diff --git a/docs/configuration.md b/docs/configuration.md index 7544efb..c498ea9 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -157,15 +157,11 @@ page in this section: | key | sourcetype | index | notes | |------------------------|---------------------|----------------|---------------| | juniper_netscreen | netscreen:firewall | netfw | none | -| juniper_idp | juniper:idp | netfw | none | Here is a snippet from the `splunk_indexes.csv` file: ```bash -#juniper_sslvpn,index,netfw juniper_netscreen,index,ns_index -#juniper_nsm,index,netfw - ``` The columns in this file are `key`, `metadata`, and `value`. By default, the keys in this file are "commented out", but in reality CSV files diff --git a/docs/sources/Juniper/index.md b/docs/sources/Juniper/index.md index f8fccff..a94aedf 100644 --- a/docs/sources/Juniper/index.md +++ b/docs/sources/Juniper/index.md 
@@ -59,59 +59,6 @@ index= sourcetype=juniper:junos:idp | stats count by host Verify timestamp, and host values match as expected -## Product - Juniper NSM - -| Ref | Link | -|----------------|-------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| NSM syslog KB | http://kb.juniper.net/InfoCenter/index?page=content&id=KB11810 | - -### Sourcetypes - -| sourcetype | notes | -|------------------|-----------------------------------------------------------------------| -| juniper:nsm | None | -| juniper:nsm:idp | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|------------------------|---------------------|----------------|---------------| -| juniper_nsm | juniper:nsm | netfw | none | -| juniper_nsm_idp | juniper:nsm:idp | netids | none | - -### Filter type - -* Juniper NSM products must be identified by host or ip assignment. Update the filter `f_juniper_nsm` or `f_juniper_nsm_idp` as required - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. 
-* Follow vendor configuration steps per Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_NSM_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_JUNIPER_NSM_TLS_PORT | empty string | Enable at TLS port for this specific vendor product using the number defined | -| SC4S_LISTEN_JUNIPER_NSM_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | -| SC4S_ARCHIVE_JUNIPER_NSM | no | Enable archive to disk for this specific source | -| SC4S_DEST_JUNIPER_NSM_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present; for Juniper NSM ensure each host filter condition is verified - -``` -index= sourcetype=juniper:nsm | stats count by host -index= sourcetype=juniper:nsm:idp | stats count by host -``` - -Verify timestamp, and host values match as expected - ## Product - Juniper Netscreen | Ref | Link | @@ -124,18 +71,16 @@ Verify timestamp, and host values match as expected | sourcetype | notes | |-------------------------|------------------------------------------------------------------------------------------------| | netscreen:firewall | None | -| juniper:idp | None | ### Sourcetype and Index Configuration | key | sourcetype | index | notes | |------------------------|---------------------|----------------|---------------| | juniper_netscreen | netscreen:firewall | netfw | none | -| juniper_idp | juniper:idp | netfw | none | ### Filter type -* Juniper Netscreen products must be identified by host or ip assignment. Update the filter `f_juniper_netscreen` or `f_juniper_idp` as required +* Juniper Netscreen products must be identified by host or ip assignment. Update the filter `f_juniper_netscreen` as required ### Setup and Configuration 
@@ -160,57 +105,6 @@ Use the following search to validate events are present; for Juniper Netscreen p ``` index= sourcetype=netscreen:firewall | stats count by host -index= sourcetype=juniper:idp | stats count by host -``` - -Verify timestamp, and host values match as expected - -## Product - Juniper SSLVPN - -| Ref | Link | -|------------------|-------------------------------------------------------------------------| -| Splunk Add-on | https://splunkbase.splunk.com/app/2847/ | -| Pulse Secure KB | https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22227 | - -### Sourcetypes - -| sourcetype | notes | -|------------------|-----------------------------------------------------------------------| -| juniper:sslvpn | None | - -### Sourcetype and Index Configuration - -| key | sourcetype | index | notes | -|------------------------|---------------------|----------------|---------------| -| juniper_sslvpn | juniper:sslvpn | netfw | none | - -### Filter type - -* MSG Parse: This filter parses message content - - -### Setup and Configuration - -* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer. -* Review and update the splunk_index.csv file and set the index as required. 
-* Follow vendor configuration steps per referenced Product Manual - -### Options - -| Variable | default | description | -|----------------|----------------|----------------| -| SC4S_LISTEN_JUNIPER_JUNOS_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | -| SC4S_LISTEN_JUNIPER_JUNOS_TLS_PORT | empty string | Enable a TLS port for this specific vendor product using the number defined | -| SC4S_LISTEN_JUNIPER_JUNOS_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using the number defined | -| SC4S_ARCHIVE_JUNIPER_JUNOS | no | Enable archive to disk for this specific source | -| SC4S_DEST_JUNIPER_JUNOS_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | - -### Verification - -Use the following search to validate events are present; for Juniper SSL VPN ensure each host filter condition is verified - -``` -index= sourcetype=juniper:sslvpn | stats count by host ``` Verify timestamp, and host values match as expected diff --git a/package/etc/conf.d/filters/juniper/legacy.conf b/package/etc/conf.d/filters/juniper/legacy.conf index 50383ab..c86b219 100644 --- a/package/etc/conf.d/filters/juniper/legacy.conf +++ b/package/etc/conf.d/filters/juniper/legacy.conf @@ -1,20 +1,6 @@ -filter f_juniper_nsm { - match("^juniper_nsm$", value("fields.sc4s_vendor_product")); - -}; -filter f_juniper_nsm_idp { - match("juniper_nsm_idp", value("fields.sc4s_vendor_product") type(glob) ); - -}; - filter f_juniper_netscreen { match("juniper_netscreen", value("fields.sc4s_vendor_product") type(glob) ); }; - -filter f_juniper_idp { - match("juniper_idp", value("fields.sc4s_vendor_product") type(glob)) - or match('^\[syslog@juniper' value("SDATA")) -}; diff --git a/package/etc/conf.d/log_paths/lp-juniper_idp.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_idp.conf.tmpl deleted file mode 100644 index 969c250..0000000 
--- a/package/etc/conf.d/log_paths/lp-juniper_idp.conf.tmpl
+++ /dev/null
@@ -1,49 +0,0 @@
-# Juniper IDP
-{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "JUNIPER_IDP" "parser" "rfc5424_strict" }}
-{{- tmpl.Exec "t/source_network.t" $context }}
-
-log {
- junction {
-{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_IDP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_IDP_TLS_PORT")) }}
- channel {
- # Listen on the specified dedicated port(s) for JUNIPER_IDP traffic
- source (s_JUNIPER_IDP);
- flags (final);
- };
-{{- end}}
- channel {
- # Listen on the default port (typically 514) for JUNIPER_IDP traffic
- source (s_DEFAULT);
- filter(f_is_rfc5424_strict);
- filter(f_juniper_idp);
- flags(final);
- };
- };
-
- rewrite {
- set("juniper_idp", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("juniper:idp"), index("netids"))
- };
- parser { p_add_context_splunk(key("juniper_idp")); };
- parser (compliance_meta_by_source);
- rewrite { set("$(template ${.splunk.sc4s_template} $(template t_hdr_sdata_msg))" value("MSG")); };
-
-{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_JUNIPER_IDP_HEC" "no")) }}
- destination(d_hec);
-{{- end}}
-
-{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_JUNIPER_IDP" "no")) }}
- destination(d_archive);
-{{- end}}
-
-{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
- {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
-{{- end }}
-
-{{- if (print (getenv "SC4S_DEST_JUNIPER_IDP_ALTERNATES")) }}
- {{ getenv "SC4S_DEST_JUNIPER_IDP_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
-{{- end }}
-
- flags(flow-control,final);
-};
diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
index f2a7120..432c393 100644
--- a/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos.conf.tmpl
@@ -37,9 +37,6 @@ log {
 } elif (program('RT_UTM')) {
 rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))};
 parser {p_add_context_splunk(key("juniper_junos_utm")); };
- } elif (program('Juniper')) {
- rewrite { r_set_splunk_dest_default(sourcetype("juniper:sslvpn"), index("netfw"))};
- parser {p_add_context_splunk(key("juniper_sslvpn")); };
 } else {
 rewrite { r_set_splunk_dest_default(sourcetype("juniper:legacy"), index("netops"))};
 parser {p_add_context_splunk(key("juniper_legacy")); };
diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
index 0927d87..8f4371b 100644
--- a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
@@ -42,14 +42,7 @@ log {
 } elif (program('RT_SECINTEL')) {
 rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:secintel:structured"), index("netfw")) };
 parser {p_add_context_splunk(key("juniper_junos_secintel_structured")); };
- }
-# Legacy Netscreen IDP is handled in the "p_rfc3164-juniper-idp.conf" log path
-#
-# } elif (program('Jnpr')) {
-# rewrite { r_set_splunk_dest_default(sourcetype("juniper:idp:structured"), index("netids")) };
-# parser {p_add_context_splunk(key("juniper_junos_idp")); };
-# }
- else {
+ } else {
 rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netops")) };
 parser {p_add_context_splunk(key("juniper_structured")); };
 };
diff --git a/package/etc/conf.d/log_paths/lp-juniper_nsm.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_nsm.conf.tmpl
deleted file mode 100644
index 9ac7cfd..0000000
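Review bot: The new `} else {` in lp-juniper_junos_structured.conf.tmpl now absorbs the RFC5424 IDP events the removed code used to handle — the deleted `f_juniper_idp` filter matched `^\[syslog@juniper` in SDATA and its log path sent those events to `index("netids")`, so IDS alerts carrying `[syslog@juniper.net ...]` structured data presumably now receive `juniper:structured` / `netops` here, where searches scoped to `netids` will no longer see them, and nothing in the hunk records that reclassification. If dropping IDP support is the intent, annotate the branch so the fall-through is not mistaken for an oversight, e.g. `# Juniper IDP/NSM support removed; Jnpr structured-data events fall through to juniper:structured here`. If it is not, keep a narrow `elif (program('Jnpr'))` that preserves the `netids` destination and add a test using the removed `[syslog@juniper.net ...]` sample to pin where such an event lands. The enclosing `log { ... }` block starts and ends outside the hunk.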
--- a/package/etc/conf.d/log_paths/lp-juniper_nsm.conf.tmpl
+++ /dev/null
@@ -1,49 +0,0 @@
-# Juniper NSM
-{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "JUNIPER_NSM" "parser" "rfc3164" }}
-{{- tmpl.Exec "t/source_network.t" $context }}
-
-log {
- junction {
-{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_TLS_PORT")) }}
- channel {
- # Listen on the specified dedicated port(s) for JUNIPER_NSM traffic
- source (s_JUNIPER_NSM);
- flags (final);
- };
-{{- end}}
- channel {
- # Listen on the default port (typically 514) for JUNIPER_NSM traffic
- source (s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_juniper_nsm);
- flags(final);
- };
- };
-
- rewrite {
- set("juniper_nsm", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("juniper:nsm"), index("netfw"))
- };
- parser { p_add_context_splunk(key("juniper_nsm")); };
- parser (compliance_meta_by_source);
- rewrite { set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); };
-
-{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_JUNIPER_NSM_HEC" "no")) }}
- destination(d_hec);
-{{- end}}
-
-{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_JUNIPER_NSM" "no")) }}
- destination(d_archive);
-{{- end}}
-
-{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
- {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
-{{- end }}
-
-{{- if (print (getenv "SC4S_DEST_JUNIPER_NSM_ALTERNATES")) }}
- {{ getenv "SC4S_DEST_JUNIPER_NSM_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
-{{- end }}
-
- flags(flow-control,final);
-};
diff --git a/package/etc/conf.d/log_paths/lp-juniper_nsm_idp.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_nsm_idp.conf.tmpl
deleted file mode 100644
index e9f58e0..0000000
--- a/package/etc/conf.d/log_paths/lp-juniper_nsm_idp.conf.tmpl
+++ /dev/null
@@ -1,48 +0,0 @@
-# Juniper NSM IDP
-{{- /* The following provides a unique port source configuration if env var(s) are set */}}
-{{- $context := dict "port_id" "JUNIPER_NSM_IDP" "parser" "rfc3164" }}
-{{- tmpl.Exec "t/source_network.t" $context }}
-
-log {
- junction {
-{{- if or (or (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TCP_PORT")) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_UDP_PORT"))) (getenv (print "SC4S_LISTEN_JUNIPER_NSM_IDP_TLS_PORT")) }}
- channel {
- # Listen on the specified dedicated port(s) for JUNIPER_NSM_IDP traffic
- source (s_JUNIPER_NSM_IDP);
- flags (final);
- };
-{{- end}}
- channel {
- # Listen on the default port (typically 514) for JUNIPER_NSM_IDP traffic
- source (s_DEFAULT);
- filter(f_is_rfc3164);
- filter(f_juniper_nsm_idp);
- flags(final);
- };
- };
-
- rewrite {
- set("juniper_nsm_idp", value("fields.sc4s_vendor_product"));
- r_set_splunk_dest_default(sourcetype("juniper:nsm:idp"), index("netids"))
- };
- parser { p_add_context_splunk(key("juniper_nsm_idp")); };
- rewrite { set("$(template ${.splunk.sc4s_template} $(template t_standard))" value("MSG")); };
-
-{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_JUNIPER_NSM_IDP_HEC" "no")) }}
- destination(d_hec);
-{{- end}}
-
-{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_JUNIPER_NSM_IDP" "no")) }}
- destination(d_archive);
-{{- end}}
-
-{{- if (print (getenv "SC4S_DEST_GLOBAL_ALTERNATES")) }}
- {{ getenv "SC4S_DEST_GLOBAL_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
-{{- end }}
-
-{{- if (print (getenv "SC4S_DEST_JUNIPER_NSM_IDP_ALTERNATES")) }}
- {{ getenv "SC4S_DEST_JUNIPER_NSM_IDP_ALTERNATES" | regexp.ReplaceLiteral "^" "destination(" | regexp.ReplaceLiteral "[, ]+" ");\n destination(" }});
-{{- end }}
-
- flags(flow-control,final);
-};
diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
index f447021..4165197 100644
--- a/package/etc/context_templates/splunk_index.csv.example
+++ b/package/etc/context_templates/splunk_index.csv.example
@@ -50,10 +50,7 @@
 #juniper_junos_fw,index,netfw
 #juniper_junos_ids,index,netids
 #juniper_junos_utm,index,netfw
-#juniper_sslvpn,index,netfw
 #juniper_netscreen,index,netfw
-#juniper_nsm,index,netfw
-#juniper_nsm_idp,index,netids
 #juniper_legacy,index,netops
 #mcafee_epo,index,epav
 #nix_syslog,index,osnix
diff --git a/package/etc/context_templates/vendor_product_by_source.conf.example b/package/etc/context_templates/vendor_product_by_source.conf.example
index 8e27762..7e4af94 100644
--- a/package/etc/context_templates/vendor_product_by_source.conf.example
+++ b/package/etc/context_templates/vendor_product_by_source.conf.example
@@ -19,22 +19,10 @@ filter f_dell_rsa_secureid {
 host("test_rsasecureid*" type(glob))
 #or netmask(xxx.xxx.xxx.xxx/xx)
 };
-filter f_juniper_idp {
- host("jnpidp-*" type(glob))
- #or netmask(xxx.xxx.xxx.xxx/xx)
-};
 filter f_juniper_netscreen {
 host("jnpns-*" type(glob))
 #or netmask(xxx.xxx.xxx.xxx/xx)
 };
-filter f_juniper_nsm {
- host("jnpnsm-*" type(glob))
- #or netmask(xxx.xxx.xxx.xxx/xx)
-};
-filter f_juniper_nsm_idp {
- host("jnpnsmidp-*" type(glob))
- #or netmask(xxx.xxx.xxx.xxx/xx)
-};
 filter f_cisco_meraki {
 host("testcm-*" type(glob))
 #or netmask(xxx.xxx.xxx.xxx/xx)
diff --git a/package/etc/context_templates/vendor_product_by_source.csv.example b/package/etc/context_templates/vendor_product_by_source.csv.example
index d1e29bd..7792118 100644
--- a/package/etc/context_templates/vendor_product_by_source.csv.example
+++ b/package/etc/context_templates/vendor_product_by_source.csv.example
@@ -8,9 +8,6 @@ f_citrix_netscaler,sc4s_vendor_product,"citrix_netscaler"
 f_dell_rsa_secureid,sc4s_vendor_product,"dell_rsa_secureid"
 f_f5_bigip,sc4s_vendor_product,"f5_bigip"
 f_infoblox,sc4s_vendor_product,"infoblox"
-f_juniper_nsm,sc4s_vendor_product,"juniper_nsm"
-f_juniper_nsm_idp,sc4s_vendor_product,"juniper_nsm_idp"
-f_juniper_idp,sc4s_vendor_product,"juniper_idp"
 f_juniper_netscreen,sc4s_vendor_product,"juniper_netscreen"
 f_cisco_nx_os,sc4s_vendor_product,"cisco_nx_os"
 f_pfsense,sc4s_vendor_product,"pfsense"
diff --git a/tests/test_juniper_legacy.py b/tests/test_juniper_legacy.py
index 3d19206..32cd91b 100644
--- a/tests/test_juniper_legacy.py
+++ b/tests/test_juniper_legacy.py
@@ -12,61 +12,6 @@ env = Environment() -# <134> Aug 02 14:45:04 10.0.0.1 65.197.254.193 20090320, 17331, 2009/03/20 14:47:45, 2009/03/20 14:47:50, global, 53, [FW NAME], [FW IP], traffic, traffic log, trust, (NULL), 10.1.1.20, 1725, 82.2.19.2, 2383, untrust, (NULL), 84.5.78.4, 80, 84.53.178.64, 80, tcp, global, 53, [FW NAME], fw/vpn, 4, accepted, info, no, Creation, (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 1, no, 0, Not Set, sos -def test_juniper_nsm_standard(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): - host = get_host_key - - dt = datetime.datetime.now() - iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) - - # Tune time functions - epoch = epoch[:-7] - - mt = env.from_string( - "{{ mark }} {{ bsd }} jnpnsm-{{ host }} 65.197.254.193 20090320, 17331, 2009/03/20 14:47:45, 2009/03/20 14:47:50, global, 53, [FW NAME], [FW IP], traffic, traffic log, trust, (NULL), 10.1.1.20, 1725, 82.2.19.2, 2383, untrust, (NULL), 84.5.78.4, 80, 84.53.178.64, 80, tcp, global, 53, [FW NAME], fw/vpn, 4, accepted, info, no, Creation, (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 1, no, 0, Not Set, sos") - message = mt.render(mark="<134>", bsd=bsd, host=host) - - sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - - st = env.from_string("search _time={{ epoch }} index=netfw host=\"jnpnsm-{{ host }}\" sourcetype=\"juniper:nsm\"") - search = st.render(epoch=epoch, host=host) - - resultCount, eventCount = splunk_single(setup_splunk, search) - - record_property("host", host) - record_property("resultCount", resultCount) - record_property("message", message) - - assert resultCount == 1 - -# THE LOG SAMPLE BELOW IS IMPLIED FROM THE JUNIPER DOCS; need to obtain a real sample. 
-# <134> Aug 02 14:45:04 10.0.0.1 65.197.254.193 20090320, 17331, 2009/03/20 14:47:45, 2009/03/20 14:47:50, global, 53, [IDP NAME], [IDP IP], predefined, rule, trust, (NULL), 10.1.1.20, 1725, 82.2.19.2, 2383, untrust, (NULL), 84.5.78.4, 80, 84.53.178.64, 80, tcp, global, 53, [IDP NAME], fw/vpn, 4, accepted, info, no, Creation, (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 1, no, 0, Not Set, sos -def test_juniper_nsm_idp_standard(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): - host = get_host_key - - dt = datetime.datetime.now() - iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) - - # Tune time functions - epoch = epoch[:-7] - - mt = env.from_string( - "{{ mark }} {{ bsd }} jnpnsmidp-{{ host }} 65.197.254.193 20090320, 17331, 2009/03/20 14:47:45, 2009/03/20 14:47:50, global, 53, [IDP NAME], [IDP IP], predefined, rule, trust, (NULL), 10.1.1.20, 1725, 82.2.19.2, 2383, untrust, (NULL), 84.5.78.4, 80, 84.53.178.64, 80, tcp, global, 53, [IDP NAME], fw/vpn, 4, accepted, info, no, Creation, (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 1, no, 0, Not Set, sos") - message = mt.render(mark="<134>", bsd=bsd, host=host) - - sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - - st = env.from_string("search _time={{ epoch }} index=netids host=\"jnpnsmidp-{{ host }}\" sourcetype=\"juniper:nsm:idp\"") - search = st.render(epoch=epoch, host=host) - - resultCount, eventCount = splunk_single(setup_splunk, search) - - record_property("host", host) - record_property("resultCount", resultCount) - record_property("message", message) - - assert resultCount == 1 - # <23> Apr 24 12:30:05 cs-loki3 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, ANOMALY Attack log <64.1.2.1/48397->198.87.233.110/80> for TCP protocol and service HTTP application NONE by rule 3 of rulebase IPS in policy Recommended. 
attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:INVALID:MSNG-HTTP-VER, NAT <46.0.3.254:55870->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/2.0->untrust:fe-0/0/3.0, packet-log-id: 0 and misc-message - # <23> Mar 18 17:56:52 [FW IP] [FW Model]: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time="2009-03-18 16:07:06" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1 def test_juniper_netscreen_fw(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): 
@@ -95,38 +40,6 @@ def test_juniper_netscreen_fw(record_property, setup_wordlist, get_host_key, set assert resultCount == 1 -# <165>1 2010-06-23T18:05:55 10.209.83.9 Jnpr Syslog 23414 1 [syslog@juniper.net dayId="20100623" recordId="0" timeRecv="2010/06/23 18:05:55" timeGen="2010/06/23 18:05:51" domain="" devDomVer2="0" device_ip="10.209.83.9" cat="Config" attack="" srcZn="NULL" srcIntf="" srcAddr="0.0.0.0" srcPort="0" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="0.0.0.0" dstPort="0" natDstAddr="NULL" natDstPort="0" protocol="IP" ruleDomain="" ruleVer="0" policy="" rulebase="NONE" ruleNo="0" action="NONE" severity="INFO" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="0" misc="Interaface eth2,eth3 is in Normal State" user="NULL" app="NULL" uri="NULL"] -# -# -# -# @pytest.mark.xfail -def test_juniper_idp_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): - host = get_host_key - - dt = datetime.datetime.now(datetime.timezone.utc) - iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) - - # Tune time functions - iso = dt.isoformat()[0:23] - epoch = epoch[:-3] - - mt = env.from_string( - "{{ mark }} {{ iso }}Z {{ host }} Jnpr Syslog 23414 [syslog@juniper.net dayId=\"20100623\" recordId=\"0\" timeRecv=\"2010/06/23 18:05:55\" timeGen=\"2010/06/23 18:05:51\" domain=\"\" devDomVer2=\"0\" device_ip=\"10.209.83.9\" cat=\"Config\" attack=\"\" srcZn=\"NULL\" srcIntf=\"\" srcAddr=\"0.0.0.0\" srcPort=\"0\" natSrcAddr=\"NULL\" natSrcPort=\"0\" dstZn=\"NULL\" dstIntf=\"NULL\" dstAddr=\"0.0.0.0\" dstPort=\"0\" natDstAddr=\"NULL\" natDstPort=\"0\" protocol=\"IP\" ruleDomain=\"\" ruleVer=\"0\" policy=\"\" rulebase=\"NONE\" ruleNo=\"0\" action=\"NONE\" severity=\"INFO\" alert=\"no\" elaspedTime=\"0\" inbytes=\"0\" outbytes=\"0\" totBytes=\"0\" inPak=\"0\" outPak=\"0\" totPak=\"0\" repCount=\"0\" packetData=\"no\" varEnum=\"0\" 
misc=\"Interaface eth2,eth3 is in Normal State\" user=\"NULL\" app=\"NULL\" uri=\"NULL\"]") - message = mt.render(mark="<165>1", iso=iso, host=host) - - sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - - st = env.from_string("search _time={{ epoch }} index=netids host=\"{{ host }}\" sourcetype=\"juniper:idp\"") - search = st.render(epoch=epoch, host=host) - - resultCount, eventCount = splunk_single(setup_splunk, search) - - record_property("host", host) - record_property("resultCount", resultCount) - record_property("message", message) - - assert resultCount == 1 - # <23> Apr 24 12:30:05 cs-loki3 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, ANOMALY Attack log <64.1.2.1/48397->198.87.233.110/80> for TCP protocol and service HTTP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:INVALID:MSNG-HTTP-VER, NAT <46.0.3.254:55870->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/2.0->untrust:fe-0/0/3.0, packet-log-id: 0 and misc-message - # <23> Mar 18 17:56:52 [FW IP] [FW Model]: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time="2009-03-18 16:07:06" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1 def test_juniper_netscreen_fw_singleport(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): diff --git a/tests/test_juniper_sslvpn.py b/tests/test_juniper_sslvpn.py deleted file mode 100644 index df1b55a..0000000 --- a/tests/test_juniper_sslvpn.py +++ /dev/null 
@@ -1,42 +0,0 @@
-# Copyright 2019 Splunk, Inc.
-#
-# Use of this source code is governed by a BSD-2-clause-style
-# license that can be found in the LICENSE-BSD2 file or at
-# https://opensource.org/licenses/BSD-2-Clause
-
-from jinja2 import Environment
-
-from .sendmessage import *
-from .splunkutils import *
-from .timeutils import *
-
-env = Environment()
-
-# <23> Feb 27 15:00:00 vpn-001 Juniper: 2013-02-27 15:00:00 - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[] - Session timed out for xxx@xxx.xxx.xxx/Users (session:00000000) due to inactivity (last access at 13:59:31 2013/02/27). Idle session identified during routine system scan.
-# <23> Feb 27 15:00:00 vpn-001 Juniper: 2013-02-27 15:00:00 - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[User_Role] - Remote address for user xxx@xxx.xxx/Users changed from 000.000.000.000 to 000.000.000.000. Access denied.
-def test_juniper_sslvpn_standard(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
- host = get_host_key
-
- dt = datetime.datetime.now()
- iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
-
- # Tune time functions
- time = time[:-7]
- epoch = epoch[:-7]
-
- mt = env.from_string(
- "{{ mark }} {{ bsd }} {{ host }} Juniper: {{ date }} {{ time }} - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[User_Role] - Remote address for user xxx@xxx.xxx/Users changed from 000.000.000.000 to 000.000.000.000. Access denied.")
- message = mt.render(mark="<23>", bsd=bsd, host=host, date=date, time=time)
-
- sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
-
- st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"juniper:sslvpn\"")
- search = st.render(epoch=epoch, host=host)
-
- resultCount, eventCount = splunk_single(setup_splunk, search)
-
- record_property("host", host)
- record_property("resultCount", resultCount)
- record_property("message", message)
-
- assert resultCount == 1