *)p; tpl->received = master_record->received; diff -c nfdump-1.6.14-b1/bin/nfx.c nfdump-1.6.14-b1-pan/bin/nfx.c *** nfdump-1.6.14-b1/bin/nfx.c 2015-10-03 16:05:30.000000000 +0200 --- 
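Review bot: In the read-path `EX_PAN_APPID`/`EX_PAN_USERID` cases, `tpl->appid` and `output_record->appid` are both exactly 32 bytes and the copy is then force-terminated at index 31, so an App-ID that fills all 32 bytes from the exporter loses its last character (likewise index 63 for a 64-byte User-ID), and the write path repeats the same truncation at `tpl->appid[sizeof(tpl->appid)-1]`. Reserve room for the terminator instead: size the master-record and on-disk fields one 8-byte word larger than the exporter's element (e.g. `char appid[40]; char userid[72];`, matching the 65-in/72-out precedent for NSEL usernames), which also keeps the `offsetof(...) >> 3` word offsets valid. With that, `snprintf(dst, sizeof dst, "%s", src)` gives the bounded, terminated copy more directly than `strncpy` plus a manual NUL. Both copy/expand functions begin and end outside the hunks.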
nfdump-1.6.14-b1-pan/bin/nfx.c 2015-10-27 13:55:10.000000000 +0100 *************** *** 126,138 **** // nprobe extensions { EX_LATENCY, 24, 64, 0, "nprobe latency"}, ! // NAT - Network Event Logging { EX_NEL_COMMON, 12, 31, 0, "NEL Common block"}, { EX_NEL_GLOBAL_IP_v4, 0, 0, 0, "Compat NEL IPv4"}, { EX_PORT_BLOCK_ALLOC, 8, 32, 0, "NAT Port Block Allocation"}, { EX_NEL_RESERVED_1, 0, 0, 0, NULL}, // last entry { 0, 0, 0, 0, NULL } }; --- 126,142 ---- // nprobe extensions { EX_LATENCY, 24, 64, 0, "nprobe latency"}, ! // NAT - Network Event Logging { EX_NEL_COMMON, 12, 31, 0, "NEL Common block"}, { EX_NEL_GLOBAL_IP_v4, 0, 0, 0, "Compat NEL IPv4"}, { EX_PORT_BLOCK_ALLOC, 8, 32, 0, "NAT Port Block Allocation"}, { EX_NEL_RESERVED_1, 0, 0, 0, NULL}, + // Palo Alto Firewall + { EX_PAN_APPID, 32, 65, 0, "Palo Alto App-ID"}, + { EX_PAN_USERID, 64, 66, 0, "Palo Alto User-ID"}, + // last entry { 0, 0, 0, 0, NULL } };
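Review bot: The new descriptors size `EX_PAN_APPID` at 32 and `EX_PAN_USERID` at 64 bytes, exactly the element lengths, while the netflow_v9.c copy actions store a trailing NUL after those bytes, so the two files disagree on how much room each extension occupies in the record; the sizes here, the `tpl_ext_50_t`/`tpl_ext_51_t` structs and the element-map output widths must be changed together. The user-facing indices 65 and 66 do not collide with anything in the visible table, but since they are what users name on the command line, a one-line comment recording why they were chosen would help the next person adding an extension: `// user indices 65/66: first free values after the nprobe latency entry (64)`. Whether 65/66 are free across the whole table cannot be confirmed from this hunk.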