Query about Fingerprinting plugin - What exactly does it include when source is set to one field?


(The Zeke) #1

What else is in the data variable within anonymize_openssl(data) that might be included in the hex digest that I'm not including in my PHP in order to make it generate the same fingerprint that logstash does? Does it include the field name and some delimiter or quotations or something, like data = "ip:<value>"?

I'm using the fingerprint plugin to calculate a fingerprint of an IP address. I'm using a key. All is well there. This is configured as:

...
  fingerprint {
    method => "MD5"
    key => "<redacted>"
    source => "ip"
    target => "@ipfingerprint"
  }
...

If someone wants to search for that IP address I don't want them to use the IP address itself because they could search for IP addresses that they have no business searching for. I want to be able to generate a hash to give to them that they can use to search. I'm doing this in PHP.

The problem is when I use an IP address to generate a hash with PHP's hash_hmac() function the result I get doesn't match the one produced by logstash's fingerprint plugin. I tried going through the Ruby code in logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-fingerprint-3.0.3/lib/logstash/filters/fingerprint.rb and found where it is generated. It is the 'else' section of this:

  def anonymize_openssl(data)
    # in JRuby 1.7.11 outputs as ASCII-8BIT
    if @base64encode
      hash  = OpenSSL::HMAC.digest(@digest, @key, data.to_s)
      Base64.strict_encode64(hash).force_encoding(Encoding::UTF_8)
    else
      OpenSSL::HMAC.hexdigest(@digest, @key, data.to_s).force_encoding(Encoding::UTF_8)
    end
  end

I know the key/data parameter order is reversed in the PHP hash_hmac() function. That's not what I'm dealing with here. It seems like there's other information in the data that logstash is fingerprinting that I am not fingerprinting in PHP.

I did a test to see if it was me or something else was going on. I see these are equivalent as expected:

$ ruby
require "openssl"
print OpenSSL::HMAC.hexdigest('md5', 'asdf', '123456').force_encoding(Encoding::UTF_8)
be84e0d8db02c36025bfaff677d3a6a3

$ php
<?php
print hash_hmac('md5', '123456', 'asdf');
?>
be84e0d8db02c36025bfaff677d3a6a3
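
One way to test the question in the post above, as an added example that is not part of the original post or the plugin's code: compute the HMAC over several candidate serializations of the field (and two key variants) and report which combination reproduces an observed fingerprint. The candidate list, labels, key and IP are constructed assumptions; the `|name|value|` entry assumes the form used when the plugin's `concatenate_sources` option is enabled.

```ruby
require "openssl"

# Candidate byte strings that might have been fed to the HMAC for one field.
# The set and its labels are assumptions of this example, not plugin internals.
def candidate_inputs(field, value)
  v = value.to_s
  {
    "raw value"    => v,
    "value + LF"   => "#{v}\n",
    "value + CRLF" => "#{v}\r\n",
    "quoted value" => "\"#{v}\"",
    "name:value"   => "#{field}:#{v}",
    "|name|value|" => "|#{field}|#{v}|", # assumed concatenate_sources form
  }
end

# Key variants: a key pasted from a file often carries a trailing newline.
def candidate_keys(key)
  { "key as given" => key, "key + LF" => "#{key}\n" }
end

# Returns every [data_label, key_label] pair whose HMAC equals `observed`.
def explain_fingerprint(observed, key, field, value, digest = "md5")
  want = observed.strip.downcase
  matches = []
  candidate_inputs(field, value).each do |dlabel, data|
    candidate_keys(key).each do |klabel, k|
      matches << [dlabel, klabel] if OpenSSL::HMAC.hexdigest(digest, k, data) == want
    end
  end
  matches
end

if __FILE__ == $0
  key = "constructed-demo-key" # constructed, not a real key
  ip  = "192.0.2.10"           # constructed (documentation address range)
  # Stand-in for a fingerprint copied out of an indexed event.
  observed = OpenSSL::HMAC.hexdigest("md5", key, "#{ip}\n")
  explain_fingerprint(observed, key, "ip", ip).each do |d, k|
    puts "match: data = #{d}, #{k}"
  end
end
```

An empty result means none of the listed serializations was hashed, which points at the field's value in the event (type, whitespace, array) or the key itself rather than at a delimiter.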

(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.