{"id":198,"date":"2019-10-05T15:25:29","date_gmt":"2019-10-05T15:25:29","guid":{"rendered":"http:\/\/tonysbit.blog\/?p=198"},"modified":"2019-10-05T15:25:29","modified_gmt":"2019-10-05T15:25:29","slug":"spoofing-udp-traffic-with-logstash","status":"publish","type":"post","link":"https:\/\/tonysbit.blog\/?p=198","title":{"rendered":"Spoofing UDP Traffic with Logstash"},"content":{"rendered":"\n<div class=\"wp-block-jetpack-markdown\"><h2>Solving a 2 year old problem<\/h2>\n<p>Logs are usually sent via UDP traffic and most commonly available as a syslog message:<\/p>\n<ul>\n<li>UDP: Best effort process-to-process based communication<\/li>\n<li>TCP: Reliable host-to-host based communication<\/li>\n<\/ul>\n<p>These logs in many products (especially SIEM &#8211; Security information and event management) have their sources identified using the source-IP of the packet instead of the content of the message (Often the content of the log does not contain source identification information, this is a result of poor logging design), as such in more complex topologies with log caching or staged log propagation, the source of the logs cannot differentiated by the final system.<\/p>\n<\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"144\" src=\"https:\/\/tonysbit.files.wordpress.com\/2019\/10\/example-single-log.png?w=650&#038;resize=640%2C144\" alt=\"\" class=\"wp-image-200\" srcset=\"https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2019\/10\/example-single-log.png?w=650&amp;ssl=1 650w, https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2019\/10\/example-single-log.png?resize=300%2C67&amp;ssl=1 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" data-recalc-dims=\"1\" \/><figcaption>Figure 1: Example of simple caching<\/figcaption><\/figure>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><p>This may not matter in a environment where the cache is only caching logs from a single device, however if the cache is centralizing logs from multiple sources, it makes it impossible for the SIEM to differentiate device sources for the logs impacting the functionality available.<\/p>\n<\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"289\" src=\"https:\/\/tonysbit.files.wordpress.com\/2019\/10\/example-multiple-log.png?w=651&#038;resize=640%2C289\" alt=\"\" class=\"wp-image-202\" srcset=\"https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2019\/10\/example-multiple-log.png?w=651&amp;ssl=1 651w, https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2019\/10\/example-multiple-log.png?resize=300%2C135&amp;ssl=1 300w\" sizes=\"(max-width: 640px) 100vw, 640px\" data-recalc-dims=\"1\" \/><figcaption> Figure 2: Example of more complex caching <\/figcaption><\/figure>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><p>This has been a <a href=\"https:\/\/github.com\/logstash-plugins\/logstash-output-udp\/issues\/8\">ticket<\/a> since 04\/05\/2017.<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><h2>The ELK Log Forwarding Topology<\/h2>\n<\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><p>Elasticsearch is commonly used as a centralization point for logs due to its high ingestion capability as well as the extensive libraries of plugins that can be used for collecting, transforming and forwarding almost all types of data. This is especially important for Service Providers who may have a responsibility such as to both store a copy of logs as well as send a copy to customers for their usage in their own SIEM solutions.<\/p>\n<\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"222\" src=\"https:\/\/tonysbit.files.wordpress.com\/2019\/10\/elasticsearch-forwarding-topology.png?w=847&#038;resize=640%2C222\" alt=\"\" class=\"wp-image-206\" srcset=\"https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2019\/10\/elasticsearch-forwarding-topology.png?w=847&amp;ssl=1 847w, https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2019\/10\/elasticsearch-forwarding-topology.png?resize=300%2C104&amp;ssl=1 300w, https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2019\/10\/elasticsearch-forwarding-topology.png?resize=768%2C267&amp;ssl=1 768w\" sizes=\"(max-width: 640px) 100vw, 640px\" data-recalc-dims=\"1\" \/><figcaption>Figure 3: Example of customer forwarding topology using the ELK stack<\/figcaption><\/figure>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><h2>Logstash Output Plugin &#8211; Spoof<\/h2>\n<p>The default UDP Logstash output plugin does not allow for spoofing the source device (IP Address, Port and MAC). I have written a new Logstash output to enable this behavior. The plugin is able to, on every individual message spoof the Source IP, Source Port and Source MAC Address of the packet. To use the plugin you need to specify additional information about the target device:<\/p>\n<ul>\n<li>Destination MAC Address (This cannot be resolved from the ARP table at this point in time)<\/li>\n<li>Interface the traffic is intended to be spoofed from<\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><h2>Getting Started<\/h2>\n<h3>Pre-Requisites<\/h3>\n<p>The plugin uses the jnetpcap library and therefore requires a number of pre-requisites on the host to be completed:<\/p>\n<ul>\n<li>Add jnetpcap library to OS<\/li>\n<li>Install Plugin<\/li>\n<\/ul>\n<h4>JNetPCAP<\/h4>\n<p>It is possible to run the library on different operating systems, I have tested on Ubuntu 18.04. For instructions on how to run it on other operating systems, there are notes in the <a href=\"https:\/\/downloads.sourceforge.net\/project\/jnetpcap\/jnetpcap\/Latest\/jnetpcap-1.4.r1425-1.linux64.x86_64.tgz\">Release Notes<\/a> of the library.<\/p>\n<p>After deploying a new Ubuntu Server with the default Logstash installation, complete the following steps:<\/p>\n<ol>\n<li>Download the jnetpcap library:<\/li>\n<\/ol>\n<p><code>wget -O jnetpcap-1.4.r1425 https:\/\/downloads.sourceforge.net\/project\/jnetpcap\/jnetpcap\/Latest\/jnetpcap-1.4.r1425-1.linux64.x86_64.tgz<\/code><\/p>\n<ol start=\"2\">\n<li>Unzip the files<\/li>\n<\/ol>\n<p><code>tar -xvf jnetpcap-1.4.r1425<\/code><\/p>\n<ol start=\"3\">\n<li>Copy the library to the \/lib folder<\/li>\n<\/ol>\n<p><code>cp jnetpcap-1.4.r1425\/libjnetpcap.so \/lib\/<\/code><\/p>\n<ol start=\"4\">\n<li>Install libpcap-dev (Ubuntu)<\/li>\n<\/ol>\n<p><code>sudo apt-get install libpcap-dev<\/code><\/p>\n<p>Note: Using Centos, the package is only available via the <a href=\"https:\/\/serverfault.com\/questions\/828370\/redhat-6-how-to-install-libpcap-devel\/828384\">RHEL optional channel<\/a>.<\/p>\n<p>Note: If you are running logstash as a service, the default permissions for the logstash user are not sufficient, run the service as root (If anyone knows the exact permissions to harden please DM me).<\/p>\n<p>This can be done by editing \/etc\/systemd\/system\/logstash.service if you are using systemctl.<\/p>\n<h4>Installing the plugin<\/h4>\n<p>You can download the <a href=\"https:\/\/github.com\/xucito\/logstash-output-spoof\">source code<\/a> and build the code yourself. Alternatively you can download the gem directly from <a href=\"https:\/\/www.dropbox.com\/s\/u1xnxhcp8yonp37\/logstash-output-spoof-0.1.0.gem?dl=0\">here<\/a>.<\/p>\n<ol>\n<li>Move to the logstash folder<\/li>\n<\/ol>\n<p><code>cd \/usr\/share\/logstash<\/code><\/p>\n<ol start=\"2\">\n<li>Install the plugin<\/li>\n<\/ol>\n<p><code>.\/bin\/logstash-plugin install --no-verify &lt;path-to-gem&gt;\/logstash-output-spoof-0.1.0.gem<\/code><\/p>\n<h4>Testing the plugin<\/h4>\n<ol>\n<li>Create a test pipeline to test<\/li>\n<\/ol>\n<p><code>vi \/usr\/share\/logstash\/test.conf<\/code><\/p>\n<ol start=\"2\">\n<li>Copy the following pipeline into the file<\/li>\n<\/ol>\n<p>Note: Remember to replace the values marked to be replaced<\/p>\n<pre><code>input {\n  generator { message =&gt; &quot;Hello world!&quot; count =&gt; 1 }\n}\nfilter {\n  mutate {\n   add_field =&gt; {\n      &quot;extra_field&quot; =&gt; &quot;this is the test field&quot;\n      &quot;src_host&quot; =&gt; &quot;3.3.3.3&quot;\n   }\n   update =&gt; {&quot;message&quot; =&gt; &quot;this should be the new message&quot;}\n  }\n}\noutput {\n  spoof {\n    dest_host =&gt; &quot;&lt;REPLACE WITH YOUR DESTINATION IP&gt;&quot;\n    dest_port =&gt; &quot;&lt;REPLACE WITH YOUR DESTINATION PORT&gt;&quot;\n    src_host =&gt; &quot;%{src_host}&quot;\n    src_port =&gt; &quot;2222&quot;\n    dest_mac =&gt;  &quot;&lt;REPLACE WITH YOUR DESTINATION MAC ADDRESS&gt;&quot;\n    src_mac =&gt; &quot;&lt;REPLACE WITH YOUR MAC ADDRESS&gt;&quot;\n    message =&gt; &quot;%{message}&quot;\n    interface =&gt; &quot;ens32&quot;\n  }\n}\n<\/code><\/pre>\n<ol start=\"3\">\n<li>On the DESTINATION device, you can run tcpdump to collect and observe the traffic<\/li>\n<\/ol>\n<p><code>sudo tcpdump -A -i any src 3.3.3.3 -v<\/code><\/p>\n<p>Note: You may need to install tcpdump<\/p>\n<ol start=\"4\">\n<li>On the server hosting the logstash from the \/usr\/share\/logstash path, start the pipeline<\/li>\n<\/ol>\n<p><code>.\/bin\/logstash -f test.conf<\/code><\/p>\n<p>Note: Be patient, Logstash is very slow to start up<\/p>\n<p>On the target system you are capturing traffic from you should see the source of the packet is coming from 3.3.3.3! Congratulations on spoofing your first message.<\/p>\n<\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"101\" src=\"https:\/\/tonysbit.files.wordpress.com\/2019\/10\/final-1.png?w=878&#038;resize=640%2C101\" alt=\"\" class=\"wp-image-215\" srcset=\"https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2019\/10\/final-1.png?w=878&amp;ssl=1 878w, https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2019\/10\/final-1.png?resize=300%2C47&amp;ssl=1 300w, https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2019\/10\/final-1.png?resize=768%2C121&amp;ssl=1 768w\" sizes=\"(max-width: 640px) 100vw, 640px\" data-recalc-dims=\"1\" \/><figcaption>Figure 4: Sample of captured data<\/figcaption><\/figure>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><h2>Conclusion<\/h2>\n<p>In this post I have demonstrated how you can use the new Logstash Plugin to spoof traffic, as this can be done using event based data this plugin can be used to support many exotic deployment topologies that are SIEM compliant.<\/p>\n<p>Using this plugin, hopefully you can support complex log forwarding topologies regardless of what technologies the end device uses.<\/p>\n<\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"345\" src=\"https:\/\/tonysbit.files.wordpress.com\/2019\/10\/advanced-log-forwarding-topology-2.png?w=847&#038;resize=640%2C345\" alt=\"\" class=\"wp-image-220\" srcset=\"https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2019\/10\/advanced-log-forwarding-topology-2.png?w=847&amp;ssl=1 847w, https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2019\/10\/advanced-log-forwarding-topology-2.png?resize=300%2C162&amp;ssl=1 300w, https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2019\/10\/advanced-log-forwarding-topology-2.png?resize=768%2C413&amp;ssl=1 768w\" sizes=\"(max-width: 640px) 100vw, 640px\" data-recalc-dims=\"1\" \/><figcaption>Figure 5: Sample of Advanced Log Forwarding Topology<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Using a new Logstash output plugin to dynamically route UDP Traffic from a Spoofed IP and MAC Address.<\/p>\n","protected":false},"author":1,"featured_media":220,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[7],"tags":[14,16],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/i0.wp.com\/tonysbit.blog\/wp-content\/uploads\/2019\/10\/advanced-log-forwarding-topology-2.png?fit=847%2C456&ssl=1","_links":{"self":[{"href":"https:\/\/tonysbit.blog\/index.php?rest_route=\/wp\/v2\/posts\/198"}],"collection":[{"href":"https:\/\/tonysbit.blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tonysbit.blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tonysbit.blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tonysbit.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=198"}],"version-history":[{"count":0,"href":"https:\/\/tonysbit.blog\/index.php?rest_route=\/wp\/v2\/posts\/198\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tonysbit.blog\/index.php?rest_route=\/wp\/v2\/media\/220"}],"wp:attachment":[{"href":"https:\/\/tonysbit.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=198"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tonysbit.blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=198"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tonysbit.blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=198"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}