Update flow classification rules to match either the src or dst ports

Description

The "pre-defined" classification rules we ship for flows currently match only the destination port. Any flow whose well-known port sits on the source side (for example the server-to-client half of an HTTP conversation, exported as its own flow record with src port 80) therefore stays unclassified, which leaves a large number of flows unclassified.

We should update the rule-set so that it matches either the source OR the destination port by default, i.e. a flow should be classified as HTTP if either its src port or its dst port is 80.

Acceptance / Success Criteria

None

Activity

fooker January 30, 2019 at 1:43 PM

Jesse White December 12, 2018 at 2:23 PM

I wasn't considering updating the logic behind the classification engine, only updating the rule-set to include additional rules that would effectively match either the src or dst ports. In this case, there would not need to be any change to the existing src/dst address behavior.

fooker December 9, 2018 at 5:37 PM

How do we handle src / dst addresses?

There are a couple of options I can imagine:

  • Leave it as is (which is kinda useless, as it suffers the same problems as the ports)

  • Also have just a single address and match against src and dst

  • Interpret the side with the matching port as destination and match the address accordingly (has a lot of corner cases to think about)

Feedback is welcome...

Jesse White December 8, 2018 at 5:23 PM

In my test setup I used the following script to duplicate the existing rules, copying over the dst_port column to the src_port column in a new row:

-- Copy each group-1 rule with its dst_port moved to src_port (dst_port left NULL); id and position are offset so the copies sort after the originals.
INSERT INTO classification_rules (id, name, src_port, protocol, position, groupid)
SELECT id + 100000, name, dst_port, protocol, position + 100000, groupid
FROM classification_rules
WHERE groupid = 1;
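The following is an added example, not OpenNMS code and not something posted in this thread. It models the either-port requirement from the description and the rule-duplication approach in Jesse White's SQL above, over a small set of constructed flow records. The Rule and Flow shapes, the "every port a rule sets must agree" matching, and the first-match-in-ascending-position semantics are assumptions made for this example; the port numbers and flows are constructed. It also includes a third function, classify_either_port, which implements fooker's alternative of changing the engine instead of the rule-set, so the two approaches can be compared on the ambiguous case where a well-known port appears on both sides of a flow.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    # Mirrors the classification_rules columns used by the SQL in the thread (assumed shape);
    # None plays the role of a NULL column and means "any port".
    name: str
    protocol: str
    position: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    protocol: str
    src_port: int
    dst_port: int


# Constructed stand-in for the pre-defined rule-set: dst_port only, as the issue describes.
PREDEFINED: List[Rule] = [
    Rule("HTTP", "tcp", position=1, dst_port=80),
    Rule("HTTPS", "tcp", position=2, dst_port=443),
    Rule("DNS", "udp", position=3, dst_port=53),
]

# Constructed flow records (protocol, src_port, dst_port).
SAMPLE_FLOWS: List[Flow] = [
    Flow("tcp", 54321, 80),    # client -> web server
    Flow("tcp", 80, 54321),    # web server -> client (reverse half of the same conversation)
    Flow("udp", 53, 53),       # DNS server to DNS server
    Flow("udp", 53, 40000),    # DNS reply
    Flow("tcp", 80, 443),      # well-known port on both sides: ambiguous
    Flow("tcp", 12345, 6789),  # no well-known port at all
]


def matches(rule: Rule, flow: Flow) -> bool:
    """Assumed engine semantics: protocol must agree and every port the rule sets must agree."""
    return (rule.protocol == flow.protocol
            and (rule.src_port is None or rule.src_port == flow.src_port)
            and (rule.dst_port is None or rule.dst_port == flow.dst_port))


def classify(rules: List[Rule], flow: Flow) -> Optional[str]:
    """First matching rule in ascending position order wins; None means unclassified."""
    for rule in sorted(rules, key=lambda r: r.position):
        if matches(rule, flow):
            return rule.name
    return None


def duplicate_for_src_port(rules: List[Rule], offset: int = 100000) -> List[Rule]:
    """Rule-set change only (what the INSERT ... SELECT in the thread does): for every rule
    with a dst_port, add a copy whose src_port is that port and whose dst_port is NULL,
    with position shifted by `offset` so the copies sort after the originals."""
    copies = [Rule(r.name, r.protocol, r.position + offset, src_port=r.dst_port)
              for r in rules if r.dst_port is not None]
    return list(rules) + copies


def classify_either_port(rules: List[Rule], flow: Flow) -> Optional[str]:
    """Engine change instead: a single-port rule matches if its port appears on either side.
    Rules that set both ports keep the strict semantics of matches()."""
    for rule in sorted(rules, key=lambda r: r.position):
        if rule.protocol != flow.protocol:
            continue
        if rule.src_port is not None and rule.dst_port is not None:
            if matches(rule, flow):
                return rule.name
            continue
        port = rule.dst_port if rule.dst_port is not None else rule.src_port
        if port is None or port in (flow.src_port, flow.dst_port):
            return rule.name
    return None


def unclassified_count(rules: List[Rule], flows: List[Flow]) -> int:
    return sum(1 for f in flows if classify(rules, f) is None)


def disagreements(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows on which the duplicated rule-set and the either-port engine answer differently."""
    dup = duplicate_for_src_port(rules)
    return [f for f in flows if classify(dup, f) != classify_either_port(rules, f)]


if __name__ == "__main__":
    extended = duplicate_for_src_port(PREDEFINED)
    for f in SAMPLE_FLOWS:
        print(f"{f.protocol} {f.src_port:>5} -> {f.dst_port:<5}"
              f"  dst-only={classify(PREDEFINED, f)!s:<6}"
              f"  duplicated={classify(extended, f)!s:<6}"
              f"  either-port={classify_either_port(PREDEFINED, f)}")
    print("unclassified before:", unclassified_count(PREDEFINED, SAMPLE_FLOWS),
          "after:", unclassified_count(extended, SAMPLE_FLOWS))
    print("approaches disagree on:", disagreements(PREDEFINED, SAMPLE_FLOWS))
```

On the constructed flows, duplicating the rules takes the unclassified count from 3 to 1 (only the flow with no well-known port on either side is left over). The two approaches agree everywhere except the ambiguous 80 -> 443 flow: with the duplicated rule-set the original destination-port rules still sort first, so it stays HTTPS, whereas a naive either-port engine returns the first rule in position order and labels it HTTP. That is the kind of corner case that any change to src/dst address handling would have to settle as well.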
Fixed

Details

Created December 8, 2018 at 5:14 PM
Updated February 6, 2019 at 10:46 AM
Resolved February 6, 2019 at 10:46 AM