Merge pull request #437 from jashah-splunk/master

Added support of AAMW and SECINTEL sourcetype
CSVD · May 7, 2020 · 6616d9e · 6616d9e
2 parents 9d01492 + 30c20f5
commit 6616d9e
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 2 deletions.
diff --git a/docs/sources/Juniper/index.md b/docs/sources/Juniper/index.md
@@ -12,7 +12,11 @@
 | sourcetype               | notes                                                            |
 |--------------------------|------------------------------------------------------------------|
 | juniper:junos:firewall   | None                                                             |
-| juniper:junos:idp        | None                                                             |
+| juniper:junos:firewall:structured   | None                                                             |
+| juniper:junos:idp   | None                                                             |
+| juniper:junos:idp:structured   | None                                                             |
+| juniper:junos:aamw:structured   | None                                                             |
+| juniper:junos:secintel:structured   | None                                                             |
 
 ### Sourcetype and Index Configuration
 

diff --git a/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl b/package/etc/conf.d/log_paths/lp-juniper_junos_structured.conf.tmpl
@@ -36,6 +36,12 @@ log {
     } elif (program('RT_UTM')) {
         rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
         parser {p_add_context_splunk(key("juniper_junos_utm_structured")); };
+    } elif (program('RT_AAMW')) {
+        rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:aamw:structured"), index("netfw")) };
+        parser {p_add_context_splunk(key("juniper_junos_aamw_structured")); };
+    } elif (program('RT_SECINTEL')) {
+        rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:secintel:structured"), index("netfw")) };
+        parser {p_add_context_splunk(key("juniper_junos_secintel_structured")); };
     }
 # Legacy Netscreen IDP is handled in the "p_rfc3164-juniper-idp.conf" log path
 #
@@ -54,7 +60,7 @@ log {
     #We want to unset the fields we won't need, as this is copied into the
     #disk queue for network destinations. This can be very disk expensive
     #if we don't
-    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); };
+    rewrite { set("$(template ${.splunk.sc4s_template} $(template t_hdr_sdata_msg))" value("MSG")); };
 
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_JUNOS_STRUCTURED_HEC" "no")) }}
     destination(d_hec);

diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
@@ -45,6 +45,8 @@
 #juniper_junos_fw_structured,index,netfw
 #juniper_junos_ids_structured,index,netids
 #juniper_junos_utm_structured,index,netfw
+#juniper_junos_aamw_structured,index,netfw
+#juniper_junos_secintel_structured,index,netfw
 #juniper_junos_fw,index,netfw
 #juniper_junos_ids,index,netids
 #juniper_junos_utm,index,netfw

diff --git a/tests/test_juniper_junos_rfc5124.py b/tests/test_juniper_junos_rfc5124.py
@@ -99,4 +99,60 @@ def test_juniper_junos_fw_structured(record_property, setup_wordlist, get_host_k
 
     assert resultCount == 1
 
+# <165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="1.1.1.1" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"]
+# @pytest.mark.xfail
+def test_juniper_junos_aamw_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
+    host = get_host_key
+
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    iso = dt.isoformat()[0:23]
+    epoch = epoch[:-3]
+
+    mt = env.from_string(
+        "{{ mark }} {{ iso }}Z {{ host }} RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"]")
+    message = mt.render(mark="<165>1", iso=iso, host=host)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:aamw:structured\"")
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1
 
+# <165>1 2007-02-15T09:17:15.719Z secintel1 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="1.1.1.1" source-port="36612" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"]
+# @pytest.mark.xfail
+def test_juniper_junos_secintel_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
+    host = get_host_key
+
+    dt = datetime.datetime.now(datetime.timezone.utc)
+    iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+    # Tune time functions
+    iso = dt.isoformat()[0:23]
+    epoch = epoch[:-3]
+
+    mt = env.from_string(
+        "{{ mark }} {{ iso }}Z {{ host }} RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"]")
+    message = mt.render(mark="<23>1", iso=iso, host=host)
+
+    sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+    st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:secintel:structured\"")
+    search = st.render(epoch=epoch, host=host)
+
+    resultCount, eventCount = splunk_single(setup_splunk, search)
+
+    record_property("host", host)
+    record_property("resultCount", resultCount)
+    record_property("message", message)
+
+    assert resultCount == 1