Skip to content

Commit

Permalink
fix/juniper (#80)
Browse files Browse the repository at this point in the history
  • Loading branch information
mbonsack authored and Ryan Faircloth committed Sep 4, 2019
1 parent ae7d5c2 commit 82d772d
Show file tree
Hide file tree
Showing 10 changed files with 87 additions and 73 deletions.
5 changes: 2 additions & 3 deletions package/etc/conf.d/conflib/vendor_juniper/junos.conf
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
filter f_juniper_junos {
filter f_juniper_junos_structured {
match('^\[junos@2636' value("SDATA"))
or match('syslog@juniper.net' value("SDATA"))
};

filter f_juniper_junos_legacy {
filter f_juniper_junos_standard {
program("RT_IDP|RT_FLOW|RT_IDS|RT_UTM|Juniper");
};
5 changes: 3 additions & 2 deletions package/etc/conf.d/conflib/vendor_juniper/legacy.conf
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ filter f_juniper_netscreen {

};

filter f_juniper_idp {
match("juniper_idp", value("fields.sc4s_vendor_product") type(glob) );
filter f_juniper_idp {
match("juniper_idp", value("fields.sc4s_vendor_product") type(glob))
or match('^\[syslog@juniper' value("SDATA"))
};
4 changes: 2 additions & 2 deletions package/etc/conf.d/log_paths/p_rfc3164-juniper-idp.conf
Original file line number Diff line number Diff line change
@@ -1,15 +1,15 @@
log {

source(s_default-ports);
filter(f_is_rfc3164);
filter(f_is_rfc5424_strict);
filter(f_juniper_idp);

rewrite { r_set_splunk_dest_default(sourcetype("juniper:idp"), index("netids"))};
parser {
p_add_context_splunk(key("juniper_idp"));
};
rewrite {
r_set_splunk(template("t_standard"))
r_set_splunk(template("t_hdr_sdata_msg"))
};
destination(d_hec); #--HEC--
flags(flow-control);
Expand Down
4 changes: 2 additions & 2 deletions package/etc/conf.d/log_paths/p_rfc3164-juniper-junos.conf
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ log {

source(s_default-ports);
filter(f_is_rfc3164);
filter(f_juniper_junos_legacy);
filter(f_juniper_junos_standard);

if (program('RT_IDP')) {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"))};
Expand All @@ -15,7 +15,7 @@ log {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))};
parser {p_add_context_splunk(key("juniper_junos_flow")); };
} elif (program('RT_IDS')) {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))};
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"))};
parser {p_add_context_splunk(key("juniper_junos_ids")); };
} elif (program('RT_UTM')) {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))};
Expand Down
25 changes: 14 additions & 11 deletions package/etc/conf.d/log_paths/p_rfc_5424_strict-juniper-junos.conf
Original file line number Diff line number Diff line change
Expand Up @@ -6,30 +6,33 @@ log {

source(s_default-ports);
filter(f_is_rfc5424_strict);
filter(f_juniper_junos);
filter(f_juniper_junos_structured);

if (program('RT_IDP')) {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids"))};
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids")) };
parser {p_add_context_splunk(key("juniper_idp")); };
} elif (program('RT_FLOW')) {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw"))};
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) };
parser {p_add_context_splunk(key("juniper_junos_flow")); };
} elif (program('RT_IDS')) {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netids"))};
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netids")) };
parser {p_add_context_splunk(key("juniper_junos_ids")); };
} elif (program('RT_UTM')) {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netids"))};
rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netids")) };
parser {p_add_context_splunk(key("juniper_junos_utm")); };
} elif (program('Jnpr')) {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:idp:structured"), index("netids"))};
parser {p_add_context_splunk(key("juniper_junos_idp")); };
}
}
# Legacy Netscreen IDP is handled in the "p_rfc3164-juniper-idp.conf" log path
#
# } elif (program('Jnpr')) {
# rewrite { r_set_splunk_dest_default(sourcetype("juniper:idp:structured"), index("netids")) };
# parser {p_add_context_splunk(key("juniper_junos_idp")); };
# }
else {
rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netops"))};
rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netops")) };
parser {p_add_context_splunk(key("juniper_structured")); };
};

rewrite { r_set_splunk(template("t_hdr_sdata_msg"))};
rewrite { r_set_splunk(template("t_hdr_sdata_msg")) };
destination(d_hec); #--HEC--


Expand Down
5 changes: 3 additions & 2 deletions package/etc/context-local/splunk_index.csv
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,11 @@
#juniper_idp,index,netids
#juniper_junos_flow,index,netfw
#juniper_junos_ids,index,netids
#juniper_junos_utm,index,netids
#juniper_junos_utm,index,netfw
#juniper_sslvpn,index,netfw
#juniper_netscreen,index,netfw
#juniper_nsm,index,netids
#juniper_nsm,index,netfw
#juniper_nsm_idp,index,netids
#juniper_legacy,index,netops
#pan_traffic,index,netfw
#pan_threat,index,netproxy
Expand Down
24 changes: 0 additions & 24 deletions tests/test_juniper_junos_rfc3164.py
Original file line number Diff line number Diff line change
Expand Up @@ -52,30 +52,6 @@ def test_juniper_firewall_standard(record_property, setup_wordlist, get_host_key

assert resultCount == 1

# <23> Feb 27 15:00:00 vpn-001 Juniper: 2013-02-27 15:00:00 - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[] - Session timed out for xxx@xxx.xxx.xxx/Users (session:00000000) due to inactivity (last access at 13:59:31 2013/02/27). Idle session identified during routine system scan.
# <23> Feb 27 15:00:00 vpn-001 Juniper: 2013-02-27 15:00:00 - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[User_Role] - Remote address for user xxx@xxx.xxx/Users changed from 000.000.000.000 to 000.000.000.000. Access denied.
def test_juniper_sslvpn_standard(record_property, setup_wordlist, get_host_key, setup_splunk):
host = get_host_key

mt = env.from_string(
"{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} {{ host }} Juniper: {% now 'utc', '%Y-%m-%d %H:%M:%S' %} - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[User_Role] - Remote address for user xxx@xxx.xxx/Users changed from 000.000.000.000 to 000.000.000.000. Access denied.")
message = mt.render(mark="<23>", host=host)

sendsingle(message)

st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"juniper:sslvpn\" | head 2")
search = st.render(host=host)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1



def test_juniper_idp_standard(record_property, setup_wordlist, get_host_key, setup_splunk):
host = get_host_key

Expand Down
25 changes: 0 additions & 25 deletions tests/test_juniper_junos_rfc5124.py
Original file line number Diff line number Diff line change
Expand Up @@ -55,31 +55,6 @@ def test_juniper_junos_idp_structured(record_property, setup_wordlist, get_host_

assert resultCount == 1

# <165>1 2010-06-23T18:05:55 10.209.83.9 Jnpr Syslog 23414 1 [syslog@juniper.net dayId="20100623" recordId="0" timeRecv="2010/06/23 18:05:55" timeGen="2010/06/23 18:05:51" domain="" devDomVer2="0" device_ip="10.209.83.9" cat="Config" attack="" srcZn="NULL" srcIntf="" srcAddr="0.0.0.0" srcPort="0" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="0.0.0.0" dstPort="0" natDstAddr="NULL" natDstPort="0" protocol="IP" ruleDomain="" ruleVer="0" policy="" rulebase="NONE" ruleNo="0" action="NONE" severity="INFO" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="0" misc="Interaface eth2,eth3 is in Normal State" user="NULL" app="NULL" uri="NULL"]
# <THIS TEST TENTATIVE PENDING A VALID DATA SAMPLE; NEEDED TO OMIT THE "1" IN THIS TEST SAMPLE (BEFORE [] BLOCK) TO GET IT TO PARSE 5424>
# <VALIDATE BEFORE SHIPPING!>
# <THIS TEST MAY NEED TO BE REWRITTEN AS A "STANDARD" TEST IF THE DATA IS ACTUALLY SENT IN 3164 FORMAT>
# @pytest.mark.xfail
def test_juniper_idp_structured(record_property, setup_wordlist, get_host_key, setup_splunk):
host = get_host_key

mt = env.from_string(
"{{ mark }} {% now 'utc', '%Y-%m-%dT%H:%M:%S' %}.700Z {{ host }} Jnpr Syslog 23414 [syslog@juniper.net dayId=\"20100623\" recordId=\"0\" timeRecv=\"2010/06/23 18:05:55\" timeGen=\"2010/06/23 18:05:51\" domain=\"\" devDomVer2=\"0\" device_ip=\"10.209.83.9\" cat=\"Config\" attack=\"\" srcZn=\"NULL\" srcIntf=\"\" srcAddr=\"0.0.0.0\" srcPort=\"0\" natSrcAddr=\"NULL\" natSrcPort=\"0\" dstZn=\"NULL\" dstIntf=\"NULL\" dstAddr=\"0.0.0.0\" dstPort=\"0\" natDstAddr=\"NULL\" natDstPort=\"0\" protocol=\"IP\" ruleDomain=\"\" ruleVer=\"0\" policy=\"\" rulebase=\"NONE\" ruleNo=\"0\" action=\"NONE\" severity=\"INFO\" alert=\"no\" elaspedTime=\"0\" inbytes=\"0\" outbytes=\"0\" totBytes=\"0\" inPak=\"0\" outPak=\"0\" totPak=\"0\" repCount=\"0\" packetData=\"no\" varEnum=\"0\" misc=\"Interaface eth2,eth3 is in Normal State\" user=\"NULL\" app=\"NULL\" uri=\"NULL\"]")
message = mt.render(mark="<165>1", host=host)

sendsingle(message)

st = env.from_string("search index=netids host=\"{{ host }}\" sourcetype=\"juniper:idp:structured\" | head 2")
search = st.render(host=host)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1

# <134> Aug 02 14:45:04 10.0.0.1 65.197.254.193 20090320, 17331, 2009/03/20 14:47:45, 2009/03/20 14:47:50, global, 53, [FW NAME], [FW IP], traffic, traffic log, trust, (NULL), 10.1.1.20, 1725, 82.2.19.2, 2383, untrust, (NULL), 84.5.78.4, 80, 84.53.178.64, 80, tcp, global, 53, [FW NAME], fw/vpn, 4, accepted, info, no, Creation, (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 1, no, 0, Not Set, sos
# @pytest.mark.xfail
def test_juniper_junos_fw_structured(record_property, setup_wordlist, get_host_key, setup_splunk):
Expand Down
29 changes: 27 additions & 2 deletions tests/test_juniper.py → tests/test_juniper_legacy.py
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ def test_juniper_nsm_idp_standard(record_property, setup_wordlist, get_host_key,

# <23> Apr 24 12:30:05 cs-loki3 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, ANOMALY Attack log <64.1.2.1/48397->198.87.233.110/80> for TCP protocol and service HTTP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:INVALID:MSNG-HTTP-VER, NAT <46.0.3.254:55870->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/2.0->untrust:fe-0/0/3.0, packet-log-id: 0 and misc-message -
# <23> Mar 18 17:56:52 [FW IP] [FW Model]: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time="2009-03-18 16:07:06" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1
def test_juniper_netscreen(record_property, setup_wordlist, get_host_key, setup_splunk):
def test_juniper_netscreen_fw(record_property, setup_wordlist, get_host_key, setup_splunk):
host = get_host_key

mt = env.from_string(
Expand All @@ -77,9 +77,34 @@ def test_juniper_netscreen(record_property, setup_wordlist, get_host_key, setup_

assert resultCount == 1

# <165>1 2010-06-23T18:05:55 10.209.83.9 Jnpr Syslog 23414 1 [syslog@juniper.net dayId="20100623" recordId="0" timeRecv="2010/06/23 18:05:55" timeGen="2010/06/23 18:05:51" domain="" devDomVer2="0" device_ip="10.209.83.9" cat="Config" attack="" srcZn="NULL" srcIntf="" srcAddr="0.0.0.0" srcPort="0" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="0.0.0.0" dstPort="0" natDstAddr="NULL" natDstPort="0" protocol="IP" ruleDomain="" ruleVer="0" policy="" rulebase="NONE" ruleNo="0" action="NONE" severity="INFO" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="0" misc="Interaface eth2,eth3 is in Normal State" user="NULL" app="NULL" uri="NULL"]
# <THIS TEST IS TENTATIVE PENDING A VALID DATA SAMPLE; NEEDED TO OMIT THE "1" IN THIS TEST SAMPLE (BEFORE [] BLOCK) TO GET IT TO PARSE 5424>
# <VALIDATE BEFORE SHIPPING!>
# <THIS TEST MAY NEED TO BE REWRITTEN AS A "STANDARD" TEST IF THE DATA IS ACTUALLY SENT IN 3164 FORMAT>
# @pytest.mark.xfail
def test_juniper_idp_structured(record_property, setup_wordlist, get_host_key, setup_splunk):
host = get_host_key

mt = env.from_string(
"{{ mark }} {% now 'utc', '%Y-%m-%dT%H:%M:%S' %}.700Z {{ host }} Jnpr Syslog 23414 [syslog@juniper.net dayId=\"20100623\" recordId=\"0\" timeRecv=\"2010/06/23 18:05:55\" timeGen=\"2010/06/23 18:05:51\" domain=\"\" devDomVer2=\"0\" device_ip=\"10.209.83.9\" cat=\"Config\" attack=\"\" srcZn=\"NULL\" srcIntf=\"\" srcAddr=\"0.0.0.0\" srcPort=\"0\" natSrcAddr=\"NULL\" natSrcPort=\"0\" dstZn=\"NULL\" dstIntf=\"NULL\" dstAddr=\"0.0.0.0\" dstPort=\"0\" natDstAddr=\"NULL\" natDstPort=\"0\" protocol=\"IP\" ruleDomain=\"\" ruleVer=\"0\" policy=\"\" rulebase=\"NONE\" ruleNo=\"0\" action=\"NONE\" severity=\"INFO\" alert=\"no\" elaspedTime=\"0\" inbytes=\"0\" outbytes=\"0\" totBytes=\"0\" inPak=\"0\" outPak=\"0\" totPak=\"0\" repCount=\"0\" packetData=\"no\" varEnum=\"0\" misc=\"Interaface eth2,eth3 is in Normal State\" user=\"NULL\" app=\"NULL\" uri=\"NULL\"]")
message = mt.render(mark="<165>1", host=host)

sendsingle(message)

st = env.from_string("search index=netids host=\"{{ host }}\" sourcetype=\"juniper:idp\" | head 2")
search = st.render(host=host)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1

# <23> Apr 24 12:30:05 cs-loki3 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, ANOMALY Attack log <64.1.2.1/48397->198.87.233.110/80> for TCP protocol and service HTTP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:INVALID:MSNG-HTTP-VER, NAT <46.0.3.254:55870->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/2.0->untrust:fe-0/0/3.0, packet-log-id: 0 and misc-message -
# <23> Mar 18 17:56:52 [FW IP] [FW Model]: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time="2009-03-18 16:07:06" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1
def test_juniper_netscreen_singleport(record_property, setup_wordlist, get_host_key, setup_splunk):
def test_juniper_netscreen_fw_singleport(record_property, setup_wordlist, get_host_key, setup_splunk):
host = get_host_key

mt = env.from_string(
Expand Down
34 changes: 34 additions & 0 deletions tests/test_juniper_sslvpn.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# Copyright 2019 Splunk, Inc.
#
# Use of this source code is governed by a BSD-2-clause-style
# license that can be found in the LICENSE-BSD2 file or at
# https://opensource.org/licenses/BSD-2-Clause

from jinja2 import Environment

from .sendmessage import *
from .splunkutils import *

env = Environment(extensions=['jinja2_time.TimeExtension'])

# <23> Feb 27 15:00:00 vpn-001 Juniper: 2013-02-27 15:00:00 - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[] - Session timed out for xxx@xxx.xxx.xxx/Users (session:00000000) due to inactivity (last access at 13:59:31 2013/02/27). Idle session identified during routine system scan.
# <23> Feb 27 15:00:00 vpn-001 Juniper: 2013-02-27 15:00:00 - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[User_Role] - Remote address for user xxx@xxx.xxx/Users changed from 000.000.000.000 to 000.000.000.000. Access denied.
def test_juniper_sslvpn_standard(record_property, setup_wordlist, get_host_key, setup_splunk):
host = get_host_key

mt = env.from_string(
"{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} {{ host }} Juniper: {% now 'utc', '%Y-%m-%d %H:%M:%S' %} - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[User_Role] - Remote address for user xxx@xxx.xxx/Users changed from 000.000.000.000 to 000.000.000.000. Access denied.")
message = mt.render(mark="<23>", host=host)

sendsingle(message)

st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"juniper:sslvpn\" | head 2")
search = st.render(host=host)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1

0 comments on commit 82d772d

Please sign in to comment.