Fixes #156 (#157) Support forcepoint webprotect aka websense
Ryan Faircloth authored and GitHub committed Oct 16, 2019
1 parent 8e7a3ed commit d9394a8
Showing 5 changed files with 124 additions and 0 deletions.
49 changes: 49 additions & 0 deletions docs/sources.md
Expand Up @@ -235,6 +235,55 @@ Verify timestamp, and host values match as expected

Verify timestamp, and host values match as expected

# Vendor - Forcepoint

## Product - Webprotect (Websense)

| Ref | Link |
|----------------|---------------------------------------------------------------------------------------------------------|
| Splunk Add-on | https://splunkbase.splunk.com/app/2966/ |
| Product Manual | http://www.websense.com/content/support/library/web/v85/siem/siem.pdf |


### Sourcetypes

| sourcetype | notes |
|----------------|---------------------------------------------------------------------------------------------------------|
| websense:cg:kv | None |


### Sourcetype and Index Configuration

| key | sourcetype | index | notes |
|----------------|----------------|----------------|----------------|
| forcepoint_webprotect | websense:cg:kv | netproxy | none |

### Filter type

MSG Parse: This filter parses message content

### Setup and Configuration

* Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
* Review and update the splunk_index.csv file and set the index and sourcetype as required for the data source.
* Refer to the admin manual for specific details of configuration to send Reliable syslog using RFC 3195 format, a typical logging configuration will include the following features.


### Options

| Variable | default | description |
|----------------|----------------|----------------|
| SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |

### Verification

An active proxy will generate frequent events, in addition WebProtect has the ability to test logging functionality using a built in command


```
index=<asconfigured> sourcetype=websense:cg:kv
```

# Vendor - Fortinet

## Product - Fortigate
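Review bot: the Options table documents only `SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT`, while the log path template in this same commit also tests `SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT` and `SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TLS_PORT`; add rows for all three so operators know the UDP and TLS listeners exist. Under Setup and Configuration, the third bullet refers to "Reliable syslog using RFC 3195 format", but the log path filters on `f_is_rfc3164` and the test sends a plain RFC 3164 message, so confirm which format the vendor manual actually describes and correct the citation; that bullet also ends with "will include the following features." and nothing follows, so either list the features or drop the clause. The Verification section says WebProtect can test logging "using a built in command" without naming it; give the command or cite the manual section. Also, the Product Manual link is plain http, and the product is spelled both "Webprotect" and "WebProtect" in the same section.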
3 changes: 3 additions & 0 deletions package/etc/conf.d/filters/fortinet/webprotect.conf
@@ -0,0 +1,3 @@
filter f_forcepoint_webprotect_kv {
program('vendor=[Ww]ebsense');
};
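Review bot: the new filter is committed under `package/etc/conf.d/filters/fortinet/webprotect.conf`, but it is a Forcepoint rule, not a Fortinet one; move it to a `forcepoint/` directory so the vendor layout stays consistent and the file is not mistaken for a Fortigate filter. The `program('vendor=[Ww]ebsense')` match appears to rely on syslog-ng's RFC 3164 parser taking the first token after the hostname (`vendor=Websense` in the sample message, which has no `:` after the tag) as PROGRAM; that works for the message in the test, but a one-line comment explaining why the match is on `program()` rather than `message()` would save the next reader from guessing.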
@@ -0,0 +1,36 @@
# Forcepoint Webprotect
{{- if (ne (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TLS_PORT") "no") "no") }}
{{ $context := dict "port_id" "FORCEPOINT_WEBPROTECT" "parser" "common" }}
{{ tmpl.Exec "t/source_network.t" $context }}
{{- end -}}
{{ define "log_path" }}
log {
{{- if eq (.) "yes"}}
source(s_default-ports);
filter(f_is_rfc3164);
filter(f_forcepoint_webprotect_kv);
{{- end}}
{{- if eq (.) "no"}}
source (s_dedicated_port_FORCEPOINT_WEBPROTECT);
{{- end}}

rewrite {
subst(" [^ =]+\=\-", "", value("MESSAGE"), flags("global"));
};
rewrite { r_set_splunk_dest_default(sourcetype("websense:cg:kv"), index("netproxy"), template("t_hdr_msg"))};
parser {p_add_context_splunk(key("forcepoint_webprotect")); };

parser (compliance_meta_by_source);

destination(d_hec); #--HEC--

flags(flow-control);
};
{{- end}}
{{- if (ne (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TCP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_UDP_PORT") "no") "no") or (ne (getenv (print "SC4S_LISTEN_FORCEPOINT_WEBPROTECT_TLS_PORT") "no") "no") }}
# Listen on the specified dedicated port(s) for FORCEPOINT_WEBPROTECT traffic
{{ tmpl.Exec "log_path" "no" }}
{{- end}}

# Listen on the default port (typically 514) for FORCEPOINT_WEBPROTECT traffic
{{ tmpl.Exec "log_path" "yes" }}
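Review bot: the `subst(" [^ =]+\=\-", "", value("MESSAGE"), flags("global"))` rewrite deletes every `key=-` pair (for the test message that is `reason=-` and `unknownfield=-`) before the event reaches Splunk, so the add-on never sees those fields; if that is intended, say so in the docs hunk for this source, and note that the pattern requires a leading space, so a `key=-` pair at the very start of MESSAGE would not be removed. The env-var condition on the first line of the template is repeated verbatim in the second `if` near the end; bind it once to a template variable and reference that in both places so the two cannot drift apart. Also, the default-port path applies `f_is_rfc3164` and `f_forcepoint_webprotect_kv`, while the dedicated-port path applies no filter at all, so anything arriving on that port is tagged `websense:cg:kv` and sent to `netproxy`; confirm that is the intended behaviour and add a comment saying so.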
1 change: 1 addition & 0 deletions package/etc/context_templates/splunk_index.csv
Expand Up @@ -15,6 +15,7 @@
#cisco_ios,index,netops
#cisco_nx_os,index,netops
#local_example,index,main
#forcepoint_webprotect,index,netproxy
#fortinet_fortios_event,index,netops
#fortinet_fortios_log,index,netops
#fortinet_fortios_traffic,index,netfw
35 changes: 35 additions & 0 deletions tests/test_forcepoint_web.py
@@ -0,0 +1,35 @@
# Copyright 2019 Splunk, Inc.
#
# Use of this source code is governed by a BSD-2-clause-style
# license that can be found in the LICENSE-BSD2 file or at
# https://opensource.org/licenses/BSD-2-Clause
import random

from jinja2 import Environment

from .sendmessage import *
from .splunkutils import *

env = Environment(extensions=['jinja2_time.TimeExtension'])

#<134>Oct 16 12:13:06 sourcehost2 vendor=Websense 9f product=Security product_version=7.7.0 action=permitted severity=7 category=755 user=LDAP://user7 OU=Users,OU=Beijing,DC=com/TEST\, TEST_NAME src_host=10.0.0.4 src_port=61435 dst_host=HOST-013 dst_ip=10.0.0.19 dst_port=25404 bytes_out=4074 bytes_in=12328 http_response=200 http_method=POST http_content_type=image/gif;charset=UTF-8 http_user_agent=Mozilla/3.0 (Windows; U; Windows NT 6.1; es-def; rv:1.7.0.11) Gecko/2009060215 Firefox/8.0.11 (.NET CLR 8.5.30729) http_proxy_status_code=200 reason=- disposition=2573 policy=role-8**Default role=4 duration=63 url=http://test_web.com/contents/content1.jpg
def test_forcepoint_webprotect_kv(record_property, setup_wordlist, setup_splunk):
host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))

mt = env.from_string(
"{{ mark }}{% now 'utc', '%b %d %H:%M:%S' %} {{ host }} vendor=Websense 9f product=Security product_version=7.7.0 action=permitted severity=7 category=755 user=LDAP://user7 OU=Users,OU=Beijing,DC=com/TEST\, TEST_NAME src_host=10.0.0.4 src_port=61435 dst_host=HOST-013 dst_ip=10.0.0.19 dst_port=25404 bytes_out=4074 bytes_in=12328 http_response=200 http_method=POST http_content_type=image/gif;charset=UTF-8 http_user_agent=Mozilla/3.0 (Windows; U; Windows NT 6.1; es-def; rv:1.7.0.11) Gecko/2009060215 Firefox/8.0.11 (.NET CLR 8.5.30729) http_proxy_status_code=200 reason=- disposition=2573 policy=role-8**Default role=4 duration=63 url=http://test_web.com/contents/content1.jpg unknownfield=-\n")
message = mt.render(mark="<134>", host=host)

sendsingle(message)

st = env.from_string("search index=netproxy host=\"{{ host }}\" sourcetype=\"websense:cg:kv\" | head 2")
search = st.render(host=host)

resultCount, eventCount = splunk_single(setup_splunk, search)

record_property("host", host)
record_property("resultCount", resultCount)
record_property("message", message)

assert resultCount == 1
#<134>1 Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 events Cellular connection up
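Review bot: the test message appends `unknownfield=-`, presumably to exercise the `subst()` rewrite in the log path, but the only assertion is `resultCount == 1`, so a broken rewrite still passes; extend the search to check the stored event, for example `... sourcetype="websense:cg:kv" | regex _raw!="unknownfield=-" | head 2`, so the count drops to zero if the field survives. The trailing comment `#<134>1 Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 events Cellular connection up` is a Meraki sample unrelated to this test and looks like copy-paste residue; remove it, and consider dropping the commented sample above the function as well, since it duplicates the template string. The template string is not a raw string, so `DC=com/TEST\, TEST_NAME` contains the invalid escape `\,`, which Python keeps literally but warns about (DeprecationWarning, SyntaxWarning in newer releases); write it as `\\,`. Also, `eventCount` is assigned but never used, and the wildcard imports `from .sendmessage import *` and `from .splunkutils import *` hide which helpers the test depends on.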
