[checkpoint] Expand and fix IANA number handling (#13568)

- Add handling of IANA protocol number 114. - Add handling of unknown IANA numbers. When no protocol.transport is set, dashboards for this integration simply do not show the traffic for that protocol. With adding the number as a fallback, these show up now. - Fix recognition of IANA protocol number 0. IANA protocol number 0 only translates to "hopopt" if the underlying protocol is IPv6. For IPv4 the number "0" is undefined ("reserved") and according to "/etc/protocols" in most Linux distributions is recognized to denote the internet protocol v4 itself. Labeling protocol number 0 as "hopopt" in general is therefore wrong.

Author: ash-darin

packages/checkpoint/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.40.0"
+ changes:
+ - description: Expand and fix iana number handling. Handle "iana_numer"/"port" 4294967295
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/13568
 - version: "1.39.0"
  changes:
  - description: Support stack version 9.0.

packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log

@@ -33,3 +33,5 @@
 <134>1 2025-01-21T09:36:10Z TEST_HOSTNAME CheckPoint 16953 - [action:"Prevent"; flags:"313600"; ifdir:"outbound"; ifname:"eth3-01"; loguid:"{0xae027eed,0xef89f5a0,0x5b806530,0x8b665bef}"; origin:"192.168.1.102"; originsicname:"CN=TESTWA022B001,O=TESTWM002001..t2z5yx"; sequencenum:"2"; time:"1737452170"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={C09DCBFA-7A2D-3C4C-AED3-92799BF04FA4};mgmt=TEST_HOSTNAME;date=1737129819;policy_name=TEST_Policy]"; dst:"192.168.5.152"; http_host:"192.168.32.48"; log_id:"2"; malware_rule_id:"{313A7B1F-5FB8-4608-B0F8-05A2311B6FFF}"; method:"GET"; policy:"TEST_Policy"; policy_time:"1737409154"; product:"SmartDefense"; proto:"6"; proxy_src_ip:"192.168.211.208"; reject_id_kid:"678f6a8a-30000-48715ce7-e71d8eea"; resource:"http://192.168.32.48/manager/html"; rule_name:"ITP-1402-3"; rule_uid:"e497b418-91b9-4514-b784-4809e3d5dbc2"; s_port:"35428"; ser_agent_kid:"Other: Mozilla/5.0 zgrab/0.x"; service:"80"; session_id:"{0x678f6a8a,0x30001,0x48715ce7,0xe71d8eea}"; smartdefense_profile:"Optimized"; src:"192.168.211.208"; layer_uuid:"{31A46FFD-A526-4318-BA17-49CBCDC38A14}"; malware_rule_id:"{313A7B1F-5FB8-4608-B0F8-05A2311B6FFF}"; smartdefense_profile:"Optimized"]
 <134>1 2025-01-21T09:37:10Z TEST_HOSTNAME CheckPoint 16953 - [flags:"278528"; ifdir:"inbound"; loguid:"{0xae027eed,0xef89f5a0,0x5b806530,0x8b665bef}"; origin:"192.168.1.102"; originsicname:"CN=TESTWA022B001,O=TESTWM002001..t2z5yx"; sequencenum:"2"; time:"1737452230"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={C09DCBFA-7A2D-3C4C-AED3-92799BF04FA4};mgmt=TEST_HOSTNAME;date=1737129819;policy_name=TEST_Policy]"; log_id:"2"; product:"SmartDefense"; received_bytes:"60"; sent_bytes:"0"; suppressed_logs:"1"]
 <134>1 2025-02-18T10:01:41Z TEST_HOSTNAME CheckPoint 10038 - [action:"Log In"; flags:"18688"; ifdir:"inbound"; loguid:"{0xae027eed,0xef89f5a0,0x5b806530,0x8b665bef}"; origin:"192.168.1.102"; originsicname:"CN=TESTWA022B001,O=TESTWM002001..t2z5yx"; sequencenum:"270"; time:"1739872901"; version:"5"; auth_method:"Password"; auth_method2:"DynamicID"; client_build:"986102607"; client_name:"Test Client"; client_version:"E123.123"; cvpn_category:"Session"; device_identification:"{313A7B1F-5FB8-4608-B0F8-05A2311B6FFF}"; domain_name:"EXAMPLE.LOCAL"; event_type:"Login"; failed_login_factor_num:"0"; host_ip:"10.1.1.1"; host_type:"PC"; hostname:"TEST_HOSTNAME"; lastupdatetime:"1739872901"; login_option:"two-way"; login_timestamp:"1739872901"; mac_address:"ab:cd:ef:01:23:45"; more:"authenticated_machine= (CN=TESTHOST1,OU=Test 2.0,OU=Testcomputers,DC=TEST,DC=LOCAL)"; office_mode_ip:"192.168.1.1"; os_bits:"64bit"; os_build:"19045"; os_edition:"Enterprise"; os_name:"Windows"; os_version:"10"; product:"Test Product"; proto:"6"; proxy_src_ip:"0.0.0.0"; s_port:"0"; service:"443"; session_timeout:"43174"; session_uid:"{31A46FFD-A526-4318-BA17-49CBCDC38A14}"; src:"192.168.211.208"; status:"Success"; suppressed_logs:"0"; tunnel_protocol:"IPSec"; user:" Test User "; user_dn:"CN=Test User,OU=Users,DC=test,DC=local"; user_group:"Users"]
+<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Reject"; flags:"44676"; ifdir:"inbound"; ifname:"daemon"; loguid:"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.0.1"; originsicname:"CN=cp_mgmt,O=gw-da58d3..tmn8s8"; sequencenum:"22"; time:"1746521905"; version:"5"; dst:"0.0.0.0"; encryption_failure::"no response from peer."; fw_subproduct:"VPN-1"; peer_gateway:"192.168.10.1"; proto:"0"; reject_category:"IKE failure"; rule:"0"; s_port:"0"; scheme::"IKE"; service:"0"; src:"0.0.0.0"; vpn_feature_name:"IKE"]
+<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:"Detect"; flags:"44676"; ifdir:"inbound"; ifname:"eth0"; loguid:"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}"; origin:"192.168.0.1"; originsicname:"CN=cp_mgmt,O=gw-da58d3..tmn8s8"; sequencenum:"22"; time:"1746491278"; version:"5"; __policy_id_tag:"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1746456871;policy_name=Standard\]"; attack:"Port Scan"; attack_info:"Host Port Scan"; confidence_level:"5"; dst:"192.168.10.1"; performance_impact:"2"; product:"SmartDefense"; protection_id:"HostPortScan"; protection_name:"Host Port Scan"; protection_type:"anomaly"; proto:"4294967295"; s_port:"0"; service:"4294967295"; severity:"1"; smartdefense_profile:"Standard"; source:"Distinct"; src:"192.168.12.1"]

packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint.log-expected.json

@@ -2335,6 +2335,125 @@
  "user": {
  "name": "test user"
  }
+ },
+ {
+ "@timestamp": "2025-05-06T08:58:25.000Z",
+ "checkpoint": {
+ "encryption_failure": "no response from peer.",
+ "fw_subproduct": "VPN-1",
+ "origin_sic_name": "CN=cp_mgmt,O=gw-da58d3..tmn8s8",
+ "peer_gateway": "192.168.10.1",
+ "reject_category": "IKE failure",
+ "rule": "0",
+ "scheme": "IKE",
+ "vpn_feature_name": "IKE"
+ },
+ "destination": {
+ "ip": "0.0.0.0",
+ "port": 0
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "Reject",
+ "category": [
+ "network"
+ ],
+ "id": "{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}",
+ "kind": "event",
+ "original": "<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:\"Reject\"; flags:\"44676\"; ifdir:\"inbound\"; ifname:\"daemon\"; loguid:\"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.0.1\"; originsicname:\"CN=cp_mgmt,O=gw-da58d3..tmn8s8\"; sequencenum:\"22\"; time:\"1746521905\"; version:\"5\"; dst:\"0.0.0.0\"; encryption_failure::\"no response from peer.\"; fw_subproduct:\"VPN-1\"; peer_gateway:\"192.168.10.1\"; proto:\"0\"; reject_category:\"IKE failure\"; rule:\"0\"; s_port:\"0\"; scheme::\"IKE\"; service:\"0\"; src:\"0.0.0.0\"; vpn_feature_name:\"IKE\"]",
+ "sequence": 22,
+ "timezone": "UTC"
+ },
+ "network": {
+ "direction": "inbound",
+ "iana_number": "0",
+ "transport": "0"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "daemon"
+ }
+ },
+ "name": "192.168.0.1",
+ "type": "firewall",
+ "vendor": "Checkpoint"
+ },
+ "related": {
+ "ip": [
+ "0.0.0.0"
+ ]
+ },
+ "source": {
+ "ip": "0.0.0.0",
+ "port": 0
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2025-05-06T00:27:58.000Z",
+ "checkpoint": {
+ "attack": "Port Scan",
+ "attack_info": "Host Port Scan",
+ "confidence_level": "5",
+ "origin_sic_name": "CN=cp_mgmt,O=gw-da58d3..tmn8s8",
+ "performance_impact": "2",
+ "protection_id": "HostPortScan",
+ "protection_name": "Host Port Scan",
+ "protection_type": "anomaly",
+ "smartdefense_profile": "Standard",
+ "source": "Distinct"
+ },
+ "destination": {
+ "ip": "192.168.10.1"
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "Detect",
+ "category": [
+ "network"
+ ],
+ "id": "{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}",
+ "kind": "event",
+ "original": "<134>1 2020-03-30T07:20:35Z gw-da58d3 CheckPoint 8363 - [action:\"Detect\"; flags:\"44676\"; ifdir:\"inbound\"; ifname:\"eth0\"; loguid:\"{0x5e8148f5,0x0,0x6401a8c0,0x108620ab}\"; origin:\"192.168.0.1\"; originsicname:\"CN=cp_mgmt,O=gw-da58d3..tmn8s8\"; sequencenum:\"22\"; time:\"1746491278\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 & FireWall-1[db_tag={880771B0-FD92-2C4F-82FC-B96FC3DE5A07};mgmt=gw-da58d3;date=1746456871;policy_name=Standard\\]\"; attack:\"Port Scan\"; attack_info:\"Host Port Scan\"; confidence_level:\"5\"; dst:\"192.168.10.1\"; performance_impact:\"2\"; product:\"SmartDefense\"; protection_id:\"HostPortScan\"; protection_name:\"Host Port Scan\"; protection_type:\"anomaly\"; proto:\"4294967295\"; s_port:\"0\"; service:\"4294967295\"; severity:\"1\"; smartdefense_profile:\"Standard\"; source:\"Distinct\"; src:\"192.168.12.1\"]",
+ "sequence": 22,
+ "severity": 1,
+ "timezone": "UTC"
+ },
+ "network": {
+ "direction": "inbound",
+ "iana_number": "4294967295"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "eth0"
+ }
+ },
+ "name": "192.168.0.1",
+ "product": "SmartDefense",
+ "type": "firewall",
+ "vendor": "Checkpoint"
+ },
+ "related": {
+ "ip": [
+ "192.168.12.1",
+ "192.168.10.1"
+ ]
+ },
+ "source": {
+ "ip": "192.168.12.1",
+ "port": 0
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
  }
  ]
 }

packages/checkpoint/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml

@@ -285,6 +285,7 @@ processors:
  type: long
  ignore_failure: true
  ignore_missing: true
+ if: "ctx.checkpoint?.service != '4294967295'"
  - convert:
  field: checkpoint.xlatedport
  target_field: destination.nat.port
@@ -799,7 +800,7 @@ processors:
  if: ctx?.network?.iana_number != null
  source: |
  def iana_number = ctx.network.iana_number;
- if (iana_number == '0') {
+ if (iana_number == '0' && ctx.source?.ip?.contains(':')) {
  ctx.network.transport = 'hopopt';
  } else if (iana_number == '1') {
  ctx.network.transport = 'icmp';
@@ -819,8 +820,14 @@ processors:
  ctx.network.transport = 'ipv6-icmp';
  } else if (iana_number == '112') {
  ctx.network.transport = 'vrrp';
+ } else if (iana_number == '114') {
+ ctx.network.transport = '0-hop';
  } else if (iana_number == '132') {
  ctx.network.transport = 'sctp';
+ } else if (iana_number == '4294967295') {
+ iana_number = null;
+ } else {
+ ctx.network.transport = iana_number;
  }
  - date:
  field: checkpoint.subs_exp

packages/checkpoint/data_stream/firewall/fields/fields.yml

@@ -1509,6 +1509,10 @@
  type: keyword
  description: |
  The Check Point session ID.
+ - name: source
+ type: keyword
+ description: |
+ Provides additional context for the source of the event.
  - name: source_object
  type: keyword
  description: |

packages/checkpoint/docs/README.md

@@ -547,6 +547,7 @@ An example event for `firewall` looks as following:
 | checkpoint.site_name | Site name. | keyword |
 | checkpoint.smartdefense_profile | | keyword |
 | checkpoint.snid | The Check Point session ID. | keyword |
+| checkpoint.source | Provides additional context for the source of the event. | keyword |
 | checkpoint.source_interface | External Interface name for source interface or Null if not found. | keyword |
 | checkpoint.source_object | Matched object name on source column. | keyword |
 | checkpoint.source_os | OS which generated the attack. | keyword |

packages/checkpoint/manifest.yml

@@ -1,6 +1,6 @@
 name: checkpoint
 title: Check Point
-version: "1.39.0"
+version: "1.40.0"
 description: Collect logs from Check Point with Elastic Agent.
 type: integration
 format_version: "3.0.3"