Enabling Community ID on OPNsense
As of version 1.16, Zenarmor supports Community ID, an open standard that assigns a hashed identifier to a specific traffic flow. You can filter Live Sessions and Reports by a specific Community ID.
The Community ID flow hashing specification was created to make it easier to correlate events produced by different tools, such as Suricata, Zeek (formerly Bro), Arkime, Wireshark, ntopng, Elasticsearch and others. It does this by standardizing how a shared string identifier is derived from a given network flow.
What is Community ID?
The Community ID is a hash value derived from the characteristics of a network connection. Its purpose is to let monitoring systems that implement the same hash correlate their views of one connection: every event any of them records for a flow carries the same identifier, so all events belonging to a single flow can be gathered with one lookup.
To construct a Community ID, the source and destination IP addresses and ports, the IP protocol number and a configurable seed (0 by default) are packed into a fixed layout and hashed with SHA-1; the digest is Base64-encoded and prefixed with the format version, giving a string of the form "1:...". The two endpoints are first sorted into a canonical order, so both directions of a connection produce the same ID. When Zenarmor detects malicious activity, for example, the alert details carry the Community ID of the flow concerned, and because the hash is deterministic the same string appears in any other tool that implements the standard.
When working with flow data from several monitoring tools (Zeek and Suricata, say), it is often useful to pivot quickly between their datasets. Although each dataset usually contains the flow tuple, performing these "joins" by hand is tedious, particularly in corner cases such as a flow that two sensors logged in opposite directions. The Community ID standard reduces the pivot to a string comparison by standardizing how a string identifier is derived from a flow. Suppose you want to query your logs for all TCP traffic between port 2345 of 2607:f8b0:400c:c03::1a and port 443 of 2001:470:e5bf:dead:4956:2174:e82c:4887. Extracting and correctly matching that tuple across several log formats is considerably harder than tagging the records with Community IDs and searching for the resulting tag, which is "1:RXd76pOsi7yyeZ2PEv0Udb8vEXs=".
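The following is an added example, not code from this page or from Zenarmor, showing how a version-1 Community ID is built and how it turns the cross-tool join described above into a string comparison. It assumes the default seed of 0, handles only TCP, UDP and SCTP (the specification's rules for ICMP and for protocols without ports are not implemented here), and uses record field names (`saddr`, `sport`, `note`, `msg`, and so on) that are this example's own convention rather than any tool's log schema. The sample records are constructed; the first alert uses the flow tuple quoted above, so running the block lets you compare its output with the tag given there.

```python
"""Community ID v1 flow hashing, written as a stand-alone illustration.

Assumptions: seed 0 (the specification's default), only TCP/UDP/SCTP
flows, and a record layout that is this example's own.
"""
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers for the port-carrying protocols handled here.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(saddr, daddr, proto, sport, dport, seed=0):
    """Return the version-1 Community ID for one flow tuple.

    The two endpoints are put into a canonical order (lower address first,
    lower port breaking ties) so that both directions of a connection hash
    to the same string. The hash input is
      seed (2 bytes) | saddr | daddr | proto (1 byte) | 0x00 pad | sport | dport
    and the result is "1:" + Base64(SHA-1(input)).
    """
    if proto not in PROTO_NUMBERS.values():
        raise ValueError("only TCP/UDP/SCTP are handled in this example; "
                         "see the spec for ICMP and port-less protocols")
    src = ipaddress.ip_address(saddr).packed
    dst = ipaddress.ip_address(daddr).packed
    if len(src) != len(dst):
        raise ValueError("both addresses must be IPv4 or both IPv6")
    if (src, sport) > (dst, dport):          # normalise the direction
        src, dst, sport, dport = dst, src, dport, sport
    data = (struct.pack("!H", seed) + src + dst
            + struct.pack("!BBHH", proto, 0, sport, dport))
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def tag(record):
    """Attach a Community ID to a flow record (keys are this example's own)."""
    tagged = dict(record)
    tagged["community_id"] = community_id_v1(
        record["saddr"], record["daddr"], PROTO_NUMBERS[record["proto"]],
        record["sport"], record["dport"])
    return tagged


def pivot(alerts, conns):
    """Join alert records to connection records by Community ID.

    Because the ID is direction-independent, a connection logged by a second
    sensor with source and destination swapped still joins. The join itself
    is a plain string comparison, no tuple normalisation at query time.
    """
    by_id = {}
    for conn in map(tag, conns):
        by_id.setdefault(conn["community_id"], []).append(conn)
    return [(alert, by_id.get(alert["community_id"], []))
            for alert in map(tag, alerts)]


# Constructed sample data (not output of Zenarmor, Zeek or any other tool).
# The alert uses the flow tuple quoted on this page.
SAMPLE_ALERTS = [
    {"saddr": "2607:f8b0:400c:c03::1a", "sport": 2345,
     "daddr": "2001:470:e5bf:dead:4956:2174:e82c:4887", "dport": 443,
     "proto": "tcp", "msg": "example alert"},
]
SAMPLE_CONNS = [
    # the same flow, recorded in the opposite direction by another sensor
    {"saddr": "2001:470:e5bf:dead:4956:2174:e82c:4887", "sport": 443,
     "daddr": "2607:f8b0:400c:c03::1a", "dport": 2345,
     "proto": "tcp", "note": "seen-reversed"},
    # an unrelated flow: same endpoints, different client port
    {"saddr": "2607:f8b0:400c:c03::1a", "sport": 2346,
     "daddr": "2001:470:e5bf:dead:4956:2174:e82c:4887", "dport": 443,
     "proto": "tcp", "note": "other-flow"},
]

if __name__ == "__main__":
    for alert, matches in pivot(SAMPLE_ALERTS, SAMPLE_CONNS):
        print(alert["community_id"], alert["msg"])
        for conn in matches:
            print("  matched:", conn["note"])
```

The canonical ordering step is what makes the join work when two sensors see the same connection from different vantage points; a hash over the raw five-tuple would give each direction its own ID. Keep the seed identical on every tool whose logs you intend to correlate, since a different seed yields a different ID for the same flow.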
Enable Community ID flow hashing
To enable Community ID on your Zenarmor NGFW, follow the steps below:
- Click Zenarmor in the OPNsense UI.
- Click the Settings menu in the left-hand sidebar.
- Click the Community ID item under the Reporting & Data menu.
- Click the Enable Community ID flow hashing toggle to activate Community ID.
Enabling this option makes Zenarmor generate a connection identifier for each flow in accordance with the Community ID specification.
Figure 1. Enabling Community ID flow hashing
Video on Zenarmor Community ID Capabilities
Here is a video about the Zenarmor Community ID capabilities: