[filtermod] Checkpoint doesn't use the correct whitespace (#608)
Ryan Faircloth
authored and
GitHub
committed
Aug 7, 2020
1 parent
b280749
commit c6f2408
Showing
1 changed file
with
31 additions
and
31 deletions.
| @@ -1,63 +1,63 @@ | ||
| filter f_checkpoint_splunk { | ||
| match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("MSG") type("pcre")) or | ||
| match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("LEGACY_MSGHDR") type("pcre")) or | ||
| match('*|product=Syslog|ifdir=inbound|loguid=*' value("MSG") type("glob")) or | ||
| match('*|product=Syslog|ifdir=inbound|loguid=*' value("LEGACY_MSGHDR") type("glob")); | ||
| match('|product=Syslog|ifdir=inbound|loguid=' value("MSG") type("glob")) or | ||
| match('|product=Syslog|ifdir=inbound|loguid=' value("LEGACY_MSGHDR") type("glob")); | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_alerts { | ||
| match('*IOS Profile*' value('.kv.product') type('glob')) | ||
| or match('*Device*' value('.kv.product') type('glob')) | ||
| match('IOS\h+Profile' value('.kv.product')) | ||
| or match('Device' value('.kv.product')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_Change { | ||
| match('*Application Control*' value('.kv.product') type('glob')) | ||
| match('Application\h+Control' value('.kv.product')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_DLP { | ||
| match('*DLP*' value('.kv.product') type('glob')) | ||
| match('DLP' value('.kv.product')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_email { | ||
| match('*MTA*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Spam*' value('.kv.product') type('glob')) | ||
| or match('*Anti Spam*' value('.kv.product') type('glob')) | ||
| match('MTA' value('.kv.product')) | ||
| or match('Anti-Spam' value('.kv.product')) | ||
| or match('Anti\h+Spam' value('.kv.product')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_IDS { | ||
| match('*IPS*' value('.kv.product') type('glob')) | ||
| or match('*WIFI*' value('.kv.product') type('glob')) | ||
| or match('*Cellular*' value('.kv.product') type('glob')) | ||
| match('IPS' value('.kv.product')) | ||
| or match('WIFI' value('.kv.product')) | ||
| or match('Cellular' value('.kv.product')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_IDS_Malware { | ||
| match('*Threat Emulation*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Virus*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Bot*' value('.kv.product') type('glob')) | ||
| or match('*Threat Extraction*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Ransomware*' value('.kv.product') type('glob')) | ||
| or match('*Anti-Exploit**' value('.kv.product') type('glob')) | ||
| or match('*Forensics*' value('.kv.product') type('glob')) | ||
| or match('*OS Exploit*' value('.kv.product') type('glob')) | ||
| or (match('*Application*' value('.kv.product') type('glob')) and not match('*Application Control*' value('.kv.product') type('glob'))) | ||
| or match('*Text Message*' value('.kv.product') type('glob')) | ||
| or match('*Network Access*' value('.kv.product') type('glob')) | ||
| or match('*Zero Phishing*' value('.kv.product') type('glob')) | ||
| match('Threat\h+Emulation' value('.kv.product')) | ||
| or match('Anti-Virus' value('.kv.product')) | ||
| or match('Anti-Bot' value('.kv.product')) | ||
| or match('Threat\h+Extraction' value('.kv.product')) | ||
| or match('Anti-Ransomware' value('.kv.product')) | ||
| or match('Anti-Exploit' value('.kv.product')) | ||
| or match('Forensics' value('.kv.product')) | ||
| or match('OS\h+Exploit' value('.kv.product')) | ||
| or (match('Application' value('.kv.product')) and not match('Application Control' value('.kv.product'))) | ||
| or match('Text\h+Message' value('.kv.product')) | ||
| or match('Network\h+Access' value('.kv.product')) | ||
| or match('Zero\h+Phishing' value('.kv.product')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_NetworkSessions { | ||
| match('*VPN*' value('.kv.product') type('glob')) | ||
| or match('*Mobile*' value('.kv.product') type('glob')) | ||
| or match('*VPN*' value('.kv.fw_subproduct') type('glob')) | ||
| match('VPN' value('.kv.product')) | ||
| or match('Mobile' value('.kv.product')) | ||
| or match('VPN' value('.kv.fw_subproduct')) | ||
| }; | ||
|
|
||
| filter f_checkpoint_splunk_NetworkTraffic { | ||
| match('*Firewall*' value('.kv.product') type('glob')) | ||
| and not match('*VPN*' value('.kv.fw_subproduct') type('glob')) | ||
| match('Firewall' value('.kv.product')) | ||
| and not match('VPN' value('.kv.fw_subproduct')) | ||
| }; | ||
| filter f_checkpoint_splunk_Web { | ||
| match('*Url Filtering*' value('.kv.product') type('glob')) | ||
| match('U[rR][lL]\h+\h+Filtering' value('.kv.product')) | ||
| }; | ||
| filter f_checkpoint_splunk_syslog { | ||
| match('Syslog' value('.kv.product') type('glob')) | ||
| match('Syslog' value('.kv.product')) | ||
| }; |
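Review bot: In f_checkpoint_splunk, the two `match()` calls that keep `type("glob")` but drop the leading and trailing `*` (`'|product=Syslog|ifdir=inbound|loguid='`, which read as the new side of this change) will no longer match anything useful: a syslog-ng glob without wildcards only succeeds when the whole MSG/LEGACY_MSGHDR equals the pattern, so inbound product=Syslog events would silently fall out of the Check Point routing. Either restore the wildcards or use the pcre form the rest of this commit adopts, e.g. `match('\|product=Syslog\|ifdir=inbound\|loguid=' value("MSG") type("pcre"))` and the same for LEGACY_MSGHDR. Separately, f_checkpoint_splunk_Web's `U[rR][lL]\h+\h+Filtering` requires at least two horizontal-whitespace characters between the words, so a single-space `URL Filtering` product value no longer routes to the Web filter; `U[rR][lL]\h+Filtering` is presumably what was intended. The exclusion in f_checkpoint_splunk_IDS_Malware still uses a literal space (`'Application Control'`) while f_checkpoint_splunk_Change now uses `Application\h+Control`, so an event with any other whitespace between the words would match both filters; aligning the exclusion on `Application\h+Control` keeps them mutually exclusive. Because these filters decide which Splunk sourcetype an event lands in, a non-matching pattern drops or misroutes security events without any error, which is worth a quick test against a sample of each product string before merging.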