Merge pull request #30 from ZachChristensen28/dev

Version 1.3.2

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2019 Zach Christensen
+Copyright (c) 2020 Zach Christensen
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -4,17 +4,25 @@
 
  Info | Description
 ------|----------
-Version | 1.3.1 - See on [Splunkbase](https://splunkbase.splunk.com/app/4538/)
+Version | 1.3.2 - See on [Splunkbase](https://splunkbase.splunk.com/app/4538/)
 Vendor Product Version | [OPNsense 20.7](https://opnsense.org/)
 Add-on has a web UI | No. This add-on does not contain any views.
 
+**NEW:** Try the new [OPNsense App for Splunk](https://github.com/ZachChristensen28/Opnsense_App_for_Splunk)!
+
 The TA-opnsense Add-on allows Splunk data administrators to map the OPNsense firewall events to the [CIM](https://docs.splunk.com/Splexicon:CommonInformationModel) enabling the data to be used with other Splunk Apps, such as Enterprise Security.
 
 ```
-Version 1.3.1
+Version 1.3.2
+New
+- Added meta field for event length (opnsense_event_length)
+- Added sourcetype for Syslog-ng logs (opnsense:syslog)
+- Added action for "Redirect" if port forwarding logging rules exist
 
 Fix
-- fixed KV_MODE for opnsense:unbound sourcetype
+- Fixed "unknown" severity for opnsense:suricata:json events - issue #27
+- Fixed IGMP events not being extracted - issue #32
+- Fixed Access logs not being extracted - issue #35
 ```
 
 Contributors
@@ -175,6 +183,7 @@ Source type | Description | CIM Data Models
 `opnsense:suricata` `opnsense:suricata:json` | IDS events from suricata | [Intrusion Detection](https://docs.splunk.com/Documentation/CIM/latest/User/IntrusionDetection) [Network Traffic](https://docs.splunk.com/Documentation/CIM/latest/User/NetworkTraffic)
 `opnsense:squid` | Proxy events from Squid Proxy | [Web](https://docs.splunk.com/Documentation/CIM/latest/User/Web)
 `opnsense:unbound` | DNS events from Unbound DNS | [Network Resolution](https://docs.splunk.com/Documentation/CIM/latest/User/NetworkResolutionDNS)
+`opnsense:syslog` | Events from Syslog-ng |
 
 
 ## Bugs
@@ -183,6 +192,9 @@ Please open an issue at [github.com](https://github.com/ZachChristensen28/TA-opn
 ## Versions
 
 ```
+Version 1.3.1
+- fixed KV_MODE for opnsense:unbound sourcetype
+
 Version 1.3.0
 - Added compatibility for eve syslog format for Suricata events
 

app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "TA-opnsense",
-      "version": "1.3.1"
+      "version": "1.3.2"
     },
     "author": [
       {

default/app.conf

@@ -1,14 +1,17 @@
 #
 # Splunk app configuration file
 #
+[install]
+build = 2
+
 [ui]
 is_visible = 0
 label = OPNsense Add-on
 
 [launcher]
 author = Zach Christensen
 description = This Technology Add-on provides CIM compliant field extractions, eventtypes and tags for the OPNsense Firewall
-version = 1.3.1
+version = 1.3.2
 
 [package]
 id = TA-opnsense

default/eventtypes.conf

@@ -27,5 +27,8 @@ search = sourcetype=opnsense:access action IN(success,failure)
 [opnsense_dhcpd]
 search = sourcetype=opnsense:dhcpd
 
-[opnsense_openvpn]
+[opnsense_openvpn_auth]
 search = sourcetype=opnsense:openvpn user=* auth_method=*
+
+[opnsense_openvpn_sessions]
+search = sourcetype=opnsense:openvpn dest_ip=*

default/fields.conf

@@ -23,3 +23,6 @@ INDEXED_VALUE = false
 
 [ip_precedence]
 INDEXED_VALUE = false
+
+[opnsense_event_length]
+INDEXED = true

default/props.conf

@@ -6,17 +6,44 @@
 [opnsense]
 NO_BINARY_CHECK = true
 CHARSET         = UTF-8
-disabled        = false
 ANNOTATE_PUNCT  = false
 KV_MODE         = none
 #===========================================
 # SEDCMD: The below sed command normalizes a squid event with (squid-1): to squid:
 # This is to help the sourcetyper extract the sourcetype properly
 #===========================================
 SEDCMD-0opnsense_squid_cleaner  = s/(\(squid\S+)/squid:/g
-TRANSFORMS-opnsense_change_sourcetype = opnsense_sourcetype_filterlog,opnsense_sourcetype_dhcpd,opnsense_sourcetype_suricata_json,opnsense_sourcetype_suricata,opnsense_sourcetype_squid,opnsense_sourcetype_cron,opnsense_sourcetype_unbound,opnsense_sourcetype_lighttpd,opnsense_sourcetype_access,opnsense_sourcetype_openvpn
+TRANSFORMS-opnsense_change_sourcetype = opnsense_sourcetype_filterlog,opnsense_sourcetype_dhcpd,opnsense_sourcetype_suricata_json,opnsense_sourcetype_suricata,opnsense_sourcetype_squid,opnsense_sourcetype_cron,opnsense_sourcetype_unbound,opnsense_sourcetype_lighttpd,opnsense_sourcetype_access,opnsense_sourcetype_openvpn,opnsense_sourcetype_syslog
 TRANSFORMS-z_opnsense_make_suricata_json = opnsense_make_suricata_json
 
+[(::){0}opnsense*]
+TRANSFORMS-zzz_opnsense_length = opnsense_raw_length
+
+[opnsense:access]
+ANNOTATE_PUNCT                 = false
+KV_MODE                        = none
+REPORT-opnsense_access         = opnsense_access_extract
+EVAL-app                       = "opnsense_web_access"
+EVAL-action                    = case(match(signature, "(?i)Successful\s+login"), "success", match(signature, "(?i)authentication\s+error"), "failure")
+FIELDALIAS-opnsense_access_src = src_ip AS src
+
+[opnsense:cron]
+ANNOTATE_PUNCT            = false
+KV_MODE                   = none
+REPORT-opnsense_cron_main = opnsense_cron_main
+
+[opnsense:dhcpd]
+ANNOTATE_PUNCT                   = false
+KV_MODE                          = none
+REPORT-opnsense_dhcp_main        = opnsense_dhcp_main
+REPORT-opnsense_dhcp_discover    = opnsense_dhcp_discover
+REPORT-opnsense_dhcp_reuse_lease = opnsense_dhcp_reuse_lease
+FIELDALIAS-opnsense_dest_ip      = client_ip AS dest_ip
+FIELDALIAS-opnsense_dest_mac     = client_mac AS dest_mac
+FIELDALIAS-opnsense_nt_host      = client_name AS dest_nt_host
+FIELDALIAS-opnsense_signature    = vendor_event AS signature
+EVAL-vendor_product              = "opnsense_firewall"
+
 [opnsense:filterlog]
 ANNOTATE_PUNCT                           = false
 KV_MODE                                  = none
@@ -28,6 +55,7 @@ REPORT-opnsense_tcp_ipv4                 = opnsense_tcp_4, opnsense_vendor_tcp_f
 REPORT-opnsense_tcp_ipv6                 = opnsense_tcp_6, opnsense_vendor_tcp_flag, opnsense_vendor_options
 REPORT-opnsense_udp_ipv4                 = opnsense_udp_4
 REPORT-opnsense_udp_ipv6                 = opnsense_udp_6
+REPORT-opnsense_datalength               = opnsense_datalength
 EVAL-app                                 = "opnsense_filterlog"
 EVAL-bytes_in                            = if(vendor_direction=="in",'bytes',0)
 EVAL-bytes_out                           = if(vendor_direction=="out",'bytes',0)
@@ -42,16 +70,28 @@ LOOKUP-opnsense_filterlog_tcp_flags      = opnsense_filterlog_tcp_flags_lookup v
 LOOKUP-opnsense_filterlog_transport      = opnsense_transport_lookup vendor_transport OUTPUTNEW transport
 LOOKUP-opnsense_filterlog-tos            = opnsense_tos_lookup tos OUTPUTNEW dscp_class, ip_precedence
 
-[opnsense:dhcpd]
+[opnsense:lighttpd]
+ANNOTATE_PUNCT              = false
+KV_MODE                     = none
+REPORT-opnsense_lighttpd    = opnsense_lighttpd_extract
+EVAL-app                    = "opnsense_lighttpd"
+EVAL-http_user_agent_length = len(http_user_agent)
+EVAL-url_length             = len(url)
+FIELDALIAS-opnsense_src     = src_ip AS src
+FIELDALIAS-opnsense_dest    = dest_ip AS dest
+LOOKUP-opnsense_http_status = opnsense_http_status_lookup status OUTPUTNEW status_description
+
+[opnsense:openvpn]
 ANNOTATE_PUNCT                   = false
 KV_MODE                          = none
-REPORT-opnsense_dhcp_main        = opnsense_dhcp_main
-REPORT-opnsense_dhcp_discover    = opnsense_dhcp_discover
-REPORT-opnsense_dhcp_reuse_lease = opnsense_dhcp_reuse_lease
-FIELDALIAS-opnsense_dest_ip      = client_ip AS dest_ip
-FIELDALIAS-opnsense_dest_mac     = client_mac AS dest_mac
-FIELDALIAS-opnsense_nt_host      = client_name AS dest_nt_host
-FIELDALIAS-opnsense_signature    = vendor_event AS signature
+REPORT-opnsense_openvpn_auth     = opnsense_openvpn_auth
+REPORT-opnsense_openvpn_dest_ip  = opnsense_openvpn_destip
+REPORT-opnsense_openvpn_extract  = opnsense_openvpn_extract
+REPORT-opnsense_openvpn_src      = opnsense_openvpn_src
+FIELDALIAS-opnsense_openvpn_dest = auth_method AS dest
+FIELDALIAS-opnsense_openvpn_src  = src_ip AS src
+EVAL-action                      = case(isnotnull(user), "success", isnotnull(dest_ip), "success")
+EVAL-app                         = "opnsense_openvpn"
 EVAL-vendor_product              = "opnsense_firewall"
 
 [opnsense:suricata]
@@ -79,15 +119,29 @@ LOOKUP-opnsense_suricata_severity     = opnsense_suricata_severity_lookup severi
 LOOKUP-opnsense_suricata_transport    = opnsense_transport_lookup vendor_transport OUTPUTNEW transport
 
 [opnsense:suricata:json]
-KV_MODE                                = json
-EVAL-bytes                             = bytes_in + bytes_out
-EVAL-duration                          = round(_time - strptime('flow.start', "%Y-%m-%dT%H:%M:%S.%6N%z"),0)
-EVAL-packets                           = packets_in + packets_out
-EVAL-ids_type                          = "network"
-EVAL-transport                         = lower(proto)
-EVAL-vendor_product                    = "opnsense_firewall"
-FIELDALIAS-opnsense_suricata_json      = alert.action AS action, alert.category AS category, alert.severity AS severity_id, alert.signature AS signature, alert.signature_id AS signature_id, src_ip AS src, dest_ip AS dest, host AS dvc, app_proto AS app, flow.bytes_toclient AS bytes_in, flow.bytes_toserver AS bytes_out, flow.pkts_toclient AS packets_in, flow.pkts_toserver AS packets_out, in_iface AS src_interface
-LOOKUP-opnsense_suricata_json_severity = opnsense_suricata_severity_lookup severity_id OUTPUTNEW severity
+KV_MODE                                       = json
+EVAL-bytes                                    = bytes_in + bytes_out
+EVAL-duration                                 = round(_time - strptime('flow.start', "%Y-%m-%dT%H:%M:%S.%6N%z"),0)
+EVAL-packets                                  = packets_in + packets_out
+EVAL-ids_type                                 = "network"
+EVAL-transport                                = lower(proto)
+EVAL-vendor_product                           = "opnsense_firewall"
+FIELDALIAS-opnsense_suricatajson_action       = alert.action AS action
+FIELDALIAS-opnsense_suricatajson_app          = app_proto AS app
+FIELDALIAS-opnsense_suricatajson_bytesin      = flow.bytes_toclient AS bytes_in
+FIELDALIAS-opnsense_suricatajson_bytesout     = flow.bytes_toserver AS bytes_out
+FIELDALIAS-opnsense_suricatajson_category     = alert.category AS category
+FIELDALIAS-opnsense_suricatajson_dest         = dest_ip AS dest
+FIELDALIAS-opnsense_suricatajson_dvc          = host AS dvc
+FIELDALIAS-opnsense_suricatajson_packetsin    = flow.pkts_toclient AS packets_in
+FIELDALIAS-opnsense_suricatajson_packetsout   = flow.pkts_toserver AS packets_out
+FIELDALIAS-opnsense_suricatajson_severity_id  = alert.severity AS severity_id
+FIELDALIAS-opnsense_suricatajson_signature    = alert.signature AS signature
+FIELDALIAS-opnsense_suricatajson_signature_id = alert.signature_id AS signature_id
+FIELDALIAS-opnsense_suricatajson_src          = src_ip AS src
+FIELDALIAS-opnsense_suricatajson_srcinterface = in_iface AS src_interface
+EVAL-severity_id                              = mvdedup(severity_id)
+LOOKUP-opnsense_suricata_json_severity        = opnsense_suricata_severity_lookup severity_id OUTPUTNEW severity
 
 [opnsense:squid]
 ANNOTATE_PUNCT                = false
@@ -107,10 +161,10 @@ FIELDALIAS-opnsense_squid_src = src_ip AS src
 LOOKUP-opnsense_squid_action  = opnsense_squid_action_lookup vendor_action OUTPUTNEW action
 LOOKUP-opnsense_squid_status  = opnsense_squid_status_lookup status OUTPUTNEW status_description
 
-[opnsense:cron]
-ANNOTATE_PUNCT            = false
-KV_MODE                   = none
-REPORT-opnsense_cron_main = opnsense_cron_main
+[opnsense:syslog]
+ANNOTATE_PUNCT         = false
+KV_MODE                = none
+REPORT-opnsense_syslog = opnsense_syslog_extractions, opnsense_kv_syslog
 
 [opnsense:unbound]
 ANNOTATE_PUNCT                = false
@@ -119,31 +173,3 @@ REPORT-opnsense_unbound_query = opnsense_unbound_query
 EVAL-app                      = "opnsense_unbound_resolver"
 EVAL-message_type             = "Query"
 EVAL-vendor_product           = "opnsense_firewall"
-
-[opnsense:lighttpd]
-ANNOTATE_PUNCT              = false
-KV_MODE                     = none
-REPORT-opnsense_lighttpd    = opnsense_lighttpd_extract
-EVAL-app                    = "opnsense_lighttpd"
-EVAL-http_user_agent_length = len(http_user_agent)
-EVAL-url_length             = len(url)
-FIELDALIAS-opnsense_src     = src_ip AS src
-FIELDALIAS-opnsense_dest    = dest_ip AS dest
-LOOKUP-opnsense_http_status = opnsense_http_status_lookup status OUTPUTNEW status_description
-
-[opnsense:access]
-ANNOTATE_PUNCT                 = false
-KV_MODE                        = none
-REPORT-opnsense_access         = opnsense_access_extract
-EVAL-app                       = "opnsense_web_access"
-EVAL-action                    = case(match(signature, "Successful\s+login"), "success", match(signature, "authentication\s+error"), "failure", true(), "unknown")
-FIELDALIAS-opnsense_access_src = src_ip AS src
-
-[opnsense:openvpn]
-ANNOTATE_PUNCT                   = false
-KV_MODE                          = none
-REPORT-opnsense_openvpn          = opnsense_openvpn_extract
-REPORT-opnsense_openvpn_src      = opnsense_openvpn_src
-EVAL-action                      = case(isnotnull(user), "success", true(), null())
-EVAL-app                         = "opnsense_openvpn"
-FIELDALIAS-opnsense_openvpn_dest = auth_method AS dest

default/tags.conf

@@ -35,5 +35,11 @@ network = enabled
 session = enabled
 dhcp    = enabled
 
-[eventtype=opnsense_openvpn]
+[eventtype=opnsense_openvpn_auth]
 authentication = enabled
+
+[eventtype=opnsense_openvpn_sessions]
+vpn     = enabled
+start   = enabled
+network = enabled
+session = enabled