From 5b23e7a03e71ce4fed7422784e77c7a398dcfcf4 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Thu, 14 May 2020 07:31:52 -0400 Subject: [PATCH 1/4] Update test_checkpoint.py --- tests/test_checkpoint.py | 171 ++++++++++++++++++++++++++++----------- 1 file changed, 123 insertions(+), 48 deletions(-) diff --git a/tests/test_checkpoint.py b/tests/test_checkpoint.py index 7baf2e8..22fc362 100644 --- a/tests/test_checkpoint.py +++ b/tests/test_checkpoint.py @@ -14,8 +14,10 @@ env = Environment() # -#Oct 8 15:00:25 DEVICENAME time=1570561225|hostname=devicename|severity=Informational|confidence_level=Unknown|product=IPS|action=Drop|ifdir=inbound|ifname=bond2|loguid={0x5d9cdcc9,0x8d159f,0x5f19f392,0x1897a828}|origin=1.1.1.1|time=1570561225|version=1|attack=Streaming Engine: TCP Segment Limit Enforcement|attack_info=TCP segment out of maximum allowed sequence. Packet dropped.|chassis_bladed_system=[ 1_3 ]|dst=10.10.10.10|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|performance_impact=0|protection_id=tcp_segment_limit|protection_name=TCP Segment Limit Enforcement|protection_type=settings_tcp|proto=6|rule=393|rule_name=10.384_..|rule_uid={9F77F944-8DD5-4ADF-803A-785D03B3A2E8}|s_port=46455|service=443|smartdefense_profile=Recommended_Protection_ded9e8d8ee89d|src=1.1.1.2| -def test_checkpoint_splunk_ips(record_property, setup_wordlist, setup_splunk, setup_sc4s): +# Oct 8 15:00:25 DEVICENAME time=1570561225|hostname=devicename|severity=Informational|confidence_level=Unknown|product=IPS|action=Drop|ifdir=inbound|ifname=bond2|loguid={0x5d9cdcc9,0x8d159f,0x5f19f392,0x1897a828}|origin=1.1.1.1|time=1570561225|version=1|attack=Streaming Engine: TCP Segment Limit Enforcement|attack_info=TCP segment out of maximum allowed sequence. Packet dropped.|chassis_bladed_system=[ 1_3 ]|dst=10.10.10.10|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|performance_impact=0|protection_id=tcp_segment_limit|protection_name=TCP Segment Limit Enforcement|protection_type=settings_tcp|proto=6|rule=393|rule_name=10.384_..|rule_uid={9F77F944-8DD5-4ADF-803A-785D03B3A2E8}|s_port=46455|service=443|smartdefense_profile=Recommended_Protection_ded9e8d8ee89d|src=1.1.1.2| +def test_checkpoint_splunk_ips( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() @@ -25,13 +27,18 @@ def test_checkpoint_splunk_ips(record_property, setup_wordlist, setup_splunk, se epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|severity=Informational|confidence_level=Unknown|product=IPS|action=Drop|ifdir=inbound|ifname=bond2|loguid={0x5d9cdcc9,0x8d159f,0x5f19f392,0x1897a828}|origin=1.1.1.1|time={{ epoch }}|version=1|attack=Streaming Engine: TCP Segment Limit Enforcement|attack_info=TCP segment out of maximum allowed sequence. Packet dropped.|chassis_bladed_system=[ 1_3 ]|dst=10.10.10.10|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|performance_impact=0|protection_id=tcp_segment_limit|protection_name=TCP Segment Limit Enforcement|protection_type=settings_tcp|proto=6|rule=393|rule_name=10.384_..|rule_uid={9F77F944-8DD5-4ADF-803A-785D03B3A2E8}|s_port=46455|service=443|smartdefense_profile=Recommended_Protection_ded9e8d8ee89d|src=1.1.1.2|\n") + "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|severity=Informational|confidence_level=Unknown|product=IPS|action=Drop|ifdir=inbound|ifname=bond2|loguid={0x5d9cdcc9,0x8d159f,0x5f19f392,0x1897a828}|origin=1.1.1.1|time={{ epoch }}|version=1|attack=Streaming Engine: TCP Segment Limit Enforcement|attack_info=TCP segment out of maximum allowed sequence. Packet dropped.|chassis_bladed_system=[ 1_3 ]|dst=10.10.10.10|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|performance_impact=0|protection_id=tcp_segment_limit|protection_name=TCP Segment Limit Enforcement|protection_type=settings_tcp|proto=6|rule=393|rule_name=10.384_..|rule_uid={9F77F944-8DD5-4ADF-803A-785D03B3A2E8}|s_port=46455|service=443|smartdefense_profile=Recommended_Protection_ded9e8d8ee89d|src=1.1.1.2|\n" + ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netids host=\"{{ host }}\" sourcetype=\"cp_log\"") - search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + st = env.from_string( + 'search _time={{ epoch }} index=netids host="{{ host }}" sourcetype="cp_log"' + ) + search = st.render( + epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -41,8 +48,11 @@ def test_checkpoint_splunk_ips(record_property, setup_wordlist, setup_splunk, se assert resultCount == 1 -#$Oct 8 15:48:31 DEVICENAME time=1570564111|hostname=devicename|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time=1570564111|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11_..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2| -def test_checkpoint_splunk_firewall(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +# $Oct 8 15:48:31 DEVICENAME time=1570564111|hostname=devicename|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time=1570564111|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11_..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2| +def test_checkpoint_splunk_firewall( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() @@ -52,13 +62,18 @@ def test_checkpoint_splunk_firewall(record_property, setup_wordlist, setup_splun epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={{ epoch }}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11:..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n") + "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={{ epoch }}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11:..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n" + ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"cp_log\"") - search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + st = env.from_string( + 'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="cp_log"' + ) + search = st.render( + epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -69,7 +84,9 @@ def test_checkpoint_splunk_firewall(record_property, setup_wordlist, setup_splun assert resultCount == 1 -def test_checkpoint_splunk_firewall_noise(record_property, setup_wordlist, setup_splunk, setup_sc4s): +def test_checkpoint_splunk_firewall_noise( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() @@ -79,7 +96,8 @@ def test_checkpoint_splunk_firewall_noise(record_property, setup_wordlist, setup epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={{ epoch }}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11:..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n") + "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={{ epoch }}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11:..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n" + ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) @@ -87,8 +105,12 @@ def test_checkpoint_splunk_firewall_noise(record_property, setup_wordlist, setup sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"cp_log\"") - search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + st = env.from_string( + 'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="cp_log"' + ) + search = st.render( + epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -98,7 +120,10 @@ def test_checkpoint_splunk_firewall_noise(record_property, setup_wordlist, setup assert resultCount == 1 -def test_checkpoint_splunk_firewall_noise2(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +def test_checkpoint_splunk_firewall_noise2( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() @@ -108,17 +133,21 @@ def test_checkpoint_splunk_firewall_noise2(record_property, setup_wordlist, setu epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={{ epoch }}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11:..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n") + "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={{ epoch }}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11:..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n" + ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - sleep(5) - sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + sleep(10) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"cp_log\"") - search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + st = env.from_string( + 'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="cp_log"' + ) + search = st.render( + epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -128,7 +157,10 @@ def test_checkpoint_splunk_firewall_noise2(record_property, setup_wordlist, setu assert resultCount == 2 -def test_checkpoint_splunk_firewall2(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +def test_checkpoint_splunk_firewall2( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() @@ -138,13 +170,18 @@ def test_checkpoint_splunk_firewall2(record_property, setup_wordlist, setup_splu epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|severity=Medium|product=Firewall|action=Drop|ifdir=inbound|ifname=eth1|loguid={0x0,0x0,0x0,0x0}|origin=111.89.111.53|originsicname=CN\=xx-xx.xx.net,O\=cma-xx.xx.net.xx|sequencenum=64|time={{epoch}}|version=5|dst=10.11.11.11|inspection_category=anomaly|foo=bar: bat mark||\n") + "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|severity=Medium|product=Firewall|action=Drop|ifdir=inbound|ifname=eth1|loguid={0x0,0x0,0x0,0x0}|origin=111.89.111.53|originsicname=CN\=xx-xx.xx.net,O\=cma-xx.xx.net.xx|sequencenum=64|time={{epoch}}|version=5|dst=10.11.11.11|inspection_category=anomaly|foo=bar: bat mark||\n" + ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"cp_log\"") - search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + st = env.from_string( + 'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="cp_log"' + ) + search = st.render( + epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -154,8 +191,11 @@ def test_checkpoint_splunk_firewall2(record_property, setup_wordlist, setup_splu assert resultCount == 1 -#Oct 9 12:01:16 DEVICENAME |hostname=DEVICENAME|product=mds-query-tool|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time=1570641309|version=5|administrator=localhost|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login| -def test_checkpoint_splunk_mds(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +# Oct 9 12:01:16 DEVICENAME |hostname=DEVICENAME|product=mds-query-tool|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time=1570641309|version=5|administrator=localhost|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login| +def test_checkpoint_splunk_mds( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() @@ -165,13 +205,18 @@ def test_checkpoint_splunk_mds(record_property, setup_wordlist, setup_splunk, se epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} |hostname={{ host }}|product=mds-query-tool|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time={{ epoch }}|version=5|administrator=localhost|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login|\n") + "{{ mark }} {{ bsd }} {{ host }} |hostname={{ host }}|product=mds-query-tool|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time={{ epoch }}|version=5|administrator=localhost|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login|\n" + ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"cp_log\"") - search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + st = env.from_string( + 'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="cp_log"' + ) + search = st.render( + epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -181,8 +226,11 @@ def test_checkpoint_splunk_mds(record_property, setup_wordlist, setup_splunk, se assert resultCount == 1 -#Oct 9 12:01:16 DEVICENAME|hostname=DEVICENAME|product=CPMI Client|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time=1570641173|version=5|administrator=localhost|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login -def test_checkpoint_splunk_cpmi(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +# Oct 9 12:01:16 DEVICENAME|hostname=DEVICENAME|product=CPMI Client|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time=1570641173|version=5|administrator=localhost|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login +def test_checkpoint_splunk_cpmi( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() @@ -192,13 +240,18 @@ def test_checkpoint_splunk_cpmi(record_property, setup_wordlist, setup_splunk, s epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} |hostname={{ host }}|product=CPMI Client|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time={{ epoch }}|version=5|administrator=localhost|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login\n") + "{{ mark }} {{ bsd }} {{ host }} |hostname={{ host }}|product=CPMI Client|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time={{ epoch }}|version=5|administrator=localhost|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login\n" + ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"cp_log\"") - search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + st = env.from_string( + 'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="cp_log"' + ) + search = st.render( + epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -208,8 +261,11 @@ def test_checkpoint_splunk_cpmi(record_property, setup_wordlist, setup_splunk, s assert resultCount == 1 -#Oct 9 12:01:16 DEVICENAME |hostname=DEVICENAME|product=WEB_API|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time=1570640578|version=5|administrator=tufinapi|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login -def test_checkpoint_splunk_web_api(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +# Oct 9 12:01:16 DEVICENAME |hostname=DEVICENAME|product=WEB_API|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time=1570640578|version=5|administrator=tufinapi|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login +def test_checkpoint_splunk_web_api( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() @@ -219,13 +275,18 @@ def test_checkpoint_splunk_web_api(record_property, setup_wordlist, setup_splunk epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} |hostname={{ host }}|product=WEB_API|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time={{ epoch }}|version=5|administrator=tufinapi|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login\n") + "{{ mark }} {{ bsd }} {{ host }} |hostname={{ host }}|product=WEB_API|action=Accept|ifdir=outbound|origin=1.1.1.1|2.2.2.2|originsicname=cn\=cp_mgmt,o\=DEVICENAME.domain.com.p7fdbt|sequencenum=1|time={{ epoch }}|version=5|administrator=tufinapi|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log Out|operation_number=12|subject=Administrator Login\n" + ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"cp_log\"") - search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + st = env.from_string( + 'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="cp_log"' + ) + search = st.render( + epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -235,8 +296,11 @@ def test_checkpoint_splunk_web_api(record_property, setup_wordlist, setup_splunk assert resultCount == 1 -#Oct 9 11:05:15 DEVICENAME time=1570633513|hostname=DEVICENAME|product=SmartConsole|action=Accept|ifdir=outbound|origin=1.1.1.1|4.4.4.4|sequencenum=1|time=1570633513|version=5|additional_info=Authentication method: Password based application token|administrator=psanadhya|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log In|operation_number=10|subject=Administrator Login| -def test_checkpoint_splunk_smartconsole(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +# Oct 9 11:05:15 DEVICENAME time=1570633513|hostname=DEVICENAME|product=SmartConsole|action=Accept|ifdir=outbound|origin=1.1.1.1|4.4.4.4|sequencenum=1|time=1570633513|version=5|additional_info=Authentication method: Password based application token|administrator=psanadhya|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log In|operation_number=10|subject=Administrator Login| +def test_checkpoint_splunk_smartconsole( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() @@ -246,13 +310,18 @@ def test_checkpoint_splunk_smartconsole(record_property, setup_wordlist, setup_s epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=SmartConsole|action=Accept|ifdir=outbound|origin=1.1.1.1|4.4.4.4|sequencenum=1|time={{ epoch }}|version=5|additional_info=Authentication method: Password based application token|administrator=psanadhya|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log In|operation_number=10|subject=Administrator Login|\n") + "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=SmartConsole|action=Accept|ifdir=outbound|origin=1.1.1.1|4.4.4.4|sequencenum=1|time={{ epoch }}|version=5|additional_info=Authentication method: Password based application token|administrator=psanadhya|client_ip=3.3.3.3|machine=DEVICENAME|operation=Log In|operation_number=10|subject=Administrator Login|\n" + ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"cp_log\"") - search = st.render(epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + st = env.from_string( + 'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="cp_log"' + ) + search = st.render( + epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -262,18 +331,24 @@ def test_checkpoint_splunk_smartconsole(record_property, setup_wordlist, setup_s assert resultCount == 1 -#<6>kernel: sd 2:0:0:0: SCSI error: return code = 0x00040000 -def test_checkpoint_splunk_os(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +# <6>kernel: sd 2:0:0:0: SCSI error: return code = 0x00040000 +def test_checkpoint_splunk_os( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) pid = random.randint(1000, 32000) mt = env.from_string( - "{{ mark }}kernel: sd 2:0:0:0: SCSI error: return code = 0x{{pid}}\n") + "{{ mark }}kernel: sd 2:0:0:0: SCSI error: return code = 0x{{pid}}\n" + ) message = mt.render(mark="<6>", pid=pid) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search earliest=-1m@m latest=+1m@m index=osnix \"0x{{ pid }}\" sourcetype=\"nix:syslog\"") + st = env.from_string( + 'search earliest=-1m@m latest=+1m@m index=osnix "0x{{ pid }}" sourcetype="nix:syslog"' + ) search = st.render(host=host, pid=pid) resultCount, eventCount = splunk_single(setup_splunk, search) From 8cabdbe3d259cf3426d6ad33492fd1b5b9701ee2 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Thu, 14 May 2020 07:48:11 -0400 Subject: [PATCH 2/4] Update test_checkpoint.py --- tests/test_checkpoint.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_checkpoint.py b/tests/test_checkpoint.py index 22fc362..762c53b 100644 --- a/tests/test_checkpoint.py +++ b/tests/test_checkpoint.py @@ -137,10 +137,10 @@ def test_checkpoint_splunk_firewall_noise2( ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) - sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) sleep(10) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( 'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="cp_log"' From 4b81261dc11d484c879cca3f75ea295297966eb2 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Thu, 14 May 2020 07:57:06 -0400 Subject: [PATCH 3/4] Update test_checkpoint.py --- tests/test_checkpoint.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/test_checkpoint.py b/tests/test_checkpoint.py index 762c53b..998748d 100644 --- a/tests/test_checkpoint.py +++ b/tests/test_checkpoint.py @@ -27,7 +27,7 @@ def test_checkpoint_splunk_ips( epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|severity=Informational|confidence_level=Unknown|product=IPS|action=Drop|ifdir=inbound|ifname=bond2|loguid={0x5d9cdcc9,0x8d159f,0x5f19f392,0x1897a828}|origin=1.1.1.1|time={{ epoch }}|version=1|attack=Streaming Engine: TCP Segment Limit Enforcement|attack_info=TCP segment out of maximum allowed sequence. Packet dropped.|chassis_bladed_system=[ 1_3 ]|dst=10.10.10.10|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|performance_impact=0|protection_id=tcp_segment_limit|protection_name=TCP Segment Limit Enforcement|protection_type=settings_tcp|proto=6|rule=393|rule_name=10.384_..|rule_uid={9F77F944-8DD5-4ADF-803A-785D03B3A2E8}|s_port=46455|service=443|smartdefense_profile=Recommended_Protection_ded9e8d8ee89d|src=1.1.1.2|\n" + "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|severity=Informational|confidence_level=Unknown|product=IPS|action=Drop|ifdir=inbound|ifname=bond2|loguid={{ host }}{0x5d9cdcc9,0x8d159f,0x5f19f392,0x1897a828}|origin=1.1.1.1|time={{ epoch }}|version=1|attack=Streaming Engine: TCP Segment Limit Enforcement|attack_info=TCP segment out of maximum allowed sequence. Packet dropped.|chassis_bladed_system=[ 1_3 ]|dst=10.10.10.10|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|performance_impact=0|protection_id=tcp_segment_limit|protection_name=TCP Segment Limit Enforcement|protection_type=settings_tcp|proto=6|rule=393|rule_name=10.384_..|rule_uid={9F77F944-8DD5-4ADF-803A-785D03B3A2E8}|s_port=46455|service=443|smartdefense_profile=Recommended_Protection_ded9e8d8ee89d|src=1.1.1.2|\n" ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) @@ -62,7 +62,7 @@ def test_checkpoint_splunk_firewall( epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={{ epoch }}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11:..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n" + "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={{ host }}{0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={{ epoch }}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11:..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n" ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) @@ -133,7 +133,7 @@ def test_checkpoint_splunk_firewall_noise2( epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={{ epoch }}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11:..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n" + "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={{ host }}{0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={{ epoch }}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11:..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n" ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) @@ -170,7 +170,7 @@ def test_checkpoint_splunk_firewall2( epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|severity=Medium|product=Firewall|action=Drop|ifdir=inbound|ifname=eth1|loguid={0x0,0x0,0x0,0x0}|origin=111.89.111.53|originsicname=CN\=xx-xx.xx.net,O\=cma-xx.xx.net.xx|sequencenum=64|time={{epoch}}|version=5|dst=10.11.11.11|inspection_category=anomaly|foo=bar: bat mark||\n" + "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|severity=Medium|product=Firewall|action=Drop|ifdir=inbound|ifname=eth1|loguid={{ host }}{0x0,0x0,0x0,0x0}|origin=111.89.111.53|originsicname=CN\=xx-xx.xx.net,O\=cma-xx.xx.net.xx|sequencenum=64|time={{epoch}}|version=5|dst=10.11.11.11|inspection_category=anomaly|foo=bar: bat mark||\n" ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) @@ -373,7 +373,7 @@ def test_checkpoint_splunk_os_nested( epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Syslog|ifdir=inbound|loguid={0x0,0x0,0x0,0x0}|origin=10.0.0.0|sequencenum=3|time={{ epoch }}|version=5|default_device_message=<134>ctasd[5665]: Save SenderId lists finished |facility=local use 0|\n" + "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Syslog|ifdir=inbound|loguid={{ host }}{0x0,0x0,0x0,0x0}|origin=10.0.0.0|sequencenum=3|time={{ epoch }}|version=5|default_device_message=<134>ctasd[5665]: Save SenderId lists finished |facility=local use 0|\n" ) message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) From 2842b88046e81c3c308619b71da09c244bfc9267 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Thu, 14 May 2020 18:15:49 -0400 Subject: [PATCH 4/4] Remove extra test --- tests/test_checkpoint.py | 37 ------------------------------------- 1 file changed, 37 deletions(-) diff --git a/tests/test_checkpoint.py b/tests/test_checkpoint.py index 998748d..873c050 100644 --- a/tests/test_checkpoint.py +++ b/tests/test_checkpoint.py @@ -121,43 +121,6 @@ def test_checkpoint_splunk_firewall_noise( assert resultCount == 1 -def test_checkpoint_splunk_firewall_noise2( - record_property, setup_wordlist, setup_splunk, setup_sc4s -): - host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) - - dt = datetime.datetime.now() - iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) - - # Tune time functions for Checkpoint - epoch = epoch[:-7] - - mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} time={{ epoch }}|hostname={{ host }}|product=Firewall|action=Drop|ifdir=inbound|ifname=bond1|loguid={{ host }}{0x5d9ce80f,0x8d0555,0x5f19f392,0x18982828}|origin=1.1.1.1|time={{ epoch }}|version=1|chassis_bladed_system=[ 1_1 ]|dst=10.10.10.10|inzone=External|origin_sic_name=CN=something_03_local,O=devicename.domain.com.p7fdbt|outzone=Internal|proto=6|rule=402|rule_name=11:..|rule_uid={C8CD796E-7BD5-47B6-90CA-B250D062D5E5}|s_port=33687|service=23|src=1.1.1.2|\n" - ) - message = mt.render(mark="<111>", host=host, bsd=bsd, epoch=epoch) - - sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - sleep(10) - sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - - st = env.from_string( - 'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="cp_log"' - ) - search = st.render( - epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset - ) - - resultCount, eventCount = splunk_single(setup_splunk, search) - - record_property("host", host) - record_property("resultCount", resultCount) - record_property("message", message) - - assert resultCount == 2 - - def test_checkpoint_splunk_firewall2( record_property, setup_wordlist, setup_splunk, setup_sc4s ):