Merge pull request #372 from splunk/feature/null-path

Support drop events by specific IP/subnet
CSVD · Mar 25, 2020 · a1953ed · a1953ed
2 parents 5f0f49b + a6891a1
commit a1953ed
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 0 deletions.
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -225,6 +225,13 @@ For the Docker Swarm runtime, redeploy the updated service using the command:
 docker stack deploy --compose-file docker-compose.yml sc4s
 ```
 
+## Dropping all data by ip or subnet
+
+In some cases rogue or port-probing data can be sent to SC4S from misconfigured devices or vulnerability scanners. Update
+the `vendor_product_by_source.conf` filter `f_catch_first` with one or more ip/subnet masks to drop events without
+logging. Note that drop metrics will be recorded.
+
+
 ## Splunk Connect for Syslog output templates (syslog-ng templates)
 
 Splunk Connect for Syslog utilizes the syslog-ng template mechanism to format the output payload (event) that will be sent to Splunk.  These templates can format the messages in a number of ways (straight text, JSON, etc.) as well as utilize the many syslog-ng "macros" (fields) to specify what gets placed in the payload that is delivered to the destination.  Here is a list of the templates used in SC4S, which can be used in the metadata override section immediately above.  New templates can also be added by the administrator in the "local" section for local destinations; pay careful attention to the syntax as the templates are "live" syslog-ng config code.

diff --git a/package/etc/conf.d/filters/misc/catchfirst.conf b/package/etc/conf.d/filters/misc/catchfirst.conf
@@ -0,0 +1,5 @@
+#f_catch_first
+filter f_catch_first {
+    match("^catch_first", value("fields.sc4s_vendor_product"));
+
+};
diff --git a/package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl b/package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl
@@ -0,0 +1,9 @@
+# This log path functions to black hole by IP allowing rogue sources such as 
+# vulnerability scanners to be ignored
+log {
+
+    filter(f_catch_first);
+
+    flags(catchall,final);
+
+};
diff --git a/package/etc/context_templates/vendor_product_by_source.conf.example b/package/etc/context_templates/vendor_product_by_source.conf.example
@@ -2,6 +2,10 @@ filter f_test_test {
     host("testvp-*" type(glob))
     #or netmask(xxx.xxx.xxx.xxx/xx)
 };
+filter f_catch_first {
+   netmask(169.254.100.0/24)
+};
+
 filter f_citrix_netscaler {
     host("test_ctitrixns-*" type(glob))
     #or netmask(xxx.xxx.xxx.xxx/xx)

diff --git a/package/etc/context_templates/vendor_product_by_source.csv.example b/package/etc/context_templates/vendor_product_by_source.csv.example
@@ -1,4 +1,5 @@
 f_test_test,sc4s_vendor_product,"test_test"
+f_catch_first,sc4s_vendor_product,"catch_first"
 f_cisco_meraki,sc4s_vendor_product,"cisco_meraki"
 f_citrix_netscaler,sc4s_vendor_product,"citrix_netscaler"
 f_infoblox,sc4s_vendor_product,"infoblox"