
Enabling Community ID on OPNsense


As of version 1.16, Zenarmor supports Community ID, which is an open standard providing a hashed value for a specific traffic flow. You may apply a filter according to a specific community ID to Live Sessions and Reports.

The Community Flow ID specification was created to make it easier to connect events produced by different security tools such as Suricata, Elasticsearch, Bro/Zeek, Arkime, Wireshark, ntopng, and others. It does this by standardizing the generation of a shared string identifier that corresponds to a specific network flow.

What is Community ID?

The Community ID is a cryptographic hash whose inputs are taken from the attributes of the network connection. The primary purpose of this hash is to enable the correlation of connections across the various monitoring systems that support it: using the flow hash, all network events associated with a single flow can be tied together.

A Community ID is generated by feeding the protocol, the source and destination IP addresses and ports, and a predetermined seed value through a cryptographic hash function. For instance, when Zenarmor identifies malicious activity, the details of the alert contain the distinct Community ID hash value for that flow. The resulting hash is deterministic and can be compared across different software implementations.

It is often advantageous to pivot rapidly between datasets when processing flow data from various monitoring applications (e.g., Zeek and Suricata). Although the necessary flow tuple information is typically included in the datasets, the details of these "joins" can be laborious, especially in edge cases. The Community ID flow hashing standard reduces the pivot to a string comparison by standardizing the generation of a string identifier that corresponds to a specific network flow. Suppose, for instance, you wish to query your logs for all TCP traffic between port 2345 of 2607:f8b0:400c:c03::1a and port 443 of 2001:470:e5bf:dead:4956:2174:e82c:4887. Deriving and accurately matching this flow tuple across various log formats is significantly harder than assigning Community IDs to log records and simply searching for the resulting tag, which is "1:RXd76pOsi7yyeZ2PEv0Udb8vEXs=".
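The following is an added example, not code from the original page or from Zenarmor, showing how the Community ID v1 hash described above is built and why it makes the pivot a string comparison. It follows the public Community ID v1 specification: the two-byte seed (default 0, assumed here), the canonically ordered source and destination addresses, the protocol number, one zero padding byte, and, for TCP, UDP and SCTP, the two ports, all hashed with SHA-1 and base64-encoded behind a "1:" prefix. The spec's ICMP type/code-to-port mapping is left out, the log records are constructed, and the `correlate` helper is an illustration rather than any tool's API. The IPv6 flow quoted in the text is used as one input so its output can be compared with the tag the page quotes.

```python
import base64
import hashlib
import ipaddress
import struct
from collections import defaultdict

# IP protocol numbers whose flow tuple includes 16-bit port numbers.
PORT_PROTOCOLS = {6: "tcp", 17: "udp", 132: "sctp"}


def community_id_v1(proto, saddr, daddr, sport=None, dport=None, seed=0):
    """Return the Community ID v1 string for one flow.

    Bytes hashed with SHA-1 (Community ID v1 layout):
      seed (2 bytes BE) | saddr | daddr | proto (1 byte) | 0x00 pad
      | sport (2 bytes BE) | dport (2 bytes BE)    (ports only for TCP/UDP/SCTP)
    Endpoints are put in canonical order first, so both directions of a
    bidirectional flow hash to the same value.
    """
    src = ipaddress.ip_address(saddr)
    dst = ipaddress.ip_address(daddr)
    if src.version != dst.version:
        raise ValueError("source and destination must be the same IP version")
    src_b, dst_b = src.packed, dst.packed  # network byte order

    has_ports = proto in PORT_PROTOCOLS
    if has_ports and (sport is None or dport is None):
        raise ValueError(f"{PORT_PROTOCOLS[proto]} flows need both ports")

    # Canonical ordering: lower address first; ports break ties.
    if has_ports:
        in_order = src_b < dst_b or (src_b == dst_b and sport < dport)
    else:
        in_order = src_b <= dst_b
    if not in_order:
        src_b, dst_b = dst_b, src_b
        sport, dport = dport, sport

    data = struct.pack("!H", seed) + src_b + dst_b + struct.pack("!BB", proto, 0)
    if has_ports:
        data += struct.pack("!HH", sport, dport)
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def tag_record(record, seed=0):
    """Attach a Community ID to a (constructed, tool-neutral) log record."""
    cid = community_id_v1(record["proto"], record["src"], record["dst"],
                          record.get("sport"), record.get("dport"), seed)
    return {**record, "community_id": cid}


def correlate(records, seed=0):
    """Group records from different tools by Community ID: the pivot is a
    plain string comparison instead of a tuple join per log format."""
    groups = defaultdict(list)
    for rec in records:
        groups[tag_record(rec, seed)["community_id"]].append(rec["tool"])
    return dict(groups)


# Constructed sample records: two tools logging the same TCP connection,
# one of them from the responder's point of view, plus an unrelated DNS flow.
SAMPLE_RECORDS = [
    {"tool": "zenarmor", "proto": 6, "src": "192.0.2.10", "dst": "198.51.100.5",
     "sport": 52000, "dport": 443},
    {"tool": "suricata", "proto": 6, "src": "198.51.100.5", "dst": "192.0.2.10",
     "sport": 443, "dport": 52000},
    {"tool": "zeek", "proto": 17, "src": "192.0.2.10", "dst": "192.0.2.1",
     "sport": 40000, "dport": 53},
]


def page_example():
    """The flow quoted in the text: TCP between port 2345 of 2607:f8b0:400c:c03::1a
    and port 443 of 2001:470:e5bf:dead:4956:2174:e82c:4887, default seed 0."""
    return community_id_v1(6, "2607:f8b0:400c:c03::1a",
                           "2001:470:e5bf:dead:4956:2174:e82c:4887", 2345, 443)


if __name__ == "__main__":
    print("page example:", page_example())
    for cid, tools in correlate(SAMPLE_RECORDS).items():
        print(cid, "seen by", tools)
```

Two points worth checking when you wire this into a pipeline: every tool must use the same seed, or identical flows get different IDs, and the canonical ordering is what makes the Zenarmor and Suricata records above land under one key even though they log opposite directions.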

Enable Community ID flow hashing

To enable Community ID via Zenconsole, you may follow the steps given below:

  1. Select the firewall on which you want to enable Community ID in your Zenconsole UI.
  2. Click the Settings menu on the left-hand sidebar.
  3. Click the Community ID item under the Reporting & Data menu.
  4. Click the Enable Community ID flow hashing toggle to activate Community ID.

Enabling this option turns on generation of a connection identifier in accordance with the Community ID specification.

Figure 1. Enabling Community ID flow hashing

Video on Zenarmor Community ID Capabilities

Here is a video about the Zenarmor Community ID capabilities.