Ryan Faircloth
authored and
GitHub
committed
Oct 15, 2019
1 parent
6c6fb2a
commit 2fb4009
Showing
16 changed files
with
174 additions
and
99 deletions.
| @@ -0,0 +1,22 @@ | ||
| # Meraki | ||
|
|
||
| filter f_cisco_meraki { | ||
| match("cisco_meraki", value("fields.sc4s_vendor_product") type(glob)) | ||
| }; | ||
|
|
||
| parser p_cisco_meraki { | ||
| channel { | ||
| filter { | ||
| match( | ||
| #'(?<SYSLOGMSG>(?<HEADER>(?<PRI><\d{1,3}>)(?<VERSION>[1-9][0-9]?) (?<TIMESTAMP>(?<EPOCH>\d{10})(?:.(?<TIMESECFRAC>\d{1,9})?)) (?<HOST>[^ ]+ )(?<MESSAGE>.*))' | ||
| '(?:(?:<(?<PRI>\d{1,3})>(?<VERSION>[1-9][0-9]?) (?:(?<EPOCH>\d{10})(?:.(?<TIMESECFRAC>\d{1,9})?)) (?<HOST>[^ ]+) )(?<MESSAGE>.*))' | ||
| flags(store-matches) | ||
| ); | ||
| }; | ||
| parser { | ||
| date-parser(format('%s') | ||
| template("${EPOCH}")); | ||
| }; | ||
| }; | ||
|
|
||
| }; |
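Review bot: In the active pattern of the match() at the line starting `'(?:(?:<(?<PRI>\d{1,3})>`, the separator between EPOCH and TIMESECFRAC is written as a bare `.`, which matches any character rather than the literal dot of a `1563249630.774247467` timestamp; it should be `(?:\.(?<TIMESECFRAC>\d{1,9})?)`. The same unescaped dot appears in the commented-out variant on the line above it, which is dead config and would be better removed now that the shorter pattern is the one in use. The pattern is also unanchored, so a `<PRI>` sequence anywhere in the message would satisfy it; prefixing `^` would make the filter fail closed on malformed input. The file's path is not shown in this section of the page.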
| @@ -0,0 +1 @@ | ||
| This file exists to preserve the path for plugin use |
5 changes: 0 additions & 5 deletions
5
package/etc/conf.d/local/context/compliance_meta_by_source.conf
This file was deleted.
2 changes: 0 additions & 2 deletions
2
package/etc/conf.d/local/context/compliance_meta_by_source.csv
This file was deleted.
This file was deleted.
37 changes: 0 additions & 37 deletions
37
package/etc/conf.d/local/context/vendor_product_by_source.conf
This file was deleted.
8 changes: 0 additions & 8 deletions
8
package/etc/conf.d/local/context/vendor_product_by_source.csv
This file was deleted.
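--- a/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_merkai.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_merkai.conf.tmpl
@@ -0,0 +1,42 @@
+# Checkpoint Splunk format
+{{- if (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TLS_PORT") "no") "no") }}
+{{ $context := dict "port_id" "CISCO_MERAKI" "parser" "common" }}
+{{ tmpl.Exec "t/source_network.t" $context }}
+{{- end -}}
+{{ define "log_path" }}
+log {
+{{- if eq (.) "yes"}}
+source(s_default-ports);
+filter(f_cisco_meraki);
+{{- end}}
+{{- if eq (.) "no"}}
+source (s_dedicated_port_CISCO_MERAKI);
+{{- end}}
+
+#parser {
+# kv-parser(prefix(".kv.") pair-separator("|") template("${MSGHDR} ${MSG}"));
+# date-parser(format("%s") template("${.kv.time}") time-zone({{- getenv "SC4S_DEFAULT_TIMEZONE" "GMT"}}));
+#
+# };
+
+#rewrite { set("${.kv.hostname}", value("HOST")); };
+
+rewrite { r_set_splunk_dest_default(sourcetype("meraki"), index("netfw"), template("t_hdr_msg"))};
+parser {p_add_context_splunk(key("cisco_meraki")); };
+
+
+
+parser (compliance_meta_by_source);
+
+destination(d_hec); #--HEC--
+
+flags(flow-control);
+};
+{{- end}}
+{{- if (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_CISCO_MERAKI_TLS_PORT") "no") "no") }}
+# Listen on the specified dedicated port(s) for CISCO_MERAKI traffic
+{{ tmpl.Exec "log_path" "no" }}
+{{- end}}
+
+# Listen on the default port (typically 514) for CISCO_MERAKI traffic
+{{ tmpl.Exec "log_path" "yes" }}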
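Review bot: The header comment on the first line reads `# Checkpoint Splunk format` in a file that builds the Cisco Meraki log path, so the copied text should be `# Cisco Meraki Splunk format` (the path `p_rfc5424_epoch-cisco_merkai.conf.tmpl` also misspells meraki, which a rename would fix). The log path calls `parser (compliance_meta_by_source);` while this same commit deletes package/etc/conf.d/local/context/compliance_meta_by_source.conf; if that file held the only definition of that parser, syslog-ng will refuse to load this config, so confirm it is still defined elsewhere. The commented-out `#parser { ... }` and `#rewrite { ... }` blocks between the source and the live rewrite are dead config and would be clearer either removed or replaced by a one-line comment explaining why the header fields are not kv-parsed here.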
| @@ -0,0 +1,35 @@ | ||
| # Copyright 2019 Splunk, Inc. | ||
| # | ||
| # Use of this source code is governed by a BSD-2-clause-style | ||
| # license that can be found in the LICENSE-BSD2 file or at | ||
| # https://opensource.org/licenses/BSD-2-Clause | ||
| import random | ||
|
|
||
| from jinja2 import Environment | ||
|
|
||
| from .sendmessage import * | ||
| from .splunkutils import * | ||
|
|
||
| env = Environment(extensions=['jinja2_time.TimeExtension']) | ||
|
|
||
| #<134>1 1563249630.774247467 devicename security_event ids_alerted signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection | ||
| def test_cisco_meraki_security_event(record_property, setup_wordlist, setup_splunk): | ||
| host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) | ||
|
|
||
| mt = env.from_string( | ||
| "{{ mark }}1 {% now 'utc', '%s' %}.123456789 testcm-{{ host }} security_event ids_alerted signature=1:28423:1 priority=1 timestamp={% now 'utc', '%s' %}.123456 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection\n") | ||
| message = mt.render(mark="<134>", host=host) | ||
|
|
||
| sendsingle(message) | ||
|
|
||
| st = env.from_string("search index=netfw host=\"testcm-{{ host }}\" sourcetype=\"meraki\" | head 2") | ||
| search = st.render(host=host) | ||
|
|
||
| resultCount, eventCount = splunk_single(setup_splunk, search) | ||
|
|
||
| record_property("host", host) | ||
| record_property("resultCount", resultCount) | ||
| record_property("message", message) | ||
|
|
||
| assert resultCount == 1 | ||
| #<134>1 Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 events Cellular connection up |
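Review bot: The second value returned by `splunk_single` is bound to `eventCount` on the `resultCount, eventCount = splunk_single(setup_splunk, search)` line and never used; `resultCount, _ = splunk_single(setup_splunk, search)` makes that explicit, and `result_count` would follow PEP 8 like the other names in the function. The two `from .sendmessage import *` and `from .splunkutils import *` lines hide where `sendsingle` and `splunk_single` come from; importing those two names explicitly would make the test self-describing. The sample in the trailing comment, a Meraki event with a textual date before the epoch, has no test exercising it; if that shape is also expected to land in sourcetype meraki it deserves its own case, otherwise the comment should say it is intentionally unsupported. The file's path is not shown in this section of the page.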