Comments (2)
geoip_dst, geoip_src, geoip_client, and geoip_server are the GeoIP data that correspond respectively to dst_addr, src_addr, client_addr, and server_addr.

NOTE: GeoIP-related fields are populated only if the IP address is not a private IP. This is determined using the CIDR filter to match against the standard private IP blocks.

geoip is a kind of overall value for records where at least one end of the connection is to/from a public IP. If only one end of the connection is public, then that end would be used to set the geoip fields. If both ends are public, e.g. internet-facing interfaces at the edge of your private network, then the source end of the connection is used to set geoip, as the majority of use-cases tend to be concerned with inbound traffic from the public space hitting the edge of a private network.

In your case it sounds like you would want to filter on traffic using the geoip_dst fields. There is however some nuance to this.

Consider access to a web site from your browser. For the request you would be the source (src_addr) and the website would be the destination (dst_addr). When the site sends the response, it is the source and you are the destination. So if you wanted to filter on traffic both to and from a website in China, using geoip_dst.country_name: China would not work. This would only match the requests from your browser to the website, not the responses.

For this reason ElastiFlow also attempts to determine which end of the connection is the client and which is the server. In the above example, your browser would be the client (client_addr), and the website would be the server (server_addr) for both the request and response traffic flows. The service_port would be the same for both as well (probably 80 or 443). This allows you to filter on geoip_server.country_name: China and match both requests to China as well as responses from China.

Basically I was trying to give you options, since I can't predict ahead of time all of the scenarios and use-cases you might have.

Hopefully this helps explain the different fields and how/why you might use them.
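The client/server and GeoIP enrichment behaviour described in the comment above, worked through as an added example; this is not code from the original thread or from ElastiFlow itself. It assumes that the end of the connection with the lower port number is the server (a simplifying assumption, not necessarily ElastiFlow's exact rule), uses a hand-written list of private CIDR blocks in place of the real CIDR filter, and substitutes a constructed GeoIP table keyed on documentation prefixes with invented country labels for a GeoIP database. The two flows are constructed: a browser on a private LAN sending a request to a web server and that server's response.

```python
import ipaddress
from typing import Optional

# Constructed list of standard private / non-routable blocks; stands in for
# the CIDR filter mentioned in the thread. Extend as your network requires.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed stand-in for a GeoIP database: prefix -> country_name.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; the country
# labels are invented for this example and mean nothing about real hosts.
FAKE_GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "China",
    ipaddress.ip_network("198.51.100.0/24"): "Germany",
}


def is_public(addr: str) -> bool:
    """True unless the address falls inside one of the private blocks."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE_NETS)


def geoip_lookup(addr: str) -> Optional[dict]:
    """Return GeoIP data for a public address, None for a private one."""
    if not is_public(addr):
        return None
    ip = ipaddress.ip_address(addr)
    for net, country in FAKE_GEOIP.items():
        if ip in net:
            return {"country_name": country}
    return {"country_name": "Unknown"}  # public, but not in the toy table


def enrich(flow: dict) -> dict:
    """Add client/server and geoip_* fields to a raw flow record."""
    rec = dict(flow)
    # Assumption: the lower port is the service port, so that end is the server.
    if flow["dst_port"] <= flow["src_port"]:
        rec["server_addr"], rec["client_addr"] = flow["dst_addr"], flow["src_addr"]
        rec["service_port"] = flow["dst_port"]
    else:
        rec["server_addr"], rec["client_addr"] = flow["src_addr"], flow["dst_addr"]
        rec["service_port"] = flow["src_port"]
    # Per-end GeoIP fields are only set for public addresses.
    for name in ("src", "dst", "client", "server"):
        g = geoip_lookup(rec[f"{name}_addr"])
        if g is not None:
            rec[f"geoip_{name}"] = g
    # Overall geoip: the public end if only one is public, else the source end.
    if is_public(flow["src_addr"]):
        rec["geoip"] = rec["geoip_src"]
    elif is_public(flow["dst_addr"]):
        rec["geoip"] = rec["geoip_dst"]
    return rec


def match(records, field: str, value) -> list:
    """Filter records on a dotted path, e.g. 'geoip_server.country_name'."""
    out = []
    for r in records:
        cur = r
        for part in field.split("."):
            if not isinstance(cur, dict) or part not in cur:
                cur = None
                break
            cur = cur[part]
        if cur == value:
            out.append(r)
    return out


# Constructed flows: request from a private-LAN browser, and the reply.
RAW_FLOWS = [
    {"src_addr": "192.168.1.10", "src_port": 51234,
     "dst_addr": "203.0.113.5", "dst_port": 443},
    {"src_addr": "203.0.113.5", "src_port": 443,
     "dst_addr": "192.168.1.10", "dst_port": 51234},
]


def enriched_flows() -> list:
    return [enrich(f) for f in RAW_FLOWS]


if __name__ == "__main__":
    recs = enriched_flows()
    for field in ("geoip_dst.country_name",
                  "geoip_server.country_name",
                  "geoip.country_name"):
        hits = match(recs, field, "China")
        print(f"{field}: China -> matches {len(hits)} of {len(recs)} flows")
```

Running it shows the nuance from the comment: geoip_dst.country_name: China matches only the request (the response has a private destination, so it gets no geoip_dst at all), while geoip_server.country_name: China matches both directions because server_addr is the same public host in each flow. The overall geoip field also matches both here, since each flow has exactly one public end; feeding enrich() a flow whose source is public as well exercises the "both ends public, use the source" rule.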
Thanks Rob, for the detailed explanation!