{"id":198,"date":"2019-10-05T15:25:29","date_gmt":"2019-10-05T15:25:29","guid":{"rendered":"http:\/\/tonysbit.blog\/?p=198"},"modified":"2019-10-05T15:25:29","modified_gmt":"2019-10-05T15:25:29","slug":"spoofing-udp-traffic-with-logstash","status":"publish","type":"post","link":"https:\/\/tonysbit.blog\/?p=198","title":{"rendered":"Spoofing UDP Traffic with Logstash"},"content":{"rendered":"\n
Solving a 2-year-old problem<\/h2>\n
Logs are usually sent over UDP, most commonly as syslog messages:<\/p>\n
\n
UDP: best-effort, process-to-process communication<\/li>\n
TCP: reliable, host-to-host communication<\/li>\n<\/ul>\n
In many products (especially SIEMs, Security Information and Event Management systems), the source of these logs is identified by the source IP of the packet rather than by the content of the message (often the log content carries no source identification at all, which is a result of poor logging design). As a consequence, in more complex topologies with log caching or staged log propagation, the final system cannot differentiate the true sources of the logs.<\/p>\n<\/div>\n\n\n\n