Network direction processor

Network direction processor

Calculates the network direction given a source IP address, destination IP address, and a list of internal networks.

The network direction processor reads IP addresses from Elastic Common Schema (ECS) fields by default. If you use the ECS, only the internal_networks option must be specified.

Table 30. Network Direction Options

NameRequiredDefaultDescription

source_ip

no

source.ip

Field containing the source IP address.

destination_ip

no

destination.ip

Field containing the destination IP address.

target_field

no

network.direction

Output field for the network direction.

internal_networks

yes

List of internal networks. Supports IPv4 and IPv6 addresses and ranges in CIDR notation. Also supports the named ranges listed below. These may be constructed with template snippets. Must specify only one of internal_networks or internal_networks_field.

internal_networks_field

no

A field on the given document to read the internal_networks configuration from.

ignore_missing

no

true

If true and any required fields are missing, the processor quietly exits without modifying the document.

description

no

-

Description of the processor. Useful for describing the purpose of the processor or its configuration.

if

no

-

Conditionally execute the processor. See Conditionally run a processor.

ignore_failure

no

false

Ignore failures for the processor. See Handling pipeline failures.

on_failure

no

-

Handle failures for the processor. See Handling pipeline failures.

tag

no

-

Identifier for the processor. Useful for debugging and metrics.

One of either internal_networks or internal_networks_field must be specified. If internal_networks_field is specified, it follows the behavior specified by ignore_missing.

Supported named network ranges

The named ranges supported for the internal_networks option are:

  • loopback - Matches loopback addresses in the range of 127.0.0.0/8 or ::1/128.
  • unicast or global_unicast - Matches global unicast addresses defined in RFC 1122, RFC 4632, and RFC 4291 with the exception of the IPv4 broadcast address (255.255.255.255). This includes private address ranges.
  • multicast - Matches multicast addresses.
  • interface_local_multicast - Matches IPv6 interface-local multicast addresses.
  • link_local_unicast - Matches link-local unicast addresses.
  • link_local_multicast - Matches link-local multicast addresses.
  • private - Matches private address ranges defined in RFC 1918 (IPv4) and RFC 4193 (IPv6).
  • public - Matches addresses that are not loopback, unspecified, IPv4 broadcast, link local unicast, link local multicast, interface local multicast, or private.
  • unspecified - Matches unspecified addresses (either the IPv4 address “0.0.0.0” or the IPv6 address “::”).
Examples

The following example illustrates the use of the network direction processor:

  1. POST _ingest/pipeline/_simulate
  2. {
  3. "pipeline": {
  4. "processors": [
  5. {
  6. "network_direction": {
  7. "internal_networks": ["private"]
  8. }
  9. }
  10. ]
  11. },
  12. "docs": [
  13. {
  14. "_source": {
  15. "source": {
  16. "ip": "128.232.110.120"
  17. },
  18. "destination": {
  19. "ip": "192.168.1.1"
  20. }
  21. }
  22. }
  23. ]
  24. }

Which produces the following result:

  1. {
  2. "docs": [
  3. {
  4. "doc": {
  5. ...
  6. "_type": "_doc",
  7. "_source": {
  8. "destination": {
  9. "ip": "192.168.1.1"
  10. },
  11. "source": {
  12. "ip": "128.232.110.120"
  13. },
  14. "network": {
  15. "direction": "inbound"
  16. }
  17. }
  18. }
  19. }
  20. ]
  21. }