metron-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James Sirota (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (METRON-172) Improve Palo Alto parser
Date Thu, 02 Jun 2016 05:32:59 GMT

     [ https://issues.apache.org/jira/browse/METRON-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

James Sirota updated METRON-172:
--------------------------------
    Labels: ParserExtension  (was: )

> Improve Palo Alto parser
> ------------------------
>
>                 Key: METRON-172
>                 URL: https://issues.apache.org/jira/browse/METRON-172
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Sunny Kumar
>            Priority: Minor
>              Labels: ParserExtension
>   Original Estimate: 72h
>  Remaining Estimate: 72h
>
> Enhance the Palo Alto basic parser to support additional fields and more configurations.
> Samples below:
> <11>Jan  5 05:38:59 PAN1.exampleCustomer.com 1,2015/01/05 05:38:58,0006C110285,THREAT,vulnerability,1,2015/01/05
05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05
05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\"ad.aspx?f=300x250&id=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\",HTTP:
IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,
> -----------------------------
> {"source.type":"paloalto","natDestinationIp":"0.0.0.0","threatId":"HTTP: IIS Denial Of
Service Attempt(40019)","virtualSystem":"vsys1","ipSrcPort":"54180","subject":"","type":"THREAT","deviceName":"","dstUserName":"","cloud":"","hostname":"PAN1.exampleCustomer.com","protocol":"tcp","original_string":"<11>Jan
 5 05:38:59 PAN1.exampleCustomer.com 1,2015\/01\/05 05:38:58,0006C110285,THREAT,vulnerability,1,2015\/01\/05
05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\\\user.name,,web-browsing,vsys1,internal,external,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05
05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\\\"ad.aspx?f=300x250&id=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\",HTTP:
IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,","egressInterface":"ethernet1\/1","action":"reset-both","ipSrcAddr":"10.0.0.115","contentType":"","repeatCount":"1","deviceGroupHierarchyLevel1":"","sequenceNumber":"347368099","pcapId":"1200568889751109656","deviceGroupHierarchyLevel3":"","serialNumber":"0006C110285","deviceGroupHierarchyLevel2":"","sourceZone":"internal","deviceGroupHierarchyLevel4":"","srcUserName":"example\\\\user.name","priority":"11","destinationZone":"external","sender":"","ipDstPort":"80","miscellaneous":"\\\"ad.aspx?f=300x250&id=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\"","flags":"0x80004000","destinationLocation":"US","fileDigest":"","urlIndex":"","generatedTime":"2015\/01\/05
05:38:58","ipDstAddr":"216.0.10.198","subtype":"vulnerability","futureUse":"1","ruleName":"EX-Allow","logForwardingProfile":"LOG-Default","timestamp":1451972339000,"direction":"client-to-server","severity":"high","futureUse3":"2015\/01\/05
05:38:58","reportId":"","futureUse2":"1","virtualSystemName":"","natDestinationPort":"0","userAgent":"","sessionId":"12031","ingressInterface":"ethernet1\/2","natSourceIp":"0.0.0.0","receiveTime":"2015\/01\/05
05:38:58","actionFlags":"0x0","referrer":"","natSourcePort":"0","application":"web-browsing","recipient":"","sourceLocation":"10.0.0.0-10.255.255.255","futureUse5":"","futureUse4":"0","xForwardedFor":"","category":"any","fileType":""}
> ###################
> <14>Jan  5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05
12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05
12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015/01/05 12:51:01,30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,14
> -------------------------------
> {"source.type":"paloalto","natDestinationIp":"0.0.0.0","virtualSystem":"vsys1","ipSrcPort":"54266","type":"TRAFFIC","deviceName":"","packets":"25","dstUserName":"","hostname":"PAN1.exampleCustomer.com","protocol":"tcp","original_string":"<14>Jan
 5 12:51:34 PAN1.exampleCustomer.com 1,2015\/01\/05 12:51:33,0011C103117,TRAFFIC,end,1,2015\/01\/05
12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05
12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015\/01\/05 12:51:01,30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,14","egressInterface":"ethernet1\/1","action":"allow","packetsSent":"11","ipSrcAddr":"10.0.0.53","repeatCount":"1","deviceGroupHierarchyLevel1":"","sequenceNumber":"17754932075","deviceGroupHierarchyLevel3":"","serialNumber":"0011C103117","deviceGroupHierarchyLevel2":"","sourceZone":"v_external","deviceGroupHierarchyLevel4":"","srcUserName":"","priority":"14","destinationZone":"v_internal","packetsReceived":"14","ipDstPort":"40004","flags":"0x401c","destinationLocation":"10.0.0.0-10.255.255.255","generatedTime":"2015\/01\/05
12:51:33","ipDstAddr":"10.1.0.174","subtype":"end","futureUse":"1","ruleName":"EX-EasyAV2","startTime":"2015\/01\/05
12:51:01","logForwardingProfile":"LOG-Default","timestamp":1451998294000,"futureUse3":"2015\/01\/05
12:51:33","futureUse2":"1","virtualSystemName":"","natDestinationPort":"0","sessionId":"33621086","bytesSent":"3299","ingressInterface":"ethernet1\/2","natSourceIp":"0.0.0.0","actionSource":"","receiveTime":"2015\/01\/05
12:51:33","actionFlags":"0x0","bytesReceived":"2026","natSourcePort":"0","application":"mssql-db","bytes":"5325","sourceLocation":"10.0.0.0-10.255.255.255","futureUse5":"0","futureUse4":"0","category":"any","elapsedTime":"30","sessionEndReason":""}
> ###################
> <14>Mar 24 18:36:14 PAN1.exampleCustomer.com 1,2016/03/24 18:36:14,003001112668,CONFIG,0,0,2016/03/24
18:36:14,10.255.255.255,,set,HarryPotter,Web,Succeeded, config mgt-config users HarryPotter
preferences saved-log-query traffic Change-Mar25,8071,0x0,0,0,0,0,,SUNKUPAN1
> -----------------------------
> {"source.type":"paloalto","virtualSystem":"","admin":"HarryPotter","type":"CONFIG","deviceName":"SUNKUPAN1","result":"Succeeded","generatedTime":"2016\/03\/24
18:36:14","hostname":"PAN1.exampleCustomer.com","original_string":"<14>Mar 24 18:36:14
PAN1.exampleCustomer.com 1,2016\/03\/24 18:36:14,003001112668,CONFIG,0,0,2016\/03\/24 18:36:14,10.255.255.255,,set,HarryPotter,Web,Succeeded,
config mgt-config users HarryPotter preferences saved-log-query traffic Change-Mar25,8071,0x0,0,0,0,0,,SUNKUPAN1","subtype":"0","host":"10.255.255.255","futureUse":"1","client":"Web","timestamp":1458844574000,"deviceGroupHierarchyLevel1":"0","sequenceNumber":"8071","deviceGroupHierarchyLevel3":"0","serialNumber":"003001112668","deviceGroupHierarchyLevel2":"0","futureUse2":"0","deviceGroupHierarchyLevel4":"0","virtualSystemName":"","priority":"14","command":"set","receiveTime":"2016\/03\/24
18:36:14","actionFlags":"0x0","configurationPath":" config mgt-config users HarryPotter preferences
saved-log-query traffic Change-Mar25"}
> ####################
> <14>Mar 25 00:00:56 PAN1.exampleCustomer.com 1,2016/03/25 00:00:56,003002112674,SYSTEM,general,0,2016/03/25
00:00:56,,general,,0,0,general,informational,User HarryPotter logged in via Web from 10.255.255.255
using http,156324,0x0,0,0,0,0,,SUNKUPAN1
> {"source.type":"paloalto","virtualSystem":"","description":"User HarryPotter logged in
via Web from 10.255.255.255 using http","type":"SYSTEM","deviceName":"SUNKUPAN1","generatedTime":"2016\/03\/25
00:00:56","hostname":"PAN1.exampleCustomer.com","original_string":"<14>Mar 25 00:00:56
PAN1.exampleCustomer.com 1,2016\/03\/25 00:00:56,003002112674,SYSTEM,general,0,2016\/03\/25
00:00:56,,general,,0,0,general,informational,User HarryPotter logged in via Web from 10.255.255.255
using http,156324,0x0,0,0,0,0,,SUNKUPAN1","subtype":"general","futureUse":"1","timestamp":1458864056000,"severity":"informational","deviceGroupHierarchyLevel1":"0","eventId":"general","sequenceNumber":"156324","deviceGroupHierarchyLevel3":"0","serialNumber":"003002112674","deviceGroupHierarchyLevel2":"0","futureUse3":"0","futureUse2":"0","deviceGroupHierarchyLevel4":"0","module":"general","virtualSystemName":"","priority":"14","receiveTime":"2016\/03\/25
00:00:56","actionFlags":"0x0","futureUse4":"0","object":""}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message