Does Cribl provide functionality to compute a network flow hash?
Hey, sorry for all the messages and asks, but curious here: Does Cribl provide functionality to compute a network flow hash according to the Community ID Flow Hash specification for given fields and provide the output to a new field? https://www.elastic.co/guide/en/beats/filebeat/current/community-id.html
Answers
-
This is not a built-in function. Possibly(?) you could accomplish it in a Code function. It would depend heavily on whether you could do it with base TypeScript (JS) functions, or would require external libraries (not good).
0 -
From what I can gather (1st time ever running across it), it seems like a pretty simple function. A Code function would not be required. Assuming you have `srcIp`, `dstIp`, `proto`, `srcPort`, `dstPort` and a seed value, it's very straightforward to do this with Eval: `cidfh` => `C.Mask.sha1(seed + srcIp + dstIp + proto + 0 + srcPort + dstPort,16)`
0 -
Any potential for this to be included in future releases of Cribl? This seems to be a common function that would be really useful for customers.
0
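For reference alongside the thread, an added example (not code from Cribl or from any poster) of the Community ID v1 computation as the specification defines it: the seed, addresses, protocol, a zero pad byte and the ports are packed as binary in network byte order, with the endpoints ordered so both directions of a flow match, and the SHA-1 digest is base64-encoded behind a `1:` prefix. It is stand-alone Node.js covering IPv4 TCP/UDP only; the function names are hypothetical, and whether the same calls are available inside a Cribl Code function is not established by this page.

```javascript
// Added example: Community ID v1 for IPv4 TCP/UDP flows (stand-alone Node.js).
const nodeCrypto = require('crypto');

// Pack a dotted-quad IPv4 address into 4 network-order bytes.
function packIPv4(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return Buffer.from(parts.map(Number));
}

// Pack a 16-bit value (seed or port) in big-endian byte order.
function packU16(n) {
  if (!Number.isInteger(n) || n < 0 || n > 0xffff) throw new Error(`out of range: ${n}`);
  const buf = Buffer.alloc(2);
  buf.writeUInt16BE(n);
  return buf;
}

// Field names follow the thread; `seed` defaults to 0 as in the specification.
function communityIdV1({ srcIp, dstIp, proto, srcPort, dstPort, seed = 0 }) {
  if (proto !== 6 && proto !== 17) throw new Error('this example covers TCP (6) and UDP (17) only');
  let a = { ip: packIPv4(srcIp), port: packU16(srcPort) };
  let b = { ip: packIPv4(dstIp), port: packU16(dstPort) };
  // Put the smaller endpoint first (address, then port) so A->B and B->A hash alike.
  const byIp = Buffer.compare(a.ip, b.ip);
  if (byIp > 0 || (byIp === 0 && Buffer.compare(a.port, b.port) > 0)) [a, b] = [b, a];
  const input = Buffer.concat([
    packU16(seed), a.ip, b.ip,
    Buffer.from([proto, 0]), // protocol number followed by one zero pad byte
    a.port, b.port,
  ]);
  return '1:' + nodeCrypto.createHash('sha1').update(input).digest('base64');
}

// Constructed sample flow (documentation address ranges), seen from both directions.
const SAMPLE = { srcIp: '192.0.2.10', dstIp: '198.51.100.20', proto: 6, srcPort: 51515, dstPort: 443 };
const REVERSED = { srcIp: SAMPLE.dstIp, dstIp: SAMPLE.srcIp, proto: 6, srcPort: 443, dstPort: 51515 };
console.log(communityIdV1(SAMPLE), communityIdV1(REVERSED)); // same ID twice
```

A hash over concatenated strings, or a truncated hex digest, produces a different value from this one, so it will not join against Community IDs emitted by other tools that follow the specification.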