From 1976140b907a7fc52b9104f019681bd4dc2636bf Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Tue, 5 May 2020 15:56:52 -0400 Subject: [PATCH] Some work towards sub typing with eventclass --- .../context/common_event_format_class.csv | 5 ++++ .../context/common_event_format_source.csv | 2 ++ .../lp-common_event_format.conf.tmpl | 18 ++++++++++++-- tests/test_imperva_waf.py | 24 +++++++++---------- 4 files changed, 35 insertions(+), 14 deletions(-) create mode 100644 package/etc/conf.d/context/common_event_format_class.csv diff --git a/package/etc/conf.d/context/common_event_format_class.csv b/package/etc/conf.d/context/common_event_format_class.csv new file mode 100644 index 0000000..f25ca12 --- /dev/null +++ b/package/etc/conf.d/context/common_event_format_class.csv @@ -0,0 +1,5 @@ +Imperva Inc._SecureSphere_Firewall,sourcetype,imperva:waf:firewall:cef +Imperva Inc._SecureSphere_Signature,sourcetype,imperva:waf:security:cef +Imperva Inc._SecureSphere_Protocol,sourcetype,imperva:waf:security:cef +Imperva Inc._SecureSphere_Worm,sourcetype,imperva:waf:security:cef +unknown,source,CEF:unknown diff --git a/package/etc/conf.d/context/common_event_format_source.csv b/package/etc/conf.d/context/common_event_format_source.csv index 1aaa666..eae9966 100644 --- a/package/etc/conf.d/context/common_event_format_source.csv +++ b/package/etc/conf.d/context/common_event_format_source.csv @@ -11,4 +11,6 @@ Microsoft_Microsoft Windows,source,CEFEventLog:Microsoft Windows Microsoft_Microsoft Windows,index,oswinsec Incapsula_SIEMintegration,source,Imperva:Incapsula Incapsula_SIEMintegration,index,netwaf +Imperva Inc._SecureSphere,sourcetype,imperva:waf +Imperva Inc._SecureSphere,index,netwaf unknown,source,CEF:unknown diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl index bcf3667..1cc91bc 100644 --- a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl @@ -36,6 +36,16 @@ parser p_cef_source { ); }; +parser p_cef_class { + add-contextual-data( + selector("${fields.cef_device_vendor}_${fields.cef_device_product}_${fields.cef_device_event_class}"), + database("conf.d/context/common_event_format_class.csv") + ignore-case(yes) + prefix(".splunk.") + default-selector("unknown") + ); +}; + log { junction { {{- if or (or (getenv (print "SC4S_LISTEN_CEF_TCP_PORT")) (getenv (print "SC4S_LISTEN_CEF_UDP_PORT"))) (getenv (print "SC4S_LISTEN_CEF_TLS_PORT")) }} @@ -74,8 +84,12 @@ log { }; #Do nothing this is allows for both rt and end to be missing and still pass with the message ts #CEF TAs use the source as their bounds in props.conf - parser(p_cef_source); - + if { + parser(p_cef_source); + }; + if { + parser(p_cef_class); + }; parser { p_add_context_splunk(key("${fields.cef_device_vendor}_${fields.cef_device_product}")); }; diff --git a/tests/test_imperva_waf.py b/tests/test_imperva_waf.py index 36dac61..175901a 100644 --- a/tests/test_imperva_waf.py +++ b/tests/test_imperva_waf.py @@ -16,8 +16,8 @@ # Nov 15 23:57:28 3.3.3.3 CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Custom|custom-policy-violation|High|act=block dst=1.1.1.1 dpt=80 duser=GeritaMija3s src=1.0.0.1 spt=59774 proto=TCP rt=Nov 15 2019 15:52:28 cat=Alert cs1=Suspicious File Access Attempt - 1 cs1Label=Policy cs2=WebCloud (simulation) cs2Label=ServerGroup cs3=WebCloud HTTP Service (simulation) cs3Label=ServiceName cs4=english.hku.hk Application cs4Label=ApplicationName cs5=custom-policy-violation cs5Label=Description cs6=POST cs6Label=HTTPHeaderRequest-URLMethod cs7=/uploads/dede/sys_verifies.php cs7Label=HTTPHeaderRequest-URLPath cs8=Connection, Content-Type, Accept, Referer, User-Agent, Content-Length, Host Keep-Alive, application/x-www-form-urlencoded, */*, http://aaaaa.bbb.cc/uploads/dede/sys_verifies.php?action=down, Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2), 231, english.hku.hk cs8Label=HttpHeaderRequest-Header cs9=down action cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945989736 cs10Label=EventID cs11=7500662780438769543 cs11Label=SessionID # Nov 15 23:45:44 3.3.3.3 CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Correlation|sql-injection|High|act=block dst=1.1.1.1 dpt=80 duser=Marcelavms src=1.0.0.1 spt=46814 proto=TCP rt=Nov 15 2019 15:45:42 cat=Alert cs1=Web Correlation Policy cs1Label=Policy cs2=AAA Wildcard (Dept) (simulation cs2Label=ServerGroup cs3=AAA Wildcard (Dept) HTTP Service (simulation) cs3Label=ServiceName cs4=aaa.bbb.hk Application cs4Label=ApplicationName cs5=sql-injection cs5Label=Description cs6=GET cs6Label=HTTPHeaderRequest-URLMethod cs7=/cdblog/wp-trackback.php cs7Label=HTTPHeaderRequest-URLPath cs8=Accept-Language, Accept-Charset, Accept, User-Agent, Host, Connection en-us,en, utf-8,*, text/html,image/jpeg,image/gif,text/xml,text/plain,image/png, Opera/9.27, aaa.bbb.hk, close cs8Label=HttpHeaderRequest-Header cs9=555&&BeNChMaRK(2999999,MD5(NOW())) p cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945954386 cs10Label=EventID cs11= cs11Label=SessionID test_fallback_events = [ - '{{ mark }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Custom|custom-policy-violation|High|act=block dst=1.1.1.1 dpt=80 duser=GeritaMija3s src=1.0.0.1 spt=59774 proto=TCP rt=Nov 15 2019 15:52:28 cat=Alert cs1=Suspicious File Access Attempt - 1 cs1Label=Policy cs2=WebCloud (simulation) cs2Label=ServerGroup cs3=WebCloud HTTP Service (simulation) cs3Label=ServiceName cs4=aaaa.bbb.cc Application cs4Label=ApplicationName cs5=custom-policy-violation cs5Label=Description cs6=POST cs6Label=HTTPHeaderRequest-URLMethod cs7=/uploads/dede/sys_verifies.php cs7Label=HTTPHeaderRequest-URLPath cs8=Connection, Content-Type, Accept, Referer, User-Agent, Content-Length, Host Keep-Alive, application/x-www-form-urlencoded, */*, http://aaaaa.bbb.cc/uploads/dede/sys_verifies.php?action=down, Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2), 231, aaaa.bbb.cc cs8Label=HttpHeaderRequest-Header cs9=down action cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945989736 cs10Label=EventID cs11=7500662780438769543 cs11Label=SessionID', - '{{ mark }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Correlation|sql-injection|High|act=block dst=1.1.1.1 dpt=80 duser=Marcelavms src=1.0.0.1 spt=46814 proto=TCP rt=Nov 15 2019 15:45:42 cat=Alert cs1=Web Correlation Policy cs1Label=Policy cs2=AAA Wildcard (Dept) (simulation cs2Label=ServerGroup cs3=AAA Wildcard (Dept) HTTP Service (simulation) cs3Label=ServiceName cs4=aaa.bbb.hk Application cs4Label=ApplicationName cs5=sql-injection cs5Label=Description cs6=GET cs6Label=HTTPHeaderRequest-URLMethod cs7=/cdblog/wp-trackback.php cs7Label=HTTPHeaderRequest-URLPath cs8=Accept-Language, Accept-Charset, Accept, User-Agent, Host, Connection en-us,en, utf-8,*, text/html,image/jpeg,image/gif,text/xml,text/plain,image/png, Opera/9.27, aaa.bbb.hk, close cs8Label=HttpHeaderRequest-Header cs9=555&&BeNChMaRK(2999999,MD5(NOW())) p cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945954386 cs10Label=EventID cs11= cs11Label=SessionID', + '{{ mark }} {{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Custom|custom-policy-violation|High|act=block dst=1.1.1.1 dpt=80 duser=GeritaMija3s src=1.0.0.1 spt=59774 proto=TCP rt={{ bsd }} cat=Alert cs1=Suspicious File Access Attempt - 1 cs1Label=Policy cs2=WebCloud (simulation) cs2Label=ServerGroup cs3=WebCloud HTTP Service (simulation) cs3Label=ServiceName cs4=aaaa.bbb.cc Application cs4Label=ApplicationName cs5=custom-policy-violation cs5Label=Description cs6=POST cs6Label=HTTPHeaderRequest-URLMethod cs7=/uploads/dede/sys_verifies.php cs7Label=HTTPHeaderRequest-URLPath cs8=Connection, Content-Type, Accept, Referer, User-Agent, Content-Length, Host Keep-Alive, application/x-www-form-urlencoded, */*, http://aaaaa.bbb.cc/uploads/dede/sys_verifies.php?action=down, Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2), 231, aaaa.bbb.cc cs8Label=HttpHeaderRequest-Header cs9=down action cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945989736 cs10Label=EventID cs11=7500662780438769543 cs11Label=SessionID', + '{{ mark }} {{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Correlation|sql-injection|High|act=block dst=1.1.1.1 dpt=80 duser=Marcelavms src=1.0.0.1 spt=46814 proto=TCP rt={{ bsd }} cat=Alert cs1=Web Correlation Policy cs1Label=Policy cs2=AAA Wildcard (Dept) (simulation cs2Label=ServerGroup cs3=AAA Wildcard (Dept) HTTP Service (simulation) cs3Label=ServiceName cs4=aaa.bbb.hk Application cs4Label=ApplicationName cs5=sql-injection cs5Label=Description cs6=GET cs6Label=HTTPHeaderRequest-URLMethod cs7=/cdblog/wp-trackback.php cs7Label=HTTPHeaderRequest-URLPath cs8=Accept-Language, Accept-Charset, Accept, User-Agent, Host, Connection en-us,en, utf-8,*, text/html,image/jpeg,image/gif,text/xml,text/plain,image/png, Opera/9.27, aaa.bbb.hk, close cs8Label=HttpHeaderRequest-Header cs9=555&&BeNChMaRK(2999999,MD5(NOW())) p cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945954386 cs10Label=EventID cs11= cs11Label=SessionID', ] @pytest.mark.parametrize("event", test_fallback_events) def test_imperva_waf_fallback(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event): @@ -30,12 +30,12 @@ def test_imperva_waf_fallback(record_property, setup_wordlist, get_host_key, set epoch = epoch[:-7] mt = env.from_string(event + "\n") - message = mt.render(bsd=bsd, host=host) + message = mt.render(mark="<11>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=netops _time={{ epoch }} sourcetype=\"imperva:waf\" host=\"{{ host }}\"") + "search index=netwaf _time={{ epoch }} sourcetype=\"imperva:waf\" host=\"{{ host }}\"") search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -50,9 +50,9 @@ def test_imperva_waf_fallback(record_property, setup_wordlist, get_host_key, set # Jan 30 14:50:39 146.222.1.43 CEF:0|Imperva Inc.|SecureSphere|13.0.0|Protocol|Extremely Long SQL Request|High|act=None dst=146.222.96.180 dpt=0 duser=n/a src=10.222.57.18 spt=46205 proto=TCP rt=Jan 30 2020 04:50:35 cat=Alert cs1=SQL Protocol Policy cs1Label=Policy cs2=hklp743p cs2Label=ServerGroup cs3=hklp743p_oracle cs3Label=ServiceName cs4=Default Oracle Application cs4Label=ApplicationName cs5=Multiple Extremely Long SQL Request from 10.222.57.18 cs5Label=Description # Jul 16 18:19:52 3.3.3.3 CEF:0|Imperva Inc.|SecureSphere|10.5.0|Worm|Web Worm|High|act=Block dst=1.1.1.1 dpt=80 duser=n/a src=1.0.0.1 spt=65535 proto=TCP rt=Jul 16 2015 18:19:50 cat=Alert cs1=Web Worm Policy cs1Label=Policy cs2=Server3 cs2Label=ServerGroup cs3=ServiceName3 cs3Label=ServiceName cs4=ApplicationName3 cs4Label=ApplicationName cs5=Access to: /cgi-system/rtpd.cgi cs5Label=Description test_security_events = [ - '{{ mark }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.0.0|Signature|Sql Signature Violation|Low|act=None dst=10.222.17.15 dpt=1521 duser=Multiple src=10.222.17.15 spt=51462 proto=TCP rt=Jan 30 2020 08:43:15 cat=Alert cs1=Recommended Signatures Policy for Database Applications cs1Label=Policy cs2=hklp320p cs2Label=ServerGroup cs3=Multiple EXECUTE IMMEDIATE attempt(+) from 10.222.17.15 cs3Label=Description', - '{{ mark }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.0.0|Protocol|Extremely Long SQL Request|High|act=None dst=146.222.96.180 dpt=0 duser=n/a src=10.222.57.18 spt=46205 proto=TCP rt=Jan 30 2020 04:50:35 cat=Alert cs1=SQL Protocol Policy cs1Label=Policy cs2=hklp743p cs2Label=ServerGroup cs3=hklp743p_oracle cs3Label=ServiceName cs4=Default Oracle Application cs4Label=ApplicationName cs5=Multiple Extremely Long SQL Request from 10.222.57.18 cs5Label=Description', - '{{ mark }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|10.5.0|Worm|Web Worm|High|act=Block dst=1.1.1.1 dpt=80 duser=n/a src=1.0.0.1 spt=65535 proto=TCP rt=Jul 16 2015 18:19:50 cat=Alert cs1=Web Worm Policy cs1Label=Policy cs2=Server3 cs2Label=ServerGroup cs3=ServiceName3 cs3Label=ServiceName cs4=ApplicationName3 cs4Label=ApplicationName cs5=Access to: /cgi-system/rtpd.cgi cs5Label=Description', + '{{ mark }}{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.0.0|Signature|Sql Signature Violation|Low|act=None dst=10.222.17.15 dpt=1521 duser=Multiple src=10.222.17.15 spt=51462 proto=TCP rt={{ bsd }} cat=Alert cs1=Recommended Signatures Policy for Database Applications cs1Label=Policy cs2=hklp320p cs2Label=ServerGroup cs3=Multiple EXECUTE IMMEDIATE attempt(+) from 10.222.17.15 cs3Label=Description', + '{{ mark }}{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.0.0|Protocol|Extremely Long SQL Request|High|act=None dst=146.222.96.180 dpt=0 duser=n/a src=10.222.57.18 spt=46205 proto=TCP rt={{ bsd }} cat=Alert cs1=SQL Protocol Policy cs1Label=Policy cs2=hklp743p cs2Label=ServerGroup cs3=hklp743p_oracle cs3Label=ServiceName cs4=Default Oracle Application cs4Label=ApplicationName cs5=Multiple Extremely Long SQL Request from 10.222.57.18 cs5Label=Description', + '{{ mark }}{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|10.5.0|Worm|Web Worm|High|act=Block dst=1.1.1.1 dpt=80 duser=n/a src=1.0.0.1 spt=65535 proto=TCP rt={{ epoch }} cat=Alert cs1=Web Worm Policy cs1Label=Policy cs2=Server3 cs2Label=ServerGroup cs3=ServiceName3 cs3Label=ServiceName cs4=ApplicationName3 cs4Label=ApplicationName cs5=Access to: /cgi-system/rtpd.cgi cs5Label=Description', ] @pytest.mark.parametrize("event", test_security_events) def test_imperva_waf_security(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event): @@ -65,12 +65,12 @@ def test_imperva_waf_security(record_property, setup_wordlist, get_host_key, set epoch = epoch[:-7] mt = env.from_string(event + "\n") - message = mt.render(bsd=bsd, host=host) + message = mt.render(mark="<111>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=netops _time={{ epoch }} sourcetype=\"imperva:waf:security:cef\" host=\"{{ host }}\"") + "search index=netwaf _time={{ epoch }} sourcetype=\"imperva:waf:security:cef\" host=\"{{ host }}\"") search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -92,13 +92,13 @@ def test_imperva_waf_firewall(record_property, setup_wordlist, get_host_key, set epoch = epoch[:-7] mt = env.from_string( - '{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|12.0.0|Firewall|SSL Untraceable Connection|Medium|act=Block dst=160.131.222.235 dpt=2157 duser=Mathbelliin src=49.93.221.243 spt=11286 proto=TCP rt=Jan 30 2020 14:41:23 cat=Alert cs1=Automated Vulnerability Scanning cs1Label=Policy cs2=IRIS_1 cs2Label=ServerGroup cs3=app1-5.host1.com [Multi_VIP] cs3Label=ServiceName cs4=For Monitor ONLY cs4Label=ApplicationName cs5=Distributed Too Many Headers per Response cs5Label=Description') + '{{ bsd }}{{ host }} CEF:0|Imperva Inc.|SecureSphere|12.0.0|Firewall|SSL Untraceable Connection|Medium|act=Block dst=160.131.222.235 dpt=2157 duser=Mathbelliin src=49.93.221.243 spt=11286 proto=TCP rt={{ bsd }} cat=Alert cs1=Automated Vulnerability Scanning cs1Label=Policy cs2=IRIS_1 cs2Label=ServerGroup cs3=app1-5.host1.com [Multi_VIP] cs3Label=ServiceName cs4=For Monitor ONLY cs4Label=ApplicationName cs5=Distributed Too Many Headers per Response cs5Label=Description') message = mt.render(bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=netops _time={{ epoch }} sourcetype=\"imperva:waf:firewall:cef\" host=\"{{ host }}\"") + "search index=netwaf _time={{ epoch }} sourcetype=\"imperva:waf:firewall:cef\" host=\"{{ host }}\"") search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -127,7 +127,7 @@ def test_imperva_waf_system(record_property, setup_wordlist, get_host_key, setup sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=netops _time={{ epoch }} sourcetype=\"imperva:waf:system:cef\" host=\"{{ host }}\"") + "search index=netwaf _time={{ epoch }} sourcetype=\"imperva:waf:system:cef\" host=\"{{ host }}\"") search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search)