From c6f240847cf221a9cb499172e72b4b109aef5ea5 Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Fri, 7 Aug 2020 09:57:35 -0400
Subject: [PATCH] [filtermod] Checkpoint doesn't use the correct whitespace (#608)
---
 .../etc/conf.d/filters/checkpoint/splunk.conf | 62 +++++++++----------
 1 file changed, 31 insertions(+), 31 deletions(-)
diff --git a/package/etc/conf.d/filters/checkpoint/splunk.conf b/package/etc/conf.d/filters/checkpoint/splunk.conf
index cd2b8c4..0bbb3f6 100644
--- a/package/etc/conf.d/filters/checkpoint/splunk.conf
+++ b/package/etc/conf.d/filters/checkpoint/splunk.conf
@@ -1,63 +1,63 @@
 filter f_checkpoint_splunk { match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("MSG") type("pcre")) or match('\|(?:origin_sic_name|originsicname)\=[cC][nN]|\|product\=SmartConsole\|' value("LEGACY_MSGHDR") type("pcre")) or
- match('*|product=Syslog|ifdir=inbound|loguid=*' value("MSG") type("glob")) or
- match('*|product=Syslog|ifdir=inbound|loguid=*' value("LEGACY_MSGHDR") type("glob"));
+ match('|product=Syslog|ifdir=inbound|loguid=' value("MSG") type("glob")) or
+ match('|product=Syslog|ifdir=inbound|loguid=' value("LEGACY_MSGHDR") type("glob"));
 };
 filter f_checkpoint_splunk_alerts {
- match('*IOS Profile*' value('.kv.product') type('glob'))
- or match('*Device*' value('.kv.product') type('glob'))
+ match('IOS\h+Profile' value('.kv.product'))
+ or match('Device' value('.kv.product'))
 };
 filter f_checkpoint_splunk_Change {
- match('*Application Control*' value('.kv.product') type('glob'))
+ match('Application\h+Control' value('.kv.product'))
 };
 filter f_checkpoint_splunk_DLP {
- match('*DLP*' value('.kv.product') type('glob'))
+ match('DLP' value('.kv.product'))
 };
 filter f_checkpoint_splunk_email {
- match('*MTA*' value('.kv.product') type('glob'))
- or match('*Anti-Spam*' value('.kv.product') type('glob'))
- or match('*Anti Spam*' value('.kv.product') type('glob'))
+ match('MTA' value('.kv.product'))
+ or match('Anti-Spam' value('.kv.product'))
+ or match('Anti\h+Spam' value('.kv.product'))
 };
 filter f_checkpoint_splunk_IDS {
- match('*IPS*' value('.kv.product') type('glob'))
- or match('*WIFI*' value('.kv.product') type('glob'))
- or match('*Cellular*' value('.kv.product') type('glob'))
+ match('IPS' value('.kv.product'))
+ or match('WIFI' value('.kv.product'))
+ or match('Cellular' value('.kv.product'))
 };
 filter f_checkpoint_splunk_IDS_Malware {
- match('*Threat Emulation*' value('.kv.product') type('glob'))
- or match('*Anti-Virus*' value('.kv.product') type('glob'))
- or match('*Anti-Bot*' value('.kv.product') type('glob'))
- or match('*Threat Extraction*' value('.kv.product') type('glob'))
- or match('*Anti-Ransomware*' value('.kv.product') type('glob'))
- or match('*Anti-Exploit**' value('.kv.product') type('glob'))
- or match('*Forensics*' value('.kv.product') type('glob'))
- or match('*OS Exploit*' value('.kv.product') type('glob'))
- or (match('*Application*' value('.kv.product') type('glob')) and not match('*Application Control*' value('.kv.product') type('glob')))
- or match('*Text Message*' value('.kv.product') type('glob'))
- or match('*Network Access*' value('.kv.product') type('glob'))
- or match('*Zero Phishing*' value('.kv.product') type('glob'))
+ match('Threat\h+Emulation' value('.kv.product'))
+ or match('Anti-Virus' value('.kv.product'))
+ or match('Anti-Bot' value('.kv.product'))
+ or match('Threat\h+Extraction' value('.kv.product'))
+ or match('Anti-Ransomware' value('.kv.product'))
+ or match('Anti-Exploit' value('.kv.product'))
+ or match('Forensics' value('.kv.product'))
+ or match('OS\h+Exploit' value('.kv.product'))
+ or (match('Application' value('.kv.product')) and not match('Application Control' value('.kv.product')))
+ or match('Text\h+Message' value('.kv.product'))
+ or match('Network\h+Access' value('.kv.product'))
+ or match('Zero\h+Phishing' value('.kv.product'))
 };
 filter f_checkpoint_splunk_NetworkSessions {
- match('*VPN*' value('.kv.product') type('glob'))
- or match('*Mobile*' value('.kv.product') type('glob'))
- or match('*VPN*' value('.kv.fw_subproduct') type('glob'))
+ match('VPN' value('.kv.product'))
+ or match('Mobile' value('.kv.product'))
+ or match('VPN' value('.kv.fw_subproduct'))
 };
 filter f_checkpoint_splunk_NetworkTraffic {
- match('*Firewall*' value('.kv.product') type('glob'))
- and not match('*VPN*' value('.kv.fw_subproduct') type('glob'))
+ match('Firewall' value('.kv.product'))
+ and not match('VPN' value('.kv.fw_subproduct'))
 };
 filter f_checkpoint_splunk_Web {
- match('*Url Filtering*' value('.kv.product') type('glob'))
+ match('U[rR][lL]\h+\h+Filtering' value('.kv.product'))
 };
 filter f_checkpoint_splunk_syslog {
- match('Syslog' value('.kv.product') type('glob'))
+ match('Syslog' value('.kv.product'))
 };
\ No newline at end of file
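Review bot: In f_checkpoint_splunk the two added lines `match('|product=Syslog|ifdir=inbound|loguid=' value("MSG") type("glob"))` and the LEGACY_MSGHDR twin drop the leading and trailing `*` but keep `type("glob")`; a glob is compared against the whole field, so these now only fire when the message is exactly that string and the Syslog-product route for this filter is effectively dead. Either restore the wildcards or, to line up with the two pcre lines above, drop the type and escape the pipes: `match('\|product=Syslog\|ifdir=inbound\|loguid=' value("MSG"))`. In f_checkpoint_splunk_Web, `U[rR][lL]\h+\h+Filtering` requires at least two whitespace characters between the words, so a single-space `Url Filtering` value no longer matches; `U[rR][lL]\h+Filtering` is presumably what was intended. In f_checkpoint_splunk_IDS_Malware the exclusion `not match('Application Control' value('.kv.product'))` keeps a literal space while f_checkpoint_splunk_Change now uses `Application\h+Control`, so a product value with a tab or double space would be classified as both Change and IDS_Malware; use `Application\h+Control` in both places so the two filters stay mutually exclusive.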