From 146c12b10cf0afab8820baab30afa144d6755e68 Mon Sep 17 00:00:00 2001 From: Mark Bonsack Date: Thu, 20 Feb 2020 17:05:00 -0800 Subject: [PATCH] Fix time generation in tests * Perform all time operations from within each test; issue surfaced when tests were run in parallel --- tests/test_cisco_acs.py | 58 +++++++++++++++++------------------ tests/test_fortinet_ngfw.py | 60 +++++++++++++++++++++---------------- tests/test_fortinet_web.py | 60 ++++++++++++++++++++----------------- 3 files changed, 94 insertions(+), 84 deletions(-) diff --git a/tests/test_cisco_acs.py b/tests/test_cisco_acs.py index 7c5e3d0..f83e4ea 100644 --- a/tests/test_cisco_acs.py +++ b/tests/test_cisco_acs.py @@ -18,40 +18,42 @@ def insert_char(string, char, integer): return string[0:integer] + char + string[integer:] -# Generate current datetime structure -dt = datetime.datetime.now() +def time_operations(dt): + # Generate an ISO 8601 (RFC 5424) compliant timestamp with local timezone offset (2020-02-12T12:46:39.323-08:00) + # See https://stackoverflow.com/questions/2150739/iso-time-iso-8601-in-python + iso = dt.astimezone().isoformat(sep='T', timespec='milliseconds') + # Generate an BSD-style (RFC 3164) compliant timestamp with no timezone (Oct 25 13:08:00) + bsd = dt.strftime("%b %d %H:%M:%S") -# Generate an ISO 8601 (RFC 5424) compliant timestamp with local timezone offset (2020-02-12T12:46:39.323-08:00) -# See https://stackoverflow.com/questions/2150739/iso-time-iso-8601-in-python -iso = dt.astimezone().isoformat(sep='T', timespec='milliseconds') + # Other variants of timestamps needed for this log sample + time = dt.strftime("%H:%M:%S.%f")[:-3] + date = dt.strftime("%Y-%m-%d") + # Insert colon in tzoffset string; normally just 'tzoffset = dt.astimezone().strftime("%z")' + # Could use helper function above; e.g. 'tzoffset = insert_char(dt.astimezone().strftime("%z"), ":", 3)' + tzoffset = dt.astimezone().strftime("%z")[0:3] + ":" + dt.astimezone().strftime("%z")[3:] -# Generate an BSD-style (RFC 3164) compliant timestamp with no timezone (Oct 25 13:08:00) -bsd = dt.strftime("%b %d %H:%M:%S") + # Derive epoch timestamp for use in search string + # NOTE: There are caveats with 'strftime("%s")', see references below -# Other variants of timestamps needed for this log sample -time = dt.strftime("%H:%M:%S.%f")[:-3] -date = dt.strftime("%Y-%m-%d") -# Insert colon in tzoffset string; normally just 'tzoffset = dt.astimezone().strftime("%z")' -# Could use helper function above; e.g. 'tzoffset = insert_char(dt.astimezone().strftime("%z"), ":", 3)' -tzoffset = dt.astimezone().strftime("%z")[0:3] + ":" + dt.astimezone().strftime("%z")[3:] + # See https://stackoverflow.com/questions/11743019/convert-python-datetime-to-epoch-with-strftime + # See https://docs.python.org/3/library/datetime.html#datetime-objects + # Basically: Don't use 'utcnow()' -# Derive epoch timestamp for use in search string -# NOTE: There are caveats with 'strftime("%s")', see references below + # Strict way to get epoch as a string (rather than float) avoiding naive objects + # epoch = dt.fromtimestamp(dt.timestamp()).strftime('%s') -# See https://stackoverflow.com/questions/11743019/convert-python-datetime-to-epoch-with-strftime -# See https://docs.python.org/3/library/datetime.html#datetime-objects -# Basically: Don't use 'utcnow()' + # Since datetime.now().astimezone() is aware, strftime() should be safe and form below OK + # Trim last 3 digits of microsecond resolution to obtain milliseconds + epoch = dt.astimezone().strftime("%s.%f")[:-3] -# Strict way to get epoch as a string (rather than float) avoiding naive objects -# epoch = dt.fromtimestamp(dt.timestamp()).strftime('%s') - -# Since datetime.now().astimezone() is aware, strftime() should be safe and form below OK -# Trim last 3 digits of microsecond resolution to obtain milliseconds -epoch = dt.astimezone().strftime("%s.%f")[:-3] + return iso, bsd, time, date, tzoffset, epoch def test_cisco_acs_single(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, epoch = time_operations(dt) + mt = env.from_string( "{{ mark }} {{ bsd }} {{ host }} CSCOacs_Passed_Authentications 0765855540 1 0 {{ date }} {{ time }} {{ tzoffset }} 0178632943 5202 NOTICE Device-Administration: Command Authorization succeeded, ACSVersion=acs-5.8.1.4-B.462.x86_64, ConfigVersionId=16489, Device IP Address=10.0.0.93, DestinationIPAddress=10.0.0.10, DestinationPort=49, UserName=nsdevman, CmdSet=[ CmdAV=show CmdArgAV=vpn-sessiondb CmdArgAV=full CmdArgAV=ra-ikev2-ipsec ], Protocol=Tacacs, MatchedCommandSet=fw3, RequestLatency=11, Type=Authorization, Privilege-Level=15, Authen-Type=ASCII, Service=None, User=nsdevman, Port=443, Remote-Address=10.0.0.15, Authen-Method=TacacsPlus, Service-Argument=shell, AcsSessionID=mnsvdcfpiuac03/359448835/9871764, AuthenticationIdentityStore=AD1, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, SelectedCommandSet=fw3, IdentityGroup=IdentityGroup:All Groups:SystemID, Step=13005 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15004 , Step=15013 , Step=24210 , Step=24212 , Step=24432 , Step=24325 , Step=24313 , Step=24319 , Step=24323 , Step=24420 , Step=24355 , Step=24416 , Step=22037 , Step=15044 , Step=15035 , Step=15042 , Step=15036 , Step=15004 , Step=15018 , Step=13024 , Step=13034 , SelectedAuthenticationIdentityStores=Internal Users, NetworkDeviceName=devicenamehere, NetworkDeviceGroups=Device Type:All Device Types:Firewall:Cisco Systems:Firewall:ASA5545, NetworkDeviceGroups=Location:All Locations:MN, ServiceSelectionMatchedRule=TACACS, IdentityPolicyMatchedRule=Firewall, AuthorizationPolicyMatchedRule=nsdevman, AD-User-Candidate-Identities=nsdevman@ent.example.corp, AD-User-DNS-Domain=ent.example.corp, AD-User-NetBios-Name=AD-ENT, AD-User-Resolved-Identities=nsdevman@ent.example.corp, AD-User-Join-Point=ENT.example.CORP, AD-User-Resolved-DNs=CN=nsdevman\,OU=Service Accounts\,OU=CAO\,OU=ENT\,DC=ent\,DC=wfb\,DC=example\,DC=corp, StepData=10=nsdevman, StepData=11=ent.example.corp, StepData=12=example.corp, StepData=15=ent.example.corp, AD-Domain=ent.example.corp, IdentityAccessRestricted=false, UserIdentityGroup=IdentityGroup:All Groups:SystemID, Cisco-Firewall=Superuser, Firewall=Superuser, NetSec-CSM=User, NetSec-Logging=Engineer, Response={Type=Authorization; Author-Reply-Status=PassAdd; ExternalIdentityStoreName=AD1; }\n") message = mt.render(mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) @@ -72,12 +74,8 @@ def test_cisco_acs_single(record_property, setup_wordlist, setup_splunk, setup_s def test_cisco_acs_multi(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) -# Generate an ISO 8601 compliant timestamp with local timezone offset (2020-02-12 12:46:39.323-08:00) - dt = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).astimezone().isoformat(sep=' ', timespec='milliseconds') - -# Function to insert a space between the time and TZ offset (2020-02-12 12:46:39.323 -08:00) - def insert_space(string, integer): - return string[0:integer] + ' ' + string[integer:] + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, epoch = time_operations(dt) mt = env.from_string( "{{ mark }} {{ bsd }} {{ host }} CSCOacs_Passed_Authentications 0000000002 2 0 {{ date }} {{ time }} {{ tzoffset }} 0000008450 5203 NOTICE Device-Administration: Session Authorization succeeded, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=117, Device IP Address=192.168.26.137, UserName=edward, CmdSet=[ CmdAV= ], Protocol=Tacacs, RequestLatency=10, NetworkDeviceName=switch, Type=Authorization, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=edward, Port=tty2, Remote-Address=10.78.167.190, Authen-Method=TacacsPlus, Service-Argument=shell, AcsSessionID=ACS41/101085887/112, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=Lookup, SelectedAccessService=Default Device Admin, SelectedShellProfile=Permit Access, IdentityGroup=IdentityGroup:All Groups, Step=13005 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=24210 , Step=24212 , Step=22037 , Step=15044 , Step=15035 , Step=15042 , Step=15036 , Step=15004 , Step=15017 , Step=13034 ,\n") diff --git a/tests/test_fortinet_ngfw.py b/tests/test_fortinet_ngfw.py index 95a8d39..6d63bc7 100644 --- a/tests/test_fortinet_ngfw.py +++ b/tests/test_fortinet_ngfw.py @@ -23,42 +23,44 @@ def insert_char(string, char, integer): def removeZero(tz): return re.sub(r'\b0+(\d)(?=:)', r'\1', tz) -# Generate current datetime structure -dt = datetime.datetime.now() +def time_operations(dt): + # Generate an ISO 8601 (RFC 5424) compliant timestamp with local timezone offset (2020-02-12T12:46:39.323-08:00) + # See https://stackoverflow.com/questions/2150739/iso-time-iso-8601-in-python + iso = dt.astimezone().isoformat(sep='T', timespec='milliseconds') + # Generate an BSD-style (RFC 3164) compliant timestamp with no timezone (Oct 25 13:08:00) + bsd = dt.strftime("%b %d %H:%M:%S") -# Generate an ISO 8601 (RFC 5424) compliant timestamp with local timezone offset (2020-02-12T12:46:39.323-08:00) -# See https://stackoverflow.com/questions/2150739/iso-time-iso-8601-in-python -iso = dt.astimezone().isoformat(sep='T', timespec='milliseconds') -# Generate an BSD-style (RFC 3164) compliant timestamp with no timezone (Oct 25 13:08:00) -bsd = dt.strftime("%b %d %H:%M:%S") + # Other variants of timestamps needed for this log sample + time = dt.strftime("%H:%M:%S") + date = dt.strftime("%Y-%m-%d") + # Insert colon in tzoffset string; normally just 'tzoffset = dt.astimezone().strftime("%z")' + # Could use helper function above; e.g. 'tzoffset = insert_char(dt.astimezone().strftime("%z"), ":", 3)' + tzoffset = dt.astimezone().strftime("%z") -# Other variants of timestamps needed for this log sample -time = dt.strftime("%H:%M:%S") -date = dt.strftime("%Y-%m-%d") -# Insert colon in tzoffset string; normally just 'tzoffset = dt.astimezone().strftime("%z")' -# Could use helper function above; e.g. 'tzoffset = insert_char(dt.astimezone().strftime("%z"), ":", 3)' -# tzoffset = dt.astimezone().strftime("%z")[0:3] + ":" + dt.astimezone().strftime("%z")[3:] -tzoffset = dt.astimezone().strftime("%z") + # Derive epoch timestamp for use in search string + # NOTE: There are caveats with 'strftime("%s")', see references below -# Derive epoch timestamp for use in search string -# NOTE: There are caveats with 'strftime("%s")', see references below + # See https://stackoverflow.com/questions/11743019/convert-python-datetime-to-epoch-with-strftime + # See https://docs.python.org/3/library/datetime.html#datetime-objects + # Basically: Don't use 'utcnow()' -# See https://stackoverflow.com/questions/11743019/convert-python-datetime-to-epoch-with-strftime -# See https://docs.python.org/3/library/datetime.html#datetime-objects -# Basically: Don't use 'utcnow()' + # Strict way to get epoch as a string (rather than float) avoiding naive objects + # epoch = dt.fromtimestamp(dt.timestamp()).strftime('%s') -# Strict way to get epoch as a string (rather than float) avoiding naive objects -# epoch = dt.fromtimestamp(dt.timestamp()).strftime('%s') + # Since datetime.now().astimezone() is aware, strftime() should be safe and form below OK + # Trim last 3 digits of microsecond resolution to obtain milliseconds + epoch = dt.astimezone().strftime("%s.%f")[:-7] -# Since datetime.now().astimezone() is aware, strftime() should be safe and form below OK -# Trim last 3 or 7 digits of microsecond resolution to obtain milliseconds or whole seconds respectively -epoch = dt.astimezone().strftime("%s.%f")[:-7] + return iso, bsd, time, date, tzoffset, epoch # <111> Aug 17 00:00:00 fortigate date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf="port3" dstip=ff02::1:ff77:20d4 dstintf="port3" sessionid=408903 proto=58 action=accept policyid=2 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=:: transport=0 service="icmp6/131/0" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app="IPv6.ICMP" appcat="Network.Service" apprisk=elevated applist="sniffer-profile" appact=detected utmaction=allow countapp=1 def test_fortinet_fgt_event(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, epoch = time_operations(dt) + mt = env.from_string( # "{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FGT60D4614044725 logid=0100040704 type=event subtype=system level=notice tz=\"{{ tzoffset }}\" vd=root logdesc=\"System performance statistics\" action=\"perf-stats\" cpu=2 mem=35 totalsession=61 disk=2 bandwidth=158/138 setuprate=2 disklograte=0 fazlograte=0 msg=\"Performance statistics: average CPU: 2, memory: 35, concurrent sessions: 61, setup-rate: 2\"\n") "{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FGT60D4614044725 logid=0100040704 type=event subtype=system level=notice vd=root logdesc=\"System performance statistics\" action=\"perf-stats\" cpu=2 mem=35 totalsession=61 disk=2 bandwidth=158/138 setuprate=2 disklograte=0 fazlograte=0 msg=\"Performance statistics: average CPU: 2, memory: 35, concurrent sessions: 61, setup-rate: 2\"\n") @@ -67,8 +69,7 @@ def test_fortinet_fgt_event(record_property, setup_wordlist, setup_splunk, setup sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( -# "search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"fgt_event\"") - "search index=netops host=\"{{ host }}\" sourcetype=\"fgt_event\"") + "search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"fgt_event\"") search = st.render(host=host, epoch=epoch) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -84,6 +85,9 @@ def test_fortinet_fgt_traffic(record_property, setup_wordlist, setup_splunk, set host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, epoch = time_operations(dt) + mt = env.from_string( "{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf=\"port3\" dstip=ff02::1:ff77:20d4 dstintf=\"port3\" sessionid=408903 proto=58 action=accept policyid=2 dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=snat transip=:: transport=0 service=\"icmp6/131/0\" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app=\"IPv6.ICMP\" appcat=\"Network.Service\" apprisk=elevated applist=\"sniffer-profile\" appact=detected utmaction=allow countapp=1\n") message = mt.render(mark="<111>", bsd=bsd, date=date, time=time, host=host) @@ -106,6 +110,9 @@ def test_fortinet_fgt_utm(record_property, setup_wordlist, setup_splunk, setup_s host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, epoch = time_operations(dt) + mt = env.from_string( "{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FGT37D4613800138 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd=root sessionid=1490845588 user=\"\" srcip=172.30.16.119 srcport=53235 srcintf=\"Internal\" dstip=114.112.67.75 dstport=80 dstintf=\"External-SDC\" proto=6 service=HTTP hostname=\"popo.wan.ijinshan.com\" profile=\"scan\" action=passthrough reqtype=direct url=\"/popo/launch?c=cHA9d29vZHMxOTgyQGhvdG1haWwuY29tJnV1aWQ9NDBiNDkyZDRmNzdhNjFmOTNlMjQwMjhiYjE3ZGRlYTYmY29tcGl\" sentbyte=525 rcvdbyte=325 direction=outgoing msg=\"URL belongs to an allowed category in policy\" method=domain cat=52 catdesc=\"Information Technology\"\n") message = mt.render(mark="<111>", bsd=bsd, date=date, time=time, host=host) @@ -122,3 +129,4 @@ def test_fortinet_fgt_utm(record_property, setup_wordlist, setup_splunk, setup_s record_property("message", message) assert resultCount == 1 + diff --git a/tests/test_fortinet_web.py b/tests/test_fortinet_web.py index 24ed1ac..abc92b0 100644 --- a/tests/test_fortinet_web.py +++ b/tests/test_fortinet_web.py @@ -22,45 +22,43 @@ def insert_colon(string, integer): def removeZero(tz): return re.sub(r'\b0+(\d)(?=:)', r'\1', tz) +def time_operations(dt): + # Generate an ISO 8601 (RFC 5424) compliant timestamp with local timezone offset (2020-02-12T12:46:39.323-08:00) + # See https://stackoverflow.com/questions/2150739/iso-time-iso-8601-in-python + iso = dt.astimezone().isoformat(sep='T', timespec='milliseconds') + # Generate an BSD-style (RFC 3164) compliant timestamp with no timezone (Oct 25 13:08:00) + bsd = dt.strftime("%b %d %H:%M:%S") -# Generate current datetime structure -dt = datetime.datetime.now() + # Other variants of timestamps needed for this log sample + time = dt.strftime("%H:%M:%S") + date = dt.strftime("%Y-%m-%d") + # Insert colon in tzoffset string; normally just 'tzoffset = dt.astimezone().strftime("%z")' + # Could use helper function above; e.g. 'tzoffset = insert_char(dt.astimezone().strftime("%z"), ":", 3)' + tzoffset = removeZero(insert_colon((dt.astimezone().strftime("%z")), 3)) -# Generate an ISO 8601 (RFC 5424) compliant timestamp with local timezone offset (2020-02-12T12:46:39.323-08:00) -# See https://stackoverflow.com/questions/2150739/iso-time-iso-8601-in-python -iso = dt.astimezone().isoformat(sep='T', timespec='milliseconds') -# Generate an BSD-style (RFC 3164) compliant timestamp with no timezone (Oct 25 13:08:00) -bsd = dt.strftime("%b %d %H:%M:%S") + # Derive epoch timestamp for use in search string + # NOTE: There are caveats with 'strftime("%s")', see references below -# Other variants of timestamps needed for this log sample -time = dt.strftime("%H:%M:%S") -date = dt.strftime("%Y-%m-%d") -# Insert colon in tzoffset string; normally just 'tzoffset = dt.astimezone().strftime("%z")' -# Could use helper function above; e.g. 'tzoffset = insert_char(dt.astimezone().strftime("%z"), ":", 3)' -# tzoffset = dt.astimezone().strftime("%z")[0:3] + ":" + dt.astimezone().strftime("%z")[3:] -tzoffset = dt.astimezone().strftime("%z") + # See https://stackoverflow.com/questions/11743019/convert-python-datetime-to-epoch-with-strftime + # See https://docs.python.org/3/library/datetime.html#datetime-objects + # Basically: Don't use 'utcnow()' -# Derive epoch timestamp for use in search string -# NOTE: There are caveats with 'strftime("%s")', see references below + # Strict way to get epoch as a string (rather than float) avoiding naive objects + # epoch = dt.fromtimestamp(dt.timestamp()).strftime('%s') -# See https://stackoverflow.com/questions/11743019/convert-python-datetime-to-epoch-with-strftime -# See https://docs.python.org/3/library/datetime.html#datetime-objects -# Basically: Don't use 'utcnow()' + # Since datetime.now().astimezone() is aware, strftime() should be safe and form below OK + # Trim last 3 digits of microsecond resolution to obtain milliseconds + epoch = dt.astimezone().strftime("%s.%f")[:-7] -# Strict way to get epoch as a string (rather than float) avoiding naive objects -# epoch = dt.fromtimestamp(dt.timestamp()).strftime('%s') - -# Since datetime.now().astimezone() is aware, strftime() should be safe and form below OK -# Trim last 3 or 7 digits of microsecond resolution to obtain milliseconds or whole seconds respectively -epoch = dt.astimezone().strftime("%s.%f")[:-7] - -# Generate Timezone in "-08:00" format (with HH:MM colon; no leading zero for hour < 10) -tzoffset = removeZero(insert_colon((dt.astimezone().strftime("%z")), 3)) + return iso, bsd, time, date, tzoffset, epoch # <111> Oct 25 13:08:00 fortiweb date=2013-10-07 time=11:30:53 devname=FortiWeb-A log_id=10000017 msg_id=000000001117 device_id=FVVM040000010871 vd="root" timezone="(GMT-5:00)Eastern Time(US & Canada)" type=event subtype="system" pri=information trigger_policy="" user=admin ui=GUI action=login status=success msg="User admin login successfully from GUI(172.20.120.47)" def test_fortinet_fwb_event(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, epoch = time_operations(dt) + mt = env.from_string( "{{ mark }} {{ bsd }} fortiweb date={{ date }} time={{ time }} devname={{ host }} log_id=10000017 msg_id=000000001117 device_id=FVVM040000010871 vd=\"root\" timezone=\"(GMT{{ tzoffset }})Region,City\" type=event subtype=\"system\" pri=information trigger_policy=\"\" user=admin ui=GUI action=login status=success msg=\"User admin login successfully from GUI(172.20.120.47)\"") message = mt.render(mark="<111>", bsd=bsd, host=host, time=time, date=date, tzoffset=tzoffset) @@ -82,6 +80,9 @@ def test_fortinet_fwb_event(record_property, setup_wordlist, setup_splunk, setup def test_fortinet_fwb_traffic(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, epoch = time_operations(dt) + mt = env.from_string( "{{ mark }} {{ bsd }} fortiweb date={{ date }} time={{ time }} devname={{ host }} log_id=30000000 msg_id=000001351251 device_id=FV-1KD3A14800059 vd=\"root\" timezone=\"(GMT{{ tzoffset }})Region,City\" type=traffic subtype=\"http\" pri=notice proto=tcp service=http status=success reason=none policy=Auto-policy src=10.0.8.103 src_port=8142 dst=10.20.8.22 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=444 http_response_bytes=401 http_method=get http_url=\"/\" http_host=\"10.0.8.22\" http_agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; \" http_retcode=200 msg=\"HTTP GET request from 10.0.8.103:8142 to 10.20.8.22:80\" srccountry=\"Reserved\" content_switch_name=\"testa\" server_pool_name=\"Auto-ServerFarm\"") message = mt.render(mark="<111>", bsd=bsd, host=host, time=time, date=date, tzoffset=tzoffset) @@ -103,6 +104,9 @@ def test_fortinet_fwb_traffic(record_property, setup_wordlist, setup_splunk, set def test_fortinet_fwb_attack(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, epoch = time_operations(dt) + mt = env.from_string( "{{ mark }} {{ bsd }} fortiweb date={{ date }} time={{ time }} devname={{ host }} log_id=20000010 msg_id=000139289631 device_id=FV-1KD3A15800072 vd=\"root\" timezone=\"(GMT{{ tzoffset }})Region,City\" type=attack subtype=\"waf_signature_detection\" pri=alert trigger_policy=\"\" severity_level=Medium proto=tcp service=http action=Alert policy=\"123\" src=172.22.6.234 src_port=60554 dst=10.0.9.13 dst_port=80 http_method=get http_url=\"/preview.php?file==../\" http_host=\"10.0.9.123\" http_agent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\" http_session_id=3B9864AEKNQSLLODNTILCG37M2FZ6A88 msg=\"[Signatures name: 123] [main class name: Generic Attacks(Extended)] [sub class name: Directory Traversal]: 060150002\" signature_subclass=\"Directory Traversal\" signature_id=\"060150002\" srccountry=\"Reserved\" content_switch_name=\"none\" server_pool_name=\"123\" false_positive_mitigation=\"none\" log_type=LOG_TYPE_SCORE_SUM event_score=3 score_message=\"[score_type: total_score] [score_scope: TCP Session] [score_threshold: 5] [score_sum: 7]\" entry_sequence=\"000139289630\"") message = mt.render(mark="<111>", bsd=bsd, host=host, time=time, date=date, tzoffset=tzoffset)