Sort an array of sources before calculating hash?

Question

Sort an array of sources before calculating hash?

Closed this issue 4 years ago · 1 comments

Is it possible to patch this filter so that I can sort the sources before hash is calculated?

I have netflow data and I'd like to identify top talkers.
In my events, I have bidirectional flows.

Version:
5.1
Operating System:
ubuntu 16.04
Config File (if you have sensitive info, please remove it):

        fingerprint {
                concatenate_sources => true
                method => "SHA1"
                source => [ "[flow][Talkers]" ]
                # Talkers = "[flow][Source IP]", "[flow][Destination IP]"
                target => "fingerprint"
                }

Sample Data:

    "Talkers": [ "172.16.179.5", "172.16.179.4" ],
    "fingerprint": "c3374bad1abbb41b6c7c8512aa80ab781a738ca4",

    "Talkers": [ "172.16.179.4", "172.16.179.5" ],
    "fingerprint": "61a5ca2a59b0542e81be8e452badaa568ee7fc28",

If there was an option to sort the source before the hash is calculated, I would get what I want, the same fingerprint.

Answer 1 · 2020-06-18T11:19:02.000Z

There are probably other filters that can sort a list before using the fingerprint filter. Closing issue.