From 82d772d3e51518173a326ec5f5686e3483924811 Mon Sep 17 00:00:00 2001 From: mbonsack Date: Wed, 4 Sep 2019 14:08:28 -0700 Subject: [PATCH] fix/juniper (#80) --- .../conf.d/conflib/vendor_juniper/junos.conf | 5 ++- .../conf.d/conflib/vendor_juniper/legacy.conf | 5 +-- .../log_paths/p_rfc3164-juniper-idp.conf | 4 +-- .../log_paths/p_rfc3164-juniper-junos.conf | 4 +-- .../p_rfc_5424_strict-juniper-junos.conf | 25 ++++++++------ package/etc/context-local/splunk_index.csv | 5 +-- tests/test_juniper_junos_rfc3164.py | 24 ------------- tests/test_juniper_junos_rfc5124.py | 25 -------------- ...test_juniper.py => test_juniper_legacy.py} | 29 ++++++++++++++-- tests/test_juniper_sslvpn.py | 34 +++++++++++++++++++ 10 files changed, 87 insertions(+), 73 deletions(-) rename tests/{test_juniper.py => test_juniper_legacy.py} (71%) create mode 100644 tests/test_juniper_sslvpn.py diff --git a/package/etc/conf.d/conflib/vendor_juniper/junos.conf b/package/etc/conf.d/conflib/vendor_juniper/junos.conf index 49ae1de..4c259e3 100644 --- a/package/etc/conf.d/conflib/vendor_juniper/junos.conf +++ b/package/etc/conf.d/conflib/vendor_juniper/junos.conf @@ -1,8 +1,7 @@ -filter f_juniper_junos { +filter f_juniper_junos_structured { match('^\[junos@2636' value("SDATA")) - or match('syslog@juniper.net' value("SDATA")) }; -filter f_juniper_junos_legacy { +filter f_juniper_junos_standard { program("RT_IDP|RT_FLOW|RT_IDS|RT_UTM|Juniper"); }; \ No newline at end of file diff --git a/package/etc/conf.d/conflib/vendor_juniper/legacy.conf b/package/etc/conf.d/conflib/vendor_juniper/legacy.conf index 8ec73a3..27b3f52 100644 --- a/package/etc/conf.d/conflib/vendor_juniper/legacy.conf +++ b/package/etc/conf.d/conflib/vendor_juniper/legacy.conf @@ -14,6 +14,7 @@ filter f_juniper_netscreen { }; -filter f_juniper_idp { - match("juniper_idp", value("fields.sc4s_vendor_product") type(glob) ); + filter f_juniper_idp { + match("juniper_idp", value("fields.sc4s_vendor_product") type(glob)) + or match('^\[syslog@juniper' value("SDATA")) }; diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper-idp.conf b/package/etc/conf.d/log_paths/p_rfc3164-juniper-idp.conf index 68a37e7..82c9ecd 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper-idp.conf +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper-idp.conf @@ -1,7 +1,7 @@ log { source(s_default-ports); - filter(f_is_rfc3164); + filter(f_is_rfc5424_strict); filter(f_juniper_idp); rewrite { r_set_splunk_dest_default(sourcetype("juniper:idp"), index("netids"))}; @@ -9,7 +9,7 @@ log { p_add_context_splunk(key("juniper_idp")); }; rewrite { - r_set_splunk(template("t_standard")) + r_set_splunk(template("t_hdr_sdata_msg")) }; destination(d_hec); #--HEC-- flags(flow-control); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper-junos.conf b/package/etc/conf.d/log_paths/p_rfc3164-juniper-junos.conf index 97b67b5..b0106ca 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper-junos.conf +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper-junos.conf @@ -6,7 +6,7 @@ log { source(s_default-ports); filter(f_is_rfc3164); - filter(f_juniper_junos_legacy); + filter(f_juniper_junos_standard); if (program('RT_IDP')) { rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"))}; @@ -15,7 +15,7 @@ log { rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netfw"))}; parser {p_add_context_splunk(key("juniper_junos_flow")); }; } elif (program('RT_IDS')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp"), index("netids"))}; parser {p_add_context_splunk(key("juniper_junos_ids")); }; } elif (program('RT_UTM')) { rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall"), index("netids"))}; diff --git a/package/etc/conf.d/log_paths/p_rfc_5424_strict-juniper-junos.conf b/package/etc/conf.d/log_paths/p_rfc_5424_strict-juniper-junos.conf index edb9eb5..36505fb 100644 --- a/package/etc/conf.d/log_paths/p_rfc_5424_strict-juniper-junos.conf +++ b/package/etc/conf.d/log_paths/p_rfc_5424_strict-juniper-junos.conf @@ -6,30 +6,33 @@ log { source(s_default-ports); filter(f_is_rfc5424_strict); - filter(f_juniper_junos); + filter(f_juniper_junos_structured); if (program('RT_IDP')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:idp:structured"), index("netids")) }; parser {p_add_context_splunk(key("juniper_idp")); }; } elif (program('RT_FLOW')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netfw")) }; parser {p_add_context_splunk(key("juniper_junos_flow")); }; } elif (program('RT_IDS')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netids")) }; parser {p_add_context_splunk(key("juniper_junos_ids")); }; } elif (program('RT_UTM')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netids"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:junos:firewall:structured"), index("netids")) }; parser {p_add_context_splunk(key("juniper_junos_utm")); }; - } elif (program('Jnpr')) { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:idp:structured"), index("netids"))}; - parser {p_add_context_splunk(key("juniper_junos_idp")); }; - } + } +# Legacy Netscreen IDP is handled in the "p_rfc3164-juniper-idp.conf" log path +# +# } elif (program('Jnpr')) { +# rewrite { r_set_splunk_dest_default(sourcetype("juniper:idp:structured"), index("netids")) }; +# parser {p_add_context_splunk(key("juniper_junos_idp")); }; +# } else { - rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netops"))}; + rewrite { r_set_splunk_dest_default(sourcetype("juniper:structured"), index("netops")) }; parser {p_add_context_splunk(key("juniper_structured")); }; }; - rewrite { r_set_splunk(template("t_hdr_sdata_msg"))}; + rewrite { r_set_splunk(template("t_hdr_sdata_msg")) }; destination(d_hec); #--HEC-- diff --git a/package/etc/context-local/splunk_index.csv b/package/etc/context-local/splunk_index.csv index b734cf1..aa92083 100644 --- a/package/etc/context-local/splunk_index.csv +++ b/package/etc/context-local/splunk_index.csv @@ -9,10 +9,11 @@ #juniper_idp,index,netids #juniper_junos_flow,index,netfw #juniper_junos_ids,index,netids -#juniper_junos_utm,index,netids +#juniper_junos_utm,index,netfw #juniper_sslvpn,index,netfw #juniper_netscreen,index,netfw -#juniper_nsm,index,netids +#juniper_nsm,index,netfw +#juniper_nsm_idp,index,netids #juniper_legacy,index,netops #pan_traffic,index,netfw #pan_threat,index,netproxy diff --git a/tests/test_juniper_junos_rfc3164.py b/tests/test_juniper_junos_rfc3164.py index 5fcca2e..b127814 100644 --- a/tests/test_juniper_junos_rfc3164.py +++ b/tests/test_juniper_junos_rfc3164.py @@ -52,30 +52,6 @@ def test_juniper_firewall_standard(record_property, setup_wordlist, get_host_key assert resultCount == 1 -# <23> Feb 27 15:00:00 vpn-001 Juniper: 2013-02-27 15:00:00 - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[] - Session timed out for xxx@xxx.xxx.xxx/Users (session:00000000) due to inactivity (last access at 13:59:31 2013/02/27). Idle session identified during routine system scan. -# <23> Feb 27 15:00:00 vpn-001 Juniper: 2013-02-27 15:00:00 - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[User_Role] - Remote address for user xxx@xxx.xxx/Users changed from 000.000.000.000 to 000.000.000.000. Access denied. -def test_juniper_sslvpn_standard(record_property, setup_wordlist, get_host_key, setup_splunk): - host = get_host_key - - mt = env.from_string( - "{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} {{ host }} Juniper: {% now 'utc', '%Y-%m-%d %H:%M:%S' %} - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[User_Role] - Remote address for user xxx@xxx.xxx/Users changed from 000.000.000.000 to 000.000.000.000. Access denied.") - message = mt.render(mark="<23>", host=host) - - sendsingle(message) - - st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"juniper:sslvpn\" | head 2") - search = st.render(host=host) - - resultCount, eventCount = splunk_single(setup_splunk, search) - - record_property("host", host) - record_property("resultCount", resultCount) - record_property("message", message) - - assert resultCount == 1 - - - def test_juniper_idp_standard(record_property, setup_wordlist, get_host_key, setup_splunk): host = get_host_key diff --git a/tests/test_juniper_junos_rfc5124.py b/tests/test_juniper_junos_rfc5124.py index 978c9a9..2e0b4e1 100644 --- a/tests/test_juniper_junos_rfc5124.py +++ b/tests/test_juniper_junos_rfc5124.py @@ -55,31 +55,6 @@ def test_juniper_junos_idp_structured(record_property, setup_wordlist, get_host_ assert resultCount == 1 -# <165>1 2010-06-23T18:05:55 10.209.83.9 Jnpr Syslog 23414 1 [syslog@juniper.net dayId="20100623" recordId="0" timeRecv="2010/06/23 18:05:55" timeGen="2010/06/23 18:05:51" domain="" devDomVer2="0" device_ip="10.209.83.9" cat="Config" attack="" srcZn="NULL" srcIntf="" srcAddr="0.0.0.0" srcPort="0" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="0.0.0.0" dstPort="0" natDstAddr="NULL" natDstPort="0" protocol="IP" ruleDomain="" ruleVer="0" policy="" rulebase="NONE" ruleNo="0" action="NONE" severity="INFO" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="0" misc="Interaface eth2,eth3 is in Normal State" user="NULL" app="NULL" uri="NULL"] -# -# -# -# @pytest.mark.xfail -def test_juniper_idp_structured(record_property, setup_wordlist, get_host_key, setup_splunk): - host = get_host_key - - mt = env.from_string( - "{{ mark }} {% now 'utc', '%Y-%m-%dT%H:%M:%S' %}.700Z {{ host }} Jnpr Syslog 23414 [syslog@juniper.net dayId=\"20100623\" recordId=\"0\" timeRecv=\"2010/06/23 18:05:55\" timeGen=\"2010/06/23 18:05:51\" domain=\"\" devDomVer2=\"0\" device_ip=\"10.209.83.9\" cat=\"Config\" attack=\"\" srcZn=\"NULL\" srcIntf=\"\" srcAddr=\"0.0.0.0\" srcPort=\"0\" natSrcAddr=\"NULL\" natSrcPort=\"0\" dstZn=\"NULL\" dstIntf=\"NULL\" dstAddr=\"0.0.0.0\" dstPort=\"0\" natDstAddr=\"NULL\" natDstPort=\"0\" protocol=\"IP\" ruleDomain=\"\" ruleVer=\"0\" policy=\"\" rulebase=\"NONE\" ruleNo=\"0\" action=\"NONE\" severity=\"INFO\" alert=\"no\" elaspedTime=\"0\" inbytes=\"0\" outbytes=\"0\" totBytes=\"0\" inPak=\"0\" outPak=\"0\" totPak=\"0\" repCount=\"0\" packetData=\"no\" varEnum=\"0\" misc=\"Interaface eth2,eth3 is in Normal State\" user=\"NULL\" app=\"NULL\" uri=\"NULL\"]") - message = mt.render(mark="<165>1", host=host) - - sendsingle(message) - - st = env.from_string("search index=netids host=\"{{ host }}\" sourcetype=\"juniper:idp:structured\" | head 2") - search = st.render(host=host) - - resultCount, eventCount = splunk_single(setup_splunk, search) - - record_property("host", host) - record_property("resultCount", resultCount) - record_property("message", message) - - assert resultCount == 1 - # <134> Aug 02 14:45:04 10.0.0.1 65.197.254.193 20090320, 17331, 2009/03/20 14:47:45, 2009/03/20 14:47:50, global, 53, [FW NAME], [FW IP], traffic, traffic log, trust, (NULL), 10.1.1.20, 1725, 82.2.19.2, 2383, untrust, (NULL), 84.5.78.4, 80, 84.53.178.64, 80, tcp, global, 53, [FW NAME], fw/vpn, 4, accepted, info, no, Creation, (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 1, no, 0, Not Set, sos # @pytest.mark.xfail def test_juniper_junos_fw_structured(record_property, setup_wordlist, get_host_key, setup_splunk): diff --git a/tests/test_juniper.py b/tests/test_juniper_legacy.py similarity index 71% rename from tests/test_juniper.py rename to tests/test_juniper_legacy.py index 46e7468..b2898af 100644 --- a/tests/test_juniper.py +++ b/tests/test_juniper_legacy.py @@ -57,7 +57,7 @@ def test_juniper_nsm_idp_standard(record_property, setup_wordlist, get_host_key, # <23> Apr 24 12:30:05 cs-loki3 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, ANOMALY Attack log <64.1.2.1/48397->198.87.233.110/80> for TCP protocol and service HTTP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:INVALID:MSNG-HTTP-VER, NAT <46.0.3.254:55870->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/2.0->untrust:fe-0/0/3.0, packet-log-id: 0 and misc-message - # <23> Mar 18 17:56:52 [FW IP] [FW Model]: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time="2009-03-18 16:07:06" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1 -def test_juniper_netscreen(record_property, setup_wordlist, get_host_key, setup_splunk): +def test_juniper_netscreen_fw(record_property, setup_wordlist, get_host_key, setup_splunk): host = get_host_key mt = env.from_string( @@ -77,9 +77,34 @@ def test_juniper_netscreen(record_property, setup_wordlist, get_host_key, setup_ assert resultCount == 1 +# <165>1 2010-06-23T18:05:55 10.209.83.9 Jnpr Syslog 23414 1 [syslog@juniper.net dayId="20100623" recordId="0" timeRecv="2010/06/23 18:05:55" timeGen="2010/06/23 18:05:51" domain="" devDomVer2="0" device_ip="10.209.83.9" cat="Config" attack="" srcZn="NULL" srcIntf="" srcAddr="0.0.0.0" srcPort="0" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="0.0.0.0" dstPort="0" natDstAddr="NULL" natDstPort="0" protocol="IP" ruleDomain="" ruleVer="0" policy="" rulebase="NONE" ruleNo="0" action="NONE" severity="INFO" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="0" misc="Interaface eth2,eth3 is in Normal State" user="NULL" app="NULL" uri="NULL"] +# +# +# +# @pytest.mark.xfail +def test_juniper_idp_structured(record_property, setup_wordlist, get_host_key, setup_splunk): + host = get_host_key + + mt = env.from_string( + "{{ mark }} {% now 'utc', '%Y-%m-%dT%H:%M:%S' %}.700Z {{ host }} Jnpr Syslog 23414 [syslog@juniper.net dayId=\"20100623\" recordId=\"0\" timeRecv=\"2010/06/23 18:05:55\" timeGen=\"2010/06/23 18:05:51\" domain=\"\" devDomVer2=\"0\" device_ip=\"10.209.83.9\" cat=\"Config\" attack=\"\" srcZn=\"NULL\" srcIntf=\"\" srcAddr=\"0.0.0.0\" srcPort=\"0\" natSrcAddr=\"NULL\" natSrcPort=\"0\" dstZn=\"NULL\" dstIntf=\"NULL\" dstAddr=\"0.0.0.0\" dstPort=\"0\" natDstAddr=\"NULL\" natDstPort=\"0\" protocol=\"IP\" ruleDomain=\"\" ruleVer=\"0\" policy=\"\" rulebase=\"NONE\" ruleNo=\"0\" action=\"NONE\" severity=\"INFO\" alert=\"no\" elaspedTime=\"0\" inbytes=\"0\" outbytes=\"0\" totBytes=\"0\" inPak=\"0\" outPak=\"0\" totPak=\"0\" repCount=\"0\" packetData=\"no\" varEnum=\"0\" misc=\"Interaface eth2,eth3 is in Normal State\" user=\"NULL\" app=\"NULL\" uri=\"NULL\"]") + message = mt.render(mark="<165>1", host=host) + + sendsingle(message) + + st = env.from_string("search index=netids host=\"{{ host }}\" sourcetype=\"juniper:idp\" | head 2") + search = st.render(host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 + # <23> Apr 24 12:30:05 cs-loki3 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, ANOMALY Attack log <64.1.2.1/48397->198.87.233.110/80> for TCP protocol and service HTTP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:INVALID:MSNG-HTTP-VER, NAT <46.0.3.254:55870->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/2.0->untrust:fe-0/0/3.0, packet-log-id: 0 and misc-message - # <23> Mar 18 17:56:52 [FW IP] [FW Model]: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time="2009-03-18 16:07:06" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1 -def test_juniper_netscreen_singleport(record_property, setup_wordlist, get_host_key, setup_splunk): +def test_juniper_netscreen_fw_singleport(record_property, setup_wordlist, get_host_key, setup_splunk): host = get_host_key mt = env.from_string( diff --git a/tests/test_juniper_sslvpn.py b/tests/test_juniper_sslvpn.py new file mode 100644 index 0000000..e301be1 --- /dev/null +++ b/tests/test_juniper_sslvpn.py @@ -0,0 +1,34 @@ +# Copyright 2019 Splunk, Inc. +# +# Use of this source code is governed by a BSD-2-clause-style +# license that can be found in the LICENSE-BSD2 file or at +# https://opensource.org/licenses/BSD-2-Clause + +from jinja2 import Environment + +from .sendmessage import * +from .splunkutils import * + +env = Environment(extensions=['jinja2_time.TimeExtension']) + +# <23> Feb 27 15:00:00 vpn-001 Juniper: 2013-02-27 15:00:00 - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[] - Session timed out for xxx@xxx.xxx.xxx/Users (session:00000000) due to inactivity (last access at 13:59:31 2013/02/27). Idle session identified during routine system scan. +# <23> Feb 27 15:00:00 vpn-001 Juniper: 2013-02-27 15:00:00 - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[User_Role] - Remote address for user xxx@xxx.xxx/Users changed from 000.000.000.000 to 000.000.000.000. Access denied. +def test_juniper_sslvpn_standard(record_property, setup_wordlist, get_host_key, setup_splunk): + host = get_host_key + + mt = env.from_string( + "{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} {{ host }} Juniper: {% now 'utc', '%Y-%m-%d %H:%M:%S' %} - ive - [000.000.000.000] SAMPLE::xxx@xxx.xxx(Users)[User_Role] - Remote address for user xxx@xxx.xxx/Users changed from 000.000.000.000 to 000.000.000.000. Access denied.") + message = mt.render(mark="<23>", host=host) + + sendsingle(message) + + st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"juniper:sslvpn\" | head 2") + search = st.render(host=host) + + resultCount, eventCount = splunk_single(setup_splunk, search) + + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1