Posted to commits@metron.apache.org by le...@apache.org on 2018/02/16 18:06:42 UTC
metron git commit: METRON-941 native PaloAlto parser corrupts message
when having a comma in the payload (ctramnitz via justinleet) closes
apache/metron#579
Repository: metron
Updated Branches:
refs/heads/master fa5cff2c3 -> 5f08ba0b1
METRON-941 native PaloAlto parser corrupts message when having a comma in the payload (ctramnitz via justinleet) closes apache/metron#579
Project: http://git-wip-us.apache.org/repos/asf/metron/repo
Commit: http://git-wip-us.apache.org/repos/asf/metron/commit/5f08ba0b
Tree: http://git-wip-us.apache.org/repos/asf/metron/tree/5f08ba0b
Diff: http://git-wip-us.apache.org/repos/asf/metron/diff/5f08ba0b
Branch: refs/heads/master
Commit: 5f08ba0b1dbe6ba19e8525055f639ecdb85291fc
Parents: fa5cff2
Author: ctramnitz <ct...@users.noreply.github.com>
Authored: Fri Feb 16 13:05:06 2018 -0500
Committer: leet <le...@apache.org>
Committed: Fri Feb 16 13:05:06 2018 -0500
----------------------------------------------------------------------
Upgrading.md | 18 +
.../paloalto/BasicPaloAltoFirewallParser.java | 333 +++++++++----
.../BasicPaloAltoFirewallParserTest.java | 493 ++++++++++++++++++-
.../logData/PaloAltoFirewallParserTest.txt | 2 -
4 files changed, 718 insertions(+), 128 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/metron/blob/5f08ba0b/Upgrading.md
----------------------------------------------------------------------
diff --git a/Upgrading.md b/Upgrading.md
index 047b68e..19da992 100644
--- a/Upgrading.md
+++ b/Upgrading.md
@@ -19,6 +19,24 @@ limitations under the License.
This document constitutes a per-version listing of changes of
configuration which are non-backwards compatible.
+## 0.4.2 to 0.4.3
+
+### [METRON-941: native PaloAlto parser corrupts message when having a comma in the payload](https://issues.apache.org/jira/browse/METRON-941)
+While modifying the PaloAlto log parser to support logs from newer
+PAN-OS version and to not break when a message payload contains a
+comma, some field names were changed to extend the coverage, fix some
+duplicate names and change some field names to the Metron standard
+message format.
+
+Installations making use of this parser should check, if the resulting
+messages still meet their expectations and adjust downstream configurations
+(i.e. ElasticSearch template) accordingly.
+
+*Note:* Previously, the samples for the test contained a full syslog line
+(including syslog header). This did - and will continue to - create a
+broken "domain" field in the parsed message. It is recommended to only feed
+the syslog message part to the parser for now.
+
## 0.4.1 to 0.4.2
### [METRON-1277: STELLAR Add Match functionality to language](https://issues.apache.org/jira/browse/METRON-1277)
http://git-wip-us.apache.org/repos/asf/metron/blob/5f08ba0b/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/paloalto/BasicPaloAltoFirewallParser.java
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/paloalto/BasicPaloAltoFirewallParser.java b/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/paloalto/BasicPaloAltoFirewallParser.java
index 46155b3..9051f09 100644
--- a/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/paloalto/BasicPaloAltoFirewallParser.java
+++ b/metron-platform/metron-parsers/src/main/java/org/apache/metron/parsers/paloalto/BasicPaloAltoFirewallParser.java
@@ -18,6 +18,8 @@
package org.apache.metron.parsers.paloalto;
+import com.google.common.base.Splitter;
+import com.google.common.collect.Iterables;
import org.apache.metron.parsers.BasicParser;
import org.json.simple.JSONObject;
import org.slf4j.Logger;
@@ -28,68 +30,113 @@ import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
+import java.util.regex.Pattern;
public class BasicPaloAltoFirewallParser extends BasicParser {
+ private static boolean empty_attribute( final String s ) {
+ return s == null || s.trim().isEmpty() || s.equals("\"\"");
+ }
+
+ private static String unquoted_attribute( String s ) {
+ s = s.trim();
+ if ( s.startsWith( "\"" ) && s.endsWith( "\"" ) )
+ return s.substring( 1, s.length( ) - 1 );
+ return s;
+ }
+
private static final Logger _LOG = LoggerFactory.getLogger
(BasicPaloAltoFirewallParser.class);
private static final long serialVersionUID = 3147090149725343999L;
public static final String PaloAltoDomain = "palo_alto_domain";
public static final String ReceiveTime = "receive_time";
- public static final String SerialNum = "serial_num";
+ public static final String SerialNum = "serial";
public static final String Type = "type";
- public static final String ThreatContentType = "threat_content_type";
+ public static final String ThreatContentType = "subtype";
public static final String ConfigVersion = "config_version";
- public static final String GenerateTime = "generate_time";
- public static final String SourceAddress = "source_address";
- public static final String DestinationAddress = "destination_address";
- public static final String NATSourceIP = "nat_source_ip";
- public static final String NATDestinationIP = "nat_destination_ip";
+ public static final String GenerateTime = "time_generated";
+ public static final String SourceAddress = "ip_src_addr"; // Palo Alto name: "src"
+ public static final String DestinationAddress = "ip_dst_addr"; // Palo Alto name: "dst"
+ public static final String NATSourceIP = "natsrc";
+ public static final String NATDestinationIP = "natdst";
public static final String Rule = "rule";
- public static final String SourceUser = "source_user";
- public static final String DestinationUser = "destination_user";
- public static final String Application = "application";
- public static final String VirtualSystem = "virtual_system";
- public static final String SourceZone = "source_zone";
- public static final String DestinationZone = "destination_zone";
- public static final String InboundInterface = "inbound_interface";
- public static final String OutboundInterface = "outbound_interface";
+ public static final String SourceUser = "srcuser";
+ public static final String DestinationUser = "dstuser";
+ public static final String Application = "app";
+ public static final String VirtualSystem = "vsys";
+ public static final String SourceZone = "from";
+ public static final String DestinationZone = "to";
+ public static final String InboundInterface = "inbound_if";
+ public static final String OutboundInterface = "outbound_if";
public static final String LogAction = "log_action";
- public static final String TimeLogged = "time_logged";
- public static final String SessionID = "session_id";
- public static final String RepeatCount = "repeat_count";
- public static final String SourcePort = "source_port";
- public static final String DestinationPort = "destination_port";
- public static final String NATSourcePort = "nats_source_port";
- public static final String NATDestinationPort = "nats_destination_port";
+ public static final String TimeLogged = "start";
+ public static final String SessionID = "sessionid";
+ public static final String RepeatCount = "repeatcnt";
+ public static final String SourcePort = "ip_src_port"; // Palo Alto name: "sport"
+ public static final String DestinationPort = "ip_dst_port"; // Palo Alto name: "dport"
+ public static final String NATSourcePort = "natsport";
+ public static final String NATDestinationPort = "natdport";
public static final String Flags = "flags";
- public static final String IPProtocol = "ip_protocol";
+ public static final String IPProtocol = "protocol"; // Palo Alto name: "proto"
public static final String Action = "action";
+ public static final String Seqno = "seqno";
+ public static final String ActionFlags = "actionflags";
+ public static final String Category = "category";
+ public static final String DGH1 = "dg_hier_level_1";
+ public static final String DGH2 = "dg_hier_level_2";
+ public static final String DGH3 = "dg_hier_level_3";
+ public static final String DGH4 = "dg_hier_level_4";
+ public static final String VSYSName = "vsys_name";
+ public static final String DeviceName = "device_name";
+ public static final String ActionSource = "action_source";
+ public static final String ParserVersion = "parser_version";
+ public static final String Tokens = "tokens_seen";
+
+ public static final String SourceVmUuid = "source_vm_uuid";
+ public static final String DestinationVmUuid = "destination_vm_uuid";
+ public static final String TunnelId = "tunnel_id";
+ public static final String MonitorTag = "monitor_tag";
+ public static final String ParentSessionId = "parent_session_id";
+ public static final String ParentSessionStartTime = "parent_session_start_time";
+ public static final String TunnelType = "tunnel_type";
//Threat
public static final String URL = "url";
public static final String HOST = "host";
- public static final String ThreatContentName = "threat_content_name";
- public static final String Category = "category";
+ public static final String ThreatID = "threatid";
+ public static final String Severity = "severity";
public static final String Direction = "direction";
- public static final String Seqno = "seqno";
- public static final String ActionFlags = "action_flags";
- public static final String SourceCountry = "source_country";
- public static final String DestinationCountry = "destination_country";
- public static final String Cpadding = "cpadding";
- public static final String ContentType = "content_type";
+ public static final String SourceLocation = "srcloc";
+ public static final String DestinationLocation = "dstloc";
+ public static final String ContentType = "contenttype";
+ public static final String PCAPID = "pcap_id";
+ public static final String WFFileDigest = "filedigest";
+ public static final String WFCloud = "cloud";
+ public static final String UserAgent= "user_agent";
+ public static final String WFFileType = "filetype";
+ public static final String XForwardedFor = "xff";
+ public static final String Referer = "referer";
+ public static final String WFSender = "sender";
+ public static final String WFSubject = "subject";
+ public static final String WFRecipient = "recipient";
+ public static final String WFReportID = "reportid";
+ public static final String URLIndex = "url_idx";
+ public static final String HTTPMethod = "http_method";
+ public static final String ThreatCategory = "threat_category";
+ public static final String ContentVersion = "content_version";
+
//Traffic
- public static final String Bytes = "content_type";
- public static final String BytesSent = "content_type";
- public static final String BytesReceived = "content_type";
- public static final String Packets = "content_type";
- public static final String StartTime = "content_type";
- public static final String ElapsedTimeInSec = "content_type";
- public static final String Padding = "content_type";
+ public static final String Bytes = "bytes";
+ public static final String BytesSent = "bytes_sent";
+ public static final String BytesReceived = "bytes_received";
+ public static final String Packets = "packets";
+ public static final String StartTime = "start";
+ public static final String ElapsedTimeInSec = "elapsed";
public static final String PktsSent = "pkts_sent";
public static final String PktsReceived = "pkts_received";
+ public static final String EndReason = "session_end_reason";
@Override
public void configure(Map<String, Object> parserConfig) {
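Review bot: The renamed constants reintroduce the duplicate-field problem this commit sets out to fix: `TimeLogged` and `StartTime` both now resolve to the literal "start", so in a TRAFFIC record the value from token 21 and the value from token 35 are written to the same JSON key and the later put silently overwrites the earlier one. If PAN-OS really emits the same timestamp in both positions the `StartTime` constant is redundant and should be removed; otherwise give it a distinct name, e.g. `public static final String StartTime = "session_start"; // Palo Alto name: "start"`, and list it in the Upgrading.md field-rename note. A one-line comment on the constant block stating that every value must be unique (`// Field names must be unique: two constants with the same value overwrite each other in the output map`) would make the invariant visible to the next person adding a PAN-OS version.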
@@ -117,12 +164,6 @@ public class BasicPaloAltoFirewallParser extends BasicParser {
parseMessage(toParse, outputMessage);
long timestamp = System.currentTimeMillis();
outputMessage.put("timestamp", System.currentTimeMillis());
- outputMessage.put("ip_src_addr", outputMessage.remove("source_address"));
- outputMessage.put("ip_src_port", outputMessage.remove("source_port"));
- outputMessage.put("ip_dst_addr", outputMessage.remove("destination_address"));
- outputMessage.put("ip_dst_port", outputMessage.remove("destination_port"));
- outputMessage.put("protocol", outputMessage.remove("ip_protocol"));
-
outputMessage.put("original_string", toParse);
messages.add(outputMessage);
return messages;
@@ -136,77 +177,157 @@ public class BasicPaloAltoFirewallParser extends BasicParser {
@SuppressWarnings("unchecked")
private void parseMessage(String message, JSONObject outputMessage) {
- String[] tokens = message.split(",");
+ String[] tokens = Iterables.toArray(Splitter.on(Pattern.compile(",(?=(?:[^\"]*\"[^\"]*\")*[^\"]*$)")).split(message), String.class);
+ int parser_version = 0;
String type = tokens[3].trim();
//populate common objects
- outputMessage.put(PaloAltoDomain, tokens[0].trim());
- outputMessage.put(ReceiveTime, tokens[1].trim());
- outputMessage.put(SerialNum, tokens[2].trim());
+ if( !empty_attribute( tokens[0] ) ) outputMessage.put(PaloAltoDomain, tokens[0].trim());
+ if( !empty_attribute( tokens[1] ) ) outputMessage.put(ReceiveTime, tokens[1].trim());
+ if( !empty_attribute( tokens[2] ) ) outputMessage.put(SerialNum, tokens[2].trim());
outputMessage.put(Type, type);
- outputMessage.put(ThreatContentType, tokens[4].trim());
- outputMessage.put(ConfigVersion, tokens[5].trim());
- outputMessage.put(GenerateTime, tokens[6].trim());
- outputMessage.put(SourceAddress, tokens[7].trim());
- outputMessage.put(DestinationAddress, tokens[8].trim());
- outputMessage.put(NATSourceIP, tokens[9].trim());
- outputMessage.put(NATDestinationIP, tokens[10].trim());
- outputMessage.put(Rule, tokens[11].trim());
- outputMessage.put(SourceUser, tokens[12].trim());
- outputMessage.put(DestinationUser, tokens[13].trim());
- outputMessage.put(Application, tokens[14].trim());
- outputMessage.put(VirtualSystem, tokens[15].trim());
- outputMessage.put(SourceZone, tokens[16].trim());
- outputMessage.put(DestinationZone, tokens[17].trim());
- outputMessage.put(InboundInterface, tokens[18].trim());
- outputMessage.put(OutboundInterface, tokens[19].trim());
- outputMessage.put(LogAction, tokens[20].trim());
- outputMessage.put(TimeLogged, tokens[21].trim());
- outputMessage.put(SessionID, tokens[22].trim());
- outputMessage.put(RepeatCount, tokens[23].trim());
- outputMessage.put(SourcePort, tokens[24].trim());
- outputMessage.put(DestinationPort, tokens[25].trim());
- outputMessage.put(NATSourcePort, tokens[26].trim());
- outputMessage.put(NATDestinationPort, tokens[27].trim());
- outputMessage.put(Flags, tokens[28].trim());
- outputMessage.put(IPProtocol, tokens[29].trim());
- outputMessage.put(Action, tokens[30].trim());
+ if( !empty_attribute( tokens[4] ) ) outputMessage.put(ThreatContentType, unquoted_attribute(tokens[4]));
+ if( !empty_attribute( tokens[5] ) ) outputMessage.put(ConfigVersion, tokens[5].trim());
+ if( !empty_attribute( tokens[6] ) ) outputMessage.put(GenerateTime, tokens[6].trim());
+ if( !empty_attribute( tokens[7] ) ) outputMessage.put(SourceAddress, tokens[7].trim());
+ if( !empty_attribute( tokens[8] ) ) outputMessage.put(DestinationAddress, tokens[8].trim());
+ if( !empty_attribute( tokens[9] ) ) outputMessage.put(NATSourceIP, tokens[9].trim());
+ if( !empty_attribute( tokens[10] ) ) outputMessage.put(NATDestinationIP, tokens[10].trim());
+ if( !empty_attribute( tokens[11] ) ) outputMessage.put(Rule, unquoted_attribute(tokens[11]));
+ if( !empty_attribute( tokens[12] ) ) outputMessage.put(SourceUser, unquoted_attribute(tokens[12]));
+ if( !empty_attribute( tokens[13] ) ) outputMessage.put(DestinationUser, unquoted_attribute(tokens[13]));
+ if( !empty_attribute( tokens[14] ) ) outputMessage.put(Application, unquoted_attribute(tokens[14]));
+ if( !empty_attribute( tokens[15] ) ) outputMessage.put(VirtualSystem, unquoted_attribute(tokens[15]));
+ if( !empty_attribute( tokens[16] ) ) outputMessage.put(SourceZone, unquoted_attribute(tokens[16]));
+ if( !empty_attribute( tokens[17] ) ) outputMessage.put(DestinationZone, unquoted_attribute(tokens[17]));
+ if( !empty_attribute( tokens[18] ) ) outputMessage.put(InboundInterface, unquoted_attribute(tokens[18]));
+ if( !empty_attribute( tokens[19] ) ) outputMessage.put(OutboundInterface, unquoted_attribute(tokens[19]));
+ if( !empty_attribute( tokens[20] ) ) outputMessage.put(LogAction, unquoted_attribute(tokens[20]));
+ if( !empty_attribute( tokens[21] ) ) outputMessage.put(TimeLogged, tokens[21].trim());
+ if( !empty_attribute( tokens[22] ) ) outputMessage.put(SessionID, tokens[22].trim());
+ if( !empty_attribute( tokens[23] ) ) outputMessage.put(RepeatCount, tokens[23].trim());
+ if( !empty_attribute( tokens[24] ) ) outputMessage.put(SourcePort, tokens[24].trim());
+ if( !empty_attribute( tokens[25] ) ) outputMessage.put(DestinationPort, tokens[25].trim());
+ if( !empty_attribute( tokens[26] ) ) outputMessage.put(NATSourcePort, tokens[26].trim());
+ if( !empty_attribute( tokens[27] ) ) outputMessage.put(NATDestinationPort, tokens[27].trim());
+ if( !empty_attribute( tokens[28] ) ) outputMessage.put(Flags, tokens[28].trim());
+ if( !empty_attribute( tokens[29] ) ) outputMessage.put(IPProtocol, unquoted_attribute(tokens[29]));
+ if( !empty_attribute( tokens[30] ) ) outputMessage.put(Action, unquoted_attribute(tokens[30]));
if ("THREAT".equals(type.toUpperCase())) {
- outputMessage.put(URL, tokens[31].trim());
- try {
- URL url = new URL(tokens[31].trim());
- outputMessage.put(HOST, url.getHost());
- } catch (MalformedURLException e) {
+ int p1_offset = 0;
+ if (tokens.length == 45) parser_version = 60;
+ else if (tokens.length == 53) parser_version = 61;
+ else if (tokens.length == 61) {
+ parser_version = 70;
+ p1_offset = 1;
+ }
+ else if (tokens.length == 72) {
+ parser_version = 80;
+ p1_offset =1;
+ }
+ outputMessage.put(ParserVersion, parser_version);
+ if( !empty_attribute( tokens[31] ) ) {
+ outputMessage.put(URL, unquoted_attribute(tokens[31]));
+ try {
+ URL url = new URL(unquoted_attribute(tokens[31]));
+ outputMessage.put(HOST, url.getHost());
+ } catch (MalformedURLException e) {
+ }
+ }
+ if( !empty_attribute( tokens[32] ) ) outputMessage.put(ThreatID, tokens[32].trim());
+ if( !empty_attribute( tokens[33] ) ) outputMessage.put(Category, unquoted_attribute(tokens[33]));
+ if( !empty_attribute( tokens[34] ) ) outputMessage.put(Severity, unquoted_attribute(tokens[34]));
+ if( !empty_attribute( tokens[35] ) ) outputMessage.put(Direction, unquoted_attribute(tokens[35]));
+ if( !empty_attribute( tokens[36] ) ) outputMessage.put(Seqno, tokens[36].trim());
+ if( !empty_attribute( tokens[37] ) ) outputMessage.put(ActionFlags, unquoted_attribute(tokens[37]));
+ if( !empty_attribute( tokens[38] ) ) outputMessage.put(SourceLocation, unquoted_attribute(tokens[38]));
+ if( !empty_attribute( tokens[39] ) ) outputMessage.put(DestinationLocation, unquoted_attribute(tokens[39]));
+ if( !empty_attribute( tokens[41] ) ) outputMessage.put(ContentType, unquoted_attribute(tokens[41]));
+ if( !empty_attribute( tokens[42] ) ) outputMessage.put(PCAPID, tokens[42].trim());
+ if( !empty_attribute( tokens[43] ) ) outputMessage.put(WFFileDigest, unquoted_attribute(tokens[43]));
+ if( !empty_attribute( tokens[44] ) ) outputMessage.put(WFCloud, unquoted_attribute(tokens[44]));
+ if ( parser_version >= 61) {
+ if( !empty_attribute( tokens[(45 + p1_offset)] ) ) outputMessage.put(UserAgent, unquoted_attribute(tokens[(45 + p1_offset)]));
+ if( !empty_attribute( tokens[(46 + p1_offset)] ) ) outputMessage.put(WFFileType, unquoted_attribute(tokens[(46 + p1_offset)]));
+ if( !empty_attribute( tokens[(47 + p1_offset)] ) ) outputMessage.put(XForwardedFor, unquoted_attribute(tokens[(47 + p1_offset)]));
+ if( !empty_attribute( tokens[(48 + p1_offset)] ) ) outputMessage.put(Referer, unquoted_attribute(tokens[(48 + p1_offset)]));
+ if( !empty_attribute( tokens[(49 + p1_offset)] ) ) outputMessage.put(WFSender, unquoted_attribute(tokens[(49 + p1_offset)]));
+ if( !empty_attribute( tokens[(50 + p1_offset)] ) ) outputMessage.put(WFSubject, unquoted_attribute(tokens[(50 + p1_offset)]));
+ if( !empty_attribute( tokens[(51 + p1_offset)] ) ) outputMessage.put(WFRecipient, unquoted_attribute(tokens[(51 + p1_offset)]));
+ if( !empty_attribute( tokens[(52 + p1_offset)] ) ) outputMessage.put(WFReportID, unquoted_attribute(tokens[(52 + p1_offset)]));
+ }
+ if ( parser_version >= 70) {
+ if( !empty_attribute( tokens[45] ) ) outputMessage.put(URLIndex, tokens[45].trim());
+ if( !empty_attribute( tokens[54] ) ) outputMessage.put(DGH1, tokens[54].trim());
+ if( !empty_attribute( tokens[55] ) ) outputMessage.put(DGH2, tokens[55].trim());
+ if( !empty_attribute( tokens[56] ) ) outputMessage.put(DGH3, tokens[56].trim());
+ if( !empty_attribute( tokens[57] ) ) outputMessage.put(DGH4, tokens[57].trim());
+ if( !empty_attribute( tokens[58] ) ) outputMessage.put(VSYSName, unquoted_attribute(tokens[58]));
+ if( !empty_attribute( tokens[59] ) ) outputMessage.put(DeviceName, unquoted_attribute(tokens[59]));
+ }
+ if ( parser_version >= 80) {
+ if( !empty_attribute( tokens[61] ) ) outputMessage.put(SourceVmUuid, tokens[61].trim());
+ if( !empty_attribute( tokens[62] ) ) outputMessage.put(DestinationVmUuid, tokens[62].trim());
+ if( !empty_attribute( tokens[63] ) ) outputMessage.put(HTTPMethod, tokens[63].trim());
+ if( !empty_attribute( tokens[64] ) ) outputMessage.put(TunnelId, tokens[64].trim());
+ if( !empty_attribute( tokens[65] ) ) outputMessage.put(MonitorTag, tokens[65].trim());
+ if( !empty_attribute( tokens[66] ) ) outputMessage.put(ParentSessionId, tokens[66].trim());
+ if( !empty_attribute( tokens[67] ) ) outputMessage.put(ParentSessionStartTime, tokens[67].trim());
+ if( !empty_attribute( tokens[68] ) ) outputMessage.put(TunnelType, tokens[68].trim());
+ if( !empty_attribute( tokens[69] ) ) outputMessage.put(ThreatCategory, tokens[69].trim());
+ if( !empty_attribute( tokens[70] ) ) outputMessage.put(ContentVersion, tokens[70].trim());
+ }
+ if ( parser_version == 0) {
+ outputMessage.put(Tokens, tokens.length);
+ }
+
+
+ } else if ("TRAFFIC".equals(type.toUpperCase())) {
+ if (tokens.length == 46) parser_version = 60;
+ else if (tokens.length == 47) parser_version = 61;
+ else if (tokens.length == 54) parser_version = 70;
+ else if (tokens.length == 61) parser_version = 80;
+ outputMessage.put(ParserVersion, parser_version);
+ if( !empty_attribute( tokens[31] ) ) outputMessage.put(Bytes, tokens[31].trim());
+ if( !empty_attribute( tokens[32] ) ) outputMessage.put(BytesSent, tokens[32].trim());
+ if( !empty_attribute( tokens[33] ) ) outputMessage.put(BytesReceived, tokens[33].trim());
+ if( !empty_attribute( tokens[34] ) ) outputMessage.put(Packets, tokens[34].trim());
+ if( !empty_attribute( tokens[35] ) ) outputMessage.put(StartTime, tokens[35].trim());
+ if( !empty_attribute( tokens[36] ) ) outputMessage.put(ElapsedTimeInSec, tokens[36].trim());
+ if( !empty_attribute( tokens[37] ) ) outputMessage.put(Category, unquoted_attribute(tokens[37]));
+ if( !empty_attribute( tokens[39] ) ) outputMessage.put(Seqno, tokens[39].trim());
+ if( !empty_attribute( tokens[40] ) ) outputMessage.put(ActionFlags, unquoted_attribute(tokens[40]));
+ if( !empty_attribute( tokens[41] ) ) outputMessage.put(SourceLocation, unquoted_attribute(tokens[41]));
+ if( !empty_attribute( tokens[42] ) ) outputMessage.put(DestinationLocation, unquoted_attribute(tokens[42]));
+ if( !empty_attribute( tokens[44] ) ) outputMessage.put(PktsSent, tokens[44].trim());
+ if( !empty_attribute( tokens[45] ) ) outputMessage.put(PktsReceived, tokens[45].trim());
+ if ( parser_version >= 61) {
+ if( !empty_attribute( tokens[46] ) ) outputMessage.put(EndReason, unquoted_attribute(tokens[46]));
+ }
+ if ( parser_version >= 70) {
+ if( !empty_attribute( tokens[47] ) ) outputMessage.put(DGH1, tokens[47].trim());
+ if( !empty_attribute( tokens[48] ) ) outputMessage.put(DGH2, tokens[48].trim());
+ if( !empty_attribute( tokens[49] ) ) outputMessage.put(DGH3, tokens[49].trim());
+ if( !empty_attribute( tokens[50] ) ) outputMessage.put(DGH4, tokens[50].trim());
+ if( !empty_attribute( tokens[51] ) ) outputMessage.put(VSYSName, unquoted_attribute(tokens[51]));
+ if( !empty_attribute( tokens[52] ) ) outputMessage.put(DeviceName, unquoted_attribute(tokens[52]));
+ if( !empty_attribute( tokens[53] ) ) outputMessage.put(ActionSource, unquoted_attribute(tokens[53]));
+ }
+ if ( parser_version >= 80) {
+ if( !empty_attribute( tokens[54] ) ) outputMessage.put(SourceVmUuid, tokens[54].trim());
+ if( !empty_attribute( tokens[55] ) ) outputMessage.put(DestinationVmUuid, tokens[55].trim());
+ if( !empty_attribute( tokens[56] ) ) outputMessage.put(TunnelId, tokens[56].trim());
+ if( !empty_attribute( tokens[57] ) ) outputMessage.put(MonitorTag, tokens[57].trim());
+ if( !empty_attribute( tokens[58] ) ) outputMessage.put(ParentSessionId, tokens[58].trim());
+ if( !empty_attribute( tokens[59] ) ) outputMessage.put(ParentSessionStartTime, tokens[59].trim());
+ if( !empty_attribute( tokens[60] ) ) outputMessage.put(TunnelType, tokens[60].trim());
+ }
+ if ( parser_version == 0) {
+ outputMessage.put(Tokens, tokens.length);
}
- outputMessage.put(ThreatContentName, tokens[32].trim());
- outputMessage.put(Category, tokens[33].trim());
- outputMessage.put(Direction, tokens[34].trim());
- outputMessage.put(Seqno, tokens[35].trim());
- outputMessage.put(ActionFlags, tokens[36].trim());
- outputMessage.put(SourceCountry, tokens[37].trim());
- outputMessage.put(DestinationCountry, tokens[38].trim());
- outputMessage.put(Cpadding, tokens[39].trim());
- outputMessage.put(ContentType, tokens[40].trim());
-
- } else {
- outputMessage.put(Bytes, tokens[31].trim());
- outputMessage.put(BytesSent, tokens[32].trim());
- outputMessage.put(BytesReceived, tokens[33].trim());
- outputMessage.put(Packets, tokens[34].trim());
- outputMessage.put(StartTime, tokens[35].trim());
- outputMessage.put(ElapsedTimeInSec, tokens[36].trim());
- outputMessage.put(Category, tokens[37].trim());
- outputMessage.put(Padding, tokens[38].trim());
- outputMessage.put(Seqno, tokens[39].trim());
- outputMessage.put(ActionFlags, tokens[40].trim());
- outputMessage.put(SourceCountry, tokens[41].trim());
- outputMessage.put(DestinationCountry, tokens[42].trim());
- outputMessage.put(Cpadding, tokens[43].trim());
- outputMessage.put(PktsSent, tokens[44].trim());
- outputMessage.put(PktsReceived, tokens[45].trim());
}
}
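Review bot: parseMessage still reads tokens[0]..tokens[30] unconditionally, and the THREAT/TRAFFIC branches read up to tokens[44]/tokens[45] even when parser_version stays 0, so a truncated, malformed or non-PAN-OS line — which a syslog receiver can get from any host able to reach it — propagates an ArrayIndexOutOfBoundsException out of parseMessage; whether the caller turns that into a controlled parse failure is not visible in this hunk. A guard after the split, `if (tokens.length < 31) throw new IllegalArgumentException("Palo Alto message too short: " + tokens.length + " fields");`, with a matching minimum check in each type branch before the fixed-offset reads, would make the failure explicit rather than incidental. Separately, the quote-aware split regex is recompiled on every message; hoist it to `private static final Pattern FIELD_SPLIT = Pattern.compile(",(?=(?:[^\"]*\"[^\"]*\")*[^\"]*$)");` and document that its lookahead rescans to end-of-line for every comma and that a single unbalanced quote in a payload shifts every subsequent field. The empty `catch (MalformedURLException e)` drops the host field with no trace; logging it at debug with the offending value keeps the best-effort behaviour while making the data loss observable.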
http://git-wip-us.apache.org/repos/asf/metron/blob/5f08ba0b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/paloalto/BasicPaloAltoFirewallParserTest.java
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/paloalto/BasicPaloAltoFirewallParserTest.java b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/paloalto/BasicPaloAltoFirewallParserTest.java
index cf93c92..2c90b1e 100644
--- a/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/paloalto/BasicPaloAltoFirewallParserTest.java
+++ b/metron-platform/metron-parsers/src/test/java/org/apache/metron/parsers/paloalto/BasicPaloAltoFirewallParserTest.java
@@ -17,13 +17,11 @@
*/
package org.apache.metron.parsers.paloalto;
-import java.util.Map;
-import java.util.Map.Entry;
+import static org.junit.Assert.assertEquals;
+
import org.apache.metron.parsers.AbstractParserConfigTest;
import org.json.simple.JSONObject;
-import org.json.simple.parser.JSONParser;
import org.json.simple.parser.ParseException;
-import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
@@ -31,27 +29,482 @@ public class BasicPaloAltoFirewallParserTest extends AbstractParserConfigTest {
@Before
public void setUp() throws Exception {
- inputStrings = readTestDataFromFile(
- "src/test/resources/logData/PaloAltoFirewallParserTest.txt");
parser = new BasicPaloAltoFirewallParser();
}
- @SuppressWarnings({"rawtypes"})
+ public static final String THREAT_60 = "1,2015/01/05 05:38:58,0006C110285,THREAT,vulnerability,1,2015/01/05 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\"ad.aspx?f=300x250&id=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,";
+
+ @SuppressWarnings("unchecked")
+ @Test
+ public void testParseThreat60() throws ParseException {
+ JSONObject actual = parser.parse(THREAT_60.getBytes()).get(0);
+
+ JSONObject expected = new JSONObject();
+ expected.put(BasicPaloAltoFirewallParser.Action, "reset-both");
+ expected.put(BasicPaloAltoFirewallParser.ActionFlags, "0x0");
+ expected.put(BasicPaloAltoFirewallParser.Application, "web-browsing");
+ expected.put(BasicPaloAltoFirewallParser.Category, "any");
+
+ expected.put(BasicPaloAltoFirewallParser.ConfigVersion, "1");
+ expected.put(BasicPaloAltoFirewallParser.Direction, "client-to-server");
+ expected.put(BasicPaloAltoFirewallParser.DestinationLocation, "US");
+ expected.put(BasicPaloAltoFirewallParser.Flags, "0x80004000");
+ expected.put(BasicPaloAltoFirewallParser.SourceZone, "internal");
+ expected.put(BasicPaloAltoFirewallParser.InboundInterface, "ethernet1/2");
+ expected.put(BasicPaloAltoFirewallParser.DestinationAddress, "216.0.10.198");
+ expected.put(BasicPaloAltoFirewallParser.DestinationPort, "80");
+ expected.put(BasicPaloAltoFirewallParser.SourceAddress, "10.0.0.115");
+ expected.put(BasicPaloAltoFirewallParser.SourcePort, "54180");
+ expected.put(BasicPaloAltoFirewallParser.LogAction, "LOG-Default");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationPort, "0");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationIP, "0.0.0.0");
+ expected.put(BasicPaloAltoFirewallParser.NATSourcePort, "0");
+ expected.put(BasicPaloAltoFirewallParser.NATSourceIP, "0.0.0.0");
+ expected.put("original_string", THREAT_60);
+ expected.put(BasicPaloAltoFirewallParser.OutboundInterface, "ethernet1/1");
+ expected.put(BasicPaloAltoFirewallParser.PaloAltoDomain, "1");
+ expected.put(BasicPaloAltoFirewallParser.ParserVersion, 60);
+ expected.put(BasicPaloAltoFirewallParser.PCAPID, "1200568889751109656");
+ expected.put(BasicPaloAltoFirewallParser.IPProtocol, "tcp");
+ expected.put(BasicPaloAltoFirewallParser.ReceiveTime, "2015/01/05 05:38:58");
+ expected.put(BasicPaloAltoFirewallParser.RepeatCount, "1");
+ expected.put(BasicPaloAltoFirewallParser.Rule, "EX-Allow");
+ expected.put(BasicPaloAltoFirewallParser.Seqno, "347368099");
+ expected.put(BasicPaloAltoFirewallParser.SerialNum, "0006C110285");
+ expected.put(BasicPaloAltoFirewallParser.SessionID, "12031");
+ expected.put(BasicPaloAltoFirewallParser.Severity, "high");
+ expected.put(BasicPaloAltoFirewallParser.SourceLocation, "10.0.0.0-10.255.255.255");
+ expected.put(BasicPaloAltoFirewallParser.SourceUser, "example\\user.name");
+ expected.put(BasicPaloAltoFirewallParser.StartTime, "2015/01/05 05:38:58");
+ expected.put(BasicPaloAltoFirewallParser.ThreatContentType, "vulnerability");
+ expected.put(BasicPaloAltoFirewallParser.ThreatID, "HTTP: IIS Denial Of Service Attempt(40019)");
+ expected.put(BasicPaloAltoFirewallParser.GenerateTime, "2015/01/05 05:38:58");
+ expected.put("timestamp", actual.get("timestamp"));
+ expected.put(BasicPaloAltoFirewallParser.DestinationZone, "external");
+ expected.put(BasicPaloAltoFirewallParser.Type, "THREAT");
+ expected.put(BasicPaloAltoFirewallParser.URL, "ad.aspx?f=300x250&id=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9");
+ expected.put(BasicPaloAltoFirewallParser.VirtualSystem, "vsys1");
+ assertEquals(expected, actual);
+ }
+
+ public static final String TRAFFIC_60 = "1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.39,10.1.0.163,0.0.0.0,0.0.0.0,EX-Allow,,example\\\\user.name,ms-ds-smb,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,33760927,1,52688,445,0,0,0x401a,tcp,allow,2229,1287,942,10,2015/01/05 12:51:01,30,any,0,17754932062,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,";
+ @SuppressWarnings("unchecked")
+ @Test
+ public void testParseTraffic60() throws ParseException {
+ JSONObject actual = parser.parse(TRAFFIC_60.getBytes()).get(0);
+
+ JSONObject expected = new JSONObject();
+ expected.put(BasicPaloAltoFirewallParser.Action, "allow");
+ expected.put(BasicPaloAltoFirewallParser.ActionFlags, "0x0");
+ expected.put(BasicPaloAltoFirewallParser.Application, "ms-ds-smb");
+ expected.put(BasicPaloAltoFirewallParser.Bytes, "2229");
+ expected.put(BasicPaloAltoFirewallParser.BytesReceived, "942");
+ expected.put(BasicPaloAltoFirewallParser.BytesSent, "1287");
+ expected.put(BasicPaloAltoFirewallParser.Category, "any");
+ expected.put(BasicPaloAltoFirewallParser.ConfigVersion, "1");
+ expected.put(BasicPaloAltoFirewallParser.DestinationLocation, "10.0.0.0-10.255.255.255");
+ expected.put(BasicPaloAltoFirewallParser.DestinationUser, "example\\\\user.name");
+ expected.put(BasicPaloAltoFirewallParser.ElapsedTimeInSec, "30");
+ expected.put(BasicPaloAltoFirewallParser.Flags, "0x401a");
+ expected.put(BasicPaloAltoFirewallParser.SourceZone, "v_external");
+ expected.put(BasicPaloAltoFirewallParser.InboundInterface, "ethernet1/2");
+ expected.put(BasicPaloAltoFirewallParser.DestinationAddress, "10.1.0.163");
+ expected.put(BasicPaloAltoFirewallParser.DestinationPort, "445");
+ expected.put(BasicPaloAltoFirewallParser.SourceAddress, "10.0.0.39");
+ expected.put(BasicPaloAltoFirewallParser.SourcePort, "52688");
+ expected.put(BasicPaloAltoFirewallParser.LogAction, "LOG-Default");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationPort, "0");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationIP, "0.0.0.0");
+ expected.put(BasicPaloAltoFirewallParser.NATSourcePort, "0");
+ expected.put(BasicPaloAltoFirewallParser.NATSourceIP, "0.0.0.0");
+ expected.put("original_string", TRAFFIC_60);
+ expected.put(BasicPaloAltoFirewallParser.OutboundInterface, "ethernet1/1");
+ expected.put(BasicPaloAltoFirewallParser.Packets, "10");
+ expected.put(BasicPaloAltoFirewallParser.PaloAltoDomain, "1");
+ expected.put(BasicPaloAltoFirewallParser.ParserVersion, 60);
+ expected.put(BasicPaloAltoFirewallParser.PktsSent, "6");
+ expected.put(BasicPaloAltoFirewallParser.IPProtocol, "tcp");
+ expected.put(BasicPaloAltoFirewallParser.ReceiveTime, "2015/01/05 12:51:33");
+ expected.put(BasicPaloAltoFirewallParser.RepeatCount, "1");
+ expected.put(BasicPaloAltoFirewallParser.Rule, "EX-Allow");
+ expected.put(BasicPaloAltoFirewallParser.Seqno, "17754932062");
+ expected.put(BasicPaloAltoFirewallParser.SerialNum, "0011C103117");
+ expected.put(BasicPaloAltoFirewallParser.SessionID, "33760927");
+ expected.put(BasicPaloAltoFirewallParser.SourceLocation, "10.0.0.0-10.255.255.255");
+ expected.put(BasicPaloAltoFirewallParser.StartTime, "2015/01/05 12:51:01");
+ expected.put(BasicPaloAltoFirewallParser.ThreatContentType, "end");
+ expected.put(BasicPaloAltoFirewallParser.GenerateTime, "2015/01/05 12:51:33");
+ expected.put("timestamp", actual.get("timestamp"));
+ expected.put(BasicPaloAltoFirewallParser.DestinationZone, "v_internal");
+ expected.put(BasicPaloAltoFirewallParser.Type, "TRAFFIC");
+ expected.put(BasicPaloAltoFirewallParser.VirtualSystem, "vsys1");
+ assertEquals(expected, actual);
+ }
+
+ public static final String THREAT_70 = "1,2017/05/24 09:53:10,001801000001,THREAT,virus,0,2017/05/24 09:53:10,217.1.2.3,10.1.8.7,217.1.2.3,214.123.1.2,WLAN-Internet,,user,web-browsing,vsys1,Untrust,wifi_zone,ethernet1/1,vlan.1,Std-Log-Forward,2017/05/24 09:53:10,49567,1,80,51787,80,25025,0x400000,tcp,reset-both,\"abcdef310.exe\",Virus/Win32.WGeneric.lumeo(2457399),computer-and-internet-info,medium,server-to-client,329423829,0x0,DE,10.0.0.0-10.255.255.255,0,,0,,,1,,,\"\",\"\",,,,0,19,0,0,0,,PAN1,";
+ @SuppressWarnings("unchecked")
+ @Test
+ public void testParseThreat70() throws ParseException {
+ JSONObject actual = parser.parse(THREAT_70.getBytes()).get(0);
+
+ JSONObject expected = new JSONObject();
+ expected.put(BasicPaloAltoFirewallParser.Action, "reset-both");
+ expected.put(BasicPaloAltoFirewallParser.ActionFlags, "0x0");
+ expected.put(BasicPaloAltoFirewallParser.Application, "web-browsing");
+ expected.put(BasicPaloAltoFirewallParser.Category, "computer-and-internet-info");
+ expected.put(BasicPaloAltoFirewallParser.ConfigVersion, "0");
+ expected.put(BasicPaloAltoFirewallParser.Direction, "server-to-client");
+ expected.put(BasicPaloAltoFirewallParser.DestinationLocation, "10.0.0.0-10.255.255.255");
+ expected.put(BasicPaloAltoFirewallParser.DestinationUser, "user");
+ expected.put(BasicPaloAltoFirewallParser.Flags, "0x400000");
+ expected.put(BasicPaloAltoFirewallParser.SourceZone, "Untrust");
+ expected.put(BasicPaloAltoFirewallParser.InboundInterface, "ethernet1/1");
+ expected.put(BasicPaloAltoFirewallParser.DestinationAddress, "10.1.8.7");
+ expected.put(BasicPaloAltoFirewallParser.DestinationPort, "51787");
+ expected.put(BasicPaloAltoFirewallParser.SourceAddress, "217.1.2.3");
+ expected.put(BasicPaloAltoFirewallParser.SourcePort, "80");
+ expected.put(BasicPaloAltoFirewallParser.LogAction, "Std-Log-Forward");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationPort, "25025");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationIP, "214.123.1.2");
+ expected.put(BasicPaloAltoFirewallParser.NATSourcePort, "80");
+ expected.put(BasicPaloAltoFirewallParser.NATSourceIP, "217.1.2.3");
+ expected.put("original_string", THREAT_70);
+ expected.put(BasicPaloAltoFirewallParser.OutboundInterface, "vlan.1");
+ expected.put(BasicPaloAltoFirewallParser.PaloAltoDomain, "1");
+ expected.put(BasicPaloAltoFirewallParser.ParserVersion, 70);
+ expected.put(BasicPaloAltoFirewallParser.PCAPID, "0");
+ expected.put(BasicPaloAltoFirewallParser.IPProtocol, "tcp");
+ expected.put(BasicPaloAltoFirewallParser.ReceiveTime, "2017/05/24 09:53:10");
+ expected.put(BasicPaloAltoFirewallParser.RepeatCount, "1");
+ expected.put(BasicPaloAltoFirewallParser.Rule, "WLAN-Internet");
+ expected.put(BasicPaloAltoFirewallParser.Seqno, "329423829");
+ expected.put(BasicPaloAltoFirewallParser.SerialNum, "001801000001");
+ expected.put(BasicPaloAltoFirewallParser.SessionID, "49567");
+ expected.put(BasicPaloAltoFirewallParser.Severity, "medium");
+ expected.put(BasicPaloAltoFirewallParser.SourceLocation, "DE");
+ expected.put(BasicPaloAltoFirewallParser.StartTime, "2017/05/24 09:53:10");
+ expected.put(BasicPaloAltoFirewallParser.ThreatContentType, "virus");
+ expected.put(BasicPaloAltoFirewallParser.ThreatID, "Virus/Win32.WGeneric.lumeo(2457399)");
+ expected.put(BasicPaloAltoFirewallParser.GenerateTime, "2017/05/24 09:53:10");
+ expected.put("timestamp", actual.get("timestamp"));
+ expected.put(BasicPaloAltoFirewallParser.DestinationZone, "wifi_zone");
+ expected.put(BasicPaloAltoFirewallParser.Type, "THREAT");
+ expected.put(BasicPaloAltoFirewallParser.URL, "abcdef310.exe");
+ expected.put(BasicPaloAltoFirewallParser.VirtualSystem, "vsys1");
+ expected.put(BasicPaloAltoFirewallParser.URLIndex, "1");
+ expected.put(BasicPaloAltoFirewallParser.WFReportID, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH1, "19");
+ expected.put(BasicPaloAltoFirewallParser.DGH2, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH3, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH4, "0");
+ expected.put(BasicPaloAltoFirewallParser.DeviceName, "PAN1");
+ assertEquals(expected, actual);
+ }
+
+ public static final String TRAFFIC_70 = "1,2017/05/25 21:38:13,001606000003,TRAFFIC,drop,1,2017/05/25 21:38:13,10.2.1.8,192.168.1.10,0.0.0.0,0.0.0.0,DropLog,,,not-applicable,vsys1,intern,VPN,vlan.1,,Std-Log-Forward,2017/05/25 21:38:13,0,1,137,137,0,0,0x0,udp,deny,114,114,0,1,2017/05/25 21:38:12,0,any,0,9953744,0x0,192.168.0.0-192.168.255.255,DE,0,1,0,policy-deny,19,0,0,0,,PAN1,from-policy";
+ @SuppressWarnings("unchecked")
@Test
- public void testParse() throws ParseException {
- for (String inputString : inputStrings) {
- JSONObject parsed = parser.parse(inputString.getBytes()).get(0);
- Assert.assertNotNull(parsed);
+ public void testParseTraffic70() throws ParseException {
+ JSONObject actual = parser.parse(TRAFFIC_70.getBytes()).get(0);
- JSONParser parser = new JSONParser();
- Map json = (Map) parser.parse(parsed.toJSONString());
+ JSONObject expected = new JSONObject();
+ expected.put(BasicPaloAltoFirewallParser.Action, "deny");
+ expected.put(BasicPaloAltoFirewallParser.ActionFlags, "0x0");
+ expected.put(BasicPaloAltoFirewallParser.ActionSource, "from-policy");
+ expected.put(BasicPaloAltoFirewallParser.Application, "not-applicable");
+ expected.put(BasicPaloAltoFirewallParser.Bytes, "114");
+ expected.put(BasicPaloAltoFirewallParser.BytesReceived, "0");
+ expected.put(BasicPaloAltoFirewallParser.BytesSent, "114");
+ expected.put(BasicPaloAltoFirewallParser.Category, "any");
+ expected.put(BasicPaloAltoFirewallParser.ConfigVersion, "1");
+ expected.put(BasicPaloAltoFirewallParser.DestinationLocation, "DE");
+ expected.put(BasicPaloAltoFirewallParser.ElapsedTimeInSec, "0");
+ expected.put(BasicPaloAltoFirewallParser.Flags, "0x0");
+ expected.put(BasicPaloAltoFirewallParser.SourceZone, "intern");
+ expected.put(BasicPaloAltoFirewallParser.InboundInterface, "vlan.1");
+ expected.put(BasicPaloAltoFirewallParser.DestinationAddress, "192.168.1.10");
+ expected.put(BasicPaloAltoFirewallParser.DestinationPort, "137");
+ expected.put(BasicPaloAltoFirewallParser.SourceAddress, "10.2.1.8");
+ expected.put(BasicPaloAltoFirewallParser.SourcePort, "137");
+ expected.put(BasicPaloAltoFirewallParser.LogAction, "Std-Log-Forward");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationPort, "0");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationIP, "0.0.0.0");
+ expected.put(BasicPaloAltoFirewallParser.NATSourcePort, "0");
+ expected.put(BasicPaloAltoFirewallParser.NATSourceIP, "0.0.0.0");
+ expected.put("original_string", TRAFFIC_70);
+ expected.put(BasicPaloAltoFirewallParser.Packets, "1");
+ expected.put(BasicPaloAltoFirewallParser.PaloAltoDomain, "1");
+ expected.put(BasicPaloAltoFirewallParser.ParserVersion, 70);
+ expected.put(BasicPaloAltoFirewallParser.PktsReceived, "0");
+ expected.put(BasicPaloAltoFirewallParser.PktsSent, "1");
+ expected.put(BasicPaloAltoFirewallParser.IPProtocol, "udp");
+ expected.put(BasicPaloAltoFirewallParser.ReceiveTime, "2017/05/25 21:38:13");
+ expected.put(BasicPaloAltoFirewallParser.RepeatCount, "1");
+ expected.put(BasicPaloAltoFirewallParser.Rule, "DropLog");
+ expected.put(BasicPaloAltoFirewallParser.Seqno, "9953744");
+ expected.put(BasicPaloAltoFirewallParser.SerialNum, "001606000003");
+ expected.put(BasicPaloAltoFirewallParser.EndReason, "policy-deny");
+ expected.put(BasicPaloAltoFirewallParser.SessionID, "0");
+ expected.put(BasicPaloAltoFirewallParser.SourceLocation, "192.168.0.0-192.168.255.255");
+ expected.put(BasicPaloAltoFirewallParser.StartTime, "2017/05/25 21:38:12");
+ expected.put(BasicPaloAltoFirewallParser.ThreatContentType, "drop");
+ expected.put(BasicPaloAltoFirewallParser.GenerateTime, "2017/05/25 21:38:13");
+ expected.put("timestamp", actual.get("timestamp"));
+ expected.put(BasicPaloAltoFirewallParser.DestinationZone, "VPN");
+ expected.put(BasicPaloAltoFirewallParser.Type, "TRAFFIC");
+ expected.put(BasicPaloAltoFirewallParser.VirtualSystem, "vsys1");
+ expected.put(BasicPaloAltoFirewallParser.DGH1, "19");
+ expected.put(BasicPaloAltoFirewallParser.DGH2, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH3, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH4, "0");
+ expected.put(BasicPaloAltoFirewallParser.DeviceName, "PAN1");
+ assertEquals(expected, actual);
+ }
+
+ public static final String TRAFFIC_71 = "1,2017/05/31 23:59:57,0006C000005,TRAFFIC,drop,0,2017/05/31 23:59:57,185.94.1.1,201.1.4.5,0.0.0.0,0.0.0.0,DropLog,,,not-applicable,vsys1,untrust,untrust,vlan.1,,Standard-Syslog,2017/05/31 23:59:57,0,1,59836,123,0,0,0x0,udp,deny,60,60,0,1,2017/05/31 23:59:57,0,any,0,3433072193,0x0,RU,DE,0,1,0,policy-deny,16,11,0,0,,PAN1,from-policy";
+ @SuppressWarnings("unchecked")
+ @Test
+ public void testParseTraffic71() throws ParseException {
+ JSONObject actual = parser.parse(TRAFFIC_71.getBytes()).get(0);
+
+ JSONObject expected = new JSONObject();
+ expected.put(BasicPaloAltoFirewallParser.Action, "deny");
+ expected.put(BasicPaloAltoFirewallParser.ActionFlags, "0x0");
+ expected.put(BasicPaloAltoFirewallParser.ActionSource, "from-policy");
+ expected.put(BasicPaloAltoFirewallParser.Application, "not-applicable");
+ expected.put(BasicPaloAltoFirewallParser.Bytes, "60");
+ expected.put(BasicPaloAltoFirewallParser.BytesReceived, "0");
+ expected.put(BasicPaloAltoFirewallParser.BytesSent, "60");
+ expected.put(BasicPaloAltoFirewallParser.Category, "any");
+ expected.put(BasicPaloAltoFirewallParser.ConfigVersion, "0");
+ expected.put(BasicPaloAltoFirewallParser.DestinationLocation, "DE");
+ expected.put(BasicPaloAltoFirewallParser.ElapsedTimeInSec, "0");
+ expected.put(BasicPaloAltoFirewallParser.Flags, "0x0");
+ expected.put(BasicPaloAltoFirewallParser.SourceZone, "untrust");
+ expected.put(BasicPaloAltoFirewallParser.InboundInterface, "vlan.1");
+ expected.put(BasicPaloAltoFirewallParser.DestinationAddress, "201.1.4.5");
+ expected.put(BasicPaloAltoFirewallParser.DestinationPort, "123");
+ expected.put(BasicPaloAltoFirewallParser.SourceAddress, "185.94.1.1");
+ expected.put(BasicPaloAltoFirewallParser.SourcePort, "59836");
+ expected.put(BasicPaloAltoFirewallParser.LogAction, "Standard-Syslog");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationPort, "0");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationIP, "0.0.0.0");
+ expected.put(BasicPaloAltoFirewallParser.NATSourcePort, "0");
+ expected.put(BasicPaloAltoFirewallParser.NATSourceIP, "0.0.0.0");
+ expected.put("original_string", TRAFFIC_71);
+ expected.put(BasicPaloAltoFirewallParser.Packets, "1");
+ expected.put(BasicPaloAltoFirewallParser.PaloAltoDomain, "1");
+ expected.put(BasicPaloAltoFirewallParser.ParserVersion, 70);
+ expected.put(BasicPaloAltoFirewallParser.PktsReceived, "0");
+ expected.put(BasicPaloAltoFirewallParser.PktsSent, "1");
+ expected.put(BasicPaloAltoFirewallParser.IPProtocol, "udp");
+ expected.put(BasicPaloAltoFirewallParser.ReceiveTime, "2017/05/31 23:59:57");
+ expected.put(BasicPaloAltoFirewallParser.RepeatCount, "1");
+ expected.put(BasicPaloAltoFirewallParser.Rule, "DropLog");
+ expected.put(BasicPaloAltoFirewallParser.Seqno, "3433072193");
+ expected.put(BasicPaloAltoFirewallParser.SerialNum, "0006C000005");
+ expected.put(BasicPaloAltoFirewallParser.EndReason, "policy-deny");
+ expected.put(BasicPaloAltoFirewallParser.SessionID, "0");
+ expected.put(BasicPaloAltoFirewallParser.SourceLocation, "RU");
+ expected.put(BasicPaloAltoFirewallParser.StartTime, "2017/05/31 23:59:57");
+ expected.put(BasicPaloAltoFirewallParser.ThreatContentType, "drop");
+ expected.put(BasicPaloAltoFirewallParser.GenerateTime, "2017/05/31 23:59:57");
+ expected.put("timestamp", actual.get("timestamp"));
+ expected.put(BasicPaloAltoFirewallParser.DestinationZone, "untrust");
+ expected.put(BasicPaloAltoFirewallParser.Type, "TRAFFIC");
+ expected.put(BasicPaloAltoFirewallParser.VirtualSystem, "vsys1");
+ expected.put(BasicPaloAltoFirewallParser.DGH1, "16");
+ expected.put(BasicPaloAltoFirewallParser.DGH2, "11");
+ expected.put(BasicPaloAltoFirewallParser.DGH3, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH4, "0");
+ expected.put(BasicPaloAltoFirewallParser.DeviceName, "PAN1");
+ assertEquals(expected, actual);
+ }
+
+ public static final String THREAT_71 = "1,2017/05/25 19:31:13,0006C000005,THREAT,url,0,2017/05/25 19:31:13,192.168.1.7,140.177.26.29,201.1.4.5,140.177.26.29,ms_out,,,ssl,vsys1,mgmt,untrust,vlan.199,vlan.1,Standard-Syslog,2017/05/25 19:31:13,50556,1,56059,443,14810,443,0x40b000,tcp,alert,\"settings-win.data.microsoft.com/\",(9999),computer-and-internet-info,informational,client-to-server,10030265,0x0,192.168.0.0-192.168.255.255,IE,0,,0,,,0,,,,,,,,0,16,11,0,0,,PAN1,";
+ @SuppressWarnings("unchecked")
+ @Test
+ public void testParseThreat71() throws ParseException {
+ JSONObject actual = parser.parse(THREAT_71.getBytes()).get(0);
+
+ JSONObject expected = new JSONObject();
+ expected.put(BasicPaloAltoFirewallParser.Action, "alert");
+ expected.put(BasicPaloAltoFirewallParser.ActionFlags, "0x0");
+ expected.put(BasicPaloAltoFirewallParser.Application, "ssl");
+ expected.put(BasicPaloAltoFirewallParser.Category, "computer-and-internet-info");
+ expected.put(BasicPaloAltoFirewallParser.ConfigVersion, "0");
+ expected.put(BasicPaloAltoFirewallParser.Direction, "client-to-server");
+ expected.put(BasicPaloAltoFirewallParser.DestinationLocation, "IE");
+ expected.put(BasicPaloAltoFirewallParser.Flags, "0x40b000");
+ expected.put(BasicPaloAltoFirewallParser.SourceZone, "mgmt");
+ expected.put(BasicPaloAltoFirewallParser.InboundInterface, "vlan.199");
+ expected.put(BasicPaloAltoFirewallParser.DestinationAddress, "140.177.26.29");
+ expected.put(BasicPaloAltoFirewallParser.DestinationPort, "443");
+ expected.put(BasicPaloAltoFirewallParser.SourceAddress, "192.168.1.7");
+ expected.put(BasicPaloAltoFirewallParser.SourcePort, "56059");
+ expected.put(BasicPaloAltoFirewallParser.LogAction, "Standard-Syslog");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationPort, "443");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationIP, "140.177.26.29");
+ expected.put(BasicPaloAltoFirewallParser.NATSourcePort, "14810");
+ expected.put(BasicPaloAltoFirewallParser.NATSourceIP, "201.1.4.5");
+ expected.put("original_string", THREAT_71);
+ expected.put(BasicPaloAltoFirewallParser.OutboundInterface, "vlan.1");
+ expected.put(BasicPaloAltoFirewallParser.PaloAltoDomain, "1");
+ expected.put(BasicPaloAltoFirewallParser.ParserVersion, 70);
+ expected.put(BasicPaloAltoFirewallParser.PCAPID, "0");
+ expected.put(BasicPaloAltoFirewallParser.IPProtocol, "tcp");
+ expected.put(BasicPaloAltoFirewallParser.ReceiveTime, "2017/05/25 19:31:13");
+ expected.put(BasicPaloAltoFirewallParser.RepeatCount, "1");
+ expected.put(BasicPaloAltoFirewallParser.Rule, "ms_out");
+ expected.put(BasicPaloAltoFirewallParser.Seqno, "10030265");
+ expected.put(BasicPaloAltoFirewallParser.SerialNum, "0006C000005");
+ expected.put(BasicPaloAltoFirewallParser.SessionID, "50556");
+ expected.put(BasicPaloAltoFirewallParser.Severity, "informational");
+ expected.put(BasicPaloAltoFirewallParser.SourceLocation, "192.168.0.0-192.168.255.255");
+ expected.put(BasicPaloAltoFirewallParser.StartTime, "2017/05/25 19:31:13");
+ expected.put(BasicPaloAltoFirewallParser.ThreatContentType, "url");
+ expected.put(BasicPaloAltoFirewallParser.ThreatID, "(9999)");
+ expected.put(BasicPaloAltoFirewallParser.GenerateTime, "2017/05/25 19:31:13");
+ expected.put("timestamp", actual.get("timestamp"));
+ expected.put(BasicPaloAltoFirewallParser.DestinationZone, "untrust");
+ expected.put(BasicPaloAltoFirewallParser.Type, "THREAT");
+ expected.put(BasicPaloAltoFirewallParser.URL, "settings-win.data.microsoft.com/");
+ expected.put(BasicPaloAltoFirewallParser.VirtualSystem, "vsys1");
+ expected.put(BasicPaloAltoFirewallParser.URLIndex, "0");
+ expected.put(BasicPaloAltoFirewallParser.WFReportID, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH1, "16");
+ expected.put(BasicPaloAltoFirewallParser.DGH2, "11");
+ expected.put(BasicPaloAltoFirewallParser.DGH3, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH4, "0");
+ expected.put(BasicPaloAltoFirewallParser.DeviceName, "PAN1");
+ assertEquals(expected, actual);
+ }
+
+ public static final String THREAT_80 = "1,2018/02/01 21:29:03,001606000007,THREAT,vulnerability,1,2018/02/01 21:29:03,213.211.198.62,172.16.2.6,213.211.198.62,192.168.178.202,Outgoing,,,web-browsing,vsys1,internet,guest,ethernet1/1,ethernet1/2.2,test,2018/02/01 21:29:03,18720,1,80,53161,80,32812,0x402000,tcp,reset-server,\"www.eicar.org/download/eicar.com\",Eicar File Detected(39040),computer-and-internet-info,medium,server-to-client,27438839,0x0,Germany,172.16.0.0-172.31.255.255,0,,0,,,9,,,,,,,,0,0,0,0,0,,PAN1,,,,,0,,0,,N/A,code-execution,AppThreat-771-4450,0x0";
+ @SuppressWarnings("unchecked")
+ @Test
+ public void testParseThreat80() throws ParseException {
+ JSONObject actual = parser.parse(THREAT_80.getBytes()).get(0);
+
+ JSONObject expected = new JSONObject();
+ expected.put(BasicPaloAltoFirewallParser.Action, "reset-server");
+ expected.put(BasicPaloAltoFirewallParser.ActionFlags, "0x0");
+ expected.put(BasicPaloAltoFirewallParser.Application, "web-browsing");
+ expected.put(BasicPaloAltoFirewallParser.Category, "computer-and-internet-info");
+ expected.put(BasicPaloAltoFirewallParser.ConfigVersion, "1");
+ expected.put(BasicPaloAltoFirewallParser.ContentVersion, "AppThreat-771-4450");
+ expected.put(BasicPaloAltoFirewallParser.Direction, "server-to-client");
+ expected.put(BasicPaloAltoFirewallParser.DestinationLocation, "172.16.0.0-172.31.255.255");
+ expected.put(BasicPaloAltoFirewallParser.Flags, "0x402000");
+ expected.put(BasicPaloAltoFirewallParser.SourceZone, "internet");
+ expected.put(BasicPaloAltoFirewallParser.InboundInterface, "ethernet1/1");
+ expected.put(BasicPaloAltoFirewallParser.DestinationAddress, "172.16.2.6");
+ expected.put(BasicPaloAltoFirewallParser.DestinationPort, "53161");
+ expected.put(BasicPaloAltoFirewallParser.SourceAddress, "213.211.198.62");
+ expected.put(BasicPaloAltoFirewallParser.SourcePort, "80");
+ expected.put(BasicPaloAltoFirewallParser.LogAction, "test");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationPort, "32812");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationIP, "192.168.178.202");
+ expected.put(BasicPaloAltoFirewallParser.NATSourcePort, "80");
+ expected.put(BasicPaloAltoFirewallParser.NATSourceIP, "213.211.198.62");
+ expected.put("original_string", THREAT_80);
+ expected.put(BasicPaloAltoFirewallParser.OutboundInterface, "ethernet1/2.2");
+ expected.put(BasicPaloAltoFirewallParser.PaloAltoDomain, "1");
+ expected.put(BasicPaloAltoFirewallParser.ParentSessionId, "0");
+ expected.put(BasicPaloAltoFirewallParser.ParserVersion, 80);
+ expected.put(BasicPaloAltoFirewallParser.PCAPID, "0");
+ expected.put(BasicPaloAltoFirewallParser.IPProtocol, "tcp");
+ expected.put(BasicPaloAltoFirewallParser.ReceiveTime, "2018/02/01 21:29:03");
+ expected.put(BasicPaloAltoFirewallParser.RepeatCount, "1");
+ expected.put(BasicPaloAltoFirewallParser.Rule, "Outgoing");
+ expected.put(BasicPaloAltoFirewallParser.Seqno, "27438839");
+ expected.put(BasicPaloAltoFirewallParser.SerialNum, "001606000007");
+ expected.put(BasicPaloAltoFirewallParser.SessionID, "18720");
+ expected.put(BasicPaloAltoFirewallParser.Severity, "medium");
+ expected.put(BasicPaloAltoFirewallParser.SourceLocation, "Germany");
+ expected.put(BasicPaloAltoFirewallParser.StartTime, "2018/02/01 21:29:03");
+ expected.put(BasicPaloAltoFirewallParser.ThreatCategory, "code-execution");
+ expected.put(BasicPaloAltoFirewallParser.ThreatContentType, "vulnerability");
+ expected.put(BasicPaloAltoFirewallParser.ThreatID, "Eicar File Detected(39040)");
+ expected.put(BasicPaloAltoFirewallParser.GenerateTime, "2018/02/01 21:29:03");
+ expected.put("timestamp", actual.get("timestamp"));
+ expected.put(BasicPaloAltoFirewallParser.DestinationZone, "guest");
+ expected.put(BasicPaloAltoFirewallParser.TunnelId, "0");
+ expected.put(BasicPaloAltoFirewallParser.TunnelType, "N/A");
+ expected.put(BasicPaloAltoFirewallParser.Type, "THREAT");
+ expected.put(BasicPaloAltoFirewallParser.URL, "www.eicar.org/download/eicar.com");
+ expected.put(BasicPaloAltoFirewallParser.VirtualSystem, "vsys1");
+ expected.put(BasicPaloAltoFirewallParser.URLIndex, "9");
+ expected.put(BasicPaloAltoFirewallParser.WFReportID, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH1, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH2, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH3, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH4, "0");
+ expected.put(BasicPaloAltoFirewallParser.DeviceName, "PAN1");
+ assertEquals(expected, actual);
+ }
+
+ public static final String TRAFFIC_80 = "1,2018/02/01 21:24:11,001606000007,TRAFFIC,end,1,2018/02/01 21:24:11,172.16.2.31,134.19.6.22,192.168.18.2,134.19.6.22,Outgoing,,,ssl,vsys1,guest,internet,ethernet1/2.2,ethernet1/1,test,2018/02/01 21:24:11,19468,1,41537,443,12211,443,0x40001c,tcp,allow,7936,1731,6205,24,2018/02/01 21:00:42,1395,computer-and-internet-info,0,62977478,0x0,172.16.0.0-172.31.255.255,United States,0,14,10,tcp-rst-from-client,0,0,0,0,,PAN1,from-policy,,,0,,0,,N/A";
+ @SuppressWarnings("unchecked")
+ @Test
+ public void testParseTraffic80() throws ParseException {
+ JSONObject actual = parser.parse(TRAFFIC_80.getBytes()).get(0);
- for (Object o : json.entrySet()) {
- Entry entry = (Entry) o;
- String key = (String) entry.getKey();
- String value = json.get(key).toString();
- Assert.assertNotNull(value);
- }
- }
+ JSONObject expected = new JSONObject();
+ expected.put(BasicPaloAltoFirewallParser.Action, "allow");
+ expected.put(BasicPaloAltoFirewallParser.ActionFlags, "0x0");
+ expected.put(BasicPaloAltoFirewallParser.ActionSource, "from-policy");
+ expected.put(BasicPaloAltoFirewallParser.Application, "ssl");
+ expected.put(BasicPaloAltoFirewallParser.Bytes, "7936");
+ expected.put(BasicPaloAltoFirewallParser.BytesReceived, "6205");
+ expected.put(BasicPaloAltoFirewallParser.BytesSent, "1731");
+ expected.put(BasicPaloAltoFirewallParser.Category, "computer-and-internet-info");
+ expected.put(BasicPaloAltoFirewallParser.ConfigVersion, "1");
+ expected.put(BasicPaloAltoFirewallParser.DestinationLocation, "United States");
+ expected.put(BasicPaloAltoFirewallParser.ElapsedTimeInSec, "1395");
+ expected.put(BasicPaloAltoFirewallParser.Flags, "0x40001c");
+ expected.put(BasicPaloAltoFirewallParser.SourceZone, "guest");
+ expected.put(BasicPaloAltoFirewallParser.InboundInterface, "ethernet1/2.2");
+ expected.put(BasicPaloAltoFirewallParser.DestinationAddress, "134.19.6.22");
+ expected.put(BasicPaloAltoFirewallParser.DestinationPort, "443");
+ expected.put(BasicPaloAltoFirewallParser.SourceAddress, "172.16.2.31");
+ expected.put(BasicPaloAltoFirewallParser.SourcePort, "41537");
+ expected.put(BasicPaloAltoFirewallParser.LogAction, "test");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationPort, "443");
+ expected.put(BasicPaloAltoFirewallParser.NATDestinationIP, "134.19.6.22");
+ expected.put(BasicPaloAltoFirewallParser.NATSourcePort, "12211");
+ expected.put(BasicPaloAltoFirewallParser.NATSourceIP, "192.168.18.2");
+ expected.put("original_string", TRAFFIC_80);
+ expected.put(BasicPaloAltoFirewallParser.OutboundInterface, "ethernet1/1");
+ expected.put(BasicPaloAltoFirewallParser.Packets, "24");
+ expected.put(BasicPaloAltoFirewallParser.PaloAltoDomain, "1");
+ expected.put(BasicPaloAltoFirewallParser.ParentSessionId, "0");
+ expected.put(BasicPaloAltoFirewallParser.ParserVersion, 80);
+ expected.put(BasicPaloAltoFirewallParser.PktsReceived, "10");
+ expected.put(BasicPaloAltoFirewallParser.PktsSent, "14");
+ expected.put(BasicPaloAltoFirewallParser.IPProtocol, "tcp");
+ expected.put(BasicPaloAltoFirewallParser.ReceiveTime, "2018/02/01 21:24:11");
+ expected.put(BasicPaloAltoFirewallParser.RepeatCount, "1");
+ expected.put(BasicPaloAltoFirewallParser.Rule, "Outgoing");
+ expected.put(BasicPaloAltoFirewallParser.Seqno, "62977478");
+ expected.put(BasicPaloAltoFirewallParser.SerialNum, "001606000007");
+ expected.put(BasicPaloAltoFirewallParser.EndReason, "tcp-rst-from-client");
+ expected.put(BasicPaloAltoFirewallParser.SessionID, "19468");
+ expected.put(BasicPaloAltoFirewallParser.SourceLocation, "172.16.0.0-172.31.255.255");
+ expected.put(BasicPaloAltoFirewallParser.StartTime, "2018/02/01 21:00:42");
+ expected.put(BasicPaloAltoFirewallParser.ThreatContentType, "end");
+ expected.put(BasicPaloAltoFirewallParser.GenerateTime, "2018/02/01 21:24:11");
+ expected.put("timestamp", actual.get("timestamp"));
+ expected.put(BasicPaloAltoFirewallParser.DestinationZone, "internet");
+ expected.put(BasicPaloAltoFirewallParser.TunnelId, "0");
+ expected.put(BasicPaloAltoFirewallParser.TunnelType, "N/A");
+ expected.put(BasicPaloAltoFirewallParser.Type, "TRAFFIC");
+ expected.put(BasicPaloAltoFirewallParser.VirtualSystem, "vsys1");
+ expected.put(BasicPaloAltoFirewallParser.DGH1, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH2, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH3, "0");
+ expected.put(BasicPaloAltoFirewallParser.DGH4, "0");
+ expected.put(BasicPaloAltoFirewallParser.DeviceName, "PAN1");
+ assertEquals(expected, actual);
}
}
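Review bot: None of the new fixtures (THREAT_60, THREAT_70, THREAT_71, THREAT_80) places a comma inside a quoted field, so the condition METRON-941 is about — a comma in the payload shifting every later token — is not actually exercised by any of these tests, even though the quoted URL field is where it would occur. Add one case whose quoted URL carries a comma (constructed example: `\"ad.aspx?a=1,b=2\"`) and assert both `URL` equals `ad.aspx?a=1,b=2` and a field after it, such as `ThreatID`, still lands in the right slot. The line `expected.put("timestamp", actual.get("timestamp"));` repeated in every test makes the timestamp comparison vacuous; it should be checked against the epoch derived from the `GenerateTime` field, or at minimum `assertNotNull(actual.get("timestamp"))`. `parser.parse(THREAT_60.getBytes())` and its siblings use the platform default charset; `getBytes(StandardCharsets.UTF_8)` makes the test independent of the JVM's `file.encoding`. The enclosing test class opens outside this hunk.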
http://git-wip-us.apache.org/repos/asf/metron/blob/5f08ba0b/metron-platform/metron-parsers/src/test/resources/logData/PaloAltoFirewallParserTest.txt
----------------------------------------------------------------------
diff --git a/metron-platform/metron-parsers/src/test/resources/logData/PaloAltoFirewallParserTest.txt b/metron-platform/metron-parsers/src/test/resources/logData/PaloAltoFirewallParserTest.txt
deleted file mode 100644
index c58bcc8..0000000
--- a/metron-platform/metron-parsers/src/test/resources/logData/PaloAltoFirewallParserTest.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-<11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1,2015/01/05 05:38:58,0006C110285,THREAT,vulnerability,1,2015/01/05 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\"ad.aspx?f=300x250&id=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,
-<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.39,10.1.0.163,0.0.0.0,0.0.0.0,EX-Allow,,example\\user.name,ms-ds-smb,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,33760927,1,52688,445,0,0,0x401a,tcp,allow,2229,1287,942,10,2015/01/05 12:51:01,30,any,0,17754932062,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,6,4
\ No newline at end of file