diff --git a/docs/configuration.md b/docs/configuration.md
index d4e8af5..16305cc 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -103,6 +103,7 @@ and/or move them to an archival system to avoid exhaustion of disk space.
 | SC4S_SOURCE_TCP_IW_SIZE | 20000000 | Initial Window size |
 | SC4S_SOURCE_TCP_FETCH_LIMIT | 2000 | Number of events to fetch from server buffer at once |
 | SC4S_SOURCE_UDP_SO_RCVBUFF | 1703936 | UDP server buffer size in bytes. Make sure that the host OS kernel is configured [similarly](gettingstarted/index.md#prerequisites). |
+| SC4S_SOURCE_LISTEN_UDP_SOCKETS | 5 | Number of kernel sockets per active UDP port, which configures multi-threading of the UDP input buffer in the kernel to prevent packet loss. Total UDP input buffer is the multiple of SC4S_SOURCE_LISTEN_UDP_SOCKETS * SC4S_SOURCE_UDP_SO_RCVBUFF |
 | SC4S_SOURCE_STORE_RAWMSG | undefined or "no" | Store unprocessed "on the wire" raw message in the RAWMSG macro for use with the "fallback" sourcetype. Do _not_ set this in production; substantial memory and disk overhead will result. Use for log path/filter development only. |
 ## Syslog Source TLS Certificate Configuration
@@ -228,7 +229,7 @@ docker stack deploy --compose-file docker-compose.yml sc4s
 ## Dropping all data by ip or subnet
 In some cases rogue or port-probing data can be sent to SC4S from misconfigured devices or vulnerability scanners. Update
-the `vendor_product_by_source.conf` filter `f_catch_first` with one or more ip/subnet masks to drop events without
+the `vendor_product_by_source.conf` filter `f_null_queue` with one or more ip/subnet masks to drop events without
 logging. Note that drop metrics will be recorded.
diff --git a/docs/sources/Cisco/index.md b/docs/sources/Cisco/index.md
index ae72697..bec8942 100644
--- a/docs/sources/Cisco/index.md
+++ b/docs/sources/Cisco/index.md
@@ -97,7 +97,7 @@ index= sourcetype=cisco:apic:*
 Verify timestamp, and host values match as expected
-## Product - ASA (Pre Firepower)
+## Product - ASA AND FTD (Firepower)
 | Ref | Link |
 |----------------|---------------------------------------------------------------------------------------------------------|
@@ -109,7 +109,7 @@ Verify timestamp, and host values match as expected
 | sourcetype | notes |
 |----------------|---------------------------------------------------------------------------------------------------------|
-| cisco:asa | None |
+| cisco:asa | cisco FTD Firepower will also use this source type |
 | cisco:pix | Not supported |
 | cisco:fwsm | Not supported |
diff --git a/package/etc/conf.d/filters/checkpoint/splunk.conf b/package/etc/conf.d/filters/checkpoint/splunk.conf
index 87643d1..df1919b 100644
--- a/package/etc/conf.d/filters/checkpoint/splunk.conf
+++ b/package/etc/conf.d/filters/checkpoint/splunk.conf
@@ -1,6 +1,8 @@
 filter f_checkpoint_splunk {
 match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("MSG") type("pcre")) or
- match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("LEGACY_MSGHDR") type("pcre"));
+ match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("LEGACY_MSGHDR") type("pcre")) or
+ match('|product\=Syslog\|ifdir=inbound\|loguid\=' value("MSG") type("pcre")) or
+ match('|product\=Syslog\|ifdir=inbound\|loguid\=' value("LEGACY_MSGHDR") type("pcre"));
 };
 filter f_checkpoint_splunk_alerts {
@@ -55,4 +57,7 @@ filter f_checkpoint_splunk_NetworkTraffic {
 };
 filter f_checkpoint_splunk_Web {
 match('*Url Filtering*' value('.kv.product') type('glob'))
+};
+filter f_checkpoint_splunk_syslog {
+ match('Syslog' value('.kv.product') type('glob'))
 };
\ No newline at end of file
diff --git a/package/etc/conf.d/filters/cisco/asa.conf b/package/etc/conf.d/filters/cisco/asa.conf
index a7ac9b7..cda9eed 100644
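Review bot: The two new `match()` lines in `f_checkpoint_splunk` begin the PCRE with an unescaped `|`, so `|product\=Syslog\|ifdir=inbound\|loguid\=` is an alternation whose first branch is empty and matches every message; the filter therefore becomes true for all traffic that reaches it, not only for Check Point Syslog-product records, whereas the sibling patterns above escape the leading delimiter as `\|`. Change both to `match('\|product\=Syslog\|ifdir\=inbound\|loguid\=' value("MSG") type("pcre"))` and the same for `LEGACY_MSGHDR`. The `ifdir=inbound` literal also pins one direction; if these records can carry other `ifdir` values they would fall through, so matching on `\|product\=Syslog\|` together with `\|loguid\=` may be the safer key — confirm against real samples. The filter is complete within the hunk.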
--- a/package/etc/conf.d/filters/cisco/asa.conf
+++ b/package/etc/conf.d/filters/cisco/asa.conf
@@ -1,8 +1,11 @@
 filter f_cisco_asa {
 message('^%ASA-\d+-\d{1,10}: ') or
- match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
+ match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR")) or
+ message('^%FTD-\d+-\d{1,10}: ') or
+ match('^%FTD-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
 };
 filter f_cisco_asa_nohost {
- match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
+ match('^%ASA-\d+-\d{1,10}:', value("LEGACY_MSGHDR"))
+ or match('^%FTD-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));
 };
diff --git a/package/etc/conf.d/filters/misc/catchfirst.conf b/package/etc/conf.d/filters/misc/catchfirst.conf
deleted file mode 100644
index 9005f11..0000000
--- a/package/etc/conf.d/filters/misc/catchfirst.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-#f_catch_first
-filter f_catch_first {
- match("^catch_first", value("fields.sc4s_vendor_product"));
-
-};
\ No newline at end of file
diff --git a/package/etc/conf.d/filters/misc/null_queue.conf b/package/etc/conf.d/filters/misc/null_queue.conf
new file mode 100644
index 0000000..561a2a8
--- /dev/null
+++ b/package/etc/conf.d/filters/misc/null_queue.conf
@@ -0,0 +1,5 @@
+#f_null_queue
+filter f_null_queue {
+ match("^null_queue", value("fields.sc4s_vendor_product"));
+
+};
\ No newline at end of file
diff --git a/package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl b/package/etc/conf.d/log_paths/lp-aaa-null_queue.conf.tmpl
similarity index 85%
rename from package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl
rename to package/etc/conf.d/log_paths/lp-aaa-null_queue.conf.tmpl
index b8fac16..41ce1ee 100644
--- a/package/etc/conf.d/log_paths/lp-aaa-catch_first.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-aaa-null_queue.conf.tmpl
@@ -2,7 +2,7 @@
 # vulnerability scanners to be ignored
 log {
- filter(f_catch_first);
+ filter(f_null_queue);
 flags(catchall,final);
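Review bot: `f_cisco_asa` and `f_cisco_asa_nohost` now carry the same regex four times with only the product token differing, so a future change to the message-ID part (`\d+-\d{1,10}`) has to be repeated in four places and the two filters can drift apart. One alternation keeps them in step: `message('^%(?:ASA|FTD)-\d+-\d{1,10}: ') or` / `match('^%(?:ASA|FTD)-\d+-\d{1,10}:', value("LEGACY_MSGHDR"));` in the first filter, and the single `match()` alone in `_nohost`. A one-line comment above `f_cisco_asa` saying that FTD (Firepower) devices emit `%FTD-` with the same message-ID layout as `%ASA-` would explain why one filter covers both. Both filters are complete within the hunk.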
diff --git a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl
index 07f0aff..673b11c 100644
--- a/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-checkpoint_splunk.conf.tmpl
@@ -22,9 +22,70 @@ log {
 };
 if {
+ parser {
+ kv-parser(prefix(".kv.") pair-separator("|") template("${MSGHDR} ${MSG}"));
+ date-parser-nofilter(format("%s") template("${.kv.time}"));
+ };
+ rewrite {
+ set("${.kv.hostname}", value("HOST"));
+ set("checkpoint_splunk", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("cp_log"), index("netops"))
+ };
+
+ parser {p_add_context_splunk(key("checkpoint_splunk")); };
+
+ if {
+ filter(f_checkpoint_splunk_NetworkTraffic);
+ rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netfw"))};
+ parser {p_add_context_splunk(key("checkpoint_splunk_firewall")); };
+ } elif {
+ filter(f_checkpoint_splunk_Web);
+ rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"), index("netproxy"))};
+ parser {p_add_context_splunk(key("checkpoint_splunk_web")); };
+ } elif {
+ filter(f_checkpoint_splunk_NetworkSessions);
+ rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"), index("netops"))};
+ parser {p_add_context_splunk(key("checkpoint_splunk_sessions")); };
+ } elif {
+ filter(f_checkpoint_splunk_IDS_Malware);
+ rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"), index("netids"))};
+ parser {p_add_context_splunk(key("checkpoint_splunk_ids")); };
+ } elif {
+ filter(f_checkpoint_splunk_IDS);
+ rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"), index("netids"))};
+ parser {p_add_context_splunk(key("checkpoint_splunk_ids")); };
+ } elif {
+ filter(f_checkpoint_splunk_email);
+ rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"), index("email"))};
+ parser {p_add_context_splunk(key("checkpoint_splunk_email")); };
+ } elif {
+ filter(f_checkpoint_splunk_DLP);
+ rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"))};
+ parser {p_add_context_splunk(key("checkpoint_splunk_dlp")); };
+ } elif {
+ filter(f_checkpoint_splunk_syslog);
+ if {
+ parser {
+ syslog-parser(template("${.kv.default_device_message}") flags(guess-timezone, no-hostname));
+ date-parser-nofilter(format("%s") template("${.kv.time}"));
+ };
+ };
+
+ rewrite {
+ set("${.kv.hostname}", value("HOST"));
+ set("checkpoint_splunk", value("fields.sc4s_vendor_product"));
+ subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"));
+ set("${PROGRAM}", value(".PROGRAM"));
+ subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
+ };
+ rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}")) };
+ parser { p_add_context_splunk(key("checkpoint_os")); };
+
+ };
+ } else {
 filter(f_nix_syslog);
 rewrite {
- set("checkpoint_splunk", value("fields.sc4s_vendor_product"));
+ set("checkpoint_splunk", value("fields.sc4s_vendor_product"));
 subst("^[^\t]+\t", "", value("MESSAGE"), flags("global"));
 set("${PROGRAM}", value(".PROGRAM"));
 subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM"));
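Review bot: The new `f_checkpoint_splunk_syslog` branch repeats, line for line, the `rewrite` / `r_set_splunk_dest_default(sourcetype("nix:syslog") …)` / `p_add_context_splunk(key("checkpoint_os"))` tail of the `} else { filter(f_nix_syslog); … }` branch, and it sets HOST from `${.kv.hostname}` a second time although the first `rewrite` block of this hunk already did; extracting that tail into a named `rewrite r_checkpoint_os { … }` plus `parser` pair referenced from both branches would keep the two paths from drifting. The inner `if { parser { syslog-parser(…) }; };` has neither filter nor else, which I read as a guard so that a `default_device_message` the parser rejects is not dropped; a one-line comment stating that intent would help, and it is worth confirming that on that rejection path `${.PROGRAM}`, and so `source("program:…")`, does not silently inherit the outer message's PROGRAM. Because the first `if {` of this hunk now has only a parser and no filter, the `else` branch is reached only when `kv-parser`/`date-parser-nofilter` fail, so please confirm with the existing `test_checkpoint_splunk_os` that plain Check Point OS syslog without `key=value|` pairs still lands there rather than being tagged `cp_log`. The enclosing `log { }` begins before and continues after this hunk.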
@@ -32,51 +93,7 @@ log { rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("netops"), source("program:${.PROGRAM}")) }; parser { p_add_context_splunk(key("checkpoint_os")); }; - } else { - parser { - kv-parser(prefix(".kv.") pair-separator("|") template("${MSGHDR} ${MSG}")); - date-parser-nofilter(format("%s") template("${.kv.time}")); - }; - }; - - rewrite { - set("${.kv.hostname}", value("HOST")); - set("checkpoint_splunk", value("fields.sc4s_vendor_product")); - r_set_splunk_dest_default(sourcetype("cp_log"), index("netops")) }; - - parser {p_add_context_splunk(key("checkpoint_splunk")); }; - - if { - filter(f_checkpoint_splunk_NetworkTraffic); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netfw"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_firewall")); }; - } elif { - filter(f_checkpoint_splunk_Web); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("web"), index("netproxy"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_web")); }; - } elif { - filter(f_checkpoint_splunk_NetworkSessions); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("sessions"), index("netops"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_sessions")); }; - } elif { - filter(f_checkpoint_splunk_IDS_Malware); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids_malware"), index("netids"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; - } elif { - filter(f_checkpoint_splunk_IDS); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("ids"), index("netids"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_ids")); }; - } elif { - filter(f_checkpoint_splunk_email); - rewrite { r_set_splunk_dest_default(sourcetype("cp_log"), source("email"), index("email"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_email")); }; - } elif { - filter(f_checkpoint_splunk_DLP); - rewrite { 
r_set_splunk_dest_default(sourcetype("cp_log"), source("firewall"), index("netdlp"))}; - parser {p_add_context_splunk(key("checkpoint_splunk_dlp")); }; - }; - parser (compliance_meta_by_source); rewrite { set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); }; diff --git a/package/etc/context_templates/vendor_product_by_source.conf.example b/package/etc/context_templates/vendor_product_by_source.conf.example index 1115e34..1eb20df 100644 --- a/package/etc/context_templates/vendor_product_by_source.conf.example +++ b/package/etc/context_templates/vendor_product_by_source.conf.example @@ -2,7 +2,7 @@ filter f_test_test { host("testvp-*" type(glob)) #or netmask(xxx.xxx.xxx.xxx/xx) }; -filter f_catch_first { +filter f_null_queue { netmask(169.254.100.0/24) }; diff --git a/package/etc/context_templates/vendor_product_by_source.csv.example b/package/etc/context_templates/vendor_product_by_source.csv.example index 302b8ca..0ea93b5 100644 --- a/package/etc/context_templates/vendor_product_by_source.csv.example +++ b/package/etc/context_templates/vendor_product_by_source.csv.example @@ -1,6 +1,6 @@ f_test_test,sc4s_vendor_product,"test_test" f_brocade_syslog,sc4s_vendor_product,"brocade_syslog" -f_catch_first,sc4s_vendor_product,"catch_first" +f_null_queue,sc4s_vendor_product,"catch_first" f_cisco_meraki,sc4s_vendor_product,"cisco_meraki" f_citrix_netscaler,sc4s_vendor_product,"citrix_netscaler" f_dell_rsa_secureid,sc4s_vendor_product,"dell_rsa_secureid" diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t index 47bfab1..6d7a6d3 100644 --- a/package/etc/go_templates/source_network.t +++ b/package/etc/go_templates/source_network.t 
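Review bot: The renamed row `f_null_queue,sc4s_vendor_product,"catch_first"` still assigns the old value, while the new `filters/misc/null_queue.conf` in this same commit matches `^null_queue` on `fields.sc4s_vendor_product`; anyone who copies this example as the docs describe will find that the null-queue path never fires and the rogue or scanner traffic the docs say is dropped is indexed instead. The value must follow the rename: `f_null_queue,sc4s_vendor_product,"null_queue"`. If the loader tolerates comment lines, a header note saying that the third column must equal the prefix tested in `null_queue.conf` would prevent the same slip next time.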
@@ -1,13 +1,8 @@
-{{ define "T1" }}
-
-# The following is the source port declaration for {{ (print .port_id) }}
-
-source s_{{ .port_id }} {
- channel {
- source {
-{{- if or (getenv (print "SC4S_LISTEN_" .port_id "_UDP_PORT")) (eq .port_id "DEFAULT") }}
- syslog (
+{{ define "UDP" }}
+ syslog (
 transport("udp")
+ so-reuseport(1)
+ persist-name("{{ .port_id }}{{ .instance }}")
 port({{ getenv (print "SC4S_LISTEN_" .port_id "_UDP_PORT") "514" }})
 ip-protocol(4)
 so-rcvbuf({{getenv "SC4S_SOURCE_UDP_SO_RCVBUFF" "1703936"}})
@@ -17,7 +12,22 @@ source s_{{ .port_id }} {
 use-fqdn(no)
 chain-hostnames(off)
 flags(validate-utf8, no-parse {{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}})
- );
+ );
+{{- end}}
+
+{{ define "T1" }}
+
+# The following is the source port declaration for {{ (print .port_id) }}
+
+source s_{{ .port_id }} {
+ channel {
+ source {
+{{- if or (getenv (print "SC4S_LISTEN_" .port_id "_UDP_PORT")) (eq .port_id "DEFAULT") }}
+{{- $port_id := .port_id }}
+{{- range (math.Seq (getenv "SC4S_SOURCE_LISTEN_UDP_SOCKETS" "5"))}}
+{{- $context := dict "instance" . "port_id" $port_id }}
+{{- template "UDP" $context }}
+{{- end}}
 {{- end}}
 {{- if or (getenv (print "SC4S_LISTEN_" .port_id "_TCP_PORT")) (eq .port_id "DEFAULT") }}
 network (
@@ -32,7 +42,7 @@ source s_{{ .port_id }} {
 use-dns(no)
 use-fqdn(no)
 chain-hostnames(off)
- flags(no-parse {{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}})
+ flags(validate-utf8, no-parse {{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}})
 );
 {{- end}}
 {{- if (conv.ToBool (getenv "SC4S_SOURCE_TLS_ENABLE" "no")) }}
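Review bot: `so-reuseport(1)` is what lets several sockets share one UDP port, but on Linux it also lets any other process in the container running under the same effective UID bind that port and silently receive a share of the datagrams, and the kernel distributes by hashing the sender's address and port, so a single chatty device still lands on one socket; a comment on the `so-reuseport(1)` line stating both points would ke the docs' "prevent packet loss" wording from being read as a guarantee. The `persist-name("{{ .port_id }}{{ .instance }}")` joins the id and the instance number with no separator; `persist-name("{{ .port_id }}_udp_{{ .instance }}")` keeps the names unambiguous and self-describing. The `syslog()` source block continues below the hunk.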
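Review bot: `math.Seq (getenv "SC4S_SOURCE_LISTEN_UDP_SOCKETS" "5")` takes the value straight from the environment with no check, so a `0`, a negative number or a non-numeric string yields either an empty `range` — SC4S starts but has no UDP listener at all on the DEFAULT port — or, I believe, a render failure; the TCP and TLS paths in the same template are unaffected, which makes the silent case easy to miss. Consider validating the variable in `entrypoint.sh` before gomplate runs, or at least documenting the constraint next to the `range` line: `{{- /* SC4S_SOURCE_LISTEN_UDP_SOCKETS must be a positive integer; 0 disables UDP input */ -}}`. The enclosing `source s_{{ .port_id }}` block continues below the hunk.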
@@ -48,7 +58,7 @@ source s_{{ .port_id }} {
 use-dns(no)
 use-fqdn(no)
 chain-hostnames(off)
- flags(no-parse {{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}})
+ flags(validate-utf8, no-parse {{- if (conv.ToBool (getenv "SC4S_SOURCE_STORE_RAWMSG" "no")) }} store-raw-message {{- end}})
 tls(allow-compress(yes)
 key-file("/opt/syslog-ng/tls/server.key")
 cert-file("/opt/syslog-ng/tls/server.pem")
@@ -197,4 +207,4 @@ source s_{{ .port_id }} {
 {{- end -}}
 {{- if or (or (or (getenv (print "SC4S_LISTEN_" .port_id "_TCP_PORT")) (getenv (print "SC4S_LISTEN_" .port_id "_UDP_PORT"))) (getenv (print "SC4S_LISTEN_" .port_id "_TLS_PORT"))) (eq .port_id "DEFAULT") -}}
 {{- template "T1" (.) -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh
index caaa3aa..c3bfa26 100755
--- a/package/sbin/entrypoint.sh
+++ b/package/sbin/entrypoint.sh
@@ -13,6 +13,28 @@ if [ ${SC4S_DEST_MICROFOCUS_ARCSIGHT_HEC} ]; then export SC4S_DEST_CEF_HEC=$SC4S
 cd /opt/syslog-ng
+# SIGTERM-handler
+term_handler() {
+ if [ $pid -ne 0 ]; then
+ echo Terminating
+ kill -SIGTERM "$pid"
+ wait "$pid"
+ fi
+ exit 143; # 128 + 15 -- SIGTERM
+}
+
+# SIGHUP-handler
+hup_handler() {
+ if [ $pid -ne 0 ]; then
+ echo Reloading
+ kill -SIGHUP "$pid"
+ fi
+}
+
+trap 'kill ${!}; hup_handler' SIGHUP
+trap 'kill ${!}; term_handler' SIGTERM
+
+
 gomplate $(find . -name *.tmpl | sed -E 's/^(\/.*\/)*(.*)\..*$/--file=\2.tmpl --out=\2/') --template t=etc/go_templates/
 mkdir -p /opt/syslog-ng/etc/conf.d/local/context/
@@ -31,4 +53,11 @@ echo sc4s version=$(cat /VERSION) >/opt/syslog-ng/var/log/syslog-ng.out
 echo syslog-ng starting
 /opt/syslog-ng/bin/persist-tool add /opt/syslog-ng/etc/reset_persist -o /opt/syslog-ng/var
-exec /opt/syslog-ng/sbin/syslog-ng $@
+
+/opt/syslog-ng/sbin/syslog-ng -F $@ &
+pid="$!"
+# wait forever
+while true
+do
+ tail -f /dev/null & wait ${!}
+done
\ No newline at end of file
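Review bot: `term_handler` and `hup_handler` test `[ $pid -ne 0 ]`, but `pid` is only assigned after gomplate and persist-tool have run, so a SIGTERM or SIGHUP that arrives during that window makes `[` fail with an operator error and the handler falls through; the same early signal runs `kill ${!}` with an empty argument. Initialise `pid=0` just above the `term_handler` definition, quote the test as `[ "$pid" -ne 0 ]`, and tolerate the empty case in the trap with `trap 'kill ${!} 2>/dev/null; term_handler' SIGTERM`. A two-line comment above the traps explaining that `kill ${!}` only interrupts the `wait` on the `tail` placeholder so the handler can run would also help the next reader.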
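Review bot: Replacing `exec` with a backgrounded `syslog-ng -F` and a `while true` loop on `tail -f /dev/null` means the container no longer ends when syslog-ng itself exits or crashes: the loop keeps PID 1 alive, the orchestrator sees a running container, and incoming syslog is silently dropped until someone notices; `$@` is also unquoted, so an argument containing spaces is split. I would wait on syslog-ng directly and exit with its status, as below, which also removes the need for `kill ${!}` in the two traps above (with this change those must be dropped, because `$!` would then name syslog-ng and a SIGHUP would kill it instead of reloading it). Whether `wait` returns promptly when a trapped signal arrives depends on the shell the shebang selects; it does under bash and dash, so confirm the one this image uses.
```shell
/opt/syslog-ng/sbin/syslog-ng -F "$@" &
pid="$!"
# Block on syslog-ng itself. A trapped signal interrupts wait (status > 128)
# and runs its handler; if the daemon is still alive afterwards keep waiting,
# otherwise propagate its exit status so a crash stops the container.
while :; do
    wait "$pid"
    rc=$?
    kill -0 "$pid" 2>/dev/null || exit "$rc"
done
```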
diff --git a/tests/docker-compose-ci.yml b/tests/docker-compose-ci.yml
index 3fe2010..e45bda0 100644
--- a/tests/docker-compose-ci.yml
+++ b/tests/docker-compose-ci.yml
@@ -48,6 +48,12 @@ services:
 - SC4S_LISTEN_JUNIPER_IDP_TCP_PORT=5004
 - SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT=5005
 - SC4S_LISTEN_PFSENSE_TCP_PORT=5006
+ - SC4S_LISTEN_CISCO_ASA_UDP_PORT=5001
+ - SC4S_LISTEN_CISCO_IOS_UDP_PORT=5002
+ - SC4S_LISTEN_CISCO_MERAKI_UDP_PORT=5003
+ - SC4S_LISTEN_JUNIPER_IDP_UDP_PORT=5004
+ - SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT=5005
+ - SC4S_LISTEN_PFSENSE_UDP_PORT=5006
 - SC4S_ARCHIVE_GLOBAL=no
 splunk:
 build:
diff --git a/tests/docker-compose.yml b/tests/docker-compose.yml
index d893bae..c8a8e1e 100644
--- a/tests/docker-compose.yml
+++ b/tests/docker-compose.yml
@@ -14,7 +14,7 @@ services:
 context: ../package
 hostname: sc4s
 #When this is enabled test_common will fail
- #command: -det
+ command: -det
 ports:
 - "514"
 - "601"
@@ -38,6 +38,12 @@ services:
 - SC4S_LISTEN_JUNIPER_IDP_TCP_PORT=5004
 - SC4S_LISTEN_PALOALTO_PANOS_TCP_PORT=5005
 - SC4S_LISTEN_PFSENSE_TCP_PORT=5006
+ - SC4S_LISTEN_CISCO_ASA_UDP_PORT=5001
+ - SC4S_LISTEN_CISCO_IOS_UDP_PORT=5002
+ - SC4S_LISTEN_CISCO_MERAKI_UDP_PORT=5003
+ - SC4S_LISTEN_JUNIPER_IDP_UDP_PORT=5004
+ - SC4S_LISTEN_PALOALTO_PANOS_UDP_PORT=5005
+ - SC4S_LISTEN_PFSENSE_UDP_PORT=5006
 - SC4S_ARCHIVE_GLOBAL=no
 - SC4S_SOURCE_STORE_RAWMSG=yes
 splunk:
diff --git a/tests/test_checkpoint.py b/tests/test_checkpoint.py
index 77f8cc8..d6ac8aa 100644
--- a/tests/test_checkpoint.py
+++ b/tests/test_checkpoint.py
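Review bot: `command: -det` is uncommented directly under the comment `#When this is enabled test_common will fail`, which the commit leaves in place, so either the comment is now stale or the suite is expected to fail; one of the two should change before merge. `-det` also runs syslog-ng with debug and trace output to stderr, which copies message contents into the container log, so if it was only needed while debugging the new entrypoint, revert to `#command: -det` or gate it on an environment variable. Note this is `tests/docker-compose.yml`; the CI compose file in the same commit did not receive the change, so the two test environments now differ in this respect.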
@@ -52,7 +52,33 @@ def test_checkpoint_splunk_firewall(record_property, setup_wordlist, setup_splun
 epoch = epoch[:-7]
 mt = env.from_string(
- "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={{ epoch }}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11_..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n")
+ "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={{ epoch }}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11:..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n")
+ message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"cp_log\"")
+ search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset)
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
+
+def test_checkpoint_splunk_firewall2(record_property, setup_wordlist, setup_splunk, setup_sc4s):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions for Checkpoint
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|severity=Medium|product=Firewall|action=Drop|ifdir=inbound|ifname=eth1|loguid={0x0,0x0,0x0,0x0}|origin=111.89.111.53|originsicname=CN\=xx-xx.xx.net,O\=cma-xx.xx.net.xx|sequencenum=64|time={{epoch}}|version=5|dst=10.11.11.11|inspection_category=anomaly|foo=bar: bat mark||\n")
 message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch)
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
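Review bot: The new `test_checkpoint_splunk_firewall2` sends a record whose value contains a colon (`foo=bar: bat mark||`), and the first test's `rule_name` was changed to `11:..`, which reads as a regression test for colon handling in the kv payload, yet the only assertion is `resultCount == 1` on index, host and sourcetype, so the test still passes if `rule_name` or `foo` is mangled or dropped. If the Splunk side extracts these fields, put the field into the search, e.g. `index=netfw host="{{ host }}" sourcetype="cp_log" rule_name="11:.."` in the first test and `foo="bar: bat mark"` in the second, so the assertion pins what the payload is there to exercise. A one-line comment above each template naming the parsing case it covers would also make the intent survive the next copy-paste. The second test's search and assertion lie below the hunk, so I am inferring they mirror the first's.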
@@ -197,3 +223,38 @@ def test_checkpoint_splunk_os(record_property, setup_wordlist, setup_splunk, set
 record_property("message", message)
 assert resultCount == 1
+
+
+# time=1586182935|hostname=xxxx-xxxx|product=Syslog|ifdir=inbound|loguid={0x0,0x0,0x0,0x0}|origin=10.0.0.164|sequencenum=3|time=1586182935|version=5|default_device_message=<134>ctasd[5665]: Save SenderId lists finished |facility=local use 0|
+def test_checkpoint_splunk_os_nested(
+ record_property, setup_wordlist, setup_splunk, setup_sc4s
+):
+ host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
+
+ dt = datetime.datetime.now()
+ iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
+
+ # Tune time functions for Checkpoint
+ epoch = epoch[:-7]
+
+ mt = env.from_string(
+ "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Syslog|ifdir=inbound|loguid={0x0,0x0,0x0,0x0}|origin=10.0.0.0|sequencenum=3|time={{ epoch }}|version=5|default_device_message=<134>ctasd[5665]: Save SenderId lists finished |facility=local use 0|\n"
+ )
+ message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch)
+
+ sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
+
+ st = env.from_string(
+ 'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="nix:syslog"'
+ )
+ search = st.render(
+ epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset
+ )
+
+ resultCount, eventCount = splunk_single(setup_splunk, search)
+
+ record_property("host", host)
+ record_property("resultCount", resultCount)
+ record_property("message", message)
+
+ assert resultCount == 1
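Review bot: `test_checkpoint_splunk_os_nested` is the only test of the new nested `default_device_message` branch, but its search checks just `index=netops`, `host` and `sourcetype="nix:syslog"`, which is exactly what the plain `f_nix_syslog` branch of the same log path also produces, so it cannot tell whether the inner `syslog-parser` ran at all. Add the one value only the nested parse can yield to the search: `'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="nix:syslog" source="program:ctasd"'`. The sample in the comment above the test has `origin=10.0.0.164` while the template uses `10.0.0.0`; that is fine, but a short note that the sample was sanitised would stop a later "fix" from re-aligning them.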