ip.version inconsistencies #11884

RagnarSTS · 2023-11-29T05:15:58Z

RagnarSTS
Nov 29, 2023

Version

2.4.30

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

12

RAM

28

Storage for /

200

Storage for /nsm

120

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Yes...I know...nobody cares about IPv6...until it sneaks around your monitoring... :)

This is potentially just a more general information seeking discussion.
For giggles I've always wanted to slowly watch the increase of IPv6 traffic over time. Moderately recently there seems to be a field available called ip.version.
One can graph against this ip.version - In a given amount of time it showed 80% ipv4 and 20% ipv6. Cool enough.
Closer inspection showed it was always 2601: and fe80:: addresses. So it seems to function and tag all local autoconfig ipv6 stuff as ipv6 properly.
It does NOT count general legitimate ipv6 traffic that actually moves north/south as ipv6 traffic.

At first I thought it was just the monitored home ranges; but even if that was the case I'd at least see the sources/destinations tagged appropriately just not see alerts triggered.

For giggles on a workstation I disabled ipv4 and just watched youtube videos for 30 minutes. Filtering for ip.version: 6 yielded exactly no records whatsoever. Just seems like a small tweak needs to happen in the pipeline somewhere but I'm not smart enough to locate where.

Guidelines

I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

Answered by dougburks

Nov 30, 2023

For these logs that have the ip.version field, what is the event.dataset field set to? Is it pfsense.firewall?

View full answer

dougburks · 2023-11-30T14:35:04Z

dougburks
Nov 30, 2023
Maintainer

For these logs that have the ip.version field, what is the event.dataset field set to? Is it pfsense.firewall?

2 replies

RagnarSTS Dec 1, 2023
Author

Indeed they are.
Now I have two separate frustrations that have nothing to do with security onion directly.
Why isn't pfsense categorizing normal IPv6 traffic reliably?
How can I magic a repeatable method to categorize it on the ELK metadata side?

dougburks Dec 4, 2023
Maintainer

There is an Elastic Integration for pfSense that might be more comprehensive than our simple parser. You might want to try it and see if it helps.
https://docs.securityonion.net/en/2.4/elastic-fleet.html#integrations
https://docs.elastic.co/integrations/pfsense

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ip.version inconsistencies #11884

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

ip.version inconsistencies #11884

Uh oh!

RagnarSTS Nov 29, 2023

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment · 2 replies

Uh oh!

dougburks Nov 30, 2023 Maintainer

Uh oh!

RagnarSTS Dec 1, 2023 Author

Uh oh!

dougburks Dec 4, 2023 Maintainer

RagnarSTS
Nov 29, 2023

Replies: 1 comment 2 replies

dougburks
Nov 30, 2023
Maintainer

RagnarSTS Dec 1, 2023
Author

dougburks Dec 4, 2023
Maintainer