From 30c20f5c651f4c3420f58c34b6757422d6b35e29 Mon Sep 17 00:00:00 2001 From: Jay Shah Date: Thu, 7 May 2020 12:59:41 +0530 Subject: [PATCH] Added support of secintel and aamw sourcetypes --- docs/sources/Juniper/index.md | 6 +- .../lp-juniper_junos_structured.conf.tmpl | 6 ++ .../splunk_index.csv.example | 2 + tests/test_juniper_junos_rfc5124.py | 56 +++++++++++++++++++ 4 files changed, 69 insertions(+), 1 deletion(-) diff --git a/docs/sources/Juniper/index.md b/docs/sources/Juniper/index.md index e497d0c..f8fccff 100644 --- a/docs/sources/Juniper/index.md +++ b/docs/sources/Juniper/index.md @@ -12,7 +12,11 @@ | sourcetype | notes | |--------------------------|------------------------------------------------------------------| | juniper:junos:firewall | None | -| juniper:junos:idp | None | +| juniper:junos:firewall:structured | None | +| juniper:junos:idp | None | +| juniper:junos:idp:structured | None | +| juniper:junos:aamw:structured | None | +| juniper:junos:secintel:structured | None | ### Sourcetype and Index Configuration diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl index 48187f0..0927d87 100644 --- a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl +++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl @@ -36,6 +36,12 @@ log { } elif (program('RT_UTM')) { rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) }; parser {p_add_context_splunk(key("juniper_junos_utm_structured")); }; + } elif (program('RT_AAMW')) { + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:aamw:structured"), index("netfw")) }; + parser {p_add_context_splunk(key("juniper_junos_aamw_structured")); }; + } elif (program('RT_SECINTEL')) { + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:secintel:structured"), index("netfw")) }; + parser {p_add_context_splunk(key("juniper_junos_secintel_structured")); }; } # Legacy Netscreen IDP is handled in the "p_rfc3164-juniper-idp.conf" log path # diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example index 8a77f3d..afffde3 100644 --- a/package/etc/context_templates/splunk_index.csv.example +++ b/package/etc/context_templates/splunk_index.csv.example @@ -44,6 +44,8 @@ #juniper_junos_fw_structured,index,netfw #juniper_junos_ids_structured,index,netids #juniper_junos_utm_structured,index,netfw +#juniper_junos_aamw_structured,index,netfw +#juniper_junos_secintel_structured,index,netfw #juniper_junos_fw,index,netfw #juniper_junos_ids,index,netids #juniper_junos_utm,index,netfw diff --git a/tests/test_juniper_junos_rfc5124.py b/tests/test_juniper_junos_rfc5124.py index 458536c..c7ff8e9 100644 --- a/tests/test_juniper_junos_rfc5124.py +++ b/tests/test_juniper_junos_rfc5124.py @@ -99,4 +99,60 @@ def test_juniper_junos_fw_structured(record_property, setup_wordlist, get_host_k assert resultCount == 1 +# <165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="1.1.1.1" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"] +# @pytest.mark.xfail +def test_juniper_junos_aamw_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): + host = get_host_key + + dt = datetime.datetime.now(datetime.timezone.utc) + iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) + + # Tune time functions + iso = dt.isoformat()[0:23] + epoch = epoch[:-3] + + mt = env.from_string( + "{{ mark }} {{ iso }}Z {{ host }} RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"]") + message = mt.render(mark="<165>1", iso=iso, host=host) + + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:aamw:structured\"") + search = st.render(epoch=epoch, host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 +# <165>1 2007-02-15T09:17:15.719Z secintel1 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="1.1.1.1" source-port="36612" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"] +# @pytest.mark.xfail +def test_juniper_junos_secintel_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): + host = get_host_key + + dt = datetime.datetime.now(datetime.timezone.utc) + iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) + + # Tune time functions + iso = dt.isoformat()[0:23] + epoch = epoch[:-3] + + mt = env.from_string( + "{{ mark }} {{ iso }}Z {{ host }} RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"]") + message = mt.render(mark="<23>1", iso=iso, host=host) + + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + + st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:secintel:structured\"") + search = st.render(epoch=epoch, host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1