Does Cribl provide functionality to compute a network flow hash?

Hey, sorry for all the messages, but I'm curious here: Does Cribl provide functionality to compute a network flow hash according to the Community ID Flow Hash specification for given fields and provide the output to a new field? https://www.elastic.co/guide/en/beats/filebeat/current/community-id.html

Answers

  • Jon Rust (Posts: 439, mod)

    This is not a built-in function. Possibly(?) you could accomplish it in a Code function. It would depend heavily on whether you could do it with base TypeScript (JS) functions, or whether it would require external libraries (not good).

  • wcall_cribl

    <@ULBGHDPNY> Any potential for this to be included in future releases of Cribl? This seems to be a common function that would be really useful for customers.

  • Jon Rust (Posts: 439, mod)

    From what I can gather (1st time ever running across it), it seems like a pretty simple function. A Code function would not be required. Assuming you have `srcIp`, `dstIp`, `proto`, `srcPort`, `dstPort` and a seed value, it is very straightforward to do this with Eval: `cidfh` => `C.Mask.sha1(seed + srcIp + dstIp + proto + 0 + srcPort + dstPort,16)`