Comments (2)

robcowart avatar robcowart commented on July 25, 2024

geoip_dst, geoip_src, geoip_client, and geoip_server are the GeoIP data that correspond respectively to dst_addr, src_addr, client_addr, server_addr.

NOTE: GeoIP related fields are populated only if the IP address is not a private IP. This is determined using the CIDR filter to match against the standard private IP blocks.

geoip is a kind of overall value for records where at least one end of the connection is to/from a public IP. If only one end of the connection is public, then that end would be used to set geoip fields. If both ends are public, e.g. internet facing interfaces at the edge of your private network, then the source end of the connection is used to set geoip, as the majority of use-cases tend to be concerned with inbound traffic from the public space hitting the edge of a private network.

In your case it sounds like you would want to filter on traffic using geoip_dst fields. There is however some nuance to this.

Consider access to a web site from your browser. For the request you would be the source (src_addr) and the website would be the destination (dst_addr). When the site sends the response, it is the source and you are the destination. So if you wanted to filter on traffic both to and from a website in China, using geoip_dst.country_name: China would not work. This would only match the requests from your browser to the website, not the responses.

For this reason ElastiFlow also attempts to determine which end of the connection is the client and which is the server. In the above example, your browser would be the client (client_addr), and the website would be the server (server_addr) for both the request and response traffic flows. The service_port would be the same for both as well (probably 80 or 443). This allows you to filter on geoip_server.country_name: China and match both requests to China as well as responses from China.

Basically I was trying to give you options, since I can't predict ahead of time all of the scenarios and use-cases you might have.

Hopefully this helps explain the different fields and how/why you might use them.

from elastiflow.
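The enrichment rules described in the comment above, worked through as an added example (not ElastiFlow's own code): GeoIP fields are only set for public addresses, the overall geoip takes the public end or, when both ends are public, the source end, and a geoip_server filter matches both directions of a flow while geoip_dst matches only the request. The prefix-to-country table, the addresses and the flow records are constructed for the example; client_addr and server_addr are taken as already determined, since the comment does not describe how that is done.

```python
import ipaddress

# Standard private blocks the CIDR filter matches against (RFC 1918).
PRIVATE_BLOCKS = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for a GeoIP database: prefix -> country_name.
FAKE_GEOIP_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "China",
    ipaddress.ip_network("198.51.100.0/24"): "Germany",
}

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_BLOCKS)

def geoip_lookup(addr):
    """Return GeoIP data for a public address, None for a private one."""
    if is_private(addr):
        return None
    ip = ipaddress.ip_address(addr)
    for net, country in FAKE_GEOIP_DB.items():
        if ip in net:
            return {"country_name": country}
    return {"country_name": "Unknown"}  # public, but not in the constructed DB

def enrich(flow):
    """Populate geoip_src/dst/client/server plus the overall geoip field."""
    out = dict(flow)
    for end in ("src", "dst", "client", "server"):
        geo = geoip_lookup(flow[f"{end}_addr"])
        if geo is not None:          # private ends get no geoip_* field at all
            out[f"geoip_{end}"] = geo
    # Overall geoip: the public end; the source end wins when both are public.
    if "geoip_src" in out:
        out["geoip"] = out["geoip_src"]
    elif "geoip_dst" in out:
        out["geoip"] = out["geoip_dst"]
    return out

def matches(records, field, country):
    """Emulate a Kibana filter such as geoip_server.country_name: China."""
    return [r for r in records if r.get(field, {}).get("country_name") == country]

# Constructed request/response pair: browser 192.168.1.10 -> website 203.0.113.5:443.
REQUEST = {"src_addr": "192.168.1.10", "dst_addr": "203.0.113.5",
           "client_addr": "192.168.1.10", "server_addr": "203.0.113.5", "service_port": 443}
RESPONSE = {"src_addr": "203.0.113.5", "dst_addr": "192.168.1.10",
            "client_addr": "192.168.1.10", "server_addr": "203.0.113.5", "service_port": 443}

def demo():
    """Return (hits via geoip_dst, hits via geoip_server) for the China filter."""
    records = [enrich(REQUEST), enrich(RESPONSE)]
    return len(matches(records, "geoip_dst", "China")), len(matches(records, "geoip_server", "China"))
```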

bluefangs avatar bluefangs commented on July 25, 2024

Thanks Rob, for the detailed explanation!

from elastiflow.
