-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Add Proofpoint PPS filter support
- Loading branch information
mbonsack
authored and
Ryan Faircloth
committed
Sep 28, 2019
1 parent
57e7243
commit 991b77e
Showing
9 changed files
with
210 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| # Proofpoint | ||
|
|
||
| filter f_proofpoint_pps_filter { | ||
| match("proofpoint_pps_filter", value("fields.sc4s_vendor_product") type(glob)) or | ||
| ( | ||
| ( | ||
| match('^(background|cvt|filter|pps)_instance\d+$' value("PROGRAM") type("pcre")) or | ||
| match('^\/opt\/proofpoint\/pps-\d\.\d\.\d\.\d+\/\S' value("PROGRAM") type("pcre")) or | ||
| match('^queued-(alert|default|reinject|released)$' value("PROGRAM") type("pcre")) | ||
| ) and | ||
| match('^rprt\s' value(MESSAGE) type("pcre")) | ||
| ); | ||
| }; | ||
|
|
||
| filter f_proofpoint_pps_sendmail { | ||
| match('sendmail' value("PROGRAM") type("pcre")) and | ||
| match("proofpoint_pps_sendmail", value("fields.sc4s_vendor_product") type(glob)); | ||
| }; |
32 changes: 32 additions & 0 deletions
32
package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_filter.conf.tmpl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| # Proofpoint | ||
| {{- if (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_TLS_PORT") "no") "no") }} | ||
| {{ $context := dict "port_id" "PROOFPOINT_PPS_FILTER" "parser" "common" }} | ||
| {{ tmpl.Exec "t/source_network.t" $context }} | ||
| {{- end -}} | ||
| {{ define "log_path" }} | ||
| log { | ||
| {{- if eq (.) "yes" }} | ||
| source(s_default-ports); | ||
| filter(f_proofpoint_pps_filter); | ||
| {{- end }} | ||
| {{- if eq (.) "no" }} | ||
| source (s_dedicated_port_PROOFPOINT_PPS_FILTER); | ||
| {{- end }} | ||
|
|
||
| rewrite { r_set_splunk_dest_default(sourcetype("pps_filter_log"), index("email"), template("t_msg_only"))}; | ||
| parser { | ||
| p_add_context_splunk(key("proofpoint_pps_filter")); | ||
| }; | ||
|
|
||
| destination(d_hec); #--HEC-- | ||
|
|
||
| flags(flow-control); | ||
| }; | ||
| {{- end}} | ||
| {{- if (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_FILTER_TLS_PORT") "no") "no") }} | ||
| # Listen on the specified dedicated port(s) for PROOFPOINT_PPS_FILTER traffic | ||
| {{ tmpl.Exec "log_path" "no" }} | ||
| {{- end}} | ||
|
|
||
| # Listen on the default port (typically 514) for PROOFPOINT_PPS_FILTER traffic | ||
| {{ tmpl.Exec "log_path" "yes" }} |
32 changes: 32 additions & 0 deletions
32
package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps_sendmail.conf.tmpl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| # Proofpoint | ||
| {{- if (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_TLS_PORT") "no") "no") }} | ||
| {{ $context := dict "port_id" "PROOFPOINT_PPS_SENDMAIL" "parser" "common" }} | ||
| {{ tmpl.Exec "t/source_network.t" $context }} | ||
| {{- end -}} | ||
| {{ define "log_path" }} | ||
| log { | ||
| {{- if eq (.) "yes" }} | ||
| source(s_default-ports); | ||
| filter(f_proofpoint_pps_sendmail); | ||
| {{- end }} | ||
| {{- if eq (.) "no" }} | ||
| source (s_dedicated_port_PROOFPOINT_PPS_SENDMAIL); | ||
| {{- end }} | ||
|
|
||
| rewrite { r_set_splunk_dest_default(sourcetype("pps_mail_log"), index("email"), template("t_msg_only"))}; | ||
| parser { | ||
| p_add_context_splunk(key("proofpoint_pps_sendmail")); | ||
| }; | ||
|
|
||
| destination(d_hec); #--HEC-- | ||
|
|
||
| flags(flow-control); | ||
| }; | ||
| {{- end}} | ||
| {{- if (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_PROOFPOINT_PPS_SENDMAIL_TLS_PORT") "no") "no") }} | ||
| # Listen on the specified dedicated port(s) for PROOFPOINT_PPS_SENDMAIL traffic | ||
| {{ tmpl.Exec "log_path" "no" }} | ||
| {{- end}} | ||
|
|
||
| # Listen on the default port (typically 514) for PROOFPOINT_PPS_SENDMAIL traffic | ||
| {{ tmpl.Exec "log_path" "yes" }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| # Copyright 2019 Splunk, Inc. | ||
| # | ||
| # Use of this source code is governed by a BSD-2-clause-style | ||
| # license that can be found in the LICENSE-BSD2 file or at | ||
| # https://opensource.org/licenses/BSD-2-Clause | ||
|
|
||
| from jinja2 import Environment | ||
|
|
||
| from .sendmessage import * | ||
| from .splunkutils import * | ||
|
|
||
| env = Environment(extensions=['jinja2_time.TimeExtension']) | ||
|
|
||
|
|
||
| # Apr 17 18:33:26 aplegw01 filter_instance1[195529]: rprt s=2hdryp02r6 m=1 x=2hdryp02r6-1 cmd=send profile=mail qid=w3HMWjG3039079 rcpts=rfaircloth@splunk.com | ||
| def test_proofpoint_pps_filter(record_property, setup_wordlist, get_host_key, setup_splunk): | ||
| host = get_host_key | ||
|
|
||
| mt = env.from_string( | ||
| "{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} {{ host }} filter_instance1[195529]: rprt s=2hdryp02r6 m=1 x=2hdryp02r6-1 cmd=send profile=mail qid=w3HMWjG3039079 rcpts=rfaircloth@splunk.com\n") | ||
| message = mt.render(mark="<166>", host=host) | ||
|
|
||
| sendsingle(message) | ||
|
|
||
| st = env.from_string("search index=email host=\"{{ host }}\" sourcetype=\"pps_filter_log\" | head 2") | ||
| search = st.render(host=host) | ||
|
|
||
| resultCount, eventCount = splunk_single(setup_splunk, search) | ||
|
|
||
| record_property("host", host) | ||
| record_property("resultCount", resultCount) | ||
| record_property("message", message) | ||
|
|
||
| assert resultCount == 1 | ||
|
|
||
| # Apr 17 18:35:26 aplegw02 sendmail[56106]: w3HMZPVT056101: to=<rfaircloth@splunk.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, tls_verify=FAIL, pri=133527, relay=mx1.splunk.iphmx.com. [216.71.153.223], dsn=2.0.0, stat=Sent (ok: Message 22675962 accepted) | ||
| def test_proofpoint_pps_mail(record_property, setup_wordlist, get_host_key, setup_splunk): | ||
| host = get_host_key | ||
|
|
||
| mt = env.from_string( | ||
| "{{ mark }} {% now 'utc', '%b %d %H:%M:%S' %} pps-{{ host }} sendmail[195529]: w3HMZPVT056101: to=<rfaircloth@splunk.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, tls_verify=FAIL, pri=133527, relay=mx1.splunk.iphmx.com. [216.71.153.223], dsn=2.0.0, stat=Sent (ok: Message 22675962 accepted)\n") | ||
| message = mt.render(mark="<166>", host=host) | ||
|
|
||
| sendsingle(message) | ||
|
|
||
| st = env.from_string("search index=email host=\"pps-{{ host }}\" sourcetype=\"pps_mail_log\" | head 2") | ||
| search = st.render(host=host) | ||
|
|
||
| resultCount, eventCount = splunk_single(setup_splunk, search) | ||
|
|
||
| record_property("host", host) | ||
| record_property("resultCount", resultCount) | ||
| record_property("message", message) | ||
|
|
||
| assert resultCount == 1 | ||
|
|