Posted to commits@metron.apache.org by jo...@apache.org on 2017/11/23 01:38:54 UTC
metron git commit: METRON-1088 Upgrade bro to 2.5.2 (JonZeolla)
closes apache/metron#844
Repository: metron
Updated Branches:
refs/heads/master 8022f2c8c -> 59fe1b453
METRON-1088 Upgrade bro to 2.5.2 (JonZeolla) closes apache/metron#844
Project: http://git-wip-us.apache.org/repos/asf/metron/repo
Commit: http://git-wip-us.apache.org/repos/asf/metron/commit/59fe1b45
Tree: http://git-wip-us.apache.org/repos/asf/metron/tree/59fe1b45
Diff: http://git-wip-us.apache.org/repos/asf/metron/diff/59fe1b45
Branch: refs/heads/master
Commit: 59fe1b453279bf5c7df627ea656c762b3a98e777
Parents: 8022f2c
Author: JonZeolla <ze...@gmail.com>
Authored: Wed Nov 22 20:37:38 2017 -0500
Committer: JonZeolla <jo...@apache.org>
Committed: Wed Nov 22 20:37:38 2017 -0500
----------------------------------------------------------------------
.../inventory/full-dev-platform/group_vars/all | 2 +-
.../inventory/quick-dev-platform/group_vars/all | 2 +-
.../CURRENT/package/files/bro_index.template | 472 ++++++++++++++++++-
.../playbooks/docker_probe_install.yml | 2 +-
metron-deployment/roles/bro/tasks/bro.yml | 3 +
.../roles/bro/tasks/dependencies.yml | 11 +
.../roles/bro/tasks/metron-bro-plugin-kafka.yml | 3 +
metron-deployment/roles/bro/vars/main.yml | 2 +-
.../sample/data/bro/parsed/BroExampleParsed | 4 +
.../main/sample/data/bro/raw/BroExampleOutput | 4 +
.../metron/parsers/bro/BasicBroParserTest.java | 226 +++++++++
11 files changed, 711 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/inventory/full-dev-platform/group_vars/all
----------------------------------------------------------------------
diff --git a/metron-deployment/inventory/full-dev-platform/group_vars/all b/metron-deployment/inventory/full-dev-platform/group_vars/all
index 9aa04ab..08e405b 100644
--- a/metron-deployment/inventory/full-dev-platform/group_vars/all
+++ b/metron-deployment/inventory/full-dev-platform/group_vars/all
@@ -42,7 +42,7 @@ enrichment_hbase_table: enrichment
# metron
metron_version: 0.4.2
metron_directory: /usr/metron/{{ metron_version }}
-bro_version: "2.4.2"
+bro_version: "2.5.2"
fixbuf_version: "1.7.1"
yaf_version: "2.8.0"
daq_version: "2.0.6-1"
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/inventory/quick-dev-platform/group_vars/all
----------------------------------------------------------------------
diff --git a/metron-deployment/inventory/quick-dev-platform/group_vars/all b/metron-deployment/inventory/quick-dev-platform/group_vars/all
index 28f235d..d2d8590 100644
--- a/metron-deployment/inventory/quick-dev-platform/group_vars/all
+++ b/metron-deployment/inventory/quick-dev-platform/group_vars/all
@@ -41,7 +41,7 @@ enrichment_hbase_table: enrichment
# metron
metron_version: 0.4.2
metron_directory: /usr/metron/{{ metron_version }}
-bro_version: "2.4.2"
+bro_version: "2.5.2"
fixbuf_version: "1.7.1"
yaf_version: "2.8.0"
daq_version: "2.0.6-1"
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template
----------------------------------------------------------------------
diff --git a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template
index 3a68d75..b0103f2 100644
--- a/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template
+++ b/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/files/bro_index.template
@@ -118,7 +118,7 @@
},
"match": "threat:triage:rules:*:name",
"match_mapping_type": "*"
- }
+ }
}
],
"properties": {
@@ -171,6 +171,12 @@
* https://www.bro.org/sphinx/scripts/base/protocols/http/main.bro.html#type-HTTP::Info
*
* Notable Fields
+ * Field: method
+ * Notes: Field exists in the HTTP and SIP logs
+ *
+ * Field: uri
+ * Notes: Field exists in the HTTP and SIP logs
+ *
* Field: password
* Notes: Field exists in the HTTP and FTP logs
*
@@ -178,19 +184,31 @@
* Notes: Field exists in the HTTP and FTP logs
*
* Field: trans_depth
- * Notes: Field exists in the HTTP and SMTP logs
+ * Notes: Field exists in the HTTP, SMTP, and SIP logs
*
* Field: user_agent
- * Notes: Field exists in the HTTP and SMTP logs
+ * Notes: Field exists in the HTTP, SMTP, and SIP logs
*
* Field: version
* Notes: Field exists in the HTTP, SSL, and SSH logs
*
* Field: host
- * Notes: Field exists in the HTTP and Software logs
+ * Notes: Field exists in the HTTP, KnownCerts, and Software logs
*
* Field: username
* Notes: Field exists in the HTTP and RADIUS logs
+ *
+ * Field: status_code
+ * Notes: Field exists in the HTTP and SIP logs
+ *
+ * Field: status_msg
+ * Notes: Field exists in the HTTP and SIP logs
+ *
+ * Field: request_body_len
+ * Notes: Field exists in the HTTP and SIP logs
+ *
+ * Field: response_body_len
+ * Notes: Field exists in the HTTP and SIP logs
*/
"trans_depth": {
"type": "integer"
@@ -232,6 +250,17 @@
"type": "string",
"index": "not_analyzed"
},
+ "info_code": {
+ "type": "integer"
+ },
+ "info_msg": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "tags": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
"username": {
"type": "string",
"index": "not_analyzed"
@@ -240,8 +269,27 @@
"type": "string",
"index": "not_analyzed"
},
- "capture_password": {
- "type": "boolean"
+ "proxied": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "orig_fuids": {
+ "type": "string"
+ },
+ "orig_filenames": {
+ "type": "string"
+ },
+ "orig_mime_types": {
+ "type": "string"
+ },
+ "resp_fuids": {
+ "type": "string"
+ },
+ "resp_filenames": {
+ "type": "string"
+ },
+ "resp_mime_types": {
+ "type": "string"
},
/*
* DNS log support
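Review bot: `orig_fuids` and `resp_fuids` (and the `cert_chain_fuids`/`client_cert_chain_fuids` added in the SSL hunk) are mapped as analyzed `string`s, while the single-valued id fields in this template are `not_analyzed`. Under the default analyzer the values are lowercased and tokenized, so a term query for a file id copied from files.log or x509.log (they are mixed case, e.g. `FkYBO41LPAXxh44KFk` in the sample data at the end of this commit) will not hit these fields, which breaks the HTTP→files pivot an analyst relies on during IR. A multi-valued field does not need an analyzer to hold an array; `"orig_fuids": { "type": "string", "index": "not_analyzed" }` and the same for the other three keeps exact matching. `orig_filenames`/`resp_filenames` are a judgement call, since free-text search on names is sometimes wanted. The enclosing `properties` object opens before this hunk.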
@@ -253,6 +301,10 @@
*
* Field: trans_id
* Notes: Field exists in the DNS and DHCP logs
+ *
+ * Field: rtt
+ * Notes: This field uses the "interval" type, which may need handled differently.
+ * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval
*/
"proto": {
"type": "string",
@@ -261,6 +313,10 @@
"trans_id": {
"type": "long"
},
+ "rtt": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
"query": {
"type": "string",
"index": "not_analyzed"
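Review bot: `rtt` is mapped as a `not_analyzed` string although Bro's JSON writer emits `interval` values as plain floating-point seconds (compare `"ts_delta":15.558178` in the capture_loss sample further down this commit), so the value indexes as text and cannot be range-queried or aggregated — you lose the ability to ask for DNS answers slower than N seconds, a cheap tunnelling/beacon indicator. `"rtt": { "type": "double" }` would accept the values exactly as emitted. The same reasoning applies to `ttl` (RADIUS), `pkt_lag` (Stats) and `ts_delta` (CaptureLoss), which this commit also types as strings. The accompanying comment should read `may need to be handled differently` and say why a string was chosen over a numeric type, so the next maintainer does not "fix" it blindly either way.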
@@ -304,6 +360,9 @@
"answers": {
"type": "string"
},
+ "TTLs": {
+ "type": "string"
+ },
"rejected": {
"type": "boolean"
},
@@ -406,7 +465,7 @@
* Notes: Field exists in the FTP and Files logs
*
* Field: fuid
- * Notes: Field exists in the FTP and Notice logs
+ * Notes: Field exists in the FTP, Files, and Notice logs
*/
"user": {
"type": "string",
@@ -470,6 +529,15 @@
*
* Field: mime_type
* Notes: Field exists in the FTP and Files logs
+ *
+ * Field: duration
+ * Notes: Field exists in the Conn and Files logs
+ *
+ * Field: local_orig
+ * Notes: Field exists in the Conn and Files logs
+ *
+ * Field: fuid
+ * Notes: Field exists in the FTP, Files, and Notice logs
*/
"conn_uids": {
"type": "string",
@@ -524,13 +592,26 @@
"type": "string",
"index": "not_analyzed"
},
+ "extracted": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "extracted_cutoff": {
+ "type": "boolean"
+ },
+ "extracted_size": {
+ "type": "long"
+ },
/*
* Known::CertInfo log support
* https://www.bro.org/sphinx/scripts/policy/protocols/ssl/known-certs.bro.html#type-Known::CertsInfo
*
* Notable Fields
+ * Field: host
+ * Notes: Field exists in the HTTP, KnownCerts, and Software logs
+ *
* Field: subject
- * Notes: Field exists in the Known::CertInfo and SMTP logs
+ * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs
*/
"port_num": {
"type": "integer"
@@ -552,8 +633,20 @@
* https://www.bro.org/sphinx/scripts/base/protocols/smtp/main.bro.html#type-SMTP::Info
*
* Notable Fields
+ * Field: trans_depth
+ * Notes: Field exists in the HTTP, SMTP, and SIP logs
+ *
+ * Field: date
+ * Notes: Field exists in the SMTP and SIP logs
+ *
* Field: subject
- * Notes: Field exists in the Known::CertInfo and SMTP logs
+ * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs
+ *
+ * Field: reply_to
+ * Notes: Field exists in the SMTP and SIP logs
+ *
+ * Field: user_agent
+ * Notes: Field exists in the HTTP, SMTP, and SIP logs
*/
"helo": {
"type": "string",
@@ -579,6 +672,10 @@
"type": "string",
"analyzer": "simple"
},
+ "cc": {
+ "type": "string",
+ "analyzer": "simple"
+ },
"reply_to": {
"type": "string",
"analyzer": "simple"
@@ -627,6 +724,9 @@
* Notable Fields
* Field: version
* Notes: Field exists in the HTTP, SSL, and SSH logs
+ *
+ * Field: subject
+ * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs
*/
"cipher": {
"type": "string",
@@ -643,6 +743,13 @@
"resumed": {
"type": "boolean"
},
+ "server_appdata": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "client_appdata": {
+ "type": "boolean"
+ },
"last_alert": {
"type": "string",
"index": "not_analyzed"
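Review bot: `server_appdata` is mapped as a `not_analyzed` string while its sibling `client_appdata` is `boolean`, and nothing in the hunk records why the two differ. If these mirror the SSL::Info record fields of the same names, I believe the server-side one is a `count`, which would make `long` the consistent choice alongside the template's other counters; and if the fields are internal state without `&log` they never appear in the JSON output and both mappings are dead weight — worth checking against the SSL::Info page this section links to. A one-line comment such as `/* server_appdata: count in SSL::Info; logged only when ... */` next to the mapping would make the choice reviewable. The enclosing `properties` object opens before this hunk.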
@@ -654,9 +761,38 @@
"established": {
"type": "boolean"
},
+ "cert_chain_fuids": {
+ "type": "string"
+ },
+ "client_cert_chain_fuids": {
+ "type": "string"
+ },
+ "issuer": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "client_subject": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "client_issuer": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "validation_status": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
/*
* Weird log support
* https://www.bro.org/sphinx/scripts/base/frameworks/notice/weird.bro.html#type-Weird::Info
+ *
+ * Notable Fields
+ * Field: peer
+ * Notes: Field exists in the Weird, CaptureLoss, and Stats logs
+ *
+ * Field: name
+ * Notes: Field exists in the Weird and LoadedScripts logs
*/
"name": {
"type": "string",
@@ -679,10 +815,25 @@
*
* Notable Fields
* Field: fuid
- * Notes: Field exists in the FTP and Notice logs
+ * Notes: Field exists in the FTP, Files, and Notice logs
*
* Field: proto
* Notes: Field exists in the DNS, Conn, DPD, and Notice logs
+ *
+ * Field: remote_location:country_code
+ * Notes: Field exists in the Notice and SSH logs
+ *
+ * Field: remote_location:region
+ * Notes: Field exists in the Notice and SSH logs
+ *
+ * Field: remote_location:city
+ * Notes: Field exists in the Notice and SSH logs
+ *
+ * Field: remote_location:latitude
+ * Notes: Field exists in the Notice and SSH logs
+ *
+ * Field: remote_location:longitude
+ * Notes: Field exists in the Notice and SSH logs
*/
"file_mime_type": {
"type": "string",
@@ -736,16 +887,31 @@
"dropped": {
"type": "boolean"
},
+ "remote_location:country_code": {
+ "type": "string"
+ },
+ "remote_location:region": {
+ "type": "string"
+ },
+ "remote_location:city": {
+ "type": "string"
+ },
+ "remote_location:latitude": {
+ "type": "double"
+ },
+ "remote_location:longitude": {
+ "type": "double"
+ },
/*
* DHCP log support
* https://www.bro.org/sphinx/scripts/base/protocols/dhcp/main.bro.html#type-DHCP::Info
*
* Notable Fields
+ * Field: mac
+ * Notes: Field exists in the DHCP, RADIUS, and KnownDevices logs
+ *
* Field: trans_id
* Notes: Field exists in the DNS and DHCP logs
- *
- * Field: mac
- * Notes: Field exists in the DHCP, RADIUS, and Known::DevicesInfo logs
*/
"mac": {
"type": "string",
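Review bot: The five `remote_location:*` keys use a colon as the nested-record separator, whereas every other nested-record field visible in this commit keeps the dot that Bro's JSON writer emits (`id.orig_h`, `certificate.subject` in the raw and parsed sample data). Unless the parser rewrites `remote_location.country_code` to the colon form — nothing in this commit shows that — these mappings never match the emitted key, the fields fall through to dynamic mapping, and the coordinates end up with whatever type Elasticsearch guesses rather than the intended `double`. Please confirm against BasicBroParser; if dots are the convention, the keys should be `"remote_location.country_code"` and so on, here and in the comment blocks for Notice and SSH. The enclosing `properties` object opens before this hunk.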
@@ -765,6 +931,21 @@
* Notable Fields
* Field: version
* Notes: Field exists in the HTTP, SSL, and SSH logs
+ *
+ * Field: remote_location:country_code
+ * Notes: Field exists in the Notice and SSH logs
+ *
+ * Field: remote_location:region
+ * Notes: Field exists in the Notice and SSH logs
+ *
+ * Field: remote_location:city
+ * Notes: Field exists in the Notice and SSH logs
+ *
+ * Field: remote_location:latitude
+ * Notes: Field exists in the Notice and SSH logs
+ *
+ * Field: remote_location:longitude
+ * Notes: Field exists in the Notice and SSH logs
*/
"auth_success": {
"type": "boolean"
@@ -815,7 +996,7 @@
*
* Notable Fields
* Field: host
- * Notes: Field exists in the HTTP and Software logs
+ * Notes: Field exists in the HTTP, KnownCerts, and Software logs
*/
"host_p": {
"type": "integer",
@@ -858,8 +1039,15 @@
* Notes: Field exists in the HTTP and RADIUS logs
*
* Field: mac
- * Notes: Field exists in the DHCP, RADIUS, and Known::DevicesInfo logs
+ * Notes: Field exists in the DHCP, RADIUS, and KnownDevices logs
+ *
+ * Field: ttl
+ * Notes: This field uses the "interval" type, which may need handled differently.
+ * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval
*/
+ "framed_addr": {
+ "type": "ip"
+ },
"remote_ip": {
"type": "ip"
},
@@ -867,10 +1055,18 @@
"type": "string",
"index": "not_analyzed"
},
+ "reply_msg": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
"result": {
"type": "string",
"index": "not_analyzed"
},
+ "ttl": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
/*
* X509 log support
* https://www.bro.org/sphinx/scripts/base/files/x509/main.bro.html#type-X509::Info
@@ -963,11 +1159,255 @@
*
* Notable Fields
* Field: mac
- * Notes: Field exists in the DHCP, RADIUS, and Known::DevicesInfo logs
+ * Notes: Field exists in the DHCP, RADIUS, and KnownDevices logs
*/
"dhcp_host_name": {
"type": "string",
"index": "not_analyzed"
+ },
+ /*
+ * RFB::Info log support
+ * https://www.bro.org/sphinx-git/scripts/base/protocols/rfb/main.bro.html#type-RFB::Info
+ */
+ "client_major_version": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "client_minor_version": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "server_major_version": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "server_minor_version": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "authentication_method": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "auth": {
+ "type": "boolean"
+ },
+ "share_flag": {
+ "type": "boolean"
+ },
+ "desktop_name": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "width": {
+ "type": "integer"
+ },
+ "height": {
+ "type": "integer"
+ },
+ /*
+ * Stats::Info log support
+ * https://www.bro.org/sphinx/scripts/policy/misc/stats.bro.html#type-Stats::Info
+ *
+ * Notable Fields
+ * Field: peer
+ * Notes: Field exists in the Weird, CaptureLoss, and Stats logs
+ *
+ * Field: pkt_lag
+ * Notes: This field uses the "interval" type, which may need handled differently.
+ * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval
+ */
+ "mem": {
+ "type": "integer"
+ },
+ "pkts_proc": {
+ "type": "integer"
+ },
+ "bytes_recv": {
+ "type": "integer"
+ },
+ "pkts_dropped": {
+ "type": "integer"
+ },
+ "pkts_link": {
+ "type": "integer"
+ },
+ "pkt_lag": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "events_proc": {
+ "type": "integer"
+ },
+ "events_queued": {
+ "type": "integer"
+ },
+ "active_tcp_conns": {
+ "type": "integer"
+ },
+ "active_udp_conns": {
+ "type": "integer"
+ },
+ "active_icmp_conns": {
+ "type": "integer"
+ },
+ "tcp_conns": {
+ "type": "integer"
+ },
+ "udp_conns": {
+ "type": "integer"
+ },
+ "icmp_conns": {
+ "type": "integer"
+ },
+ "timers": {
+ "type": "integer"
+ },
+ "active_timers": {
+ "type": "integer"
+ },
+ "files": {
+ "type": "integer"
+ },
+ "active_files": {
+ "type": "integer"
+ },
+ "dns_requests": {
+ "type": "integer"
+ },
+ "active_dns_requests": {
+ "type": "integer"
+ },
+ "reassem_tcp_size": {
+ "type": "integer"
+ },
+ "reassem_file_size": {
+ "type": "integer"
+ },
+ "reassem_frag_size": {
+ "type": "integer"
+ },
+ "reassem_unknown_size": {
+ "type": "integer"
+ },
+ /*
+ * CaptureLoss::Info log support
+ * https://www.bro.org/sphinx/scripts/policy/misc/capture-loss.bro.html#type-CaptureLoss::Info
+ *
+ * Notable Fields
+ * Field: ts_delta
+ * Notes: This field uses the "interval" type, which may need handled differently.
+ * https://www.bro.org/sphinx-git/script-reference/types.html#type-interval
+ *
+ * Field: peer
+ * Notes: Field exists in the Weird, CaptureLoss, and Stats logs
+ */
+ "ts_delta": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "gaps": {
+ "type": "integer",
+ "index": "not_analyzed"
+ },
+ "acks": {
+ "type": "integer",
+ "index": "not_analyzed"
+ },
+ "percent_lost": {
+ "type": "double",
+ "index": "not_analyzed"
+ },
+ /*
+ * Reporter::Info log support
+ * https://www.bro.org/sphinx/scripts/base/frameworks/reporter/main.bro.html#type-Reporter::Info
+ */
+ "level": {
+ "type": "string"
+ },
+ "message": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "location": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ /*
+ * SIP::Info log support
+ * https://www.bro.org/sphinx/scripts/base/protocols/sip/main.bro.html#type-SIP::Info
+ *
+ * Notable Fields
+ * Field: trans_depth
+ * Notes: Field exists in the HTTP, SMTP, and SIP logs
+ *
+ * Field: method
+ * Notes: Field exists in the HTTP and SIP logs
+ *
+ * Field: uri
+ * Notes: Field exists in the HTTP and SIP logs
+ *
+ * Field: date
+ * Notes: Field exists in the SMTP and SIP logs
+ *
+ * Field: reply_to
+ * Notes: Field exists in the SMTP and SIP logs
+ *
+ * Field: subject
+ * Notes: Field exists in the KnownCerts, SMTP, SIP, and SSL logs
+ *
+ * Field: user_agent
+ * Notes: Field exists in the HTTP, SMTP, and SIP logs
+ *
+ * Field: status_code
+ * Notes: Field exists in the HTTP and SIP logs
+ *
+ * Field: status_msg
+ * Notes: Field exists in the HTTP and SIP logs
+ *
+ * Field: request_body_len
+ * Notes: Field exists in the HTTP and SIP logs
+ *
+ * Field: response_body_len
+ * Notes: Field exists in the HTTP and SIP logs
+ */
+ "request_from": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "request_to": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "response_from": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "response_to": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "call_id": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "seq": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "request_path": {
+ "type": "string"
+ },
+ "response_path": {
+ "type": "string"
+ },
+ "warning": {
+ "type": "string",
+ "index": "not_analyzed"
+ },
+ "content_type": {
+ "type": "string",
+ "index": "not_analyzed"
}
}
}
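Review bot: The Stats::Info counters `mem`, `pkts_proc`, `bytes_recv`, `pkts_dropped`, `pkts_link`, `events_proc`, `events_queued` and the `reassem_*_size` fields are mapped as `integer` (32-bit signed) although Bro emits them as `count`; on a busy sensor `bytes_recv` or `pkts_link` can exceed 2^31 within one stats interval, and Elasticsearch then rejects the whole stats document with a mapping exception — precisely the telemetry you need when deciding whether the sensor is dropping traffic. The template already uses `long` for `trans_id` and `extracted_size`, so `"bytes_recv": { "type": "long" }` (and likewise for the other counters) is the consistent fix. Separately, `"index": "not_analyzed"` on the numeric `gaps`, `acks` and `percent_lost` mappings is a no-op for non-string types and can be dropped to avoid implying those fields are strings. The enclosing `properties` object opens before this hunk.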
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/playbooks/docker_probe_install.yml
----------------------------------------------------------------------
diff --git a/metron-deployment/playbooks/docker_probe_install.yml b/metron-deployment/playbooks/docker_probe_install.yml
index a58ea52..75aa81b 100644
--- a/metron-deployment/playbooks/docker_probe_install.yml
+++ b/metron-deployment/playbooks/docker_probe_install.yml
@@ -32,7 +32,7 @@
vars:
metron_version: 0.4.2
metron_directory: /usr/metron/{{ metron_version }}
- bro_version: "2.4.2"
+ bro_version: "2.5.2"
fixbuf_version: "1.7.1"
yaf_version: "2.8.0"
daq_version: "2.0.6-1"
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/roles/bro/tasks/bro.yml
----------------------------------------------------------------------
diff --git a/metron-deployment/roles/bro/tasks/bro.yml b/metron-deployment/roles/bro/tasks/bro.yml
index d751674..222ef0e 100644
--- a/metron-deployment/roles/bro/tasks/bro.yml
+++ b/metron-deployment/roles/bro/tasks/bro.yml
@@ -29,6 +29,9 @@
- name: Compile and Install bro
shell: "{{ item }}"
+ environment:
+ CXX: /opt/rh/devtoolset-4/root/usr/bin/g++
+ CC: /opt/rh/devtoolset-4/root/usr/bin/gcc
args:
chdir: "/tmp/bro-{{ bro_version }}"
creates: "{{ bro_home }}/bin/bro"
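Review bot: The `creates: "{{ bro_home }}/bin/bro"` guard means this version bump never rebuilds Bro on a host that already has 2.4.2 under the same `bro_home`: the task is skipped as soon as any `bro` binary exists, so an in-place upgrade run silently keeps the old build while `bro_version` claims 2.5.2. If in-place upgrades are meant to be supported, key the guard on something version-specific — a pre-task that registers the output of `{{ bro_home }}/bin/bro --version` and a `when:` comparing it with `bro_version`, or a version-stamped marker file written after install. The same guard pattern appears in the kafka plugin task, which will likewise keep a plugin built against the old Bro ABI. The `with_items` list this loop runs over is outside the hunk.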
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/roles/bro/tasks/dependencies.yml
----------------------------------------------------------------------
diff --git a/metron-deployment/roles/bro/tasks/dependencies.yml b/metron-deployment/roles/bro/tasks/dependencies.yml
index fa20b71..a74557e 100644
--- a/metron-deployment/roles/bro/tasks/dependencies.yml
+++ b/metron-deployment/roles/bro/tasks/dependencies.yml
@@ -33,6 +33,17 @@
- perl
- crontabs
- net-tools
+ - centos-release-scl
+ register: result
+ until: result.rc == 0
+ retries: 5
+ delay: 10
+
+- name: Install additional prerequisites
+ yum: name={{ item }}
+ with_items:
+ - devtoolset-4-gcc
+ - devtoolset-4-gcc-c++
register: result
until: result.rc == 0
retries: 5
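Review bot: The devtoolset-4 compilers are installed from the Software Collections repository that `centos-release-scl` enables in the task above, with no version pin and no statement of the repo's GPG check, so the toolchain that builds the sensor binary and its Kafka plugin is whatever that repo serves on the day the playbook runs. For a reproducible, auditable sensor build I would pin the package versions in role vars (e.g. `- "devtoolset-4-gcc-{{ devtoolset_gcc_version }}"`) and make the GPG setting explicit with a `yum_repository` task rather than relying on the release package's defaults. Looping `yum` over `with_items` also runs one transaction per package; passing the list as `name:` lets yum resolve both in one go and halves the retry surface. The start of the first `yum` task is outside the hunk.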
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/roles/bro/tasks/metron-bro-plugin-kafka.yml
----------------------------------------------------------------------
diff --git a/metron-deployment/roles/bro/tasks/metron-bro-plugin-kafka.yml b/metron-deployment/roles/bro/tasks/metron-bro-plugin-kafka.yml
index b6e7b5c..f4575b3 100644
--- a/metron-deployment/roles/bro/tasks/metron-bro-plugin-kafka.yml
+++ b/metron-deployment/roles/bro/tasks/metron-bro-plugin-kafka.yml
@@ -23,6 +23,9 @@
- name: Compile and install the plugin
shell: "{{ item }}"
+ environment:
+ CXX: /opt/rh/devtoolset-4/root/usr/bin/g++
+ CC: /opt/rh/devtoolset-4/root/usr/bin/gcc
args:
chdir: "/tmp/metron-bro-plugin-kafka"
creates: "{{ bro_home }}/lib/bro/plugins/BRO_KAFKA"
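Review bot: The `CC`/`CXX` paths are duplicated verbatim from the Bro build task in bro.yml, and the plugin presumably has to be compiled with the same compiler as Bro itself for its plugin ABI to load, so the two should not be able to drift. Hoist them into role vars in vars/main.yml — `bro_cc: /opt/rh/devtoolset-4/root/usr/bin/gcc` and `bro_cxx: /opt/rh/devtoolset-4/root/usr/bin/g++` — and reference `"{{ bro_cc }}"`/`"{{ bro_cxx }}"` from both `environment:` blocks. As with the Bro task, the `creates:` guard keyed on the plugin directory means a host upgraded in place keeps the plugin built against the previous Bro version. The task's `with_items` list is outside the hunk.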
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-deployment/roles/bro/vars/main.yml
----------------------------------------------------------------------
diff --git a/metron-deployment/roles/bro/vars/main.yml b/metron-deployment/roles/bro/vars/main.yml
index 9519807..d99a8ef 100644
--- a/metron-deployment/roles/bro/vars/main.yml
+++ b/metron-deployment/roles/bro/vars/main.yml
@@ -16,7 +16,7 @@
#
---
bro_home: /usr/local/bro
-bro_version: 2.4.2
+bro_version: 2.5.2
bro_daemon_log: /var/log/bro.log
bro_topic: bro
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-platform/metron-integration-test/src/main/sample/data/bro/parsed/BroExampleParsed
----------------------------------------------------------------------
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/bro/parsed/BroExampleParsed b/metron-platform/metron-integration-test/src/main/sample/data/bro/parsed/BroExampleParsed
index b1d3102..8db8a5f 100644
--- a/metron-platform/metron-integration-test/src/main/sample/data/bro/parsed/BroExampleParsed
+++ b/metron-platform/metron-integration-test/src/main/sample/data/bro/parsed/BroExampleParsed
@@ -25,3 +25,7 @@
{"bro_timestamp":"1440447766.441298","ip_dst_port":1812,"source.type":"bro","result":"failed","uid":"CqF4zGzBOXFjTWqHh","protocol":"radius","original_string":"RADIUS | result:failed uid:CqF4zGzBOXFjTWqHh id.orig_p:53031 id.resp_p:1812 id.orig_h:127.0.0.1 ts:1440447766.441298 id.resp_h:127.0.0.1 username:steve","ip_dst_addr":"127.0.0.1","ip_src_port":53031,"guid":"b029735a-3e98-45a0-b8da-232967a34085","ip_src_addr":"127.0.0.1","username":"steve","timestamp":1440447766441}
{"certificate.key_length":1024,"bro_timestamp":"1216706999.661483","certificate.sig_alg":"sha1WithRSAEncryption","certificate.not_valid_before":1.2138336E9,"certificate.key_type":"rsa","basic_constraints.ca":false,"certificate.key_alg":"rsaEncryption","certificate.exponent":"65537","source.type":"bro","protocol":"x509","original_string":"X509 | certificate.key_length:1024 certificate.sig_alg:sha1WithRSAEncryption certificate.not_valid_before:1213833600.0 certificate.key_type:rsa basic_constraints.ca:false certificate.key_alg:rsaEncryption certificate.exponent:65537 certificate.version:3 certificate.subject:CN=login.live.com,OU=MSN-Passport,O=Microsoft Corporation,street=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=V1.0\\, Clause 5.(b),1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553 id:FkYBO41LPAXxh44KFk certificate.not_valid_after:1248134399.0 certificate.serial:6905C4A47CFDBF9DBC98DACE3
8835FB8 certificate.issuer:CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US ts:1216706999.661483","certificate.version":3,"certificate.subject":"CN=login.live.com,OU=MSN-Passport,O=Microsoft Corporation,street=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=V1.0\\, Clause 5.(b),1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553","guid":"578eac04-9024-49ab-828d-e25f01c33c82","id":"FkYBO41LPAXxh44KFk","certificate.not_valid_after":1.248134399E9,"certificate.serial":"6905C4A47CFDBF9DBC98DACE38835FB8","certificate.issuer":"CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https:\/\/www.verisign.com\/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\\, Inc.,C=US","timestamp":1216706999661}
{"bro_timestamp":"1258531221.486539","protocol":"known_devices","original_string":"KNOWN_DEVICES | dhcp_host_name:m57-jo mac:00:0b:db:63:58:a6 ts:1258531221.486539","dhcp_host_name":"m57-jo","guid":"e7a216d8-3623-4dea-af78-01da8c5e0bc5","mac":"00:0b:db:63:58:a6","timestamp":1258531221486,"source.type":"bro"}
+{"client_minor_version":"007","bro_timestamp":"1328634261.675248","client_major_version":"003","ip_dst_port":5900,"auth":true,"share_flag":false,"desktop_name":"aneagles@localhost.localdomain","source.type":"bro","authentication_method":"VNC","uid":"CGhHbC1P1kuJYtR4Ul","server_minor_version":"007","protocol":"rfb","original_string":"RFB | client_minor_version:007 id.orig_p:10254 client_major_version:003 auth:true id.resp_p:5900 share_flag:false desktop_name:aneagles@localhost.localdomain authentication_method:VNC uid:CGhHbC1P1kuJYtR4Ul server_minor_version:007 server_major_version:003 width:1280 id.orig_h:192.168.1.10 ts:1328634261.675248 id.resp_h:192.168.1.114 height:800","ip_dst_addr":"192.168.1.114","ip_src_port":10254,"server_major_version":"003","width":1280,"guid":"c2da5c0b-bfaf-4fff-80c4-be6040fdb57d","ip_src_addr":"192.168.1.10","height":800,"timestamp":1328634261675}
+{"dns_requests":0,"bro_timestamp":"1328634261.351352","reassem_frag_size":0,"protocol":"stats","original_string":"STATS | dns_requests:0 timers:35 active_udp_conns:0 reassem_frag_size:0 events_proc:392 active_icmp_conns:0 reassem_file_size:0 udp_conns:0 active_timers:32 events_queued:13 mem:55 reassem_tcp_size:0 peer:bro pkts_proc:1 icmp_conns:0 active_dns_requests:0 files:0 bytes_recv:62 active_files:0 tcp_conns:1 reassem_unknown_size:0 active_tcp_conns:1 ts:1328634261.351352","mem":55,"reassem_tcp_size":0,"peer":"bro","active_dns_requests":0,"active_files":0,"timestamp":1328634261351,"timers":35,"active_udp_conns":0,"events_proc":392,"active_icmp_conns":0,"reassem_file_size":0,"source.type":"bro","udp_conns":0,"active_timers":32,"events_queued":13,"pkts_proc":1,"icmp_conns":0,"files":0,"guid":"2ba97a72-8446-44ba-ac86-d491fa64a4c7","bytes_recv":62,"tcp_conns":1,"reassem_unknown_size":0,"active_tcp_conns":1}
+{"bro_timestamp":"1328634276.90953","protocol":"capture_loss","original_string":"CAPTURE_LOSS | peer:bro acks:710 ts_delta:15.558178 gaps:0 ts:1328634276.90953 percent_lost:0.0","peer":"bro","acks":710,"guid":"1587b0b9-2d85-4808-9aaa-9a19477e8f98","ts_delta":15.558178,"gaps":0,"percent_lost":0.0,"timestamp":1328634276909,"source.type":"bro"}
+{"bro_timestamp":"1216698600.338338","method":"REGISTER","ip_dst_port":10000,"request_body_len":0,"response_path":[],"uri":"sip:t.voncp.com:10000","call_id":"7757a70e218b95730dd2daeaac7d20b1@192.168.1.64","source.type":"bro","uid":"Cl2G2m3bdeE8F9I9ei","trans_depth":0,"request_from":"\"16178766111\" <sip:16178766111@t.voncp.com:10000>","protocol":"sip","original_string":"SIP | id.orig_p:1033 method:REGISTER request_body_len:0 id.resp_p:10000 response_path:[] uri:sip:t.voncp.com:10000 call_id:7757a70e218b95730dd2daeaac7d20b1@192.168.1.64 uid:Cl2G2m3bdeE8F9I9ei trans_depth:0 request_from:\"16178766111\" <sip:16178766111@t.voncp.com:10000> request_path:[\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\",\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\",\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\",\"SIP\\\/2.0\\\/UDP 192.168.1.64:10000\"] id.orig_h:192.168.1.64 request_to:\"16178766111\" <sip:16178766111@t.voncp.com:10000> seq:1761527957 REGISTER user_agent:VDV21 001DD92E4F61 2.8.1_1.4.7 LwooEk3GCD\/bcm001DD92
E4F61.xml ts:1216698600.338338 id.resp_h:69.59.232.120","ip_dst_addr":"69.59.232.120","ip_src_port":1033,"request_path":["SIP\/2.0\/UDP 192.168.1.64:10000","SIP\/2.0\/UDP 192.168.1.64:10000","SIP\/2.0\/UDP 192.168.1.64:10000","SIP\/2.0\/UDP 192.168.1.64:10000"],"guid":"a4d1d1c2-b55f-46c5-bd41-d741c9926ff1","request_to":"\"16178766111\" <sip:16178766111@t.voncp.com:10000>","ip_src_addr":"192.168.1.64","seq":"1761527957 REGISTER","user_agent":"VDV21 001DD92E4F61 2.8.1_1.4.7 LwooEk3GCD\/bcm001DD92E4F61.xml","timestamp":1216698600338}
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput
----------------------------------------------------------------------
diff --git a/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput b/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput
index 5c88714..e75c6b9 100644
--- a/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput
+++ b/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput
@@ -25,3 +25,7 @@
{"radius": {"ts":1440447766.441298,"uid":"CqF4zGzBOXFjTWqHh","id.orig_h":"127.0.0.1","id.orig_p":53031,"id.resp_h":"127.0.0.1","id.resp_p":1812,"username":"steve","result":"failed"}}
{"x509": {"ts":1216706999.661483,"id":"FkYBO41LPAXxh44KFk","certificate.version":3,"certificate.serial":"6905C4A47CFDBF9DBC98DACE38835FB8","certificate.subject":"CN=login.live.com,OU=MSN-Passport,O=Microsoft Corporation,street=One Microsoft Way,L=Redmond,ST=Washington,postalCode=98052,C=US,serialNumber=600413485,businessCategory=V1.0\u005c, Clause 5.(b),1.3.6.1.4.1.311.60.2.1.2=#130A57617368696E67746F6E,1.3.6.1.4.1.311.60.2.1.3=#13025553","certificate.issuer":"CN=VeriSign Class 3 Extended Validation SSL CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign\u005c, Inc.,C=US","certificate.not_valid_before":1213833600.0,"certificate.not_valid_after":1248134399.0,"certificate.key_alg":"rsaEncryption","certificate.sig_alg":"sha1WithRSAEncryption","certificate.key_type":"rsa","certificate.key_length":1024,"certificate.exponent":"65537","basic_constraints.ca":false}}
{"known_devices": {"ts":1258531221.486539,"mac":"00:0b:db:63:58:a6","dhcp_host_name":"m57-jo"}}
+{"rfb": {"ts":1328634261.675248,"uid":"CGhHbC1P1kuJYtR4Ul","id.orig_h":"192.168.1.10","id.orig_p":10254,"id.resp_h":"192.168.1.114","id.resp_p":5900,"client_major_version":"003","client_minor_version":"007","server_major_version":"003","server_minor_version":"007","authentication_method":"VNC","auth":true,"share_flag":false,"desktop_name":"aneagles@localhost.localdomain","width":1280,"height":800}}
+{"stats": {"ts":1328634261.351352,"peer":"bro","mem":55,"pkts_proc":1,"bytes_recv":62,"events_proc":392,"events_queued":13,"active_tcp_conns":1,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":1,"udp_conns":0,"icmp_conns":0,"timers":35,"active_timers":32,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0}}
+{"capture_loss": {"ts":1328634276.90953,"ts_delta":15.558178,"peer":"bro","gaps":0,"acks":710,"percent_lost":0.0}}
+{"sip": {"ts":1216698600.338338,"uid":"Cl2G2m3bdeE8F9I9ei","id.orig_h":"192.168.1.64","id.orig_p":1033,"id.resp_h":"69.59.232.120","id.resp_p":10000,"trans_depth":0,"method":"REGISTER","uri":"sip:t.voncp.com:10000","request_from":"\u002216178766111\u0022 <sip:16178766111@t.voncp.com:10000>","request_to":"\u002216178766111\u0022 <sip:16178766111@t.voncp.com:10000>","call_id":"7757a70e218b95730dd2daeaac7d20b1@192.168.1.64","seq":"1761527957 REGISTER","request_path":["SIP/2.0/UDP 192.168.1.64:10000","SIP/2.0/UDP 192.168.1.64:10000","SIP/2.0/UDP 192.168.1.64:10000","SIP/2.0/UDP 192.168.1.64:10000"],"response_path":[],"user_agent":"VDV21 001DD92E4F61 2.8.1_1.4.7 LwooEk3GCD/bcm001DD92E4F61.xml","request_body_len":0}}
http://git-wip-us.apache.org/repos/asf/metron/blob/59fe1b45/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bro/BasicBroParserTest.java
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bro/BasicBroParserTest.java b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bro/BasicBroParserTest.java
index aa60d1f..9d716e5 100644
--- a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bro/BasicBroParserTest.java
+++ b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/bro/BasicBroParserTest.java
@@ -1133,6 +1133,232 @@ public class BasicBroParserTest {
}
/**
+ * {
+ * "rfb": {
+ * "ts":1328634261.675248,
+ * "uid":"CGhHbC1P1kuJYtR4Ul",
+ * "id.orig_h":"192.168.1.10",
+ * "id.orig_p":10254,
+ * "id.resp_h":"192.168.1.114",
+ * "id.resp_p":5900,
+ * "client_major_version":"003",
+ * "client_minor_version":"007",
+ * "server_major_version":"003",
+ * "server_minor_version":"007",
+ * "authentication_method":"VNC",
+ * "auth":true,
+ * "share_flag":false,
+ * "desktop_name":"aneagles@localhost.localdomain",
+ * "width":1280,
+ * "height":800
+ * }
+ * }
+ */
+ @Multiline
+ public final static String rfbBroMessage;
+
+ @SuppressWarnings("rawtypes")
+ @Test
+ public void testRfbBroMessage() throws ParseException {
+ Map rawMessageMap = (Map) jsonParser.parse(rfbBroMessage);
+ JSONObject rawJson = (JSONObject) rawMessageMap.get(rawMessageMap.keySet().iterator().next());
+
+ JSONObject broJson = broParser.parse(rfbBroMessage.getBytes()).get(0);
+ String expectedBroTimestamp = "1328634261.675248";
+ Assert.assertEquals(broJson.get("bro_timestamp"), expectedBroTimestamp);
+ String expectedTimestamp = "1328634261675";
+ Assert.assertEquals(broJson.get("timestamp").toString(), expectedTimestamp);
+ Assert.assertTrue(broJson.get("original_string").toString().startsWith(rawMessageMap.keySet().iterator().next().toString().toUpperCase()));
+
+ Assert.assertEquals(broJson.get("uid").toString(), rawJson.get("uid").toString());
+ Assert.assertEquals(broJson.get("ip_src_addr").toString(), rawJson.get("id.orig_h").toString());
+ Assert.assertEquals(broJson.get("ip_dst_addr").toString(), rawJson.get("id.resp_h").toString());
+ Assert.assertEquals(broJson.get("ip_src_port").toString(), rawJson.get("id.orig_p").toString());
+ Assert.assertEquals(broJson.get("ip_dst_port").toString(), rawJson.get("id.resp_p").toString());
+ Assert.assertEquals(broJson.get("client_major_version").toString(), rawJson.get("client_major_version").toString());
+ Assert.assertEquals(broJson.get("client_minor_version").toString(), rawJson.get("client_minor_version").toString());
+ Assert.assertEquals(broJson.get("server_major_version").toString(), rawJson.get("server_major_version").toString());
+ Assert.assertEquals(broJson.get("server_minor_version").toString(), rawJson.get("server_minor_version").toString());
+ Assert.assertEquals(broJson.get("authentication_method").toString(), rawJson.get("authentication_method").toString());
+ Assert.assertEquals(broJson.get("auth").toString(), rawJson.get("auth").toString());
+ Assert.assertEquals(broJson.get("share_flag").toString(), rawJson.get("share_flag").toString());
+ Assert.assertEquals(broJson.get("desktop_name").toString(), rawJson.get("desktop_name").toString());
+ Assert.assertEquals(broJson.get("width").toString(), rawJson.get("width").toString());
+ Assert.assertEquals(broJson.get("height").toString(), rawJson.get("height").toString());
+ }
+
+ /**
+ * {
+ * "stats": {
+ * "ts":1440447766.440305
+ * "peer":"bro",
+ * "mem":55,
+ * "pkts_proc":1,
+ * "bytes_recv":119,
+ * "events_proc":392,
+ * "events_queued":15,
+ * "active_tcp_conns":0,
+ * "active_udp_conns":1,
+ * "active_icmp_conns":0,
+ * "tcp_conns":0,
+ * "udp_conns":1,
+ * "icmp_conns":0,
+ * "timers":34,
+ * "active_timers":31,
+ * "files":0,
+ * "active_files":0,
+ * "dns_requests":0,
+ * "active_dns_requests":0,
+ * "reassem_tcp_size":0,
+ * "reassem_file_size":0,
+ * "reassem_frag_size":0,
+ * "reassem_unknown_size":0
+ * }
+ * }
+ */
+ @Multiline
+ public final static String statsBroMessage;
+
+ @SuppressWarnings("rawtypes")
+ @Test
+ public void testStatsBroMessage() throws ParseException {
+ Map rawMessageMap = (Map) jsonParser.parse(statsBroMessage);
+ JSONObject rawJson = (JSONObject) rawMessageMap.get(rawMessageMap.keySet().iterator().next());
+
+ JSONObject broJson = broParser.parse(statsBroMessage.getBytes()).get(0);
+ String expectedBroTimestamp = "1440447766.440305";
+ Assert.assertEquals(broJson.get("bro_timestamp"), expectedBroTimestamp);
+ String expectedTimestamp = "1440447766440";
+ Assert.assertEquals(broJson.get("timestamp").toString(), expectedTimestamp);
+ Assert.assertTrue(broJson.get("original_string").toString().startsWith(rawMessageMap.keySet().iterator().next().toString().toUpperCase()));
+
+ Assert.assertEquals(broJson.get("peer").toString(), rawJson.get("peer").toString());
+ Assert.assertEquals(broJson.get("mem").toString(), rawJson.get("mem").toString());
+ Assert.assertEquals(broJson.get("pkts_proc").toString(), rawJson.get("pkts_proc").toString());
+ Assert.assertEquals(broJson.get("bytes_recv").toString(), rawJson.get("bytes_recv").toString());
+ Assert.assertEquals(broJson.get("events_proc").toString(), rawJson.get("events_proc").toString());
+ Assert.assertEquals(broJson.get("events_queued").toString(), rawJson.get("events_queued").toString());
+ Assert.assertEquals(broJson.get("active_tcp_conns").toString(), rawJson.get("active_tcp_conns").toString());
+ Assert.assertEquals(broJson.get("active_udp_conns").toString(), rawJson.get("active_udp_conns").toString());
+ Assert.assertEquals(broJson.get("active_icmp_conns").toString(), rawJson.get("active_icmp_conns").toString());
+ Assert.assertEquals(broJson.get("tcp_conns").toString(), rawJson.get("tcp_conns").toString());
+ Assert.assertEquals(broJson.get("udp_conns").toString(), rawJson.get("udp_conns").toString());
+ Assert.assertEquals(broJson.get("icmp_conns").toString(), rawJson.get("icmp_conns").toString());
+ Assert.assertEquals(broJson.get("timers").toString(), rawJson.get("timers").toString());
+ Assert.assertEquals(broJson.get("active_timers").toString(), rawJson.get("active_timers").toString());
+ Assert.assertEquals(broJson.get("files").toString(), rawJson.get("files").toString());
+ Assert.assertEquals(broJson.get("active_files").toString(), rawJson.get("active_files").toString());
+ Assert.assertEquals(broJson.get("dns_requests").toString(), rawJson.get("dns_requests").toString());
+ Assert.assertEquals(broJson.get("active_dns_requests").toString(), rawJson.get("active_dns_requests").toString());
+ Assert.assertEquals(broJson.get("reassem_tcp_size").toString(), rawJson.get("reassem_tcp_size").toString());
+ Assert.assertEquals(broJson.get("reassem_file_size").toString(), rawJson.get("reassem_file_size").toString());
+ Assert.assertEquals(broJson.get("reassem_frag_size").toString(), rawJson.get("reassem_frag_size").toString());
+ Assert.assertEquals(broJson.get("reassem_unknown_size").toString(), rawJson.get("reassem_unknown_size").toString());
+ }
+
+ /**
+ * {
+ * "capture_loss": {
+ * "ts":1320435958.419451,
+ * "ts_delta":493.659207,
+ * "peer":"bro",
+ * "gaps":2,
+ * "acks":4854,
+ * "percent_lost":0.041203
+ * }
+ * }
+ */
+ @Multiline
+ public final static String captureLossBroMessage;
+
+ @SuppressWarnings("rawtypes")
+ @Test
+ public void testCaptureLossBroMessage() throws ParseException {
+ Map rawMessageMap = (Map) jsonParser.parse(captureLossBroMessage);
+ JSONObject rawJson = (JSONObject) rawMessageMap.get(rawMessageMap.keySet().iterator().next());
+
+ JSONObject broJson = broParser.parse(captureLossBroMessage.getBytes()).get(0);
+ String expectedBroTimestamp = "1320435958.419451";
+ Assert.assertEquals(broJson.get("bro_timestamp"), expectedBroTimestamp);
+ String expectedTimestamp = "1320435958419";
+ Assert.assertEquals(broJson.get("timestamp").toString(), expectedTimestamp);
+ Assert.assertTrue(broJson.get("original_string").toString().startsWith(rawMessageMap.keySet().iterator().next().toString().toUpperCase()));
+
+ Assert.assertEquals(broJson.get("ts_delta").toString(), rawJson.get("ts_delta").toString());
+ Assert.assertEquals(broJson.get("peer").toString(), rawJson.get("peer").toString());
+ Assert.assertEquals(broJson.get("gaps").toString(), rawJson.get("gaps").toString());
+ Assert.assertEquals(broJson.get("acks").toString(), rawJson.get("acks").toString());
+ Assert.assertEquals(broJson.get("percent_lost").toString(), rawJson.get("percent_lost").toString());
+ }
+
+ /**
+ * {
+ * "sip": {
+ * "ts":1216698441.346819,
+ * "uid":"Cf3LPS10DMyCqJMDv9",
+ * "id.orig_h":"192.168.1.64",
+ * "id.orig_p":1032,
+ * "id.resp_h":"216.115.20.143",
+ * "id.resp_p":10000,
+ * "trans_depth":0,
+ * "method":"REGISTER",
+ * "uri":"sip:t.voncp.com:10000",
+ * "request_from":"\\u002216178766111\\u0022 <sip:16178766111@t.voncp.com:10000>",
+ * "request_to":"\\u002216178766111\\u0022 <sip:16178766111@t.voncp.com:10000>",
+ * "response_from":"\\u002216178766111\\u0022 <sip:16178766111@t.voncp.com:10000>",
+ * "response_to":"\\u002216178766111\\u0022 <sip:16178766111@t.voncp.com:10000>",
+ * "call_id":"7757a70e218b95730dd2daeaac7d20b1@192.168.1.64",
+ * "seq":"1761527952 REGISTER",
+ * "request_path":["SIP/2.0/UDP 192.168.1.64:10000"],
+ * "response_path":["SIP/2.0/UDP 192.168.1.64:10000"],
+ * "user_agent":"VDV21 001DD92E4F61 2.8.1_1.4.7 LwooEk3GCD/bcm001DD92E4F61.xml",
+ * "status_code":200,
+ * "status_msg":"OK",
+ * "request_body_len":0,
+ * "response_body_len":0
+ * }
+ * }
+ */
+ @Multiline
+ public final static String sipBroMessage;
+
+ @SuppressWarnings("rawtypes")
+ @Test
+ public void testSipBroMessage() throws ParseException {
+ Map rawMessageMap = (Map) jsonParser.parse(sipBroMessage);
+ JSONObject rawJson = (JSONObject) rawMessageMap.get(rawMessageMap.keySet().iterator().next());
+
+ JSONObject broJson = broParser.parse(sipBroMessage.getBytes()).get(0);
+ String expectedBroTimestamp = "1216698441.346819";
+ Assert.assertEquals(broJson.get("bro_timestamp"), expectedBroTimestamp);
+ String expectedTimestamp = "1216698441346";
+ Assert.assertEquals(broJson.get("timestamp").toString(), expectedTimestamp);
+ Assert.assertTrue(broJson.get("original_string").toString().startsWith(rawMessageMap.keySet().iterator().next().toString().toUpperCase()));
+
+ Assert.assertEquals(broJson.get("uid").toString(), rawJson.get("uid").toString());
+ Assert.assertEquals(broJson.get("ip_src_addr").toString(), rawJson.get("id.orig_h").toString());
+ Assert.assertEquals(broJson.get("ip_dst_addr").toString(), rawJson.get("id.resp_h").toString());
+ Assert.assertEquals(broJson.get("ip_src_port").toString(), rawJson.get("id.orig_p").toString());
+ Assert.assertEquals(broJson.get("ip_dst_port").toString(), rawJson.get("id.resp_p").toString());
+ Assert.assertEquals(broJson.get("trans_depth").toString(), rawJson.get("trans_depth").toString());
+ Assert.assertEquals(broJson.get("method").toString(), rawJson.get("method").toString());
+ Assert.assertEquals(broJson.get("uri").toString(), rawJson.get("uri").toString());
+ Assert.assertEquals(broJson.get("request_from").toString(), rawJson.get("request_from").toString());
+ Assert.assertEquals(broJson.get("request_to").toString(), rawJson.get("request_to").toString());
+ Assert.assertEquals(broJson.get("response_from").toString(), rawJson.get("response_from").toString());
+ Assert.assertEquals(broJson.get("response_to").toString(), rawJson.get("response_to").toString());
+ Assert.assertEquals(broJson.get("call_id").toString(), rawJson.get("call_id").toString());
+ Assert.assertEquals(broJson.get("seq").toString(), rawJson.get("seq").toString());
+ Assert.assertEquals(broJson.get("request_path").toString(), rawJson.get("request_path").toString());
+ Assert.assertEquals(broJson.get("response_path").toString(), rawJson.get("response_path").toString());
+ Assert.assertEquals(broJson.get("user_agent").toString(), rawJson.get("user_agent").toString());
+ Assert.assertEquals(broJson.get("status_code").toString(), rawJson.get("status_code").toString());
+ Assert.assertEquals(broJson.get("status_msg").toString(), rawJson.get("status_msg").toString());
+ Assert.assertEquals(broJson.get("request_body_len").toString(), rawJson.get("request_body_len").toString());
+ Assert.assertEquals(broJson.get("response_body_len").toString(), rawJson.get("response_body_len").toString());
+ }
+
+ /**
* {
* "ht*tp": {
* "ts":1402307733.473,
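Review bot: The stats fixture is missing the comma after `"ts":1440447766.440305`, so `statsBroMessage` is not well-formed JSON; json-simple's parser appears lenient enough to let the test pass anyway, but the line should read `"ts":1440447766.440305,` so the fixture matches the sample record in BroExampleOutput and does not depend on parser leniency. The SIP fixture writes `\\u0022` for `request_from`/`request_to`/`response_from`/`response_to`, and if @Multiline takes the Javadoc text literally that decodes to a backslash followed by `u0022` rather than the `"` the real log line carries, so this test does not exercise the quoted-display-name case the sample data does; a single `\u0022` would align it. All four new tests also call `getBytes()` with the platform default charset, and `getBytes(StandardCharsets.UTF_8)` would keep them deterministic across JVM locales. The `Assert.assertEquals` calls pass the parsed value first and the expected value second, which inverts the wording of any failure message.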