From aa7776748715aa66e487bb8584a1e23fba29a722 Mon Sep 17 00:00:00 2001
From: Simon Schneider
Date: Tue, 26 May 2026 15:10:32 +0200
Subject: [PATCH] Fix juniper srx syslog parsing
---
 packages/juniper_srx/changelog.yml | 5 +
 .../log/_dev/test/pipeline/test-atp.log | 2 +
 .../test/pipeline/test-atp.log-expected.json | 171 +++++++++++
 .../log/_dev/test/pipeline/test-flow.log | 2 +
 .../test/pipeline/test-flow.log-expected.json | 274 ++++++++++++++++++
 .../log/_dev/test/pipeline/test-idp.log | 2 +
 .../test/pipeline/test-idp.log-expected.json | 220 ++++++++++++++
 .../log/_dev/test/pipeline/test-ids.log | 2 +
 .../test/pipeline/test-ids.log-expected.json | 147 ++++++++++
 .../log/_dev/test/pipeline/test-secintel.log | 1 +
 .../pipeline/test-secintel.log-expected.json | 115 ++++++++
 .../log/_dev/test/pipeline/test-system.log | 1 +
 .../pipeline/test-system.log-expected.json | 36 +++
 .../log/_dev/test/pipeline/test-utm.log | 1 +
 .../test/pipeline/test-utm.log-expected.json | 87 ++++++
 .../elasticsearch/ingest_pipeline/default.yml | 2 +-
 packages/juniper_srx/manifest.yml | 2 +-
 17 files changed, 1068 insertions(+), 2 deletions(-)
diff --git a/packages/juniper_srx/changelog.yml b/packages/juniper_srx/changelog.yml
index fe59cb438c4..ca25ce6591a 100644
--- a/packages/juniper_srx/changelog.yml
+++ b/packages/juniper_srx/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.27.2"
+ changes:
+ - description: Fix Syslog Parsing without syslog version
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/19209
 - version: "1.27.1"
 changes:
 - description: Remove top level note from docs
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log
index fb82adabaf4..0aad826fffe 100644
--- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log
@@ -2,3 +2,5 @@
 <14>1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" sample-sha256="ABC123" client-ip="192.168.2.0" verdict-number="9" malware-info="Eicar:TestVirus" username="admin" hostname="host.example.com"]
 <11>1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" client-ip="192.168.2.0" hostname="host.example.com" status="in_progress" policy-name="default" th="7" state="added" reason="malware" message="malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123"]
 <165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@67.43.156.15 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="67.43.156.15" source-port="60148" destination-address="67.43.156.15" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"]
+<11> 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" client-ip="192.168.2.0" hostname="host.example.com" status="in_progress" policy-name="default" th="7" state="added" reason="malware" message="malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123"]
+<165> 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@67.43.156.15 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="67.43.156.15" source-port="60148" destination-address="67.43.156.15" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"]
\ No newline at end of file
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log-expected.json b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log-expected.json
index eefd7af1de3..014e05b7d54 100644
--- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log-expected.json
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-atp.log-expected.json
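Review bot: The two added fixture lines cover only one no-version header shape, a PRI followed by a space and then the RFC 5424 timestamp (`<11> 2016-09-20T10:40:30.050-07:00 ...`); apart from the dropped `1` they are byte-for-byte copies of lines 2 and 3, so that single shape is all the regression pins. The pipeline change in default.yml is not in this chunk, so whether it also accepts a PRI with no separator before the timestamp cannot be checked here; if it does, one fixture line per accepted shape would keep that path covered too. The new last line is also written without a trailing newline (`\ No newline at end of file`), which the old file had; the same applies to the flow, idp and ids fixture hunks.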
@@ -341,6 +341,177 @@
 "tags": [
 "preserve_original_event"
 ]
+ },
+ {
+ "@timestamp": "2016-09-20T17:40:30.050Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "category": [
+ "network",
+ "malware"
+ ],
+ "kind": "alert",
+ "original": "<11> 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.168.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"]",
+ "outcome": "success",
+ "severity": 11,
+ "type": [
+ "allowed",
+ "connection"
+ ]
+ },
+ "juniper": {
+ "srx": {
+ "message": "malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123",
+ "policy_name": "default",
+ "process": "RT_AAMW",
+ "reason": "malware",
+ "state": "added",
+ "status": "in_progress",
+ "tag": "AAMW_HOST_INFECTED_EVENT_LOG",
+ "tenant_id": "ABC123456",
+ "th": "7",
+ "timestamp": "2016-06-23T09:55:38.000Z"
+ }
+ },
+ "log": {
+ "level": "error"
+ },
+ "observer": {
+ "name": "host-example",
+ "product": "SRX",
+ "type": "firewall",
+ "vendor": "Juniper"
+ },
+ "process": {
+ "name": "RT_AAMW"
+ },
+ "related": {
+ "hosts": [
+ "host.example.com"
+ ],
+ "ip": [
+ "192.168.2.0"
+ ]
+ },
+ "source": {
+ "domain": "host.example.com",
+ "ip": "192.168.2.0"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2007-02-15T09:17:15.719Z",
+ "client": {
+ "ip": "67.43.156.15",
+ "port": 60148
+ },
+ "destination": {
+ "as": {
+ "number": 35908
+ },
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.15",
+ "port": 80
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "original": "<165> 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@67.43.156.15 hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"67.43.156.15\" source-port=\"60148\" destination-address=\"67.43.156.15\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"]",
+ "outcome": "success",
+ "severity": 165,
+ "type": [
+ "allowed",
+ "connection"
+ ]
+ },
+ "juniper": {
+ "srx": {
+ "action": "PERMIT",
+ "application": "HTTP",
+ "file_category": "executable",
+ "file_hash_lookup": "FALSE",
+ "file_name": "dummy_file",
+ "malware_info": "Testfile",
+ "policy_name": "test-policy",
+ "process": "RT_AAMW",
+ "sample_sha256": "e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494",
+ "session_id_32": "502156",
+ "tag": "AAMW_ACTION_LOG",
+ "url": "dummy_url",
+ "verdict_number": "10"
+ }
+ },
+ "log": {
+ "level": "notification"
+ },
+ "network": {
+ "iana_number": "6",
+ "transport": "tcp"
+ },
+ "observer": {
+ "egress": {
+ "zone": "Outside"
+ },
+ "ingress": {
+ "zone": "Inside"
+ },
+ "name": "aamw1",
+ "product": "SRX",
+ "type": "firewall",
+ "vendor": "Juniper"
+ },
+ "process": {
+ "name": "RT_AAMW"
+ },
+ "related": {
+ "hosts": [
+ "dummy_host"
+ ],
+ "ip": [
+ "67.43.156.15"
+ ]
+ },
+ "server": {
+ "ip": "67.43.156.15",
+ "port": 80
+ },
+ "source": {
+ "as": {
+ "number": 35908
+ },
+ "domain": "dummy_host",
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.15",
+ "port": 60148
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 }
 ]
 }
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log
index d1fa53d81e6..a46d5696afd 100644
--- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log
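Review bot: The new expected documents pin `"severity": 11` and `"severity": 165`, i.e. the whole syslog PRI (facility and severity combined), while `log.level` in the same documents (`error`, `notification`) reflects only the severity part, PRI mod 8. This is presumably the existing pipeline's mapping rather than something this change introduces, but these fixtures now lock it in for the no-version header path as well, so if `event.severity` is meant to carry the syslog severity for alerting, the mapping is worth confirming before the expected files are regenerated. The flow, idp and ids expected hunks pin the same pattern (14 and 165).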
@@ -27,3 +27,5 @@
 <14>1 2023-01-31T12:41:27.457Z vSRX RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [source-address="10.1.1.100" source-port="38128" destination-address="67.43.156.15" destination-port="443" service-name="junos-https" application="SSL" nested-application="UNKNOWN" nat-source-address="192.168.222.164" nat-source-port="25257" nat-destination-address="67.43.156.15" nat-destination-port="443" src-nat-rule-name="snat" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id="298" packets-from-client="1573" bytes-from-client="92063" packets-from-server="2887" bytes-from-server="5007812" elapsed-time="60" username="N/A" roles="N/A" encrypted="No" destination-interface-name="ge-0/0/0.0" category="Infrastructure" sub-category="Encryption" src-vrf-grp="N/A" dst-vrf-grp="N/A" dscp-value="N/A" apbr-rule-type="N/A"]
 <14>1 2023-01-31T12:42:18.657Z vSRX RT_FLOW - RT_FLOW_SESSION_CLOSE [reason="TCP CLIENT RST" source-address="10.1.1.100" source-port="38128" destination-address="67.43.156.15" destination-port="443" connection-tag="0" service-name="junos-https" nat-source-address="192.168.222.164" nat-source-port="25257" nat-destination-address="67.43.156.15" nat-destination-port="443" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="snat" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id="298" packets-from-client="2865" bytes-from-client="166523" packets-from-server="5233" bytes-from-server="9075604" elapsed-time="110" application="SSL" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" encrypted="No" application-category="Infrastructure" application-sub-category="Encryption" application-risk="4" application-characteristics="Capable of Tunneling;" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="0.0.0.0" peer-source-port="0" peer-destination-address="0.0.0.0" peer-destination-port="0" hostname="NA NA" src-vrf-grp="N/A" dst-vrf-grp="N/A" tunnel-inspection="Off" tunnel-inspection-policy-set="root" session-flag="0" source-tenant="N/A" destination-service="N/A"]
 <14>1 2023-01-31T12:42:18.657Z vSRX RT_FLOW - APPTRACK_SESSION_CLOSE [reason="TCP CLIENT RST" source-address="10.1.1.100" source-port="38128" destination-address="67.43.156.15" destination-port="443" service-name="junos-https" application="SSL" nested-application="UNKNOWN" nat-source-address="192.168.222.164" nat-source-port="25257" nat-destination-address="67.43.156.15" nat-destination-port="443" src-nat-rule-name="snat" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id="298" packets-from-client="2865" bytes-from-client="166523" packets-from-server="5233" bytes-from-server="9075604" elapsed-time="110" username="N/A" roles="N/A" encrypted="No" profile-name="N/A" rule-name="N/A" routing-instance="default" destination-interface-name="ge-0/0/0.0" uplink-incoming-interface-name="N/A" uplink-tx-bytes="0" uplink-rx-bytes="0" category="Infrastructure" sub-category="Encryption" apbr-policy-name="N/A" multipath-rule-name="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" dscp-value="N/A" apbr-rule-type="N/A"]
+<14> 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@67.43.156.15 reason="TCP CLIENT RST" source-address="67.43.156.14" source-port="48873" destination-address="67.43.156.15" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="67.43.156.14" nat-source-port="48873" nat-destination-address="67.43.156.15" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”]
+<14> 2023-01-31T12:42:18.657Z vSRX RT_FLOW - APPTRACK_SESSION_CLOSE [reason="TCP CLIENT RST" source-address="10.1.1.100" source-port="38128" destination-address="67.43.156.15" destination-port="443" service-name="junos-https" application="SSL" nested-application="UNKNOWN" nat-source-address="192.168.222.164" nat-source-port="25257" nat-destination-address="67.43.156.15" nat-destination-port="443" src-nat-rule-name="snat" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id="298" packets-from-client="2865" bytes-from-client="166523" packets-from-server="5233" bytes-from-server="9075604" elapsed-time="110" username="N/A" roles="N/A" encrypted="No" profile-name="N/A" rule-name="N/A" routing-instance="default" destination-interface-name="ge-0/0/0.0" uplink-incoming-interface-name="N/A" uplink-tx-bytes="0" uplink-rx-bytes="0" category="Infrastructure" sub-category="Encryption" apbr-policy-name="N/A" multipath-rule-name="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" dscp-value="N/A" apbr-rule-type="N/A"]
\ No newline at end of file
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log-expected.json b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log-expected.json
index b2c7fc1e7a1..cf3bd11c68b 100644
--- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log-expected.json
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-flow.log-expected.json
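Review bot: The added APPTRACK_SESSION_CLOSE_LS line ends with Unicode curly quotes, `destination-interface-name=”st0.0” apbr-rule-type=”default”`, and the expected output in the next hunk shows them surviving into field values: `"apbr_rule_type": "”default”"` and `observer.egress.interface.name` pinned as `”st0.0”`. If the line was copied from an existing fixture that already carries these characters the defect predates this change, but a freshly added fixture is the place to correct it: write `destination-interface-name="st0.0" apbr-rule-type="default"` and regenerate the expected file so the values are pinned as `st0.0` and `default`. The other added line in this hunk and the idp and ids fixture hunks use ASCII quotes throughout.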
@@ -3591,6 +3591,280 @@
 "tags": [
 "preserve_original_event"
 ]
+ },
+ {
+ "@timestamp": "2020-01-19T15:18:20.040Z",
+ "client": {
+ "bytes": 392,
+ "ip": "67.43.156.14",
+ "nat": {
+ "port": 48873
+ },
+ "packets": 5,
+ "port": 48873
+ },
+ "destination": {
+ "as": {
+ "number": 35908
+ },
+ "bytes": 646,
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.15",
+ "nat": {
+ "ip": "67.43.156.15",
+ "port": 80
+ },
+ "packets": 3,
+ "port": 80
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "flow_close",
+ "category": [
+ "network"
+ ],
+ "duration": 3000000000,
+ "end": "2020-01-19T15:18:23.040Z",
+ "kind": "event",
+ "original": "<14> 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@67.43.156.15 reason=\"TCP CLIENT RST\" source-address=\"67.43.156.14\" source-port=\"48873\" destination-address=\"67.43.156.15\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"67.43.156.14\" nat-source-port=\"48873\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]",
+ "outcome": "success",
+ "severity": 14,
+ "start": "2020-01-19T15:18:20.040Z",
+ "type": [
+ "end",
+ "allowed",
+ "connection"
+ ]
+ },
+ "juniper": {
+ "srx": {
+ "apbr_rule_type": "”default”",
+ "encrypted": "No",
+ "process": "RT_FLOW",
+ "reason": "TCP CLIENT RST",
+ "roles": "DEPT1",
+ "service_name": "junos-http",
+ "session_id_32": "32",
+ "tag": "APPTRACK_SESSION_CLOSE_LS"
+ }
+ },
+ "log": {
+ "level": "informational"
+ },
+ "network": {
+ "bytes": 1038,
+ "iana_number": "6",
+ "packets": 8,
+ "transport": "tcp"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "”st0.0”"
+ },
+ "zone": "untrust"
+ },
+ "ingress": {
+ "zone": "trust"
+ },
+ "name": "SRX100HM",
+ "product": "SRX",
+ "type": "firewall",
+ "vendor": "Juniper"
+ },
+ "process": {
+ "name": "RT_FLOW"
+ },
+ "related": {
+ "ip": [
+ "67.43.156.14",
+ "67.43.156.15"
+ ],
+ "user": [
+ "user1"
+ ]
+ },
+ "rule": {
+ "name": "permit-all"
+ },
+ "server": {
+ "bytes": 646,
+ "ip": "67.43.156.15",
+ "nat": {
+ "port": 80
+ },
+ "packets": 3,
+ "port": 80
+ },
+ "source": {
+ "as": {
+ "number": 35908
+ },
+ "bytes": 392,
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.14",
+ "nat": {
+ "ip": "67.43.156.14",
+ "port": 48873
+ },
+ "packets": 5,
+ "port": 48873,
+ "user": {
+ "name": "user1"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2023-01-31T12:42:18.657Z",
+ "client": {
+ "bytes": 166523,
+ "ip": "10.1.1.100",
+ "nat": {
+ "port": 25257
+ },
+ "packets": 2865,
+ "port": 38128
+ },
+ "destination": {
+ "as": {
+ "number": 35908
+ },
+ "bytes": 9075604,
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.15",
+ "nat": {
+ "ip": "67.43.156.15",
+ "port": 443
+ },
+ "packets": 5233,
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "flow_close",
+ "category": [
+ "network"
+ ],
+ "duration": 110000000000,
+ "end": "2023-01-31T12:44:08.657Z",
+ "kind": "event",
+ "original": "<14> 2023-01-31T12:42:18.657Z vSRX RT_FLOW - APPTRACK_SESSION_CLOSE [reason=\"TCP CLIENT RST\" source-address=\"10.1.1.100\" source-port=\"38128\" destination-address=\"67.43.156.15\" destination-port=\"443\" service-name=\"junos-https\" application=\"SSL\" nested-application=\"UNKNOWN\" nat-source-address=\"192.168.222.164\" nat-source-port=\"25257\" nat-destination-address=\"67.43.156.15\" nat-destination-port=\"443\" src-nat-rule-name=\"snat\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id=\"298\" packets-from-client=\"2865\" bytes-from-client=\"166523\" packets-from-server=\"5233\" bytes-from-server=\"9075604\" elapsed-time=\"110\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"Infrastructure\" sub-category=\"Encryption\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\" dscp-value=\"N/A\" apbr-rule-type=\"N/A\"]",
+ "outcome": "success",
+ "severity": 14,
+ "start": "2023-01-31T12:42:18.657Z",
+ "type": [
+ "end",
+ "allowed",
+ "connection"
+ ]
+ },
+ "juniper": {
+ "srx": {
+ "application": "SSL",
+ "category": "Infrastructure",
+ "encrypted": "No",
+ "process": "RT_FLOW",
+ "reason": "TCP CLIENT RST",
+ "routing_instance": "default",
+ "service_name": "junos-https",
+ "session_id": "298",
+ "src_nat_rule_name": "snat",
+ "sub_category": "Encryption",
+ "tag": "APPTRACK_SESSION_CLOSE",
+ "uplink_rx_bytes": "0",
+ "uplink_tx_bytes": "0"
+ }
+ },
+ "log": {
+ "level": "informational"
+ },
+ "network": {
+ "bytes": 9242127,
+ "iana_number": "6",
+ "packets": 8098,
+ "transport": "tcp"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "ge-0/0/0.0"
+ },
+ "zone": "untrust"
+ },
+ "ingress": {
+ "zone": "trust"
+ },
+ "name": "vSRX",
+ "product": "SRX",
+ "type": "firewall",
+ "vendor": "Juniper"
+ },
+ "process": {
+ "name": "RT_FLOW"
+ },
+ "related": {
+ "ip": [
+ "10.1.1.100",
+ "67.43.156.15",
+ "192.168.222.164"
+ ]
+ },
+ "rule": {
+ "name": "default-permit"
+ },
+ "server": {
+ "bytes": 9075604,
+ "ip": "67.43.156.15",
+ "nat": {
+ "port": 443
+ },
+ "packets": 5233,
+ "port": 443
+ },
+ "source": {
+ "bytes": 166523,
+ "ip": "10.1.1.100",
+ "nat": {
+ "ip": "192.168.222.164",
+ "port": 25257
+ },
+ "packets": 2865,
+ "port": 38128
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 }
 ]
 }
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log
index a6c9f8f71b0..536aab3f9e6 100644
--- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log
@@ -5,3 +5,5 @@
 <165>1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@67.43.156.15 epoch-time="1319367986" ddos-application-name="Webserver" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" rulebase-name="DDOS" policy-name="A DoS-Webserver" repeat-count="0" message="Connection rate exceeded limit 60" context-value="N/A"]
 <165>1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@67.43.156.15 epoch-time="1319419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth1.O" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"]
 <165>1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@67.43.156.15 epoch-time="1419419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth3.0" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.1" destination-address="172.30.20.201" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS02" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"]
+<165> 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time="1507845354" message-type="SIG" source-address="67.43.156.14" source-port="45610" destination-address="67.43.156.14" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.16.1.10" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"]
+<165> 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@67.43.156.15 epoch-time="1419419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth3.0" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.1" destination-address="172.30.20.201" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS02" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"]
\ No newline at end of file
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log-expected.json b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log-expected.json
index f4fa8cbff3f..6796bf13b36 100644
--- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log-expected.json
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-idp.log-expected.json
@@ -776,6 +776,226 @@
 "tags": [
 "preserve_original_event"
 ]
+ },
+ {
+ "@timestamp": "2017-10-12T21:55:55.792Z",
+ "client": {
+ "bytes": 0,
+ "ip": "67.43.156.14",
+ "nat": {
+ "port": 0
+ },
+ "packets": 0,
+ "port": 45610
+ },
+ "destination": {
+ "bytes": 0,
+ "ip": "67.43.156.14",
+ "nat": {
+ "ip": "172.16.1.10",
+ "port": 0
+ },
+ "packets": 0,
+ "port": 80
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "security_threat",
+ "category": [
+ "network",
+ "intrusion_detection"
+ ],
+ "duration": 0,
+ "end": "2017-10-12T21:55:55.792Z",
+ "kind": "alert",
+ "original": "<165> 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@67.43.156.15 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"67.43.156.14\" source-port=\"45610\" destination-address=\"67.43.156.14\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]",
+ "outcome": "success",
+ "severity": 165,
+ "start": "2017-10-12T21:55:55.792Z",
+ "type": [
+ "info",
+ "denied",
+ "connection"
+ ]
+ },
+ "juniper": {
+ "srx": {
+ "action": "DROP",
+ "alert": "no",
+ "application_name": "HTTP",
+ "attack_name": "TROJAN:ZMEU-BOT-SCAN",
+ "epoch_time": "1507845354",
+ "export_id": "15229",
+ "message_type": "SIG",
+ "packet_log_id": "0",
+ "policy_name": "Recommended",
+ "process": "RT_IDP",
+ "repeat_count": "0",
+ "service_name": "SERVICE_IDP",
+ "tag": "IDP_ATTACK_LOG_EVENT",
+ "threat_severity": "HIGH"
+ }
+ },
+ "log": {
+ "level": "notification"
+ },
+ "network": {
+ "protocol": "TCP"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "reth1.1"
+ },
+ "zone": "dst-sec-zone1-outside"
+ },
+ "ingress": {
+ "interface": {
+ "name": "reth0.11"
+ },
+ "zone": "sec-zone-name-internet"
+ },
+ "name": "idp1",
+ "product": "SRX",
+ "type": "firewall",
+ "vendor": "Juniper"
+ },
+ "process": {
+ "name": "RT_IDP"
+ },
+ "related": {
+ "ip": [
+ "67.43.156.14",
+ "0.0.0.0",
+ "172.16.1.10"
+ ]
+ },
+ "rule": {
+ "id": "9",
+ "name": "IPS"
+ },
+ "server": {
+ "bytes": 0,
+ "ip": "67.43.156.14",
+ "nat": {
+ "port": 0
+ },
+ "packets": 0,
+ "port": 80
+ },
+ "source": {
+ "bytes": 0,
+ "ip": "67.43.156.14",
+ "nat": {
+ "ip": "0.0.0.0",
+ "port": 0
+ },
+ "packets": 0,
+ "port": 45610
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2012-10-23T17:28:31.696Z",
+ "client": {
+ "ip": "192.168.14.214",
+ "port": 50825
+ },
+ "destination": {
+ "ip": "172.30.20.201",
+ "port": 80
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "application_ddos",
+ "category": [
+ "network",
+ "intrusion_detection"
+ ],
+ "kind": "alert",
+ "original": "<165> 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@67.43.156.15 epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]",
+ "outcome": "success",
+ "severity": 165,
+ "type": [
+ "info",
+ "denied",
+ "connection"
+ ]
+ },
+ "juniper": {
+ "srx": {
+ "action": "NONE",
+ "connection_hit_rate": "30",
+ "context_hit_rate": "123",
+ "context_name": "http-get-url",
+ "context_value_hit_rate": "0",
+ "ddos_application_name": "Webserver",
+ "epoch_time": "1419419711",
+ "policy_name": "AppDoS-Webserver",
+ "process": "RT_IDP",
+ "repeat_count": "0",
+ "ruleebase_name": "DDOS02",
+ "service_name": "HTTP",
+ "tag": "IDP_APPDDOS_APP_ATTACK_EVENT_LS",
+ "threat_severity": "INFO",
+ "time_count": "3",
+ "time_period": "60",
+ "time_scope": "PEER"
+ }
+ },
+ "log": {
+ "level": "notification"
+ },
+ "network": {
+ "protocol": "TCP"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "reth0.1"
+ },
+ "zone": "untrust"
+ },
+ "ingress": {
+ "interface": {
+ "name": "reth3.0"
+ },
+ "zone": "trust"
+ },
+ "name": "SRX34001",
+ "product": "SRX",
+ "type": "firewall",
+ "vendor": "Juniper"
+ },
+ "process": {
+ "name": "RT_IDP"
+ },
+ "related": {
+ "ip": [
+ "192.168.14.214",
+ "172.30.20.201"
+ ]
+ },
+ "rule": {
+ "id": "1"
+ },
+ "server": {
+ "ip": "172.30.20.201",
+ "port": 80
+ },
+ "source": {
+ "ip": "192.168.14.214",
+ "port": 50825
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 }
 ]
 }
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log
index 906f671e386..984481ddbb1 100644
--- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log
@@ -10,3 +10,5 @@
 <11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@67.43.156.15 attack-name="SYN flood!" source-address="67.43.156.15" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
 <11>1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name="TCP port scan!" source-address="10.1.1.100" source-port="50630" destination-address="10.1.1.1" destination-port="10778" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
 <11>1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name="FIN but no ACK bit!" source-address="10.1.1.100" source-port="42799" destination-address="10.1.1.1" destination-port="7" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
+<11> 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name="FIN but no ACK bit!" source-address="10.1.1.100" source-port="42799" destination-address="10.1.1.1" destination-port="7" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
+<11> 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@67.43.156.15 attack-name="SYN flood!" source-address="67.43.156.15" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
\ No newline at end of file
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log-expected.json b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log-expected.json
index 2a2d5aa3f95..302831d6fa7 100644
--- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log-expected.json
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-ids.log-expected.json
@@ -1047,6 +1047,153 @@
 "tags": [
 "preserve_original_event"
 ]
+ },
+ {
+ "@timestamp": "2020-07-17T08:01:43.006Z",
+ "client": {
+ "ip": "10.1.1.100",
+ "port": 42799
+ },
+ "destination": {
+ "ip": "10.1.1.1",
+ "port": 7
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "illegal_tcp_flag_detected",
+ "category": [
+ "network",
+ "intrusion_detection"
+ ],
+ "kind": "alert",
+ "original": "<11> 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@67.43.156.15 attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
+ "outcome": "success",
+ "severity": 11,
+ "type": [
+ "info",
+ "denied",
+ "connection"
+ ]
+ },
+ "juniper": {
+ "srx": {
+ "action": "drop",
+ "attack_name": "FIN but no ACK bit!",
+ "process": "RT_IDS",
+ "tag": "RT_SCREEN_TCP"
+ }
+ },
+ "log": {
+ "level": "error"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "ge-0/0/1.0"
+ },
+ "zone": "trust"
+ },
+ "name": "rtr199",
+ "product": "SRX",
+ "type": "firewall",
+ "vendor": "Juniper"
+ },
+ "process": {
+ "name": "RT_IDS"
+ },
+ "related": {
+ "ip": [
+ "10.1.1.100",
+ "10.1.1.1"
+ ]
+ },
+ "server": {
+ "ip": "10.1.1.1",
+ "port": 7
+ },
+ "source": {
+ "ip": "10.1.1.100",
+ "port": 42799
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2018-07-20T00:19:02.309Z",
+ "client": {
+ "ip": "67.43.156.15"
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "flood_detected",
+ "category": [
+ "network",
+ "intrusion_detection"
+ ],
+ "kind": "alert",
+ "original": "<11> 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@67.43.156.15 attack-name=\"SYN flood!\" source-address=\"67.43.156.15\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]",
+ "outcome": "success",
+ "severity": 11,
+
"type": [ + "info", + "denied", + "connection" + ] + }, + "juniper": { + "srx": { + "action": "alarm-without-drop", + "attack_name": "SYN flood!", + "process": "RT_IDS", + "tag": "RT_SCREEN_TCP_SRC_IP" + } + }, + "log": { + "level": "error" + }, + "observer": { + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trustZone" + }, + "name": "rtr199", + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "process": { + "name": "RT_IDS" + }, + "related": { + "ip": [ + "67.43.156.15" + ] + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15" + }, + "tags": [ + "preserve_original_event" + ] } ] } diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log index b43a6c7153d..842dda9497a 100644 --- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log +++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log 
@@ -1,2 +1,3 @@
 <14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category="secintel" sub-category="Blacklist" action="BLOCK" action-detail="DROP" http-host="N/A" threat-severity="0" source-address="67.43.156.15" source-port="1" destination-address="67.43.156.15" destination-port="24039" protocol-id="1" application="N/A" nested-application="N/A" feed-name="Tor_Exit_Nodes" policy-name="cc_policy" profile-name="Blacklist" username="N/A" roles="N/A" session-id-32="572564" source-zone-name="Outside" destination-zone-name="DMZ"]
 <14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="67.43.156.15" source-port="36612" destination-address="67.43.156.15" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"]
+<14> 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="67.43.156.15" source-port="36612" destination-address="67.43.156.15" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"]
\ No newline at end of file
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log-expected.json b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log-expected.json
index 9a0434541ec..948f0fba19c 100644
--- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log-expected.json
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-secintel.log-expected.json
@@ -221,6 +221,121 @@
 "url": {
 "domain": "dummy_host"
 }
+ },
+ {
+ "@timestamp": "2016-10-17T15:18:11.618Z",
+ "client": {
+ "ip": "67.43.156.15",
+ "port": 36612
+ },
+ "destination": {
+ "as": {
+ "number": 35908
+ },
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.15",
+ "port": 80
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "action": "malware_detected",
+ "category": [
+ "network",
+ "malware"
+ ],
+ "kind": "alert",
+ "original": "<14> 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@67.43.156.15 category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"67.43.156.15\" source-port=\"36612\" destination-address=\"67.43.156.15\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"]",
+ "outcome": "success",
+ "severity": 14,
+ "type": [
+ "info",
+ "denied",
+ "connection"
+ ]
+ },
+ "juniper": {
+ "srx": {
+ "action": "BLOCK",
+ "action_detail": "CLOSE REDIRECT MSG",
+ "application": "HTTP",
+ "category": "secintel",
+ "feed_name": "cc_url_data",
+ "occur_count": "0",
+ "policy_name": "test",
+ "process": "RT_SECINTEL",
+ "profile_name": "test-profile",
+ "session_id_32": "502362",
+ "sub_category": "CC",
+ "tag": "SECINTEL_ACTION_LOG",
+ "threat_severity": "10"
+ }
+ },
+ "log": {
+ "level": "informational"
+ },
+ "network": {
+ "iana_number": "6",
+ "transport": "tcp"
+ },
+ "observer": {
+ "egress": {
+ "zone": "Outside"
+ },
+ "ingress": {
+ "zone": "Inside"
+ },
+ "name": "SRX-1500",
+ "product": "SRX",
+ "type": "firewall",
+ "vendor": "Juniper"
+ },
+
"process": { + "name": "RT_SECINTEL" + }, + "related": { + "hosts": [ + "dummy_host" + ], + "ip": [ + "67.43.156.15" + ] + }, + "server": { + "ip": "67.43.156.15", + "port": 80 + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.15", + "port": 36612 + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "dummy_host" + } } ] } diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-system.log b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-system.log index 2a3dadbf708..70b10ab847e 100644 --- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-system.log +++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-system.log @@ -20,3 +20,4 @@ <166>1 2023-05-08T10:54:24.756+10:00 AB1234-A-AB-AB01C-ABC - - - - AB1234-A-AB-AB01C-ABC nh_fabric_fill_jnhinfo: Storing nh_id as 0x2dd and jnh as 0x58e302 <167>1 2023-05-08T10:54:24.704+10:00 AB1234-A-AB-AB01C-ABC - - - - AB1234-A-AB-AB01C-ABC Copying remote chassis chassis 1, IP: 81.2.69.192 <166>1 2023-05-08T10:54:24.756+10:00 AB1234-A-AB-AB01C-ABC - - - - AB1234-A-AB-AB01C-ABC nh_fabric_fill_jnhinfo: ABCDE: Test default message 123456 +<166> 2023-05-08T10:54:24.756+10:00 AB1234-A-AB-AB01C-ABC - - - - AB1234-A-AB-AB01C-ABC nh_fabric_fill_jnhinfo: ABCDE: Test default message 123456 \ No newline at end of file diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-system.log-expected.json b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-system.log-expected.json index 8e8d9beb83d..7e347113343 100644 --- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-system.log-expected.json +++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-system.log-expected.json 
@@ -1170,6 +1170,42 @@
 "tags": [
 "preserve_original_event"
 ]
+ },
+ {
+ "@timestamp": "2023-05-08T00:54:24.756Z",
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "original": "<166> 2023-05-08T10:54:24.756+10:00 AB1234-A-AB-AB01C-ABC - - - - AB1234-A-AB-AB01C-ABC nh_fabric_fill_jnhinfo: ABCDE: Test default message 123456",
+ "severity": 166
+ },
+ "host": {
+ "name": "AB1234-A-AB-AB01C-ABC"
+ },
+ "juniper": {
+ "srx": {
+ "log_type": "system",
+ "tag": "nh_fabric_fill_jnhinfo"
+ }
+ },
+ "log": {
+ "level": "informational"
+ },
+ "message": "ABCDE: Test default message 123456",
+ "observer": {
+ "name": "AB1234-A-AB-AB01C-ABC",
+ "product": "SRX",
+ "type": "firewall",
+ "vendor": "Juniper"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 }
 ]
 }
diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log
index 5ba1c282674..4313a88a111 100644
--- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log
+++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log
@@ -10,3 +10,4 @@
 <14>1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@67.43.156.15 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="58974" destination-address="67.43.156.14" destination-port="443" session-id="16297" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Information_Technology" reason="BY_SITE_REPUTATION_MODERATELY_SAFE" profile="WCF1" url="datawrapper.dwcdn.net" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="0"]
 <12>1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@67.43.156.15 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="59075" destination-address="67.43.156.13" destination-port="443" session-id="16490" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Advertisements" reason="BY_SITE_REPUTATION_SUSPICIOUS" profile="WCF1" url="dsp.adfarm1.adition.com" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="3"]
 <12>1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@67.43.156.15 source-zone="trust" destination-zone="untrust" source-address="67.43.156.13" source-port="80" destination-address="10.1.1.100" destination-port="58954" profile-name="Custom-Sophos-Profile" filename="download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" action="BLOCKED" reason="exceeding maximum content size" error-code="7" username="N/A" roles="N/A"]
+<12> 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@67.43.156.15 source-zone="trust" destination-zone="untrust" source-address="67.43.156.13" source-port="80" destination-address="10.1.1.100" destination-port="58954" profile-name="Custom-Sophos-Profile" filename="download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" action="BLOCKED" 
reason="exceeding maximum content size" error-code="7" username="N/A" roles="N/A"] \ No newline at end of file diff --git a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log-expected.json b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log-expected.json index 5e6e378f584..b1d9dd4d61b 100644 --- a/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log-expected.json +++ b/packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-utm.log-expected.json 
@@ -1080,6 +1080,93 @@
 "tags": [
 "preserve_original_event"
 ]
+ },
+ {
+ "@timestamp": "2020-07-14T14:17:04.733Z",
+ "client": {
+ "ip": "67.43.156.13",
+ "port": 80
+ },
+ "destination": {
+ "ip": "10.1.1.100",
+ "port": 58954
+ },
+ "ecs": {
+ "version": "8.17.0"
+ },
+ "event": {
+ "category": [
+ "network"
+ ],
+ "kind": "event",
+ "original": "<12> 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@67.43.156.15 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"67.43.156.13\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"]",
+ "outcome": "success",
+ "severity": 12,
+ "type": [
+ "allowed",
+ "connection"
+ ]
+ },
+ "file": {
+ "name": "download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar"
+ },
+ "juniper": {
+ "srx": {
+ "action": "BLOCKED",
+ "error_code": "7",
+ "process": "RT_UTM",
+ "profile_name": "Custom-Sophos-Profile",
+ "reason": "exceeding maximum content size",
+ "tag": "AV_FILE_NOT_SCANNED_DROPPED_MT"
+ }
+ },
+ "log": {
+ "level": "warning"
+ },
+ "observer": {
+ "egress": {
+ "zone": "untrust"
+ },
+ "ingress": {
+ "zone": "trust"
+ },
+ "name": "SRX650-1",
+ "product": "SRX",
+ "type": "firewall",
+ "vendor": "Juniper"
+ },
+ "process": {
+ "name": "RT_UTM"
+ },
+ "related": {
+ "ip": [
+ "67.43.156.13",
+ "10.1.1.100"
+ ]
+ },
+ "server": {
+ "ip": "10.1.1.100",
+ "port": 58954
+ },
+ "source": {
+ "as": {
+ "number": 35908
+ },
+ "geo": {
+ "continent_name": "Asia",
+ "country_iso_code": "BT",
+ "country_name": "Bhutan",
+ "location": {
+ "lat": 27.5,
+ "lon": 90.5
+ }
+ },
+ "ip": "67.43.156.13",
+ "port": 80
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
 }
 ]
 }
diff --git a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index a6809113738..5e14dffcb02 100644
--- a/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -24,7 +24,7 @@ processors:
 # 3. SRX System structured-brief and unstructured log patterns (further parsing done in system.yml)
 - '^%{SYSLOG_PREFIX}?%{CUSTOM_DATE:_temp_.raw_date}\s%{SYSLOGHOST:syslog_hostname}\s%{GREEDYDATA:_temp_.unparsed.message}$'
 pattern_definitions:
- SYSLOG_PREFIX: '<%{POSINT:syslog_pri}>(?:\d{1,3}\s)'
+ SYSLOG_PREFIX: '<%{POSINT:syslog_pri}>(?:\d{1,3})?%{SPACE}'
 CUSTOM_DATE: "%{TIMESTAMP_ISO8601}|(%{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{TIME})"
 JUNIPER_TRAFFIC_PROCESS: "RT_FLOW|RT_UTM|RT_IDP|RT_IDS|RT_AAMW|RT_SECINTEL"
diff --git a/packages/juniper_srx/manifest.yml b/packages/juniper_srx/manifest.yml
index ce01dbf3ef4..3a0c65c9c69 100644
--- a/packages/juniper_srx/manifest.yml
+++ b/packages/juniper_srx/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: juniper_srx
 title: Juniper SRX
-version: "1.27.1"
+version: "1.27.2"
 description: Collect logs from Juniper SRX devices with Elastic Agent.
 categories: ["network", "security", "firewall_security"]
 type: integration
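Review bot: `%{SPACE}` expands to `\s*`, so the new `SYSLOG_PREFIX` no longer requires any separator between the `<PRI>`/version field and the timestamp; a fused header such as `<166>12023-05-08T10:54:24.756+10:00 …` now matches with the leading digit silently taken as the version instead of failing grok, and depending on how backtracking splits the digits the timestamp can be misread. Requiring at least one whitespace keeps the fix for the `<PRI> ` (no version) case the new test lines cover while still rejecting fused headers: `SYSLOG_PREFIX: '<%{POSINT:syslog_pri}>(?:\d{1,3})?\s+'`. The version digits are still matched but never captured, as before, which is worth stating next to the definition, e.g. `# matches "<PRI>1 " (RFC 5424) and "<PRI> " (no version); the version number is not captured`. The enclosing `processors`/grok block starts outside the hunk.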