You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@metron.apache.org by ce...@apache.org on 2017/04/11 13:37:28 UTC
incubator-metron git commit: METRON-832 Fixed CEF parser for Palo Alto FITW closes apache/incubator-metron#519

Repository: incubator-metron
Updated Branches:
  refs/heads/master ba7330950 -> 0e629f3be


METRON-832 Fixed CEF parser for Palo Alto FITW closes apache/incubator-metron#519


Project: http://git-wip-us.apache.org/repos/asf/incubator-metron/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-metron/commit/0e629f3b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-metron/tree/0e629f3b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-metron/diff/0e629f3b

Branch: refs/heads/master
Commit: 0e629f3be53836e0d49adb9a3144a91360226791
Parents: ba73309
Author: Simon Elliston Ball <si...@simonellistonball.com>
Authored: Tue Apr 11 09:37:20 2017 -0400
Committer: cstella <ce...@gmail.com>
Committed: Tue Apr 11 09:37:20 2017 -0400

----------------------------------------------------------------------
 .../apache/metron/parsers/cef/CEFParser.java    | 12 +++----
 .../metron/parsers/cef/CEFParserTest.java       |  7 ++++
 .../org/apache/metron/parsers/cef/palo.cef      |  1 +
 .../org/apache/metron/parsers/cef/palo.schema   | 38 ++++++++++++++++++++
 4 files changed, 52 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/0e629f3b/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/cef/CEFParser.java
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/cef/CEFParser.java b/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/cef/CEFParser.java
index a765dd8..352c781 100644
--- a/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/cef/CEFParser.java
+++ b/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/cef/CEFParser.java
@@ -57,7 +57,11 @@ public class CEFParser extends BasicParser {
 		String syslogPriority = "<(?:[0-9]+)>";
 		String syslogHost = "[a-z0-9\\.\\\\-_]+";
 
-		StringBuilder sb = new StringBuilder("(?<syslogTime>");
+		StringBuilder sb = new StringBuilder("");
+		sb.append("(?<syslogPriority>");
+		sb.append(syslogPriority);
+		sb.append(")?");
+		sb.append("(?<syslogTime>");
 		sb.append(syslogTime);
 		sb.append("|");
 		sb.append(syslogTime5424);
@@ -67,13 +71,9 @@ public class CEFParser extends BasicParser {
 		sb.append(syslogHost);
 		sb.append(")?");
 
-		sb.append("(?<syslogPriority>");
-		sb.append(syslogPriority);
-		sb.append(")?");
-
 		sb.append(".*");
 
-		sb.append("CEF:0\\|");
+		sb.append("CEF: ?0\\|");
 
 		headerBlock("DeviceVendor", sb);
 		sb.append("\\|");

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/0e629f3b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/cef/CEFParserTest.java
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/cef/CEFParserTest.java b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/cef/CEFParserTest.java
index 88c0f0c..88509dd 100644
--- a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/cef/CEFParserTest.java
+++ b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/cef/CEFParserTest.java
@@ -185,6 +185,13 @@ public class CEFParserTest extends TestCase {
 				Resources.toString(Resources.getResource(getClass(), "waf.schema"), UTF_8));
 	}
 
+	@Test
+	public void testPaloAltoCEF() throws Exception {
+		URL waf_url = Resources.getResource(getClass(), "palo.cef");
+		runTest("palo", Resources.readLines(waf_url, UTF_8),
+				Resources.toString(Resources.getResource(getClass(), "palo.schema"), UTF_8));
+	}
+
 	private void runTest(String name, List<String> lines, String schema) throws Exception {
 		runTest(name, lines, schema, "");
 	}

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/0e629f3b/metron-platform/metron-parsers/src/test/resources/org/apache/metron/parsers/cef/palo.cef
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/test/resources/org/apache/metron/parsers/cef/palo.cef b/metron-platform/metron-parsers/src/test/resources/org/apache/metron/parsers/cef/palo.cef
new file mode 100644
index 0000000..ab9b830
--- /dev/null
+++ b/metron-platform/metron-parsers/src/test/resources/org/apache/metron/parsers/cef/palo.cef
@@ -0,0 +1 @@
+<14>Apr  7 10:10:10 hostname CEF: 0|Palo Alto Networks|PAN-OS|6.1.3|url|THREAT|1|rt=Apr 07 2017 00:10:10 GMT deviceExternalId=00000000 src=10.10.10.10 dst=20.20.20.20 sourceTranslatedAddress=0.0.0.0 destinationTranslatedAddress=0.0.0.0 cs1Label=Rule cs1=Trusted-to-Untrusted suser= duser= app=ssl cs3Label=Virtual Sys cs3=vsys2 cs4Label=Src Zone cs4=Trusted cs5Label=Dst Zone cs5=Untrusted deviceInboundInterface=ethernet1/12.345 deviceOutboundInterface=ethernet1/12.345 cs6Label=LogProfile cs6=Log_Profile cn1Label=SessionID cn1=123456 cnt=1 spt=18371 dpt=443 sourceTranslatedPort=0 destinationTranslatedPort=0 flexString1Label=Flags flexString1=0x8000 proto=tcp act=alert request=\"www.example.com/\" cs2Label=URL Cat cs2=gambling flexString2Label=Direction flexString2=client-to-server externalId=123456789 requestContext= cat=(9999) filePath= fileId=0 fileHash= deviceProcessName=Device.Process.Name
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/0e629f3b/metron-platform/metron-parsers/src/test/resources/org/apache/metron/parsers/cef/palo.schema
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/test/resources/org/apache/metron/parsers/cef/palo.schema b/metron-platform/metron-parsers/src/test/resources/org/apache/metron/parsers/cef/palo.schema
new file mode 100644
index 0000000..7135634
--- /dev/null
+++ b/metron-platform/metron-parsers/src/test/resources/org/apache/metron/parsers/cef/palo.schema
@@ -0,0 +1,38 @@
+{
+	"title": "PaloAlto Schema",
+	"type": "object",
+	"properties": {
+		"ip_src_addr": {
+			"type": "string"
+		},
+		"ip_dst_addr": {
+			"type": "string"
+		},
+		"original_string": {
+			"type": "string"
+		},
+		"timestamp": {
+			"type": "integer"
+		},
+		"DeviceVendor": {
+			"type": "string"
+		},
+		"DeviceProduct": {
+			"type": "string"
+		},
+		"DeviceVersion": {
+			"type": "string"
+		},
+		"DeviceEvent": {
+			"type": "string"
+		},
+		"Name": {
+			"type": "string"
+		},
+		"Severity": {
+			"type": "integer"
+		}
+	},
+	"required": ["original_string", "timestamp", 
+	"DeviceVendor", "DeviceProduct", "DeviceVersion", "Name", "Severity"]
+}
\ No newline at end of file