diff --git a/packages/sonicwall/_dev/deploy/docker/sample_logs/sonicwall-firewall-general.log b/packages/sonicwall/_dev/deploy/docker/sample_logs/sonicwall-firewall-general.log
index 41f778c72f3..1748d4e02bd 100644
--- a/packages/sonicwall/_dev/deploy/docker/sample_logs/sonicwall-firewall-general.log
+++ b/packages/sonicwall/_dev/deploy/docker/sample_logs/sonicwall-firewall-general.log
@@ -19,3 +19,6 @@ Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:18"
 Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy="name"
 Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582
 Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:21" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns
+10.0.0.1 id=firewall sn=123456789 time="2022-02-22 18:24:30 UTC" fw=10.0.0.2 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=10.0.0.3:52379:X0 natSrc=10.0.0.2:48245 dst=8.8.8.8:443:X1 natDst=8.8.8.8:443 usr="Unknown (SSO failed)" proto=tcp/https sent=52 app=49177 appName='General HTTPS' n=123456789 fw_action="NA" dpi=0
+10.0.0.1 id=firewall sn=123456789 time="2022-02-22 18:29:37 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=12:34:56:78:90:ab src=10.0.0.3:64828:X0 srcZone=Trusted natSrc=10.0.0.2:47621 dstMac=ab:09:87:65:43:21 dst=8.8.8.8:443:X1 dstZone=Untrusted natDst=8.8.8.8:443 usr="Unknown (SSO failed)" proto=tcp/https sent=3523 rcvd=14226 app=7927 dstname=chat-pa.clients6.google.com arg=/ code=29 Category="Search Engines and Portals" note="Policy: cfsZonePolicy0, Info: 6148 " n=123456789 fw_action="NA" dpi=1
+10.0.0.1 id=firewall sn=2CB8ED17E180 time="2022-02-22 18:34:21 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=12:34:56:78:90:ab src=10.0.0.3:49217:X0 srcZone=Trusted natSrc=10.0.0.2:53466 dstMac=ab:09:87:65:43:21 dst=8.8.8.8:443:X1 dstZone=Untrusted natDst=8.8.8.8:443 usr="Unknown (SSO failed)" proto=tcp/https sent=2079 rcvd=6642 app=7927 dstname=seg.ad.gt arg=/ 
code=15 Category="Business and Economy" note="Policy: cfsZonePolicy0, Info: 6148 " n=123456789 fw_action="NA" dpi=1 \ No newline at end of file diff --git a/packages/sonicwall/changelog.yml b/packages/sonicwall/changelog.yml index de1ab8b5e67..1df7f42ad2f 100644 --- a/packages/sonicwall/changelog.yml +++ b/packages/sonicwall/changelog.yml @@ -1,4 +1,10 @@ # newer versions go on top + +- version: "0.8.0" + changes: + - description: Add fields to be parsed + type: enhancement + link: https://github.com/elastic/integrations/pull/2729 - version: "0.7.0" changes: - description: Update to ECS 8.0.0 diff --git a/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-general.log b/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-general.log index 41f778c72f3..90e98e20dce 100644 --- a/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-general.log +++ b/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-general.log 
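Review bot: The third added line still carries `sn=2CB8ED17E180`, which looks like a genuine appliance serial rather than a placeholder, while the identical event added to the pipeline test fixture in this same PR is anonymised to `sn=12345678`; since this sample log ships inside the package, it should use the same placeholder, `sn=12345678`. The two copies also diverge on the destination (`8.8.8.8` here versus `216.160.83.61` in the fixture, an address the expected output resolves through the geoip test database), so the enrichment exercised by the docker system test will not match what the pipeline test pins. The new lines additionally omit the `Jan 3 13:45:50 192.168.5.1` syslog prefix every other line in this file carries, and the file now ends without a trailing newline; both are worth confirming against the system-test syslog input, which may buffer or parse a header-less final line differently. If the header-less form is intentional device output, a short remark in the data stream README would save the next contributor from "fixing" it.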
@@ -1,21 +1,29 @@
-Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
-Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN
-Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23420 src=2.2.2.2:36702:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
-Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242
-Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:08" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy="name"
-Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy="name"
-Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152
-Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23421 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
-Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=8 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN
-Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:11" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23422 src=2.2.2.2:36704:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
-Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.1.1.1 pri=5 c=256 m=38 msg="ICMP packet dropped" n=22070 src=219.89.19.223:1026:WAN dst=1.1.1.1:6822:WAN type=3 code=3
-Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568000 src=219.89.19.223:1026:WAN dst=1.1.1.1:0:WAN proto=udp/0
-Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=16 m=346 msg="IKE Initiator: Start Quick Mode (Phase 2)." n=171872 src=2.2.2.2:500 dst=1.1.1.1:500
-Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23423 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500
-Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=4 c=16 m=483 msg="Received notify: INVALID_ID_INFO" n=171625 src=2.2.2.2:500 dst=1.1.1.1:500
-Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns
-Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:17" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445
-Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:18" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568001 src=2.2.2.2:36699:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 sent=1557 rcvd=957
-Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy="name"
-Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582
-Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:21" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns
+Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=175.16.199.1:36701:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000
+Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.128.3.4 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=175.16.199.1:36701:WAN dst=1.128.3.4:50000:WAN
+Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23420 src=175.16.199.1:36702:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000
+Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242
+Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:08" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy="name"
+Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy="name"
+Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=1.128.3.4:500:WAN dst=175.16.199.1:500:WAN proto=udp/500 sent=344 rcvd=152
+Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23421 src=175.16.199.1:36703:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000
+Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.128.3.4 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=8 src=175.16.199.1:36703:WAN dst=1.128.3.4:50000:WAN
+Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:11" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23422 src=175.16.199.1:36704:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000
+Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.128.3.4 pri=5 c=256 m=38 msg="ICMP packet dropped" n=22070 src=216.160.83.57:1026:WAN dst=1.128.3.4:6822:WAN type=3 code=3
+Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=568000 src=216.160.83.57:1026:WAN dst=1.128.3.4:0:WAN proto=udp/0
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.128.3.4 pri=6 c=16 m=346 msg="IKE Initiator: Start Quick Mode (Phase 2)." n=171872 src=175.16.199.1:500 dst=1.128.3.4:500
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23423 src=1.128.3.4:500:WAN dst=175.16.199.1:500:WAN proto=udp/500
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.128.3.4 pri=4 c=16 m=483 msg="Received notify: INVALID_ID_INFO" n=171625 src=175.16.199.1:500 dst=1.128.3.4:500
+Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns
+Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:17" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445
+Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:18" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=568001 src=175.16.199.1:36699:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000 sent=1557 rcvd=957
+Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy="name"
+Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582
+Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:21" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns
+10.0.0.1 id=firewall sn=123456789 time="2022-02-22 18:24:30 UTC" fw=10.0.0.2 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=10.0.0.3:52379:X0 natSrc=10.0.0.2:48245 dst=216.160.83.61:443:X1 natDst=216.160.83.61:443 usr="Unknown (SSO failed)" proto=tcp/https sent=52 app=49177 appName='General HTTPS' n=123456789 fw_action="NA" dpi=0
+10.0.0.1 id=firewall sn=123456789 time="2022-02-22 18:29:37 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=12:34:56:78:90:ab src=10.0.0.3:64828:X0 srcZone=Trusted natSrc=10.0.0.2:47621 dstMac=ab:09:87:65:43:21 dst=216.160.83.61:443:X1 dstZone=Untrusted natDst=216.160.83.61:443 usr="Unknown (SSO failed)" proto=tcp/https sent=3523 rcvd=14226 app=7927 dstname=chat-pa.clients6.google.com arg=/ code=29 Category="Search Engines and Portals" note="Policy: cfsZonePolicy0, Info: 6148 " n=123456789 fw_action="NA" dpi=1
+10.0.0.1 id=firewall sn=12345678 time="2022-02-22 18:34:21 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=12:34:56:78:90:ab src=10.0.0.3:49217:X0 srcZone=Trusted natSrc=10.0.0.2:53466 dstMac=ab:09:87:65:43:21 dst=216.160.83.61:443:X1 dstZone=Untrusted natDst=216.160.83.61:443 usr="Unknown (SSO failed)" proto=tcp/https sent=2079 rcvd=6642 app=7927 dstname=seg.ad.gt arg=/ code=15 Category="Business and Economy" note="Policy: cfsZonePolicy0, Info: 6148 " n=123456789 fw_action="NA" dpi=1
+10.0.0.1 id=firewall sn=12345678 time="2022-03-09 14:58:44 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=12:34:56:78:90:ab src=10.0.0.3:56242:X0 srcZone=Trusted natSrc=10.0.0.2:18447 dstMac=ab:09:87:65:43:21 dst=67.43.156.13:443:X1 dstZone=Untrusted natDst=67.43.156.13:443 usr="Unknown (SSO failed)" proto=tcp/https sent=1749 rcvd=968 app=7927 dstname=rcs-us-east-1.neoservice-aws.com arg=/ code=27 Category="Information Technology/Computers" note="Policy: cfsZonePolicy0, Info: 6148 " n=368203630 fw_action="NA" dpi=1
+10.0.0.1 id=firewall sn=12345678 time="2022-03-09 05:29:32 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=12:34:56:78:90:ab src=10.0.0.3:56502:X0 srcZone=Trusted natSrc=10.0.0.2:15926 dstMac=ab:09:87:65:43:21 dst=67.43.156.14:80:X1 dstZone=Untrusted 
natDst=67.43.156.14:80 usr="Unknown (SSO failed)" proto=tcp/http sent=510 rcvd=955 app=5147 op=1 dstname=ocsp.digicert.com arg=/abcd code=27 Category="Information Technology/Computers" note="Policy: cfsZonePolicy0, Info: 6147 " n=367895985 fw_action="NA" dpi=1 +10.0.0.1 id=firewall sn=12345678 time="2022-03-09 18:44:05 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=6 m=537 msg="Connection Closed" src=10.0.0.4:37153:X0 natSrc=10.0.0.2:12325 dst=89.160.20.112:8800:X1 natDst=89.160.20.112:8800 proto=udp/8800 sent=284 spkt=1 app=49202 appName='General UDP' n=1846613339 fw_action="NA" dpi=0 +10.0.0.1 id=firewall sn=12345678 time="2022-03-09 18:57:05 UTC" fw=10.0.0.2 pri=1 c=32 gcat=3 m=608 src=67.43.156.15:8:X1 dst=10.0.0.3:1850:X0 msg="IPS Detection Alert: ICMP Echo Reply, SID: 316, Priority: Low" msg="IPS Detection Alert: ICMP Echo Reply" sid=316 ipscat="ICMP Echo Reply" ipspri=3 n=174072 fw_action="NA" +10.0.0.1 id=firewall sn=12345678 time="2022-03-11 14:17:52 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 srcMac=12:34:56:78:90:ab src=10.0.0.4:41856:X0 srcZone=Trusted natSrc=10.0.0.2:8689 dstMac=ab:09:87:65:43:21 dst=89.160.20.112:443:X1 dstZone=Untrusted natDst=89.160.20.112:443 usr="Unknown (SSO failed)" proto=tcp/https sent=104 rcvd=230 rule="15 (LAN->WAN)" app=5 af_polid=4 ipscat=N/A appcat="PROXY-ACCESS" appid=2900 dstname=89.160.20.112 arg=/ code=64 Category="Not Rated" note="Policy: cfsZonePolicy0, Info: 6148 " n=2520325 fw_action="NA" dpi=1 diff --git a/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-general.log-expected.json b/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-general.log-expected.json index 5a8ebbd67aa..57733b28827 100644 --- a/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-general.log-expected.json +++ b/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-general.log-expected.json 
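Review bot: The eight new `+10.0.0.1 id=firewall ...` lines have no syslog header, while all 21 rewritten lines above them still begin with `Jan 3 13:45:36 192.168.5.1`, so the fixture now covers two leading formats with nothing recording that the header-less form is deliberate; a line in the data stream docs (or the PR description) stating which SonicWall configurations emit it would keep a later contributor from prepending a timestamp to "fix" them. The serial also differs within the new lines, `sn=123456789` on the first two and `sn=12345678` on the other six; unless the length difference is being tested, aligning them all on `sn=12345678` makes the fixture easier to reason about. The IPS line carries `msg=` twice (`msg="IPS Detection Alert: ICMP Echo Reply, SID: 316, Priority: Low" msg="IPS Detection Alert: ICMP Echo Reply"`), which is a good edge case, but the expected JSON should be checked to confirm which value the KV parser keeps, since only the first one carries the SID and priority. Finally, `usr="Unknown (SSO failed)"` is a placeholder rather than an identity; if the pipeline maps `usr` to `user.name`, these events will populate a bogus user entity, so the expected output for these lines is worth checking for that.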
@@ -1,256 +1,2179 @@ { "expected": [ { + "@timestamp": "2007-01-03T14:48:06.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.825954500Z", + "module": "sonicwall", + "original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:06\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23419 src=175.16.199.1:36701:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000", + "risk_score": 6, + "sequence": 23419, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515864, + "ingest_time": "2022-03-15T13:39:10.825954500Z", + "message": "Connection Opened", + "network": { + "protocol": "50000", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 36701 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:07.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.825982500Z", + "module": "sonicwall", + "original": "Jan 3 13:45:36 192.168.5.1 id=firewall 
sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.128.3.4 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=7 src=175.16.199.1:36701:WAN dst=1.128.3.4:50000:WAN", + "risk_score": 1, + "sequence": 7, + "severity": 1 + }, + "ingest_lag_in_seconds": 479515863, + "ingest_time": "2022-03-15T13:39:10.825982500Z", + "message": "Administrator login denied due to bad credentials", + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 32, + "message_id": 30 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 36701 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:07.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 50000 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173101290Z" + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.825990300Z", + "module": "sonicwall", + "original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23420 src=175.16.199.1:36702:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000", + "risk_score": 6, + "sequence": 23420, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515863, + "ingest_time": "2022-03-15T13:39:10.825990300Z", + "message": "Connection Opened", + "network": { + "protocol": "50000", + "transport": "tcp" + }, + "observer": { 
+ "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 36702 }, - "message": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:06\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:07.000Z", + "destination": { + "bytes": 242, + "ip": "192.168.5.10", + "port": 53 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173104554Z" + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.825997500Z", + "module": "sonicwall", + "original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242", + "risk_score": 6, + "sequence": 567996, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515863, + "ingest_time": "2022-03-15T13:39:10.825997500Z", + "message": "Connection Closed", + "network": { + "bytes": 499, + "protocol": "dns", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "LAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + 
"event": { + "category": 1024, + "message_id": 537 + } + }, + "source": { + "bytes": 257, + "ip": "192.168.4.10", + "port": 27577 }, - "message": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:08.000Z", + "destination": { + "bytes": 13042, + "ip": "192.168.1.100", + "port": 1026 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173105755Z" + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826121Z", + "module": "sonicwall", + "original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:08\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy=\"name\"", + "risk_score": 6, + "sequence": 567997, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515862, + "ingest_time": "2022-03-15T13:39:10.826121Z", + "message": "Connection Closed", + "network": { + "bytes": 16632, + "protocol": "1026", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "LAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 1024, + "message_id": 537 + } + }, + "source": { + "bytes": 3590, + "ip": "192.168.5.56", + "port": 4277, + "vpn_policy": "name" }, - "message": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23420 src=2.2.2.2:36702:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "tags": [ "preserve_original_event" ] }, { + 
"@timestamp": "2007-01-03T14:48:10.000Z", + "destination": { + "bytes": 454118, + "ip": "192.168.2.81", + "port": 41850 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173106816Z" + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826131900Z", + "module": "sonicwall", + "original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy=\"name\"", + "risk_score": 6, + "sequence": 567999, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515860, + "ingest_time": "2022-03-15T13:39:10.826131900Z", + "message": "Connection Closed", + "network": { + "bytes": 840144, + "protocol": "41850", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "LAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 1024, + "message_id": 537 + } + }, + "source": { + "bytes": 386026, + "ip": "192.168.5.56", + "port": 4280, + "vpn_policy": "name" }, - "message": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:10.000Z", + "destination": { + "bytes": 152, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 500 + }, "ecs": { 
"version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173107989Z" + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826138200Z", + "module": "sonicwall", + "original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=1.128.3.4:500:WAN dst=175.16.199.1:500:WAN proto=udp/500 sent=344 rcvd=152", + "risk_score": 6, + "sequence": 567999, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515860, + "ingest_time": "2022-03-15T13:39:10.826138200Z", + "message": "Connection Closed", + "network": { + "bytes": 496, + "protocol": "500", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 1024, + "message_id": 537 + } + }, + "source": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "bytes": 344, + "ip": "1.128.3.4", + "port": 500 }, - "message": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:08\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy=\"name\"", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:10.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 50000 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173109022Z" + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826144200Z", + "module": "sonicwall", + "original": "Jan 3 13:45:40 192.168.5.1 
id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23421 src=175.16.199.1:36703:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000", + "risk_score": 6, + "sequence": 23421, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515860, + "ingest_time": "2022-03-15T13:39:10.826144200Z", + "message": "Connection Opened", + "network": { + "protocol": "50000", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 36703 }, - "message": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy=\"name\"", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:10.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 50000 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173110050Z" + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826204900Z", + "module": "sonicwall", + "original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.128.3.4 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=8 src=175.16.199.1:36703:WAN 
dst=1.128.3.4:50000:WAN", + "risk_score": 1, + "sequence": 8, + "severity": 1 + }, + "ingest_lag_in_seconds": 479515860, + "ingest_time": "2022-03-15T13:39:10.826204900Z", + "message": "Administrator login denied due to bad credentials", + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 32, + "message_id": 30 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 36703 }, - "message": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500 sent=344 rcvd=152", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:11.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 50000 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173111095Z" + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826220700Z", + "module": "sonicwall", + "original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:11\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23422 src=175.16.199.1:36704:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000", + "risk_score": 6, + "sequence": 23422, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515859, + "ingest_time": "2022-03-15T13:39:10.826220700Z", + "message": "Connection Opened", + "network": { + 
"protocol": "50000", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 36704 }, - "message": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23421 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:14.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 6822 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173112110Z" + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826228900Z", + "module": "sonicwall", + "original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.128.3.4 pri=5 c=256 m=38 msg=\"ICMP packet dropped\" n=22070 src=216.160.83.57:1026:WAN dst=1.128.3.4:6822:WAN type=3 code=3", + "risk_score": 5, + "sequence": 22070, + "severity": 5 + }, + "ingest_lag_in_seconds": 479515856, + "ingest_time": "2022-03-15T13:39:10.826228900Z", + "message": "ICMP packet dropped", + "observer": { + "egress": { + "interface": { + "name": "WAN " + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + 
"category": 256, + "code": 3, + "icmp_type": 3, + "message_id": 38 + } + }, + "source": { + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 1026 }, - "message": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=8 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:14.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 0 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173113334Z" + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826236700Z", + "module": "sonicwall", + "original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568000 src=216.160.83.57:1026:WAN dst=1.128.3.4:0:WAN proto=udp/0", + "risk_score": 6, + "sequence": 568000, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515856, + "ingest_time": "2022-03-15T13:39:10.826236700Z", + "message": "Connection Closed", + "network": { + "protocol": "0", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 1024, + "message_id": 537 + } + }, + "source": { + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + 
"continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 1026 }, - "message": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:11\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23422 src=2.2.2.2:36704:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:15.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 500 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173114380Z" + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826243500Z", + "module": "sonicwall", + "original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.128.3.4 pri=6 c=16 m=346 msg=\"IKE Initiator: Start Quick Mode (Phase 2).\" n=171872 src=175.16.199.1:500 dst=1.128.3.4:500", + "risk_score": 6, + "sequence": 171872, + "severity": 6 + }, + "ingest_lag_in_seconds": 479515855, + "ingest_time": "2022-03-15T13:39:10.826243500Z", + "message": "IKE Initiator: Start Quick Mode (Phase 2).", + "observer": { + "egress": { + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 16, + "message_id": 346 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 500 }, - "message": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.1.1.1 pri=5 c=256 m=38 msg=\"ICMP 
packet dropped\" n=22070 src=219.89.19.223:1026:WAN dst=1.1.1.1:6822:WAN type=3 code=3", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:15.000Z", + "destination": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 500 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173115657Z" + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826295500Z", + "module": "sonicwall", + "original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23423 src=1.128.3.4:500:WAN dst=175.16.199.1:500:WAN proto=udp/500", + "risk_score": 6, + "sequence": 23423, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515855, + "ingest_time": "2022-03-15T13:39:10.826295500Z", + "message": "Connection Opened", + "network": { + "protocol": "500", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 500 }, - "message": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568000 src=219.89.19.223:1026:WAN dst=1.1.1.1:0:WAN proto=udp/0", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:15.000Z", + "destination": { + "as": { + 
"number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 500 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173116695Z" + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826308800Z", + "module": "sonicwall", + "original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.128.3.4 pri=4 c=16 m=483 msg=\"Received notify: INVALID_ID_INFO\" n=171625 src=175.16.199.1:500 dst=1.128.3.4:500", + "risk_score": 4, + "sequence": 171625, + "severity": 4 + }, + "ingest_lag_in_seconds": 479515855, + "ingest_time": "2022-03-15T13:39:10.826308800Z", + "message": "Received notify: INVALID_ID_INFO", + "observer": { + "egress": { + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 16, + "message_id": 483 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 500 }, - "message": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=16 m=346 msg=\"IKE Initiator: Start Quick Mode (Phase 2).\" n=171872 src=2.2.2.2:500 dst=1.1.1.1:500", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:15.000Z", + "destination": { + "ip": "192.168.5.10", + "port": 53 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173117717Z" + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826316100Z", + "module": "sonicwall", + "original": "Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23424 
src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", + "risk_score": 6, + "sequence": 23424, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515855, + "ingest_time": "2022-03-15T13:39:10.826316100Z", + "message": "Connection Opened", + "network": { + "protocol": "dns", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "LAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "ip": "192.168.115.10", + "port": 11549 }, - "message": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23423 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:17.000Z", + "destination": { + "ip": "192.168.1.100", + "port": 445 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173118743Z" + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826322100Z", + "module": "sonicwall", + "original": "Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:17\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445", + "risk_score": 6, + "sequence": 23425, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515853, + "ingest_time": "2022-03-15T13:39:10.826322100Z", + "message": "Connection Opened", + "network": { + "protocol": "445", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "LAN" + } + }, + "ip": "192.168.5.1", 
+ "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "ip": "192.168.5.64", + "port": 3182 }, - "message": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=4 c=16 m=483 msg=\"Received notify: INVALID_ID_INFO\" n=171625 src=2.2.2.2:500 dst=1.1.1.1:500", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:18.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "bytes": 957, + "ip": "1.128.3.4", + "port": 50000 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173119763Z" + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826326700Z", + "module": "sonicwall", + "original": "Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:18\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568001 src=175.16.199.1:36699:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000 sent=1557 rcvd=957", + "risk_score": 6, + "sequence": 568001, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515852, + "ingest_time": "2022-03-15T13:39:10.826326700Z", + "message": "Connection Closed", + "network": { + "bytes": 2514, + "protocol": "50000", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 1024, + "message_id": 537 + } + }, + "source": { + "bytes": 1557, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": 
"175.16.199.1", + "port": 36699 }, - "message": "Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:20.000Z", + "destination": { + "bytes": 254, + "ip": "192.168.1.100", + "port": 53 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173120920Z" + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826370500Z", + "module": "sonicwall", + "original": "Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy=\"name\"", + "risk_score": 6, + "sequence": 568002, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515850, + "ingest_time": "2022-03-15T13:39:10.826370500Z", + "message": "Connection Closed", + "network": { + "bytes": 655, + "protocol": "dns", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "LAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 1024, + "message_id": 537 + } + }, + "source": { + "bytes": 401, + "ip": "192.168.5.10", + "port": 3417, + "vpn_policy": "name" }, - "message": "Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:17\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:20.000Z", + "destination": { + "ip": "192.168.5.10", + "port": 3582 + }, 
"ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173121940Z" + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826423300Z", + "module": "sonicwall", + "original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582", + "risk_score": 6, + "sequence": 23426, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515850, + "ingest_time": "2022-03-15T13:39:10.826423300Z", + "message": "Connection Opened", + "network": { + "protocol": "3582", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "LAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "ip": "192.168.125.75", + "port": 524 }, - "message": "Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:18\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568001 src=2.2.2.2:36699:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000 sent=1557 rcvd=957", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2007-01-03T14:48:21.000Z", + "destination": { + "ip": "192.168.5.10", + "port": 53 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173122957Z" + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826432900Z", + "module": "sonicwall", + "original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:21\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", + "risk_score": 6, + "sequence": 23427, + 
"severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515849, + "ingest_time": "2022-03-15T13:39:10.826432900Z", + "message": "Connection Opened", + "network": { + "protocol": "dns", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "LAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "ip": "192.168.6.10", + "port": 28503 }, - "message": "Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.1.1.1 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy=\"name\"", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2022-02-22T18:24:30.000Z", + "destination": { + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.61", + "nat": { + "ip": "216.160.83.61", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826438800Z", + "module": "sonicwall", + "original": "10.0.0.1 id=firewall sn=123456789 time=\"2022-02-22 18:24:30 UTC\" fw=10.0.0.2 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=10.0.0.3:52379:X0 natSrc=10.0.0.2:48245 dst=216.160.83.61:443:X1 natDst=216.160.83.61:443 usr=\"Unknown (SSO failed)\" proto=tcp/https sent=52 app=49177 appName='General HTTPS' n=123456789 fw_action=\"NA\" dpi=0", + "risk_score": 6, + "sequence": 123456789, + "severity": 6, + "type": "event" + }, + 
"ingest_lag_in_seconds": 1797280, + "ingest_time": "2022-03-15T13:39:10.826438800Z", + "message": "Connection Opened", + "network": { + "bytes": 52, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "ip": "10.0.0.2" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "10.0.0.1", + "serial_number": "123456789" + }, + "sonicwall": { + "event": { + "app_name": "'General HTTPS'", + "application_id_number": 49177, + "category": 262144, + "dpi": 0, + "firewall_action": "NA", + "group_category": 6, + "message_id": 98 + } + }, + "source": { + "bytes": 52, + "ip": "10.0.0.3", + "nat": { + "ip": "10.0.0.2", + "port": 48245 + }, + "port": 52379 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "Unknown (SSO failed)" + } + }, + { + "@timestamp": "2022-02-22T18:29:37.000Z", + "destination": { + "as": { + "number": 209 + }, + "bytes": 14226, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.61", + "mac": "ab:09:87:65:43:21", + "nat": { + "ip": "216.160.83.61", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826443400Z", + "module": "sonicwall", + "original": "10.0.0.1 id=firewall sn=123456789 time=\"2022-02-22 18:29:37 UTC\" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg=\"Web site hit\" srcMac=12:34:56:78:90:ab src=10.0.0.3:64828:X0 srcZone=Trusted natSrc=10.0.0.2:47621 dstMac=ab:09:87:65:43:21 dst=216.160.83.61:443:X1 dstZone=Untrusted natDst=216.160.83.61:443 usr=\"Unknown (SSO failed)\" proto=tcp/https sent=3523 rcvd=14226 app=7927 dstname=chat-pa.clients6.google.com arg=/ code=29 Category=\"Search Engines and 
Portals\" note=\"Policy: cfsZonePolicy0, Info: 6148 \" n=123456789 fw_action=\"NA\" dpi=1", + "risk_score": 6, + "sequence": 123456789, + "severity": 6 + }, + "ingest_lag_in_seconds": 1796973, + "ingest_time": "2022-03-15T13:39:10.826443400Z", + "message": "Web site hit", + "network": { + "bytes": 17749, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "ip": "10.0.0.2", + "zone": "Untrusted" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "X0" + }, + "zone": "Trusted" + }, + "ip": "10.0.0.1", + "serial_number": "123456789" + }, + "sonicwall": { + "destination": { + "name": "chat-pa.clients6.google.com" + }, + "event": { + "application_id_number": 7927, + "blocking_category": "Search Engines and Portals", + "category": 1024, + "code": 29, + "dpi": 1, + "firewall_action": "NA", + "group_category": 2, + "message_id": 97, + "note": "Policy: cfsZonePolicy0, Info: 6148 ", + "url_path": "/" + } + }, + "source": { + "bytes": 3523, + "ip": "10.0.0.3", + "mac": "12:34:56:78:90:ab", + "nat": { + "ip": "10.0.0.2", + "port": 47621 + }, + "port": 64828 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "Unknown (SSO failed)" + } + }, + { + "@timestamp": "2022-02-22T18:34:21.000Z", + "destination": { + "as": { + "number": 209 + }, + "bytes": 6642, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.61", + "mac": "ab:09:87:65:43:21", + "nat": { + "ip": "216.160.83.61", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826491400Z", + "module": "sonicwall", + "original": "10.0.0.1 id=firewall sn=12345678 time=\"2022-02-22 18:34:21 UTC\" 
fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg=\"Web site hit\" srcMac=12:34:56:78:90:ab src=10.0.0.3:49217:X0 srcZone=Trusted natSrc=10.0.0.2:53466 dstMac=ab:09:87:65:43:21 dst=216.160.83.61:443:X1 dstZone=Untrusted natDst=216.160.83.61:443 usr=\"Unknown (SSO failed)\" proto=tcp/https sent=2079 rcvd=6642 app=7927 dstname=seg.ad.gt arg=/ code=15 Category=\"Business and Economy\" note=\"Policy: cfsZonePolicy0, Info: 6148 \" n=123456789 fw_action=\"NA\" dpi=1", + "risk_score": 6, + "sequence": 123456789, + "severity": 6 + }, + "ingest_lag_in_seconds": 1796689, + "ingest_time": "2022-03-15T13:39:10.826491400Z", + "message": "Web site hit", + "network": { + "bytes": 8721, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "ip": "10.0.0.2", + "zone": "Untrusted" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "X0" + }, + "zone": "Trusted" + }, + "ip": "10.0.0.1", + "serial_number": "12345678" + }, + "sonicwall": { + "destination": { + "name": "seg.ad.gt" + }, + "event": { + "application_id_number": 7927, + "blocking_category": "Business and Economy", + "category": 1024, + "code": 15, + "dpi": 1, + "firewall_action": "NA", + "group_category": 2, + "message_id": 97, + "note": "Policy: cfsZonePolicy0, Info: 6148 ", + "url_path": "/" + } + }, + "source": { + "bytes": 2079, + "ip": "10.0.0.3", + "mac": "12:34:56:78:90:ab", + "nat": { + "ip": "10.0.0.2", + "port": 53466 + }, + "port": 49217 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "Unknown (SSO failed)" + } + }, + { + "@timestamp": "2022-03-09T14:58:44.000Z", + "destination": { + "as": { + "number": 35908 + }, + "bytes": 968, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.13", + "mac": "ab:09:87:65:43:21", + "nat": { + "ip": "67.43.156.13", + "port": 443 + }, + "port": 443 + }, + "ecs": { + 
"version": "8.0.0" + }, + "event": { + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826501Z", + "module": "sonicwall", + "original": "10.0.0.1 id=firewall sn=12345678 time=\"2022-03-09 14:58:44 UTC\" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg=\"Web site hit\" srcMac=12:34:56:78:90:ab src=10.0.0.3:56242:X0 srcZone=Trusted natSrc=10.0.0.2:18447 dstMac=ab:09:87:65:43:21 dst=67.43.156.13:443:X1 dstZone=Untrusted natDst=67.43.156.13:443 usr=\"Unknown (SSO failed)\" proto=tcp/https sent=1749 rcvd=968 app=7927 dstname=rcs-us-east-1.neoservice-aws.com arg=/ code=27 Category=\"Information Technology/Computers\" note=\"Policy: cfsZonePolicy0, Info: 6148 \" n=368203630 fw_action=\"NA\" dpi=1", + "risk_score": 6, + "sequence": 368203630, + "severity": 6 + }, + "ingest_lag_in_seconds": 513626, + "ingest_time": "2022-03-15T13:39:10.826501Z", + "message": "Web site hit", + "network": { + "bytes": 2717, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "ip": "10.0.0.2", + "zone": "Untrusted" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "X0" + }, + "zone": "Trusted" + }, + "ip": "10.0.0.1", + "serial_number": "12345678" + }, + "sonicwall": { + "destination": { + "name": "rcs-us-east-1.neoservice-aws.com" + }, + "event": { + "application_id_number": 7927, + "blocking_category": "Information Technology/Computers", + "category": 1024, + "code": 27, + "dpi": 1, + "firewall_action": "NA", + "group_category": 2, + "message_id": 97, + "note": "Policy: cfsZonePolicy0, Info: 6148 ", + "url_path": "/" + } + }, + "source": { + "bytes": 1749, + "ip": "10.0.0.3", + "mac": "12:34:56:78:90:ab", + "nat": { + "ip": "10.0.0.2", + "port": 18447 + }, + "port": 56242 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "Unknown (SSO failed)" + } + }, + { + "@timestamp": "2022-03-09T05:29:32.000Z", + "destination": { + "as": { + "number": 35908 + }, + "bytes": 955, + 
"geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + "lon": 90.5 + } + }, + "ip": "67.43.156.14", + "mac": "ab:09:87:65:43:21", + "nat": { + "ip": "67.43.156.14", + "port": 80 + }, + "port": 80 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826507400Z", + "module": "sonicwall", + "original": "10.0.0.1 id=firewall sn=12345678 time=\"2022-03-09 05:29:32 UTC\" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg=\"Web site hit\" srcMac=12:34:56:78:90:ab src=10.0.0.3:56502:X0 srcZone=Trusted natSrc=10.0.0.2:15926 dstMac=ab:09:87:65:43:21 dst=67.43.156.14:80:X1 dstZone=Untrusted natDst=67.43.156.14:80 usr=\"Unknown (SSO failed)\" proto=tcp/http sent=510 rcvd=955 app=5147 op=1 dstname=ocsp.digicert.com arg=/abcd code=27 Category=\"Information Technology/Computers\" note=\"Policy: cfsZonePolicy0, Info: 6147 \" n=367895985 fw_action=\"NA\" dpi=1", + "risk_score": 6, + "sequence": 367895985, + "severity": 6 + }, + "http": { + "request": { + "method": "GET" + } + }, + "ingest_lag_in_seconds": 547778, + "ingest_time": "2022-03-15T13:39:10.826507400Z", + "message": "Web site hit", + "network": { + "bytes": 1465, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "ip": "10.0.0.2", + "zone": "Untrusted" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "X0" + }, + "zone": "Trusted" + }, + "ip": "10.0.0.1", + "serial_number": "12345678" + }, + "sonicwall": { + "destination": { + "name": "ocsp.digicert.com" + }, + "event": { + "application_id_number": 5147, + "blocking_category": "Information Technology/Computers", + "category": 1024, + "code": 27, + "dpi": 1, + "firewall_action": "NA", + "group_category": 2, + "http_op_code": 1, + "message_id": 97, + "note": "Policy: cfsZonePolicy0, Info: 6147 ", + "url_path": "/abcd" + } + }, + "source": { + "bytes": 510, 
+ "ip": "10.0.0.3", + "mac": "12:34:56:78:90:ab", + "nat": { + "ip": "10.0.0.2", + "port": 15926 + }, + "port": 56502 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "Unknown (SSO failed)" + } + }, + { + "@timestamp": "2022-03-09T18:44:05.000Z", + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "nat": { + "ip": "89.160.20.112", + "port": 8800 + }, + "port": 8800 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173123993Z" + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826512400Z", + "module": "sonicwall", + "original": "10.0.0.1 id=firewall sn=12345678 time=\"2022-03-09 18:44:05 UTC\" fw=10.0.0.2 pri=6 c=1024 gcat=6 m=537 msg=\"Connection Closed\" src=10.0.0.4:37153:X0 natSrc=10.0.0.2:12325 dst=89.160.20.112:8800:X1 natDst=89.160.20.112:8800 proto=udp/8800 sent=284 spkt=1 app=49202 appName='General UDP' n=1846613339 fw_action=\"NA\" dpi=0", + "risk_score": 6, + "sequence": 1846613339, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 500105, + "ingest_time": "2022-03-15T13:39:10.826512400Z", + "message": "Connection Closed", + "network": { + "bytes": 284, + "packets": 1, + "protocol": "8800", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "ip": "10.0.0.2" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "10.0.0.1", + "serial_number": "12345678" + }, + "sonicwall": { + "event": { + "app_name": "'General UDP'", + "application_id_number": 49202, + "category": 1024, + "dpi": 0, + "firewall_action": "NA", + 
"group_category": 6, + "message_id": 537 + } + }, + "source": { + "bytes": 284, + "ip": "10.0.0.4", + "nat": { + "ip": "10.0.0.2", + "port": 12325 + }, + "packets": 1, + "port": 37153 }, - "message": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582", "tags": [ "preserve_original_event" ] }, { + "@timestamp": "2022-03-09T18:57:05.000Z", + "destination": { + "ip": "10.0.0.3", + "port": 1850 + }, "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-25T12:55:20.173125041Z" + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826517300Z", + "module": "sonicwall", + "original": "10.0.0.1 id=firewall sn=12345678 time=\"2022-03-09 18:57:05 UTC\" fw=10.0.0.2 pri=1 c=32 gcat=3 m=608 src=67.43.156.15:8:X1 dst=10.0.0.3:1850:X0 msg=\"IPS Detection Alert: ICMP Echo Reply, SID: 316, Priority: Low\" msg=\"IPS Detection Alert: ICMP Echo Reply\" sid=316 ipscat=\"ICMP Echo Reply\" ipspri=3 n=174072 fw_action=\"NA\"", + "risk_score": 1, + "sequence": 174072, + "severity": 1 + }, + "ingest_lag_in_seconds": 499325, + "ingest_time": "2022-03-15T13:39:10.826517300Z", + "ips": { + "category": "ICMP Echo Reply", + "severity": 3 + }, + "message": [ + "IPS Detection Alert: ICMP Echo Reply, SID: 316, Priority: Low", + "IPS Detection Alert: ICMP Echo Reply" + ], + "observer": { + "egress": { + "interface": { + "name": "X0" + }, + "ip": "10.0.0.2" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "X1" + } + }, + "ip": "10.0.0.1", + "serial_number": "12345678" + }, + "sonicwall": { + "event": { + "category": 32, + "firewall_action": "NA", + "group_category": 3, + "message_id": 608, + "sid_number": 316 + } + }, + "source": { + "as": { + "number": 35908 + }, + "geo": { + "continent_name": "Asia", + "country_iso_code": "BT", + "country_name": "Bhutan", + "location": { + "lat": 27.5, + 
"lon": 90.5 + } + }, + "ip": "67.43.156.15", + "port": 8 }, - "message": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:21\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2022-03-11T14:17:52.000Z", + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 230, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "mac": "ab:09:87:65:43:21", + "nat": { + "ip": "89.160.20.112", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:10.826564400Z", + "module": "sonicwall", + "original": "10.0.0.1 id=firewall sn=12345678 time=\"2022-03-11 14:17:52 UTC\" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 srcMac=12:34:56:78:90:ab src=10.0.0.4:41856:X0 srcZone=Trusted natSrc=10.0.0.2:8689 dstMac=ab:09:87:65:43:21 dst=89.160.20.112:443:X1 dstZone=Untrusted natDst=89.160.20.112:443 usr=\"Unknown (SSO failed)\" proto=tcp/https sent=104 rcvd=230 rule=\"15 (LAN-\u003eWAN)\" app=5 af_polid=4 ipscat=N/A appcat=\"PROXY-ACCESS\" appid=2900 dstname=89.160.20.112 arg=/ code=64 Category=\"Not Rated\" note=\"Policy: cfsZonePolicy0, Info: 6148 \" n=2520325 fw_action=\"NA\" dpi=1", + "risk_score": 6, + "sequence": 2520325, + "severity": 6 + }, + "ingest_lag_in_seconds": 343278, + "ingest_time": "2022-03-15T13:39:10.826564400Z", + "ips": { + "category": "N/A" + }, + "network": { + "bytes": 334, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "ip": "10.0.0.2", + "zone": "Untrusted" 
+ },
+ "hostname": "firewall",
+ "ingress": {
+ "interface": {
+ "name": "X0"
+ },
+ "zone": "Trusted"
+ },
+ "ip": "10.0.0.1",
+ "serial_number": "12345678"
+ },
+ "sonicwall": {
+ "application": {
+ "application_id": 2900,
+ "filter_id": "4"
+ },
+ "destination": {
+ "name": "89.160.20.112"
+ },
+ "event": {
+ "appcat": "PROXY-ACCESS",
+ "application_id_number": 5,
+ "blocking_category": "Not Rated",
+ "category": 1024,
+ "code": 64,
+ "dpi": 1,
+ "firewall_action": "NA",
+ "group_category": 2,
+ "message_id": 97,
+ "note": "Policy: cfsZonePolicy0, Info: 6148 ",
+ "rule": "15 (LAN-\u003eWAN)",
+ "url_path": "/"
+ }
+ },
+ "source": {
+ "bytes": 104,
+ "ip": "10.0.0.4",
+ "mac": "12:34:56:78:90:ab",
+ "nat": {
+ "ip": "10.0.0.2",
+ "port": 8689
+ },
+ "port": 41856
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "user": {
+ "name": "Unknown (SSO failed)"
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-generated.log b/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-generated.log
index 303aa073e77..5d24620271d 100644
--- a/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-generated.log
+++ b/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-generated.log
@@ -1,100 +1,24 @@
-id=nnumqua sn=eacommod time="2016/01/29 06:09:59" fw=10.208.232.8 pri=very-high c=tur m=1197 msg="itv" sess=odoco n=ria src=10.20.234.169:1001:eth5722 dst= 10.208.15.216:4257:lo6125 note= "ntsunti Protocol:udp" npcs=ciade
-idi id=pexe sn=nes time="2016/02/12 13:12:33" fw=10.254.41.82 pri=low c=Ute m=914 msg="lupt" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp
-id=umexe sn=estlabo time="2016/02/26 20:15:08" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed
-id=alo sn=eosquir time="2016-3-12 3:17:42" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg="ctetur" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action="allow"
-emape id=aer sn=lupt time="2016/03/26 10:20:16" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up
-id=consec sn=taliquip time="2016/04/09 17:22:51" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway
-id=tconsec sn=nsequat time="2016/04/24 00:25:25" fw=10.137.246.137 pri=medium c=oluptas m=372 msg="llu" n=uptassi src=10.95.245.65 dst=10.13.70.213
-llamcorp id=ari sn=eataevit time="2016/05/08 07:27:59" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked
-mquisnos id=loremagn sn=iciade time="2016/05/22 14:30:33" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure
-id=aali sn=ametcons time="2016/06/05 21:33:08" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal
-emip id=tvol sn=moll time="2016/06/20 04:35:42" fw=10.228.149.225 pri=high c=deomni m=139 msg="accept" n=onse src=10.136.153.149:3788:enp0s2489 dst= 10.16.52.205
-orsitame id=quiratio sn=ite time="2016/07/04 11:38:16" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked
-id=usan sn=aper time="2016/07/18 18:40:50" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host
-id=atquovo sn=iumto time="2016/08/02 01:43:25" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated
-id=undeo sn=loremip time="2016-8-16 8:45:59" fw=10.134.0.141 pri=very-high c=uis m=1149 msg="idolore" n=onse fw_action="cancel"
-id=rveli sn=rsint time="2016/08/30 15:48:33" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped
-id=qua sn=luptatev time="2016/09/13 22:51:07" fw=10.123.104.59 pri=low c=elaudant m=1110 msg="tinvol" n=lores
-id=tatiset sn=eprehen time="2016/09/28 05:53:42" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings
-id=aliq sn=rsitam time="2016/10/12 12:56:16" fw=10.79.33.129 pri=high c=umdolo m=353 msg="onproide" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini"
-id=itecto sn=erc time="2016/10/26 19:58:50" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed
-id=tat sn=tion time="2016/11/10 03:01:24" fw=10.53.150.119 pri=medium c=uasia m=24 msg="emp" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note="taut"
-id=tati sn=utaliqu time="2016/11/24 10:03:59" fw=10.53.187.44 pri=high c=iadese m=242 msg="imidest" n=emagnama src= 10.153.136.222 dst= 10.206.136.206:4108
-id=nidolo sn=tatn time="2016/12/08 17:06:33" fw=10.18.109.121 pri=very-high c=dolo m=87 msg="Loremip" n=idolor src=10.204.11.20 dst=10.239.201.234
-id=quip sn=mporain time="2016-12-23 12:09:07" fw=10.34.161.166 pri=very-high c=sequi m=428 msg="rehend" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action="accept"
-id=idex sn=xerci time="2017/01/06 07:11:41" fw=10.84.206.79 pri=high c=uipe m=401 msg="inesci" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib
-id=ari sn=exercit time="2017/01/20 14:14:16" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active
-id=serunt sn=aquaeabi time="2017/02/03 21:16:50" fw=10.171.157.74
pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying).
-id=veniamq sn=one time="2017/02/18 04:19:24" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source
-id=tin sn=tenima time="2017/03/04 11:21:59" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete
-id=tmollita sn=fde time="2017-3-18 6:24:33" fw=10.149.89.126 pri=high c=abo m=794 msg="veniamqu" sid=nse spycat=non spypri=paquioff pktdatId=mquisnos n=maven src=10.86.101.235:3266:lo6501 dst=10.30.153.159:6843:enp0s6487 proto=icmp/eporr fw_action="cancel"
-id=aturQui sn=utlabor time="2017/04/02 01:27:07" fw=10.38.249.71 pri=low c=mfugiat m=133 PPPoE starting CHAP Authentication
-id=tvolu sn=ecte time="2017/04/16 08:29:41" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available
-olupta id=litse sn=icabo time="2017/04/30 15:32:16" fw=10.89.208.95 pri=low c=llumdolo m=255 msg="nre" n=ercitat src=10.237.163.139 dst=10.162.172.28
-ionevo id=ugiatnu sn=ciati time="2017/05/14 22:34:50" fw=10.184.122.157 pri=medium c=scivelit m=31 msg="allow" n=ehen src=10.191.23.41:1493:eth4488 dst= 10.250.47.252
-id=pta sn=tetu time="2017/05/29 05:37:24" fw=10.101.57.134 pri=low c=Nequepo m=12 Problem sending log email; check log settings
-ntocc id=uteirure sn=nevo time="2017/06/12 12:39:58" fw=10.226.23.214 pri=very-high c=adip m=994 msg="tium" n=nnum usr=tenbyCi src=10.16.72.220:1842 dst=10.111.187.12:3577 note="quinesc"
-id=tur sn=roi time="2017/06/26 19:42:33" fw=10.106.31.86 pri=low c=sno m=7 Log full; deactivating SonicWALL
-ntocca id=ostru sn=ntoccae time="2017/07/11 02:45:07" fw=10.35.99.92 pri=medium c=iatisu m=866 msg="sec" sess=cons n=sBon
-id=ten sn=vita time="2017/07/25 09:47:41" fw=10.35.5.16 pri=high c=emaccusa m=538 msg="accept" n=qui src=10.143.76.137:1414:lo3470 dst= 10.131.61.13
-id=evolu sn=ersp time="2017/08/08 16:50:15" fw=10.64.221.30 pri=medium c=inven m=793 msg="osquira" af_polid=tes af_policy="mquame" af_type="nihilmol"
af_service="xercita" af_action="trud" n=eriti src=10.99.0.226:2984:eth1766:sequatu341.mail.invalid dst=10.77.129.130:6604:enp0s4138:Nemoenim2039.api.localhost -id=nbyCic sn=utlabor time="2017/08/22 23:52:50" fw=10.27.251.77 pri=medium c=ine m=905 msg="lup" n=tatemUt -id=quovol sn=nve time="2017/09/06 06:55:24" fw=10.104.201.10 pri=very-high c=ccaecat m=94 Diagnostic Code B -tau id=exercita sn=ris time="2017/09/20 13:57:58" fw=10.84.25.23 pri=high c=boree m=565 msg="intoc" n=ncidi -irat id=onev sn=aturauto time="2017/10/04 21:00:32" fw=10.218.243.47 pri=very-high c=oremi m=37 UDP packet dropped -id=temUt sn=olor time="2017/10/19 04:03:07" fw=10.19.10.148 pri=low c=niamqui m=4 SonicWALL activated -id=ess sn=ipisci time="2017/11/02 11:05:41" fw=10.113.95.59 pri=very-high c=reprehen m=156 Backup received heartbeat from wrong source -luptate id=persp sn=entsunt time="2017/11/16 18:08:15" fw=10.206.107.211 pri=low c=fugi m=140 msg="accept" n=inci src=10.230.173.4:2631:enp0s5632 dst= 10.192.27.157 -id=cusant sn=atemq time="2017/12/01 01:10:49" fw=10.136.31.188 pri=high c=borios m=118 Sending DHCP REQUEST (Verifying). 
-id=ercita sn=ciadeser time="2017/12/15 08:13:24" fw=10.175.236.135 pri=medium c=isnisi m=18 ActiveX blocked
-id=isiuta sn=orsitam time="2017/12/29 15:15:58" fw=10.159.119.34 pri=high c=psaquaea m=195 msg="taevita" n=ameiusm src=10.227.15.253 dst=10.190.175.158 sport=271 dport=7005 rcvd=6587
-id=nre sn=veli time="2018/01/12 22:18:32" fw=10.62.147.186 pri=low c=elitse m=22 Ping of death blocked
-id=quasia sn=adi time="2018/01/27 05:21:06" fw=10.9.12.248 pri=medium c=mac m=616 msg="block" n=aveni src=10.29.155.171:1871 dst=10.15.97.155:5935
-id=llamco sn=nea time="2018/02/10 12:23:41" fw=10.123.143.188 pri=medium c=orsit m=9 No new Filter list available
-id=ise sn=itau time="2018/02/24 19:26:15" fw=10.44.22.97 pri=very-high c=lorsita m=907 msg="dolore" n=uptate
-id=odi sn=ptass time="2018/03/11 02:28:49" fw=10.39.10.155 pri=low c=tametcon m=157 HA packet processing error
-id=aco sn=tio time="2018/03/25 09:31:24" fw=10.112.38.219 pri=high c=dantium m=261 msg="lor" n=velillu usr=cteturad src= 10.18.204.87 dst= 10.25.32.107
-id=utodita sn=aec time="2018-4-8 4:33:58" fw=10.21.89.175 pri=medium c=diconse m=428 msg="elitse" n=reseo src=10.71.238.250:41:lo3856 dst=10.246.0.167:2189:eth2632 srcMac= 01:00:5e:7c:42:0b dstMac=01:00:5e:2c:22:06 proto=icmp fw_action="block"
-id=ritin sn=temporin time="2018-4-22 11:36:32" fw=10.122.76.148 pri=high c=tdol m=794 msg="upt" sid=mex spycat=tatem spypri=untutlab pktdatId=amcor n=ica src=10.13.66.97:2000:enp0s5411 dst=10.176.209.227:6362:eth7037 proto=ipv6/siu fw_action="allow"
-id=quaea sn=ametcons time="2018/05/07 06:39:06" fw=10.74.46.22 pri=very-high c=tetur m=7 Log full; deactivating SonicWALL
-id=ariatur sn=rer time="2018/05/21 13:41:41" fw=10.210.243.175 pri=low c=atisetqu m=240 msg="issuscip" n=uisa src=10.240.49.224 dst=10.77.174.205
-id=luptatem sn=uaeratv time="2018/06/04 20:44:15" fw=10.240.190.136 pri=medium c=atcupid m=255 msg="quamnih" n=dminima src=10.44.150.31 dst=10.187.210.173
-id=ntutlabo sn=iusmodte time="2018-6-19
3:46:49" fw=10.108.84.24 pri=low c=iosamnis m=606 msg="volupt" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 dstMac=01:00:5e:c3:ed:55proto=udp fw_action="deny"
-id=emvele sn=isnost time="2018/07/03 10:49:23" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped
-sit id=rumSect sn=ita time="2018/07/17 17:51:58" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E
-oremag id=illu sn=ruredo time="2018/08/01 00:54:32" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg="its" n=lore
-sBono id=loremqu sn=tetur time="2018/08/15 07:57:06" fw=10.213.94.135 pri=very-high c=urmagn m=237 msg="block" n=uptat src=10.105.46.101:3346:enp0s382 dst= 10.50.44.5:7668:lo1441
-id=ddoeius sn=ugiatn time="2018/08/29 14:59:40" fw=10.50.102.128 pri=high c=abore m=328 msg="squ" n=uiadol src=10.60.142.127:1081:eth6291 dst= 10.52.248.251:5776:lo2241
-id=onu sn=liquaUte time="2018/09/12 22:02:15" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication
-id=mveniamq sn=taedict time="2018-9-27 5:04:49" fw=10.206.69.135 pri=high c=aturve m=880 msg="utfug" n=aturQu note="aaliq" fw_action="allow"
-id=uiinea sn=mnisiut time="2018/10/11 12:07:23" fw=10.208.228.129 pri=low c=olup m=441 msg="labor" n=dol src= 10.240.54.28 dst= 10.115.38.80
-id=mve sn=uia time="2018/10/25 19:09:57" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout
-id=doei sn=cipitl time="2018/11/09 02:12:32" fw=10.53.127.17 pri=very-high c=strumex m=252 msg="eprehend" n=asnu src=10.102.166.19 dst=10.104.49.142
-id=repreh sn=plic time="2018/11/23 09:15:06" fw=10.17.87.79 pri=high c=saq m=199 msg="block" n=ritqu src=10.203.77.154:3916:lo4991 dst= 10.120.25.169:1965:lo4527
-ipsa id=asuntexp sn=adminim time="2018/12/07 16:17:40" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable
-id=iumt sn=tsed time="2018/12/21 23:20:14" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out
-id=loremag
sn=tcu time="2019/01/05 06:22:49" fw=10.84.251.253 pri=high c=erspi m=195 msg="rorsit" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629
-elillum id=upt sn=rnat time="2019/01/19 13:25:23" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped
-doeiu id=deF sn=itempo time="2019/02/02 20:27:57" fw=10.200.237.196 pri=medium c=ecillum m=995 msg="isci" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note="equep"
-BCS id=qui sn=ugiatquo time="2019/02/17 03:30:32" fw=10.204.133.116 pri=medium c=autemv m=909 msg="emq" n=plicaboN
-id=vol sn=admi time="2019/03/03 10:33:06" fw=10.77.229.168 pri=high c=aquiof m=178 msg="ende" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693
-id=olorem sn=gitse time="2019/03/17 17:35:40" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg="sci" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note="mquisno"
-id=nisiu sn=imad time="2019/04/01 00:38:14" fw=10.30.101.79 pri=high c=tenimad m=97 n=sitametc src= 10.152.35.175:2737:enp0s3423 dst= 10.88.244.209:6953:enp0s2460 proto=ipv6-icmp op=caecat sent=5835 dstname=tquidol
-undeom id=emullamc sn=tec time="2019/04/15 07:40:49" fw=10.29.118.7 pri=medium c=mveleum m=537 msg="accept" f=exercita n=sBonorum src= 10.132.171.15 dst= 10.107.216.138:3147:lo5057:ugitsedq5067.internal.test proto=rdp sent=5943 rcvd=1635
-id=gna sn=isiutali time="2019/04/29 14:43:23" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed
-id=uaturve sn=amquisno time="2019/05/13 21:45:57" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg="CSe" n=lors src=10.135.70.159 dst=10.195.223.82
-id=atu sn=iusm time="2019/05/28 04:48:31" fw=10.20.81.176 pri=low c=stquido m=261 msg="rsitvolu" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198
-id=oin sn=itseddoe time="2019/06/11 11:51:06" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry.
-id=giatquov sn=olu time="2019/06/25 18:53:40" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER.
-emagn id=emulla sn=mips time="2019/07/10 01:56:14" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out
-id=itametc sn=ori time="2019/07/24 08:58:48" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle
-id=doconse sn=etdol time="2019/08/07 16:01:23" fw=10.156.88.51 pri=high c=tura m=658 msg="osquirat" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543
-id=min sn=oluptat time="2019/08/21 23:03:57" fw=10.162.129.196 pri=medium c=snisi m=195 msg="magnaal" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416
-id=eacommo sn=ueip time="2019/09/05 06:06:31" fw=10.243.252.157 pri=low c=minim m=867 msg="scipi" sess=tur n=acon
-usm id=labori sn=porai time="2019/09/19 13:09:05" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked
-id=lup sn=upta time="2019-10-3 8:11:40" fw=10.247.88.138 pri=very-high c=orissu m=794 msg="fic" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action="allow"
-id=mmod sn=iti time="2019/10/18 03:14:14" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked
-id=mag sn=gelitse time="2019/11/01 10:16:48" fw=10.195.58.44 pri=high c=radip m=413 msg="upta" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606
-id=nostrud sn=cteturad time="2019/11/15 17:19:22" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F
-id=imavenia sn=expli time="2019/11/30 00:21:57" fw=10.144.57.239 pri=medium c=rur m=520 msg="itse" n=ilm src=10.167.9.200:4003:lo5561 dst= 10.119.4.120:3822:enp0s234
-oluptate id=lit sn=santi time="2019/12/14 07:24:31" fw=10.211.112.194 pri=low c=uis m=1079 msg="Clientamcis assigned IP:10.221.220.148" n=apar
+Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=175.16.199.1:36701:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000
+Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL
time="2007-01-03 14:48:07" fw=1.128.3.4 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=175.16.199.1:36701:WAN dst=1.128.3.4:50000:WAN +Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23420 src=175.16.199.1:36702:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000 +Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242 +Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:08" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy="name" +Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy="name" +Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=567999 src=1.128.3.4:500:WAN dst=175.16.199.1:500:WAN proto=udp/500 sent=344 rcvd=152 +Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23421 src=175.16.199.1:36703:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000 +Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:10" fw=1.128.3.4 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=8 src=175.16.199.1:36703:WAN dst=1.128.3.4:50000:WAN +Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:11" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23422 src=175.16.199.1:36704:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000 +Jan 3 13:45:43 
192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.128.3.4 pri=5 c=256 m=38 msg="ICMP packet dropped" n=22070 src=216.160.83.57:1026:WAN dst=1.128.3.4:6822:WAN type=3 code=3
+Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:14" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=568000 src=216.160.83.57:1026:WAN dst=1.128.3.4:0:WAN proto=udp/0
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.128.3.4 pri=6 c=16 m=346 msg="IKE Initiator: Start Quick Mode (Phase 2)." n=171872 src=175.16.199.1:500 dst=1.128.3.4:500
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23423 src=1.128.3.4:500:WAN dst=175.16.199.1:500:WAN proto=udp/500
+Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.128.3.4 pri=4 c=16 m=483 msg="Received notify: INVALID_ID_INFO" n=171625 src=175.16.199.1:500 dst=1.128.3.4:500
+Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:15" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns
+Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:17" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445
+Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:18" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=568001 src=175.16.199.1:36699:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000 sent=1557 rcvd=957
+Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.128.3.4 pri=6 c=1024 m=537 msg="Connection Closed" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy="name"
+Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:20" fw=1.128.3.4
pri=6 c=262144 m=98 msg="Connection Opened" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582
+Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:21" fw=1.128.3.4 pri=6 c=262144 m=98 msg="Connection Opened" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns
+10.0.0.1 id=firewall sn=123456789 time="2022-02-22 18:24:30 UTC" fw=10.0.0.2 pri=6 c=262144 gcat=6 m=98 msg="Connection Opened" src=10.0.0.3:52379:X0 natSrc=10.0.0.2:48245 dst=216.160.83.61:443:X1 natDst=216.160.83.61:443 usr="Unknown (SSO failed)" proto=tcp/https sent=52 app=49177 appName='General HTTPS' n=123456789 fw_action="NA" dpi=0
+10.0.0.1 id=firewall sn=123456789 time="2022-02-22 18:29:37 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=12:34:56:78:90:ab src=10.0.0.3:64828:X0 srcZone=Trusted natSrc=10.0.0.2:47621 dstMac=ab:09:87:65:43:21 dst=216.160.83.61:443:X1 dstZone=Untrusted natDst=216.160.83.61:443 usr="Unknown (SSO failed)" proto=tcp/https sent=3523 rcvd=14226 app=7927 dstname=chat-pa.clients6.google.com arg=/ code=29 Category="Search Engines and Portals" note="Policy: cfsZonePolicy0, Info: 6148 " n=123456789 fw_action="NA" dpi=1
+10.0.0.1 id=firewall sn=2CB8ED17E180 time="2022-02-22 18:34:21 UTC" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=12:34:56:78:90:ab src=10.0.0.3:49217:X0 srcZone=Trusted natSrc=10.0.0.2:53466 dstMac=ab:09:87:65:43:21 dst=216.160.83.61:443:X1 dstZone=Untrusted natDst=216.160.83.61:443 usr="Unknown (SSO failed)" proto=tcp/https sent=2079 rcvd=6642 app=7927 dstname=seg.ad.gt arg=/ code=15 Category="Business and Economy" note="Policy: cfsZonePolicy0, Info: 6148 " n=123456789 fw_action="NA" dpi=1
diff --git a/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-generated.log-expected.json b/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-generated.log-expected.json
index ccd07de501d..5e62d6d93db 100644
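Review bot: Replacing the 100 generated lines with 24 sample lines drops every input shape the old corpus exercised and the new one does not — events with free text after `m=` and no `msg=` key (`m=16 Web site accessed`), `dst= ` and `srcMac= ` with a space after the equals sign, the `spycat`/`spypri`/`pktdatId`, `af_*` and `lifeSeconds` keys, and `pri=very-high` style priorities — so if the pipeline still carries branches for those formats they are now untested; keeping a handful of those lines alongside the realistic samples would preserve that coverage. The three 2022 lines at the end of the hunk also mix placeholders: two use `sn=123456789` while the third uses `sn=2CB8ED17E180`, which looks like a real device serial rather than a placeholder, so using the same placeholder on all three keeps identifiable hardware data out of a public fixture. Those same three lines all carry `n=123456789`, so `event.sequence` no longer distinguishes them in the expected output; distinct values (e.g. `n=123456789`, `n=123456790`, `n=123456791`) would make an assertion mismatch easier to localise.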
--- a/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/sonicwall/data_stream/firewall/_dev/test/pipeline/test-generated.log-expected.json
@@ -1,1204 +1,1706 @@
 {
 "expected": [
 {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566165987Z"
- },
- "message": "id=nnumqua sn=eacommod time=\"2016/01/29 06:09:59\" fw=10.208.232.8 pri=very-high c=tur m=1197 msg=\"itv\" sess=odoco n=ria src=10.20.234.169:1001:eth5722 dst= 10.208.15.216:4257:lo6125 note= \"ntsunti Protocol:udp\" npcs=ciade",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566169266Z"
- },
- "message": "idi id=pexe sn=nes time=\"2016/02/12 13:12:33\" fw=10.254.41.82 pri=low c=Ute m=914 msg=\"lupt\" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566170268Z"
- },
- "message": "id=umexe sn=estlabo time=\"2016/02/26 20:15:08\" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566171118Z"
- },
- "message": "id=alo sn=eosquir time=\"2016-3-12 3:17:42\" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg=\"ctetur\" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action=\"allow\"",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566171929Z"
- },
- "message": "emape id=aer sn=lupt time=\"2016/03/26 10:20:16\" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566172726Z"
- },
- "message": "id=consec sn=taliquip time=\"2016/04/09 17:22:51\" fw=10.134.172.34 pri=high
c=snos m=170 Received a path MTU icmp message from router/gateway",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566173518Z"
- },
- "message": "id=tconsec sn=nsequat time=\"2016/04/24 00:25:25\" fw=10.137.246.137 pri=medium c=oluptas m=372 msg=\"llu\" n=uptassi src=10.95.245.65 dst=10.13.70.213",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566174343Z"
- },
- "message": "llamcorp id=ari sn=eataevit time=\"2016/05/08 07:27:59\" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566175157Z"
- },
- "message": "mquisnos id=loremagn sn=iciade time=\"2016/05/22 14:30:33\" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566175950Z"
- },
- "message": "id=aali sn=ametcons time=\"2016/06/05 21:33:08\" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566176742Z"
- },
- "message": "emip id=tvol sn=moll time=\"2016/06/20 04:35:42\" fw=10.228.149.225 pri=high c=deomni m=139 msg=\"accept\" n=onse src=10.136.153.149:3788:enp0s2489 dst= 10.16.52.205",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566177677Z"
- },
- "message": "orsitame id=quiratio sn=ite time=\"2016/07/04 11:38:16\" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version":
"8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566178494Z" - }, - "message": "id=usan sn=aper time=\"2016/07/18 18:40:50\" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566179298Z" - }, - "message": "id=atquovo sn=iumto time=\"2016/08/02 01:43:25\" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566180100Z" - }, - "message": "id=undeo sn=loremip time=\"2016-8-16 8:45:59\" fw=10.134.0.141 pri=very-high c=uis m=1149 msg=\"idolore\" n=onse fw_action=\"cancel\"", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566180892Z" - }, - "message": "id=rveli sn=rsint time=\"2016/08/30 15:48:33\" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566181864Z" - }, - "message": "id=qua sn=luptatev time=\"2016/09/13 22:51:07\" fw=10.123.104.59 pri=low c=elaudant m=1110 msg=\"tinvol\" n=lores", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566182670Z" - }, - "message": "id=tatiset sn=eprehen time=\"2016/09/28 05:53:42\" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566183457Z" - }, - "message": "id=aliq sn=rsitam time=\"2016/10/12 12:56:16\" fw=10.79.33.129 pri=high c=umdolo m=353 msg=\"onproide\" n=Nemoen src=10.241.178.107 
dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini\"",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566184255Z"
- },
- "message": "id=itecto sn=erc time=\"2016/10/26 19:58:50\" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566185049Z"
- },
- "message": "id=tat sn=tion time=\"2016/11/10 03:01:24\" fw=10.53.150.119 pri=medium c=uasia m=24 msg=\"emp\" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note=\"taut\"",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566185863Z"
- },
- "message": "id=tati sn=utaliqu time=\"2016/11/24 10:03:59\" fw=10.53.187.44 pri=high c=iadese m=242 msg=\"imidest\" n=emagnama src= 10.153.136.222 dst= 10.206.136.206:4108",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566186734Z"
- },
- "message": "id=nidolo sn=tatn time=\"2016/12/08 17:06:33\" fw=10.18.109.121 pri=very-high c=dolo m=87 msg=\"Loremip\" n=idolor src=10.204.11.20 dst=10.239.201.234",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566187685Z"
- },
- "message": "id=quip sn=mporain time=\"2016-12-23 12:09:07\" fw=10.34.161.166 pri=very-high c=sequi m=428 msg=\"rehend\" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action=\"accept\"",
- "tags": [
- "preserve_original_event"
- ]
- },
- {
- "ecs": {
- "version": "8.0.0"
- },
- "event": {
- "ingested": "2022-01-25T12:55:20.566188501Z"
- },
- "message": "id=idex sn=xerci time=\"2017/01/06 07:11:41\" fw=10.84.206.79
pri=high c=uipe m=401 msg=\"inesci\" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566189306Z" - }, - "message": "id=ari sn=exercit time=\"2017/01/20 14:14:16\" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566190106Z" - }, - "message": "id=serunt sn=aquaeabi time=\"2017/02/03 21:16:50\" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying).", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566190908Z" - }, - "message": "id=veniamq sn=one time=\"2017/02/18 04:19:24\" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566191709Z" - }, - "message": "id=tin sn=tenima time=\"2017/03/04 11:21:59\" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566192526Z" - }, - "message": "id=tmollita sn=fde time=\"2017-3-18 6:24:33\" fw=10.149.89.126 pri=high c=abo m=794 msg=\"veniamqu\" sid=nse spycat=non spypri=paquioff pktdatId=mquisnos n=maven src=10.86.101.235:3266:lo6501 dst=10.30.153.159:6843:enp0s6487 proto=icmp/eporr fw_action=\"cancel\"", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566193322Z" - }, - "message": "id=aturQui sn=utlabor time=\"2017/04/02 01:27:07\" fw=10.38.249.71 pri=low c=mfugiat m=133 
PPPoE starting CHAP Authentication", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566194123Z" - }, - "message": "id=tvolu sn=ecte time=\"2017/04/16 08:29:41\" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566194927Z" - }, - "message": "olupta id=litse sn=icabo time=\"2017/04/30 15:32:16\" fw=10.89.208.95 pri=low c=llumdolo m=255 msg=\"nre\" n=ercitat src=10.237.163.139 dst=10.162.172.28", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566195725Z" - }, - "message": "ionevo id=ugiatnu sn=ciati time=\"2017/05/14 22:34:50\" fw=10.184.122.157 pri=medium c=scivelit m=31 msg=\"allow\" n=ehen src=10.191.23.41:1493:eth4488 dst= 10.250.47.252 ", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566196682Z" - }, - "message": "id=pta sn=tetu time=\"2017/05/29 05:37:24\" fw=10.101.57.134 pri=low c=Nequepo m=12 Problem sending log email; check log settings", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566213772Z" - }, - "message": "ntocc id=uteirure sn=nevo time=\"2017/06/12 12:39:58\" fw=10.226.23.214 pri=very-high c=adip m=994 msg=\"tium\" n=nnum usr=tenbyCi src=10.16.72.220:1842 dst=10.111.187.12:3577 note=\"quinesc\"", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566214555Z" - }, - "message": "id=tur sn=roi time=\"2017/06/26 19:42:33\" fw=10.106.31.86 pri=low c=sno m=7 Log full; deactivating SonicWALL", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { 
- "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566215329Z" - }, - "message": "ntocca id=ostru sn=ntoccae time=\"2017/07/11 02:45:07\" fw=10.35.99.92 pri=medium c=iatisu m=866 msg=\"sec\" sess=cons n=sBon", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566216104Z" - }, - "message": "id=ten sn=vita time=\"2017/07/25 09:47:41\" fw=10.35.5.16 pri=high c=emaccusa m=538 msg=\"accept\" n=qui src=10.143.76.137:1414:lo3470 dst= 10.131.61.13", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566216879Z" - }, - "message": "id=evolu sn=ersp time=\"2017/08/08 16:50:15\" fw=10.64.221.30 pri=medium c=inven m=793 msg=\"osquira\" af_polid=tes af_policy=\"mquame\" af_type=\"nihilmol\" af_service=\"xercita\" af_action=\"trud\" n=eriti src=10.99.0.226:2984:eth1766:sequatu341.mail.invalid dst=10.77.129.130:6604:enp0s4138:Nemoenim2039.api.localhost", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566217658Z" - }, - "message": "id=nbyCic sn=utlabor time=\"2017/08/22 23:52:50\" fw=10.27.251.77 pri=medium c=ine m=905 msg=\"lup\" n=tatemUt", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566218448Z" - }, - "message": "id=quovol sn=nve time=\"2017/09/06 06:55:24\" fw=10.104.201.10 pri=very-high c=ccaecat m=94 Diagnostic Code B", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566219248Z" - }, - "message": "tau id=exercita sn=ris time=\"2017/09/20 13:57:58\" fw=10.84.25.23 pri=high c=boree m=565 msg=\"intoc\" n=ncidi", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - 
"ingested": "2022-01-25T12:55:20.566220025Z" - }, - "message": "irat id=onev sn=aturauto time=\"2017/10/04 21:00:32\" fw=10.218.243.47 pri=very-high c=oremi m=37 UDP packet dropped", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566220789Z" - }, - "message": "id=temUt sn=olor time=\"2017/10/19 04:03:07\" fw=10.19.10.148 pri=low c=niamqui m=4 SonicWALL activated", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566221573Z" - }, - "message": "id=ess sn=ipisci time=\"2017/11/02 11:05:41\" fw=10.113.95.59 pri=very-high c=reprehen m=156 Backup received heartbeat from wrong source", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566222354Z" - }, - "message": "luptate id=persp sn=entsunt time=\"2017/11/16 18:08:15\" fw=10.206.107.211 pri=low c=fugi m=140 msg=\"accept\" n=inci src=10.230.173.4:2631:enp0s5632 dst= 10.192.27.157", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566223120Z" - }, - "message": "id=cusant sn=atemq time=\"2017/12/01 01:10:49\" fw=10.136.31.188 pri=high c=borios m=118 Sending DHCP REQUEST (Verifying).", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566223886Z" - }, - "message": "id=ercita sn=ciadeser time=\"2017/12/15 08:13:24\" fw=10.175.236.135 pri=medium c=isnisi m=18 ActiveX blocked", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566224700Z" - }, - "message": "id=isiuta sn=orsitam time=\"2017/12/29 15:15:58\" fw=10.159.119.34 pri=high c=psaquaea m=195 msg=\"taevita\" n=ameiusm src=10.227.15.253 
dst=10.190.175.158 sport=271 dport=7005 rcvd=6587", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566225593Z" - }, - "message": "id=nre sn=veli time=\"2018/01/12 22:18:32\" fw=10.62.147.186 pri=low c=elitse m=22 Ping of death blocked", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566226373Z" - }, - "message": "id=quasia sn=adi time=\"2018/01/27 05:21:06\" fw=10.9.12.248 pri=medium c=mac m=616 msg=\"block\" n=aveni src=10.29.155.171:1871 dst=10.15.97.155:5935", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566227145Z" - }, - "message": "id=llamco sn=nea time=\"2018/02/10 12:23:41\" fw=10.123.143.188 pri=medium c=orsit m=9 No new Filter list available", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566227919Z" - }, - "message": "id=ise sn=itau time=\"2018/02/24 19:26:15\" fw=10.44.22.97 pri=very-high c=lorsita m=907 msg=\"dolore\" n=uptate", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566228702Z" - }, - "message": "id=odi sn=ptass time=\"2018/03/11 02:28:49\" fw=10.39.10.155 pri=low c=tametcon m=157 HA packet processing error", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566229479Z" - }, - "message": "id=aco sn=tio time=\"2018/03/25 09:31:24\" fw=10.112.38.219 pri=high c=dantium m=261 msg=\"lor\" n=velillu usr=cteturad src= 10.18.204.87 dst= 10.25.32.107", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566230248Z" - }, - "message": 
"id=utodita sn=aec time=\"2018-4-8 4:33:58\" fw=10.21.89.175 pri=medium c=diconse m=428 msg=\"elitse\" n=reseo src=10.71.238.250:41:lo3856 dst=10.246.0.167:2189:eth2632 srcMac= 01:00:5e:7c:42:0b dstMac=01:00:5e:2c:22:06 proto=icmp fw_action=\"block\"", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566231021Z" - }, - "message": "id=ritin sn=temporin time=\"2018-4-22 11:36:32\" fw=10.122.76.148 pri=high c=tdol m=794 msg=\"upt\" sid=mex spycat=tatem spypri=untutlab pktdatId=amcor n=ica src=10.13.66.97:2000:enp0s5411 dst=10.176.209.227:6362:eth7037 proto=ipv6/siu fw_action=\"allow\"", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566231798Z" - }, - "message": "id=quaea sn=ametcons time=\"2018/05/07 06:39:06\" fw=10.74.46.22 pri=very-high c=tetur m=7 Log full; deactivating SonicWALL", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566232572Z" - }, - "message": "id=ariatur sn=rer time=\"2018/05/21 13:41:41\" fw=10.210.243.175 pri=low c=atisetqu m=240 msg=\"issuscip\" n=uisa src=10.240.49.224 dst=10.77.174.205", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566233344Z" - }, - "message": "id=luptatem sn=uaeratv time=\"2018/06/04 20:44:15\" fw=10.240.190.136 pri=medium c=atcupid m=255 msg=\"quamnih\" n=dminima src=10.44.150.31 dst=10.187.210.173", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566234124Z" - }, - "message": "id=ntutlabo sn=iusmodte time=\"2018-6-19 3:46:49\" fw=10.108.84.24 pri=low c=iosamnis m=606 msg=\"volupt\" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 
dstMac=01:00:5e:c3:ed:55proto=udp fw_action=\"deny\"", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566234893Z" - }, - "message": "id=emvele sn=isnost time=\"2018/07/03 10:49:23\" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566235681Z" - }, - "message": "sit id=rumSect sn=ita time=\"2018/07/17 17:51:58\" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566236465Z" - }, - "message": "oremag id=illu sn=ruredo time=\"2018/08/01 00:54:32\" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg=\"its\" n=lore", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566237244Z" - }, - "message": "sBono id=loremqu sn=tetur time=\"2018/08/15 07:57:06\" fw=10.213.94.135 pri=very-high c=urmagn m=237 msg=\"block\" n=uptat src=10.105.46.101:3346:enp0s382 dst= 10.50.44.5:7668:lo1441", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566238024Z" - }, - "message": "id=ddoeius sn=ugiatn time=\"2018/08/29 14:59:40\" fw=10.50.102.128 pri=high c=abore m=328 msg=\"squ\" n=uiadol src=10.60.142.127:1081:eth6291 dst= 10.52.248.251:5776:lo2241", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566238815Z" - }, - "message": "id=onu sn=liquaUte time=\"2018/09/12 22:02:15\" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - 
"event": { - "ingested": "2022-01-25T12:55:20.566239613Z" - }, - "message": "id=mveniamq sn=taedict time=\"2018-9-27 5:04:49\" fw=10.206.69.135 pri=high c=aturve m=880 msg=\"utfug\" n=aturQu note=\"aaliq\" fw_action=\"allow\"", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566240405Z" - }, - "message": "id=uiinea sn=mnisiut time=\"2018/10/11 12:07:23\" fw=10.208.228.129 pri=low c=olup m=441 msg=\"labor\" n=dol src= 10.240.54.28 dst= 10.115.38.80", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566241191Z" - }, - "message": "id=mve sn=uia time=\"2018/10/25 19:09:57\" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566241964Z" - }, - "message": "id=doei sn=cipitl time=\"2018/11/09 02:12:32\" fw=10.53.127.17 pri=very-high c=strumex m=252 msg=\"eprehend\" n=asnu src=10.102.166.19 dst=10.104.49.142", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566242738Z" - }, - "message": "id=repreh sn=plic time=\"2018/11/23 09:15:06\" fw=10.17.87.79 pri=high c=saq m=199 msg=\"block\" n=ritqu src=10.203.77.154:3916:lo4991 dst= 10.120.25.169:1965:lo4527", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566244759Z" - }, - "message": "ipsa id=asuntexp sn=adminim time=\"2018/12/07 16:17:40\" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566245649Z" - }, - "message": "id=iumt 
sn=tsed time=\"2018/12/21 23:20:14\" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566246447Z" - }, - "message": "id=loremag sn=tcu time=\"2019/01/05 06:22:49\" fw=10.84.251.253 pri=high c=erspi m=195 msg=\"rorsit\" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566247228Z" - }, - "message": "elillum id=upt sn=rnat time=\"2019/01/19 13:25:23\" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566247997Z" - }, - "message": "doeiu id=deF sn=itempo time=\"2019/02/02 20:27:57\" fw=10.200.237.196 pri=medium c=ecillum m=995 msg=\"isci\" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note=\"equep\"", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566248766Z" - }, - "message": "BCS id=qui sn=ugiatquo time=\"2019/02/17 03:30:32\" fw=10.204.133.116 pri=medium c=autemv m=909 msg=\"emq\" n=plicaboN", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566249540Z" - }, - "message": "id=vol sn=admi time=\"2019/03/03 10:33:06\" fw=10.77.229.168 pri=high c=aquiof m=178 msg=\"ende\" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566250316Z" - }, - "message": "id=olorem sn=gitse time=\"2019/03/17 17:35:40\" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg=\"sci\" n=col 
src=10.219.42.212:5708 dst=10.57.85.98:3286 note=\"mquisno\"", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566251089Z" - }, - "message": "id=nisiu sn=imad time=\"2019/04/01 00:38:14\" fw=10.30.101.79 pri=high c=tenimad m=97 n=sitametc src= 10.152.35.175:2737:enp0s3423 dst= 10.88.244.209:6953:enp0s2460 proto=ipv6-icmp op=caecat sent=5835 dstname=tquidol", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566251866Z" - }, - "message": "undeom id=emullamc sn=tec time=\"2019/04/15 07:40:49\" fw=10.29.118.7 pri=medium c=mveleum m=537 msg=\"accept\" f=exercita n=sBonorum src= 10.132.171.15 dst= 10.107.216.138:3147:lo5057:ugitsedq5067.internal.test proto=rdp sent=5943 rcvd=1635", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566252642Z" - }, - "message": "id=gna sn=isiutali time=\"2019/04/29 14:43:23\" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566253414Z" - }, - "message": "id=uaturve sn=amquisno time=\"2019/05/13 21:45:57\" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg=\"CSe\" n=lors src=10.135.70.159 dst=10.195.223.82", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566254209Z" - }, - "message": "id=atu sn=iusm time=\"2019/05/28 04:48:31\" fw=10.20.81.176 pri=low c=stquido m=261 msg=\"rsitvolu\" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566255Z" - }, - "message": "id=oin sn=itseddoe 
time=\"2019/06/11 11:51:06\" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry.", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566255774Z" - }, - "message": "id=giatquov sn=olu time=\"2019/06/25 18:53:40\" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER.", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566256547Z" - }, - "message": "emagn id=emulla sn=mips time=\"2019/07/10 01:56:14\" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566257334Z" - }, - "message": "id=itametc sn=ori time=\"2019/07/24 08:58:48\" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566258141Z" - }, - "message": "id=doconse sn=etdol time=\"2019/08/07 16:01:23\" fw=10.156.88.51 pri=high c=tura m=658 msg=\"osquirat\" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566258936Z" - }, - "message": "id=min sn=oluptat time=\"2019/08/21 23:03:57\" fw=10.162.129.196 pri=medium c=snisi m=195 msg=\"magnaal\" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566259711Z" - }, - "message": "id=eacommo sn=ueip time=\"2019/09/05 06:06:31\" fw=10.243.252.157 pri=low c=minim m=867 msg=\"scipi\" sess=tur n=acon", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - 
"version": "8.0.0" - }, - "event": { - "ingested": "2022-01-25T12:55:20.566260494Z" + "@timestamp": "2007-01-03T14:48:06.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.196720800Z", + "module": "sonicwall", + "original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:06\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23419 src=175.16.199.1:36701:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000", + "risk_score": 6, + "sequence": 23419, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515884, + "ingest_time": "2022-03-15T13:39:30.196720800Z", + "message": "Connection Opened", + "network": { + "protocol": "50000", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 36701 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:07.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.196742300Z", + "module": "sonicwall", + "original": 
"Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.128.3.4 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=7 src=175.16.199.1:36701:WAN dst=1.128.3.4:50000:WAN", + "risk_score": 1, + "sequence": 7, + "severity": 1 + }, + "ingest_lag_in_seconds": 479515883, + "ingest_time": "2022-03-15T13:39:30.196742300Z", + "message": "Administrator login denied due to bad credentials", + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 32, + "message_id": 30 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 36701 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:07.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.196748400Z", + "module": "sonicwall", + "original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23420 src=175.16.199.1:36702:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000", + "risk_score": 6, + "sequence": 23420, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515883, + "ingest_time": "2022-03-15T13:39:30.196748400Z", + "message": "Connection Opened", + "network": { + "protocol": "50000", + "transport": "tcp" + }, + "observer": { 
+ "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 36702 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:07.000Z", + "destination": { + "bytes": 242, + "ip": "192.168.5.10", + "port": 53 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.196990200Z", + "module": "sonicwall", + "original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567996 src=192.168.4.10:27577:WAN dst=192.168.5.10:53:LAN proto=tcp/dns sent=257 rcvd=242", + "risk_score": 6, + "sequence": 567996, + "severity": 6, + "type": "event" }, - "message": "usm id=labori sn=porai time=\"2019/09/19 13:09:05\" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" + "ingest_lag_in_seconds": 479515883, + "ingest_time": "2022-03-15T13:39:30.196990200Z", + "message": "Connection Closed", + "network": { + "bytes": 499, + "protocol": "dns", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "LAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 1024, 
+ "message_id": 537 + } + }, + "source": { + "bytes": 257, + "ip": "192.168.4.10", + "port": 27577 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:08.000Z", + "destination": { + "bytes": 13042, + "ip": "192.168.1.100", + "port": 1026 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197009600Z", + "module": "sonicwall", + "original": "Jan 3 13:45:37 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:08\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567997 src=192.168.5.56:4277:LAN dst=192.168.1.100:1026:WAN proto=tcp/1026 sent=3590 rcvd=13042 vpnpolicy=\"name\"", + "risk_score": 6, + "sequence": 567997, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515882, + "ingest_time": "2022-03-15T13:39:30.197009600Z", + "message": "Connection Closed", + "network": { + "bytes": 16632, + "protocol": "1026", + "transport": "tcp" }, - "event": { - "ingested": "2022-01-25T12:55:20.566261279Z" + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "LAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" }, - "message": "id=lup sn=upta time=\"2019-10-3 8:11:40\" fw=10.247.88.138 pri=very-high c=orissu m=794 msg=\"fic\" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action=\"allow\"", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" + "sonicwall": { + "event": { + "category": 1024, + "message_id": 537 + } + }, + "source": { + "bytes": 3590, + "ip": "192.168.5.56", + "port": 4277, + "vpn_policy": "name" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:10.000Z", + "destination": { + "bytes": 454118, + 
"ip": "192.168.2.81", + "port": 41850 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197017300Z", + "module": "sonicwall", + "original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 src=192.168.5.56:4280:LAN dst=192.168.2.81:41850:WAN proto=tcp/41850 sent=386026 rcvd=454118 vpnpolicy=\"name\"", + "risk_score": 6, + "sequence": 567999, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515880, + "ingest_time": "2022-03-15T13:39:30.197017300Z", + "message": "Connection Closed", + "network": { + "bytes": 840144, + "protocol": "41850", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "LAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 1024, + "message_id": 537 + } + }, + "source": { + "bytes": 386026, + "ip": "192.168.5.56", + "port": 4280, + "vpn_policy": "name" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:10.000Z", + "destination": { + "bytes": 152, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 500 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197023900Z", + "module": "sonicwall", + "original": "Jan 3 13:45:39 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=567999 
src=1.128.3.4:500:WAN dst=175.16.199.1:500:WAN proto=udp/500 sent=344 rcvd=152", + "risk_score": 6, + "sequence": 567999, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515880, + "ingest_time": "2022-03-15T13:39:30.197023900Z", + "message": "Connection Closed", + "network": { + "bytes": 496, + "protocol": "500", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 1024, + "message_id": 537 + } + }, + "source": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "bytes": 344, + "ip": "1.128.3.4", + "port": 500 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:10.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197031Z", + "module": "sonicwall", + "original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23421 src=175.16.199.1:36703:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000", + "risk_score": 6, + "sequence": 23421, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515880, + "ingest_time": "2022-03-15T13:39:30.197031Z", + "message": "Connection Opened", + "network": { + "protocol": "50000", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + 
"sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 36703 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:10.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197080400Z", + "module": "sonicwall", + "original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.128.3.4 pri=1 c=32 m=30 msg=\"Administrator login denied due to bad credentials\" n=8 src=175.16.199.1:36703:WAN dst=1.128.3.4:50000:WAN", + "risk_score": 1, + "sequence": 8, + "severity": 1 + }, + "ingest_lag_in_seconds": 479515880, + "ingest_time": "2022-03-15T13:39:30.197080400Z", + "message": "Administrator login denied due to bad credentials", + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 32, + "message_id": 30 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 36703 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:11.000Z", + "destination": { + "as": { + "number": 1221, + 
"organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197094600Z", + "module": "sonicwall", + "original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:11\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23422 src=175.16.199.1:36704:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000", + "risk_score": 6, + "sequence": 23422, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515879, + "ingest_time": "2022-03-15T13:39:30.197094600Z", + "message": "Connection Opened", + "network": { + "protocol": "50000", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 36704 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:14.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 6822 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197103700Z", + "module": "sonicwall", + "original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.128.3.4 pri=5 c=256 m=38 msg=\"ICMP packet dropped\" n=22070 src=216.160.83.57:1026:WAN 
dst=1.128.3.4:6822:WAN type=3 code=3", + "risk_score": 5, + "sequence": 22070, + "severity": 5 + }, + "ingest_lag_in_seconds": 479515876, + "ingest_time": "2022-03-15T13:39:30.197103700Z", + "message": "ICMP packet dropped", + "observer": { + "egress": { + "interface": { + "name": "WAN " + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 256, + "code": 3, + "icmp_type": 3, + "message_id": 38 + } + }, + "source": { + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 1026 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:14.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 0 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197111500Z", + "module": "sonicwall", + "original": "Jan 3 13:45:43 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:14\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568000 src=216.160.83.57:1026:WAN dst=1.128.3.4:0:WAN proto=udp/0", + "risk_score": 6, + "sequence": 568000, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515876, + "ingest_time": "2022-03-15T13:39:30.197111500Z", + "message": "Connection Closed", + "network": { + "protocol": "0", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": 
"WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 1024, + "message_id": 537 + } + }, + "source": { + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.57", + "port": 1026 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:15.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 500 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197172200Z", + "module": "sonicwall", + "original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.128.3.4 pri=6 c=16 m=346 msg=\"IKE Initiator: Start Quick Mode (Phase 2).\" n=171872 src=175.16.199.1:500 dst=1.128.3.4:500", + "risk_score": 6, + "sequence": 171872, + "severity": 6 + }, + "ingest_lag_in_seconds": 479515875, + "ingest_time": "2022-03-15T13:39:30.197172200Z", + "message": "IKE Initiator: Start Quick Mode (Phase 2).", + "observer": { + "egress": { + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 16, + "message_id": 346 + } + }, + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 500 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:15.000Z", + "destination": { + "geo": { + "city_name": 
"Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 500 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197238800Z", + "module": "sonicwall", + "original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23423 src=1.128.3.4:500:WAN dst=175.16.199.1:500:WAN proto=udp/500", + "risk_score": 6, + "sequence": 23423, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515875, + "ingest_time": "2022-03-15T13:39:30.197238800Z", + "message": "Connection Opened", + "network": { + "protocol": "500", + "transport": "udp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 500 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:15.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "ip": "1.128.3.4", + "port": 500 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197313700Z", + "module": "sonicwall", + "original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.128.3.4 pri=4 c=16 m=483 msg=\"Received notify: INVALID_ID_INFO\" n=171625 src=175.16.199.1:500 
dst=1.128.3.4:500", + "risk_score": 4, + "sequence": 171625, + "severity": 4 + }, + "ingest_lag_in_seconds": 479515875, + "ingest_time": "2022-03-15T13:39:30.197313700Z", + "message": "Received notify: INVALID_ID_INFO", + "observer": { + "egress": { + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 16, + "message_id": 483 + } }, - "event": { - "ingested": "2022-01-25T12:55:20.566262061Z" + "source": { + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 500 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:15.000Z", + "destination": { + "ip": "192.168.5.10", + "port": 53 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197327100Z", + "module": "sonicwall", + "original": "Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", + "risk_score": 6, + "sequence": 23424, + "severity": 6, + "type": "event" }, - "message": "id=mmod sn=iti time=\"2019/10/18 03:14:14\" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" + "ingest_lag_in_seconds": 479515875, + "ingest_time": "2022-03-15T13:39:30.197327100Z", + "message": "Connection Opened", + "network": { + "protocol": "dns", + "transport": "tcp" }, - "event": { - "ingested": "2022-01-25T12:55:20.566262841Z" + "observer": { + "egress": { + "interface": { + "name": "LAN" + }, + "ip": "1.128.3.4" + }, + "hostname": 
"firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" }, - "message": "id=mag sn=gelitse time=\"2019/11/01 10:16:48\" fw=10.195.58.44 pri=high c=radip m=413 msg=\"upta\" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } }, - "event": { - "ingested": "2022-01-25T12:55:20.566263647Z" + "source": { + "ip": "192.168.115.10", + "port": 11549 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:17.000Z", + "destination": { + "ip": "192.168.1.100", + "port": 445 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197335600Z", + "module": "sonicwall", + "original": "Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:17\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445", + "risk_score": 6, + "sequence": 23425, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515873, + "ingest_time": "2022-03-15T13:39:30.197335600Z", + "message": "Connection Opened", + "network": { + "protocol": "445", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "LAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } }, - "message": "id=nostrud sn=cteturad time=\"2019/11/15 17:19:22\" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" + "source": { + "ip": "192.168.5.64", + 
"port": 3182 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:18.000Z", + "destination": { + "as": { + "number": 1221, + "organization": { + "name": "Telstra Pty Ltd" + } + }, + "bytes": 957, + "ip": "1.128.3.4", + "port": 50000 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197342700Z", + "module": "sonicwall", + "original": "Jan 3 13:45:47 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:18\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568001 src=175.16.199.1:36699:WAN dst=1.128.3.4:50000:WAN proto=tcp/50000 sent=1557 rcvd=957", + "risk_score": 6, + "sequence": 568001, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515872, + "ingest_time": "2022-03-15T13:39:30.197342700Z", + "message": "Connection Closed", + "network": { + "bytes": 2514, + "protocol": "50000", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 1024, + "message_id": 537 + } + }, + "source": { + "bytes": 1557, + "geo": { + "city_name": "Changchun", + "continent_name": "Asia", + "country_iso_code": "CN", + "country_name": "China", + "location": { + "lat": 43.88, + "lon": 125.3228 + }, + "region_iso_code": "CN-22", + "region_name": "Jilin Sheng" + }, + "ip": "175.16.199.1", + "port": 36699 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:20.000Z", + "destination": { + "bytes": 254, + "ip": "192.168.1.100", + "port": 53 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection closed", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197421500Z", + "module": 
"sonicwall", + "original": "Jan 3 13:45:49 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.128.3.4 pri=6 c=1024 m=537 msg=\"Connection Closed\" n=568002 src=192.168.5.10:3417:LAN dst=192.168.1.100:53:WAN proto=udp/dns sent=401 rcvd=254 vpnpolicy=\"name\"", + "risk_score": 6, + "sequence": 568002, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515870, + "ingest_time": "2022-03-15T13:39:30.197421500Z", + "message": "Connection Closed", + "network": { + "bytes": 655, + "protocol": "dns", + "transport": "udp" }, - "event": { - "ingested": "2022-01-25T12:55:20.566264427Z" + "observer": { + "egress": { + "interface": { + "name": "WAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "LAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 1024, + "message_id": 537 + } + }, + "source": { + "bytes": 401, + "ip": "192.168.5.10", + "port": 3417, + "vpn_policy": "name" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:20.000Z", + "destination": { + "ip": "192.168.5.10", + "port": 3582 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197432600Z", + "module": "sonicwall", + "original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582", + "risk_score": 6, + "sequence": 23426, + "severity": 6, + "type": "event" }, - "message": "id=imavenia sn=expli time=\"2019/11/30 00:21:57\" fw=10.144.57.239 pri=medium c=rur m=520 msg=\"itse\" n=ilm src=10.167.9.200:4003:lo5561 dst= 10.119.4.120:3822:enp0s234", - "tags": [ - "preserve_original_event" - ] - }, - { - "ecs": { - "version": "8.0.0" + "ingest_lag_in_seconds": 
479515870, + "ingest_time": "2022-03-15T13:39:30.197432600Z", + "message": "Connection Opened", + "network": { + "protocol": "3582", + "transport": "udp" }, - "event": { - "ingested": "2022-01-25T12:55:20.566265201Z" + "observer": { + "egress": { + "interface": { + "name": "LAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" }, - "message": "oluptate id=lit sn=santi time=\"2019/12/14 07:24:31\" fw=10.211.112.194 pri=low c=uis m=1079 msg=\"Clientamcis assigned IP:10.221.220.148\" n=apar", - "tags": [ - "preserve_original_event" - ] + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "ip": "192.168.125.75", + "port": 524 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2007-01-03T14:48:21.000Z", + "destination": { + "ip": "192.168.5.10", + "port": 53 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197440700Z", + "module": "sonicwall", + "original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:21\" fw=1.128.3.4 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", + "risk_score": 6, + "sequence": 23427, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 479515869, + "ingest_time": "2022-03-15T13:39:30.197440700Z", + "message": "Connection Opened", + "network": { + "protocol": "dns", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "LAN" + }, + "ip": "1.128.3.4" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "WAN" + } + }, + "ip": "192.168.5.1", + "serial_number": "000SERIAL" + }, + "sonicwall": { + "event": { + "category": 262144, + "message_id": 98 + } + }, + "source": { + "ip": "192.168.6.10", + 
"port": 28503 + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-02-22T18:24:30.000Z", + "destination": { + "as": { + "number": 209 + }, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.61", + "nat": { + "ip": "216.160.83.61", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "connection opened", + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197447300Z", + "module": "sonicwall", + "original": "10.0.0.1 id=firewall sn=123456789 time=\"2022-02-22 18:24:30 UTC\" fw=10.0.0.2 pri=6 c=262144 gcat=6 m=98 msg=\"Connection Opened\" src=10.0.0.3:52379:X0 natSrc=10.0.0.2:48245 dst=216.160.83.61:443:X1 natDst=216.160.83.61:443 usr=\"Unknown (SSO failed)\" proto=tcp/https sent=52 app=49177 appName='General HTTPS' n=123456789 fw_action=\"NA\" dpi=0", + "risk_score": 6, + "sequence": 123456789, + "severity": 6, + "type": "event" + }, + "ingest_lag_in_seconds": 1797300, + "ingest_time": "2022-03-15T13:39:30.197447300Z", + "message": "Connection Opened", + "network": { + "bytes": 52, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "ip": "10.0.0.2" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "X0" + } + }, + "ip": "10.0.0.1", + "serial_number": "123456789" + }, + "sonicwall": { + "event": { + "app_name": "'General HTTPS'", + "application_id_number": 49177, + "category": 262144, + "dpi": 0, + "firewall_action": "NA", + "group_category": 6, + "message_id": 98 + } + }, + "source": { + "bytes": 52, + "ip": "10.0.0.3", + "nat": { + "ip": "10.0.0.2", + "port": 48245 + }, + "port": 52379 + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "Unknown 
(SSO failed)" + } + }, + { + "@timestamp": "2022-02-22T18:29:37.000Z", + "destination": { + "as": { + "number": 209 + }, + "bytes": 14226, + "geo": { + "city_name": "Milton", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 47.2513, + "lon": -122.3149 + }, + "region_iso_code": "US-WA", + "region_name": "Washington" + }, + "ip": "216.160.83.61", + "mac": "ab:09:87:65:43:21", + "nat": { + "ip": "216.160.83.61", + "port": 443 + }, + "port": 443 + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "dataset": "sonicwall.firewall", + "ingested": "2022-03-15T13:39:30.197515900Z", + "module": "sonicwall", + "original": "10.0.0.1 id=firewall sn=123456789 time=\"2022-02-22 18:29:37 UTC\" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg=\"Web site hit\" srcMac=12:34:56:78:90:ab src=10.0.0.3:64828:X0 srcZone=Trusted natSrc=10.0.0.2:47621 dstMac=ab:09:87:65:43:21 dst=216.160.83.61:443:X1 dstZone=Untrusted natDst=216.160.83.61:443 usr=\"Unknown (SSO failed)\" proto=tcp/https sent=3523 rcvd=14226 app=7927 dstname=chat-pa.clients6.google.com arg=/ code=29 Category=\"Search Engines and Portals\" note=\"Policy: cfsZonePolicy0, Info: 6148 \" n=123456789 fw_action=\"NA\" dpi=1", + "risk_score": 6, + "sequence": 123456789, + "severity": 6 + }, + "ingest_lag_in_seconds": 1796993, + "ingest_time": "2022-03-15T13:39:30.197515900Z", + "message": "Web site hit", + "network": { + "bytes": 17749, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "X1" + }, + "ip": "10.0.0.2", + "zone": "Untrusted" + }, + "hostname": "firewall", + "ingress": { + "interface": { + "name": "X0" + }, + "zone": "Trusted" + }, + "ip": "10.0.0.1", + "serial_number": "123456789" + }, + "sonicwall": { + "destination": { + "name": "chat-pa.clients6.google.com" + }, + "event": { + "application_id_number": 7927, + "blocking_category": "Search Engines and Portals", + "category": 1024, + "code": 29, 
+ "dpi": 1,
+ "firewall_action": "NA",
+ "group_category": 2,
+ "message_id": 97,
+ "note": "Policy: cfsZonePolicy0, Info: 6148 ",
+ "url_path": "/"
+ }
+ },
+ "source": {
+ "bytes": 3523,
+ "ip": "10.0.0.3",
+ "mac": "12:34:56:78:90:ab",
+ "nat": {
+ "ip": "10.0.0.2",
+ "port": 47621
+ },
+ "port": 64828
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "user": {
+ "name": "Unknown (SSO failed)"
+ }
+ },
+ {
+ "@timestamp": "2022-02-22T18:34:21.000Z",
+ "destination": {
+ "as": {
+ "number": 209
+ },
+ "bytes": 6642,
+ "geo": {
+ "city_name": "Milton",
+ "continent_name": "North America",
+ "country_iso_code": "US",
+ "country_name": "United States",
+ "location": {
+ "lat": 47.2513,
+ "lon": -122.3149
+ },
+ "region_iso_code": "US-WA",
+ "region_name": "Washington"
+ },
+ "ip": "216.160.83.61",
+ "mac": "ab:09:87:65:43:21",
+ "nat": {
+ "ip": "216.160.83.61",
+ "port": 443
+ },
+ "port": 443
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "dataset": "sonicwall.firewall",
+ "ingested": "2022-03-15T13:39:30.197533300Z",
+ "module": "sonicwall",
+ "original": "10.0.0.1 id=firewall sn=2CB8ED17E180 time=\"2022-02-22 18:34:21 UTC\" fw=10.0.0.2 pri=6 c=1024 gcat=2 m=97 msg=\"Web site hit\" srcMac=12:34:56:78:90:ab src=10.0.0.3:49217:X0 srcZone=Trusted natSrc=10.0.0.2:53466 dstMac=ab:09:87:65:43:21 dst=216.160.83.61:443:X1 dstZone=Untrusted natDst=216.160.83.61:443 usr=\"Unknown (SSO failed)\" proto=tcp/https sent=2079 rcvd=6642 app=7927 dstname=seg.ad.gt arg=/ code=15 Category=\"Business and Economy\" note=\"Policy: cfsZonePolicy0, Info: 6148 \" n=123456789 fw_action=\"NA\" dpi=1",
+ "risk_score": 6,
+ "sequence": 123456789,
+ "severity": 6
+ },
+ "ingest_lag_in_seconds": 1796709,
+ "ingest_time": "2022-03-15T13:39:30.197533300Z",
+ "message": "Web site hit",
+ "network": {
+ "bytes": 8721,
+ "protocol": "https",
+ "transport": "tcp"
+ },
+ "observer": {
+ "egress": {
+ "interface": {
+ "name": "X1"
+ },
+ "ip": "10.0.0.2",
+ "zone": "Untrusted"
+ },
+ "hostname": "firewall",
+ "ingress": {
+ "interface": {
+ "name": "X0"
+ },
+ "zone": "Trusted"
+ },
+ "ip": "10.0.0.1",
+ "serial_number": "2CB8ED17E180"
+ },
+ "sonicwall": {
+ "destination": {
+ "name": "seg.ad.gt"
+ },
+ "event": {
+ "application_id_number": 7927,
+ "blocking_category": "Business and Economy",
+ "category": 1024,
+ "code": 15,
+ "dpi": 1,
+ "firewall_action": "NA",
+ "group_category": 2,
+ "message_id": 97,
+ "note": "Policy: cfsZonePolicy0, Info: 6148 ",
+ "url_path": "/"
+ }
+ },
+ "source": {
+ "bytes": 2079,
+ "ip": "10.0.0.3",
+ "mac": "12:34:56:78:90:ab",
+ "nat": {
+ "ip": "10.0.0.2",
+ "port": 53466
+ },
+ "port": 49217
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "user": {
+ "name": "Unknown (SSO failed)"
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/sonicwall/data_stream/firewall/agent/stream/stream.yml.hbs b/packages/sonicwall/data_stream/firewall/agent/stream/stream.yml.hbs
deleted file mode 100644
index 180ea60135d..00000000000
--- a/packages/sonicwall/data_stream/firewall/agent/stream/stream.yml.hbs
+++ /dev/null
@@ -1,9739 +0,0 @@ -paths: -{{#each paths as |path i|}} - - {{path}} -{{/each}} -exclude_files: [".gz$"] -tags: -{{#if preserve_original_event}} - - preserve_original_event -{{/if}} -{{#each tags as |tag i|}} - - {{tag}} -{{/each}} -fields_under_root: true -fields: - observer: - vendor: "Sonicwall" - product: "Firewalls" - type: "Firewall" -{{#contains "forwarded" tags}} -publisher_pipeline.disable_host: true -{{/contains}} -processors: -{{#if processors}} -{{processors}} -{{/if}} -- script: - lang: javascript - params: - ecs: true - rsa: {{rsa_fields}} - tz_offset: {{tz_offset}} - keep_raw: {{keep_raw_fields}} - debug: {{debug}} - source: | - // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - // or more contributor license agreements. Licensed under the Elastic License; - // you may not use this file except in compliance with the Elastic License. - - /* jshint -W014,-W016,-W097,-W116 */ - - var processor = require("processor"); - var console = require("console"); - - var FLAG_FIELD = "log.flags"; - var FIELDS_OBJECT = "nwparser"; - var FIELDS_PREFIX = FIELDS_OBJECT + "."; - - var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true - }; - - var saved_flags = null; - var debug; - var map_ecs; - var map_rsa; - var keep_raw; - var device; - var tz_offset; - var strip_priority; - - // Register params from configuration. - function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "message", setter: fld_set}]}, - "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, - }; - - var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
- "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
- "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
- "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
- "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
- "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
- "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
- "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
- "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
- "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
- "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
- "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
- "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
- "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
- "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
- "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
- "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
- "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
- "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
- "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
- "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
- "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
- "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
- "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
- "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
- "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
- "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
- "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
- "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
- "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
- "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
- "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
- "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
- "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
- "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
- "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
- "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
- "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
- "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
- "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
- "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
- "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
- "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
- "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
- "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
- "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
- "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
- "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
- "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
- "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
- "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
- "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
- "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
- "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
- "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
- "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
- "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
- "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
- "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
- "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
- "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
- "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
- "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
- "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
- "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
- "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
- "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
- "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
- "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
- "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
- "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
- "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
- "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
- "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
- "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
- "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
- "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
- "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
- "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
- "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
- "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
- "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
- "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
- "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
- "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
- "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
- "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
- "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
- "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
- "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
- "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
- "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
- "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
- "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
- "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
- "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
- "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
- "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
- "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
- "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
- "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
- "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
- "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
- "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
- "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
- "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
- "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
- "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
- "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
- "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
- "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
- "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
- "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
- "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
- "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
- "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
- "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
- "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
- "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
- "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
- "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
- "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
- "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
- "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
- "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
- "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
- "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
- "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
- "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
- "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
- "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
- "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
- "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
- "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
- "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
- "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
- "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
- "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
- "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
- "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
- "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
- "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
- "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
- "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
- "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
- };
-
- function to_date(value) {
- switch (typeof (value)) {
- case "object":
- // This is a Date. But as it was obtained from evt.Get(), the VM
- // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
- // Have to trust that any object here is a valid Date for Go.
- return value;
- case "string":
- var asDate = new Date(value);
- if (!isNaN(asDate)) return asDate;
- }
- }
-
- // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
- var maxSafeInt = Math.pow(2, 53) - 1;
- var minSafeInt = -maxSafeInt;
-
- function to_long(value) {
- var num = parseInt(value);
- // Better not to index a number if it's not safe (above 53 bits).
- return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined;
- }
-
- function to_ip(value) {
- if (value.indexOf(":") === -1)
- return to_ipv4(value);
- return to_ipv6(value);
- }
-
- var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
- var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
-
- function to_ipv4(value) {
- var result = ipv4_regex.exec(value);
- if (result == null || result.length !== 5) return;
- for (var i = 1; i < 5; i++) {
- var num = strictToInt(result[i]);
- if (isNaN(num) || num < 0 || num > 255) return;
- }
- return value;
- }
-
- function to_ipv6(value) {
- var sqEnd = value.indexOf("]");
- if (sqEnd > -1) {
- if (value.charAt(0) !== "[") return;
- value = value.substr(1, sqEnd - 1);
- }
- var zoneOffset = value.indexOf("%");
- if (zoneOffset > -1) {
- value = value.substr(0, zoneOffset);
- }
- var parts = value.split(":");
- if (parts == null || parts.length < 3 || parts.length > 8) return;
- var numEmpty = 0;
- var innerEmpty = 0;
- for (var i = 0; i < parts.length; i++) {
- if (parts[i].length === 0) {
- numEmpty++;
- if (i > 0 && i + 1 < parts.length) innerEmpty++;
- } else if (!parts[i].match(ipv6_hex_regex) &&
- // Accept an IPv6 with a valid IPv4 at the end.
- ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
- return;
- }
- }
- return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
- }
-
- function to_double(value) {
- return parseFloat(value);
- }
-
- function to_mac(value) {
- // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
- return value;
- }
-
- function to_lowercase(value) {
- // to_lowercase is used against keyword fields, which can accept
- // any other type (numbers, dates).
- return typeof(value) === "string"? value.toLowerCase() : value;
- }
-
- function fld_set(dst, value) {
- dst[this.field] = { v: value };
- }
-
- function fld_append(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: [value] };
- } else {
- var base = dst[this.field];
- if (base.v.indexOf(value)===-1) base.v.push(value);
- }
- }
-
- function fld_prio(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value, prio: this.prio};
- } else if(this.prio < dst[this.field].prio) {
- dst[this.field].v = value;
- dst[this.field].prio = this.prio;
- }
- }
-
- var valid_ecs_outcome = {
- 'failure': true,
- 'success': true,
- 'unknown': true
- };
-
- function fld_ecs_outcome(dst, value) {
- value = value.toLowerCase();
- if (valid_ecs_outcome[value] === undefined) {
- value = 'unknown';
- }
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value };
- } else if (dst[this.field].v === 'unknown') {
- dst[this.field] = { v: value };
- }
- }
-
- function map_all(evt, targets, value) {
- for (var i = 0; i < targets.length; i++) {
- evt.Put(targets[i], value);
- }
- }
-
- function populate_fields(evt) {
- var base = evt.Get(FIELDS_OBJECT);
- if (base === null) return;
- alternate_datetime(evt);
- if (map_ecs) {
- do_populate(evt, base, ecs_mappings);
- }
- if (map_rsa) {
- do_populate(evt, base, rsa_mappings);
- }
- if (keep_raw) {
- evt.Put("rsa.raw", base);
- }
- evt.Delete(FIELDS_OBJECT);
- }
-
- var datetime_alt_components = [
- {field: "day", fmts: [[dF]]},
- {field: "year", fmts: [[dW]]},
- {field: "month", fmts: [[dB],[dG]]},
- {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
- {field: "hour", fmts: [[dN]]},
- {field: "min", fmts: [[dU]]},
- {field: "secs", fmts: [[dO]]},
- {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
- ];
-
- function alternate_datetime(evt) {
- if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
- return;
- }
- var tzOffset = tz_offset;
- if (tzOffset === "event") {
- tzOffset = evt.Get("event.timezone");
- }
- var container = new DateContainer(tzOffset);
- for (var i=0; i} n=%{fld2->} src=%{p0}");
-
- var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}");
-
- var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}");
-
- var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}");
-
- var dup11 = date_time({
- dest: "event_time",
- args: ["hdate","htime"],
- fmts: [
- [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO],
- ],
- });
-
- var dup12 = setc("eventcategory","1502010000");
-
- var dup13 = setc("eventcategory","1502020000");
-
- var dup14 = setc("eventcategory","1002010000");
-
- var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}");
-
- var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}");
-
- var dup17 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}");
-
- var dup18 = setf("hostip","hhostip");
-
- var dup19 = setf("id","hid");
-
- var dup20 = setf("serial_number","hserial_number");
-
- var dup21 = setf("category","hcategory");
-
- var dup22 = setf("severity","hseverity");
-
- var dup23 = setc("eventcategory","1805010000");
-
- var dup24 = call({
- dest: "nwparser.msg",
- fn: RMQ,
- args: [
- field("msg"),
- ],
- });
-
- var dup25 = setc("eventcategory","1302000000");
-
- var dup26 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}");
-
- var dup27 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}");
-
- var dup28 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} ");
-
- var dup29 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} ");
-
- var dup30 = setc("eventcategory","1401050100");
-
- var dup31 = setc("eventcategory","1401030000");
-
- var dup32 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}");
-
- var dup33 = setc("eventcategory","1301020000");
-
- var dup34 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}");
-
- var dup35 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}");
-
- var dup36 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr");
-
- var dup37 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}");
-
- var dup38 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}");
-
- var dup39 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}");
-
- var dup40 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}");
-
- var dup41 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}");
-
- var dup42 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}");
-
- var dup43 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}");
-
- var dup44 = date_time({
- dest: "event_time",
- args: ["date","time"],
- fmts: [
- [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO],
- ],
- });
-
- var dup45 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}");
-
- var dup46 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}");
-
- var dup47 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info");
-
- var dup48 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}");
-
- var dup49 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}");
-
- var dup50 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}");
-
- var dup51 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}");
-
- var dup52 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}");
-
- var dup53 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}");
-
- var dup54 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}");
-
- var dup55 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}");
-
- var dup56 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0");
-
- var dup57 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}");
-
- var dup58 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}");
-
- var dup59 = setc("ec_subject","NetworkComm");
-
- var dup60 = setc("ec_activity","Deny");
-
- var dup61 = setc("ec_theme","Communication");
-
- var dup62 = setf("msg","$MSG");
-
- var dup63 = setc("action","dropped");
-
- var dup64 = setc("eventcategory","1608010000");
-
- var dup65 = setc("eventcategory","1302010000");
-
- var dup66 = setc("eventcategory","1301000000");
-
- var dup67 = setc("eventcategory","1001000000");
-
- var dup68 = setc("eventcategory","1003030000");
-
- var dup69 = setc("eventcategory","1003050000");
-
- var dup70 = setc("eventcategory","1103000000");
-
- var dup71 = setc("eventcategory","1603110000");
-
- var dup72 = setc("eventcategory","1605020000");
-
- var dup73 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}");
-
- var dup74 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}");
-
- var dup75 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}");
-
- var dup76 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}");
-
- var dup77 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}");
-
- var dup78 = setc("eventcategory","1801000000");
-
- var dup79 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}");
-
- var dup80 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}");
-
- var dup81 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes}");
-
- var dup82 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}");
-
- var dup83 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} dst= %{p0}");
-
- var dup84 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}");
-
- var dup85 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}");
-
- var dup86 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}");
-
- var dup87 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}");
-
- var dup88 = setf("id","hfld1");
-
- var dup89 = setc("eventcategory","1001020309");
-
- var dup90 = setc("eventcategory","1303000000");
-
- var dup91 = setc("eventcategory","1801010100");
-
- var dup92 = setc("eventcategory","1604010000");
-
- var dup93 = setc("eventcategory","1002020000");
-
- var dup94 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}");
-
- var dup95 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}");
-
- var dup96 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}");
-
- var dup97 = setc("eventcategory","1001010000");
-
- var dup98 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}");
-
- var dup99 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}");
-
- var dup100 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}");
-
- var dup101 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}");
-
- var dup102 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}");
-
- var dup103 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}");
-
- var dup104 = match("MESSAGE#262:196/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}");
-
- var dup105 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method");
-
- var dup106 = setc("eventcategory","1401060000");
-
- var dup107 = setc("eventcategory","1804000000");
-
- var dup108 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}");
-
- var dup109 = setc("eventcategory","1401070000");
-
- var dup110 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}");
-
- var dup111 = setc("eventcategory","1801030000");
-
- var dup112 = setc("eventcategory","1402020300");
-
- var dup113 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}");
-
- var dup114 = match("MESSAGE#302:401/1_0", "nwparser.p0", "dstname=%{name}");
-
- var dup115 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space");
-
- var dup116 = setc("eventcategory","1402000000");
-
- var dup117 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}");
-
- var dup118 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}");
-
- var dup119 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\"");
-
- var dup120 = setc("eventcategory","1803020000");
-
- var dup121 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}");
-
- var dup122 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}");
-
- var dup123 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes");
-
- var dup124 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}");
-
- var dup125 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}");
-
- var dup126 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}");
-
- var dup127 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}");
-
- var dup128 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}");
-
- var dup129 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}");
-
- var dup130 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}");
-
- var dup131 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}");
-
- var dup132 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}");
-
- var dup133 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3");
-
- var dup134 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}");
-
- var dup135 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}");
-
- var dup136 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}");
-
- var dup137 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}");
-
- var dup138 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}");
-
- var dup139 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}");
-
- var dup140 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}");
-
- var dup141 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}");
-
- var dup142 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}");
-
- var dup143 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}");
-
- var dup144 = setc("event_description","Connection Closed");
-
- var dup145 = setc("eventcategory","1801020000");
-
- var dup146 = setc("ec_activity","Permit");
-
- var dup147 = setc("action","allowed");
-
- var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}");
-
- var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}");
-
- var dup150 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}");
-
- var dup151 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}");
-
- var dup152 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}");
-
- var dup153 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}");
-
- var dup154 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}");
-
- var dup155 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport");
-
- var dup156 = setc("eventcategory","1001030500");
-
- var dup157 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}");
-
- var dup158 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}");
-
- var dup159 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}");
-
- var dup160 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}");
-
- var dup161 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}");
-
- var dup162 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}");
-
- var dup163 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}");
-
- var dup164 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51");
-
- var dup165 = setc("eventcategory","1801010000");
-
- var dup166 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}");
-
- var dup167 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}");
-
- var dup168 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}");
-
- var dup169 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}");
-
- var dup170 = setc("eventcategory","1003010000");
-
- var dup171 = setc("eventcategory","1609000000");
-
- var dup172 = setc("eventcategory","1204000000");
-
- var dup173 = setc("eventcategory","1602000000");
-
- var dup174 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}");
-
- var dup175 = setc("eventcategory","1803000000");
-
- var dup176 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}");
-
- var dup177 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}");
-
- var dup178 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}");
-
- var dup179 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\"");
-
- var dup180 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}");
-
- var dup181 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}");
-
- var dup182 = linear_select([
- dup8,
- dup9,
- ]);
-
- var dup183 = linear_select([
- dup15,
- dup16,
- ]);
-
- var dup184 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([
- dup1,
- dup24,
- ]));
-
- var dup185 = linear_select([
- dup26,
- dup27,
- ]);
-
- var dup186 = linear_select([
- dup28,
- dup29,
- ]);
-
- var dup187 = linear_select([
- dup35,
- dup36,
- ]);
-
- var dup188 = linear_select([
- dup37,
- dup38,
- ]);
-
- var dup189 = linear_select([
- dup39,
- dup40,
- ]);
-
- var dup190 = linear_select([
- dup26,
- dup46,
- ]);
-
- var dup191 = linear_select([
- dup48,
- dup49,
- ]);
-
- var dup192 = linear_select([
- dup52,
- dup53,
- ]);
-
- var dup193 = linear_select([
- dup55,
- dup56,
- ]);
-
- var dup194 = linear_select([
- dup57,
- dup58,
- ]);
-
- var dup195 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([
- dup70,
- ]));
-
- var dup196 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([
- dup5,
- ]));
-
- var dup197 = linear_select([
- dup75,
- dup76,
- ]);
-
- var dup198 = linear_select([
- dup83,
- dup84,
- ]);
-
- var dup199 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([
- dup1,
- ]));
-
- var dup200 = linear_select([
- dup94,
- dup95,
- ]);
-
- var dup201 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([
- dup5,
- ]));
-
- var dup202 = linear_select([
- dup98,
- dup99,
- ]);
-
- var dup203 = linear_select([
- dup86,
- dup102,
- ]);
-
- var dup204 = linear_select([
- dup103,
- dup104,
- ]);
-
- var dup205 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([
- dup93,
- ]));
-
- var dup206 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([
- dup93,
- ]));
-
- var dup207 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([
- dup1,
- ]));
-
- var dup208 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([
- dup1,
- ]));
-
- var dup209 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->}
note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - ])); - - var dup210 = linear_select([ - dup114, - dup115, - ]); - - var dup211 = linear_select([ - dup117, - dup118, - ]); - - var dup212 = linear_select([ - dup43, - dup42, - ]); - - var dup213 = linear_select([ - dup8, - dup27, - ]); - - var dup214 = linear_select([ - dup8, - dup26, - dup46, - ]); - - var dup215 = linear_select([ - dup80, - dup15, - dup16, - ]); - - var dup216 = linear_select([ - dup124, - dup125, - dup126, - dup38, - ]); - - var dup217 = linear_select([ - dup127, - dup128, - ]); - - var dup218 = linear_select([ - dup129, - dup130, - ]); - - var dup219 = linear_select([ - dup135, - dup136, - dup137, - ]); - - var dup220 = linear_select([ - dup138, - dup56, - ]); - - var dup221 = linear_select([ - dup140, - dup141, - ]); - - var dup222 = linear_select([ - dup142, - dup143, - ]); - - var dup223 = linear_select([ - dup150, - dup151, - ]); - - var dup224 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup156, - ])); - - var dup225 = linear_select([ - dup158, - dup38, - ]); - - var dup226 = linear_select([ - dup160, - dup161, - ]); - - var dup227 = linear_select([ - dup162, - dup163, - ]); - - var dup228 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ - dup5, - ])); - - var dup229 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ - dup5, - ])); - - var dup230 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ - dup5, - dup24, - ])); - - var dup231 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} 
note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - ])); - - var dup232 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ - dup1, - dup24, - ])); - - var dup233 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup171, - dup44, - ])); - - var dup234 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ - dup1, - ])); - - var dup235 = linear_select([ - dup177, - dup178, - ]); - - var dup236 = linear_select([ - dup180, - dup181, - ]); - - var dup237 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var dup238 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var dup239 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup91, - ]), - }); - - var dup240 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var dup241 = all_match({ - processors: [ - dup101, - dup203, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var dup242 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup106, - ]), - }); - - var dup243 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var dup244 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var dup245 = all_match({ - processors: [ - dup108, - dup185, - dup187, - ], - on_success: processor_chain([ - dup109, - ]), - }); - - var dup246 = all_match({ - processors: [ - dup110, - dup185, - dup187, 
- ], - on_success: processor_chain([ - dup112, - ]), - }); - - var dup247 = all_match({ - processors: [ - dup113, - dup210, - ], - on_success: processor_chain([ - dup93, - ]), - }); - - var dup248 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup116, - ]), - }); - - var dup249 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup187, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var dup250 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var dup251 = all_match({ - processors: [ - dup157, - dup225, - dup159, - dup226, - dup227, - dup164, - ], - on_success: processor_chain([ - dup156, - dup59, - dup60, - dup61, - dup62, - dup44, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var dup252 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup202, - dup100, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var dup253 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("= "), - field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ - setc("header_id","0003"), 
- ])); - - var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - ]); - - var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ - dup1, - ])); - - var msg1 = msg("4", part1); - - var part2 = match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ - dup1, - ])); - - var msg2 = msg("5", part2); - - var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - dup1, - ])); - - var msg3 = msg("5:01", part3); - - var select2 = linear_select([ - msg2, - msg3, - ]); - - var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log successfully sent via email%{}", processor_chain([ - dup1, - ])); - - var msg4 = msg("6", part4); - - var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ - dup1, - ])); - - var msg5 = msg("6:01", part5); - - var select3 = linear_select([ - msg4, - msg5, - ]); - - var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ - dup2, - ])); - - var msg6 = msg("7", part6); - - var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ - dup3, - ])); - - var msg7 = msg("8", part7); - - var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ - dup4, - ])); - - var msg8 = msg("9", part8); - - var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ - dup4, - ])); - - var msg9 = msg("10", part9); - - var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your 
DNS server%{}", processor_chain([ - dup4, - ])); - - var msg10 = msg("11", part10); - - var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ - dup5, - ])); - - var msg11 = msg("12", part11); - - var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - dup5, - ])); - - var msg12 = msg("12:01", part12); - - var select4 = linear_select([ - msg11, - msg12, - ]); - - var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ - dup1, - ])); - - var msg13 = msg("13", part13); - - var part14 = match("MESSAGE#13:14/0_0", "nwparser.payload", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode}"); - - var part15 = match("MESSAGE#13:14/0_1", "nwparser.payload", "Web site blocked%{}"); - - var select5 = linear_select([ - part14, - part15, - ]); - - var all1 = all_match({ - processors: [ - select5, - ], - on_success: processor_chain([ - dup6, - setc("action","Web site access denied"), - ]), - }); - - var msg14 = msg("14", all1); - - var part16 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} code= %{p0}"); - - var part17 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{dinterface->} code= %{p0}"); - - var select6 = linear_select([ - part16, - part17, - ]); - - var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{fld3->} Category=%{fld4->} npcs=%{info}"); - - var all2 = all_match({ - processors: [ - dup7, - dup182, - dup10, - select6, - part18, - ], - on_success: processor_chain([ - dup6, - ]), - }); - - var msg15 = msg("14:01", all2); - - var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, - ])); - - var msg16 = msg("14:02", part19); - - var part20 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, - ])); - - var msg17 = msg("14:03", part20); - - var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, - ])); - - var msg18 = msg("14:04", part21); - - var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, - ])); - - var msg19 = msg("14:05", part22); - - var select7 = linear_select([ - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - ]); - - var part23 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ - dup12, - ])); - - var msg20 = msg("15", part23); - - var 
part24 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ - dup13, - ])); - - var msg21 = msg("16", part24); - - var part25 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ - dup13, - ])); - - var msg22 = msg("17", part25); - - var part26 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ - dup12, - ])); - - var msg23 = msg("18", part26); - - var part27 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ - dup12, - ])); - - var msg24 = msg("19", part27); - - var part28 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ - dup12, - ])); - - var msg25 = msg("20", part28); - - var part29 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ - dup1, - ])); - - var msg26 = msg("21", part29); - - var part30 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ - dup14, - ])); - - var msg27 = msg("22", part30); - - var part31 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ - dup14, - ])); - - var msg28 = msg("23", part31); - - var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var part33 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); - - var part34 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); - - var select8 = linear_select([ - part33, - part34, - ]); - - var part35 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{smacaddr}"); - - var all3 = all_match({ - processors: [ - part32, - dup183, - dup17, - select8, - part35, - ], - on_success: processor_chain([ - dup14, - ]), - }); - - var msg29 = msg("23:01", all3); - - var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: 
%{smacaddr}", processor_chain([ - dup14, - ])); - - var msg30 = msg("23:02", part36); - - var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); - - var part38 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac= %{p0}"); - - var part39 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{dinterface->} srcMac= %{p0}"); - - var select9 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); - - var all4 = all_match({ - processors: [ - part37, - select9, - part40, - ], - on_success: processor_chain([ - dup14, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg31 = msg("23:03", all4); - - var select10 = linear_select([ - msg28, - msg29, - msg30, - msg31, - ]); - - var part41 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ - dup23, - ])); - - var msg32 = msg("24", part41); - - var msg33 = msg("24:01", dup184); - - var select11 = linear_select([ - msg32, - msg33, - ]); - - var part42 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ - dup14, - ])); - - var msg34 = msg("25", part42); - - var part43 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ - dup14, - ])); - - var msg35 = msg("26", part43); - - var part44 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ - dup14, - ])); - - var msg36 = msg("27", part44); - - var part45 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ - dup14, - ])); - - var msg37 = msg("28", part45); - - var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} 
dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup14, - ])); - - var msg38 = msg("28:01", part46); - - var select12 = linear_select([ - msg37, - msg38, - ]); - - var part47 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ - dup25, - ])); - - var msg39 = msg("29", part47); - - var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); - - var all5 = all_match({ - processors: [ - part48, - dup185, - dup186, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var msg40 = msg("29:01", all5); - - var select13 = linear_select([ - msg39, - msg40, - ]); - - var part49 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ - dup31, - ])); - - var msg41 = msg("30", part49); - - var msg42 = msg("30:01", dup238); - - var select14 = linear_select([ - msg41, - msg42, - ]); - - var part50 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ - dup25, - ])); - - var msg43 = msg("31", part50); - - var all6 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup25, - ]), - }); - - var msg44 = msg("31:01", all6); - - var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup11, - ])); - - var msg45 = msg("31:02", part51); - - var part52 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup11, - ])); - - var 
msg46 = msg("31:03", part52); - - var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup11, - ])); - - var msg47 = msg("31:04", part53); - - var select15 = linear_select([ - msg43, - msg44, - msg45, - msg46, - msg47, - ]); - - var part54 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ - dup31, - ])); - - var msg48 = msg("32", part54); - - var msg49 = msg("32:01", dup238); - - var select16 = linear_select([ - msg48, - msg49, - ]); - - var part55 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ - dup33, - ])); - - var msg50 = msg("33", part55); - - var all7 = all_match({ - processors: [ - dup34, - dup185, - dup186, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var msg51 = msg("33:01", all7); - - var select17 = linear_select([ - msg50, - msg51, - ]); - - var part56 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ - dup5, - ])); - - var msg52 = msg("34", part56); - - var part57 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ - setc("eventcategory","1401040000"), - ])); - - var msg53 = msg("35", part57); - - var all8 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1401050200"), - ]), - }); - - var msg54 = msg("35:01", all8); - - var select18 = linear_select([ - msg53, - msg54, - ]); - - var part58 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ - dup5, - ])); - - var msg55 = msg("36", part58); - - var part59 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); - - 
var part60 = match("MESSAGE#54:36:01/2", "nwparser.p0", "%{fld1->} src= %{p0}"); - - var part61 = match("MESSAGE#54:36:01/7_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); - - var select19 = linear_select([ - part61, - dup42, - dup43, - ]); - - var all9 = all_match({ - processors: [ - part59, - dup188, - part60, - dup189, - dup41, - dup183, - dup17, - select19, - ], - on_success: processor_chain([ - dup5, - dup44, - ]), - }); - - var msg56 = msg("36:01", all9); - - var part62 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} npcs=%{p0}"); - - var part63 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} npcs=%{p0}"); - - var select20 = linear_select([ - part62, - part63, - ]); - - var all10 = all_match({ - processors: [ - dup45, - dup190, - dup17, - dup183, - dup17, - select20, - dup47, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg57 = msg("36:02", all10); - - var select21 = linear_select([ - msg55, - msg56, - msg57, - ]); - - var part64 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg58 = msg("37", part64); - - var part65 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); - - var part66 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); - - var part67 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}proto=%{protocol->} fw_action=\"%{fld3}\""); - - var part68 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport}rule=%{rule}"); - - var select22 = linear_select([ - part67, - part68, - ]); - - var all11 = all_match({ - processors: [ - part65, - dup188, - part66, - select22, - ], - on_success: processor_chain([ - dup5, - dup44, - ]), - }); - - var msg59 = msg("37:01", all11); - - var part69 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} 
dst=%{daddr->} rule=%{rule}", processor_chain([ - dup5, - ])); - - var msg60 = msg("37:02", part69); - - var all12 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup191, - dup50, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg61 = msg("37:03", all12); - - var part70 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup5, - dup11, - ])); - - var msg62 = msg("37:04", part70); - - var select23 = linear_select([ - msg58, - msg59, - msg60, - msg61, - msg62, - ]); - - var part71 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg63 = msg("38", part71); - - var part72 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code}"); - - var select24 = linear_select([ - part72, - dup42, - ]); - - var all13 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup183, - dup17, - select24, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg64 = msg("38:01", all13); - - var part73 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{fld3->} icmpCode=%{fld4->} npcs=%{info}"); - - var all14 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup192, - part73, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg65 = msg("38:02", all14); - - var part74 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - - var part75 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); - - var all15 = all_match({ - processors: [ - dup54, - dup193, - part74, - dup194, - part75, - ], - on_success: processor_chain([ - dup5, - dup11, - 
dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg66 = msg("38:03", all15); - - var select25 = linear_select([ - msg63, - msg64, - msg65, - msg66, - ]); - - var part76 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg67 = msg("39", part76); - - var part77 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg68 = msg("40", part77); - - var part78 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg69 = msg("41:01", part78); - - var part79 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ - dup5, - ])); - - var msg70 = msg("41:02", part79); - - var part80 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ - dup5, - ])); - - var msg71 = msg("41:03", part80); - - var select26 = linear_select([ - msg69, - msg70, - msg71, - ]); - - var part81 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ - dup5, - ])); - - var msg72 = msg("42", part81); - - var part82 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ - dup5, - ])); - - var msg73 = msg("43", part82); - - var part83 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ - dup5, - ])); - - var msg74 = msg("44", part83); - - var part84 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ 
- dup5, - ])); - - var msg75 = msg("45", part84); - - var part85 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup5, - ])); - - var msg76 = msg("45:01", part85); - - var part86 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ - dup5, - ])); - - var msg77 = msg("45:02", part86); - - var select27 = linear_select([ - msg75, - msg76, - msg77, - ]); - - var part87 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg78 = msg("46:01", part87); - - var part88 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup5, - ])); - - var msg79 = msg("46:02", part88); - - var part89 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg80 = msg("46", part89); - - var part90 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var all16 = all_match({ - processors: [ - part90, - dup182, - dup10, - dup191, - dup50, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg81 = msg("46:03", all16); - - var select28 = linear_select([ - msg78, - msg79, - msg80, - msg81, - ]); - - var part91 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ - dup5, - ])); - - var msg82 = msg("47", part91); - - var part92 = match("MESSAGE#81:48", "nwparser.payload", 
"Out-of-order command packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg83 = msg("48", part92); - - var part93 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ - dup5, - ])); - - var msg84 = msg("49", part93); - - var part94 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ - dup5, - ])); - - var msg85 = msg("50", part94); - - var part95 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg86 = msg("51", part95); - - var part96 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ - dup5, - ])); - - var msg87 = msg("52", part96); - - var part97 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ - dup2, - ])); - - var msg88 = msg("53", part97); - - var part98 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ - dup64, - ])); - - var msg89 = msg("58", part98); - - var part99 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ - dup12, - ])); - - var msg90 = msg("60", part99); - - var part100 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ - dup1, - ])); - - var msg91 = msg("61", part100); - - var part101 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ - dup65, - ])); - - var msg92 = msg("62", part101); - - var part102 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ - dup66, - ])); - - var msg93 = msg("63", part102); - - var part103 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup66, - ])); - - var msg94 
= msg("63:01", part103); - - var select29 = linear_select([ - msg93, - msg94, - ]); - - var part104 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ - dup1, - ])); - - var msg95 = msg("64", part104); - - var part105 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ - dup66, - ])); - - var msg96 = msg("65", part105); - - var part106 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ - dup66, - ])); - - var msg97 = msg("66", part106); - - var part107 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ - dup66, - ])); - - var msg98 = msg("67", part107); - - var all17 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup66, - ]), - }); - - var msg99 = msg("67:01", all17); - - var select30 = linear_select([ - msg98, - msg99, - ]); - - var part108 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ - dup66, - ])); - - var msg100 = msg("68", part108); - - var part109 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ - dup66, - ])); - - var msg101 = msg("69", part109); - - var part110 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ - dup66, - ])); - - var msg102 = msg("70", part110); - - var part111 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst%{p0}"); - - var part112 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "=%{daddr}"); - - var part113 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", "name=%{name}"); - - var select31 = linear_select([ - part112, - part113, - ]); - - var all18 = all_match({ - processors: [ - part111, - select31, - ], - on_success: processor_chain([ - dup66, - ]), - }); - - var msg103 = msg("70:01", all18); - - var select32 = linear_select([ - 
msg102, - msg103, - ]); - - var part114 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg104 = msg("72", part114); - - var part115 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup67, - ])); - - var msg105 = msg("72:01", part115); - - var select33 = linear_select([ - msg104, - msg105, - ]); - - var part116 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ - dup68, - ])); - - var msg106 = msg("73", part116); - - var part117 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ - dup69, - ])); - - var msg107 = msg("74", part117); - - var part118 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ - dup68, - ])); - - var msg108 = msg("75", part118); - - var part119 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg109 = msg("76", part119); - - var part120 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg110 = msg("77", part120); - - var part121 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ - dup69, - ])); - - var msg111 = msg("78", part121); - - var part122 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg112 = msg("79", part122); - - var part123 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg113 = msg("80", part123); - - var part124 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ - dup14, - ])); - - var msg114 = msg("81", part124); - - var part125 = 
match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ - dup70, - ])); - - var msg115 = msg("82", part125); - - var part126 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ - dup70, - ])); - - var msg116 = msg("82:02", part126); - - var part127 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ - dup70, - ])); - - var msg117 = msg("82:03", part127); - - var msg118 = msg("82:01", dup195); - - var select34 = linear_select([ - msg115, - msg116, - msg117, - msg118, - ]); - - var part128 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ - dup70, - ])); - - var msg119 = msg("83", part128); - - var msg120 = msg("83:01", dup196); - - var part129 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ - dup5, - ])); - - var msg121 = msg("83:02", part129); - - var select35 = linear_select([ - msg119, - msg120, - msg121, - ]); - - var part130 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); - - var part131 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); - - var select36 = linear_select([ - part130, - part131, - ]); - - var all19 = all_match({ - processors: [ - select36, - ], - on_success: processor_chain([ - dup71, - setc("action","Failed to resolve name"), - ]), - }); - - var msg122 = msg("84", all19); - - var part132 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ - dup72, - ])); - - var 
msg123 = msg("87", part132); - - var part133 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup72, - ])); - - var msg124 = msg("87:01", part133); - - var select37 = linear_select([ - msg123, - msg124, - ]); - - var part134 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ - dup66, - ])); - - var msg125 = msg("88", part134); - - var part135 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup66, - ])); - - var msg126 = msg("88:01", part135); - - var select38 = linear_select([ - msg125, - msg126, - ]); - - var part136 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. Adding IPSec SA%{}", processor_chain([ - dup72, - ])); - - var msg127 = msg("89", part136); - - var part137 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface}"); - - var part138 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} dstname=%{name}"); - - var select39 = linear_select([ - part137, - part138, - ]); - - var all20 = all_match({ - processors: [ - dup73, - select39, - ], - on_success: processor_chain([ - dup72, - ]), - }); - - var msg128 = msg("89:01", all20); - - var select40 = linear_select([ - msg127, - msg128, - ]); - - var part139 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ - dup72, - ])); - - var msg129 = msg("90", part139); - - var part140 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ - dup72, - ])); - - var msg130 = msg("91", part140); - - var part141 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ - dup72, - ])); - - var msg131 = msg("92", part141); - - var part142 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic 
Code A%{}", processor_chain([ - dup1, - ])); - - var msg132 = msg("93", part142); - - var part143 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ - dup1, - ])); - - var msg133 = msg("94", part143); - - var part144 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ - dup1, - ])); - - var msg134 = msg("95", part144); - - var part145 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ - dup1, - ])); - - var msg135 = msg("96", part145); - - var part146 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ - dup1, - ])); - - var msg136 = msg("97", part146); - - var part147 = match("MESSAGE#135:97:01/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} %{p0}"); - - var part148 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); - - var part149 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); - - var select41 = linear_select([ - part148, - part149, - ]); - - var part150 = match_copy("MESSAGE#135:97:01/7", "nwparser.p0", "name"); - - var all21 = all_match({ - processors: [ - dup74, - dup189, - dup41, - dup183, - part147, - select41, - dup197, - part150, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg137 = msg("97:01", all21); - - var part151 = match("MESSAGE#136:97:02/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} result=%{result}"); - - var all22 = all_match({ - processors: [ - dup74, - dup189, - dup41, - dup183, - part151, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg138 = msg("97:02", all22); - - var part152 = match("MESSAGE#137:97:03/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); - - var part153 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{} %{name}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); - - var all23 = all_match({ - processors: [ - dup77, - dup189, - dup41, - 
dup183, - part152, - dup197, - part153, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg139 = msg("97:03", all23); - - var part154 = match("MESSAGE#138:97:04/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} %{p0}"); - - var part155 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{}arg= %{name}%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); - - var all24 = all_match({ - processors: [ - dup77, - dup189, - dup41, - dup183, - part154, - dup197, - part155, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg140 = msg("97:04", all24); - - var part156 = match("MESSAGE#139:97:05/4", "nwparser.p0", "proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); - - var all25 = all_match({ - processors: [ - dup74, - dup189, - dup41, - dup183, - part156, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg141 = msg("97:05", all25); - - var part157 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{p0}"); - - var part158 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{sinterface}:%{shost}dst=%{p0}"); - - var part159 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{sinterface}dst=%{p0}"); - - var select42 = linear_select([ - part158, - part159, - ]); - - var part160 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); - - var all26 = all_match({ - processors: [ - part157, - select42, - part160, - ], - on_success: processor_chain([ - dup78, - dup11, - ]), - }); - - var msg142 = msg("97:06", all26); - - var part161 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{p0}"); - - var part162 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{dinterface}:%{fld3->} srcMac=%{p0}"); - - var select43 = linear_select([ - part162, - dup79, - ]); - - var part163 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); - - var all27 = all_match({ - processors: [ - part161, - select43, - part163, - ], - on_success: processor_chain([ - dup78, - dup11, - ]), - }); - - var msg143 = msg("97:07", all27); - - var part164 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, - ])); - - var msg144 = msg("97:08", part164); - - var part165 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, - ])); - - var msg145 = msg("97:09", part165); - - var part166 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, - ])); - - var msg146 = 
msg("97:10", part166); - - var select44 = linear_select([ - msg136, - msg137, - msg138, - msg139, - msg140, - msg141, - msg142, - msg143, - msg144, - msg145, - msg146, - ]); - - var part167 = match("MESSAGE#145:98/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{p0}"); - - var part168 = match("MESSAGE#145:98/3_0", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); - - var part169 = match("MESSAGE#145:98/3_1", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes}"); - - var part170 = match("MESSAGE#145:98/3_2", "nwparser.p0", "%{dinterface} %{protocol}"); - - var select45 = linear_select([ - part168, - part169, - part170, - ]); - - var all28 = all_match({ - processors: [ - dup54, - dup193, - part167, - select45, - ], - on_success: processor_chain([ - dup78, - dup59, - setc("ec_activity","Stop"), - dup61, - dup62, - dup11, - setc("action","Opened"), - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg147 = msg("98", all28); - - var part171 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg148 = msg("98:07", part171); - - var part172 = match("MESSAGE#147:98:01/0", "nwparser.payload", "msg=\"%{msg}\"%{p0}"); - - var part173 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", " app=%{fld2->} sess=\"%{fld3}\"%{p0}"); - - var select46 = linear_select([ - part173, - dup56, - ]); - - var part174 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); - - var part175 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); - - var part176 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); - 
- var select47 = linear_select([ - part175, - part176, - ]); - - var part177 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); - - var part178 = match("MESSAGE#147:98:01/4_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); - - var part179 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); - - var select48 = linear_select([ - part177, - part178, - part179, - ]); - - var part180 = match("MESSAGE#147:98:01/5", "nwparser.p0", "%{} %{p0}"); - - var part181 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); - - var part182 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", "%{daddr->} %{p0}"); - - var select49 = linear_select([ - dup80, - part181, - part182, - ]); - - var part183 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); - - var part184 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes}"); - - var part185 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); - - var part186 = match("MESSAGE#147:98:01/7_3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); - - var select50 = linear_select([ - part183, - part184, - part185, - part186, - dup81, - dup43, - ]); - - var all29 = all_match({ - processors: [ - part172, - select46, - part174, - select47, - select48, - part180, - select49, - select50, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg149 = msg("98:01", all29); - - var part187 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "app=%{fld2->} appName=\"%{application}\" n=%{p0}"); - - var part188 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", "app=%{fld2->} n=%{p0}"); - - var part189 = match("MESSAGE#148:98:06/1_2", "nwparser.p0", "sess=%{fld2->} n=%{p0}"); - - var select51 = 
linear_select([ - part187, - part188, - part189, - ]); - - var part190 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{fld1->} %{p0}"); - - var part191 = match("MESSAGE#148:98:06/3_0", "nwparser.p0", "usr=%{username->} %{p0}"); - - var select52 = linear_select([ - part191, - dup56, - ]); - - var part192 = match("MESSAGE#148:98:06/4", "nwparser.p0", "src= %{saddr}:%{sport}:%{p0}"); - - var part193 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var part194 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var part195 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var select53 = linear_select([ - part193, - part194, - dup85, - part195, - ]); - - var part196 = match("MESSAGE#148:98:06/8", "nwparser.p0", "%{protocol->} %{p0}"); - - var part197 = match("MESSAGE#148:98:06/9_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); - - var part198 = match("MESSAGE#148:98:06/9_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); - - var part199 = match("MESSAGE#148:98:06/9_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); - - var part200 = match("MESSAGE#148:98:06/9_4", "nwparser.p0", "fw_action=\"%{action}\""); - - var select54 = linear_select([ - part197, - part198, - part199, - dup86, - part200, - ]); - - var all30 = all_match({ - processors: [ - dup82, - select51, - part190, - select52, - part192, - dup198, - dup17, - select53, - part196, - select54, - ], - on_success: processor_chain([ - dup78, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg150 = msg("98:06", all30); - - var part201 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); - - var all31 = all_match({ - processors: [ - part201, - 
dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg151 = msg("98:02", all31); - - var part202 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection%{}"); - - var part203 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}"); - - var select55 = linear_select([ - part202, - part203, - ]); - - var all32 = all_match({ - processors: [ - select55, - ], - on_success: processor_chain([ - dup1, - dup44, - ]), - }); - - var msg152 = msg("98:03", all32); - - var part204 = match("MESSAGE#151:98:04/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); - - var all33 = all_match({ - processors: [ - dup7, - dup185, - dup183, - part204, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg153 = msg("98:04", all33); - - var part205 = match("MESSAGE#152:98:05/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); - - var all34 = all_match({ - processors: [ - dup7, - dup185, - dup183, - part205, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg154 = msg("98:05", all34); - - var select56 = linear_select([ - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - ]); - - var part206 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup31, - dup11, - ])); - - var msg155 = msg("986", part206); - - var part207 = match("MESSAGE#154:427/3", "nwparser.p0", "note=\"%{event_description}\""); - - var all35 = all_match({ - processors: [ - dup73, - dup185, - dup183, - part207, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg156 = msg("427", all35); - - var part208 = match("MESSAGE#155:428/2", 
"nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); - - var all36 = all_match({ - processors: [ - dup87, - dup194, - part208, - ], - on_success: processor_chain([ - dup23, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg157 = msg("428", all36); - - var part209 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ - dup72, - ])); - - var msg158 = msg("99", part209); - - var part210 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ - dup72, - ])); - - var msg159 = msg("100", part210); - - var part211 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ - dup72, - ])); - - var msg160 = msg("101", part211); - - var part212 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ - dup72, - ])); - - var msg161 = msg("102", part212); - - var part213 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ - dup72, - ])); - - var msg162 = msg("103", part213); - - var part214 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ - dup72, - ])); - - var msg163 = msg("104", part214); - - var part215 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ - dup72, - ])); - - var msg164 = msg("105", part215); - - var part216 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ - dup71, - ])); - - var msg165 = msg("106", part216); - - var part217 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ - dup72, - ])); - - var msg166 = msg("107", part217); - - var part218 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ - dup72, - ])); - - var msg167 = msg("108", part218); - - var part219 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ - dup71, - ])); - - var msg168 = msg("109", part219); - - var part220 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ - dup72, - ])); - - var msg169 = msg("110", part220); - - var msg170 = msg("111:01", dup199); - - var part221 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ - dup72, - ])); - - var msg171 = msg("111", part221); - - var select57 = linear_select([ - msg170, - msg171, - ]); - - var part222 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ - dup72, - ])); - - var msg172 = msg("112", part222); - - var part223 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ - dup72, - ])); - - var msg173 = msg("113", part223); - - var part224 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ - dup72, - ])); - - var msg174 = msg("114", part224); - - var msg175 = msg("115:01", dup199); - - var part225 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ - dup72, - ])); - - var msg176 = msg("115", part225); - - var select58 = linear_select([ - msg175, - msg176, - ]); - - var part226 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ - dup72, - ])); - - var msg177 = msg("116", part226); - - var part227 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST 
(Rebooting).%{}", processor_chain([ - dup72, - ])); - - var msg178 = msg("117", part227); - - var part228 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ - dup72, - ])); - - var msg179 = msg("118", part228); - - var part229 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ - dup71, - ])); - - var msg180 = msg("119", part229); - - var part230 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ - dup71, - ])); - - var msg181 = msg("120", part230); - - var part231 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ - dup72, - ])); - - var msg182 = msg("121", part231); - - var part232 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ - dup71, - ])); - - var msg183 = msg("122", part232); - - var part233 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ - dup71, - ])); - - var msg184 = msg("123", part233); - - var part234 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ - dup72, - ])); - - var msg185 = msg("124", part234); - - var part235 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ - dup72, - ])); - - var msg186 = msg("125", part235); - - var part236 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup89, - dup11, - ])); - - var msg187 = msg("1254", part236); - - 
var part237 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg188 = msg("1256", part237); - - var part238 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup89, - dup11, - ])); - - var msg189 = msg("1257", part238); - - var part239 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ - dup72, - ])); - - var msg190 = msg("126", part239); - - var part240 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ - dup72, - ])); - - var msg191 = msg("127", part240); - - var part241 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ - dup5, - ])); - - var msg192 = msg("128", part241); - - var part242 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ - dup5, - ])); - - var msg193 = msg("129", part242); - - var part243 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ - dup1, - ])); - - var msg194 = msg("130", part243); - - var part244 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ - dup1, - ])); - - var msg195 = msg("131", part244); - - var part245 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", 
processor_chain([ - dup1, - ])); - - var msg196 = msg("132", part245); - - var part246 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ - dup1, - ])); - - var msg197 = msg("133", part246); - - var part247 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ - dup1, - ])); - - var msg198 = msg("134", part247); - - var part248 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ - dup90, - ])); - - var msg199 = msg("135", part248); - - var part249 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ - dup90, - ])); - - var msg200 = msg("136", part249); - - var part250 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ - dup3, - ])); - - var msg201 = msg("137", part250); - - var part251 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ - dup3, - ])); - - var msg202 = msg("138", part251); - - var part252 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ - dup5, - ])); - - var msg203 = msg("139", part252); - - var all37 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1801020100"), - ]), - }); - - var msg204 = msg("139:01", all37); - - var select59 = linear_select([ - msg203, - msg204, - ]); - - var msg205 = msg("140", dup239); - - var msg206 = msg("141", dup239); - - var part253 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ - dup1, - ])); - - var msg207 = msg("142", part253); - - var part254 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ - dup1, - ])); - - var msg208 = msg("143", part254); - - var part255 = match("MESSAGE#207:1431", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, - ])); - - var msg209 = msg("1431", part255); - - var part256 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ - dup1, - ])); - - var msg210 = msg("144", part256); - - var part257 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ - dup1, - ])); - - var msg211 = msg("145", part257); - - var part258 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ - dup92, - ])); - - var msg212 = msg("146", part258); - - var part259 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ - dup92, - ])); - - var msg213 = msg("147", part259); - - var part260 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ - dup1, - ])); - - var msg214 = msg("148", part260); - - var part261 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - setc("eventcategory","1204010000"), - dup11, - ])); - - var msg215 = msg("1480", part261); - - var part262 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ - dup1, - ])); - - var msg216 = msg("149", part262); - - var part263 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ - dup1, - ])); - - var msg217 = msg("150", part263); - - var part264 = match("MESSAGE#216:151", "nwparser.payload", 
"Primary firewall preempting Backup%{}", processor_chain([ - dup1, - ])); - - var msg218 = msg("151", part264); - - var part265 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ - dup1, - ])); - - var msg219 = msg("152", part265); - - var part266 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ - setc("eventcategory","1603010000"), - ])); - - var msg220 = msg("153", part266); - - var part267 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ - dup64, - ])); - - var msg221 = msg("154", part267); - - var part268 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ - dup92, - ])); - - var msg222 = msg("155", part268); - - var part269 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ - dup92, - ])); - - var msg223 = msg("156", part269); - - var part270 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ - dup1, - ])); - - var msg224 = msg("157:01", part270); - - var part271 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ - dup5, - ])); - - var msg225 = msg("157", part271); - - var select60 = linear_select([ - msg224, - msg225, - ]); - - var part272 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ - dup92, - ])); - - var msg226 = msg("158", part272); - - var part273 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ - dup5, - ])); - - var msg227 = msg("159", part273); - - var part274 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ - 
setc("eventcategory","1203000000"), - ])); - - var msg228 = msg("160", part274); - - var part275 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ - dup65, - ])); - - var msg229 = msg("161", part275); - - var part276 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ - dup33, - ])); - - var msg230 = msg("162", part276); - - var part277 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ - dup5, - ])); - - var msg231 = msg("163", part277); - - var part278 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ - dup5, - ])); - - var msg232 = msg("164", part278); - - var part279 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ - dup1, - ])); - - var msg233 = msg("165", part279); - - var part280 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ - dup12, - ])); - - var msg234 = msg("166", part280); - - var part281 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ - dup12, - ])); - - var msg235 = msg("167", part281); - - var part282 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ - dup12, - ])); - - var msg236 = msg("168", part282); - - var part283 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ - dup1, - ])); - - var msg237 = msg("169", part283); - - var part284 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ - dup1, - ])); - - var msg238 = msg("170", part284); - - var part285 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", 
processor_chain([ - dup70, - ])); - - var msg239 = msg("171", part285); - - var part286 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup93, - ])); - - var msg240 = msg("171:01", part286); - - var part287 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ - dup93, - ])); - - var msg241 = msg("171:02", part287); - - var part288 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); - - var all38 = all_match({ - processors: [ - part288, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup93, - ]), - }); - - var msg242 = msg("171:03", all38); - - var select61 = linear_select([ - msg239, - msg240, - msg241, - msg242, - ]); - - var part289 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ - dup70, - ])); - - var msg243 = msg("172", part289); - - var part290 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - dup70, - ])); - - var msg244 = msg("172:01", part290); - - var select62 = linear_select([ - msg243, - msg244, - ]); - - var part291 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ - dup70, - ])); - - var msg245 = msg("173", part291); - - var part292 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ - dup67, - ])); - - var msg246 = msg("174", part292); - - var all39 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var msg247 = msg("174:01", all39); - - var all40 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup187, - ], - on_success: processor_chain([ - dup12, - ]), - }); - - var msg248 = msg("174:02", all40); - - var 
all41 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup191, - dup50, - ], - on_success: processor_chain([ - dup12, - ]), - }); - - var msg249 = msg("174:03", all41); - - var select63 = linear_select([ - msg246, - msg247, - msg248, - msg249, - ]); - - var part293 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ - dup67, - ])); - - var msg250 = msg("175", part293); - - var part294 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ - dup67, - ])); - - var msg251 = msg("175:01", part294); - - var part295 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ - dup67, - ])); - - var msg252 = msg("175:02", part295); - - var select64 = linear_select([ - msg250, - msg251, - msg252, - ]); - - var part296 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ - dup93, - ])); - - var msg253 = msg("176", part296); - - var msg254 = msg("177", dup196); - - var msg255 = msg("178", dup201); - - var msg256 = msg("179", dup196); - - var all42 = all_match({ - processors: [ - dup34, - dup185, - dup187, - ], - on_success: processor_chain([ - dup97, - ]), - }); - - var msg257 = msg("180", all42); - - var all43 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup202, - dup100, - ], - on_success: processor_chain([ - dup97, - ]), - }); - - var msg258 = msg("180:01", all43); - - var select65 = linear_select([ - msg257, - msg258, - ]); - - var msg259 = msg("181", dup195); - - var all44 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup70, - ]), - }); - - var msg260 = msg("181:01", all44); - - var select66 = linear_select([ - msg259, - msg260, - ]); - - var 
msg261 = msg("193", dup240); - - var msg262 = msg("194", dup241); - - var msg263 = msg("195", dup241); - - var part297 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); - - var all45 = all_match({ - processors: [ - part297, - dup204, - dup105, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg264 = msg("196", all45); - - var all46 = all_match({ - processors: [ - dup101, - dup204, - dup105, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg265 = msg("196:01", all46); - - var select67 = linear_select([ - msg264, - msg265, - ]); - - var msg266 = msg("199", dup242); - - var msg267 = msg("200", dup243); - - var part298 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup30, - ])); - - var msg268 = msg("235:02", part298); - - var part299 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); - - var all47 = all_match({ - processors: [ - part299, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var msg269 = msg("235", all47); - - var msg270 = msg("235:01", dup244); - - var select68 = linear_select([ - msg268, - msg269, - msg270, - ]); - - var msg271 = msg("236", dup244); - - var msg272 = msg("237", dup242); - - var msg273 = msg("238", dup242); - - var part300 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ - dup107, - ])); - - var msg274 = msg("239", part300); - - var part301 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ - dup107, - ])); - - var msg275 = msg("240", part301); - - var part302 = 
match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup78, - ])); - - var msg276 = msg("241", part302); - - var part303 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup78, - ])); - - var msg277 = msg("241:01", part303); - - var select69 = linear_select([ - msg276, - msg277, - ]); - - var part304 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); - - var part305 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); - - var select70 = linear_select([ - part304, - part305, - dup40, - ]); - - var part306 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}::"); - - var part307 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport}"); - - var select71 = linear_select([ - part306, - part307, - dup36, - ]); - - var all48 = all_match({ - processors: [ - dup51, - select70, - dup41, - select71, - ], - on_success: processor_chain([ - dup78, - ]), - }); - - var msg278 = msg("242", all48); - - var msg279 = msg("252", dup205); - - var msg280 = msg("255", dup205); - - var msg281 = msg("257", dup205); - - var msg282 = msg("261:01", dup245); - - var msg283 = msg("261", dup205); - - var select72 = linear_select([ - msg282, - msg283, - ]); - - var msg284 = msg("262", dup245); - - var all49 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg285 = msg("273", all49); - - var msg286 = msg("328", dup246); - - var msg287 = msg("329", dup243); - - var msg288 = msg("346", dup205); - - var msg289 = msg("350", dup205); - - var msg290 = msg("351", dup205); - - var msg291 = msg("352", dup205); - - var msg292 = msg("353:01", dup201); - - var part308 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} 
dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ - dup5, - ])); - - var msg293 = msg("353", part308); - - var select73 = linear_select([ - msg292, - msg293, - ]); - - var part309 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ - dup1, - ])); - - var msg294 = msg("354", part309); - - var msg295 = msg("355", dup206); - - var msg296 = msg("355:01", dup205); - - var select74 = linear_select([ - msg295, - msg296, - ]); - - var msg297 = msg("356", dup207); - - var part310 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ - dup93, - ])); - - var msg298 = msg("357", part310); - - var part311 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup93, - ])); - - var msg299 = msg("357:01", part311); - - var select75 = linear_select([ - msg298, - msg299, - ]); - - var msg300 = msg("358", dup208); - - var part312 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ - setc("eventcategory","1503000000"), - ])); - - var msg301 = msg("371", part312); - - var msg302 = msg("371:01", dup209); - - var select76 = linear_select([ - msg301, - msg302, - ]); - - var msg303 = msg("372", dup205); - - var msg304 = msg("373", dup207); - - var msg305 = msg("401", dup247); - - var msg306 = msg("402", dup247); - - var msg307 = msg("406", dup208); - - var part313 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup1, - ])); - - var msg308 = msg("413", part313); - - var msg309 = msg("414", dup205); - - var msg310 = msg("438", dup248); 
- - var msg311 = msg("439", dup248); - - var all50 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1501020000"), - ]), - }); - - var msg312 = msg("440", all50); - - var all51 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1502050000"), - ]), - }); - - var msg313 = msg("441", all51); - - var part314 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - setc("eventcategory","1001020000"), - ])); - - var msg314 = msg("441:01", part314); - - var select77 = linear_select([ - msg313, - msg314, - ]); - - var all52 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1501030000"), - ]), - }); - - var msg315 = msg("442", all52); - - var part315 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); - - var part316 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); - - var part317 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); - - var select78 = linear_select([ - part316, - part317, - ]); - - var part318 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var all53 = all_match({ - processors: [ - part315, - select78, - part318, - dup211, - dup119, - ], - on_success: processor_chain([ - dup67, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg316 = msg("446", all53); - - var part319 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ - dup120, - dup59, - 
dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg317 = msg("477", part319); - - var all54 = all_match({ - processors: [ - dup73, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var msg318 = msg("509", all54); - - var all55 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup109, - ]), - }); - - var msg319 = msg("520", all55); - - var msg320 = msg("522", dup249); - - var part320 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); - - var part321 = match("MESSAGE#318:522:01/2", "nwparser.p0", "dstV6=%{daddr_v6->} dst= %{p0}"); - - var all56 = all_match({ - processors: [ - part320, - dup189, - part321, - dup183, - dup121, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg321 = msg("522:01", all56); - - var part322 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); - - var select79 = linear_select([ - part322, - dup46, - ]); - - var all57 = all_match({ - processors: [ - dup45, - select79, - dup17, - dup183, - dup121, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg322 = msg("522:02", all57); - - var select80 = linear_select([ - msg320, - msg321, - msg322, - ]); - - var msg323 = msg("523", dup249); - - var all58 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup17, - dup212, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg324 = msg("524", all58); - - var part323 = match("MESSAGE#322:524:01/4_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); - - var part324 = match("MESSAGE#322:524:01/4_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); - - var select81 = linear_select([ - part323, - part324, - ]); - - var all59 = all_match({ - processors: [ - dup7, - dup185, - dup183, - dup17, - select81, - dup47, - ], - on_success: 
processor_chain([ - dup1, - ]), - }); - - var msg325 = msg("524:01", all59); - - var part325 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{rule}\"%{p0}"); - - var part326 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", " note=\"%{rulename}\"%{p0}"); - - var select82 = linear_select([ - part326, - dup56, - ]); - - var part327 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); - - var all60 = all_match({ - processors: [ - part325, - select82, - part327, - ], - on_success: processor_chain([ - dup6, - dup11, - ]), - }); - - var msg326 = msg("524:02", all60); - - var select83 = linear_select([ - msg324, - msg325, - msg326, - ]); - - var msg327 = msg("526", dup250); - - var part328 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); - - var select84 = linear_select([ - dup26, - part328, - dup46, - ]); - - var part329 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", "%{daddr}"); - - var select85 = linear_select([ - dup35, - part329, - ]); - - var all61 = all_match({ - processors: [ - dup73, - select84, - dup17, - select85, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg328 = msg("526:01", all61); - - var all62 = all_match({ - processors: [ - dup7, - dup213, - dup183, - dup121, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg329 = msg("526:02", all62); - - var part330 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, - ])); - - var msg330 = msg("526:03", part330); - - var part331 = 
match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, - ])); - - var msg331 = msg("526:04", part331); - - var part332 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, - ])); - - var msg332 = msg("526:05", part332); - - var select86 = linear_select([ - msg327, - msg328, - msg329, - msg330, - msg331, - msg332, - ]); - - var part333 = match("MESSAGE#330:537:01/4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); - - var part334 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3}"); - - var select87 = linear_select([ - part334, - dup123, - ]); - - var all63 = all_match({ - processors: [ - dup122, - dup214, - dup17, - dup215, - part333, - select87, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg333 = msg("537:01", all63); - - var all64 = all_match({ - processors: [ - dup122, - dup214, - dup17, - dup215, - dup81, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg334 = msg("537:02", all64); - - var part335 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); - - var part336 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - - var part337 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", "%{saddr->} %{daddr}srcMac=%{p0}"); - - var select88 = linear_select([ - part335, - part336, - part337, - ]); - - var part338 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); - - var 
part339 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); - - var part340 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", "proto=%{protocol->} sent=%{p0}"); - - var select89 = linear_select([ - part339, - part340, - ]); - - var part341 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\""); - - var part342 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\""); - - var select90 = linear_select([ - part341, - dup131, - part342, - dup132, - dup133, - ]); - - var all65 = all_match({ - processors: [ - dup54, - dup216, - dup217, - select88, - part338, - select89, - dup218, - select90, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg335 = msg("537:08", all65); - - var select91 = linear_select([ - dup125, - dup124, - dup126, - dup38, - ]); - - var part343 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); - - var part344 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); - - var part345 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", "%{saddr->} %{daddr}dstMac=%{p0}"); - - var select92 = linear_select([ - part343, - part344, - part345, - ]); - - var part346 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); - - var part347 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", "%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); - - var select93 = linear_select([ - part347, - dup131, - dup132, - dup133, - ]); - - var all66 = all_match({ - processors: [ - dup54, - select91, - dup217, - select92, - part346, - dup218, - select93, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg336 = msg("537:09", 
all66); - - var part348 = match("MESSAGE#334:537:07/3_0", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); - - var part349 = match("MESSAGE#334:537:07/3_1", "nwparser.p0", "%{saddr} %{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); - - var part350 = match("MESSAGE#334:537:07/3_2", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7}"); - - var part351 = match("MESSAGE#334:537:07/3_3", "nwparser.p0", "%{saddr} %{fld3->} fw_action=\"%{action}\""); - - var part352 = match("MESSAGE#334:537:07/3_4", "nwparser.p0", "%{saddr} %{fld3}"); - - var select94 = linear_select([ - part348, - part349, - part350, - part351, - part352, - ]); - - var all67 = all_match({ - processors: [ - dup54, - dup216, - dup217, - select94, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg337 = msg("537:07", all67); - - var part353 = match("MESSAGE#335:537/0", "nwparser.payload", "msg=\"%{action}\"%{p0}"); - - var part354 = match("MESSAGE#335:537/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"%{p0}"); - - var select95 = linear_select([ - part354, - dup56, - ]); - - var part355 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); - - var part356 = match("MESSAGE#335:537/3_0", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); - - var part357 = match("MESSAGE#335:537/3_1", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}: proto=%{p0}"); - - var part358 = match("MESSAGE#335:537/3_2", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var part359 = match("MESSAGE#335:537/3_3", "nwparser.p0", "%{saddr}%{daddr->} proto=%{p0}"); - - var select96 = linear_select([ - part356, - part357, - part358, - part359, - ]); - - var part360 = match("MESSAGE#335:537/4", "nwparser.p0", "%{protocol->} sent=%{p0}"); - - var part361 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} 
rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); - - var part362 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); - - var part363 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); - - var part364 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); - - var part365 = match_copy("MESSAGE#335:537/5_4", "nwparser.p0", "sbytes"); - - var select97 = linear_select([ - part361, - part362, - part363, - part364, - part365, - ]); - - var all68 = all_match({ - processors: [ - part353, - select95, - part355, - select96, - part360, - select97, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg338 = msg("537", all68); - - var part366 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); - - var all69 = all_match({ - processors: [ - dup134, - dup190, - dup17, - dup219, - part366, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg339 = msg("537:04", all69); - - var part367 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{fld4->} %{p0}"); - - var part368 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); - - var part369 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "npcs= %{p0}"); - - var select98 = linear_select([ - part368, - part369, - ]); - - var all70 = all_match({ - processors: [ - dup134, - dup190, - dup17, - dup219, - part367, - select98, - dup96, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg340 = msg("537:05", all70); - - var part370 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{fld2->} %{p0}"); - - var part371 = match("MESSAGE#338:537:10/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} 
dstMac=%{p0}"); - - var part372 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); - - var part373 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); - - var select99 = linear_select([ - part371, - part372, - part373, - ]); - - var part374 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); - - var all71 = all_match({ - processors: [ - part370, - dup220, - dup139, - dup221, - select99, - part374, - dup222, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg341 = msg("537:10", all71); - - var part375 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} %{p0}"); - - var part376 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var part377 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); - - var select100 = linear_select([ - dup85, - part376, - part377, - ]); - - var part378 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); - - var all72 = all_match({ - processors: [ - part375, - dup220, - dup139, - dup221, - select100, - part378, - dup222, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg342 = msg("537:03", all72); - - var part379 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); - - var all73 = all_match({ - processors: [ - dup134, - dup190, - dup17, - dup219, - part379, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg343 = msg("537:06", all73); - - var part380 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup111, - dup62, - dup11, - dup144, - ])); - - var msg344 = msg("537:11", part380); - - var part381 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup111, - dup62, - dup11, - dup144, - ])); - - var msg345 = msg("537:12", part381); - - var select101 = linear_select([ - msg333, - msg334, - msg335, - msg336, - msg337, - msg338, - msg339, - msg340, - msg341, - msg342, - msg343, - msg344, - msg345, - ]); - - var msg346 = msg("538", dup240); - - var msg347 = msg("549", dup243); - - var msg348 = msg("557", dup243); - - var all74 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1402020200"), - ]), - }); - - var msg349 = msg("558", all74); - - var msg350 = msg("561", dup246); - - var msg351 = msg("562", dup246); - - var msg352 = msg("563", dup246); - - var all75 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1402020400"), - ]), - }); - - var msg353 = msg("583", all75); - - var part382 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ - dup145, - dup59, - dup146, - dup61, - dup62, - dup11, - dup147, - dup18, - dup19, - dup20, - dup21, - dup22, 
- ])); - - var msg354 = msg("597:01", part382); - - var part383 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ - dup1, - ])); - - var msg355 = msg("597:02", part383); - - var part384 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{saddr}:%{sport}:%{p0}"); - - var part385 = match("MESSAGE#353:597:03/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); - - var all76 = all_match({ - processors: [ - part384, - dup198, - part385, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg356 = msg("597:03", all76); - - var select102 = linear_select([ - msg354, - msg355, - msg356, - ]); - - var part386 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ - dup1, - ])); - - var msg357 = msg("598", part386); - - var part387 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{type->} npcs=%{info}"); - - var all77 = all_match({ - processors: [ - dup148, - dup192, - part387, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg358 = msg("598:01", all77); - - var all78 = all_match({ - processors: [ - dup148, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg359 = msg("598:02", all78); - - var select103 = linear_select([ - msg357, - msg358, - msg359, - ]); - - var part388 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ - dup145, - dup59, - dup146, - dup61, - dup62, - dup11, - dup147, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg360 = msg("602:01", 
part388); - - var msg361 = msg("602:02", dup250); - - var all79 = all_match({ - processors: [ - dup7, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg362 = msg("602:03", all79); - - var select104 = linear_select([ - msg360, - msg361, - msg362, - ]); - - var msg363 = msg("605", dup208); - - var all80 = all_match({ - processors: [ - dup149, - dup223, - dup152, - dup211, - dup119, - ], - on_success: processor_chain([ - dup93, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg364 = msg("606", all80); - - var part389 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); - - var part390 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); - - var part391 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); - - var select105 = linear_select([ - part390, - part391, - ]); - - var part392 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); - - var part393 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); - - var part394 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); - - var select106 = linear_select([ - part393, - part394, - ]); - - var part395 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); - - var select107 = linear_select([ - part395, - dup154, - dup155, - ]); - - var all81 = all_match({ - processors: [ - part389, - select105, - part392, - select106, - dup153, - select107, - ], - on_success: processor_chain([ - dup1, - dup44, - ]), - }); - - var msg365 = msg("608", all81); - - var msg366 = msg("616", dup206); - - var msg367 = msg("658", dup201); - - var msg368 = msg("710", dup224); - - var msg369 = msg("712:02", dup251); - - var msg370 = msg("712", dup224); - - var all82 = all_match({ - processors: [ - dup7, - dup182, - dup10, - 
dup202, - dup100, - ], - on_success: processor_chain([ - dup156, - ]), - }); - - var msg371 = msg("712:01", all82); - - var select108 = linear_select([ - msg369, - msg370, - msg371, - ]); - - var part396 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg372 = msg("713:01", part396); - - var msg373 = msg("713:04", dup251); - - var msg374 = msg("713:02", dup224); - - var part397 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg375 = msg("713:03", part397); - - var select109 = linear_select([ - msg372, - msg373, - msg374, - msg375, - ]); - - var part398 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ - dup120, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg376 = msg("760", part398); - - var part399 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var part400 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{action->} npcs=%{info}"); - - var all83 = all_match({ - processors: [ - part399, - dup182, - dup10, - dup202, - part400, - ], - on_success: processor_chain([ - dup120, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - 
dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg377 = msg("760:01", all83); - - var select110 = linear_select([ - msg376, - msg377, - ]); - - var msg378 = msg("766", dup228); - - var msg379 = msg("860", dup228); - - var msg380 = msg("860:01", dup229); - - var select111 = linear_select([ - msg379, - msg380, - ]); - - var part401 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); - - var part402 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); - - var part403 = match_copy("MESSAGE#378:866/1_1", "nwparser.p0", "ntype"); - - var select112 = linear_select([ - part402, - part403, - ]); - - var all84 = all_match({ - processors: [ - part401, - select112, - ], - on_success: processor_chain([ - dup5, - dup44, - ]), - }); - - var msg381 = msg("866", all84); - - var msg382 = msg("866:01", dup229); - - var select113 = linear_select([ - msg381, - msg382, - ]); - - var msg383 = msg("867", dup228); - - var msg384 = msg("867:01", dup229); - - var select114 = linear_select([ - msg383, - msg384, - ]); - - var part404 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup1, - ])); - - var msg385 = msg("882", part404); - - var part405 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ - dup1, - ])); - - var msg386 = msg("882:01", part405); - - var select115 = linear_select([ - msg385, - msg386, - ]); - - var part406 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ - dup165, - ])); - - var msg387 = msg("888", part406); - - var part407 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ - dup165, - ])); - - var msg388 = msg("888:01", part407); - - var select116 = linear_select([ - msg387, - msg388, - ]); - - var all85 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup165, - ]), - }); - - var msg389 = msg("892", all85); - - var msg390 = msg("904", dup228); - - var msg391 = msg("905", dup228); - - var msg392 = msg("906", dup228); - - var msg393 = msg("907", dup228); - - var part408 = match("MESSAGE#391:908/1_0", "nwparser.p0", "%{sinterface}:%{shost->} dst=%{p0}"); - - var select117 = linear_select([ - part408, - dup167, - ]); - - var all86 = all_match({ - processors: [ - dup166, - select117, - dup168, - dup223, - dup169, - dup211, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg394 = msg("908", all86); - - var msg395 = msg("909", dup228); - - var msg396 = msg("914", dup230); - - var part409 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup72, - ])); - - var msg397 = msg("931", part409); - - var msg398 = msg("657", dup230); - - var all87 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg399 = msg("657:01", all87); - - var select118 = linear_select([ - msg398, - msg399, - ]); - - var msg400 = msg("403", dup209); - - var msg401 = msg("534", dup184); - - var msg402 = msg("994", dup231); - - var part410 = 
match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ - dup1, - dup24, - ])); - - var msg403 = msg("243", part410); - - var msg404 = msg("995", dup184); - - var part411 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ - dup1, - dup59, - dup61, - dup62, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg405 = msg("997", part411); - - var msg406 = msg("998", dup231); - - var part412 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup111, - dup11, - ])); - - var msg407 = msg("998:01", part412); - - var select119 = linear_select([ - msg406, - msg407, - ]); - - var msg408 = msg("1110", dup232); - - var msg409 = msg("565", dup232); - - var part413 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup62, - ])); - - var msg410 = msg("404", part413); - - var part414 = match("MESSAGE#409:267:01/1_0", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); - - var select120 = linear_select([ - part414, - dup58, - ]); - - var part415 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); - - var all88 = all_match({ - processors: [ - dup87, - select120, - part415, - ], - on_success: processor_chain([ - dup111, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, 
- ]), - }); - - var msg411 = msg("267:01", all88); - - var part416 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ - dup1, - dup62, - ])); - - var msg412 = msg("267", part416); - - var select121 = linear_select([ - msg411, - msg412, - ]); - - var part417 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ - dup1, - dup24, - ])); - - var msg413 = msg("263", part417); - - var part418 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup109, - dup11, - ])); - - var msg414 = msg("264", part418); - - var msg415 = msg("412", dup209); - - var part419 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ - dup1, - dup24, - ])); - - var msg416 = msg("793", part419); - - var part420 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ - dup1, - dup24, - ])); - - var msg417 = msg("805", part420); - - var part421 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup170, - dup11, - ])); - - var msg418 = msg("809", part421); - - var part422 = match("MESSAGE#418:809:01", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup170, - dup11, - ])); - - var msg419 = msg("809:01", part422); - - var select122 = linear_select([ - msg418, - msg419, - ]); - - var msg420 = msg("935", dup230); - - var msg421 = msg("614", dup233); - - var part423 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var all89 = all_match({ - processors: [ - part423, - dup211, - dup119, - ], - on_success: processor_chain([ - dup66, - dup44, - ]), - }); - - var msg422 = msg("748", all89); - - var part424 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var part425 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); - - var select123 = linear_select([ - part425, - dup118, - ]); - - var all90 = all_match({ - processors: [ - part424, - select123, - dup119, - ], - on_success: processor_chain([ - dup171, - dup44, - ]), - }); - - var msg423 = msg("794", all90); - - var msg424 = msg("1086", dup233); - - var part426 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup171, - dup44, - ])); - - var msg425 = msg("1430", part426); - - var msg426 = msg("1149", dup233); - - var msg427 = msg("1159", dup233); - - var part427 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup171, - 
dup44, - ])); - - var msg428 = msg("1195", part427); - - var part428 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ - dup171, - dup44, - ])); - - var msg429 = msg("1195:01", part428); - - var select124 = linear_select([ - msg428, - msg429, - ]); - - var part429 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup5, - dup44, - ])); - - var msg430 = msg("1226", part429); - - var part430 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ - dup5, - dup44, - ])); - - var msg431 = msg("1222", part430); - - var part431 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ - dup1, - dup24, - ])); - - var msg432 = msg("1154", part431); - - var part432 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); - - var all91 = all_match({ - processors: [ - part432, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - dup24, - ]), - }); - - var msg433 = msg("1154:01", all91); - - var part433 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup172, - dup11, - ])); - - var msg434 = msg("1154:02", part433); - - var part434 = match("MESSAGE#434:1154:03/0", 
"nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); - - var part435 = match("MESSAGE#434:1154:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac=%{p0}"); - - var select125 = linear_select([ - part435, - dup79, - ]); - - var part436 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); - - var all92 = all_match({ - processors: [ - part434, - select125, - part436, - ], - on_success: processor_chain([ - dup172, - dup11, - ]), - }); - - var msg435 = msg("1154:03", all92); - - var select126 = linear_select([ - msg432, - msg433, - msg434, - msg435, - ]); - - var part437 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ - dup173, - ])); - - var msg436 = msg("msg", part437); - - var part438 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ - dup173, - ])); - - var msg437 = msg("src", part438); - - var all93 = all_match({ - processors: [ - dup7, - dup185, - dup183, - dup17, - dup212, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg438 = msg("1235", all93); - - var part439 = match("MESSAGE#438:1197/4", "nwparser.p0", "\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); - - var all94 = all_match({ - processors: [ - dup7, - dup185, - dup10, - dup202, - part439, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg439 = msg("1197", all94); - - var part440 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var all95 = all_match({ - processors: [ - part440, - dup185, - dup174, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg440 = msg("1199", all95); - - var part441 = 
match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup175, - dup11, - ])); - - var msg441 = msg("1199:01", part441); - - var part442 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup175, - dup11, - ])); - - var msg442 = msg("1199:02", part442); - - var select127 = linear_select([ - msg440, - msg441, - msg442, - ]); - - var part443 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); - - var all96 = all_match({ - processors: [ - part443, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg443 = msg("1155", all96); - - var part444 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ - dup111, - ])); - - var msg444 = msg("1155:01", part444); - - var select128 = linear_select([ - msg443, - msg444, - ]); - - var all97 = all_match({ - processors: [ - dup176, - dup213, - dup174, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg445 = msg("1198", all97); - - var all98 = all_match({ - processors: [ - dup7, - dup185, - dup174, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg446 = msg("714", all98); - - var msg447 = 
msg("709", dup252); - - var msg448 = msg("1005", dup252); - - var msg449 = msg("1003", dup252); - - var msg450 = msg("1007", dup253); - - var part445 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup109, - dup11, - ])); - - var msg451 = msg("1008", part445); - - var msg452 = msg("708", dup253); - - var all99 = all_match({ - processors: [ - dup176, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg453 = msg("1201", all99); - - var msg454 = msg("1201:01", dup253); - - var select129 = linear_select([ - msg453, - msg454, - ]); - - var msg455 = msg("654", dup234); - - var msg456 = msg("670", dup234); - - var msg457 = msg("884", dup253); - - var part446 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ - dup1, - ])); - - var msg458 = msg("1153", part446); - - var part447 = match("MESSAGE#458:1153:01/1_0", "nwparser.p0", " app=%{fld1->} sess=%{fld2->} n=%{p0}"); - - var part448 = match("MESSAGE#458:1153:01/1_1", "nwparser.p0", " sess=%{fld2->} n=%{p0}"); - - var part449 = match("MESSAGE#458:1153:01/1_2", "nwparser.p0", " n=%{p0}"); - - var select130 = linear_select([ - part447, - part448, - part449, - ]); - - var part450 = match("MESSAGE#458:1153:01/2", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); - - var part451 = match("MESSAGE#458:1153:01/3_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); - - var select131 = linear_select([ - part451, - dup26, - ]); - - var part452 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); - - var part453 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); - - var part454 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); - - var select132 = linear_select([ - part452, - part453, - part454, - ]); - - var part455 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); - - var part456 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{p0}"); - - var part457 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{p0}"); - - var part458 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{p0}"); - - var select133 = linear_select([ - part456, - part457, - part458, - ]); - - var all100 = all_match({ - processors: [ - dup54, - select130, - part450, - select131, - select132, - part455, - select133, - dup123, - ], - on_success: processor_chain([ - dup1, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg459 = msg("1153:01", all100); - - var part459 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); - - var part460 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", "n=%{fld2->} src=%{p0}"); - - var select134 = linear_select([ - part459, - part460, - ]); - - var part461 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); - - var all101 = all_match({ - processors: [ - dup82, - select134, - part461, - ], - on_success: processor_chain([ - dup1, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg460 = msg("1153:02", all101); - - var select135 = linear_select([ - msg458, - msg459, - msg460, - ]); - - var part462 = match("MESSAGE#460:1107", "nwparser.payload", 
"msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ - dup1, - ])); - - var msg461 = msg("1107", part462); - - var part463 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); - - var part464 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var part465 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst= %{p0}"); - - var select136 = linear_select([ - part464, - part465, - ]); - - var all102 = all_match({ - processors: [ - part463, - select136, - dup153, - dup235, - dup179, - ], - on_success: processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg462 = msg("1220", all102); - - var all103 = all_match({ - processors: [ - dup149, - dup235, - dup179, - ], - on_success: processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg463 = msg("1230", all103); - - var part466 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ - dup1, - ])); - - var msg464 = msg("1231", part466); - - var part467 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup175, - dup11, - ])); - - var msg465 = msg("1233", part467); - - var part468 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); - - var part469 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); - - var part470 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); - - var select137 = linear_select([ - part469, - part470, - ]); - - var part471 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); - - var part472 = match("MESSAGE#465:1079/3_0", 
"nwparser.p0", "dur=%{duration->} %{space}n=%{p0}"); - - var part473 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{p0}"); - - var select138 = linear_select([ - part472, - part473, - dup38, - ]); - - var part474 = match_copy("MESSAGE#465:1079/4", "nwparser.p0", "fld1"); - - var all104 = all_match({ - processors: [ - part468, - select137, - part471, - select138, - part474, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg466 = msg("1079", all104); - - var part475 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ - dup1, - ])); - - var msg467 = msg("1079:01", part475); - - var part476 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ - dup1, - dup11, - setc("event_description","destination is not allowed by access control"), - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg468 = msg("1079:02", part476); - - var part477 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ - dup1, - dup11, - setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg469 = msg("1079:03", part477); - - var select139 = linear_select([ - msg466, - msg467, - msg468, - msg469, - ]); - - var part478 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); - - var part479 = match("MESSAGE#469:1080/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var select140 = linear_select([ - dup8, - part479, - ]); - - var part480 = match("MESSAGE#469:1080/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); - - var select141 = 
linear_select([ - dup135, - part480, - ]); - - var part481 = match_copy("MESSAGE#469:1080/3", "nwparser.p0", "protocol"); - - var all105 = all_match({ - processors: [ - part478, - select140, - select141, - part481, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg470 = msg("1080", all105); - - var part482 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg471 = msg("580", part482); - - var part483 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); - - var all106 = all_match({ - processors: [ - part483, - dup236, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg472 = msg("1369", all106); - - var all107 = all_match({ - processors: [ - dup149, - dup223, - dup152, - dup236, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg473 = msg("1370", all107); - - var all108 = all_match({ - processors: [ - dup149, - dup223, - dup169, - dup211, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg474 = msg("1371", all108); - - var part484 = match("MESSAGE#474:1387/1_1", "nwparser.p0", " dst=%{p0}"); - - var select142 = linear_select([ - dup167, - part484, - ]); - - var all109 = all_match({ - processors: [ - dup166, - select142, - dup168, - dup223, - dup169, - dup211, - dup119, - ], - on_success: processor_chain([ - dup165, - dup62, 
- dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg475 = msg("1387", all109); - - var part485 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{saddr}:%{p0}"); - - var part486 = match("MESSAGE#475:1391/1_0", "nwparser.p0", "%{sport}:%{sinterface}dst=%{p0}"); - - var part487 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{sport}dst=%{p0}"); - - var select143 = linear_select([ - part486, - part487, - ]); - - var part488 = match("MESSAGE#475:1391/3_0", "nwparser.p0", "%{dport}:%{dinterface}:%{dhost}"); - - var select144 = linear_select([ - part488, - dup154, - dup155, - ]); - - var all110 = all_match({ - processors: [ - part485, - select143, - dup153, - select144, - ], - on_success: processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg476 = msg("1391", all110); - - var part489 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg477 = msg("1253", part489); - - var part490 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg478 = msg("1009", part490); - - var part491 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{p0}"); - - var part492 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{dinterface}:%{dhost}srcMac=%{p0}"); - - var part493 = match("MESSAGE#478:910/1_1", 
"nwparser.p0", "%{dinterface}srcMac=%{p0}"); - - var select145 = linear_select([ - part492, - part493, - ]); - - var part494 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); - - var all111 = all_match({ - processors: [ - part491, - select145, - part494, - ], - on_success: processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg479 = msg("910", all111); - - var part495 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup22, - dup44, - ])); - - var msg480 = msg("m:01", part495); - - var part496 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg481 = msg("1011", part496); - - var part497 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup172, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg482 = msg("609", part497); - - var msg483 = msg("796", dup237); - - var part498 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg484 = msg("880", part498); - - var part499 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", 
processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg485 = msg("1309", part499); - - var msg486 = msg("1310", dup237); - - var part500 = match("MESSAGE#486:1232/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); - - var part501 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} note=\"%{p0}"); - - var part502 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{dinterface->} note=\"%{p0}"); - - var select146 = linear_select([ - part501, - part502, - ]); - - var part503 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); - - var all112 = all_match({ - processors: [ - part500, - select146, - part503, - ], - on_success: processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg487 = msg("1232", all112); - - var part504 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var all113 = all_match({ - processors: [ - part504, - dup211, - dup119, - ], - on_success: processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg488 = msg("1447", all113); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "10": msg9, - "100": msg159, - "1003": msg449, - "1005": msg448, - "1007": msg450, - "1008": msg451, - "1009": msg478, - "101": msg160, - "1011": msg481, - "102": msg161, - "103": msg162, - "104": msg163, - "105": msg164, - "106": msg165, - "107": msg166, - "1079": select139, - "108": msg167, - "1080": msg470, - "1086": msg424, - "109": msg168, - "11": msg10, - "110": msg169, - "1107": msg461, - "111": select57, - 
"1110": msg408, - "112": msg172, - "113": msg173, - "114": msg174, - "1149": msg426, - "115": select58, - "1153": select135, - "1154": select126, - "1155": select128, - "1159": msg427, - "116": msg177, - "117": msg178, - "118": msg179, - "119": msg180, - "1195": select124, - "1197": msg439, - "1198": msg445, - "1199": select127, - "12": select4, - "120": msg181, - "1201": select129, - "121": msg182, - "122": msg183, - "1220": msg462, - "1222": msg431, - "1226": msg430, - "123": msg184, - "1230": msg463, - "1231": msg464, - "1232": msg487, - "1233": msg465, - "1235": msg438, - "124": msg185, - "125": msg186, - "1253": msg477, - "1254": msg187, - "1256": msg188, - "1257": msg189, - "126": msg190, - "127": msg191, - "128": msg192, - "129": msg193, - "13": msg13, - "130": msg194, - "1309": msg485, - "131": msg195, - "1310": msg486, - "132": msg196, - "133": msg197, - "134": msg198, - "135": msg199, - "136": msg200, - "1369": msg472, - "137": msg201, - "1370": msg473, - "1371": msg474, - "138": msg202, - "1387": msg475, - "139": select59, - "1391": msg476, - "14": select7, - "140": msg205, - "141": msg206, - "142": msg207, - "143": msg208, - "1430": msg425, - "1431": msg209, - "144": msg210, - "1447": msg488, - "145": msg211, - "146": msg212, - "147": msg213, - "148": msg214, - "1480": msg215, - "149": msg216, - "15": msg20, - "150": msg217, - "151": msg218, - "152": msg219, - "153": msg220, - "154": msg221, - "155": msg222, - "156": msg223, - "157": select60, - "158": msg226, - "159": msg227, - "16": msg21, - "160": msg228, - "161": msg229, - "162": msg230, - "163": msg231, - "164": msg232, - "165": msg233, - "166": msg234, - "167": msg235, - "168": msg236, - "169": msg237, - "17": msg22, - "170": msg238, - "171": select61, - "172": select62, - "173": msg245, - "174": select63, - "175": select64, - "176": msg253, - "177": msg254, - "178": msg255, - "179": msg256, - "18": msg23, - "180": select65, - "181": select66, - "19": msg24, - "193": msg261, - "194": msg262, - 
"195": msg263, - "196": select67, - "199": msg266, - "20": msg25, - "200": msg267, - "21": msg26, - "22": msg27, - "23": select10, - "235": select68, - "236": msg271, - "237": msg272, - "238": msg273, - "239": msg274, - "24": select11, - "240": msg275, - "241": select69, - "242": msg278, - "243": msg403, - "25": msg34, - "252": msg279, - "255": msg280, - "257": msg281, - "26": msg35, - "261": select72, - "262": msg284, - "263": msg413, - "264": msg414, - "267": select121, - "27": msg36, - "273": msg285, - "28": select12, - "29": select13, - "30": select14, - "31": select15, - "32": select16, - "328": msg286, - "329": msg287, - "33": select17, - "34": msg52, - "346": msg288, - "35": select18, - "350": msg289, - "351": msg290, - "352": msg291, - "353": select73, - "354": msg294, - "355": select74, - "356": msg297, - "357": select75, - "358": msg300, - "36": select21, - "37": select23, - "371": select76, - "372": msg303, - "373": msg304, - "38": select25, - "39": msg67, - "4": msg1, - "40": msg68, - "401": msg305, - "402": msg306, - "403": msg400, - "404": msg410, - "406": msg307, - "41": select26, - "412": msg415, - "413": msg308, - "414": msg309, - "42": msg72, - "427": msg156, - "428": msg157, - "43": msg73, - "438": msg310, - "439": msg311, - "44": msg74, - "440": msg312, - "441": select77, - "442": msg315, - "446": msg316, - "45": select27, - "46": select28, - "47": msg82, - "477": msg317, - "48": msg83, - "49": msg84, - "5": select2, - "50": msg85, - "509": msg318, - "51": msg86, - "52": msg87, - "520": msg319, - "522": select80, - "523": msg323, - "524": select83, - "526": select86, - "53": msg88, - "534": msg401, - "537": select101, - "538": msg346, - "549": msg347, - "557": msg348, - "558": msg349, - "561": msg350, - "562": msg351, - "563": msg352, - "565": msg409, - "58": msg89, - "580": msg471, - "583": msg353, - "597": select102, - "598": select103, - "6": select3, - "60": msg90, - "602": select104, - "605": msg363, - "606": msg364, - "608": msg365, - 
"609": msg482, - "61": msg91, - "614": msg421, - "616": msg366, - "62": msg92, - "63": select29, - "64": msg95, - "65": msg96, - "654": msg455, - "657": select118, - "658": msg367, - "66": msg97, - "67": select30, - "670": msg456, - "68": msg100, - "69": msg101, - "7": msg6, - "70": select32, - "708": msg452, - "709": msg447, - "710": msg368, - "712": select108, - "713": select109, - "714": msg446, - "72": select33, - "73": msg106, - "74": msg107, - "748": msg422, - "75": msg108, - "76": msg109, - "760": select110, - "766": msg378, - "77": msg110, - "78": msg111, - "79": msg112, - "793": msg416, - "794": msg423, - "796": msg483, - "8": msg7, - "80": msg113, - "805": msg417, - "809": select122, - "81": msg114, - "82": select34, - "83": select35, - "84": msg122, - "860": select111, - "866": select113, - "867": select114, - "87": select37, - "88": select38, - "880": msg484, - "882": select115, - "884": msg457, - "888": select116, - "89": select40, - "892": msg389, - "9": msg8, - "90": msg129, - "904": msg390, - "905": msg391, - "906": msg392, - "907": msg393, - "908": msg394, - "909": msg395, - "91": msg130, - "910": msg479, - "914": msg396, - "92": msg131, - "93": msg132, - "931": msg397, - "935": msg420, - "94": msg133, - "95": msg134, - "96": msg135, - "97": select44, - "98": select56, - "986": msg155, - "99": msg158, - "994": msg402, - "995": msg404, - "997": msg405, - "998": select119, - "m": msg480, - "msg": msg436, - "src": msg437, - }), - ]); - - var part505 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var part506 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); - - var part507 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var part508 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); - - var part509 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} %{p0}"); - - var part510 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); - - var part511 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); - - var part512 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var part513 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); - - var part514 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); - - var part515 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); - - var part516 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); - - var part517 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); - - var part518 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); - - var part519 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); - - var part520 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); - - var part521 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); - - var part522 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); - - var part523 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); - - var part524 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); - - var part525 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); - - var part526 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); - - var part527 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var part528 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); - - var part529 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); - - var part530 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); - - 
var part531 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); - - var part532 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); - - var part533 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); - - var part534 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); - - var part535 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); - - var part536 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); - - var part537 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); - - var part538 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); - - var part539 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - - var part540 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); - - var part541 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); - - var part542 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); - - var part543 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); - - var part544 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); - - var part545 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var part546 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); - - var part547 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); - - var part548 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes}"); - - var part549 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); - - var part550 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} 
dst= %{p0}"); - - var part551 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); - - var part552 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); - - var part553 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); - - var part554 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - - var part555 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); - - var part556 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); - - var part557 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); - - var part558 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); - - var part559 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); - - var part560 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); - - var part561 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); - - var part562 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); - - var part563 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); - - var part564 = match("MESSAGE#262:196/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); - - var part565 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); - - var part566 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); - - var part567 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); - - var part568 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); - - var part569 = match("MESSAGE#302:401/1_0", "nwparser.p0", 
"dstname=%{name}"); - - var part570 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); - - var part571 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); - - var part572 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); - - var part573 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); - - var part574 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); - - var part575 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); - - var part576 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); - - var part577 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); - - var part578 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); - - var part579 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); - - var part580 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); - - var part581 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); - - var part582 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); - - var part583 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); - - var part584 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); - - var part585 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); - - var part586 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); - - var part587 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var part588 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); - - var part589 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); - - var part590 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); - - var part591 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); - - var part592 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); - - var part593 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - - var part594 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); - - var part595 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); - - var part596 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); - - var part597 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); - - var part598 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); - - var part599 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); - - var part600 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); - - var part601 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); - - var part602 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); - - var part603 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); - - var part604 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); - - var part605 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); - - var part606 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); - - var part607 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - - var part608 = 
match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var part609 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); - - var part610 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); - - var part611 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); - - var part612 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); - - var part613 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); - - var part614 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); - - var part615 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); - - var part616 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var part617 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); - - var part618 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var part619 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); - - var part620 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); - - var part621 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); - - var part622 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); - - var part623 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); - - var select147 = linear_select([ - dup8, - dup9, - ]); - - var select148 = linear_select([ - dup15, - dup16, - ]); - - var part624 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - 
])); - - var select149 = linear_select([ - dup26, - dup27, - ]); - - var select150 = linear_select([ - dup28, - dup29, - ]); - - var select151 = linear_select([ - dup35, - dup36, - ]); - - var select152 = linear_select([ - dup37, - dup38, - ]); - - var select153 = linear_select([ - dup39, - dup40, - ]); - - var select154 = linear_select([ - dup26, - dup46, - ]); - - var select155 = linear_select([ - dup48, - dup49, - ]); - - var select156 = linear_select([ - dup52, - dup53, - ]); - - var select157 = linear_select([ - dup55, - dup56, - ]); - - var select158 = linear_select([ - dup57, - dup58, - ]); - - var part625 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup70, - ])); - - var part626 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup5, - ])); - - var select159 = linear_select([ - dup75, - dup76, - ]); - - var select160 = linear_select([ - dup83, - dup84, - ]); - - var part627 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ - dup1, - ])); - - var select161 = linear_select([ - dup94, - dup95, - ]); - - var part628 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup5, - ])); - - var select162 = linear_select([ - dup98, - dup99, - ]); - - var select163 = linear_select([ - dup86, - dup102, - ]); - - var select164 = linear_select([ - dup103, - dup104, - ]); - - var part629 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup93, - ])); - - var part630 = match("MESSAGE#293:355", "nwparser.payload", 
"msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup93, - ])); - - var part631 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup1, - ])); - - var part632 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup1, - ])); - - var part633 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - ])); - - var select165 = linear_select([ - dup114, - dup115, - ]); - - var select166 = linear_select([ - dup117, - dup118, - ]); - - var select167 = linear_select([ - dup43, - dup42, - ]); - - var select168 = linear_select([ - dup8, - dup27, - ]); - - var select169 = linear_select([ - dup8, - dup26, - dup46, - ]); - - var select170 = linear_select([ - dup80, - dup15, - dup16, - ]); - - var select171 = linear_select([ - dup124, - dup125, - dup126, - dup38, - ]); - - var select172 = linear_select([ - dup127, - dup128, - ]); - - var select173 = linear_select([ - dup129, - dup130, - ]); - - var select174 = linear_select([ - dup135, - dup136, - dup137, - ]); - - var select175 = linear_select([ - dup138, - dup56, - ]); - - var select176 = linear_select([ - dup140, - dup141, - ]); - - var select177 = linear_select([ - dup142, - dup143, - ]); - - var select178 = linear_select([ - dup150, - dup151, - ]); - - var part634 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup156, - ])); - - var select179 = linear_select([ - dup158, - dup38, - ]); - - var select180 = linear_select([ - dup160, - dup161, - ]); - - var select181 = linear_select([ - dup162, - dup163, - ]); - - var part635 = 
match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ - dup5, - ])); - - var part636 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ - dup5, - ])); - - var part637 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ - dup5, - dup24, - ])); - - var part638 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - ])); - - var part639 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ - dup1, - dup24, - ])); - - var part640 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup171, - dup44, - ])); - - var part641 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ - dup1, - ])); - - var select182 = linear_select([ - dup177, - dup178, - ]); - - var select183 = linear_select([ - dup180, - dup181, - ]); - - var part642 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var all114 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var all115 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup91, - ]), - }); - - var all116 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var all117 = all_match({ - processors: [ - 
dup101, - dup203, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var all118 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup106, - ]), - }); - - var all119 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var all120 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var all121 = all_match({ - processors: [ - dup108, - dup185, - dup187, - ], - on_success: processor_chain([ - dup109, - ]), - }); - - var all122 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup112, - ]), - }); - - var all123 = all_match({ - processors: [ - dup113, - dup210, - ], - on_success: processor_chain([ - dup93, - ]), - }); - - var all124 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup116, - ]), - }); - - var all125 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup187, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var all126 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var all127 = all_match({ - processors: [ - dup157, - dup225, - dup159, - dup226, - dup227, - dup164, - ], - on_success: processor_chain([ - dup156, - dup59, - dup60, - dup61, - dup62, - dup44, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var all128 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup202, - dup100, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var all129 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain 
- target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/sonicwall/data_stream/firewall/agent/stream/tcp.yml.hbs b/packages/sonicwall/data_stream/firewall/agent/stream/tcp.yml.hbs deleted file mode 100644 index 7c1f4432d26..00000000000 --- a/packages/sonicwall/data_stream/firewall/agent/stream/tcp.yml.hbs +++ /dev/null 
@@ -1,9736 +0,0 @@
-tcp:
-host: "{{tcp_host}}:{{tcp_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-fields_under_root: true
-fields:
- observer:
- vendor: "Sonicwall"
- product: "Firewalls"
- type: "Firewall"
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{rsa_fields}}
- tz_offset: {{tz_offset}}
- keep_raw: {{keep_raw_fields}}
- debug: {{debug}}
- source: |
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
-
- /* jshint -W014,-W016,-W097,-W116 */
-
- var processor = require("processor");
- var console = require("console");
-
- var FLAG_FIELD = "log.flags";
- var FIELDS_OBJECT = "nwparser";
- var FIELDS_PREFIX = FIELDS_OBJECT + ".";
-
- var defaults = {
- debug: false,
- ecs: true,
- rsa: false,
- keep_raw: false,
- tz_offset: "local",
- strip_priority: true
- };
-
- var saved_flags = null;
- var debug;
- var map_ecs;
- var map_rsa;
- var keep_raw;
- var device;
- var tz_offset;
- var strip_priority;
-
- // Register params from configuration.
- function register(params) {
- debug = params.debug !== undefined ? params.debug : defaults.debug;
- map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
- map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
- keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
- tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
- strip_priority = params.strip_priority !== undefined?
params.strip_priority : defaults.strip_priority;
- device = new DeviceProcessor();
- }
-
- function parse_tz_offset(offset) {
- var date;
- var m;
- switch(offset) {
- // local uses the tz offset from the JS VM.
- case "local":
- date = new Date();
- // Reversing the sign as we the offset from UTC, not to UTC.
- return parse_local_tz_offset(-date.getTimezoneOffset());
- // event uses the tz offset from event.timezone (add_locale processor).
- case "event":
- return offset;
- // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
- default:
- m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
- if (m === null || m.length !== 4) {
- throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
- }
- return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
- }
- }
-
- function parse_local_tz_offset(minutes) {
- var neg = minutes < 0;
- minutes = Math.abs(minutes);
- var min = minutes % 60;
- var hours = Math.floor(minutes / 60);
- var pad2digit = function(n) {
- if (n < 10) { return "0" + n;}
- return "" + n;
- };
- return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
- }
-
- function process(evt) {
- // Function register is only called by the processor when `params` are set
- // in the processor config.
- if (device === undefined) {
- register(defaults);
- }
- return device.process(evt);
- }
-
- function processor_chain(subprocessors) {
- var builder = new processor.Chain();
- subprocessors.forEach(builder.Add);
- return builder.Build().Run;
- }
-
- function linear_select(subprocessors) {
- return function (evt) {
- var flags = evt.Get(FLAG_FIELD);
- var i;
- for (i = 0; i < subprocessors.length; i++) {
- evt.Delete(FLAG_FIELD);
- if (debug) console.warn("linear_select trying entry " + i);
- subprocessors[i](evt);
- // Dissect processor succeeded?
- if (evt.Get(FLAG_FIELD) == null) break;
- if (debug) console.warn("linear_select failed entry " + i);
- }
- if (flags !== null) {
- evt.Put(FLAG_FIELD, flags);
- }
- if (debug) {
- if (i < subprocessors.length) {
- console.warn("linear_select matched entry " + i);
- } else {
- console.warn("linear_select didn't match");
- }
- }
- };
- }
-
- function conditional(opt) {
- return function(evt) {
- if (opt.if(evt)) {
- opt.then(evt);
- } else if (opt.else) {
- opt.else(evt);
- }
- };
- }
-
- var strip_syslog_priority = (function() {
- var isEnabled = function() { return strip_priority === true; };
- var fetchPRI = field("_pri");
- var fetchPayload = field("payload");
- var removePayload = remove(["payload"]);
- var cleanup = remove(["_pri", "payload"]);
- var onMatch = function(evt) {
- var pri, priStr = fetchPRI(evt);
- if (priStr != null
- && 0 < priStr.length && priStr.length < 4
- && !isNaN((pri = Number(priStr)))
- && 0 <= pri && pri < 192) {
- var severity = pri & 7,
- facility = pri >> 3;
- setc("_severity", "" + severity)(evt);
- setc("_facility", "" + facility)(evt);
- // Replace message with priority stripped.
- evt.Put("message", fetchPayload(evt));
- removePayload(evt);
- } else {
- // not a valid syslog PRI, cleanup.
- cleanup(evt);
- }
- };
- return conditional({
- if: isEnabled,
- then: cleanup_flags(match(
- "STRIP_PRI",
- "message",
- "<%{_pri}>%{payload}",
- onMatch
- ))
- });
- })();
-
- function match(id, src, pattern, on_success) {
- var dissect = new processor.Dissect({
- field: src,
- tokenizer: pattern,
- target_prefix: FIELDS_OBJECT,
- ignore_failure: true,
- overwrite_keys: true,
- trim_values: "right"
- });
- return function (evt) {
- var msg = evt.Get(src);
- dissect.Run(evt);
- var failed = evt.Get(FLAG_FIELD) != null;
- if (debug) {
- if (failed) {
- console.debug("dissect fail: " + id + " field:" + src);
- } else {
- console.debug("dissect OK: " + id + " field:" + src);
- }
- console.debug(" expr: <<" + pattern + ">>");
- console.debug(" input: <<" + msg + ">>");
- }
- if (on_success != null && !failed) {
- on_success(evt);
- }
- };
- }
-
- function match_copy(id, src, dst, on_success) {
- dst = FIELDS_PREFIX + dst;
- if (dst === FIELDS_PREFIX || dst === src) {
- return function (evt) {
- if (debug) {
- console.debug("noop OK: " + id + " field:" + src);
- console.debug(" input: <<" + evt.Get(src) + ">>");
- }
- if (on_success != null) on_success(evt);
- }
- }
- return function (evt) {
- var msg = evt.Get(src);
- evt.Put(dst, msg);
- if (debug) {
- console.debug("copy OK: " + id + " field:" + src);
- console.debug(" target: '" + dst + "'");
- console.debug(" input: <<" + msg + ">>");
- }
- if (on_success != null) on_success(evt);
- }
- }
-
- function cleanup_flags(processor) {
- return function(evt) {
- processor(evt);
- evt.Delete(FLAG_FIELD);
- };
- }
-
- function all_match(opts) {
- return function (evt) {
- var i;
- for (i = 0; i < opts.processors.length; i++) {
- evt.Delete(FLAG_FIELD);
- opts.processors[i](evt);
- // Dissect processor succeeded?
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, - 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
- "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} n=%{fld2->} src=%{p0}"); - - var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); - - var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); - - var dup11 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup12 = setc("eventcategory","1502010000"); - - var dup13 = setc("eventcategory","1502020000"); - - var dup14 = setc("eventcategory","1002010000"); - - var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); - - var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); - - var dup17 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); - - var dup18 = setf("hostip","hhostip"); - - var dup19 = setf("id","hid"); - - var dup20 = setf("serial_number","hserial_number"); - - var dup21 = setf("category","hcategory"); - - var dup22 = setf("severity","hseverity"); - - var dup23 = setc("eventcategory","1805010000"); - - var dup24 = call({ - dest: "nwparser.msg", - fn: RMQ, - args: [ - field("msg"), - ], - }); - - var dup25 = setc("eventcategory","1302000000"); - - var dup26 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var dup27 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); - - var dup28 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); - - var dup29 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); - - var dup30 = setc("eventcategory","1401050100"); - - var dup31 = setc("eventcategory","1401030000"); - - var dup32 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" 
n=%{fld->} src=%{p0}"); - - var dup33 = setc("eventcategory","1301020000"); - - var dup34 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); - - var dup35 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); - - var dup36 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); - - var dup37 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); - - var dup38 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); - - var dup39 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); - - var dup40 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); - - var dup41 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); - - var dup42 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); - - var dup43 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); - - var dup44 = date_time({ - dest: "event_time", - args: ["date","time"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup45 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var dup46 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); - - var dup47 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); - - var dup48 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); - - var dup49 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); - - var dup50 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); - - var dup51 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); - - var dup52 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); - - var dup53 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); - - var 
dup54 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); - - var dup55 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); - - var dup56 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); - - var dup57 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - - var dup58 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); - - var dup59 = setc("ec_subject","NetworkComm"); - - var dup60 = setc("ec_activity","Deny"); - - var dup61 = setc("ec_theme","Communication"); - - var dup62 = setf("msg","$MSG"); - - var dup63 = setc("action","dropped"); - - var dup64 = setc("eventcategory","1608010000"); - - var dup65 = setc("eventcategory","1302010000"); - - var dup66 = setc("eventcategory","1301000000"); - - var dup67 = setc("eventcategory","1001000000"); - - var dup68 = setc("eventcategory","1003030000"); - - var dup69 = setc("eventcategory","1003050000"); - - var dup70 = setc("eventcategory","1103000000"); - - var dup71 = setc("eventcategory","1603110000"); - - var dup72 = setc("eventcategory","1605020000"); - - var dup73 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); - - var dup74 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); - - var dup75 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); - - var dup76 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); - - var dup77 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var dup78 = setc("eventcategory","1801000000"); - - var dup79 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); - - var dup80 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); - - var dup81 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} 
sent=%{sbytes}"); - - var dup82 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); - - var dup83 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} dst= %{p0}"); - - var dup84 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); - - var dup85 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); - - var dup86 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); - - var dup87 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - - var dup88 = setf("id","hfld1"); - - var dup89 = setc("eventcategory","1001020309"); - - var dup90 = setc("eventcategory","1303000000"); - - var dup91 = setc("eventcategory","1801010100"); - - var dup92 = setc("eventcategory","1604010000"); - - var dup93 = setc("eventcategory","1002020000"); - - var dup94 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); - - var dup95 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); - - var dup96 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); - - var dup97 = setc("eventcategory","1001010000"); - - var dup98 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); - - var dup99 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); - - var dup100 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); - - var dup101 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); - - var dup102 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); - - var dup103 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); - - var dup104 = match("MESSAGE#262:196/1_1", "nwparser.p0", 
"rcvd=%{rbytes->} cmd=%{p0}"); - - var dup105 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); - - var dup106 = setc("eventcategory","1401060000"); - - var dup107 = setc("eventcategory","1804000000"); - - var dup108 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); - - var dup109 = setc("eventcategory","1401070000"); - - var dup110 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); - - var dup111 = setc("eventcategory","1801030000"); - - var dup112 = setc("eventcategory","1402020300"); - - var dup113 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); - - var dup114 = match("MESSAGE#302:401/1_0", "nwparser.p0", "dstname=%{name}"); - - var dup115 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); - - var dup116 = setc("eventcategory","1402000000"); - - var dup117 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); - - var dup118 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); - - var dup119 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); - - var dup120 = setc("eventcategory","1803020000"); - - var dup121 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); - - var dup122 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); - - var dup123 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); - - var dup124 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); - - var dup125 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); - - var dup126 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); - - var dup127 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); - 
- var dup128 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); - - var dup129 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); - - var dup130 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); - - var dup131 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); - - var dup132 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); - - var dup133 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); - - var dup134 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var dup135 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); - - var dup136 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); - - var dup137 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); - - var dup138 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); - - var dup139 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); - - var dup140 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - - var dup141 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); - - var dup142 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); - - var dup143 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); - - var dup144 = setc("event_description","Connection Closed"); - - var dup145 = setc("eventcategory","1801020000"); - - var dup146 = setc("ec_activity","Permit"); - - var dup147 = setc("action","allowed"); - - var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); - - var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", 
"msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); - - var dup150 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); - - var dup151 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); - - var dup152 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); - - var dup153 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); - - var dup154 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); - - var dup155 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); - - var dup156 = setc("eventcategory","1001030500"); - - var dup157 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); - - var dup158 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); - - var dup159 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - - var dup160 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var dup161 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); - - var dup162 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); - - var dup163 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); - - var dup164 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); - - var dup165 = setc("eventcategory","1801010000"); - - var dup166 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); - - var dup167 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); - - var dup168 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); - - var dup169 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} 
%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var dup170 = setc("eventcategory","1003010000"); - - var dup171 = setc("eventcategory","1609000000"); - - var dup172 = setc("eventcategory","1204000000"); - - var dup173 = setc("eventcategory","1602000000"); - - var dup174 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); - - var dup175 = setc("eventcategory","1803000000"); - - var dup176 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var dup177 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); - - var dup178 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); - - var dup179 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); - - var dup180 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); - - var dup181 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); - - var dup182 = linear_select([ - dup8, - dup9, - ]); - - var dup183 = linear_select([ - dup15, - dup16, - ]); - - var dup184 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - ])); - - var dup185 = linear_select([ - dup26, - dup27, - ]); - - var dup186 = linear_select([ - dup28, - dup29, - ]); - - var dup187 = linear_select([ - dup35, - dup36, - ]); - - var dup188 = linear_select([ - dup37, - dup38, - ]); - - var dup189 = linear_select([ - dup39, - dup40, - ]); - - var dup190 = linear_select([ - dup26, - dup46, - ]); - - var dup191 = linear_select([ - dup48, - dup49, - ]); - - var dup192 = linear_select([ - dup52, - dup53, - ]); - - var dup193 = linear_select([ - dup55, - dup56, - ]); - - var dup194 = linear_select([ - dup57, - dup58, - ]); - - var dup195 = 
match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup70, - ])); - - var dup196 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup5, - ])); - - var dup197 = linear_select([ - dup75, - dup76, - ]); - - var dup198 = linear_select([ - dup83, - dup84, - ]); - - var dup199 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ - dup1, - ])); - - var dup200 = linear_select([ - dup94, - dup95, - ]); - - var dup201 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup5, - ])); - - var dup202 = linear_select([ - dup98, - dup99, - ]); - - var dup203 = linear_select([ - dup86, - dup102, - ]); - - var dup204 = linear_select([ - dup103, - dup104, - ]); - - var dup205 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup93, - ])); - - var dup206 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup93, - ])); - - var dup207 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup1, - ])); - - var dup208 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup1, - ])); - - var dup209 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} 
note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - ])); - - var dup210 = linear_select([ - dup114, - dup115, - ]); - - var dup211 = linear_select([ - dup117, - dup118, - ]); - - var dup212 = linear_select([ - dup43, - dup42, - ]); - - var dup213 = linear_select([ - dup8, - dup27, - ]); - - var dup214 = linear_select([ - dup8, - dup26, - dup46, - ]); - - var dup215 = linear_select([ - dup80, - dup15, - dup16, - ]); - - var dup216 = linear_select([ - dup124, - dup125, - dup126, - dup38, - ]); - - var dup217 = linear_select([ - dup127, - dup128, - ]); - - var dup218 = linear_select([ - dup129, - dup130, - ]); - - var dup219 = linear_select([ - dup135, - dup136, - dup137, - ]); - - var dup220 = linear_select([ - dup138, - dup56, - ]); - - var dup221 = linear_select([ - dup140, - dup141, - ]); - - var dup222 = linear_select([ - dup142, - dup143, - ]); - - var dup223 = linear_select([ - dup150, - dup151, - ]); - - var dup224 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup156, - ])); - - var dup225 = linear_select([ - dup158, - dup38, - ]); - - var dup226 = linear_select([ - dup160, - dup161, - ]); - - var dup227 = linear_select([ - dup162, - dup163, - ]); - - var dup228 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ - dup5, - ])); - - var dup229 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ - dup5, - ])); - - var dup230 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ - dup5, - dup24, - ])); - - var dup231 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} 
note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - ])); - - var dup232 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ - dup1, - dup24, - ])); - - var dup233 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup171, - dup44, - ])); - - var dup234 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ - dup1, - ])); - - var dup235 = linear_select([ - dup177, - dup178, - ]); - - var dup236 = linear_select([ - dup180, - dup181, - ]); - - var dup237 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var dup238 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var dup239 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup91, - ]), - }); - - var dup240 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var dup241 = all_match({ - processors: [ - dup101, - dup203, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var dup242 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup106, - ]), - }); - - var dup243 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var dup244 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var dup245 = all_match({ - processors: [ - dup108, - dup185, - dup187, - ], - on_success: processor_chain([ - dup109, - ]), - }); - - var dup246 = all_match({ - processors: [ - dup110, - dup185, - dup187, 
- ], - on_success: processor_chain([ - dup112, - ]), - }); - - var dup247 = all_match({ - processors: [ - dup113, - dup210, - ], - on_success: processor_chain([ - dup93, - ]), - }); - - var dup248 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup116, - ]), - }); - - var dup249 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup187, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var dup250 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var dup251 = all_match({ - processors: [ - dup157, - dup225, - dup159, - dup226, - dup227, - dup164, - ], - on_success: processor_chain([ - dup156, - dup59, - dup60, - dup61, - dup62, - dup44, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var dup252 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup202, - dup100, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var dup253 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("= "), - field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ - setc("header_id","0003"), 
- ])); - - var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - ]); - - var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ - dup1, - ])); - - var msg1 = msg("4", part1); - - var part2 = match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ - dup1, - ])); - - var msg2 = msg("5", part2); - - var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - dup1, - ])); - - var msg3 = msg("5:01", part3); - - var select2 = linear_select([ - msg2, - msg3, - ]); - - var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log successfully sent via email%{}", processor_chain([ - dup1, - ])); - - var msg4 = msg("6", part4); - - var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ - dup1, - ])); - - var msg5 = msg("6:01", part5); - - var select3 = linear_select([ - msg4, - msg5, - ]); - - var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ - dup2, - ])); - - var msg6 = msg("7", part6); - - var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ - dup3, - ])); - - var msg7 = msg("8", part7); - - var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ - dup4, - ])); - - var msg8 = msg("9", part8); - - var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ - dup4, - ])); - - var msg9 = msg("10", part9); - - var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your 
DNS server%{}", processor_chain([ - dup4, - ])); - - var msg10 = msg("11", part10); - - var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ - dup5, - ])); - - var msg11 = msg("12", part11); - - var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - dup5, - ])); - - var msg12 = msg("12:01", part12); - - var select4 = linear_select([ - msg11, - msg12, - ]); - - var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ - dup1, - ])); - - var msg13 = msg("13", part13); - - var part14 = match("MESSAGE#13:14/0_0", "nwparser.payload", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode}"); - - var part15 = match("MESSAGE#13:14/0_1", "nwparser.payload", "Web site blocked%{}"); - - var select5 = linear_select([ - part14, - part15, - ]); - - var all1 = all_match({ - processors: [ - select5, - ], - on_success: processor_chain([ - dup6, - setc("action","Web site access denied"), - ]), - }); - - var msg14 = msg("14", all1); - - var part16 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} code= %{p0}"); - - var part17 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{dinterface->} code= %{p0}"); - - var select6 = linear_select([ - part16, - part17, - ]); - - var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{fld3->} Category=%{fld4->} npcs=%{info}"); - - var all2 = all_match({ - processors: [ - dup7, - dup182, - dup10, - select6, - part18, - ], - on_success: processor_chain([ - dup6, - ]), - }); - - var msg15 = msg("14:01", all2); - - var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, - ])); - - var msg16 = msg("14:02", part19); - - var part20 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, - ])); - - var msg17 = msg("14:03", part20); - - var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, - ])); - - var msg18 = msg("14:04", part21); - - var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, - ])); - - var msg19 = msg("14:05", part22); - - var select7 = linear_select([ - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - ]); - - var part23 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ - dup12, - ])); - - var msg20 = msg("15", part23); - - var 
part24 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ - dup13, - ])); - - var msg21 = msg("16", part24); - - var part25 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ - dup13, - ])); - - var msg22 = msg("17", part25); - - var part26 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ - dup12, - ])); - - var msg23 = msg("18", part26); - - var part27 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ - dup12, - ])); - - var msg24 = msg("19", part27); - - var part28 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ - dup12, - ])); - - var msg25 = msg("20", part28); - - var part29 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ - dup1, - ])); - - var msg26 = msg("21", part29); - - var part30 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ - dup14, - ])); - - var msg27 = msg("22", part30); - - var part31 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ - dup14, - ])); - - var msg28 = msg("23", part31); - - var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var part33 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); - - var part34 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); - - var select8 = linear_select([ - part33, - part34, - ]); - - var part35 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{smacaddr}"); - - var all3 = all_match({ - processors: [ - part32, - dup183, - dup17, - select8, - part35, - ], - on_success: processor_chain([ - dup14, - ]), - }); - - var msg29 = msg("23:01", all3); - - var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: 
%{smacaddr}", processor_chain([ - dup14, - ])); - - var msg30 = msg("23:02", part36); - - var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); - - var part38 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac= %{p0}"); - - var part39 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{dinterface->} srcMac= %{p0}"); - - var select9 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); - - var all4 = all_match({ - processors: [ - part37, - select9, - part40, - ], - on_success: processor_chain([ - dup14, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg31 = msg("23:03", all4); - - var select10 = linear_select([ - msg28, - msg29, - msg30, - msg31, - ]); - - var part41 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ - dup23, - ])); - - var msg32 = msg("24", part41); - - var msg33 = msg("24:01", dup184); - - var select11 = linear_select([ - msg32, - msg33, - ]); - - var part42 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ - dup14, - ])); - - var msg34 = msg("25", part42); - - var part43 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ - dup14, - ])); - - var msg35 = msg("26", part43); - - var part44 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ - dup14, - ])); - - var msg36 = msg("27", part44); - - var part45 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ - dup14, - ])); - - var msg37 = msg("28", part45); - - var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} 
dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup14, - ])); - - var msg38 = msg("28:01", part46); - - var select12 = linear_select([ - msg37, - msg38, - ]); - - var part47 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ - dup25, - ])); - - var msg39 = msg("29", part47); - - var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); - - var all5 = all_match({ - processors: [ - part48, - dup185, - dup186, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var msg40 = msg("29:01", all5); - - var select13 = linear_select([ - msg39, - msg40, - ]); - - var part49 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ - dup31, - ])); - - var msg41 = msg("30", part49); - - var msg42 = msg("30:01", dup238); - - var select14 = linear_select([ - msg41, - msg42, - ]); - - var part50 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ - dup25, - ])); - - var msg43 = msg("31", part50); - - var all6 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup25, - ]), - }); - - var msg44 = msg("31:01", all6); - - var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup11, - ])); - - var msg45 = msg("31:02", part51); - - var part52 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup11, - ])); - - var 
msg46 = msg("31:03", part52); - - var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup11, - ])); - - var msg47 = msg("31:04", part53); - - var select15 = linear_select([ - msg43, - msg44, - msg45, - msg46, - msg47, - ]); - - var part54 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ - dup31, - ])); - - var msg48 = msg("32", part54); - - var msg49 = msg("32:01", dup238); - - var select16 = linear_select([ - msg48, - msg49, - ]); - - var part55 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ - dup33, - ])); - - var msg50 = msg("33", part55); - - var all7 = all_match({ - processors: [ - dup34, - dup185, - dup186, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var msg51 = msg("33:01", all7); - - var select17 = linear_select([ - msg50, - msg51, - ]); - - var part56 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ - dup5, - ])); - - var msg52 = msg("34", part56); - - var part57 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ - setc("eventcategory","1401040000"), - ])); - - var msg53 = msg("35", part57); - - var all8 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1401050200"), - ]), - }); - - var msg54 = msg("35:01", all8); - - var select18 = linear_select([ - msg53, - msg54, - ]); - - var part58 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ - dup5, - ])); - - var msg55 = msg("36", part58); - - var part59 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); - - 
var part60 = match("MESSAGE#54:36:01/2", "nwparser.p0", "%{fld1->} src= %{p0}"); - - var part61 = match("MESSAGE#54:36:01/7_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); - - var select19 = linear_select([ - part61, - dup42, - dup43, - ]); - - var all9 = all_match({ - processors: [ - part59, - dup188, - part60, - dup189, - dup41, - dup183, - dup17, - select19, - ], - on_success: processor_chain([ - dup5, - dup44, - ]), - }); - - var msg56 = msg("36:01", all9); - - var part62 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} npcs=%{p0}"); - - var part63 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} npcs=%{p0}"); - - var select20 = linear_select([ - part62, - part63, - ]); - - var all10 = all_match({ - processors: [ - dup45, - dup190, - dup17, - dup183, - dup17, - select20, - dup47, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg57 = msg("36:02", all10); - - var select21 = linear_select([ - msg55, - msg56, - msg57, - ]); - - var part64 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg58 = msg("37", part64); - - var part65 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); - - var part66 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); - - var part67 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}proto=%{protocol->} fw_action=\"%{fld3}\""); - - var part68 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport}rule=%{rule}"); - - var select22 = linear_select([ - part67, - part68, - ]); - - var all11 = all_match({ - processors: [ - part65, - dup188, - part66, - select22, - ], - on_success: processor_chain([ - dup5, - dup44, - ]), - }); - - var msg59 = msg("37:01", all11); - - var part69 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} 
dst=%{daddr->} rule=%{rule}", processor_chain([ - dup5, - ])); - - var msg60 = msg("37:02", part69); - - var all12 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup191, - dup50, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg61 = msg("37:03", all12); - - var part70 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup5, - dup11, - ])); - - var msg62 = msg("37:04", part70); - - var select23 = linear_select([ - msg58, - msg59, - msg60, - msg61, - msg62, - ]); - - var part71 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg63 = msg("38", part71); - - var part72 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code}"); - - var select24 = linear_select([ - part72, - dup42, - ]); - - var all13 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup183, - dup17, - select24, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg64 = msg("38:01", all13); - - var part73 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{fld3->} icmpCode=%{fld4->} npcs=%{info}"); - - var all14 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup192, - part73, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg65 = msg("38:02", all14); - - var part74 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - - var part75 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); - - var all15 = all_match({ - processors: [ - dup54, - dup193, - part74, - dup194, - part75, - ], - on_success: processor_chain([ - dup5, - dup11, - 
dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg66 = msg("38:03", all15); - - var select25 = linear_select([ - msg63, - msg64, - msg65, - msg66, - ]); - - var part76 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg67 = msg("39", part76); - - var part77 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg68 = msg("40", part77); - - var part78 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg69 = msg("41:01", part78); - - var part79 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ - dup5, - ])); - - var msg70 = msg("41:02", part79); - - var part80 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ - dup5, - ])); - - var msg71 = msg("41:03", part80); - - var select26 = linear_select([ - msg69, - msg70, - msg71, - ]); - - var part81 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ - dup5, - ])); - - var msg72 = msg("42", part81); - - var part82 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ - dup5, - ])); - - var msg73 = msg("43", part82); - - var part83 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ - dup5, - ])); - - var msg74 = msg("44", part83); - - var part84 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ 
- dup5, - ])); - - var msg75 = msg("45", part84); - - var part85 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup5, - ])); - - var msg76 = msg("45:01", part85); - - var part86 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ - dup5, - ])); - - var msg77 = msg("45:02", part86); - - var select27 = linear_select([ - msg75, - msg76, - msg77, - ]); - - var part87 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg78 = msg("46:01", part87); - - var part88 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup5, - ])); - - var msg79 = msg("46:02", part88); - - var part89 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg80 = msg("46", part89); - - var part90 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var all16 = all_match({ - processors: [ - part90, - dup182, - dup10, - dup191, - dup50, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg81 = msg("46:03", all16); - - var select28 = linear_select([ - msg78, - msg79, - msg80, - msg81, - ]); - - var part91 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ - dup5, - ])); - - var msg82 = msg("47", part91); - - var part92 = match("MESSAGE#81:48", "nwparser.payload", 
"Out-of-order command packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg83 = msg("48", part92); - - var part93 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ - dup5, - ])); - - var msg84 = msg("49", part93); - - var part94 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ - dup5, - ])); - - var msg85 = msg("50", part94); - - var part95 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg86 = msg("51", part95); - - var part96 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ - dup5, - ])); - - var msg87 = msg("52", part96); - - var part97 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ - dup2, - ])); - - var msg88 = msg("53", part97); - - var part98 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ - dup64, - ])); - - var msg89 = msg("58", part98); - - var part99 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ - dup12, - ])); - - var msg90 = msg("60", part99); - - var part100 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ - dup1, - ])); - - var msg91 = msg("61", part100); - - var part101 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ - dup65, - ])); - - var msg92 = msg("62", part101); - - var part102 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ - dup66, - ])); - - var msg93 = msg("63", part102); - - var part103 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup66, - ])); - - var msg94 
= msg("63:01", part103); - - var select29 = linear_select([ - msg93, - msg94, - ]); - - var part104 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ - dup1, - ])); - - var msg95 = msg("64", part104); - - var part105 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ - dup66, - ])); - - var msg96 = msg("65", part105); - - var part106 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ - dup66, - ])); - - var msg97 = msg("66", part106); - - var part107 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ - dup66, - ])); - - var msg98 = msg("67", part107); - - var all17 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup66, - ]), - }); - - var msg99 = msg("67:01", all17); - - var select30 = linear_select([ - msg98, - msg99, - ]); - - var part108 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ - dup66, - ])); - - var msg100 = msg("68", part108); - - var part109 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ - dup66, - ])); - - var msg101 = msg("69", part109); - - var part110 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ - dup66, - ])); - - var msg102 = msg("70", part110); - - var part111 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst%{p0}"); - - var part112 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "=%{daddr}"); - - var part113 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", "name=%{name}"); - - var select31 = linear_select([ - part112, - part113, - ]); - - var all18 = all_match({ - processors: [ - part111, - select31, - ], - on_success: processor_chain([ - dup66, - ]), - }); - - var msg103 = msg("70:01", all18); - - var select32 = linear_select([ - 
msg102, - msg103, - ]); - - var part114 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg104 = msg("72", part114); - - var part115 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup67, - ])); - - var msg105 = msg("72:01", part115); - - var select33 = linear_select([ - msg104, - msg105, - ]); - - var part116 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ - dup68, - ])); - - var msg106 = msg("73", part116); - - var part117 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ - dup69, - ])); - - var msg107 = msg("74", part117); - - var part118 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ - dup68, - ])); - - var msg108 = msg("75", part118); - - var part119 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg109 = msg("76", part119); - - var part120 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg110 = msg("77", part120); - - var part121 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ - dup69, - ])); - - var msg111 = msg("78", part121); - - var part122 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg112 = msg("79", part122); - - var part123 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg113 = msg("80", part123); - - var part124 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ - dup14, - ])); - - var msg114 = msg("81", part124); - - var part125 = 
match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ - dup70, - ])); - - var msg115 = msg("82", part125); - - var part126 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ - dup70, - ])); - - var msg116 = msg("82:02", part126); - - var part127 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ - dup70, - ])); - - var msg117 = msg("82:03", part127); - - var msg118 = msg("82:01", dup195); - - var select34 = linear_select([ - msg115, - msg116, - msg117, - msg118, - ]); - - var part128 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ - dup70, - ])); - - var msg119 = msg("83", part128); - - var msg120 = msg("83:01", dup196); - - var part129 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ - dup5, - ])); - - var msg121 = msg("83:02", part129); - - var select35 = linear_select([ - msg119, - msg120, - msg121, - ]); - - var part130 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); - - var part131 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); - - var select36 = linear_select([ - part130, - part131, - ]); - - var all19 = all_match({ - processors: [ - select36, - ], - on_success: processor_chain([ - dup71, - setc("action","Failed to resolve name"), - ]), - }); - - var msg122 = msg("84", all19); - - var part132 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ - dup72, - ])); - - var 
msg123 = msg("87", part132); - - var part133 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup72, - ])); - - var msg124 = msg("87:01", part133); - - var select37 = linear_select([ - msg123, - msg124, - ]); - - var part134 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ - dup66, - ])); - - var msg125 = msg("88", part134); - - var part135 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup66, - ])); - - var msg126 = msg("88:01", part135); - - var select38 = linear_select([ - msg125, - msg126, - ]); - - var part136 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. Adding IPSec SA%{}", processor_chain([ - dup72, - ])); - - var msg127 = msg("89", part136); - - var part137 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface}"); - - var part138 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} dstname=%{name}"); - - var select39 = linear_select([ - part137, - part138, - ]); - - var all20 = all_match({ - processors: [ - dup73, - select39, - ], - on_success: processor_chain([ - dup72, - ]), - }); - - var msg128 = msg("89:01", all20); - - var select40 = linear_select([ - msg127, - msg128, - ]); - - var part139 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ - dup72, - ])); - - var msg129 = msg("90", part139); - - var part140 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ - dup72, - ])); - - var msg130 = msg("91", part140); - - var part141 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ - dup72, - ])); - - var msg131 = msg("92", part141); - - var part142 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic 
Code A%{}", processor_chain([ - dup1, - ])); - - var msg132 = msg("93", part142); - - var part143 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ - dup1, - ])); - - var msg133 = msg("94", part143); - - var part144 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ - dup1, - ])); - - var msg134 = msg("95", part144); - - var part145 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ - dup1, - ])); - - var msg135 = msg("96", part145); - - var part146 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ - dup1, - ])); - - var msg136 = msg("97", part146); - - var part147 = match("MESSAGE#135:97:01/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} %{p0}"); - - var part148 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); - - var part149 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); - - var select41 = linear_select([ - part148, - part149, - ]); - - var part150 = match_copy("MESSAGE#135:97:01/7", "nwparser.p0", "name"); - - var all21 = all_match({ - processors: [ - dup74, - dup189, - dup41, - dup183, - part147, - select41, - dup197, - part150, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg137 = msg("97:01", all21); - - var part151 = match("MESSAGE#136:97:02/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} result=%{result}"); - - var all22 = all_match({ - processors: [ - dup74, - dup189, - dup41, - dup183, - part151, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg138 = msg("97:02", all22); - - var part152 = match("MESSAGE#137:97:03/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); - - var part153 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{} %{name}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); - - var all23 = all_match({ - processors: [ - dup77, - dup189, - dup41, - 
dup183, - part152, - dup197, - part153, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg139 = msg("97:03", all23); - - var part154 = match("MESSAGE#138:97:04/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} %{p0}"); - - var part155 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{}arg= %{name}%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); - - var all24 = all_match({ - processors: [ - dup77, - dup189, - dup41, - dup183, - part154, - dup197, - part155, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg140 = msg("97:04", all24); - - var part156 = match("MESSAGE#139:97:05/4", "nwparser.p0", "proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); - - var all25 = all_match({ - processors: [ - dup74, - dup189, - dup41, - dup183, - part156, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg141 = msg("97:05", all25); - - var part157 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{p0}"); - - var part158 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{sinterface}:%{shost}dst=%{p0}"); - - var part159 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{sinterface}dst=%{p0}"); - - var select42 = linear_select([ - part158, - part159, - ]); - - var part160 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); - - var all26 = all_match({ - processors: [ - part157, - select42, - part160, - ], - on_success: processor_chain([ - dup78, - dup11, - ]), - }); - - var msg142 = msg("97:06", all26); - - var part161 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{p0}"); - - var part162 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{dinterface}:%{fld3->} srcMac=%{p0}"); - - var select43 = linear_select([ - part162, - dup79, - ]); - - var part163 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); - - var all27 = all_match({ - processors: [ - part161, - select43, - part163, - ], - on_success: processor_chain([ - dup78, - dup11, - ]), - }); - - var msg143 = msg("97:07", all27); - - var part164 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, - ])); - - var msg144 = msg("97:08", part164); - - var part165 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, - ])); - - var msg145 = msg("97:09", part165); - - var part166 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, - ])); - - var msg146 = 
msg("97:10", part166); - - var select44 = linear_select([ - msg136, - msg137, - msg138, - msg139, - msg140, - msg141, - msg142, - msg143, - msg144, - msg145, - msg146, - ]); - - var part167 = match("MESSAGE#145:98/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{p0}"); - - var part168 = match("MESSAGE#145:98/3_0", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); - - var part169 = match("MESSAGE#145:98/3_1", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes}"); - - var part170 = match("MESSAGE#145:98/3_2", "nwparser.p0", "%{dinterface} %{protocol}"); - - var select45 = linear_select([ - part168, - part169, - part170, - ]); - - var all28 = all_match({ - processors: [ - dup54, - dup193, - part167, - select45, - ], - on_success: processor_chain([ - dup78, - dup59, - setc("ec_activity","Stop"), - dup61, - dup62, - dup11, - setc("action","Opened"), - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg147 = msg("98", all28); - - var part171 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg148 = msg("98:07", part171); - - var part172 = match("MESSAGE#147:98:01/0", "nwparser.payload", "msg=\"%{msg}\"%{p0}"); - - var part173 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", " app=%{fld2->} sess=\"%{fld3}\"%{p0}"); - - var select46 = linear_select([ - part173, - dup56, - ]); - - var part174 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); - - var part175 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); - - var part176 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); - 
- var select47 = linear_select([ - part175, - part176, - ]); - - var part177 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); - - var part178 = match("MESSAGE#147:98:01/4_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); - - var part179 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); - - var select48 = linear_select([ - part177, - part178, - part179, - ]); - - var part180 = match("MESSAGE#147:98:01/5", "nwparser.p0", "%{} %{p0}"); - - var part181 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); - - var part182 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", "%{daddr->} %{p0}"); - - var select49 = linear_select([ - dup80, - part181, - part182, - ]); - - var part183 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); - - var part184 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes}"); - - var part185 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); - - var part186 = match("MESSAGE#147:98:01/7_3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); - - var select50 = linear_select([ - part183, - part184, - part185, - part186, - dup81, - dup43, - ]); - - var all29 = all_match({ - processors: [ - part172, - select46, - part174, - select47, - select48, - part180, - select49, - select50, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg149 = msg("98:01", all29); - - var part187 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "app=%{fld2->} appName=\"%{application}\" n=%{p0}"); - - var part188 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", "app=%{fld2->} n=%{p0}"); - - var part189 = match("MESSAGE#148:98:06/1_2", "nwparser.p0", "sess=%{fld2->} n=%{p0}"); - - var select51 = 
linear_select([ - part187, - part188, - part189, - ]); - - var part190 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{fld1->} %{p0}"); - - var part191 = match("MESSAGE#148:98:06/3_0", "nwparser.p0", "usr=%{username->} %{p0}"); - - var select52 = linear_select([ - part191, - dup56, - ]); - - var part192 = match("MESSAGE#148:98:06/4", "nwparser.p0", "src= %{saddr}:%{sport}:%{p0}"); - - var part193 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var part194 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var part195 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var select53 = linear_select([ - part193, - part194, - dup85, - part195, - ]); - - var part196 = match("MESSAGE#148:98:06/8", "nwparser.p0", "%{protocol->} %{p0}"); - - var part197 = match("MESSAGE#148:98:06/9_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); - - var part198 = match("MESSAGE#148:98:06/9_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); - - var part199 = match("MESSAGE#148:98:06/9_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); - - var part200 = match("MESSAGE#148:98:06/9_4", "nwparser.p0", "fw_action=\"%{action}\""); - - var select54 = linear_select([ - part197, - part198, - part199, - dup86, - part200, - ]); - - var all30 = all_match({ - processors: [ - dup82, - select51, - part190, - select52, - part192, - dup198, - dup17, - select53, - part196, - select54, - ], - on_success: processor_chain([ - dup78, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg150 = msg("98:06", all30); - - var part201 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); - - var all31 = all_match({ - processors: [ - part201, - 
dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg151 = msg("98:02", all31); - - var part202 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection%{}"); - - var part203 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}"); - - var select55 = linear_select([ - part202, - part203, - ]); - - var all32 = all_match({ - processors: [ - select55, - ], - on_success: processor_chain([ - dup1, - dup44, - ]), - }); - - var msg152 = msg("98:03", all32); - - var part204 = match("MESSAGE#151:98:04/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); - - var all33 = all_match({ - processors: [ - dup7, - dup185, - dup183, - part204, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg153 = msg("98:04", all33); - - var part205 = match("MESSAGE#152:98:05/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); - - var all34 = all_match({ - processors: [ - dup7, - dup185, - dup183, - part205, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg154 = msg("98:05", all34); - - var select56 = linear_select([ - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - ]); - - var part206 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup31, - dup11, - ])); - - var msg155 = msg("986", part206); - - var part207 = match("MESSAGE#154:427/3", "nwparser.p0", "note=\"%{event_description}\""); - - var all35 = all_match({ - processors: [ - dup73, - dup185, - dup183, - part207, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg156 = msg("427", all35); - - var part208 = match("MESSAGE#155:428/2", 
"nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); - - var all36 = all_match({ - processors: [ - dup87, - dup194, - part208, - ], - on_success: processor_chain([ - dup23, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg157 = msg("428", all36); - - var part209 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ - dup72, - ])); - - var msg158 = msg("99", part209); - - var part210 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ - dup72, - ])); - - var msg159 = msg("100", part210); - - var part211 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ - dup72, - ])); - - var msg160 = msg("101", part211); - - var part212 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ - dup72, - ])); - - var msg161 = msg("102", part212); - - var part213 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ - dup72, - ])); - - var msg162 = msg("103", part213); - - var part214 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ - dup72, - ])); - - var msg163 = msg("104", part214); - - var part215 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ - dup72, - ])); - - var msg164 = msg("105", part215); - - var part216 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ - dup71, - ])); - - var msg165 = msg("106", part216); - - var part217 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ - dup72, - ])); - - var msg166 = msg("107", part217); - - var part218 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ - dup72, - ])); - - var msg167 = msg("108", part218); - - var part219 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ - dup71, - ])); - - var msg168 = msg("109", part219); - - var part220 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ - dup72, - ])); - - var msg169 = msg("110", part220); - - var msg170 = msg("111:01", dup199); - - var part221 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ - dup72, - ])); - - var msg171 = msg("111", part221); - - var select57 = linear_select([ - msg170, - msg171, - ]); - - var part222 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ - dup72, - ])); - - var msg172 = msg("112", part222); - - var part223 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ - dup72, - ])); - - var msg173 = msg("113", part223); - - var part224 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ - dup72, - ])); - - var msg174 = msg("114", part224); - - var msg175 = msg("115:01", dup199); - - var part225 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ - dup72, - ])); - - var msg176 = msg("115", part225); - - var select58 = linear_select([ - msg175, - msg176, - ]); - - var part226 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ - dup72, - ])); - - var msg177 = msg("116", part226); - - var part227 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST 
(Rebooting).%{}", processor_chain([ - dup72, - ])); - - var msg178 = msg("117", part227); - - var part228 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ - dup72, - ])); - - var msg179 = msg("118", part228); - - var part229 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ - dup71, - ])); - - var msg180 = msg("119", part229); - - var part230 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ - dup71, - ])); - - var msg181 = msg("120", part230); - - var part231 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ - dup72, - ])); - - var msg182 = msg("121", part231); - - var part232 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ - dup71, - ])); - - var msg183 = msg("122", part232); - - var part233 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ - dup71, - ])); - - var msg184 = msg("123", part233); - - var part234 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ - dup72, - ])); - - var msg185 = msg("124", part234); - - var part235 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ - dup72, - ])); - - var msg186 = msg("125", part235); - - var part236 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup89, - dup11, - ])); - - var msg187 = msg("1254", part236); - - 
var part237 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg188 = msg("1256", part237); - - var part238 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup89, - dup11, - ])); - - var msg189 = msg("1257", part238); - - var part239 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ - dup72, - ])); - - var msg190 = msg("126", part239); - - var part240 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ - dup72, - ])); - - var msg191 = msg("127", part240); - - var part241 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ - dup5, - ])); - - var msg192 = msg("128", part241); - - var part242 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ - dup5, - ])); - - var msg193 = msg("129", part242); - - var part243 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ - dup1, - ])); - - var msg194 = msg("130", part243); - - var part244 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ - dup1, - ])); - - var msg195 = msg("131", part244); - - var part245 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", 
processor_chain([ - dup1, - ])); - - var msg196 = msg("132", part245); - - var part246 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ - dup1, - ])); - - var msg197 = msg("133", part246); - - var part247 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ - dup1, - ])); - - var msg198 = msg("134", part247); - - var part248 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ - dup90, - ])); - - var msg199 = msg("135", part248); - - var part249 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ - dup90, - ])); - - var msg200 = msg("136", part249); - - var part250 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ - dup3, - ])); - - var msg201 = msg("137", part250); - - var part251 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ - dup3, - ])); - - var msg202 = msg("138", part251); - - var part252 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ - dup5, - ])); - - var msg203 = msg("139", part252); - - var all37 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1801020100"), - ]), - }); - - var msg204 = msg("139:01", all37); - - var select59 = linear_select([ - msg203, - msg204, - ]); - - var msg205 = msg("140", dup239); - - var msg206 = msg("141", dup239); - - var part253 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ - dup1, - ])); - - var msg207 = msg("142", part253); - - var part254 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ - dup1, - ])); - - var msg208 = msg("143", part254); - - var part255 = match("MESSAGE#207:1431", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, - ])); - - var msg209 = msg("1431", part255); - - var part256 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ - dup1, - ])); - - var msg210 = msg("144", part256); - - var part257 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ - dup1, - ])); - - var msg211 = msg("145", part257); - - var part258 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ - dup92, - ])); - - var msg212 = msg("146", part258); - - var part259 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ - dup92, - ])); - - var msg213 = msg("147", part259); - - var part260 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ - dup1, - ])); - - var msg214 = msg("148", part260); - - var part261 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - setc("eventcategory","1204010000"), - dup11, - ])); - - var msg215 = msg("1480", part261); - - var part262 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ - dup1, - ])); - - var msg216 = msg("149", part262); - - var part263 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ - dup1, - ])); - - var msg217 = msg("150", part263); - - var part264 = match("MESSAGE#216:151", "nwparser.payload", 
"Primary firewall preempting Backup%{}", processor_chain([ - dup1, - ])); - - var msg218 = msg("151", part264); - - var part265 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ - dup1, - ])); - - var msg219 = msg("152", part265); - - var part266 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ - setc("eventcategory","1603010000"), - ])); - - var msg220 = msg("153", part266); - - var part267 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ - dup64, - ])); - - var msg221 = msg("154", part267); - - var part268 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ - dup92, - ])); - - var msg222 = msg("155", part268); - - var part269 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ - dup92, - ])); - - var msg223 = msg("156", part269); - - var part270 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ - dup1, - ])); - - var msg224 = msg("157:01", part270); - - var part271 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ - dup5, - ])); - - var msg225 = msg("157", part271); - - var select60 = linear_select([ - msg224, - msg225, - ]); - - var part272 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ - dup92, - ])); - - var msg226 = msg("158", part272); - - var part273 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ - dup5, - ])); - - var msg227 = msg("159", part273); - - var part274 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ - 
setc("eventcategory","1203000000"), - ])); - - var msg228 = msg("160", part274); - - var part275 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ - dup65, - ])); - - var msg229 = msg("161", part275); - - var part276 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ - dup33, - ])); - - var msg230 = msg("162", part276); - - var part277 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ - dup5, - ])); - - var msg231 = msg("163", part277); - - var part278 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ - dup5, - ])); - - var msg232 = msg("164", part278); - - var part279 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ - dup1, - ])); - - var msg233 = msg("165", part279); - - var part280 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ - dup12, - ])); - - var msg234 = msg("166", part280); - - var part281 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ - dup12, - ])); - - var msg235 = msg("167", part281); - - var part282 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ - dup12, - ])); - - var msg236 = msg("168", part282); - - var part283 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ - dup1, - ])); - - var msg237 = msg("169", part283); - - var part284 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ - dup1, - ])); - - var msg238 = msg("170", part284); - - var part285 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", 
processor_chain([ - dup70, - ])); - - var msg239 = msg("171", part285); - - var part286 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup93, - ])); - - var msg240 = msg("171:01", part286); - - var part287 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ - dup93, - ])); - - var msg241 = msg("171:02", part287); - - var part288 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); - - var all38 = all_match({ - processors: [ - part288, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup93, - ]), - }); - - var msg242 = msg("171:03", all38); - - var select61 = linear_select([ - msg239, - msg240, - msg241, - msg242, - ]); - - var part289 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ - dup70, - ])); - - var msg243 = msg("172", part289); - - var part290 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - dup70, - ])); - - var msg244 = msg("172:01", part290); - - var select62 = linear_select([ - msg243, - msg244, - ]); - - var part291 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ - dup70, - ])); - - var msg245 = msg("173", part291); - - var part292 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ - dup67, - ])); - - var msg246 = msg("174", part292); - - var all39 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var msg247 = msg("174:01", all39); - - var all40 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup187, - ], - on_success: processor_chain([ - dup12, - ]), - }); - - var msg248 = msg("174:02", all40); - - var 
all41 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup191, - dup50, - ], - on_success: processor_chain([ - dup12, - ]), - }); - - var msg249 = msg("174:03", all41); - - var select63 = linear_select([ - msg246, - msg247, - msg248, - msg249, - ]); - - var part293 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ - dup67, - ])); - - var msg250 = msg("175", part293); - - var part294 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ - dup67, - ])); - - var msg251 = msg("175:01", part294); - - var part295 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ - dup67, - ])); - - var msg252 = msg("175:02", part295); - - var select64 = linear_select([ - msg250, - msg251, - msg252, - ]); - - var part296 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ - dup93, - ])); - - var msg253 = msg("176", part296); - - var msg254 = msg("177", dup196); - - var msg255 = msg("178", dup201); - - var msg256 = msg("179", dup196); - - var all42 = all_match({ - processors: [ - dup34, - dup185, - dup187, - ], - on_success: processor_chain([ - dup97, - ]), - }); - - var msg257 = msg("180", all42); - - var all43 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup202, - dup100, - ], - on_success: processor_chain([ - dup97, - ]), - }); - - var msg258 = msg("180:01", all43); - - var select65 = linear_select([ - msg257, - msg258, - ]); - - var msg259 = msg("181", dup195); - - var all44 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup70, - ]), - }); - - var msg260 = msg("181:01", all44); - - var select66 = linear_select([ - msg259, - msg260, - ]); - - var 
msg261 = msg("193", dup240); - - var msg262 = msg("194", dup241); - - var msg263 = msg("195", dup241); - - var part297 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); - - var all45 = all_match({ - processors: [ - part297, - dup204, - dup105, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg264 = msg("196", all45); - - var all46 = all_match({ - processors: [ - dup101, - dup204, - dup105, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg265 = msg("196:01", all46); - - var select67 = linear_select([ - msg264, - msg265, - ]); - - var msg266 = msg("199", dup242); - - var msg267 = msg("200", dup243); - - var part298 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup30, - ])); - - var msg268 = msg("235:02", part298); - - var part299 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); - - var all47 = all_match({ - processors: [ - part299, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var msg269 = msg("235", all47); - - var msg270 = msg("235:01", dup244); - - var select68 = linear_select([ - msg268, - msg269, - msg270, - ]); - - var msg271 = msg("236", dup244); - - var msg272 = msg("237", dup242); - - var msg273 = msg("238", dup242); - - var part300 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ - dup107, - ])); - - var msg274 = msg("239", part300); - - var part301 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ - dup107, - ])); - - var msg275 = msg("240", part301); - - var part302 = 
match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup78, - ])); - - var msg276 = msg("241", part302); - - var part303 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup78, - ])); - - var msg277 = msg("241:01", part303); - - var select69 = linear_select([ - msg276, - msg277, - ]); - - var part304 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); - - var part305 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); - - var select70 = linear_select([ - part304, - part305, - dup40, - ]); - - var part306 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}::"); - - var part307 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport}"); - - var select71 = linear_select([ - part306, - part307, - dup36, - ]); - - var all48 = all_match({ - processors: [ - dup51, - select70, - dup41, - select71, - ], - on_success: processor_chain([ - dup78, - ]), - }); - - var msg278 = msg("242", all48); - - var msg279 = msg("252", dup205); - - var msg280 = msg("255", dup205); - - var msg281 = msg("257", dup205); - - var msg282 = msg("261:01", dup245); - - var msg283 = msg("261", dup205); - - var select72 = linear_select([ - msg282, - msg283, - ]); - - var msg284 = msg("262", dup245); - - var all49 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg285 = msg("273", all49); - - var msg286 = msg("328", dup246); - - var msg287 = msg("329", dup243); - - var msg288 = msg("346", dup205); - - var msg289 = msg("350", dup205); - - var msg290 = msg("351", dup205); - - var msg291 = msg("352", dup205); - - var msg292 = msg("353:01", dup201); - - var part308 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} 
dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ - dup5, - ])); - - var msg293 = msg("353", part308); - - var select73 = linear_select([ - msg292, - msg293, - ]); - - var part309 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ - dup1, - ])); - - var msg294 = msg("354", part309); - - var msg295 = msg("355", dup206); - - var msg296 = msg("355:01", dup205); - - var select74 = linear_select([ - msg295, - msg296, - ]); - - var msg297 = msg("356", dup207); - - var part310 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ - dup93, - ])); - - var msg298 = msg("357", part310); - - var part311 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup93, - ])); - - var msg299 = msg("357:01", part311); - - var select75 = linear_select([ - msg298, - msg299, - ]); - - var msg300 = msg("358", dup208); - - var part312 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ - setc("eventcategory","1503000000"), - ])); - - var msg301 = msg("371", part312); - - var msg302 = msg("371:01", dup209); - - var select76 = linear_select([ - msg301, - msg302, - ]); - - var msg303 = msg("372", dup205); - - var msg304 = msg("373", dup207); - - var msg305 = msg("401", dup247); - - var msg306 = msg("402", dup247); - - var msg307 = msg("406", dup208); - - var part313 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup1, - ])); - - var msg308 = msg("413", part313); - - var msg309 = msg("414", dup205); - - var msg310 = msg("438", dup248); 
- - var msg311 = msg("439", dup248); - - var all50 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1501020000"), - ]), - }); - - var msg312 = msg("440", all50); - - var all51 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1502050000"), - ]), - }); - - var msg313 = msg("441", all51); - - var part314 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - setc("eventcategory","1001020000"), - ])); - - var msg314 = msg("441:01", part314); - - var select77 = linear_select([ - msg313, - msg314, - ]); - - var all52 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1501030000"), - ]), - }); - - var msg315 = msg("442", all52); - - var part315 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); - - var part316 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); - - var part317 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); - - var select78 = linear_select([ - part316, - part317, - ]); - - var part318 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var all53 = all_match({ - processors: [ - part315, - select78, - part318, - dup211, - dup119, - ], - on_success: processor_chain([ - dup67, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg316 = msg("446", all53); - - var part319 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ - dup120, - dup59, - 
dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg317 = msg("477", part319); - - var all54 = all_match({ - processors: [ - dup73, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var msg318 = msg("509", all54); - - var all55 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup109, - ]), - }); - - var msg319 = msg("520", all55); - - var msg320 = msg("522", dup249); - - var part320 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); - - var part321 = match("MESSAGE#318:522:01/2", "nwparser.p0", "dstV6=%{daddr_v6->} dst= %{p0}"); - - var all56 = all_match({ - processors: [ - part320, - dup189, - part321, - dup183, - dup121, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg321 = msg("522:01", all56); - - var part322 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); - - var select79 = linear_select([ - part322, - dup46, - ]); - - var all57 = all_match({ - processors: [ - dup45, - select79, - dup17, - dup183, - dup121, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg322 = msg("522:02", all57); - - var select80 = linear_select([ - msg320, - msg321, - msg322, - ]); - - var msg323 = msg("523", dup249); - - var all58 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup17, - dup212, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg324 = msg("524", all58); - - var part323 = match("MESSAGE#322:524:01/4_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); - - var part324 = match("MESSAGE#322:524:01/4_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); - - var select81 = linear_select([ - part323, - part324, - ]); - - var all59 = all_match({ - processors: [ - dup7, - dup185, - dup183, - dup17, - select81, - dup47, - ], - on_success: 
processor_chain([ - dup1, - ]), - }); - - var msg325 = msg("524:01", all59); - - var part325 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{rule}\"%{p0}"); - - var part326 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", " note=\"%{rulename}\"%{p0}"); - - var select82 = linear_select([ - part326, - dup56, - ]); - - var part327 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); - - var all60 = all_match({ - processors: [ - part325, - select82, - part327, - ], - on_success: processor_chain([ - dup6, - dup11, - ]), - }); - - var msg326 = msg("524:02", all60); - - var select83 = linear_select([ - msg324, - msg325, - msg326, - ]); - - var msg327 = msg("526", dup250); - - var part328 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); - - var select84 = linear_select([ - dup26, - part328, - dup46, - ]); - - var part329 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", "%{daddr}"); - - var select85 = linear_select([ - dup35, - part329, - ]); - - var all61 = all_match({ - processors: [ - dup73, - select84, - dup17, - select85, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg328 = msg("526:01", all61); - - var all62 = all_match({ - processors: [ - dup7, - dup213, - dup183, - dup121, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg329 = msg("526:02", all62); - - var part330 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, - ])); - - var msg330 = msg("526:03", part330); - - var part331 = 
match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, - ])); - - var msg331 = msg("526:04", part331); - - var part332 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, - ])); - - var msg332 = msg("526:05", part332); - - var select86 = linear_select([ - msg327, - msg328, - msg329, - msg330, - msg331, - msg332, - ]); - - var part333 = match("MESSAGE#330:537:01/4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); - - var part334 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3}"); - - var select87 = linear_select([ - part334, - dup123, - ]); - - var all63 = all_match({ - processors: [ - dup122, - dup214, - dup17, - dup215, - part333, - select87, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg333 = msg("537:01", all63); - - var all64 = all_match({ - processors: [ - dup122, - dup214, - dup17, - dup215, - dup81, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg334 = msg("537:02", all64); - - var part335 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); - - var part336 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - - var part337 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", "%{saddr->} %{daddr}srcMac=%{p0}"); - - var select88 = linear_select([ - part335, - part336, - part337, - ]); - - var part338 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); - - var 
part339 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); - - var part340 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", "proto=%{protocol->} sent=%{p0}"); - - var select89 = linear_select([ - part339, - part340, - ]); - - var part341 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\""); - - var part342 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\""); - - var select90 = linear_select([ - part341, - dup131, - part342, - dup132, - dup133, - ]); - - var all65 = all_match({ - processors: [ - dup54, - dup216, - dup217, - select88, - part338, - select89, - dup218, - select90, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg335 = msg("537:08", all65); - - var select91 = linear_select([ - dup125, - dup124, - dup126, - dup38, - ]); - - var part343 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); - - var part344 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); - - var part345 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", "%{saddr->} %{daddr}dstMac=%{p0}"); - - var select92 = linear_select([ - part343, - part344, - part345, - ]); - - var part346 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); - - var part347 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", "%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); - - var select93 = linear_select([ - part347, - dup131, - dup132, - dup133, - ]); - - var all66 = all_match({ - processors: [ - dup54, - select91, - dup217, - select92, - part346, - dup218, - select93, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg336 = msg("537:09", 
all66); - - var part348 = match("MESSAGE#334:537:07/3_0", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); - - var part349 = match("MESSAGE#334:537:07/3_1", "nwparser.p0", "%{saddr} %{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); - - var part350 = match("MESSAGE#334:537:07/3_2", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7}"); - - var part351 = match("MESSAGE#334:537:07/3_3", "nwparser.p0", "%{saddr} %{fld3->} fw_action=\"%{action}\""); - - var part352 = match("MESSAGE#334:537:07/3_4", "nwparser.p0", "%{saddr} %{fld3}"); - - var select94 = linear_select([ - part348, - part349, - part350, - part351, - part352, - ]); - - var all67 = all_match({ - processors: [ - dup54, - dup216, - dup217, - select94, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg337 = msg("537:07", all67); - - var part353 = match("MESSAGE#335:537/0", "nwparser.payload", "msg=\"%{action}\"%{p0}"); - - var part354 = match("MESSAGE#335:537/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"%{p0}"); - - var select95 = linear_select([ - part354, - dup56, - ]); - - var part355 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); - - var part356 = match("MESSAGE#335:537/3_0", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); - - var part357 = match("MESSAGE#335:537/3_1", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}: proto=%{p0}"); - - var part358 = match("MESSAGE#335:537/3_2", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var part359 = match("MESSAGE#335:537/3_3", "nwparser.p0", "%{saddr}%{daddr->} proto=%{p0}"); - - var select96 = linear_select([ - part356, - part357, - part358, - part359, - ]); - - var part360 = match("MESSAGE#335:537/4", "nwparser.p0", "%{protocol->} sent=%{p0}"); - - var part361 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} 
rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); - - var part362 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); - - var part363 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); - - var part364 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); - - var part365 = match_copy("MESSAGE#335:537/5_4", "nwparser.p0", "sbytes"); - - var select97 = linear_select([ - part361, - part362, - part363, - part364, - part365, - ]); - - var all68 = all_match({ - processors: [ - part353, - select95, - part355, - select96, - part360, - select97, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg338 = msg("537", all68); - - var part366 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); - - var all69 = all_match({ - processors: [ - dup134, - dup190, - dup17, - dup219, - part366, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg339 = msg("537:04", all69); - - var part367 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{fld4->} %{p0}"); - - var part368 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); - - var part369 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "npcs= %{p0}"); - - var select98 = linear_select([ - part368, - part369, - ]); - - var all70 = all_match({ - processors: [ - dup134, - dup190, - dup17, - dup219, - part367, - select98, - dup96, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg340 = msg("537:05", all70); - - var part370 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{fld2->} %{p0}"); - - var part371 = match("MESSAGE#338:537:10/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} 
dstMac=%{p0}"); - - var part372 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); - - var part373 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); - - var select99 = linear_select([ - part371, - part372, - part373, - ]); - - var part374 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); - - var all71 = all_match({ - processors: [ - part370, - dup220, - dup139, - dup221, - select99, - part374, - dup222, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg341 = msg("537:10", all71); - - var part375 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} %{p0}"); - - var part376 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var part377 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); - - var select100 = linear_select([ - dup85, - part376, - part377, - ]); - - var part378 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); - - var all72 = all_match({ - processors: [ - part375, - dup220, - dup139, - dup221, - select100, - part378, - dup222, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg342 = msg("537:03", all72); - - var part379 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); - - var all73 = all_match({ - processors: [ - dup134, - dup190, - dup17, - dup219, - part379, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg343 = msg("537:06", all73); - - var part380 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup111, - dup62, - dup11, - dup144, - ])); - - var msg344 = msg("537:11", part380); - - var part381 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup111, - dup62, - dup11, - dup144, - ])); - - var msg345 = msg("537:12", part381); - - var select101 = linear_select([ - msg333, - msg334, - msg335, - msg336, - msg337, - msg338, - msg339, - msg340, - msg341, - msg342, - msg343, - msg344, - msg345, - ]); - - var msg346 = msg("538", dup240); - - var msg347 = msg("549", dup243); - - var msg348 = msg("557", dup243); - - var all74 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1402020200"), - ]), - }); - - var msg349 = msg("558", all74); - - var msg350 = msg("561", dup246); - - var msg351 = msg("562", dup246); - - var msg352 = msg("563", dup246); - - var all75 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1402020400"), - ]), - }); - - var msg353 = msg("583", all75); - - var part382 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ - dup145, - dup59, - dup146, - dup61, - dup62, - dup11, - dup147, - dup18, - dup19, - dup20, - dup21, - dup22, 
- ])); - - var msg354 = msg("597:01", part382); - - var part383 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ - dup1, - ])); - - var msg355 = msg("597:02", part383); - - var part384 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{saddr}:%{sport}:%{p0}"); - - var part385 = match("MESSAGE#353:597:03/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); - - var all76 = all_match({ - processors: [ - part384, - dup198, - part385, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg356 = msg("597:03", all76); - - var select102 = linear_select([ - msg354, - msg355, - msg356, - ]); - - var part386 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ - dup1, - ])); - - var msg357 = msg("598", part386); - - var part387 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{type->} npcs=%{info}"); - - var all77 = all_match({ - processors: [ - dup148, - dup192, - part387, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg358 = msg("598:01", all77); - - var all78 = all_match({ - processors: [ - dup148, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg359 = msg("598:02", all78); - - var select103 = linear_select([ - msg357, - msg358, - msg359, - ]); - - var part388 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ - dup145, - dup59, - dup146, - dup61, - dup62, - dup11, - dup147, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg360 = msg("602:01", 
part388); - - var msg361 = msg("602:02", dup250); - - var all79 = all_match({ - processors: [ - dup7, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg362 = msg("602:03", all79); - - var select104 = linear_select([ - msg360, - msg361, - msg362, - ]); - - var msg363 = msg("605", dup208); - - var all80 = all_match({ - processors: [ - dup149, - dup223, - dup152, - dup211, - dup119, - ], - on_success: processor_chain([ - dup93, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg364 = msg("606", all80); - - var part389 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); - - var part390 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); - - var part391 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); - - var select105 = linear_select([ - part390, - part391, - ]); - - var part392 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); - - var part393 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); - - var part394 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); - - var select106 = linear_select([ - part393, - part394, - ]); - - var part395 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); - - var select107 = linear_select([ - part395, - dup154, - dup155, - ]); - - var all81 = all_match({ - processors: [ - part389, - select105, - part392, - select106, - dup153, - select107, - ], - on_success: processor_chain([ - dup1, - dup44, - ]), - }); - - var msg365 = msg("608", all81); - - var msg366 = msg("616", dup206); - - var msg367 = msg("658", dup201); - - var msg368 = msg("710", dup224); - - var msg369 = msg("712:02", dup251); - - var msg370 = msg("712", dup224); - - var all82 = all_match({ - processors: [ - dup7, - dup182, - dup10, - 
dup202, - dup100, - ], - on_success: processor_chain([ - dup156, - ]), - }); - - var msg371 = msg("712:01", all82); - - var select108 = linear_select([ - msg369, - msg370, - msg371, - ]); - - var part396 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg372 = msg("713:01", part396); - - var msg373 = msg("713:04", dup251); - - var msg374 = msg("713:02", dup224); - - var part397 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg375 = msg("713:03", part397); - - var select109 = linear_select([ - msg372, - msg373, - msg374, - msg375, - ]); - - var part398 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ - dup120, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg376 = msg("760", part398); - - var part399 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var part400 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{action->} npcs=%{info}"); - - var all83 = all_match({ - processors: [ - part399, - dup182, - dup10, - dup202, - part400, - ], - on_success: processor_chain([ - dup120, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - 
dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg377 = msg("760:01", all83); - - var select110 = linear_select([ - msg376, - msg377, - ]); - - var msg378 = msg("766", dup228); - - var msg379 = msg("860", dup228); - - var msg380 = msg("860:01", dup229); - - var select111 = linear_select([ - msg379, - msg380, - ]); - - var part401 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); - - var part402 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); - - var part403 = match_copy("MESSAGE#378:866/1_1", "nwparser.p0", "ntype"); - - var select112 = linear_select([ - part402, - part403, - ]); - - var all84 = all_match({ - processors: [ - part401, - select112, - ], - on_success: processor_chain([ - dup5, - dup44, - ]), - }); - - var msg381 = msg("866", all84); - - var msg382 = msg("866:01", dup229); - - var select113 = linear_select([ - msg381, - msg382, - ]); - - var msg383 = msg("867", dup228); - - var msg384 = msg("867:01", dup229); - - var select114 = linear_select([ - msg383, - msg384, - ]); - - var part404 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup1, - ])); - - var msg385 = msg("882", part404); - - var part405 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ - dup1, - ])); - - var msg386 = msg("882:01", part405); - - var select115 = linear_select([ - msg385, - msg386, - ]); - - var part406 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ - dup165, - ])); - - var msg387 = msg("888", part406); - - var part407 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ - dup165, - ])); - - var msg388 = msg("888:01", part407); - - var select116 = linear_select([ - msg387, - msg388, - ]); - - var all85 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup165, - ]), - }); - - var msg389 = msg("892", all85); - - var msg390 = msg("904", dup228); - - var msg391 = msg("905", dup228); - - var msg392 = msg("906", dup228); - - var msg393 = msg("907", dup228); - - var part408 = match("MESSAGE#391:908/1_0", "nwparser.p0", "%{sinterface}:%{shost->} dst=%{p0}"); - - var select117 = linear_select([ - part408, - dup167, - ]); - - var all86 = all_match({ - processors: [ - dup166, - select117, - dup168, - dup223, - dup169, - dup211, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg394 = msg("908", all86); - - var msg395 = msg("909", dup228); - - var msg396 = msg("914", dup230); - - var part409 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup72, - ])); - - var msg397 = msg("931", part409); - - var msg398 = msg("657", dup230); - - var all87 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg399 = msg("657:01", all87); - - var select118 = linear_select([ - msg398, - msg399, - ]); - - var msg400 = msg("403", dup209); - - var msg401 = msg("534", dup184); - - var msg402 = msg("994", dup231); - - var part410 = 
match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ - dup1, - dup24, - ])); - - var msg403 = msg("243", part410); - - var msg404 = msg("995", dup184); - - var part411 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ - dup1, - dup59, - dup61, - dup62, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg405 = msg("997", part411); - - var msg406 = msg("998", dup231); - - var part412 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup111, - dup11, - ])); - - var msg407 = msg("998:01", part412); - - var select119 = linear_select([ - msg406, - msg407, - ]); - - var msg408 = msg("1110", dup232); - - var msg409 = msg("565", dup232); - - var part413 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup62, - ])); - - var msg410 = msg("404", part413); - - var part414 = match("MESSAGE#409:267:01/1_0", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); - - var select120 = linear_select([ - part414, - dup58, - ]); - - var part415 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); - - var all88 = all_match({ - processors: [ - dup87, - select120, - part415, - ], - on_success: processor_chain([ - dup111, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, 
- ]), - }); - - var msg411 = msg("267:01", all88); - - var part416 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ - dup1, - dup62, - ])); - - var msg412 = msg("267", part416); - - var select121 = linear_select([ - msg411, - msg412, - ]); - - var part417 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ - dup1, - dup24, - ])); - - var msg413 = msg("263", part417); - - var part418 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup109, - dup11, - ])); - - var msg414 = msg("264", part418); - - var msg415 = msg("412", dup209); - - var part419 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ - dup1, - dup24, - ])); - - var msg416 = msg("793", part419); - - var part420 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ - dup1, - dup24, - ])); - - var msg417 = msg("805", part420); - - var part421 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup170, - dup11, - ])); - - var msg418 = msg("809", part421); - - var part422 = match("MESSAGE#418:809:01", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup170, - dup11, - ])); - - var msg419 = msg("809:01", part422); - - var select122 = linear_select([ - msg418, - msg419, - ]); - - var msg420 = msg("935", dup230); - - var msg421 = msg("614", dup233); - - var part423 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var all89 = all_match({ - processors: [ - part423, - dup211, - dup119, - ], - on_success: processor_chain([ - dup66, - dup44, - ]), - }); - - var msg422 = msg("748", all89); - - var part424 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var part425 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); - - var select123 = linear_select([ - part425, - dup118, - ]); - - var all90 = all_match({ - processors: [ - part424, - select123, - dup119, - ], - on_success: processor_chain([ - dup171, - dup44, - ]), - }); - - var msg423 = msg("794", all90); - - var msg424 = msg("1086", dup233); - - var part426 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup171, - dup44, - ])); - - var msg425 = msg("1430", part426); - - var msg426 = msg("1149", dup233); - - var msg427 = msg("1159", dup233); - - var part427 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup171, - 
dup44, - ])); - - var msg428 = msg("1195", part427); - - var part428 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ - dup171, - dup44, - ])); - - var msg429 = msg("1195:01", part428); - - var select124 = linear_select([ - msg428, - msg429, - ]); - - var part429 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup5, - dup44, - ])); - - var msg430 = msg("1226", part429); - - var part430 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ - dup5, - dup44, - ])); - - var msg431 = msg("1222", part430); - - var part431 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ - dup1, - dup24, - ])); - - var msg432 = msg("1154", part431); - - var part432 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); - - var all91 = all_match({ - processors: [ - part432, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - dup24, - ]), - }); - - var msg433 = msg("1154:01", all91); - - var part433 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup172, - dup11, - ])); - - var msg434 = msg("1154:02", part433); - - var part434 = match("MESSAGE#434:1154:03/0", 
"nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); - - var part435 = match("MESSAGE#434:1154:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac=%{p0}"); - - var select125 = linear_select([ - part435, - dup79, - ]); - - var part436 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); - - var all92 = all_match({ - processors: [ - part434, - select125, - part436, - ], - on_success: processor_chain([ - dup172, - dup11, - ]), - }); - - var msg435 = msg("1154:03", all92); - - var select126 = linear_select([ - msg432, - msg433, - msg434, - msg435, - ]); - - var part437 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ - dup173, - ])); - - var msg436 = msg("msg", part437); - - var part438 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ - dup173, - ])); - - var msg437 = msg("src", part438); - - var all93 = all_match({ - processors: [ - dup7, - dup185, - dup183, - dup17, - dup212, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg438 = msg("1235", all93); - - var part439 = match("MESSAGE#438:1197/4", "nwparser.p0", "\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); - - var all94 = all_match({ - processors: [ - dup7, - dup185, - dup10, - dup202, - part439, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg439 = msg("1197", all94); - - var part440 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var all95 = all_match({ - processors: [ - part440, - dup185, - dup174, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg440 = msg("1199", all95); - - var part441 = 
match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup175, - dup11, - ])); - - var msg441 = msg("1199:01", part441); - - var part442 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup175, - dup11, - ])); - - var msg442 = msg("1199:02", part442); - - var select127 = linear_select([ - msg440, - msg441, - msg442, - ]); - - var part443 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); - - var all96 = all_match({ - processors: [ - part443, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg443 = msg("1155", all96); - - var part444 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ - dup111, - ])); - - var msg444 = msg("1155:01", part444); - - var select128 = linear_select([ - msg443, - msg444, - ]); - - var all97 = all_match({ - processors: [ - dup176, - dup213, - dup174, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg445 = msg("1198", all97); - - var all98 = all_match({ - processors: [ - dup7, - dup185, - dup174, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg446 = msg("714", all98); - - var msg447 = 
msg("709", dup252); - - var msg448 = msg("1005", dup252); - - var msg449 = msg("1003", dup252); - - var msg450 = msg("1007", dup253); - - var part445 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup109, - dup11, - ])); - - var msg451 = msg("1008", part445); - - var msg452 = msg("708", dup253); - - var all99 = all_match({ - processors: [ - dup176, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg453 = msg("1201", all99); - - var msg454 = msg("1201:01", dup253); - - var select129 = linear_select([ - msg453, - msg454, - ]); - - var msg455 = msg("654", dup234); - - var msg456 = msg("670", dup234); - - var msg457 = msg("884", dup253); - - var part446 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ - dup1, - ])); - - var msg458 = msg("1153", part446); - - var part447 = match("MESSAGE#458:1153:01/1_0", "nwparser.p0", " app=%{fld1->} sess=%{fld2->} n=%{p0}"); - - var part448 = match("MESSAGE#458:1153:01/1_1", "nwparser.p0", " sess=%{fld2->} n=%{p0}"); - - var part449 = match("MESSAGE#458:1153:01/1_2", "nwparser.p0", " n=%{p0}"); - - var select130 = linear_select([ - part447, - part448, - part449, - ]); - - var part450 = match("MESSAGE#458:1153:01/2", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); - - var part451 = match("MESSAGE#458:1153:01/3_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); - - var select131 = linear_select([ - part451, - dup26, - ]); - - var part452 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); - - var part453 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); - - var part454 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); - - var select132 = linear_select([ - part452, - part453, - part454, - ]); - - var part455 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); - - var part456 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{p0}"); - - var part457 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{p0}"); - - var part458 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{p0}"); - - var select133 = linear_select([ - part456, - part457, - part458, - ]); - - var all100 = all_match({ - processors: [ - dup54, - select130, - part450, - select131, - select132, - part455, - select133, - dup123, - ], - on_success: processor_chain([ - dup1, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg459 = msg("1153:01", all100); - - var part459 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); - - var part460 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", "n=%{fld2->} src=%{p0}"); - - var select134 = linear_select([ - part459, - part460, - ]); - - var part461 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); - - var all101 = all_match({ - processors: [ - dup82, - select134, - part461, - ], - on_success: processor_chain([ - dup1, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg460 = msg("1153:02", all101); - - var select135 = linear_select([ - msg458, - msg459, - msg460, - ]); - - var part462 = match("MESSAGE#460:1107", "nwparser.payload", 
"msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ - dup1, - ])); - - var msg461 = msg("1107", part462); - - var part463 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); - - var part464 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var part465 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst= %{p0}"); - - var select136 = linear_select([ - part464, - part465, - ]); - - var all102 = all_match({ - processors: [ - part463, - select136, - dup153, - dup235, - dup179, - ], - on_success: processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg462 = msg("1220", all102); - - var all103 = all_match({ - processors: [ - dup149, - dup235, - dup179, - ], - on_success: processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg463 = msg("1230", all103); - - var part466 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ - dup1, - ])); - - var msg464 = msg("1231", part466); - - var part467 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup175, - dup11, - ])); - - var msg465 = msg("1233", part467); - - var part468 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); - - var part469 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); - - var part470 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); - - var select137 = linear_select([ - part469, - part470, - ]); - - var part471 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); - - var part472 = match("MESSAGE#465:1079/3_0", 
"nwparser.p0", "dur=%{duration->} %{space}n=%{p0}"); - - var part473 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{p0}"); - - var select138 = linear_select([ - part472, - part473, - dup38, - ]); - - var part474 = match_copy("MESSAGE#465:1079/4", "nwparser.p0", "fld1"); - - var all104 = all_match({ - processors: [ - part468, - select137, - part471, - select138, - part474, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg466 = msg("1079", all104); - - var part475 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ - dup1, - ])); - - var msg467 = msg("1079:01", part475); - - var part476 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ - dup1, - dup11, - setc("event_description","destination is not allowed by access control"), - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg468 = msg("1079:02", part476); - - var part477 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ - dup1, - dup11, - setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg469 = msg("1079:03", part477); - - var select139 = linear_select([ - msg466, - msg467, - msg468, - msg469, - ]); - - var part478 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); - - var part479 = match("MESSAGE#469:1080/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var select140 = linear_select([ - dup8, - part479, - ]); - - var part480 = match("MESSAGE#469:1080/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); - - var select141 = 
linear_select([ - dup135, - part480, - ]); - - var part481 = match_copy("MESSAGE#469:1080/3", "nwparser.p0", "protocol"); - - var all105 = all_match({ - processors: [ - part478, - select140, - select141, - part481, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg470 = msg("1080", all105); - - var part482 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg471 = msg("580", part482); - - var part483 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); - - var all106 = all_match({ - processors: [ - part483, - dup236, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg472 = msg("1369", all106); - - var all107 = all_match({ - processors: [ - dup149, - dup223, - dup152, - dup236, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg473 = msg("1370", all107); - - var all108 = all_match({ - processors: [ - dup149, - dup223, - dup169, - dup211, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg474 = msg("1371", all108); - - var part484 = match("MESSAGE#474:1387/1_1", "nwparser.p0", " dst=%{p0}"); - - var select142 = linear_select([ - dup167, - part484, - ]); - - var all109 = all_match({ - processors: [ - dup166, - select142, - dup168, - dup223, - dup169, - dup211, - dup119, - ], - on_success: processor_chain([ - dup165, - dup62, 
- dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg475 = msg("1387", all109); - - var part485 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{saddr}:%{p0}"); - - var part486 = match("MESSAGE#475:1391/1_0", "nwparser.p0", "%{sport}:%{sinterface}dst=%{p0}"); - - var part487 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{sport}dst=%{p0}"); - - var select143 = linear_select([ - part486, - part487, - ]); - - var part488 = match("MESSAGE#475:1391/3_0", "nwparser.p0", "%{dport}:%{dinterface}:%{dhost}"); - - var select144 = linear_select([ - part488, - dup154, - dup155, - ]); - - var all110 = all_match({ - processors: [ - part485, - select143, - dup153, - select144, - ], - on_success: processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg476 = msg("1391", all110); - - var part489 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg477 = msg("1253", part489); - - var part490 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg478 = msg("1009", part490); - - var part491 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{p0}"); - - var part492 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{dinterface}:%{dhost}srcMac=%{p0}"); - - var part493 = match("MESSAGE#478:910/1_1", 
"nwparser.p0", "%{dinterface}srcMac=%{p0}"); - - var select145 = linear_select([ - part492, - part493, - ]); - - var part494 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); - - var all111 = all_match({ - processors: [ - part491, - select145, - part494, - ], - on_success: processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg479 = msg("910", all111); - - var part495 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup22, - dup44, - ])); - - var msg480 = msg("m:01", part495); - - var part496 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg481 = msg("1011", part496); - - var part497 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup172, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg482 = msg("609", part497); - - var msg483 = msg("796", dup237); - - var part498 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg484 = msg("880", part498); - - var part499 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", 
processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg485 = msg("1309", part499); - - var msg486 = msg("1310", dup237); - - var part500 = match("MESSAGE#486:1232/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); - - var part501 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} note=\"%{p0}"); - - var part502 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{dinterface->} note=\"%{p0}"); - - var select146 = linear_select([ - part501, - part502, - ]); - - var part503 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); - - var all112 = all_match({ - processors: [ - part500, - select146, - part503, - ], - on_success: processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg487 = msg("1232", all112); - - var part504 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var all113 = all_match({ - processors: [ - part504, - dup211, - dup119, - ], - on_success: processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg488 = msg("1447", all113); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "10": msg9, - "100": msg159, - "1003": msg449, - "1005": msg448, - "1007": msg450, - "1008": msg451, - "1009": msg478, - "101": msg160, - "1011": msg481, - "102": msg161, - "103": msg162, - "104": msg163, - "105": msg164, - "106": msg165, - "107": msg166, - "1079": select139, - "108": msg167, - "1080": msg470, - "1086": msg424, - "109": msg168, - "11": msg10, - "110": msg169, - "1107": msg461, - "111": select57, - 
"1110": msg408, - "112": msg172, - "113": msg173, - "114": msg174, - "1149": msg426, - "115": select58, - "1153": select135, - "1154": select126, - "1155": select128, - "1159": msg427, - "116": msg177, - "117": msg178, - "118": msg179, - "119": msg180, - "1195": select124, - "1197": msg439, - "1198": msg445, - "1199": select127, - "12": select4, - "120": msg181, - "1201": select129, - "121": msg182, - "122": msg183, - "1220": msg462, - "1222": msg431, - "1226": msg430, - "123": msg184, - "1230": msg463, - "1231": msg464, - "1232": msg487, - "1233": msg465, - "1235": msg438, - "124": msg185, - "125": msg186, - "1253": msg477, - "1254": msg187, - "1256": msg188, - "1257": msg189, - "126": msg190, - "127": msg191, - "128": msg192, - "129": msg193, - "13": msg13, - "130": msg194, - "1309": msg485, - "131": msg195, - "1310": msg486, - "132": msg196, - "133": msg197, - "134": msg198, - "135": msg199, - "136": msg200, - "1369": msg472, - "137": msg201, - "1370": msg473, - "1371": msg474, - "138": msg202, - "1387": msg475, - "139": select59, - "1391": msg476, - "14": select7, - "140": msg205, - "141": msg206, - "142": msg207, - "143": msg208, - "1430": msg425, - "1431": msg209, - "144": msg210, - "1447": msg488, - "145": msg211, - "146": msg212, - "147": msg213, - "148": msg214, - "1480": msg215, - "149": msg216, - "15": msg20, - "150": msg217, - "151": msg218, - "152": msg219, - "153": msg220, - "154": msg221, - "155": msg222, - "156": msg223, - "157": select60, - "158": msg226, - "159": msg227, - "16": msg21, - "160": msg228, - "161": msg229, - "162": msg230, - "163": msg231, - "164": msg232, - "165": msg233, - "166": msg234, - "167": msg235, - "168": msg236, - "169": msg237, - "17": msg22, - "170": msg238, - "171": select61, - "172": select62, - "173": msg245, - "174": select63, - "175": select64, - "176": msg253, - "177": msg254, - "178": msg255, - "179": msg256, - "18": msg23, - "180": select65, - "181": select66, - "19": msg24, - "193": msg261, - "194": msg262, - 
"195": msg263, - "196": select67, - "199": msg266, - "20": msg25, - "200": msg267, - "21": msg26, - "22": msg27, - "23": select10, - "235": select68, - "236": msg271, - "237": msg272, - "238": msg273, - "239": msg274, - "24": select11, - "240": msg275, - "241": select69, - "242": msg278, - "243": msg403, - "25": msg34, - "252": msg279, - "255": msg280, - "257": msg281, - "26": msg35, - "261": select72, - "262": msg284, - "263": msg413, - "264": msg414, - "267": select121, - "27": msg36, - "273": msg285, - "28": select12, - "29": select13, - "30": select14, - "31": select15, - "32": select16, - "328": msg286, - "329": msg287, - "33": select17, - "34": msg52, - "346": msg288, - "35": select18, - "350": msg289, - "351": msg290, - "352": msg291, - "353": select73, - "354": msg294, - "355": select74, - "356": msg297, - "357": select75, - "358": msg300, - "36": select21, - "37": select23, - "371": select76, - "372": msg303, - "373": msg304, - "38": select25, - "39": msg67, - "4": msg1, - "40": msg68, - "401": msg305, - "402": msg306, - "403": msg400, - "404": msg410, - "406": msg307, - "41": select26, - "412": msg415, - "413": msg308, - "414": msg309, - "42": msg72, - "427": msg156, - "428": msg157, - "43": msg73, - "438": msg310, - "439": msg311, - "44": msg74, - "440": msg312, - "441": select77, - "442": msg315, - "446": msg316, - "45": select27, - "46": select28, - "47": msg82, - "477": msg317, - "48": msg83, - "49": msg84, - "5": select2, - "50": msg85, - "509": msg318, - "51": msg86, - "52": msg87, - "520": msg319, - "522": select80, - "523": msg323, - "524": select83, - "526": select86, - "53": msg88, - "534": msg401, - "537": select101, - "538": msg346, - "549": msg347, - "557": msg348, - "558": msg349, - "561": msg350, - "562": msg351, - "563": msg352, - "565": msg409, - "58": msg89, - "580": msg471, - "583": msg353, - "597": select102, - "598": select103, - "6": select3, - "60": msg90, - "602": select104, - "605": msg363, - "606": msg364, - "608": msg365, - 
"609": msg482, - "61": msg91, - "614": msg421, - "616": msg366, - "62": msg92, - "63": select29, - "64": msg95, - "65": msg96, - "654": msg455, - "657": select118, - "658": msg367, - "66": msg97, - "67": select30, - "670": msg456, - "68": msg100, - "69": msg101, - "7": msg6, - "70": select32, - "708": msg452, - "709": msg447, - "710": msg368, - "712": select108, - "713": select109, - "714": msg446, - "72": select33, - "73": msg106, - "74": msg107, - "748": msg422, - "75": msg108, - "76": msg109, - "760": select110, - "766": msg378, - "77": msg110, - "78": msg111, - "79": msg112, - "793": msg416, - "794": msg423, - "796": msg483, - "8": msg7, - "80": msg113, - "805": msg417, - "809": select122, - "81": msg114, - "82": select34, - "83": select35, - "84": msg122, - "860": select111, - "866": select113, - "867": select114, - "87": select37, - "88": select38, - "880": msg484, - "882": select115, - "884": msg457, - "888": select116, - "89": select40, - "892": msg389, - "9": msg8, - "90": msg129, - "904": msg390, - "905": msg391, - "906": msg392, - "907": msg393, - "908": msg394, - "909": msg395, - "91": msg130, - "910": msg479, - "914": msg396, - "92": msg131, - "93": msg132, - "931": msg397, - "935": msg420, - "94": msg133, - "95": msg134, - "96": msg135, - "97": select44, - "98": select56, - "986": msg155, - "99": msg158, - "994": msg402, - "995": msg404, - "997": msg405, - "998": select119, - "m": msg480, - "msg": msg436, - "src": msg437, - }), - ]); - - var part505 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var part506 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); - - var part507 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var part508 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); - - var part509 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} %{p0}"); - - var part510 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); - - var part511 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); - - var part512 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var part513 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); - - var part514 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); - - var part515 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); - - var part516 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); - - var part517 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); - - var part518 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); - - var part519 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); - - var part520 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); - - var part521 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); - - var part522 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); - - var part523 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); - - var part524 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); - - var part525 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); - - var part526 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); - - var part527 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var part528 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); - - var part529 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); - - var part530 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); - - 
var part531 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); - - var part532 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); - - var part533 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); - - var part534 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); - - var part535 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); - - var part536 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); - - var part537 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); - - var part538 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); - - var part539 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - - var part540 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); - - var part541 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); - - var part542 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); - - var part543 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); - - var part544 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); - - var part545 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var part546 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); - - var part547 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); - - var part548 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes}"); - - var part549 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); - - var part550 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} 
dst= %{p0}"); - - var part551 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); - - var part552 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); - - var part553 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); - - var part554 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - - var part555 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); - - var part556 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); - - var part557 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); - - var part558 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); - - var part559 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); - - var part560 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); - - var part561 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); - - var part562 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); - - var part563 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); - - var part564 = match("MESSAGE#262:196/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); - - var part565 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); - - var part566 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); - - var part567 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); - - var part568 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); - - var part569 = match("MESSAGE#302:401/1_0", "nwparser.p0", 
"dstname=%{name}"); - - var part570 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); - - var part571 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); - - var part572 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); - - var part573 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); - - var part574 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); - - var part575 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); - - var part576 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); - - var part577 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); - - var part578 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); - - var part579 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); - - var part580 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); - - var part581 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); - - var part582 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); - - var part583 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); - - var part584 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); - - var part585 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); - - var part586 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); - - var part587 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var part588 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); - - var part589 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); - - var part590 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); - - var part591 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); - - var part592 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); - - var part593 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - - var part594 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); - - var part595 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); - - var part596 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); - - var part597 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); - - var part598 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); - - var part599 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); - - var part600 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); - - var part601 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); - - var part602 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); - - var part603 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); - - var part604 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); - - var part605 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); - - var part606 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); - - var part607 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - - var part608 = 
match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var part609 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); - - var part610 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); - - var part611 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); - - var part612 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); - - var part613 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); - - var part614 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); - - var part615 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); - - var part616 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var part617 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); - - var part618 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var part619 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); - - var part620 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); - - var part621 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); - - var part622 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); - - var part623 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); - - var select147 = linear_select([ - dup8, - dup9, - ]); - - var select148 = linear_select([ - dup15, - dup16, - ]); - - var part624 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - 
])); - - var select149 = linear_select([ - dup26, - dup27, - ]); - - var select150 = linear_select([ - dup28, - dup29, - ]); - - var select151 = linear_select([ - dup35, - dup36, - ]); - - var select152 = linear_select([ - dup37, - dup38, - ]); - - var select153 = linear_select([ - dup39, - dup40, - ]); - - var select154 = linear_select([ - dup26, - dup46, - ]); - - var select155 = linear_select([ - dup48, - dup49, - ]); - - var select156 = linear_select([ - dup52, - dup53, - ]); - - var select157 = linear_select([ - dup55, - dup56, - ]); - - var select158 = linear_select([ - dup57, - dup58, - ]); - - var part625 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup70, - ])); - - var part626 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup5, - ])); - - var select159 = linear_select([ - dup75, - dup76, - ]); - - var select160 = linear_select([ - dup83, - dup84, - ]); - - var part627 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ - dup1, - ])); - - var select161 = linear_select([ - dup94, - dup95, - ]); - - var part628 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup5, - ])); - - var select162 = linear_select([ - dup98, - dup99, - ]); - - var select163 = linear_select([ - dup86, - dup102, - ]); - - var select164 = linear_select([ - dup103, - dup104, - ]); - - var part629 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup93, - ])); - - var part630 = match("MESSAGE#293:355", "nwparser.payload", 
"msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup93, - ])); - - var part631 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup1, - ])); - - var part632 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup1, - ])); - - var part633 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - ])); - - var select165 = linear_select([ - dup114, - dup115, - ]); - - var select166 = linear_select([ - dup117, - dup118, - ]); - - var select167 = linear_select([ - dup43, - dup42, - ]); - - var select168 = linear_select([ - dup8, - dup27, - ]); - - var select169 = linear_select([ - dup8, - dup26, - dup46, - ]); - - var select170 = linear_select([ - dup80, - dup15, - dup16, - ]); - - var select171 = linear_select([ - dup124, - dup125, - dup126, - dup38, - ]); - - var select172 = linear_select([ - dup127, - dup128, - ]); - - var select173 = linear_select([ - dup129, - dup130, - ]); - - var select174 = linear_select([ - dup135, - dup136, - dup137, - ]); - - var select175 = linear_select([ - dup138, - dup56, - ]); - - var select176 = linear_select([ - dup140, - dup141, - ]); - - var select177 = linear_select([ - dup142, - dup143, - ]); - - var select178 = linear_select([ - dup150, - dup151, - ]); - - var part634 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup156, - ])); - - var select179 = linear_select([ - dup158, - dup38, - ]); - - var select180 = linear_select([ - dup160, - dup161, - ]); - - var select181 = linear_select([ - dup162, - dup163, - ]); - - var part635 = 
match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ - dup5, - ])); - - var part636 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ - dup5, - ])); - - var part637 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ - dup5, - dup24, - ])); - - var part638 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - ])); - - var part639 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ - dup1, - dup24, - ])); - - var part640 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup171, - dup44, - ])); - - var part641 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ - dup1, - ])); - - var select182 = linear_select([ - dup177, - dup178, - ]); - - var select183 = linear_select([ - dup180, - dup181, - ]); - - var part642 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var all114 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var all115 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup91, - ]), - }); - - var all116 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var all117 = all_match({ - processors: [ - 
dup101, - dup203, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var all118 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup106, - ]), - }); - - var all119 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var all120 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var all121 = all_match({ - processors: [ - dup108, - dup185, - dup187, - ], - on_success: processor_chain([ - dup109, - ]), - }); - - var all122 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup112, - ]), - }); - - var all123 = all_match({ - processors: [ - dup113, - dup210, - ], - on_success: processor_chain([ - dup93, - ]), - }); - - var all124 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup116, - ]), - }); - - var all125 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup187, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var all126 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var all127 = all_match({ - processors: [ - dup157, - dup225, - dup159, - dup226, - dup227, - dup164, - ], - on_success: processor_chain([ - dup156, - dup59, - dup60, - dup61, - dup62, - dup44, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var all128 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup202, - dup100, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var all129 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain 
- target_subdomain_field: dns.question.subdomain
- target_etld_field: dns.question.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: client.domain
- target_field: client.registered_domain
- target_subdomain_field: client.subdomain
- target_etld_field: client.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: server.domain
- target_field: server.registered_domain
- target_subdomain_field: server.subdomain
- target_etld_field: server.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: destination.domain
- target_field: destination.registered_domain
- target_subdomain_field: destination.subdomain
- target_etld_field: destination.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: source.domain
- target_field: source.registered_domain
- target_subdomain_field: source.subdomain
- target_etld_field: source.top_level_domain
-- registered_domain:
- ignore_missing: true
- ignore_failure: true
- field: url.domain
- target_field: url.registered_domain
- target_subdomain_field: url.subdomain
- target_etld_field: url.top_level_domain
-- add_locale: ~
diff --git a/packages/sonicwall/data_stream/firewall/agent/stream/udp.yml.hbs b/packages/sonicwall/data_stream/firewall/agent/stream/udp.yml.hbs
deleted file mode 100644
index 62b0a8c15e0..00000000000
--- a/packages/sonicwall/data_stream/firewall/agent/stream/udp.yml.hbs
+++ /dev/null
@@ -1,9736 +0,0 @@
-udp:
-host: "{{udp_host}}:{{udp_port}}"
-tags:
-{{#if preserve_original_event}}
- - preserve_original_event
-{{/if}}
-{{#each tags as |tag i|}}
- - {{tag}}
-{{/each}}
-fields_under_root: true
-fields:
- observer:
- vendor: "Sonicwall"
- product: "Firewalls"
- type: "Firewall"
-{{#contains "forwarded" tags}}
-publisher_pipeline.disable_host: true
-{{/contains}}
-processors:
-{{#if processors}}
-{{processors}}
-{{/if}}
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{rsa_fields}}
- tz_offset: {{tz_offset}}
- keep_raw: {{keep_raw_fields}}
- debug: {{debug}}
- source: |
- // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- // or more contributor license agreements. Licensed under the Elastic License;
- // you may not use this file except in compliance with the Elastic License.
-
- /* jshint -W014,-W016,-W097,-W116 */
-
- var processor = require("processor");
- var console = require("console");
-
- var FLAG_FIELD = "log.flags";
- var FIELDS_OBJECT = "nwparser";
- var FIELDS_PREFIX = FIELDS_OBJECT + ".";
-
- var defaults = {
- debug: false,
- ecs: true,
- rsa: false,
- keep_raw: false,
- tz_offset: "local",
- strip_priority: true
- };
-
- var saved_flags = null;
- var debug;
- var map_ecs;
- var map_rsa;
- var keep_raw;
- var device;
- var tz_offset;
- var strip_priority;
-
- // Register params from configuration.
- function register(params) {
- debug = params.debug !== undefined ? params.debug : defaults.debug;
- map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
- map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
- keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
- tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
- strip_priority = params.strip_priority !== undefined? 
params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); - } - - function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } - } - - function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); - } - - function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); - } - - function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; - } - - function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; - } - - function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; - } - - var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); - })(); - - function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; - } - - function match_copy(id, src, dst, on_success) { - dst = FIELDS_PREFIX + dst; - if (dst === FIELDS_PREFIX || dst === src) { - return function (evt) { - if (debug) { - console.debug("noop OK: " + id + " field:" + src); - console.debug(" input: <<" + evt.Get(src) + ">>"); - } - if (on_success != null) on_success(evt); - } - } - return function (evt) { - var msg = evt.Get(src); - evt.Put(dst, msg); - if (debug) { - console.debug("copy OK: " + id + " field:" + src); - console.debug(" target: '" + dst + "'"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null) on_success(evt); - } - } - - function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; - } - - function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; - } - - function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; - } - - function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; - } - - var start; - - function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); - } - - function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); - } - - function constant(value) { - return function (evt) { - return value; - }; - } - - function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; - } - - function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; - } - - // TODO: Implement - function DIRCHK(args) { - unimplemented("DIRCHK"); - } - - function strictToInt(str) { - return str * 1; - } - - function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - 
var result; - switch (args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; - } - - var quoteChars = "\"'`"; - function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; - } - - function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; - } - - function nop(evt) { - } - - function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); - } - - function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); - } - - function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; - } - - function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); - } - - function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; - } - - function setc(dst, value) { - return function (evt) { - 
evt.Put(FIELDS_PREFIX + dst, value); - }; - } - - function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; - } - - function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; - } - - function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; - } - - function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; - } - - // Make two-digit dates 00-69 interpreted as 2000-2069 - // and dates 70-99 translated to 1970-1999. - var twoDigitYearEpoch = 70; - var twoDigitYearCentury = 2000; - - // This is to accept dates up to 2 days in the future, only used when - // no year is specified in a date. 2 days should be enough to account for - // time differences between systems and different tz offsets. - var maxFutureDelta = 2*24*60*60*1000; - - // DateContainer stores date fields and then converts those fields into - // a Date. Necessary because building a Date using its set() methods gives - // different results depending on the order of components. - function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; - } - - DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } - } - - function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; - } - - function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; - } - - function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; - } - - var uA = 60 * 60 * 24; - var uD = 60 * 60 * 24; - var uF = 60 * 60; - var uG = 60 * 60 * 24 * 30; - var uH = 60 * 60; - var uI = 60 * 60; - var uJ = 60 * 60 * 24; - var uM = 60 * 60 * 24 * 30; - var uN = 60 * 60; - var uO = 1; - var uS = 1; - var uT = 60; - var uU = 60; - var uc = dc; - - function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; - } - - function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 
5], - "dec": [11, 4], - }; - - // var dC = undefined; - var dR = dateMonthName(true); - var dB = dateMonthName(false); - var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); - var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); - var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); - var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); - var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); - var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 - var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); - var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); - var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); - var dP = parseAMPM; // AM|PM - var dQ = parseAMPM; // A.M.|P.M - var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); - var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); - var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); - var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); - var dZ = parseHMS; - var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - - // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. - // Only works if this modifier appears after the hour has been read from logs - // which is always the case in the 300 devices. 
- function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; - } - - function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); - } - - function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; - } - - function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; - } - - function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; - } - - function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; - } - - function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; - } - - // Short month name (Jan..Dec). - function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; - } - - function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.debug(fn.name + " failed for '" + value + "'"); - } - }; - } - - // The following regular expression for parsing URLs from: - // https://github.com/wizard04wsu/URI_Parsing - // - // The MIT License (MIT) - // - // Copyright (c) 2014 Andrew Harrison - // - // Permission is hereby granted, free of charge, to any person obtaining a copy of - // this software and associated documentation files (the "Software"), to deal in - // the Software without restriction, including without limitation the rights to - // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of - // the Software, and to permit persons to whom the Software is furnished to do so, - // subject to the following conditions: - // - // The above copyright notice and this permission notice shall be included in all - // copies or substantial portions of the Software. - // - // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS - // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR - // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER - // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - - var uriScheme = 1; - var uriDomain = 5; - var uriPort = 6; - var uriPath = 7; - var uriPathAlt = 9; - var uriQuery = 11; - - function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); - } - - function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; - } - - function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; - } - - var extFromPage = /\.[^.]+$/; - function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } - } - - function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); - } - - function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); - } - - var pageFromPathRegExp = /\/([^\/]+)$/; - var pageName = 1; - - function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; - } - - function page(dst, src) { - return url_wrapper(dst, src, extract_page); - } - - function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; - } - - function path(dst, src) { - return url_wrapper(dst, src, extract_path); - } - - // Map common schemes to their default port. 
- // port has to be a string (will be converted at a later stage). - var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", - }; - - function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } - } - - function port(dst, src) { - return url_wrapper(dst, src, extract_port); - } - - function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; - } - - function query(dst, src) { - return url_wrapper(dst, src, extract_query); - } - - function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } - } - - function root(dst, src) { - return url_wrapper(dst, src, extract_root); - } - - function tagval(id, src, cfg, keys, on_success) { - var fail = function(evt) { - evt.Put(FLAG_FIELD, "tagval_parsing_error"); - } - if (cfg.kv_separator.length !== 1) { - throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); - } - var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
- cfg.open_quote.length + cfg.close_quote.length : 0; - var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); - return function(evt) { - var msg = evt.Get(src); - if (msg === undefined) { - console.warn("tagval: input field is missing"); - return fail(evt); - } - var pairs = msg.split(cfg.pair_separator); - var i; - var success = false; - var prev = ""; - for (i=0; i 0 && - value.length >= cfg.open_quote.length + cfg.close_quote.length && - value.substr(0, cfg.open_quote.length) === cfg.open_quote && - value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { - value = value.substr(cfg.open_quote.length, value.length - quotes_len); - } - evt.Put(FIELDS_PREFIX + field, value); - success = true; - } - if (!success) { - return fail(evt); - } - if (on_success != null) { - on_success(evt); - } - } - } - - var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, - 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
- "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "message", setter: fld_set}]},
- "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
- };
-
- var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, - }; - - function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } - } - - // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. - var maxSafeInt = Math.pow(2, 53) - 1; - var minSafeInt = -maxSafeInt; - - function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; - } - - function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); - } - - var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; - var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - - function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; - } - - function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; - } - - function to_double(value) { - return parseFloat(value); - } - - function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; - } - - function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; - } - - function fld_set(dst, value) { - dst[this.field] = { v: value }; - } - - function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } - } - - function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } - } - - var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true - }; - - function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } - } - - function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } - } - - function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); - } - - var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, - ]; - - function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - 
tzOffset = evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} n=%{fld2->} src=%{p0}"); - - var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); - - var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); - - var dup11 = date_time({ - dest: "event_time", - args: ["hdate","htime"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup12 = setc("eventcategory","1502010000"); - - var dup13 = setc("eventcategory","1502020000"); - - var dup14 = setc("eventcategory","1002010000"); - - var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); - - var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); - - var dup17 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); - - var dup18 = setf("hostip","hhostip"); - - var dup19 = setf("id","hid"); - - var dup20 = setf("serial_number","hserial_number"); - - var dup21 = setf("category","hcategory"); - - var dup22 = setf("severity","hseverity"); - - var dup23 = setc("eventcategory","1805010000"); - - var dup24 = call({ - dest: "nwparser.msg", - fn: RMQ, - args: [ - field("msg"), - ], - }); - - var dup25 = setc("eventcategory","1302000000"); - - var dup26 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var dup27 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); - - var dup28 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); - - var dup29 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); - - var dup30 = setc("eventcategory","1401050100"); - - var dup31 = setc("eventcategory","1401030000"); - - var dup32 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" 
n=%{fld->} src=%{p0}"); - - var dup33 = setc("eventcategory","1301020000"); - - var dup34 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); - - var dup35 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); - - var dup36 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); - - var dup37 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); - - var dup38 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); - - var dup39 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); - - var dup40 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); - - var dup41 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); - - var dup42 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); - - var dup43 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); - - var dup44 = date_time({ - dest: "event_time", - args: ["date","time"], - fmts: [ - [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], - ], - }); - - var dup45 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var dup46 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); - - var dup47 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); - - var dup48 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); - - var dup49 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); - - var dup50 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); - - var dup51 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); - - var dup52 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); - - var dup53 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); - - var 
dup54 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); - - var dup55 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); - - var dup56 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); - - var dup57 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - - var dup58 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); - - var dup59 = setc("ec_subject","NetworkComm"); - - var dup60 = setc("ec_activity","Deny"); - - var dup61 = setc("ec_theme","Communication"); - - var dup62 = setf("msg","$MSG"); - - var dup63 = setc("action","dropped"); - - var dup64 = setc("eventcategory","1608010000"); - - var dup65 = setc("eventcategory","1302010000"); - - var dup66 = setc("eventcategory","1301000000"); - - var dup67 = setc("eventcategory","1001000000"); - - var dup68 = setc("eventcategory","1003030000"); - - var dup69 = setc("eventcategory","1003050000"); - - var dup70 = setc("eventcategory","1103000000"); - - var dup71 = setc("eventcategory","1603110000"); - - var dup72 = setc("eventcategory","1605020000"); - - var dup73 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); - - var dup74 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); - - var dup75 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); - - var dup76 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); - - var dup77 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var dup78 = setc("eventcategory","1801000000"); - - var dup79 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); - - var dup80 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); - - var dup81 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} 
sent=%{sbytes}"); - - var dup82 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); - - var dup83 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} dst= %{p0}"); - - var dup84 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); - - var dup85 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); - - var dup86 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); - - var dup87 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - - var dup88 = setf("id","hfld1"); - - var dup89 = setc("eventcategory","1001020309"); - - var dup90 = setc("eventcategory","1303000000"); - - var dup91 = setc("eventcategory","1801010100"); - - var dup92 = setc("eventcategory","1604010000"); - - var dup93 = setc("eventcategory","1002020000"); - - var dup94 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); - - var dup95 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); - - var dup96 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); - - var dup97 = setc("eventcategory","1001010000"); - - var dup98 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); - - var dup99 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); - - var dup100 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); - - var dup101 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); - - var dup102 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); - - var dup103 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); - - var dup104 = match("MESSAGE#262:196/1_1", "nwparser.p0", 
"rcvd=%{rbytes->} cmd=%{p0}"); - - var dup105 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); - - var dup106 = setc("eventcategory","1401060000"); - - var dup107 = setc("eventcategory","1804000000"); - - var dup108 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); - - var dup109 = setc("eventcategory","1401070000"); - - var dup110 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); - - var dup111 = setc("eventcategory","1801030000"); - - var dup112 = setc("eventcategory","1402020300"); - - var dup113 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); - - var dup114 = match("MESSAGE#302:401/1_0", "nwparser.p0", "dstname=%{name}"); - - var dup115 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); - - var dup116 = setc("eventcategory","1402000000"); - - var dup117 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); - - var dup118 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); - - var dup119 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); - - var dup120 = setc("eventcategory","1803020000"); - - var dup121 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); - - var dup122 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); - - var dup123 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); - - var dup124 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); - - var dup125 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); - - var dup126 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); - - var dup127 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); - 
- var dup128 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); - - var dup129 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); - - var dup130 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); - - var dup131 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); - - var dup132 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); - - var dup133 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); - - var dup134 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var dup135 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); - - var dup136 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); - - var dup137 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); - - var dup138 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); - - var dup139 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); - - var dup140 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - - var dup141 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); - - var dup142 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); - - var dup143 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); - - var dup144 = setc("event_description","Connection Closed"); - - var dup145 = setc("eventcategory","1801020000"); - - var dup146 = setc("ec_activity","Permit"); - - var dup147 = setc("action","allowed"); - - var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); - - var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", 
"msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); - - var dup150 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); - - var dup151 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); - - var dup152 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); - - var dup153 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); - - var dup154 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); - - var dup155 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); - - var dup156 = setc("eventcategory","1001030500"); - - var dup157 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); - - var dup158 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); - - var dup159 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - - var dup160 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var dup161 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); - - var dup162 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); - - var dup163 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); - - var dup164 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); - - var dup165 = setc("eventcategory","1801010000"); - - var dup166 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); - - var dup167 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); - - var dup168 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); - - var dup169 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} 
%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var dup170 = setc("eventcategory","1003010000"); - - var dup171 = setc("eventcategory","1609000000"); - - var dup172 = setc("eventcategory","1204000000"); - - var dup173 = setc("eventcategory","1602000000"); - - var dup174 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); - - var dup175 = setc("eventcategory","1803000000"); - - var dup176 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var dup177 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); - - var dup178 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); - - var dup179 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); - - var dup180 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); - - var dup181 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); - - var dup182 = linear_select([ - dup8, - dup9, - ]); - - var dup183 = linear_select([ - dup15, - dup16, - ]); - - var dup184 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - ])); - - var dup185 = linear_select([ - dup26, - dup27, - ]); - - var dup186 = linear_select([ - dup28, - dup29, - ]); - - var dup187 = linear_select([ - dup35, - dup36, - ]); - - var dup188 = linear_select([ - dup37, - dup38, - ]); - - var dup189 = linear_select([ - dup39, - dup40, - ]); - - var dup190 = linear_select([ - dup26, - dup46, - ]); - - var dup191 = linear_select([ - dup48, - dup49, - ]); - - var dup192 = linear_select([ - dup52, - dup53, - ]); - - var dup193 = linear_select([ - dup55, - dup56, - ]); - - var dup194 = linear_select([ - dup57, - dup58, - ]); - - var dup195 = 
match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup70, - ])); - - var dup196 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup5, - ])); - - var dup197 = linear_select([ - dup75, - dup76, - ]); - - var dup198 = linear_select([ - dup83, - dup84, - ]); - - var dup199 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ - dup1, - ])); - - var dup200 = linear_select([ - dup94, - dup95, - ]); - - var dup201 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup5, - ])); - - var dup202 = linear_select([ - dup98, - dup99, - ]); - - var dup203 = linear_select([ - dup86, - dup102, - ]); - - var dup204 = linear_select([ - dup103, - dup104, - ]); - - var dup205 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup93, - ])); - - var dup206 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup93, - ])); - - var dup207 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup1, - ])); - - var dup208 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup1, - ])); - - var dup209 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} 
note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - ])); - - var dup210 = linear_select([ - dup114, - dup115, - ]); - - var dup211 = linear_select([ - dup117, - dup118, - ]); - - var dup212 = linear_select([ - dup43, - dup42, - ]); - - var dup213 = linear_select([ - dup8, - dup27, - ]); - - var dup214 = linear_select([ - dup8, - dup26, - dup46, - ]); - - var dup215 = linear_select([ - dup80, - dup15, - dup16, - ]); - - var dup216 = linear_select([ - dup124, - dup125, - dup126, - dup38, - ]); - - var dup217 = linear_select([ - dup127, - dup128, - ]); - - var dup218 = linear_select([ - dup129, - dup130, - ]); - - var dup219 = linear_select([ - dup135, - dup136, - dup137, - ]); - - var dup220 = linear_select([ - dup138, - dup56, - ]); - - var dup221 = linear_select([ - dup140, - dup141, - ]); - - var dup222 = linear_select([ - dup142, - dup143, - ]); - - var dup223 = linear_select([ - dup150, - dup151, - ]); - - var dup224 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup156, - ])); - - var dup225 = linear_select([ - dup158, - dup38, - ]); - - var dup226 = linear_select([ - dup160, - dup161, - ]); - - var dup227 = linear_select([ - dup162, - dup163, - ]); - - var dup228 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ - dup5, - ])); - - var dup229 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ - dup5, - ])); - - var dup230 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ - dup5, - dup24, - ])); - - var dup231 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} 
note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - ])); - - var dup232 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ - dup1, - dup24, - ])); - - var dup233 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup171, - dup44, - ])); - - var dup234 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ - dup1, - ])); - - var dup235 = linear_select([ - dup177, - dup178, - ]); - - var dup236 = linear_select([ - dup180, - dup181, - ]); - - var dup237 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var dup238 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var dup239 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup91, - ]), - }); - - var dup240 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var dup241 = all_match({ - processors: [ - dup101, - dup203, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var dup242 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup106, - ]), - }); - - var dup243 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var dup244 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var dup245 = all_match({ - processors: [ - dup108, - dup185, - dup187, - ], - on_success: processor_chain([ - dup109, - ]), - }); - - var dup246 = all_match({ - processors: [ - dup110, - dup185, - dup187, 
- ], - on_success: processor_chain([ - dup112, - ]), - }); - - var dup247 = all_match({ - processors: [ - dup113, - dup210, - ], - on_success: processor_chain([ - dup93, - ]), - }); - - var dup248 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup116, - ]), - }); - - var dup249 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup187, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var dup250 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var dup251 = all_match({ - processors: [ - dup157, - dup225, - dup159, - dup226, - dup227, - dup164, - ], - on_success: processor_chain([ - dup156, - dup59, - dup60, - dup61, - dup62, - dup44, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var dup252 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup202, - dup100, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var dup253 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ - setc("header_id","0001"), - ])); - - var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{p0}", processor_chain([ - setc("header_id","0002"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant("= "), - field("p0"), - ], - }), - ])); - - var hdr3 = match("HEADER#2:0003", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ - setc("header_id","0003"), 
- ])); - - var hdr4 = match("HEADER#3:0004", "message", "%{hfld20->} id=%{hfld1->} sn=%{hserial_number->} time=\"%{hdate->} %{htime}\" fw=%{hhostip->} pri=%{hseverity->} c=%{hcategory->} m=%{messageid->} %{payload}", processor_chain([ - setc("header_id","0004"), - ])); - - var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - ]); - - var part1 = match("MESSAGE#0:4", "nwparser.payload", "SonicWALL activated%{}", processor_chain([ - dup1, - ])); - - var msg1 = msg("4", part1); - - var part2 = match("MESSAGE#1:5", "nwparser.payload", "Log Cleared%{}", processor_chain([ - dup1, - ])); - - var msg2 = msg("5", part2); - - var part3 = match("MESSAGE#2:5:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - dup1, - ])); - - var msg3 = msg("5:01", part3); - - var select2 = linear_select([ - msg2, - msg3, - ]); - - var part4 = match("MESSAGE#3:6", "nwparser.payload", "Log successfully sent via email%{}", processor_chain([ - dup1, - ])); - - var msg4 = msg("6", part4); - - var part5 = match("MESSAGE#4:6:01", "nwparser.payload", "msg=\"Log successfully sent via email\" n=%{fld1}", processor_chain([ - dup1, - ])); - - var msg5 = msg("6:01", part5); - - var select3 = linear_select([ - msg4, - msg5, - ]); - - var part6 = match("MESSAGE#5:7", "nwparser.payload", "Log full; deactivating SonicWALL%{}", processor_chain([ - dup2, - ])); - - var msg6 = msg("7", part6); - - var part7 = match("MESSAGE#6:8", "nwparser.payload", "New Filter list loaded%{}", processor_chain([ - dup3, - ])); - - var msg7 = msg("8", part7); - - var part8 = match("MESSAGE#7:9", "nwparser.payload", "No new Filter list available%{}", processor_chain([ - dup4, - ])); - - var msg8 = msg("9", part8); - - var part9 = match("MESSAGE#8:10", "nwparser.payload", "Problem loading the Filter list; check Filter settings%{}", processor_chain([ - dup4, - ])); - - var msg9 = msg("10", part9); - - var part10 = match("MESSAGE#9:11", "nwparser.payload", "Problem loading the Filter list; check your 
DNS server%{}", processor_chain([ - dup4, - ])); - - var msg10 = msg("11", part10); - - var part11 = match("MESSAGE#10:12", "nwparser.payload", "Problem sending log email; check log settings%{}", processor_chain([ - dup5, - ])); - - var msg11 = msg("12", part11); - - var part12 = match("MESSAGE#11:12:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - dup5, - ])); - - var msg12 = msg("12:01", part12); - - var select4 = linear_select([ - msg11, - msg12, - ]); - - var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; dumping log to email%{}", processor_chain([ - dup1, - ])); - - var msg13 = msg("13", part13); - - var part14 = match("MESSAGE#13:14/0_0", "nwparser.payload", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode}"); - - var part15 = match("MESSAGE#13:14/0_1", "nwparser.payload", "Web site blocked%{}"); - - var select5 = linear_select([ - part14, - part15, - ]); - - var all1 = all_match({ - processors: [ - select5, - ], - on_success: processor_chain([ - dup6, - setc("action","Web site access denied"), - ]), - }); - - var msg14 = msg("14", all1); - - var part16 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} code= %{p0}"); - - var part17 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{dinterface->} code= %{p0}"); - - var select6 = linear_select([ - part16, - part17, - ]); - - var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{fld3->} Category=%{fld4->} npcs=%{info}"); - - var all2 = all_match({ - processors: [ - dup7, - dup182, - dup10, - select6, - part18, - ], - on_success: processor_chain([ - dup6, - ]), - }); - - var msg15 = msg("14:01", all2); - - var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, - ])); - - var msg16 = msg("14:02", part19); - - var part20 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, - ])); - - var msg17 = msg("14:03", part20); - - var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, - ])); - - var msg18 = msg("14:04", part21); - - var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup6, - dup11, - ])); - - var msg19 = msg("14:05", part22); - - var select7 = linear_select([ - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - ]); - - var part23 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ - dup12, - ])); - - var msg20 = msg("15", part23); - - var 
part24 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ - dup13, - ])); - - var msg21 = msg("16", part24); - - var part25 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ - dup13, - ])); - - var msg22 = msg("17", part25); - - var part26 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ - dup12, - ])); - - var msg23 = msg("18", part26); - - var part27 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ - dup12, - ])); - - var msg24 = msg("19", part27); - - var part28 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ - dup12, - ])); - - var msg25 = msg("20", part28); - - var part29 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ - dup1, - ])); - - var msg26 = msg("21", part29); - - var part30 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ - dup14, - ])); - - var msg27 = msg("22", part30); - - var part31 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ - dup14, - ])); - - var msg28 = msg("23", part31); - - var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var part33 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); - - var part34 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); - - var select8 = linear_select([ - part33, - part34, - ]); - - var part35 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{smacaddr}"); - - var all3 = all_match({ - processors: [ - part32, - dup183, - dup17, - select8, - part35, - ], - on_success: processor_chain([ - dup14, - ]), - }); - - var msg29 = msg("23:01", all3); - - var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: 
%{smacaddr}", processor_chain([ - dup14, - ])); - - var msg30 = msg("23:02", part36); - - var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); - - var part38 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac= %{p0}"); - - var part39 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{dinterface->} srcMac= %{p0}"); - - var select9 = linear_select([ - part38, - part39, - ]); - - var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); - - var all4 = all_match({ - processors: [ - part37, - select9, - part40, - ], - on_success: processor_chain([ - dup14, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg31 = msg("23:03", all4); - - var select10 = linear_select([ - msg28, - msg29, - msg30, - msg31, - ]); - - var part41 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ - dup23, - ])); - - var msg32 = msg("24", part41); - - var msg33 = msg("24:01", dup184); - - var select11 = linear_select([ - msg32, - msg33, - ]); - - var part42 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ - dup14, - ])); - - var msg34 = msg("25", part42); - - var part43 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ - dup14, - ])); - - var msg35 = msg("26", part43); - - var part44 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ - dup14, - ])); - - var msg36 = msg("27", part44); - - var part45 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ - dup14, - ])); - - var msg37 = msg("28", part45); - - var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} 
dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup14, - ])); - - var msg38 = msg("28:01", part46); - - var select12 = linear_select([ - msg37, - msg38, - ]); - - var part47 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ - dup25, - ])); - - var msg39 = msg("29", part47); - - var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); - - var all5 = all_match({ - processors: [ - part48, - dup185, - dup186, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var msg40 = msg("29:01", all5); - - var select13 = linear_select([ - msg39, - msg40, - ]); - - var part49 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ - dup31, - ])); - - var msg41 = msg("30", part49); - - var msg42 = msg("30:01", dup238); - - var select14 = linear_select([ - msg41, - msg42, - ]); - - var part50 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ - dup25, - ])); - - var msg43 = msg("31", part50); - - var all6 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup25, - ]), - }); - - var msg44 = msg("31:01", all6); - - var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup11, - ])); - - var msg45 = msg("31:02", part51); - - var part52 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup11, - ])); - - var 
msg46 = msg("31:03", part52); - - var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup25, - dup11, - ])); - - var msg47 = msg("31:04", part53); - - var select15 = linear_select([ - msg43, - msg44, - msg45, - msg46, - msg47, - ]); - - var part54 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ - dup31, - ])); - - var msg48 = msg("32", part54); - - var msg49 = msg("32:01", dup238); - - var select16 = linear_select([ - msg48, - msg49, - ]); - - var part55 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ - dup33, - ])); - - var msg50 = msg("33", part55); - - var all7 = all_match({ - processors: [ - dup34, - dup185, - dup186, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var msg51 = msg("33:01", all7); - - var select17 = linear_select([ - msg50, - msg51, - ]); - - var part56 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ - dup5, - ])); - - var msg52 = msg("34", part56); - - var part57 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ - setc("eventcategory","1401040000"), - ])); - - var msg53 = msg("35", part57); - - var all8 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1401050200"), - ]), - }); - - var msg54 = msg("35:01", all8); - - var select18 = linear_select([ - msg53, - msg54, - ]); - - var part58 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ - dup5, - ])); - - var msg55 = msg("36", part58); - - var part59 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); - - 
var part60 = match("MESSAGE#54:36:01/2", "nwparser.p0", "%{fld1->} src= %{p0}"); - - var part61 = match("MESSAGE#54:36:01/7_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); - - var select19 = linear_select([ - part61, - dup42, - dup43, - ]); - - var all9 = all_match({ - processors: [ - part59, - dup188, - part60, - dup189, - dup41, - dup183, - dup17, - select19, - ], - on_success: processor_chain([ - dup5, - dup44, - ]), - }); - - var msg56 = msg("36:01", all9); - - var part62 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} npcs=%{p0}"); - - var part63 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} npcs=%{p0}"); - - var select20 = linear_select([ - part62, - part63, - ]); - - var all10 = all_match({ - processors: [ - dup45, - dup190, - dup17, - dup183, - dup17, - select20, - dup47, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg57 = msg("36:02", all10); - - var select21 = linear_select([ - msg55, - msg56, - msg57, - ]); - - var part64 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg58 = msg("37", part64); - - var part65 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); - - var part66 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); - - var part67 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}proto=%{protocol->} fw_action=\"%{fld3}\""); - - var part68 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport}rule=%{rule}"); - - var select22 = linear_select([ - part67, - part68, - ]); - - var all11 = all_match({ - processors: [ - part65, - dup188, - part66, - select22, - ], - on_success: processor_chain([ - dup5, - dup44, - ]), - }); - - var msg59 = msg("37:01", all11); - - var part69 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} 
dst=%{daddr->} rule=%{rule}", processor_chain([ - dup5, - ])); - - var msg60 = msg("37:02", part69); - - var all12 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup191, - dup50, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg61 = msg("37:03", all12); - - var part70 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup5, - dup11, - ])); - - var msg62 = msg("37:04", part70); - - var select23 = linear_select([ - msg58, - msg59, - msg60, - msg61, - msg62, - ]); - - var part71 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg63 = msg("38", part71); - - var part72 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code}"); - - var select24 = linear_select([ - part72, - dup42, - ]); - - var all13 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup183, - dup17, - select24, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg64 = msg("38:01", all13); - - var part73 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{fld3->} icmpCode=%{fld4->} npcs=%{info}"); - - var all14 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup192, - part73, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg65 = msg("38:02", all14); - - var part74 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - - var part75 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); - - var all15 = all_match({ - processors: [ - dup54, - dup193, - part74, - dup194, - part75, - ], - on_success: processor_chain([ - dup5, - dup11, - 
dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg66 = msg("38:03", all15); - - var select25 = linear_select([ - msg63, - msg64, - msg65, - msg66, - ]); - - var part76 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg67 = msg("39", part76); - - var part77 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg68 = msg("40", part77); - - var part78 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg69 = msg("41:01", part78); - - var part79 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ - dup5, - ])); - - var msg70 = msg("41:02", part79); - - var part80 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ - dup5, - ])); - - var msg71 = msg("41:03", part80); - - var select26 = linear_select([ - msg69, - msg70, - msg71, - ]); - - var part81 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ - dup5, - ])); - - var msg72 = msg("42", part81); - - var part82 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ - dup5, - ])); - - var msg73 = msg("43", part82); - - var part83 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ - dup5, - ])); - - var msg74 = msg("44", part83); - - var part84 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ 
- dup5, - ])); - - var msg75 = msg("45", part84); - - var part85 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup5, - ])); - - var msg76 = msg("45:01", part85); - - var part86 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ - dup5, - ])); - - var msg77 = msg("45:02", part86); - - var select27 = linear_select([ - msg75, - msg76, - msg77, - ]); - - var part87 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg78 = msg("46:01", part87); - - var part88 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup5, - ])); - - var msg79 = msg("46:02", part88); - - var part89 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg80 = msg("46", part89); - - var part90 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var all16 = all_match({ - processors: [ - part90, - dup182, - dup10, - dup191, - dup50, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg81 = msg("46:03", all16); - - var select28 = linear_select([ - msg78, - msg79, - msg80, - msg81, - ]); - - var part91 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ - dup5, - ])); - - var msg82 = msg("47", part91); - - var part92 = match("MESSAGE#81:48", "nwparser.payload", 
"Out-of-order command packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg83 = msg("48", part92); - - var part93 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ - dup5, - ])); - - var msg84 = msg("49", part93); - - var part94 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ - dup5, - ])); - - var msg85 = msg("50", part94); - - var part95 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ - dup5, - ])); - - var msg86 = msg("51", part95); - - var part96 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ - dup5, - ])); - - var msg87 = msg("52", part96); - - var part97 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ - dup2, - ])); - - var msg88 = msg("53", part97); - - var part98 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ - dup64, - ])); - - var msg89 = msg("58", part98); - - var part99 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ - dup12, - ])); - - var msg90 = msg("60", part99); - - var part100 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ - dup1, - ])); - - var msg91 = msg("61", part100); - - var part101 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ - dup65, - ])); - - var msg92 = msg("62", part101); - - var part102 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ - dup66, - ])); - - var msg93 = msg("63", part102); - - var part103 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup66, - ])); - - var msg94 
= msg("63:01", part103); - - var select29 = linear_select([ - msg93, - msg94, - ]); - - var part104 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ - dup1, - ])); - - var msg95 = msg("64", part104); - - var part105 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ - dup66, - ])); - - var msg96 = msg("65", part105); - - var part106 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ - dup66, - ])); - - var msg97 = msg("66", part106); - - var part107 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ - dup66, - ])); - - var msg98 = msg("67", part107); - - var all17 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup66, - ]), - }); - - var msg99 = msg("67:01", all17); - - var select30 = linear_select([ - msg98, - msg99, - ]); - - var part108 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ - dup66, - ])); - - var msg100 = msg("68", part108); - - var part109 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ - dup66, - ])); - - var msg101 = msg("69", part109); - - var part110 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ - dup66, - ])); - - var msg102 = msg("70", part110); - - var part111 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst%{p0}"); - - var part112 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "=%{daddr}"); - - var part113 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", "name=%{name}"); - - var select31 = linear_select([ - part112, - part113, - ]); - - var all18 = all_match({ - processors: [ - part111, - select31, - ], - on_success: processor_chain([ - dup66, - ]), - }); - - var msg103 = msg("70:01", all18); - - var select32 = linear_select([ - 
msg102, - msg103, - ]); - - var part114 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg104 = msg("72", part114); - - var part115 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup67, - ])); - - var msg105 = msg("72:01", part115); - - var select33 = linear_select([ - msg104, - msg105, - ]); - - var part116 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ - dup68, - ])); - - var msg106 = msg("73", part116); - - var part117 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ - dup69, - ])); - - var msg107 = msg("74", part117); - - var part118 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ - dup68, - ])); - - var msg108 = msg("75", part118); - - var part119 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg109 = msg("76", part119); - - var part120 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg110 = msg("77", part120); - - var part121 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ - dup69, - ])); - - var msg111 = msg("78", part121); - - var part122 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg112 = msg("79", part122); - - var part123 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ - dup67, - ])); - - var msg113 = msg("80", part123); - - var part124 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ - dup14, - ])); - - var msg114 = msg("81", part124); - - var part125 = 
match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ - dup70, - ])); - - var msg115 = msg("82", part125); - - var part126 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ - dup70, - ])); - - var msg116 = msg("82:02", part126); - - var part127 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ - dup70, - ])); - - var msg117 = msg("82:03", part127); - - var msg118 = msg("82:01", dup195); - - var select34 = linear_select([ - msg115, - msg116, - msg117, - msg118, - ]); - - var part128 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ - dup70, - ])); - - var msg119 = msg("83", part128); - - var msg120 = msg("83:01", dup196); - - var part129 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ - dup5, - ])); - - var msg121 = msg("83:02", part129); - - var select35 = linear_select([ - msg119, - msg120, - msg121, - ]); - - var part130 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); - - var part131 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); - - var select36 = linear_select([ - part130, - part131, - ]); - - var all19 = all_match({ - processors: [ - select36, - ], - on_success: processor_chain([ - dup71, - setc("action","Failed to resolve name"), - ]), - }); - - var msg122 = msg("84", all19); - - var part132 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ - dup72, - ])); - - var 
msg123 = msg("87", part132); - - var part133 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup72, - ])); - - var msg124 = msg("87:01", part133); - - var select37 = linear_select([ - msg123, - msg124, - ]); - - var part134 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ - dup66, - ])); - - var msg125 = msg("88", part134); - - var part135 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup66, - ])); - - var msg126 = msg("88:01", part135); - - var select38 = linear_select([ - msg125, - msg126, - ]); - - var part136 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. Adding IPSec SA%{}", processor_chain([ - dup72, - ])); - - var msg127 = msg("89", part136); - - var part137 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface}"); - - var part138 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} dstname=%{name}"); - - var select39 = linear_select([ - part137, - part138, - ]); - - var all20 = all_match({ - processors: [ - dup73, - select39, - ], - on_success: processor_chain([ - dup72, - ]), - }); - - var msg128 = msg("89:01", all20); - - var select40 = linear_select([ - msg127, - msg128, - ]); - - var part139 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ - dup72, - ])); - - var msg129 = msg("90", part139); - - var part140 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ - dup72, - ])); - - var msg130 = msg("91", part140); - - var part141 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ - dup72, - ])); - - var msg131 = msg("92", part141); - - var part142 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic 
Code A%{}", processor_chain([ - dup1, - ])); - - var msg132 = msg("93", part142); - - var part143 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ - dup1, - ])); - - var msg133 = msg("94", part143); - - var part144 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ - dup1, - ])); - - var msg134 = msg("95", part144); - - var part145 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ - dup1, - ])); - - var msg135 = msg("96", part145); - - var part146 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ - dup1, - ])); - - var msg136 = msg("97", part146); - - var part147 = match("MESSAGE#135:97:01/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} %{p0}"); - - var part148 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); - - var part149 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); - - var select41 = linear_select([ - part148, - part149, - ]); - - var part150 = match_copy("MESSAGE#135:97:01/7", "nwparser.p0", "name"); - - var all21 = all_match({ - processors: [ - dup74, - dup189, - dup41, - dup183, - part147, - select41, - dup197, - part150, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg137 = msg("97:01", all21); - - var part151 = match("MESSAGE#136:97:02/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} result=%{result}"); - - var all22 = all_match({ - processors: [ - dup74, - dup189, - dup41, - dup183, - part151, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg138 = msg("97:02", all22); - - var part152 = match("MESSAGE#137:97:03/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); - - var part153 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{} %{name}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); - - var all23 = all_match({ - processors: [ - dup77, - dup189, - dup41, - 
dup183, - part152, - dup197, - part153, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg139 = msg("97:03", all23); - - var part154 = match("MESSAGE#138:97:04/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} %{p0}"); - - var part155 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{}arg= %{name}%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); - - var all24 = all_match({ - processors: [ - dup77, - dup189, - dup41, - dup183, - part154, - dup197, - part155, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg140 = msg("97:04", all24); - - var part156 = match("MESSAGE#139:97:05/4", "nwparser.p0", "proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); - - var all25 = all_match({ - processors: [ - dup74, - dup189, - dup41, - dup183, - part156, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg141 = msg("97:05", all25); - - var part157 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{p0}"); - - var part158 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{sinterface}:%{shost}dst=%{p0}"); - - var part159 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{sinterface}dst=%{p0}"); - - var select42 = linear_select([ - part158, - part159, - ]); - - var part160 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); - - var all26 = all_match({ - processors: [ - part157, - select42, - part160, - ], - on_success: processor_chain([ - dup78, - dup11, - ]), - }); - - var msg142 = msg("97:06", all26); - - var part161 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{p0}"); - - var part162 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{dinterface}:%{fld3->} srcMac=%{p0}"); - - var select43 = linear_select([ - part162, - dup79, - ]); - - var part163 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); - - var all27 = all_match({ - processors: [ - part161, - select43, - part163, - ], - on_success: processor_chain([ - dup78, - dup11, - ]), - }); - - var msg143 = msg("97:07", all27); - - var part164 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, - ])); - - var msg144 = msg("97:08", part164); - - var part165 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, - ])); - - var msg145 = msg("97:09", part165); - - var part166 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, - ])); - - var msg146 = 
msg("97:10", part166); - - var select44 = linear_select([ - msg136, - msg137, - msg138, - msg139, - msg140, - msg141, - msg142, - msg143, - msg144, - msg145, - msg146, - ]); - - var part167 = match("MESSAGE#145:98/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{p0}"); - - var part168 = match("MESSAGE#145:98/3_0", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); - - var part169 = match("MESSAGE#145:98/3_1", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes}"); - - var part170 = match("MESSAGE#145:98/3_2", "nwparser.p0", "%{dinterface} %{protocol}"); - - var select45 = linear_select([ - part168, - part169, - part170, - ]); - - var all28 = all_match({ - processors: [ - dup54, - dup193, - part167, - select45, - ], - on_success: processor_chain([ - dup78, - dup59, - setc("ec_activity","Stop"), - dup61, - dup62, - dup11, - setc("action","Opened"), - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg147 = msg("98", all28); - - var part171 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg148 = msg("98:07", part171); - - var part172 = match("MESSAGE#147:98:01/0", "nwparser.payload", "msg=\"%{msg}\"%{p0}"); - - var part173 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", " app=%{fld2->} sess=\"%{fld3}\"%{p0}"); - - var select46 = linear_select([ - part173, - dup56, - ]); - - var part174 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); - - var part175 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); - - var part176 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); - 
- var select47 = linear_select([ - part175, - part176, - ]); - - var part177 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); - - var part178 = match("MESSAGE#147:98:01/4_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); - - var part179 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); - - var select48 = linear_select([ - part177, - part178, - part179, - ]); - - var part180 = match("MESSAGE#147:98:01/5", "nwparser.p0", "%{} %{p0}"); - - var part181 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); - - var part182 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", "%{daddr->} %{p0}"); - - var select49 = linear_select([ - dup80, - part181, - part182, - ]); - - var part183 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); - - var part184 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes}"); - - var part185 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); - - var part186 = match("MESSAGE#147:98:01/7_3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); - - var select50 = linear_select([ - part183, - part184, - part185, - part186, - dup81, - dup43, - ]); - - var all29 = all_match({ - processors: [ - part172, - select46, - part174, - select47, - select48, - part180, - select49, - select50, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg149 = msg("98:01", all29); - - var part187 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "app=%{fld2->} appName=\"%{application}\" n=%{p0}"); - - var part188 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", "app=%{fld2->} n=%{p0}"); - - var part189 = match("MESSAGE#148:98:06/1_2", "nwparser.p0", "sess=%{fld2->} n=%{p0}"); - - var select51 = 
linear_select([ - part187, - part188, - part189, - ]); - - var part190 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{fld1->} %{p0}"); - - var part191 = match("MESSAGE#148:98:06/3_0", "nwparser.p0", "usr=%{username->} %{p0}"); - - var select52 = linear_select([ - part191, - dup56, - ]); - - var part192 = match("MESSAGE#148:98:06/4", "nwparser.p0", "src= %{saddr}:%{sport}:%{p0}"); - - var part193 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var part194 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var part195 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var select53 = linear_select([ - part193, - part194, - dup85, - part195, - ]); - - var part196 = match("MESSAGE#148:98:06/8", "nwparser.p0", "%{protocol->} %{p0}"); - - var part197 = match("MESSAGE#148:98:06/9_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); - - var part198 = match("MESSAGE#148:98:06/9_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); - - var part199 = match("MESSAGE#148:98:06/9_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); - - var part200 = match("MESSAGE#148:98:06/9_4", "nwparser.p0", "fw_action=\"%{action}\""); - - var select54 = linear_select([ - part197, - part198, - part199, - dup86, - part200, - ]); - - var all30 = all_match({ - processors: [ - dup82, - select51, - part190, - select52, - part192, - dup198, - dup17, - select53, - part196, - select54, - ], - on_success: processor_chain([ - dup78, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg150 = msg("98:06", all30); - - var part201 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); - - var all31 = all_match({ - processors: [ - part201, - 
dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg151 = msg("98:02", all31); - - var part202 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection%{}"); - - var part203 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}"); - - var select55 = linear_select([ - part202, - part203, - ]); - - var all32 = all_match({ - processors: [ - select55, - ], - on_success: processor_chain([ - dup1, - dup44, - ]), - }); - - var msg152 = msg("98:03", all32); - - var part204 = match("MESSAGE#151:98:04/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); - - var all33 = all_match({ - processors: [ - dup7, - dup185, - dup183, - part204, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg153 = msg("98:04", all33); - - var part205 = match("MESSAGE#152:98:05/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); - - var all34 = all_match({ - processors: [ - dup7, - dup185, - dup183, - part205, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg154 = msg("98:05", all34); - - var select56 = linear_select([ - msg147, - msg148, - msg149, - msg150, - msg151, - msg152, - msg153, - msg154, - ]); - - var part206 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup31, - dup11, - ])); - - var msg155 = msg("986", part206); - - var part207 = match("MESSAGE#154:427/3", "nwparser.p0", "note=\"%{event_description}\""); - - var all35 = all_match({ - processors: [ - dup73, - dup185, - dup183, - part207, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg156 = msg("427", all35); - - var part208 = match("MESSAGE#155:428/2", 
"nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); - - var all36 = all_match({ - processors: [ - dup87, - dup194, - part208, - ], - on_success: processor_chain([ - dup23, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg157 = msg("428", all36); - - var part209 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ - dup72, - ])); - - var msg158 = msg("99", part209); - - var part210 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ - dup72, - ])); - - var msg159 = msg("100", part210); - - var part211 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ - dup72, - ])); - - var msg160 = msg("101", part211); - - var part212 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ - dup72, - ])); - - var msg161 = msg("102", part212); - - var part213 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ - dup72, - ])); - - var msg162 = msg("103", part213); - - var part214 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ - dup72, - ])); - - var msg163 = msg("104", part214); - - var part215 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ - dup72, - ])); - - var msg164 = msg("105", part215); - - var part216 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ - dup71, - ])); - - var msg165 = msg("106", part216); - - var part217 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. 
Selecting.%{}", processor_chain([ - dup72, - ])); - - var msg166 = msg("107", part217); - - var part218 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ - dup72, - ])); - - var msg167 = msg("108", part218); - - var part219 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ - dup71, - ])); - - var msg168 = msg("109", part219); - - var part220 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ - dup72, - ])); - - var msg169 = msg("110", part220); - - var msg170 = msg("111:01", dup199); - - var part221 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ - dup72, - ])); - - var msg171 = msg("111", part221); - - var select57 = linear_select([ - msg170, - msg171, - ]); - - var part222 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ - dup72, - ])); - - var msg172 = msg("112", part222); - - var part223 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ - dup72, - ])); - - var msg173 = msg("113", part223); - - var part224 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ - dup72, - ])); - - var msg174 = msg("114", part224); - - var msg175 = msg("115:01", dup199); - - var part225 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ - dup72, - ])); - - var msg176 = msg("115", part225); - - var select58 = linear_select([ - msg175, - msg176, - ]); - - var part226 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ - dup72, - ])); - - var msg177 = msg("116", part226); - - var part227 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST 
(Rebooting).%{}", processor_chain([ - dup72, - ])); - - var msg178 = msg("117", part227); - - var part228 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ - dup72, - ])); - - var msg179 = msg("118", part228); - - var part229 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ - dup71, - ])); - - var msg180 = msg("119", part229); - - var part230 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ - dup71, - ])); - - var msg181 = msg("120", part230); - - var part231 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ - dup72, - ])); - - var msg182 = msg("121", part231); - - var part232 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ - dup71, - ])); - - var msg183 = msg("122", part232); - - var part233 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ - dup71, - ])); - - var msg184 = msg("123", part233); - - var part234 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ - dup72, - ])); - - var msg185 = msg("124", part234); - - var part235 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ - dup72, - ])); - - var msg186 = msg("125", part235); - - var part236 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup89, - dup11, - ])); - - var msg187 = msg("1254", part236); - - 
var part237 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg188 = msg("1256", part237); - - var part238 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup89, - dup11, - ])); - - var msg189 = msg("1257", part238); - - var part239 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ - dup72, - ])); - - var msg190 = msg("126", part239); - - var part240 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ - dup72, - ])); - - var msg191 = msg("127", part240); - - var part241 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ - dup5, - ])); - - var msg192 = msg("128", part241); - - var part242 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ - dup5, - ])); - - var msg193 = msg("129", part242); - - var part243 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ - dup1, - ])); - - var msg194 = msg("130", part243); - - var part244 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ - dup1, - ])); - - var msg195 = msg("131", part244); - - var part245 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", 
processor_chain([ - dup1, - ])); - - var msg196 = msg("132", part245); - - var part246 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ - dup1, - ])); - - var msg197 = msg("133", part246); - - var part247 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ - dup1, - ])); - - var msg198 = msg("134", part247); - - var part248 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ - dup90, - ])); - - var msg199 = msg("135", part248); - - var part249 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ - dup90, - ])); - - var msg200 = msg("136", part249); - - var part250 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ - dup3, - ])); - - var msg201 = msg("137", part250); - - var part251 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ - dup3, - ])); - - var msg202 = msg("138", part251); - - var part252 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ - dup5, - ])); - - var msg203 = msg("139", part252); - - var all37 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1801020100"), - ]), - }); - - var msg204 = msg("139:01", all37); - - var select59 = linear_select([ - msg203, - msg204, - ]); - - var msg205 = msg("140", dup239); - - var msg206 = msg("141", dup239); - - var part253 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ - dup1, - ])); - - var msg207 = msg("142", part253); - - var part254 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ - dup1, - ])); - - var msg208 = msg("143", part254); - - var part255 = match("MESSAGE#207:1431", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup78, - dup11, - ])); - - var msg209 = msg("1431", part255); - - var part256 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ - dup1, - ])); - - var msg210 = msg("144", part256); - - var part257 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ - dup1, - ])); - - var msg211 = msg("145", part257); - - var part258 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ - dup92, - ])); - - var msg212 = msg("146", part258); - - var part259 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ - dup92, - ])); - - var msg213 = msg("147", part259); - - var part260 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ - dup1, - ])); - - var msg214 = msg("148", part260); - - var part261 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - setc("eventcategory","1204010000"), - dup11, - ])); - - var msg215 = msg("1480", part261); - - var part262 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ - dup1, - ])); - - var msg216 = msg("149", part262); - - var part263 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ - dup1, - ])); - - var msg217 = msg("150", part263); - - var part264 = match("MESSAGE#216:151", "nwparser.payload", 
"Primary firewall preempting Backup%{}", processor_chain([ - dup1, - ])); - - var msg218 = msg("151", part264); - - var part265 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ - dup1, - ])); - - var msg219 = msg("152", part265); - - var part266 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ - setc("eventcategory","1603010000"), - ])); - - var msg220 = msg("153", part266); - - var part267 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ - dup64, - ])); - - var msg221 = msg("154", part267); - - var part268 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ - dup92, - ])); - - var msg222 = msg("155", part268); - - var part269 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ - dup92, - ])); - - var msg223 = msg("156", part269); - - var part270 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ - dup1, - ])); - - var msg224 = msg("157:01", part270); - - var part271 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ - dup5, - ])); - - var msg225 = msg("157", part271); - - var select60 = linear_select([ - msg224, - msg225, - ]); - - var part272 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ - dup92, - ])); - - var msg226 = msg("158", part272); - - var part273 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ - dup5, - ])); - - var msg227 = msg("159", part273); - - var part274 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ - 
setc("eventcategory","1203000000"), - ])); - - var msg228 = msg("160", part274); - - var part275 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ - dup65, - ])); - - var msg229 = msg("161", part275); - - var part276 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ - dup33, - ])); - - var msg230 = msg("162", part276); - - var part277 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ - dup5, - ])); - - var msg231 = msg("163", part277); - - var part278 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ - dup5, - ])); - - var msg232 = msg("164", part278); - - var part279 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ - dup1, - ])); - - var msg233 = msg("165", part279); - - var part280 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ - dup12, - ])); - - var msg234 = msg("166", part280); - - var part281 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ - dup12, - ])); - - var msg235 = msg("167", part281); - - var part282 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ - dup12, - ])); - - var msg236 = msg("168", part282); - - var part283 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ - dup1, - ])); - - var msg237 = msg("169", part283); - - var part284 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ - dup1, - ])); - - var msg238 = msg("170", part284); - - var part285 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", 
processor_chain([ - dup70, - ])); - - var msg239 = msg("171", part285); - - var part286 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup93, - ])); - - var msg240 = msg("171:01", part286); - - var part287 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ - dup93, - ])); - - var msg241 = msg("171:02", part287); - - var part288 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); - - var all38 = all_match({ - processors: [ - part288, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup93, - ]), - }); - - var msg242 = msg("171:03", all38); - - var select61 = linear_select([ - msg239, - msg240, - msg241, - msg242, - ]); - - var part289 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ - dup70, - ])); - - var msg243 = msg("172", part289); - - var part290 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - dup70, - ])); - - var msg244 = msg("172:01", part290); - - var select62 = linear_select([ - msg243, - msg244, - ]); - - var part291 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ - dup70, - ])); - - var msg245 = msg("173", part291); - - var part292 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ - dup67, - ])); - - var msg246 = msg("174", part292); - - var all39 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var msg247 = msg("174:01", all39); - - var all40 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup187, - ], - on_success: processor_chain([ - dup12, - ]), - }); - - var msg248 = msg("174:02", all40); - - var 
all41 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup191, - dup50, - ], - on_success: processor_chain([ - dup12, - ]), - }); - - var msg249 = msg("174:03", all41); - - var select63 = linear_select([ - msg246, - msg247, - msg248, - msg249, - ]); - - var part293 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ - dup67, - ])); - - var msg250 = msg("175", part293); - - var part294 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ - dup67, - ])); - - var msg251 = msg("175:01", part294); - - var part295 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ - dup67, - ])); - - var msg252 = msg("175:02", part295); - - var select64 = linear_select([ - msg250, - msg251, - msg252, - ]); - - var part296 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ - dup93, - ])); - - var msg253 = msg("176", part296); - - var msg254 = msg("177", dup196); - - var msg255 = msg("178", dup201); - - var msg256 = msg("179", dup196); - - var all42 = all_match({ - processors: [ - dup34, - dup185, - dup187, - ], - on_success: processor_chain([ - dup97, - ]), - }); - - var msg257 = msg("180", all42); - - var all43 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup202, - dup100, - ], - on_success: processor_chain([ - dup97, - ]), - }); - - var msg258 = msg("180:01", all43); - - var select65 = linear_select([ - msg257, - msg258, - ]); - - var msg259 = msg("181", dup195); - - var all44 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup70, - ]), - }); - - var msg260 = msg("181:01", all44); - - var select66 = linear_select([ - msg259, - msg260, - ]); - - var 
msg261 = msg("193", dup240); - - var msg262 = msg("194", dup241); - - var msg263 = msg("195", dup241); - - var part297 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); - - var all45 = all_match({ - processors: [ - part297, - dup204, - dup105, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg264 = msg("196", all45); - - var all46 = all_match({ - processors: [ - dup101, - dup204, - dup105, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg265 = msg("196:01", all46); - - var select67 = linear_select([ - msg264, - msg265, - ]); - - var msg266 = msg("199", dup242); - - var msg267 = msg("200", dup243); - - var part298 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup30, - ])); - - var msg268 = msg("235:02", part298); - - var part299 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); - - var all47 = all_match({ - processors: [ - part299, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var msg269 = msg("235", all47); - - var msg270 = msg("235:01", dup244); - - var select68 = linear_select([ - msg268, - msg269, - msg270, - ]); - - var msg271 = msg("236", dup244); - - var msg272 = msg("237", dup242); - - var msg273 = msg("238", dup242); - - var part300 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ - dup107, - ])); - - var msg274 = msg("239", part300); - - var part301 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ - dup107, - ])); - - var msg275 = msg("240", part301); - - var part302 = 
match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup78, - ])); - - var msg276 = msg("241", part302); - - var part303 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup78, - ])); - - var msg277 = msg("241:01", part303); - - var select69 = linear_select([ - msg276, - msg277, - ]); - - var part304 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); - - var part305 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); - - var select70 = linear_select([ - part304, - part305, - dup40, - ]); - - var part306 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}::"); - - var part307 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport}"); - - var select71 = linear_select([ - part306, - part307, - dup36, - ]); - - var all48 = all_match({ - processors: [ - dup51, - select70, - dup41, - select71, - ], - on_success: processor_chain([ - dup78, - ]), - }); - - var msg278 = msg("242", all48); - - var msg279 = msg("252", dup205); - - var msg280 = msg("255", dup205); - - var msg281 = msg("257", dup205); - - var msg282 = msg("261:01", dup245); - - var msg283 = msg("261", dup205); - - var select72 = linear_select([ - msg282, - msg283, - ]); - - var msg284 = msg("262", dup245); - - var all49 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg285 = msg("273", all49); - - var msg286 = msg("328", dup246); - - var msg287 = msg("329", dup243); - - var msg288 = msg("346", dup205); - - var msg289 = msg("350", dup205); - - var msg290 = msg("351", dup205); - - var msg291 = msg("352", dup205); - - var msg292 = msg("353:01", dup201); - - var part308 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} 
dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ - dup5, - ])); - - var msg293 = msg("353", part308); - - var select73 = linear_select([ - msg292, - msg293, - ]); - - var part309 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ - dup1, - ])); - - var msg294 = msg("354", part309); - - var msg295 = msg("355", dup206); - - var msg296 = msg("355:01", dup205); - - var select74 = linear_select([ - msg295, - msg296, - ]); - - var msg297 = msg("356", dup207); - - var part310 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ - dup93, - ])); - - var msg298 = msg("357", part310); - - var part311 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup93, - ])); - - var msg299 = msg("357:01", part311); - - var select75 = linear_select([ - msg298, - msg299, - ]); - - var msg300 = msg("358", dup208); - - var part312 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ - setc("eventcategory","1503000000"), - ])); - - var msg301 = msg("371", part312); - - var msg302 = msg("371:01", dup209); - - var select76 = linear_select([ - msg301, - msg302, - ]); - - var msg303 = msg("372", dup205); - - var msg304 = msg("373", dup207); - - var msg305 = msg("401", dup247); - - var msg306 = msg("402", dup247); - - var msg307 = msg("406", dup208); - - var part313 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup1, - ])); - - var msg308 = msg("413", part313); - - var msg309 = msg("414", dup205); - - var msg310 = msg("438", dup248); 
- - var msg311 = msg("439", dup248); - - var all50 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1501020000"), - ]), - }); - - var msg312 = msg("440", all50); - - var all51 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1502050000"), - ]), - }); - - var msg313 = msg("441", all51); - - var part314 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - setc("eventcategory","1001020000"), - ])); - - var msg314 = msg("441:01", part314); - - var select77 = linear_select([ - msg313, - msg314, - ]); - - var all52 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1501030000"), - ]), - }); - - var msg315 = msg("442", all52); - - var part315 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); - - var part316 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); - - var part317 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); - - var select78 = linear_select([ - part316, - part317, - ]); - - var part318 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var all53 = all_match({ - processors: [ - part315, - select78, - part318, - dup211, - dup119, - ], - on_success: processor_chain([ - dup67, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg316 = msg("446", all53); - - var part319 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ - dup120, - dup59, - 
dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg317 = msg("477", part319); - - var all54 = all_match({ - processors: [ - dup73, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var msg318 = msg("509", all54); - - var all55 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup109, - ]), - }); - - var msg319 = msg("520", all55); - - var msg320 = msg("522", dup249); - - var part320 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); - - var part321 = match("MESSAGE#318:522:01/2", "nwparser.p0", "dstV6=%{daddr_v6->} dst= %{p0}"); - - var all56 = all_match({ - processors: [ - part320, - dup189, - part321, - dup183, - dup121, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg321 = msg("522:01", all56); - - var part322 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); - - var select79 = linear_select([ - part322, - dup46, - ]); - - var all57 = all_match({ - processors: [ - dup45, - select79, - dup17, - dup183, - dup121, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg322 = msg("522:02", all57); - - var select80 = linear_select([ - msg320, - msg321, - msg322, - ]); - - var msg323 = msg("523", dup249); - - var all58 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup17, - dup212, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg324 = msg("524", all58); - - var part323 = match("MESSAGE#322:524:01/4_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); - - var part324 = match("MESSAGE#322:524:01/4_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); - - var select81 = linear_select([ - part323, - part324, - ]); - - var all59 = all_match({ - processors: [ - dup7, - dup185, - dup183, - dup17, - select81, - dup47, - ], - on_success: 
processor_chain([ - dup1, - ]), - }); - - var msg325 = msg("524:01", all59); - - var part325 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{rule}\"%{p0}"); - - var part326 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", " note=\"%{rulename}\"%{p0}"); - - var select82 = linear_select([ - part326, - dup56, - ]); - - var part327 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); - - var all60 = all_match({ - processors: [ - part325, - select82, - part327, - ], - on_success: processor_chain([ - dup6, - dup11, - ]), - }); - - var msg326 = msg("524:02", all60); - - var select83 = linear_select([ - msg324, - msg325, - msg326, - ]); - - var msg327 = msg("526", dup250); - - var part328 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); - - var select84 = linear_select([ - dup26, - part328, - dup46, - ]); - - var part329 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", "%{daddr}"); - - var select85 = linear_select([ - dup35, - part329, - ]); - - var all61 = all_match({ - processors: [ - dup73, - select84, - dup17, - select85, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg328 = msg("526:01", all61); - - var all62 = all_match({ - processors: [ - dup7, - dup213, - dup183, - dup121, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg329 = msg("526:02", all62); - - var part330 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, - ])); - - var msg330 = msg("526:03", part330); - - var part331 = 
match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, - ])); - - var msg331 = msg("526:04", part331); - - var part332 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup11, - ])); - - var msg332 = msg("526:05", part332); - - var select86 = linear_select([ - msg327, - msg328, - msg329, - msg330, - msg331, - msg332, - ]); - - var part333 = match("MESSAGE#330:537:01/4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); - - var part334 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3}"); - - var select87 = linear_select([ - part334, - dup123, - ]); - - var all63 = all_match({ - processors: [ - dup122, - dup214, - dup17, - dup215, - part333, - select87, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg333 = msg("537:01", all63); - - var all64 = all_match({ - processors: [ - dup122, - dup214, - dup17, - dup215, - dup81, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg334 = msg("537:02", all64); - - var part335 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); - - var part336 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - - var part337 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", "%{saddr->} %{daddr}srcMac=%{p0}"); - - var select88 = linear_select([ - part335, - part336, - part337, - ]); - - var part338 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); - - var 
part339 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); - - var part340 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", "proto=%{protocol->} sent=%{p0}"); - - var select89 = linear_select([ - part339, - part340, - ]); - - var part341 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\""); - - var part342 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\""); - - var select90 = linear_select([ - part341, - dup131, - part342, - dup132, - dup133, - ]); - - var all65 = all_match({ - processors: [ - dup54, - dup216, - dup217, - select88, - part338, - select89, - dup218, - select90, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg335 = msg("537:08", all65); - - var select91 = linear_select([ - dup125, - dup124, - dup126, - dup38, - ]); - - var part343 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); - - var part344 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); - - var part345 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", "%{saddr->} %{daddr}dstMac=%{p0}"); - - var select92 = linear_select([ - part343, - part344, - part345, - ]); - - var part346 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); - - var part347 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", "%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); - - var select93 = linear_select([ - part347, - dup131, - dup132, - dup133, - ]); - - var all66 = all_match({ - processors: [ - dup54, - select91, - dup217, - select92, - part346, - dup218, - select93, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg336 = msg("537:09", 
all66); - - var part348 = match("MESSAGE#334:537:07/3_0", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); - - var part349 = match("MESSAGE#334:537:07/3_1", "nwparser.p0", "%{saddr} %{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); - - var part350 = match("MESSAGE#334:537:07/3_2", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7}"); - - var part351 = match("MESSAGE#334:537:07/3_3", "nwparser.p0", "%{saddr} %{fld3->} fw_action=\"%{action}\""); - - var part352 = match("MESSAGE#334:537:07/3_4", "nwparser.p0", "%{saddr} %{fld3}"); - - var select94 = linear_select([ - part348, - part349, - part350, - part351, - part352, - ]); - - var all67 = all_match({ - processors: [ - dup54, - dup216, - dup217, - select94, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg337 = msg("537:07", all67); - - var part353 = match("MESSAGE#335:537/0", "nwparser.payload", "msg=\"%{action}\"%{p0}"); - - var part354 = match("MESSAGE#335:537/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"%{p0}"); - - var select95 = linear_select([ - part354, - dup56, - ]); - - var part355 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); - - var part356 = match("MESSAGE#335:537/3_0", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); - - var part357 = match("MESSAGE#335:537/3_1", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}: proto=%{p0}"); - - var part358 = match("MESSAGE#335:537/3_2", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var part359 = match("MESSAGE#335:537/3_3", "nwparser.p0", "%{saddr}%{daddr->} proto=%{p0}"); - - var select96 = linear_select([ - part356, - part357, - part358, - part359, - ]); - - var part360 = match("MESSAGE#335:537/4", "nwparser.p0", "%{protocol->} sent=%{p0}"); - - var part361 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} 
rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); - - var part362 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); - - var part363 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); - - var part364 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); - - var part365 = match_copy("MESSAGE#335:537/5_4", "nwparser.p0", "sbytes"); - - var select97 = linear_select([ - part361, - part362, - part363, - part364, - part365, - ]); - - var all68 = all_match({ - processors: [ - part353, - select95, - part355, - select96, - part360, - select97, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg338 = msg("537", all68); - - var part366 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); - - var all69 = all_match({ - processors: [ - dup134, - dup190, - dup17, - dup219, - part366, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg339 = msg("537:04", all69); - - var part367 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{fld4->} %{p0}"); - - var part368 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); - - var part369 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "npcs= %{p0}"); - - var select98 = linear_select([ - part368, - part369, - ]); - - var all70 = all_match({ - processors: [ - dup134, - dup190, - dup17, - dup219, - part367, - select98, - dup96, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg340 = msg("537:05", all70); - - var part370 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{fld2->} %{p0}"); - - var part371 = match("MESSAGE#338:537:10/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} 
dstMac=%{p0}"); - - var part372 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); - - var part373 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); - - var select99 = linear_select([ - part371, - part372, - part373, - ]); - - var part374 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); - - var all71 = all_match({ - processors: [ - part370, - dup220, - dup139, - dup221, - select99, - part374, - dup222, - ], - on_success: processor_chain([ - dup111, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg341 = msg("537:10", all71); - - var part375 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} %{p0}"); - - var part376 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var part377 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); - - var select100 = linear_select([ - dup85, - part376, - part377, - ]); - - var part378 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); - - var all72 = all_match({ - processors: [ - part375, - dup220, - dup139, - dup221, - select100, - part378, - dup222, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg342 = msg("537:03", all72); - - var part379 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); - - var all73 = all_match({ - processors: [ - dup134, - dup190, - dup17, - dup219, - part379, - ], - on_success: processor_chain([ - dup111, - ]), - }); - - var msg343 = msg("537:06", all73); - - var part380 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" 
src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup111, - dup62, - dup11, - dup144, - ])); - - var msg344 = msg("537:11", part380); - - var part381 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup111, - dup62, - dup11, - dup144, - ])); - - var msg345 = msg("537:12", part381); - - var select101 = linear_select([ - msg333, - msg334, - msg335, - msg336, - msg337, - msg338, - msg339, - msg340, - msg341, - msg342, - msg343, - msg344, - msg345, - ]); - - var msg346 = msg("538", dup240); - - var msg347 = msg("549", dup243); - - var msg348 = msg("557", dup243); - - var all74 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1402020200"), - ]), - }); - - var msg349 = msg("558", all74); - - var msg350 = msg("561", dup246); - - var msg351 = msg("562", dup246); - - var msg352 = msg("563", dup246); - - var all75 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - setc("eventcategory","1402020400"), - ]), - }); - - var msg353 = msg("583", all75); - - var part382 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ - dup145, - dup59, - dup146, - dup61, - dup62, - dup11, - dup147, - dup18, - dup19, - dup20, - dup21, - dup22, 
- ])); - - var msg354 = msg("597:01", part382); - - var part383 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ - dup1, - ])); - - var msg355 = msg("597:02", part383); - - var part384 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{saddr}:%{sport}:%{p0}"); - - var part385 = match("MESSAGE#353:597:03/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); - - var all76 = all_match({ - processors: [ - part384, - dup198, - part385, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg356 = msg("597:03", all76); - - var select102 = linear_select([ - msg354, - msg355, - msg356, - ]); - - var part386 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ - dup1, - ])); - - var msg357 = msg("598", part386); - - var part387 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{type->} npcs=%{info}"); - - var all77 = all_match({ - processors: [ - dup148, - dup192, - part387, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg358 = msg("598:01", all77); - - var all78 = all_match({ - processors: [ - dup148, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg359 = msg("598:02", all78); - - var select103 = linear_select([ - msg357, - msg358, - msg359, - ]); - - var part388 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ - dup145, - dup59, - dup146, - dup61, - dup62, - dup11, - dup147, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg360 = msg("602:01", 
part388); - - var msg361 = msg("602:02", dup250); - - var all79 = all_match({ - processors: [ - dup7, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg362 = msg("602:03", all79); - - var select104 = linear_select([ - msg360, - msg361, - msg362, - ]); - - var msg363 = msg("605", dup208); - - var all80 = all_match({ - processors: [ - dup149, - dup223, - dup152, - dup211, - dup119, - ], - on_success: processor_chain([ - dup93, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg364 = msg("606", all80); - - var part389 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); - - var part390 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); - - var part391 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); - - var select105 = linear_select([ - part390, - part391, - ]); - - var part392 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); - - var part393 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); - - var part394 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); - - var select106 = linear_select([ - part393, - part394, - ]); - - var part395 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); - - var select107 = linear_select([ - part395, - dup154, - dup155, - ]); - - var all81 = all_match({ - processors: [ - part389, - select105, - part392, - select106, - dup153, - select107, - ], - on_success: processor_chain([ - dup1, - dup44, - ]), - }); - - var msg365 = msg("608", all81); - - var msg366 = msg("616", dup206); - - var msg367 = msg("658", dup201); - - var msg368 = msg("710", dup224); - - var msg369 = msg("712:02", dup251); - - var msg370 = msg("712", dup224); - - var all82 = all_match({ - processors: [ - dup7, - dup182, - dup10, - 
dup202, - dup100, - ], - on_success: processor_chain([ - dup156, - ]), - }); - - var msg371 = msg("712:01", all82); - - var select108 = linear_select([ - msg369, - msg370, - msg371, - ]); - - var part396 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg372 = msg("713:01", part396); - - var msg373 = msg("713:04", dup251); - - var msg374 = msg("713:02", dup224); - - var part397 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ - dup5, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg375 = msg("713:03", part397); - - var select109 = linear_select([ - msg372, - msg373, - msg374, - msg375, - ]); - - var part398 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ - dup120, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg376 = msg("760", part398); - - var part399 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var part400 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{action->} npcs=%{info}"); - - var all83 = all_match({ - processors: [ - part399, - dup182, - dup10, - dup202, - part400, - ], - on_success: processor_chain([ - dup120, - dup59, - dup60, - dup61, - dup62, - dup11, - dup63, - dup18, - 
dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg377 = msg("760:01", all83); - - var select110 = linear_select([ - msg376, - msg377, - ]); - - var msg378 = msg("766", dup228); - - var msg379 = msg("860", dup228); - - var msg380 = msg("860:01", dup229); - - var select111 = linear_select([ - msg379, - msg380, - ]); - - var part401 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); - - var part402 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); - - var part403 = match_copy("MESSAGE#378:866/1_1", "nwparser.p0", "ntype"); - - var select112 = linear_select([ - part402, - part403, - ]); - - var all84 = all_match({ - processors: [ - part401, - select112, - ], - on_success: processor_chain([ - dup5, - dup44, - ]), - }); - - var msg381 = msg("866", all84); - - var msg382 = msg("866:01", dup229); - - var select113 = linear_select([ - msg381, - msg382, - ]); - - var msg383 = msg("867", dup228); - - var msg384 = msg("867:01", dup229); - - var select114 = linear_select([ - msg383, - msg384, - ]); - - var part404 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup1, - ])); - - var msg385 = msg("882", part404); - - var part405 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ - dup1, - ])); - - var msg386 = msg("882:01", part405); - - var select115 = linear_select([ - msg385, - msg386, - ]); - - var part406 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} 
dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ - dup165, - ])); - - var msg387 = msg("888", part406); - - var part407 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ - dup165, - ])); - - var msg388 = msg("888:01", part407); - - var select116 = linear_select([ - msg387, - msg388, - ]); - - var all85 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup165, - ]), - }); - - var msg389 = msg("892", all85); - - var msg390 = msg("904", dup228); - - var msg391 = msg("905", dup228); - - var msg392 = msg("906", dup228); - - var msg393 = msg("907", dup228); - - var part408 = match("MESSAGE#391:908/1_0", "nwparser.p0", "%{sinterface}:%{shost->} dst=%{p0}"); - - var select117 = linear_select([ - part408, - dup167, - ]); - - var all86 = all_match({ - processors: [ - dup166, - select117, - dup168, - dup223, - dup169, - dup211, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg394 = msg("908", all86); - - var msg395 = msg("909", dup228); - - var msg396 = msg("914", dup230); - - var part409 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup72, - ])); - - var msg397 = msg("931", part409); - - var msg398 = msg("657", dup230); - - var all87 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var msg399 = msg("657:01", all87); - - var select118 = linear_select([ - msg398, - msg399, - ]); - - var msg400 = msg("403", dup209); - - var msg401 = msg("534", dup184); - - var msg402 = msg("994", dup231); - - var part410 = 
match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ - dup1, - dup24, - ])); - - var msg403 = msg("243", part410); - - var msg404 = msg("995", dup184); - - var part411 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ - dup1, - dup59, - dup61, - dup62, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg405 = msg("997", part411); - - var msg406 = msg("998", dup231); - - var part412 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup111, - dup11, - ])); - - var msg407 = msg("998:01", part412); - - var select119 = linear_select([ - msg406, - msg407, - ]); - - var msg408 = msg("1110", dup232); - - var msg409 = msg("565", dup232); - - var part413 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup62, - ])); - - var msg410 = msg("404", part413); - - var part414 = match("MESSAGE#409:267:01/1_0", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); - - var select120 = linear_select([ - part414, - dup58, - ]); - - var part415 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); - - var all88 = all_match({ - processors: [ - dup87, - select120, - part415, - ], - on_success: processor_chain([ - dup111, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, 
- ]), - }); - - var msg411 = msg("267:01", all88); - - var part416 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ - dup1, - dup62, - ])); - - var msg412 = msg("267", part416); - - var select121 = linear_select([ - msg411, - msg412, - ]); - - var part417 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ - dup1, - dup24, - ])); - - var msg413 = msg("263", part417); - - var part418 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup109, - dup11, - ])); - - var msg414 = msg("264", part418); - - var msg415 = msg("412", dup209); - - var part419 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ - dup1, - dup24, - ])); - - var msg416 = msg("793", part419); - - var part420 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ - dup1, - dup24, - ])); - - var msg417 = msg("805", part420); - - var part421 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup170, - dup11, - ])); - - var msg418 = msg("809", part421); - - var part422 = match("MESSAGE#418:809:01", "nwparser.payload", 
"msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup170, - dup11, - ])); - - var msg419 = msg("809:01", part422); - - var select122 = linear_select([ - msg418, - msg419, - ]); - - var msg420 = msg("935", dup230); - - var msg421 = msg("614", dup233); - - var part423 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var all89 = all_match({ - processors: [ - part423, - dup211, - dup119, - ], - on_success: processor_chain([ - dup66, - dup44, - ]), - }); - - var msg422 = msg("748", all89); - - var part424 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); - - var part425 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); - - var select123 = linear_select([ - part425, - dup118, - ]); - - var all90 = all_match({ - processors: [ - part424, - select123, - dup119, - ], - on_success: processor_chain([ - dup171, - dup44, - ]), - }); - - var msg423 = msg("794", all90); - - var msg424 = msg("1086", dup233); - - var part426 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup171, - dup44, - ])); - - var msg425 = msg("1430", part426); - - var msg426 = msg("1149", dup233); - - var msg427 = msg("1159", dup233); - - var part427 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup171, - 
dup44, - ])); - - var msg428 = msg("1195", part427); - - var part428 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ - dup171, - dup44, - ])); - - var msg429 = msg("1195:01", part428); - - var select124 = linear_select([ - msg428, - msg429, - ]); - - var part429 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup5, - dup44, - ])); - - var msg430 = msg("1226", part429); - - var part430 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ - dup5, - dup44, - ])); - - var msg431 = msg("1222", part430); - - var part431 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ - dup1, - dup24, - ])); - - var msg432 = msg("1154", part431); - - var part432 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); - - var all91 = all_match({ - processors: [ - part432, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - dup24, - ]), - }); - - var msg433 = msg("1154:01", all91); - - var part433 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup172, - dup11, - ])); - - var msg434 = msg("1154:02", part433); - - var part434 = match("MESSAGE#434:1154:03/0", 
"nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); - - var part435 = match("MESSAGE#434:1154:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac=%{p0}"); - - var select125 = linear_select([ - part435, - dup79, - ]); - - var part436 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); - - var all92 = all_match({ - processors: [ - part434, - select125, - part436, - ], - on_success: processor_chain([ - dup172, - dup11, - ]), - }); - - var msg435 = msg("1154:03", all92); - - var select126 = linear_select([ - msg432, - msg433, - msg434, - msg435, - ]); - - var part437 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ - dup173, - ])); - - var msg436 = msg("msg", part437); - - var part438 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ - dup173, - ])); - - var msg437 = msg("src", part438); - - var all93 = all_match({ - processors: [ - dup7, - dup185, - dup183, - dup17, - dup212, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg438 = msg("1235", all93); - - var part439 = match("MESSAGE#438:1197/4", "nwparser.p0", "\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); - - var all94 = all_match({ - processors: [ - dup7, - dup185, - dup10, - dup202, - part439, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg439 = msg("1197", all94); - - var part440 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var all95 = all_match({ - processors: [ - part440, - dup185, - dup174, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg440 = msg("1199", all95); - - var part441 = 
match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup175, - dup11, - ])); - - var msg441 = msg("1199:01", part441); - - var part442 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup175, - dup11, - ])); - - var msg442 = msg("1199:02", part442); - - var select127 = linear_select([ - msg440, - msg441, - msg442, - ]); - - var part443 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); - - var all96 = all_match({ - processors: [ - part443, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg443 = msg("1155", all96); - - var part444 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ - dup111, - ])); - - var msg444 = msg("1155:01", part444); - - var select128 = linear_select([ - msg443, - msg444, - ]); - - var all97 = all_match({ - processors: [ - dup176, - dup213, - dup174, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg445 = msg("1198", all97); - - var all98 = all_match({ - processors: [ - dup7, - dup185, - dup174, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg446 = msg("714", all98); - - var msg447 = 
msg("709", dup252); - - var msg448 = msg("1005", dup252); - - var msg449 = msg("1003", dup252); - - var msg450 = msg("1007", dup253); - - var part445 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup109, - dup11, - ])); - - var msg451 = msg("1008", part445); - - var msg452 = msg("708", dup253); - - var all99 = all_match({ - processors: [ - dup176, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg453 = msg("1201", all99); - - var msg454 = msg("1201:01", dup253); - - var select129 = linear_select([ - msg453, - msg454, - ]); - - var msg455 = msg("654", dup234); - - var msg456 = msg("670", dup234); - - var msg457 = msg("884", dup253); - - var part446 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ - dup1, - ])); - - var msg458 = msg("1153", part446); - - var part447 = match("MESSAGE#458:1153:01/1_0", "nwparser.p0", " app=%{fld1->} sess=%{fld2->} n=%{p0}"); - - var part448 = match("MESSAGE#458:1153:01/1_1", "nwparser.p0", " sess=%{fld2->} n=%{p0}"); - - var part449 = match("MESSAGE#458:1153:01/1_2", "nwparser.p0", " n=%{p0}"); - - var select130 = linear_select([ - part447, - part448, - part449, - ]); - - var part450 = match("MESSAGE#458:1153:01/2", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); - - var part451 = match("MESSAGE#458:1153:01/3_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); - - var select131 = linear_select([ - part451, - dup26, - ]); - - var part452 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); - - var part453 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); - - var part454 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); - - var select132 = linear_select([ - part452, - part453, - part454, - ]); - - var part455 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); - - var part456 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{p0}"); - - var part457 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{p0}"); - - var part458 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{p0}"); - - var select133 = linear_select([ - part456, - part457, - part458, - ]); - - var all100 = all_match({ - processors: [ - dup54, - select130, - part450, - select131, - select132, - part455, - select133, - dup123, - ], - on_success: processor_chain([ - dup1, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg459 = msg("1153:01", all100); - - var part459 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); - - var part460 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", "n=%{fld2->} src=%{p0}"); - - var select134 = linear_select([ - part459, - part460, - ]); - - var part461 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); - - var all101 = all_match({ - processors: [ - dup82, - select134, - part461, - ], - on_success: processor_chain([ - dup1, - dup11, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var msg460 = msg("1153:02", all101); - - var select135 = linear_select([ - msg458, - msg459, - msg460, - ]); - - var part462 = match("MESSAGE#460:1107", "nwparser.payload", 
"msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ - dup1, - ])); - - var msg461 = msg("1107", part462); - - var part463 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); - - var part464 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var part465 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst= %{p0}"); - - var select136 = linear_select([ - part464, - part465, - ]); - - var all102 = all_match({ - processors: [ - part463, - select136, - dup153, - dup235, - dup179, - ], - on_success: processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg462 = msg("1220", all102); - - var all103 = all_match({ - processors: [ - dup149, - dup235, - dup179, - ], - on_success: processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg463 = msg("1230", all103); - - var part466 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ - dup1, - ])); - - var msg464 = msg("1231", part466); - - var part467 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup175, - dup11, - ])); - - var msg465 = msg("1233", part467); - - var part468 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); - - var part469 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); - - var part470 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); - - var select137 = linear_select([ - part469, - part470, - ]); - - var part471 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); - - var part472 = match("MESSAGE#465:1079/3_0", 
"nwparser.p0", "dur=%{duration->} %{space}n=%{p0}"); - - var part473 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{p0}"); - - var select138 = linear_select([ - part472, - part473, - dup38, - ]); - - var part474 = match_copy("MESSAGE#465:1079/4", "nwparser.p0", "fld1"); - - var all104 = all_match({ - processors: [ - part468, - select137, - part471, - select138, - part474, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg466 = msg("1079", all104); - - var part475 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ - dup1, - ])); - - var msg467 = msg("1079:01", part475); - - var part476 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ - dup1, - dup11, - setc("event_description","destination is not allowed by access control"), - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg468 = msg("1079:02", part476); - - var part477 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ - dup1, - dup11, - setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), - dup18, - dup19, - dup20, - dup21, - dup22, - ])); - - var msg469 = msg("1079:03", part477); - - var select139 = linear_select([ - msg466, - msg467, - msg468, - msg469, - ]); - - var part478 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); - - var part479 = match("MESSAGE#469:1080/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var select140 = linear_select([ - dup8, - part479, - ]); - - var part480 = match("MESSAGE#469:1080/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); - - var select141 = 
linear_select([ - dup135, - part480, - ]); - - var part481 = match_copy("MESSAGE#469:1080/3", "nwparser.p0", "protocol"); - - var all105 = all_match({ - processors: [ - part478, - select140, - select141, - part481, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var msg470 = msg("1080", all105); - - var part482 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg471 = msg("580", part482); - - var part483 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); - - var all106 = all_match({ - processors: [ - part483, - dup236, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg472 = msg("1369", all106); - - var all107 = all_match({ - processors: [ - dup149, - dup223, - dup152, - dup236, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg473 = msg("1370", all107); - - var all108 = all_match({ - processors: [ - dup149, - dup223, - dup169, - dup211, - dup119, - ], - on_success: processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg474 = msg("1371", all108); - - var part484 = match("MESSAGE#474:1387/1_1", "nwparser.p0", " dst=%{p0}"); - - var select142 = linear_select([ - dup167, - part484, - ]); - - var all109 = all_match({ - processors: [ - dup166, - select142, - dup168, - dup223, - dup169, - dup211, - dup119, - ], - on_success: processor_chain([ - dup165, - dup62, 
- dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg475 = msg("1387", all109); - - var part485 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{saddr}:%{p0}"); - - var part486 = match("MESSAGE#475:1391/1_0", "nwparser.p0", "%{sport}:%{sinterface}dst=%{p0}"); - - var part487 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{sport}dst=%{p0}"); - - var select143 = linear_select([ - part486, - part487, - ]); - - var part488 = match("MESSAGE#475:1391/3_0", "nwparser.p0", "%{dport}:%{dinterface}:%{dhost}"); - - var select144 = linear_select([ - part488, - dup154, - dup155, - ]); - - var all110 = all_match({ - processors: [ - part485, - select143, - dup153, - select144, - ], - on_success: processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg476 = msg("1391", all110); - - var part489 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg477 = msg("1253", part489); - - var part490 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg478 = msg("1009", part490); - - var part491 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{p0}"); - - var part492 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{dinterface}:%{dhost}srcMac=%{p0}"); - - var part493 = match("MESSAGE#478:910/1_1", 
"nwparser.p0", "%{dinterface}srcMac=%{p0}"); - - var select145 = linear_select([ - part492, - part493, - ]); - - var part494 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); - - var all111 = all_match({ - processors: [ - part491, - select145, - part494, - ], - on_success: processor_chain([ - dup5, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg479 = msg("910", all111); - - var part495 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup22, - dup44, - ])); - - var msg480 = msg("m:01", part495); - - var part496 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg481 = msg("1011", part496); - - var part497 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup172, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg482 = msg("609", part497); - - var msg483 = msg("796", dup237); - - var part498 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup78, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg484 = msg("880", part498); - - var part499 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", 
processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var msg485 = msg("1309", part499); - - var msg486 = msg("1310", dup237); - - var part500 = match("MESSAGE#486:1232/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); - - var part501 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} note=\"%{p0}"); - - var part502 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{dinterface->} note=\"%{p0}"); - - var select146 = linear_select([ - part501, - part502, - ]); - - var part503 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); - - var all112 = all_match({ - processors: [ - part500, - select146, - part503, - ], - on_success: processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg487 = msg("1232", all112); - - var part504 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var all113 = all_match({ - processors: [ - part504, - dup211, - dup119, - ], - on_success: processor_chain([ - dup165, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ]), - }); - - var msg488 = msg("1447", all113); - - var chain1 = processor_chain([ - select1, - msgid_select({ - "10": msg9, - "100": msg159, - "1003": msg449, - "1005": msg448, - "1007": msg450, - "1008": msg451, - "1009": msg478, - "101": msg160, - "1011": msg481, - "102": msg161, - "103": msg162, - "104": msg163, - "105": msg164, - "106": msg165, - "107": msg166, - "1079": select139, - "108": msg167, - "1080": msg470, - "1086": msg424, - "109": msg168, - "11": msg10, - "110": msg169, - "1107": msg461, - "111": select57, - 
"1110": msg408, - "112": msg172, - "113": msg173, - "114": msg174, - "1149": msg426, - "115": select58, - "1153": select135, - "1154": select126, - "1155": select128, - "1159": msg427, - "116": msg177, - "117": msg178, - "118": msg179, - "119": msg180, - "1195": select124, - "1197": msg439, - "1198": msg445, - "1199": select127, - "12": select4, - "120": msg181, - "1201": select129, - "121": msg182, - "122": msg183, - "1220": msg462, - "1222": msg431, - "1226": msg430, - "123": msg184, - "1230": msg463, - "1231": msg464, - "1232": msg487, - "1233": msg465, - "1235": msg438, - "124": msg185, - "125": msg186, - "1253": msg477, - "1254": msg187, - "1256": msg188, - "1257": msg189, - "126": msg190, - "127": msg191, - "128": msg192, - "129": msg193, - "13": msg13, - "130": msg194, - "1309": msg485, - "131": msg195, - "1310": msg486, - "132": msg196, - "133": msg197, - "134": msg198, - "135": msg199, - "136": msg200, - "1369": msg472, - "137": msg201, - "1370": msg473, - "1371": msg474, - "138": msg202, - "1387": msg475, - "139": select59, - "1391": msg476, - "14": select7, - "140": msg205, - "141": msg206, - "142": msg207, - "143": msg208, - "1430": msg425, - "1431": msg209, - "144": msg210, - "1447": msg488, - "145": msg211, - "146": msg212, - "147": msg213, - "148": msg214, - "1480": msg215, - "149": msg216, - "15": msg20, - "150": msg217, - "151": msg218, - "152": msg219, - "153": msg220, - "154": msg221, - "155": msg222, - "156": msg223, - "157": select60, - "158": msg226, - "159": msg227, - "16": msg21, - "160": msg228, - "161": msg229, - "162": msg230, - "163": msg231, - "164": msg232, - "165": msg233, - "166": msg234, - "167": msg235, - "168": msg236, - "169": msg237, - "17": msg22, - "170": msg238, - "171": select61, - "172": select62, - "173": msg245, - "174": select63, - "175": select64, - "176": msg253, - "177": msg254, - "178": msg255, - "179": msg256, - "18": msg23, - "180": select65, - "181": select66, - "19": msg24, - "193": msg261, - "194": msg262, - 
"195": msg263, - "196": select67, - "199": msg266, - "20": msg25, - "200": msg267, - "21": msg26, - "22": msg27, - "23": select10, - "235": select68, - "236": msg271, - "237": msg272, - "238": msg273, - "239": msg274, - "24": select11, - "240": msg275, - "241": select69, - "242": msg278, - "243": msg403, - "25": msg34, - "252": msg279, - "255": msg280, - "257": msg281, - "26": msg35, - "261": select72, - "262": msg284, - "263": msg413, - "264": msg414, - "267": select121, - "27": msg36, - "273": msg285, - "28": select12, - "29": select13, - "30": select14, - "31": select15, - "32": select16, - "328": msg286, - "329": msg287, - "33": select17, - "34": msg52, - "346": msg288, - "35": select18, - "350": msg289, - "351": msg290, - "352": msg291, - "353": select73, - "354": msg294, - "355": select74, - "356": msg297, - "357": select75, - "358": msg300, - "36": select21, - "37": select23, - "371": select76, - "372": msg303, - "373": msg304, - "38": select25, - "39": msg67, - "4": msg1, - "40": msg68, - "401": msg305, - "402": msg306, - "403": msg400, - "404": msg410, - "406": msg307, - "41": select26, - "412": msg415, - "413": msg308, - "414": msg309, - "42": msg72, - "427": msg156, - "428": msg157, - "43": msg73, - "438": msg310, - "439": msg311, - "44": msg74, - "440": msg312, - "441": select77, - "442": msg315, - "446": msg316, - "45": select27, - "46": select28, - "47": msg82, - "477": msg317, - "48": msg83, - "49": msg84, - "5": select2, - "50": msg85, - "509": msg318, - "51": msg86, - "52": msg87, - "520": msg319, - "522": select80, - "523": msg323, - "524": select83, - "526": select86, - "53": msg88, - "534": msg401, - "537": select101, - "538": msg346, - "549": msg347, - "557": msg348, - "558": msg349, - "561": msg350, - "562": msg351, - "563": msg352, - "565": msg409, - "58": msg89, - "580": msg471, - "583": msg353, - "597": select102, - "598": select103, - "6": select3, - "60": msg90, - "602": select104, - "605": msg363, - "606": msg364, - "608": msg365, - 
"609": msg482, - "61": msg91, - "614": msg421, - "616": msg366, - "62": msg92, - "63": select29, - "64": msg95, - "65": msg96, - "654": msg455, - "657": select118, - "658": msg367, - "66": msg97, - "67": select30, - "670": msg456, - "68": msg100, - "69": msg101, - "7": msg6, - "70": select32, - "708": msg452, - "709": msg447, - "710": msg368, - "712": select108, - "713": select109, - "714": msg446, - "72": select33, - "73": msg106, - "74": msg107, - "748": msg422, - "75": msg108, - "76": msg109, - "760": select110, - "766": msg378, - "77": msg110, - "78": msg111, - "79": msg112, - "793": msg416, - "794": msg423, - "796": msg483, - "8": msg7, - "80": msg113, - "805": msg417, - "809": select122, - "81": msg114, - "82": select34, - "83": select35, - "84": msg122, - "860": select111, - "866": select113, - "867": select114, - "87": select37, - "88": select38, - "880": msg484, - "882": select115, - "884": msg457, - "888": select116, - "89": select40, - "892": msg389, - "9": msg8, - "90": msg129, - "904": msg390, - "905": msg391, - "906": msg392, - "907": msg393, - "908": msg394, - "909": msg395, - "91": msg130, - "910": msg479, - "914": msg396, - "92": msg131, - "93": msg132, - "931": msg397, - "935": msg420, - "94": msg133, - "95": msg134, - "96": msg135, - "97": select44, - "98": select56, - "986": msg155, - "99": msg158, - "994": msg402, - "995": msg404, - "997": msg405, - "998": select119, - "m": msg480, - "msg": msg436, - "src": msg437, - }), - ]); - - var part505 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var part506 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); - - var part507 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var part508 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); - - var part509 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} %{p0}"); - - var part510 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); - - var part511 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); - - var part512 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); - - var part513 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); - - var part514 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); - - var part515 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); - - var part516 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); - - var part517 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); - - var part518 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); - - var part519 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); - - var part520 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); - - var part521 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); - - var part522 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); - - var part523 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); - - var part524 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); - - var part525 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); - - var part526 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); - - var part527 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var part528 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); - - var part529 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); - - var part530 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); - - 
var part531 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); - - var part532 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); - - var part533 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); - - var part534 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); - - var part535 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); - - var part536 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); - - var part537 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); - - var part538 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); - - var part539 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - - var part540 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); - - var part541 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); - - var part542 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); - - var part543 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); - - var part544 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); - - var part545 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var part546 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); - - var part547 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); - - var part548 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes}"); - - var part549 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); - - var part550 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} 
dst= %{p0}"); - - var part551 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); - - var part552 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); - - var part553 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); - - var part554 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - - var part555 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); - - var part556 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); - - var part557 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); - - var part558 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); - - var part559 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); - - var part560 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); - - var part561 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); - - var part562 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); - - var part563 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); - - var part564 = match("MESSAGE#262:196/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); - - var part565 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); - - var part566 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); - - var part567 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); - - var part568 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); - - var part569 = match("MESSAGE#302:401/1_0", "nwparser.p0", 
"dstname=%{name}"); - - var part570 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); - - var part571 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); - - var part572 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); - - var part573 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); - - var part574 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); - - var part575 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); - - var part576 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); - - var part577 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); - - var part578 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); - - var part579 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); - - var part580 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); - - var part581 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); - - var part582 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); - - var part583 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); - - var part584 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); - - var part585 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); - - var part586 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); - - var part587 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); - - var part588 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); - - var part589 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", 
"%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); - - var part590 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); - - var part591 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); - - var part592 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); - - var part593 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - - var part594 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); - - var part595 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); - - var part596 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); - - var part597 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); - - var part598 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); - - var part599 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); - - var part600 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); - - var part601 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); - - var part602 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); - - var part603 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); - - var part604 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); - - var part605 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); - - var part606 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); - - var part607 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); - - var part608 = 
match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var part609 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); - - var part610 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); - - var part611 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); - - var part612 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); - - var part613 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); - - var part614 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); - - var part615 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); - - var part616 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); - - var part617 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); - - var part618 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); - - var part619 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); - - var part620 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); - - var part621 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); - - var part622 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); - - var part623 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); - - var select147 = linear_select([ - dup8, - dup9, - ]); - - var select148 = linear_select([ - dup15, - dup16, - ]); - - var part624 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - 
])); - - var select149 = linear_select([ - dup26, - dup27, - ]); - - var select150 = linear_select([ - dup28, - dup29, - ]); - - var select151 = linear_select([ - dup35, - dup36, - ]); - - var select152 = linear_select([ - dup37, - dup38, - ]); - - var select153 = linear_select([ - dup39, - dup40, - ]); - - var select154 = linear_select([ - dup26, - dup46, - ]); - - var select155 = linear_select([ - dup48, - dup49, - ]); - - var select156 = linear_select([ - dup52, - dup53, - ]); - - var select157 = linear_select([ - dup55, - dup56, - ]); - - var select158 = linear_select([ - dup57, - dup58, - ]); - - var part625 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup70, - ])); - - var part626 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup5, - ])); - - var select159 = linear_select([ - dup75, - dup76, - ]); - - var select160 = linear_select([ - dup83, - dup84, - ]); - - var part627 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ - dup1, - ])); - - var select161 = linear_select([ - dup94, - dup95, - ]); - - var part628 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup5, - ])); - - var select162 = linear_select([ - dup98, - dup99, - ]); - - var select163 = linear_select([ - dup86, - dup102, - ]); - - var select164 = linear_select([ - dup103, - dup104, - ]); - - var part629 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup93, - ])); - - var part630 = match("MESSAGE#293:355", "nwparser.payload", 
"msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup93, - ])); - - var part631 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup1, - ])); - - var part632 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup1, - ])); - - var part633 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - ])); - - var select165 = linear_select([ - dup114, - dup115, - ]); - - var select166 = linear_select([ - dup117, - dup118, - ]); - - var select167 = linear_select([ - dup43, - dup42, - ]); - - var select168 = linear_select([ - dup8, - dup27, - ]); - - var select169 = linear_select([ - dup8, - dup26, - dup46, - ]); - - var select170 = linear_select([ - dup80, - dup15, - dup16, - ]); - - var select171 = linear_select([ - dup124, - dup125, - dup126, - dup38, - ]); - - var select172 = linear_select([ - dup127, - dup128, - ]); - - var select173 = linear_select([ - dup129, - dup130, - ]); - - var select174 = linear_select([ - dup135, - dup136, - dup137, - ]); - - var select175 = linear_select([ - dup138, - dup56, - ]); - - var select176 = linear_select([ - dup140, - dup141, - ]); - - var select177 = linear_select([ - dup142, - dup143, - ]); - - var select178 = linear_select([ - dup150, - dup151, - ]); - - var part634 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup156, - ])); - - var select179 = linear_select([ - dup158, - dup38, - ]); - - var select180 = linear_select([ - dup160, - dup161, - ]); - - var select181 = linear_select([ - dup162, - dup163, - ]); - - var part635 = 
match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ - dup5, - ])); - - var part636 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ - dup5, - ])); - - var part637 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ - dup5, - dup24, - ])); - - var part638 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ - dup1, - dup24, - ])); - - var part639 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ - dup1, - dup24, - ])); - - var part640 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup171, - dup44, - ])); - - var part641 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ - dup1, - ])); - - var select182 = linear_select([ - dup177, - dup178, - ]); - - var select183 = linear_select([ - dup180, - dup181, - ]); - - var part642 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup1, - dup62, - dup18, - dup88, - dup20, - dup21, - dup22, - dup44, - ])); - - var all114 = all_match({ - processors: [ - dup32, - dup185, - dup186, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var all115 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup91, - ]), - }); - - var all116 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var all117 = all_match({ - processors: [ - 
dup101, - dup203, - ], - on_success: processor_chain([ - dup67, - ]), - }); - - var all118 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup106, - ]), - }); - - var all119 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup31, - ]), - }); - - var all120 = all_match({ - processors: [ - dup32, - dup185, - dup187, - ], - on_success: processor_chain([ - dup30, - ]), - }); - - var all121 = all_match({ - processors: [ - dup108, - dup185, - dup187, - ], - on_success: processor_chain([ - dup109, - ]), - }); - - var all122 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup112, - ]), - }); - - var all123 = all_match({ - processors: [ - dup113, - dup210, - ], - on_success: processor_chain([ - dup93, - ]), - }); - - var all124 = all_match({ - processors: [ - dup110, - dup185, - dup187, - ], - on_success: processor_chain([ - dup116, - ]), - }); - - var all125 = all_match({ - processors: [ - dup51, - dup189, - dup41, - dup187, - ], - on_success: processor_chain([ - dup5, - ]), - }); - - var all126 = all_match({ - processors: [ - dup73, - dup185, - dup183, - dup43, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var all127 = all_match({ - processors: [ - dup157, - dup225, - dup159, - dup226, - dup227, - dup164, - ], - on_success: processor_chain([ - dup156, - dup59, - dup60, - dup61, - dup62, - dup44, - dup63, - dup18, - dup19, - dup20, - dup21, - dup22, - ]), - }); - - var all128 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup202, - dup100, - ], - on_success: processor_chain([ - dup1, - ]), - }); - - var all129 = all_match({ - processors: [ - dup7, - dup182, - dup10, - dup200, - dup96, - ], - on_success: processor_chain([ - dup1, - ]), - }); - -- community_id: -- registered_domain: - ignore_missing: true - ignore_failure: true - field: dns.question.name - target_field: dns.question.registered_domain 
- target_subdomain_field: dns.question.subdomain - target_etld_field: dns.question.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: client.domain - target_field: client.registered_domain - target_subdomain_field: client.subdomain - target_etld_field: client.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: server.domain - target_field: server.registered_domain - target_subdomain_field: server.subdomain - target_etld_field: server.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: destination.domain - target_field: destination.registered_domain - target_subdomain_field: destination.subdomain - target_etld_field: destination.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: source.domain - target_field: source.registered_domain - target_subdomain_field: source.subdomain - target_etld_field: source.top_level_domain -- registered_domain: - ignore_missing: true - ignore_failure: true - field: url.domain - target_field: url.registered_domain - target_subdomain_field: url.subdomain - target_etld_field: url.top_level_domain -- add_locale: ~ diff --git a/packages/sonicwall/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml b/packages/sonicwall/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml index 7dcf227cf11..35a43f3c0b5 100644 --- a/packages/sonicwall/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sonicwall/data_stream/firewall/elasticsearch/ingest_pipeline/default.yml 
@@ -2,71 +2,521 @@ description: Pipeline for Sonicwall-FW processors: - # ECS event.ingested + - trim: + field: message + - rename: + field: message + target_field: event.original + - set: + field: event.module + value: sonicwall - set: field: event.ingested value: '{{_ingest.timestamp}}' + - set: + field: event.dataset + value: sonicwall.firewall - set: field: ecs.version - value: '8.0.0' - # User agent - - user_agent: - field: user_agent.original + value: 8.0.0 + - grok: + field: event.original + patterns: + - "^%{DATA}%{IP:observer.ip:ip} +%{GREEDYDATA:message}$" + - "^%{DATA}%{TIMESTAMP:event.created} %{IP:observer.ip:ip} +%{GREEDYDATA:message}$" + pattern_definitions: + TIMESTAMP: '%{MONTH} +%{MONTHDAY} %{TIME}' + - kv: + field: message + field_split: ' (?=[a-zA-Z0-9_]+=)' + value_split: = + prefix: sonicwall. ignore_missing: true - # IP Geolocation Lookup - - geoip: + trim_value: '"' + - remove: + field: message + - date: + field: sonicwall.time + formats: + - 'yyyy-MM-dd HH:mm:ss zzz' + - 'yyyy-MM-dd HH:mm:ss' + - remove: + field: sonicwall.time + - rename: + field: sonicwall.fw + target_field: observer.egress.ip + - convert: + field: observer.egress.ip + type: IP + - rename: + field: sonicwall.id + target_field: observer.hostname + - rename: + field: sonicwall.sn + target_field: observer.serial_number + - rename: + field: sonicwall.pri + target_field: event.severity + - convert: + field: event.severity + type: long + - set: + field: event.risk_score + value: '{{event.severity}}' + - convert: + field: event.risk_score + type: long + - rename: + if: ctx.sonicwall?.msg != null + field: sonicwall.msg + target_field: message + - rename: + if: ctx.sonicwall?.c != null + field: sonicwall.c + target_field: sonicwall.event.category + - convert: + if: ctx.sonicwall?.event?.category != null + field: sonicwall.event.category + type: long + - rename: + if: ctx.sonicwall?.gcat != null + field: sonicwall.gcat + target_field: sonicwall.event.group_category + - convert: + 
if: ctx.sonicwall?.event?.group_category != null + field: sonicwall.event.group_category + type: long + - rename: + if: ctx.sonicwall?.m != null + field: sonicwall.m + target_field: sonicwall.event.message_id + - convert: + if: ctx.sonicwall?.event?.message_id != null + field: sonicwall.event.message_id + type: long + - rename: + if: ctx.sonicwall?.srcMac != null + field: sonicwall.srcMac + target_field: source.mac + - lowercase: + if: ctx.source?.mac != null + field: source.mac + - dissect: + if: ctx.sonicwall?.src != null + field: sonicwall.src + pattern: '%{source.ip}:%{source.port}:%{observer.ingress.interface.name}' + ignore_failure: true +# Some logs don't have all fields, or both : + - dissect: + if: (ctx.source?.ip == null || ctx.source?.port == null) && ctx.sonicwall?.src != null + field: sonicwall.src + pattern: '%{source.ip}:%{source.port}' + ignore_failure: true + - remove: + if: (ctx.source?.ip != null || ctx.source?.port != null || ctx.observer?.ingress?.interface?.name != null) && ctx.sonicwall?.src != null + field: sonicwall.src + - remove: + if: ctx.source?.port == '' + field: source.port + - convert: + if: ctx.source?.ip != null field: source.ip - target_field: source.geo - ignore_missing: true - - geoip: + type: IP + - convert: + if: ctx.source?.port != null + field: source.port + type: long + - rename: + if: ctx.sonicwall?.srcZone != null + field: sonicwall.srcZone + target_field: observer.ingress.zone + - dissect: + if: ctx.sonicwall?.natSrc != null + field: sonicwall.natSrc + pattern: '%{source.nat.ip}:%{source.nat.port}' + - remove: + if: ctx.sonicwall?.natSrc != null + field: sonicwall.natSrc + - convert: + if: ctx.source?.nat?.ip != null + field: source.nat.ip + type: IP + - rename: + if: ctx.sonicwall?.dstMac != null + field: sonicwall.dstMac + target_field: destination.mac + - lowercase: + if: ctx.destination?.mac != null + field: destination.mac + - convert: + if: ctx.source?.nat?.port != null + field: source.nat.port + type: long + - 
dissect: + if: ctx.sonicwall?.dst != null + field: sonicwall.dst + pattern: '%{destination.ip}:%{destination.port}:%{observer.egress.interface.name}' + ignore_failure: true +# Some logs don't have all fields, or both : + - dissect: + if: ctx.destination?.ip == null && ctx.sonicwall?.dst != null + field: sonicwall.dst + pattern: '%{destination.ip}:%{destination.port}' + - remove: + if: ctx.sonicwall?.dst != null + field: sonicwall.dst + - remove: + if: ctx.destination?.port == '' + field: destination.port + - convert: + if: ctx.destination?.ip != null field: destination.ip - target_field: destination.geo - ignore_missing: true + type: IP + - convert: + if: ctx.destination?.port != null + field: destination.port + type: long + - rename: + if: ctx.sonicwall?.dstZone != null + field: sonicwall.dstZone + target_field: observer.egress.zone + - dissect: + if: ctx.sonicwall?.natDst != null + field: sonicwall.natDst + pattern: '%{destination.nat.ip}:%{destination.nat.port}' + - remove: + if: ctx.sonicwall?.natDst != null + field: sonicwall.natDst + - convert: + if: ctx.destination?.nat?.ip != null + field: destination.nat.ip + type: IP + - convert: + if: ctx.destination?.nat?.port != null + field: destination.nat.port + type: long + - rename: + if: ctx.sonicwall?.usr != null + field: sonicwall.usr + target_field: user.name + - dissect: + if: ctx.sonicwall?.proto != null + field: sonicwall.proto + pattern: '%{network.transport}/%{network.protocol}' + ignore_failure: true +# Most logs are / format, but ips logs can be just + - rename: + if: ctx.network?.transport == null && ctx.network?.protocol == null && ctx.sonicwall?.proto != null + field: sonicwall.proto + target_field: network.protocol + - remove: + if: ctx.sonicwall?.proto != null + field: sonicwall.proto + - rename: + if: ctx.sonicwall?.type != null + field: sonicwall.type + target_field: sonicwall.event.icmp_type + - convert: + if: ctx.sonicwall?.event.icmp_type != null + field: sonicwall.event.icmp_type + type: long 
+ - rename: + if: ctx.sonicwall?.icmpCode != null + field: sonicwall.icmpCode + target_field: sonicwall.event.icmp_code + - convert: + if: ctx.sonicwall?.event.icmp_code != null + field: sonicwall.event.icmp_code + type: long + - rename: + if: ctx.sonicwall?.sent != null + field: sonicwall.sent + target_field: source.bytes + - convert: + if: ctx.source?.bytes != null + field: source.bytes + type: long + - rename: + if: ctx.sonicwall?.op != null + field: sonicwall.op + target_field: sonicwall.event.http_op_code + - convert: + if: ctx.sonicwall?.event?.http_op_code != null + field: sonicwall.event.http_op_code + type: long + - rename: + if: ctx.sonicwall?.rcvd != null + field: sonicwall.rcvd + target_field: destination.bytes + - convert: + if: ctx.destination?.bytes != null + field: destination.bytes + type: long + - rename: + if: ctx.sonicwall?.spkt != null + field: sonicwall.spkt + target_field: source.packets + - convert: + if: ctx.source?.packets != null + field: source.packets + type: long + - rename: + if: ctx.sonicwall?.rpkt != null + field: sonicwall.rpkt + target_field: destination.packets + - convert: + if: ctx.destination?.packets != null + field: destination.packets + type: long + - rename: + if: ctx.sonicwall?.cdur != null + field: sonicwall.cdur + target_field: event.duration + - convert: + if: ctx.event?.duration != null + field: event.duration + type: long +#cdur is measured in milliseconds, so needs to be multiplied to comply with ECS + - script: + if: ctx.event?.duration != null + source: ctx.event.duration = (ctx.event.duration*100000) + - rename: + if: ctx.sonicwall?.app != null + field: sonicwall.app + target_field: sonicwall.event.application_id_number + - convert: + if: ctx.sonicwall?.event?.application_id_number != null + field: sonicwall.event.application_id_number + type: long + - rename: + if: ctx.sonicwall?.af_polid != null + field: sonicwall.af_polid + target_field: sonicwall.application.filter_id + - rename: + if: ctx.sonicwall?.appName 
!= null + field: sonicwall.appName + target_field: sonicwall.event.app_name + - rename: + if: ctx.sonicwall?.sid != null + field: sonicwall.sid + target_field: sonicwall.event.sid_number + - convert: + if: ctx.sonicwall?.event?.sid_number != null + field: sonicwall.event.sid_number + type: long + - rename: + if: ctx.sonicwall?.ipscat != null + field: sonicwall.ipscat + target_field: ips.category + - rename: + if: ctx.sonicwall?.ipspri != null + field: sonicwall.ipspri + target_field: ips.severity +#This field occasionally matches with an extra whitespace, which breaks trying to read it as an integer + - trim: + if: ctx.ips?.severity != null + field: ips.severity + - convert: + if: ctx.ips?.severity != null + field: ips.severity + type: long + - rename: + if: ctx.sonicwall?.appcat != null + field: sonicwall.appcat + target_field: sonicwall.event.appcat + - rename: + if: ctx.sonicwall?.appid != null + field: sonicwall.appid + target_field: sonicwall.application.application_id + - convert: + if: ctx.sonicwall?.application?.application_id != null + field: sonicwall.application.application_id + type: long + - rename: + if: ctx.sonicwall?.catid != null + field: sonicwall.catid + target_field: sonicwall.event.category_id + - convert: + if: ctx.sonicwall?.event?.category_id != null + field: sonicwall.event.category_id + type: long + - rename: + if: ctx.sonicwall?.n != null + field: sonicwall.n + target_field: event.sequence + - convert: + if: ctx.event?.sequence != null + field: event.sequence + type: long + - rename: + if: ctx.sonicwall?.dstname != null + field: sonicwall.dstname + target_field: sonicwall.destination.name + - rename: + if: ctx.sonicwall?.arg != null + field: sonicwall.arg + target_field: sonicwall.event.url_path + - rename: + if: ctx.sonicwall?.code != null + field: sonicwall.code + target_field: sonicwall.event.code + - convert: + if: ctx.sonicwall?.event?.code != null + field: sonicwall.event.code + type: long + - rename: + if: ctx.sonicwall?.Category 
!= null + field: sonicwall.Category + target_field: sonicwall.event.blocking_category + - rename: + if: ctx.sonicwall?.note != null + field: sonicwall.note + target_field: sonicwall.event.note + - rename: + if: ctx.sonicwall?.fw_action != null + field: sonicwall.fw_action + target_field: sonicwall.event.firewall_action + - rename: + if: ctx.sonicwall?.n != null + field: sonicwall.n + target_field: event.sequence + - rename: + if: ctx.sonicwall?.dpi != null + field: sonicwall.dpi + target_field: sonicwall.event.dpi + - convert: + if: ctx.sonicwall?.event?.dpi != null + field: sonicwall.event.dpi + type: long + - rename: + if: ctx.sonicwall?.rule != null + field: sonicwall.rule + target_field: sonicwall.event.rule + - rename: + if: ctx.sonicwall?.vpnpolicy != null + field: sonicwall.vpnpolicy + target_field: source.vpn_policy + + + - set: + field: _source.ingest_time + value: '{{_ingest.timestamp}}' +#Calculate the time between when the log was generated by the sonicwall and when it was ingested +#Useful for setting a monitor on to watch for ingest issues or time drift on either appliance + - script: + source: >- + if(ctx.containsKey('ingest_time') && ctx.containsKey('@timestamp')) { + ctx['ingest_lag_in_seconds'] = + ChronoUnit.MILLIS.between(ZonedDateTime.parse(ctx['@timestamp']), + ZonedDateTime.parse(ctx['ingest_time']))/1000} + + +#This field has to exist before the script processor, or it'll error out + - set: + if: ctx.sonicwall?.event?.http_op_code != null + field: http.request.method + value: '' + - script: + if: ctx.sonicwall?.event?.http_op_code != null + source: >- + if (ctx.sonicwall.http_op_code == 0){ctx.http.request.method = 'no + operation'} else if (ctx.sonicwall.event.http_op_code == + 1){ctx.http.request.method = 'GET'} else if + (ctx.sonicwall.event.http_op_code == 2){ctx.http.http_op_code = 'POST'} + else if (ctx.sonicwall.event.http_op_code == 3){ctx.http.request.method + = 'HEAD'} + + + - set: + if: ctx.message != null && 
ctx.message.contains('Connection') + field: event.type + value: event + - set: + if: ctx.message != null && ctx.message == 'Connection Opened' + field: event.action + value: connection opened + - set: + if: ctx.message != null && ctx.message == 'Connection Closed' + field: event.action + value: connection closed + - # IP Autonomous System (AS) Lookup - geoip: - database_file: GeoLite2-ASN.mmdb + if: ctx.source?.ip != null field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true + target_field: source.geo - geoip: + if: ctx.source?.ip != null database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as + field: source.ip + target_field: source.as properties: - - asn - - organization_name - ignore_missing: true + - asn + - organization_name - rename: + if: ctx.source?.as?.asn != null field: source.as.asn target_field: source.as.number - ignore_missing: true - rename: + if: ctx.source?.as?.organization_name != null field: source.as.organization_name target_field: source.as.organization.name - ignore_missing: true + + - geoip: + if: ctx.destination?.ip != null + field: destination.ip + target_field: destination.geo + - geoip: + if: ctx.destination?.ip != null + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name - rename: + if: ctx.destination?.as?.asn != null field: destination.as.asn target_field: destination.as.number - ignore_missing: true - rename: + if: ctx.destination?.as?.organization_name != null field: destination.as.organization_name target_field: destination.as.organization.name - ignore_missing: true - - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' - - remove: - field: event.original - if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" - ignore_failure: true - ignore_missing: true + 
+
+#Makes the message field a bit more informative at a glance
+ - set:
+ if: >-
+ ctx.message == 'Connection Opened' &&
+ ctx.destination?.as?.organization_name != null
+ field: message
+ value: '{{message}} to {{destination.as.organization_name}}'
+ - set:
+ if: >-
+ ctx.message == 'Connection Closed' &&
+ ctx.destination?.as?.organization_name != null
+ field: message
+ value: '{{message}} from {{destination.as.organization_name}}'
+
+
+ - script:
+ if: ctx.source?.bytes != null || ctx.destination?.bytes != null
+ source: >-
+ if (ctx.source.bytes != null && ctx.destination.bytes !=
+ null){ctx.network.bytes = ctx.source.bytes+ctx.destination.bytes} else
+ if (ctx.source.bytes != null && ctx.destination.bytes ==
+ null){ctx.network.bytes = ctx.source.bytes} else if (ctx.source.bytes ==
+ null && ctx.destination.bytes != null){ctx.network.bytes =
+ ctx.destination.bytes}
+ - script:
+ if: ctx.source?.packets != null || ctx.destination?.packets != null
+ source: >-
+ if (ctx.source.packets != null && ctx.destination.packets !=
+ null){ctx.network.packets = ctx.source.packets+ctx.destination.packets}
+ else if (ctx.source.packets != null && ctx.destination.packets ==
+ null){ctx.network.packets = ctx.source.packets} else if
+ (ctx.source.packets == null && ctx.destination.packets !=
+ null){ctx.network.packets = ctx.destination.packets}
on_failure:
- append:
field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/sonicwall/data_stream/firewall/fields/ecs.yml
index 2d3915d8619..cf24fafadf1 100644
--- a/packages/sonicwall/data_stream/firewall/fields/ecs.yml
+++ b/packages/sonicwall/data_stream/firewall/fields/ecs.yml
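Review bot: The two message-enrichment `set` processors at the end of the hunk can never fire: their condition tests `ctx.destination?.as?.organization_name`, but the `rename` processor a few lines earlier has already moved that field to `destination.as.organization.name`, so both the `if` and the `{{destination.as.organization_name}}` template need the new path. The HTTP-method script has two slips — its first branch reads `ctx.sonicwall.http_op_code` instead of `ctx.sonicwall.event.http_op_code`, so op code 0 is never matched, and the POST branch assigns `ctx.http.http_op_code` rather than `ctx.http.request.method`, leaving the empty string set just before it and adding a stray field. The `cdur` comment says the value is milliseconds, yet the script multiplies by `100000`; ECS `event.duration` is nanoseconds, so the factor should be `1000000`. The `network.bytes`/`network.packets` scripts dereference `ctx.source.bytes`, `ctx.destination.bytes` and `ctx.network` without null-safety, so a record that carries `rcvd` but no `src`/`sent`, or no `proto` (the only processor that creates `network`), throws a NullPointerException that ends up in `error.message` for the whole document. Separately, the conditional `remove` of `event.original` behind the `preserve_original_event` tag has been dropped, so every document now stores the raw line unconditionally next to the parsed fields — presumably unintended given that the `rename` to `event.original` was added at the same time.
```yaml
# … unchanged: parsing, renames and conversions up to the cdur conversion …
  - script:
    if: ctx.event?.duration != null
    source: ctx.event.duration = (ctx.event.duration * 1000000)
# … unchanged: remaining rename/convert processors and the ingest-lag script …
  - script:
    if: ctx.sonicwall?.event?.http_op_code != null
    source: >-
      def op = ctx.sonicwall.event.http_op_code;
      if (op == 0) { ctx.http.request.method = 'no operation' }
      else if (op == 1) { ctx.http.request.method = 'GET' }
      else if (op == 2) { ctx.http.request.method = 'POST' }
      else if (op == 3) { ctx.http.request.method = 'HEAD' }
# … unchanged: event.type/event.action, geoip and AS renames …
  - set:
    if: ctx.message == 'Connection Opened' && ctx.destination?.as?.organization?.name != null
    field: message
    value: '{{message}} to {{destination.as.organization.name}}'
  - set:
    if: ctx.message == 'Connection Closed' && ctx.destination?.as?.organization?.name != null
    field: message
    value: '{{message}} from {{destination.as.organization.name}}'
  - script:
    if: ctx.source?.bytes != null || ctx.destination?.bytes != null
    source: >-
      if (ctx.network == null) { ctx.network = [:] }
      long total = 0;
      if (ctx.source?.bytes != null) { total += ctx.source.bytes }
      if (ctx.destination?.bytes != null) { total += ctx.destination.bytes }
      ctx.network.bytes = total
# … same null-safe shape for the network.packets script …
```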
@@ -42,6 +42,22 @@
name: destination.subdomain
- external: ecs
name: destination.top_level_domain
+- external: ecs
+ name: destination.geo.city_name
+- external: ecs
+ name: destination.geo.continent_name
+- external: ecs
+ name: destination.geo.country_iso_code
+- external: ecs
+ name: destination.geo.country_name
+- description: Longitude and latitude.
+ level: core
+ name: destination.geo.location
+ type: geo_point
+- external: ecs
+ name: destination.geo.region_iso_code
+- external: ecs
+ name: destination.geo.region_name
- external: ecs
name: dns.answers.name
- external: ecs
@@ -130,6 +146,8 @@
name: network.packets
- external: ecs
name: network.protocol
+- external: ecs
+ name: network.transport
- external: ecs
name: observer.egress.interface.name
- external: ecs
@@ -142,6 +160,18 @@
name: observer.vendor
- external: ecs
name: observer.version
+- external: ecs
+ name: observer.egress
+- external: ecs
+ name: observer.serial_number
+- external: ecs
+ name: observer.ip
+- external: ecs
+ name: observer.hostname
+- external: ecs
+ name: observer.ingress.zone
+- external: ecs
+ name: observer.egress.zone
- external: ecs
name: process.name
- external: ecs
@@ -208,6 +238,8 @@
name: source.nat.port
- external: ecs
name: source.port
+- external: ecs
+ name: source.packets
- external: ecs
name: source.registered_domain
- external: ecs
diff --git a/packages/sonicwall/data_stream/firewall/fields/fields.yml
index ea69cd79e3c..648ba25f97a 100644
--- a/packages/sonicwall/data_stream/firewall/fields/fields.yml
+++ b/packages/sonicwall/data_stream/firewall/fields/fields.yml
@@ -1,3 +1,83 @@
+- name: ingest_lag_in_seconds
+ type: long
+- name: sonicwall
+ type: group
+ fields:
+ - name: application
+ type: group
+ fields:
+ - name: filter_id
+ type: keyword
+ - name: application_id
+ type: long
+ - name: destination
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ - name: event
+ type: group
+ fields:
+ - name: blocking_category
+ type: keyword
+ - name: url_path
+ type: keyword
+ - name: app_id
+ type: keyword
+ - name: app_name
+ type: keyword
+ - name: appcat
+ type: keyword
+ - name: application_id_number
+ type: long
+ - name: arg
+ type: keyword
+ - name: cat_id
+ type: keyword
+ - name: category
+ type: long
+ - name: category_legacy
+ type: long
+ - name: code
+ type: long
+ - name: dpi
+ type: long
+ - name: firewall_action
+ type: keyword
+ - name: group_category
+ type: long
+ - name: http_op_code
+ type: long
+ - name: icmp_type
+ type: long
+ - name: message_id
+ type: long
+ - name: note
+ type: keyword
+ - name: request_method
+ type: long
+ - name: rule
+ type: keyword
+ - name: session
+ type: keyword
+ - name: sid_number
+ type: long
+ - name: user
+ type: keyword
+ - name: vpnpolicy
+ type: keyword
+- name: ips
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ - name: severity
+ type: long
+- name: ingest_failure
+ type: group
+ fields:
+ - name: time
+ type: keyword
- name: rsa
type: group
fields:
@@ -6,7 +86,8 @@
fields:
- name: msg
type: keyword
- description: This key is used to capture the raw message that comes into the Log Decoder
+ description: >-
+ This key is used to capture the raw message that comes into the Log Decoder
- name: messageid
type: keyword
- name: event_desc
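Review bot: Several of the `sonicwall.event.*` fields declared in this hunk do not match the target names the pipeline actually writes, so indexed documents will carry undeclared fields while the declared ones stay empty. The pipeline renames `icmpCode` to `sonicwall.event.icmp_code`, `catid` to `sonicwall.event.category_id` and `vpnpolicy` to `source.vpn_policy`, whereas this hunk declares only `icmp_type`, `cat_id` and `sonicwall.event.vpnpolicy`; `app_id`, `arg`, `category_legacy`, `request_method`, `session` and `user` have no writer in the pipeline at all (`arg` is renamed to `url_path`), and `ingest_time`, which the pipeline sets, is not declared here — only `ingest_failure.time` is. Undeclared fields fall back to the template's dynamic mapping, which presumably indexes `icmp_code` and `category_id` as keyword instead of long or drops them if dynamic mapping is off; the fix is to align the names, e.g. add `- name: icmp_code` / `type: long` and `- name: category_id` / `type: long` under `sonicwall.event`, declare `ingest_time` as a `date`, and remove the entries nothing writes. `source.vpn_policy` is not an ECS field and does not appear in the ecs.yml additions visible here, so it would be cleaner to keep the `sonicwall.event.vpnpolicy` entry this hunk already defines and point the pipeline's `target_field` at it.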
@@ -16,16 +97,19 @@
description: This key captures the contents of instant messages
- name: time
type: date
- description: This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
+ description: >-
+ This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.
- name: level
type: long
description: Deprecated key defined only in table map.
- name: msg_id
type: keyword
- description: This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: msg_vid
type: keyword
- description: This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
- name: data
type: keyword
description: Deprecated key defined only in table map.
@@ -64,79 +148,102 @@
 description: Deprecated key defined only in table map.
 - name: feed_desc
 type: keyword
- description: This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: feed_name
 type: keyword
- description: This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: cid
 type: keyword
- description: This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: device_class
 type: keyword
- description: This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: device_group
 type: keyword
- description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: device_host
 type: keyword
- description: This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: device_ip
 type: ip
- description: This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: device_ipv6
 type: ip
- description: This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: device_type
 type: keyword
- description: This is the name of the log parser which parsed a given session. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: device_type_id
 type: long
 description: Deprecated key defined only in table map.
 - name: did
 type: keyword
- description: This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: entropy_req
 type: long
- description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+ description: >-
+ This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
 - name: entropy_res
 type: long
- description: This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
+ description: >-
+ This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration
 - name: event_name
 type: keyword
 description: Deprecated key defined only in table map.
 - name: feed_category
 type: keyword
- description: This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is used to capture the category of the feed. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: forward_ip
 type: ip
- description: This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
+ description: >-
+ This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness.
 - name: forward_ipv6
 type: ip
- description: This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: header_id
 type: keyword
- description: This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: lc_cid
 type: keyword
- description: This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is a unique Identifier of a Log Collector. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: lc_ctime
 type: date
- description: This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: mcb_req
 type: long
- description: This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
+ description: >-
+ This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most
 - name: mcb_res
 type: long
- description: This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
+ description: >-
+ This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most
 - name: mcbc_req
 type: long
- description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+ description: >-
+ This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
 - name: mcbc_res
 type: long
- description: This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams
+ description: >-
+ This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) 
was seen in the session streams
 - name: medium
 type: long
- description: "This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session"
+ description: >-
+ This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session
 - name: node_name
 type: keyword
 description: Deprecated key defined only in table map.
@@ -145,65 +252,82 @@
 description: This key denotes that event is endpoint related
 - name: parse_error
 type: keyword
- description: This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: payload_req
 type: long
- description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
+ description: >-
+ This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
 - name: payload_res
 type: long
- description: This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
+ description: >-
+ This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep
 - name: process_vid_dst
 type: keyword
- description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
+ description: >-
+ Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process.
 - name: process_vid_src
 type: keyword
- description: Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. 
+ description: >-
+ Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process.
 - name: rid
 type: long
- description: This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: session_split
 type: keyword
- description: This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: site
 type: keyword
 description: Deprecated key defined only in table map.
 - name: size
 type: long
- description: This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: sourcefile
 type: keyword
- description: This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
+ description: >-
+ This is the name of the log file or PCAPs that can be imported into NetWitness. 
This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness
 - name: ubc_req
 type: long
- description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
+ description: >-
+ This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
 - name: ubc_res
 type: long
- description: This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
+ description: >-
+ This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once
 - name: word
 type: keyword
- description: This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
+ description: >-
+ This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log
 - name: time
 type: group
 fields:
 - name: event_time
 type: date
- description: This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
+ description: >-
+ This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form
 - name: duration_time
 type: double
- description: This key is used to capture the normalized duration/lifetime in seconds.
+ description: >-
+ This key is used to capture the normalized duration/lifetime in seconds. 
 - name: event_time_str
 type: keyword
- description: This key is used to capture the incomplete time mentioned in a session as a string
+ description: >-
+ This key is used to capture the incomplete time mentioned in a session as a string
 - name: starttime
 type: date
- description: This key is used to capture the Start time mentioned in a session in a standard form
+ description: >-
+ This key is used to capture the Start time mentioned in a session in a standard form
 - name: month
 type: keyword
 - name: day
 type: keyword
 - name: endtime
 type: date
- description: This key is used to capture the End time mentioned in a session in a standard form
+ description: >-
+ This key is used to capture the End time mentioned in a session in a standard form
 - name: timezone
 type: keyword
 description: This key is used to capture the timezone of the Event Time
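Review bot: The `payload_req` and `payload_res` descriptions end mid-sentence (`However, in order to keep`), and rewriting them as folded scalars carries the truncation over unchanged, so the exported field reference will still show a dangling clause; either finish the sentence or cut it after `at the time of parsing.`. While these lines are being rewritten, `occured` in the `event_time` description should read `occurred`; the same kind of slip survives in rewritten lines of later hunks (`efffectively` in `rule_template`, `the the` in `checksum_dst`). This hunk starts on an earlier physical line than the one it is anchored to.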
@@ -216,18 +340,20 @@
 type: keyword
 - name: recorded_time
 type: date
- description: The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.
+ description: >-
+ The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format.
 - name: datetime
 type: keyword
 - name: effective_time
 type: date
- description: This key is the effective time referenced by an individual event in a Standard Timestamp format
+ description: >-
+ This key is the effective time referenced by an individual event in a Standard Timestamp format
 - name: expire_time
 type: date
 description: This key is the timestamp that explicitly refers to an expiration.
 - name: process_time
 type: keyword
- description: Deprecated, use duration.time
+ description: 'Deprecated, use duration.time'
 - name: hour
 type: keyword
 - name: min
@@ -259,7 +385,8 @@
 type: keyword
 - name: expire_time_str
 type: keyword
- description: This key is used to capture incomplete timestamp that explicitly refers to an expiration.
+ description: >-
+ This key is used to capture incomplete timestamp that explicitly refers to an expiration.
 - name: stamp
 type: date
 description: Deprecated key defined only in table map.
@@ -270,28 +397,33 @@
 type: keyword
 - name: result
 type: keyword
- description: This key is used to capture the outcome/result string value of an action in a session.
+ description: >-
+ This key is used to capture the outcome/result string value of an action in a session.
 - name: severity
 type: keyword
 description: This key is used to capture the severity given the session
 - name: event_type
 type: keyword
- description: This key captures the event category type as specified by the event source.
+ description: >-
+ This key captures the event category type as specified by the event source.
 - name: reference_id
 type: keyword
 description: This key is used to capture an event id from the session directly
 - name: version
 type: keyword
- description: This key captures Version of the application or OS which is generating the event.
+ description: >-
+ This key captures Version of the application or OS which is generating the event.
 - name: disposition
 type: keyword
 description: This key captures the The end state of an action.
 - name: result_code
 type: keyword
- description: This key is used to capture the outcome/result numeric value of an action in a session
+ description: >-
+ This key is used to capture the outcome/result numeric value of an action in a session
 - name: category
 type: keyword
- description: This key is used to capture the category of an event given by the vendor in the session
+ description: >-
+ This key is used to capture the category of an event given by the vendor in the session
 - name: obj_name
 type: keyword
 description: This is used to capture name of object
@@ -300,7 +432,7 @@
 description: This is used to capture type of object
 - name: event_source
 type: keyword
- description: "This key captures Source of the event that’s not a hostname"
+ description: This key captures Source of the event that’s not a hostname
 - name: log_session_id
 type: keyword
 description: This key is used to capture a sessionid from the session directly
@@ -315,52 +447,64 @@
 description: This key captures the Rule Name
 - name: context
 type: keyword
- description: This key captures Information which adds additional context to the event.
+ description: >-
+ This key captures Information which adds additional context to the event.
 - name: change_new
 type: keyword
- description: "This key is used to capture the new values of the attribute that’s changing in a session"
+ description: >-
+ This key is used to capture the new values of the attribute that’s changing in a session
 - name: space
 type: keyword
 - name: client
 type: keyword
- description: This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
+ description: >-
+ This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string.
 - name: msgIdPart1
 type: keyword
 - name: msgIdPart2
 type: keyword
 - name: change_old
 type: keyword
- description: "This key is used to capture the old value of the attribute that’s changing in a session"
+ description: >-
+ This key is used to capture the old value of the attribute that’s changing in a session
 - name: operation_id
 type: keyword
- description: An alert number or operation number. The values should be unique and non-repeating.
+ description: >-
+ An alert number or operation number. The values should be unique and non-repeating.
 - name: event_state
 type: keyword
- description: This key captures the current state of the object/item referenced within the event. Describing an on-going event.
+ description: >-
+ This key captures the current state of the object/item referenced within the event. Describing an on-going event.
 - name: group_object
 type: keyword
 description: This key captures a collection/grouping of entities. 
Specific usage
 - name: node
 type: keyword
- description: Common use case is the node name within a cluster. The cluster name is reflected by the host name.
+ description: >-
+ Common use case is the node name within a cluster. The cluster name is reflected by the host name.
 - name: rule
 type: keyword
 description: This key captures the Rule number
 - name: device_name
 type: keyword
- description: 'This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc'
+ description: >-
+ This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc
 - name: param
 type: keyword
- description: This key is the parameters passed as part of a command or application, etc.
+ description: >-
+ This key is the parameters passed as part of a command or application, etc.
 - name: change_attrib
 type: keyword
- description: "This key is used to capture the name of the attribute that’s changing in a session"
+ description: >-
+ This key is used to capture the name of the attribute that’s changing in a session
 - name: event_computer
 type: keyword
- description: This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
+ description: >-
+ This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log.
 - name: reference_id1
 type: keyword
- description: This key is for Linked ID to be used as an addition to "reference.id"
+ description: >-
+ This key is for Linked ID to be used as an addition to "reference.id"
 - name: event_log
 type: keyword
 description: This key captures the Name of the event log
@@ -380,10 +524,12 @@
 description: This key is the Serial number associated with a physical asset.
 - name: checksum
 type: keyword
- description: This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
+ description: >-
+ This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action.
 - name: event_user
 type: keyword
- description: This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
+ description: >-
+ This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log.
 - name: virusname
 type: keyword
 description: This key captures the name of the virus
@@ -395,7 +541,8 @@
 description: This key captures Group ID Number (related to the group name)
 - name: policy_id
 type: keyword
- description: This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
+ description: >-
+ This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise
 - name: vsys
 type: keyword
 description: This key captures Virtual System Name
@@ -404,16 +551,19 @@
 description: This key captures the Connection ID
 - name: reference_id2
 type: keyword
- description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
+ description: >-
+ This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play.
 - name: sensor
 type: keyword
- description: This key captures Name of the sensor. Typically used in IDS/IPS based devices
+ description: >-
+ This key captures Name of the sensor. Typically used in IDS/IPS based devices
 - name: sig_id
 type: long
 description: This key captures IDS/IPS Int Signature ID
 - name: port_name
 type: keyword
- description: 'This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).'
+ description: >-
+ This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name).
 - name: rule_group
 type: keyword
 description: This key captures the Rule group name
@@ -425,7 +575,8 @@
 description: This key captures the Value of the trigger or threshold condition.
 - name: log_session_id1
 type: keyword
- description: This key is used to capture a Linked (Related) Session ID from the session directly
+ description: >-
+ This key is used to capture a Linked (Related) Session ID from the session directly
 - name: comp_version
 type: keyword
 description: This key captures the Version level of a sub-component of a product.
@@ -434,7 +585,8 @@
 description: This key captures Version level of a signature or database content.
 - name: hardware_id
 type: keyword
- description: This key is used to capture unique identifier for a device or system (NOT a Mac address)
+ description: >-
+ This key is used to capture unique identifier for a device or system (NOT a Mac address)
 - name: risk
 type: keyword
 description: This key captures the non-numeric risk value
@@ -452,7 +604,8 @@
 description: This key is the Unique Identifier for a rule.
 - name: trigger_desc
 type: keyword
- description: This key captures the Description of the trigger or threshold condition.
+ description: >-
+ This key captures the Description of the trigger or threshold condition.
 - name: inout
 type: keyword
 - name: p_msgid
@@ -468,21 +621,25 @@
 type: keyword
 - name: listnum
 type: keyword
- description: This key is used to capture listname or listnumber, primarily for collecting access-list
+ description: >-
+ This key is used to capture listname or listnumber, primarily for collecting access-list
 - name: ntype
 type: keyword
 - name: observed_val
 type: keyword
- description: This key captures the Value observed (from the perspective of the device generating the log).
+ description: >-
+ This key captures the Value observed (from the perspective of the device generating the log).
 - name: policy_value
 type: keyword
- description: This key captures the contents of the policy. This contains details about the policy
+ description: >-
+ This key captures the contents of the policy. This contains details about the policy
 - name: pool_name
 type: keyword
 description: This key captures the name of a resource pool
 - name: rule_template
 type: keyword
- description: A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
+ description: >-
+ A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template
 - name: count
 type: keyword
 - name: number
@@ -499,7 +656,8 @@
 description: This key captures File Identification number
 - name: expected_val
 type: keyword
- description: This key captures the Value expected (from the perspective of the device generating the log).
+ description: >-
+ This key captures the Value expected (from the perspective of the device generating the log).
 - name: job_num
 type: keyword
 description: This key captures the Job Number
@@ -530,13 +688,16 @@
 type: keyword
 - name: cpu
 type: long
- description: This key is the CPU time used in the execution of the event being recorded.
+ description: >-
+ This key is the CPU time used in the execution of the event being recorded.
 - name: event_desc
 type: keyword
- description: This key is used to capture a description of an event available directly or inferred
+ description: >-
+ This key is used to capture a description of an event available directly or inferred
 - name: sig_id1
 type: long
- description: This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
+ description: >-
+ This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id
 - name: im_buddyid
 type: keyword
 - name: im_client
@@ -549,12 +710,14 @@
 type: keyword
 - name: context_subject
 type: keyword
- description: This key is to be used in an audit context where the subject is the object being identified
+ description: >-
+ This key is to be used in an audit context where the subject is the object being identified
 - name: context_target
 type: keyword
 - name: cve
 type: keyword
- description: This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
+ description: >-
+ This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities.
 - name: fcatnum
 type: keyword
 description: This key captures Filter Category Number. Legacy Usage
@@ -563,10 +726,11 @@
 description: This key is used to capture library information in mainframe devices
 - name: parent_node
 type: keyword
- description: This key captures the Parent Node Name. Must be related to node variable.
+ description: >-
+ This key captures the Parent Node Name. Must be related to node variable.
 - name: risk_info
 type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ description: 'Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)'
 - name: tcp_flags
 type: long
 description: This key is captures the TCP flags set in any packet of session
@@ -605,13 +769,15 @@
 type: keyword
 - name: alert_id
 type: keyword
- description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
+ description: 'Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)'
 - name: checksum_dst
 type: keyword
- description: This key is used to capture the checksum or hash of the the target entity such as a process or file.
+ description: >-
+ This key is used to capture the checksum or hash of the the target entity such as a process or file.
 - name: checksum_src
 type: keyword
- description: This key is used to capture the checksum or hash of the source entity such as a file or process.
+ description: >-
+ This key is used to capture the checksum or hash of the source entity such as a file or process.
 - name: fresult
 type: long
 description: This key captures the Filter Result
@@ -623,10 +789,12 @@ description: This key is used to capture source payload - name: pool_id type: keyword - description: This key captures the identifier (typically numeric field) of a resource pool + description: >- + This key captures the identifier (typically numeric field) of a resource pool - name: process_id_val type: keyword - description: This key is a failure key for Process ID when it is not an integer value + description: >- + This key is a failure key for Process ID when it is not an integer value - name: risk_num_comm type: double description: This key captures Risk Number Community @@ -641,10 +809,10 @@ description: This key captures Risk Number Static - name: risk_suspicious type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + description: 'Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)' - name: risk_warning type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) + description: 'Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)' - name: snmp_oid type: keyword description: SNMP Object Identifier 
@@ -1111,19 +1279,22 @@ description: This is used to capture the results of regex match - name: language type: keyword - description: This is used to capture list of languages the client support and what it prefers + description: >- + This is used to capture list of languages the client support and what it prefers - name: lifetime type: long description: This key is used to capture the session lifetime in seconds. - name: link type: keyword - description: This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness + description: >- + This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness - name: match type: keyword description: This key is for regex match name from search.ini - name: param_dst type: keyword - description: This key captures the command line/launch argument of the target process or file + description: >- + This key captures the command line/launch argument of the target process or file - name: param_src type: keyword description: This key captures source parameter @@ -1150,13 +1321,15 @@ description: This key is used to capture the database server instance name - name: database type: keyword - description: This key is used to capture the name of a database or an instance as seen in a session + description: >- + This key is used to capture the name of a database or an instance as seen in a session - name: transact_id type: keyword description: This key captures the SQL transantion ID of the current session - name: permissions type: keyword - description: This key captures permission or privilege level assigned to a resource. + description: >- + This key captures permission or privilege level assigned to a resource. - name: table_name type: keyword description: This key is used to capture the table name 
@@ -1165,7 +1338,8 @@ description: This key is used to capture the unique identifier for a database - name: db_pid type: long - description: This key captures the process id of a connection with database server + description: >- + This key captures the process id of a connection with database server - name: lread type: long description: This key is used for the number of logical reads 
@@ -1180,42 +1354,46 @@ fields: - name: alias_host type: keyword - description: This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. + description: >- + This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. - name: domain type: keyword - name: host_dst type: keyword - description: "This key should only be used when it’s a Destination Hostname" + description: This key should only be used when it’s a Destination Hostname - name: network_service type: keyword description: This is used to capture layer 7 protocols/service names - name: interface type: keyword - description: This key should be used when the source or destination context of an interface is not clear + description: >- + This key should be used when the source or destination context of an interface is not clear - name: network_port type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' + description: >- + Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) 
- name: eth_host type: keyword - description: Deprecated, use alias.mac + description: 'Deprecated, use alias.mac' - name: sinterface type: keyword - description: "This key should only be used when it’s a Source Interface" + description: This key should only be used when it’s a Source Interface - name: dinterface type: keyword - description: "This key should only be used when it’s a Destination Interface" + description: This key should only be used when it’s a Destination Interface - name: vlan type: long description: This key should only be used to capture the ID of the Virtual LAN - name: zone_src type: keyword - description: "This key should only be used when it’s a Source Zone." + description: This key should only be used when it’s a Source Zone. - name: zone type: keyword - description: This key should be used when the source or destination context of a Zone is not clear + description: >- + This key should be used when the source or destination context of a Zone is not clear - name: zone_dst type: keyword - description: "This key should only be used when it’s a Destination Zone." + description: This key should only be used when it’s a Destination Zone. - name: gateway type: keyword description: This key is used to capture the IP Address of the gateway 
@@ -1236,13 +1414,15 @@ description: This key is used for Destionation Device network mask - name: port type: long - description: This key should only be used to capture a Network Port when the directionality is not clear + description: >- + This key should only be used to capture a Network Port when the directionality is not clear - name: smask type: keyword description: This key is used for capturing source Network Mask - name: netname type: keyword - description: This key is used to capture the network name associated with an IP range. This is configured by the end user. + description: >- + This key is used to capture the network name associated with an IP range. This is configured by the end user. - name: paddr type: ip description: Deprecated @@ -1272,13 +1452,15 @@ type: keyword - name: ad_computer_dst type: keyword - description: Deprecated, use host.dst + description: 'Deprecated, use host.dst' - name: eth_type type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only + description: >- + This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only - name: ip_proto type: long - description: This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI + description: >- + This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI - name: dns_cname_record type: keyword - name: dns_id 
@@ -1297,10 +1479,12 @@ type: keyword - name: host_orig type: keyword - description: This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. + description: >- + This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. - name: rpayload type: keyword - description: This key is used to capture the total number of payload bytes seen in the retransmitted packets. + description: >- + This key is used to capture the total number of payload bytes seen in the retransmitted packets. - name: vlan_name type: keyword description: This key should only be used to capture the name of the Virtual LAN 
@@ -1309,34 +1493,39 @@ fields: - name: ec_activity type: keyword - description: This key captures the particular event activity(Ex:Logoff) + description: 'This key captures the particular event activity(Ex:Logoff)' - name: ec_theme type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) + description: 'This key captures the Theme of a particular Event(Ex:Authentication)' - name: ec_subject type: keyword - description: This key captures the Subject of a particular Event(Ex:User) + description: 'This key captures the Subject of a particular Event(Ex:User)' - name: ec_outcome type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) + description: 'This key captures the outcome of a particular Event(Ex:Success)' - name: event_cat type: long description: This key captures the Event category number - name: event_cat_name type: keyword - description: This key captures the event category name corresponding to the event cat code + description: >- + This key captures the event category name corresponding to the event cat code - name: event_vcat type: keyword - description: This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. + description: >- + This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. - name: analysis_file type: keyword - description: This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file + description: >- + This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file - name: analysis_service type: keyword - description: This is used to capture all indicators used in a Service Analysis. 
This key should be used to capture an analysis of a service + description: >- + This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service - name: analysis_session type: keyword - description: This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session + description: >- + This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session - name: boc type: keyword description: This is used to capture behaviour of compromise 
@@ -1357,43 +1546,55 @@ fields: - name: dclass_c1 type: long - description: This is a generic counter key that should be used with the label dclass.c1.str only + description: >- + This is a generic counter key that should be used with the label dclass.c1.str only - name: dclass_c2 type: long - description: This is a generic counter key that should be used with the label dclass.c2.str only + description: >- + This is a generic counter key that should be used with the label dclass.c2.str only - name: event_counter type: long description: This is used to capture the number of times an event repeated - name: dclass_r1 type: keyword - description: This is a generic ratio key that should be used with the label dclass.r1.str only + description: >- + This is a generic ratio key that should be used with the label dclass.r1.str only - name: dclass_c3 type: long - description: This is a generic counter key that should be used with the label dclass.c3.str only + description: >- + This is a generic counter key that should be used with the label dclass.c3.str only - name: dclass_c1_str type: keyword - description: This is a generic counter string key that should be used with the label dclass.c1 only + description: >- + This is a generic counter string key that should be used with the label dclass.c1 only - name: dclass_c2_str type: keyword - description: This is a generic counter string key that should be used with the label dclass.c2 only + description: >- + This is a generic counter string key that should be used with the label dclass.c2 only - name: dclass_r1_str type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r1 only + description: >- + This is a generic ratio string key that should be used with the label dclass.r1 only - name: dclass_r2 type: keyword - description: This is a generic ratio key that should be used with the label dclass.r2.str only + description: >- + This is a generic ratio key that should be used with 
the label dclass.r2.str only - name: dclass_c3_str type: keyword - description: This is a generic counter string key that should be used with the label dclass.c3 only + description: >- + This is a generic counter string key that should be used with the label dclass.c3 only - name: dclass_r3 type: keyword - description: This is a generic ratio key that should be used with the label dclass.r3.str only + description: >- + This is a generic ratio key that should be used with the label dclass.r3.str only - name: dclass_r2_str type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r2 only + description: >- + This is a generic ratio string key that should be used with the label dclass.r2 only - name: dclass_r3_str type: keyword - description: This is a generic ratio string key that should be used with the label dclass.r3 only + description: >- + This is a generic ratio string key that should be used with the label dclass.r3 only - name: identity type: group fields: @@ -1414,7 +1615,8 @@ description: This key is used to capture the user profile - name: accesses type: keyword - description: This key is used to capture actual privileges used in accessing an object + description: >- + This key is used to capture actual privileges used in accessing an object - name: realm type: keyword description: Radius realm or similar grouping of accounts 
@@ -1423,19 +1625,23 @@ description: This key captures Destination User Session ID - name: dn_src type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn + description: >- + An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn - name: org type: keyword description: This key captures the User organization - name: dn_dst type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn + description: >- + An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn - name: firstname type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + description: >- + This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: lastname type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + description: >- + This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: user_dept type: keyword description: User's Department Names only 
@@ -1444,25 +1650,31 @@ description: This key captures Source User Session ID - name: federated_sp type: keyword - description: This key is the Federated Service Provider. This is the application requesting authentication. + description: >- + This key is the Federated Service Provider. This is the application requesting authentication. - name: federated_idp type: keyword - description: This key is the federated Identity Provider. This is the server providing the authentication. + description: >- + This key is the federated Identity Provider. This is the server providing the authentication. - name: logon_type_desc type: keyword - description: This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. + description: >- + This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. - name: middlename type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + description: >- + This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: password type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted + description: >- + This key is for Passwords seen in any session, plain text or encrypted - name: host_role type: keyword description: This key should only be used to capture the role of a Host Machine - name: ldap type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context" + description: >- + This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context - name: ldap_query type: keyword description: This key is the Search criteria from an LDAP search 
@@ -1471,25 +1683,30 @@ description: This key is to capture Results from an LDAP search - name: owner type: keyword - description: This is used to capture username the process or service is running as, the author of the task + description: >- + This is used to capture username the process or service is running as, the author of the task - name: service_account type: keyword - description: This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage + description: >- + This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage - name: email type: group fields: - name: email_dst type: keyword - description: This key is used to capture the Destination email address only, when the destination context is not clear use email + description: >- + This key is used to capture the Destination email address only, when the destination context is not clear use email - name: email_src type: keyword - description: This key is used to capture the source email address only, when the source context is not clear use email + description: >- + This key is used to capture the source email address only, when the source context is not clear use email - name: subject type: keyword description: This key is used to capture the subject string from an Email only. - name: email type: keyword - description: This key is used to capture a generic email address where the source or destination context is not clear + description: >- + This key is used to capture a generic email address where the source or destination context is not clear - name: trans_from type: keyword description: Deprecated key defined only in table map. 
@@ -1501,7 +1718,7 @@ fields: - name: privilege type: keyword - description: Deprecated, use permissions + description: 'Deprecated, use permissions' - name: attachment type: keyword description: This key captures the attachment file name @@ -1515,15 +1732,18 @@ description: This is used to capture name of the file targeted by the action - name: filename_src type: keyword - description: This is used to capture name of the parent filename, the file which performed the action + description: >- + This is used to capture name of the parent filename, the file which performed the action - name: filename_tmp type: keyword - name: directory_dst type: keyword - description: This key is used to capture the directory of the target process or file + description: >- + This key is used to capture the directory of the target process or file - name: directory_src type: keyword - description: This key is used to capture the directory of the source process or file + description: >- + This key is used to capture the directory of the source process or file - name: file_entropy type: double description: This is used to capture entropy vale of a file @@ -1588,10 +1808,12 @@ fields: - name: threat_category type: keyword - description: This key captures Threat Name/Threat Category/Categorization of alert + description: >- + This key captures Threat Name/Threat Category/Categorization of alert - name: threat_desc type: keyword - description: This key is used to capture the threat description from the session directly or inferred + description: >- + This key is used to capture the threat description from the session directly or inferred - name: alert type: keyword description: This key is used to capture name of the alert 
@@ -1603,7 +1825,8 @@ fields: - name: crypto type: keyword - description: This key is used to capture the Encryption Type or Encryption Key only + description: >- + This key is used to capture the Encryption Type or Encryption Key only - name: cipher_src type: keyword description: This key is for Source (Client) Cipher @@ -1624,7 +1847,7 @@ description: This key captures the Encryption scheme used - name: peer_id type: keyword - description: "This key is for Encryption peer’s identity" + description: This key is for Encryption peer’s identity - name: sig_type type: keyword description: This key captures the Signature Type @@ -1644,17 +1867,17 @@ description: This key captures Destination (Server) Cipher Size - name: ssl_ver_src type: keyword - description: Deprecated, use version + description: 'Deprecated, use version' - name: d_certauth type: keyword - name: s_certauth type: keyword - name: ike_cookie1 type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase One" + description: ID of the negotiation — sent for ISAKMP Phase One - name: ike_cookie2 type: keyword - description: "ID of the negotiation — sent for ISAKMP Phase Two" + description: ID of the negotiation — sent for ISAKMP Phase Two - name: cert_checksum type: keyword - name: cert_host_cat @@ -1668,7 +1891,7 @@ description: This key captures Certificate validation status - name: ssl_ver_dst type: keyword - description: Deprecated, use version + description: 'Deprecated, use version' - name: cert_keysize type: keyword - name: cert_username @@ -1703,7 +1926,8 @@ fields: - name: disk_volume type: keyword - description: A unique name assigned to logical units (volumes) within a physical disk + description: >- + A unique name assigned to logical units (volumes) within a physical disk - name: lun type: keyword description: Logical Unit Number.This key is a very useful concept in Storage. 
@@ -1715,31 +1939,37 @@ fields: - name: org_dst type: keyword - description: This is used to capture the destination organization based on the GEOPIP Maxmind database. + description: >- + This is used to capture the destination organization based on the GEOPIP Maxmind database. - name: org_src type: keyword - description: This is used to capture the source organization based on the GEOPIP Maxmind database. + description: >- + This is used to capture the source organization based on the GEOPIP Maxmind database. - name: healthcare type: group fields: - name: patient_fname type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly to capture Patients information + description: >- + This key is for First Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_id type: keyword description: This key captures the unique ID for a patient - name: patient_lname type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information + description: >- + This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information - name: patient_mname type: keyword - description: This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information + description: >- + This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information - name: endpoint type: group fields: - name: host_state type: keyword - description: This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on + description: >- + This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on - name: registry_key type: keyword description: This key captures the path to the registry key 
@@ -1752,3 +1982,30 @@
description: Server domain.
- name: network.interface.name
type: keyword
+- name: source
+ type: group
+ fields:
+ - name: zone
+ type: keyword
+ - name: vpn_policy
+ type: keyword
+- name: destination
+ type: group
+ fields:
+ - name: zone
+ type: keyword
+- name: observer
+ type: group
+ fields:
+ - name: egress
+ type: group
+ fields:
+ - name: ip
+ type: ip
+ - name: ingress
+ type: group
+ fields:
+ - name: ip
+ type: ip
+- name: ingest_time
+ type: date
diff --git a/packages/sonicwall/docs/README.md b/packages/sonicwall/docs/README.md
index 74ebf1c91be..5abc52855ec 100644
--- a/packages/sonicwall/docs/README.md
+++ b/packages/sonicwall/docs/README.md
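Review bot: None of the six fields added in this hunk (`source.zone`, `source.vpn_policy`, `destination.zone`, `observer.egress.ip`, `observer.ingress.ip`, `ingest_time`) carries a `description`, unlike every other definition in this file, so they render with an empty description column in the generated field table; add one per field naming the vendor log attribute it is populated from, and for `ingest_time` state that it is the pipeline ingest timestamp rather than the event time, so it is not confused with `@timestamp`. `source.zone`, `destination.zone`, `observer.egress.ip` and `observer.ingress.ip` are custom fields placed under ECS namespaces; since ECS already defines `observer.ingress.zone` and `observer.egress.zone`, it is worth documenting why a separate source/destination zone is needed, or keeping vendor-specific values under the package's `sonicwall.*` namespace (where `vpnpolicy` appears to live already), so that a future ECS field of the same name does not collide with a differently typed custom one. The README hunks later in this diff are generated output and need no separate change.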
@@ -27,8 +27,12 @@ The `firewall` dataset collects Sonicwall-FW logs. | destination.bytes | Bytes sent from the destination to the source. | long | | destination.domain | The domain name of the destination system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | | destination.geo.country_name | Country name. | keyword | | destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | | destination.ip | IP address of the destination (IPv4 or IPv6). | ip | | destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | destination.nat.ip | Translated ip of destination based NAT sessions (e.g. internet to private DMZ) Typically used with load balancers, firewalls, or routers. | ip | 
@@ -37,6 +41,7 @@ The `firewall` dataset collects Sonicwall-FW logs. | destination.registered_domain | The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | | destination.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | | destination.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| destination.zone | | keyword | | dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword | | dns.answers.type | The type of data contained in this resource record. | keyword | | dns.question.domain | Server domain. | keyword | 
@@ -73,7 +78,12 @@ The `firewall` dataset collects Sonicwall-FW logs. | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | | http.request.referrer | Referrer for this HTTP request. | keyword | +| ingest_failure.time | | keyword | +| ingest_lag_in_seconds | | long | +| ingest_time | | date | | input.type | Type of Filebeat input. | keyword | +| ips.category | | keyword | +| ips.severity | | long | | log.file.path | Full path to the log file this event came from. | keyword | | log.flags | Flags for the log file. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | 
@@ -90,9 +100,18 @@ The `firewall` dataset collects Sonicwall-FW logs. | network.interface.name | | keyword | | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| observer.egress | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object | | observer.egress.interface.name | Interface name as reported by the system. | keyword | +| observer.egress.ip | | ip | +| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.hostname | Hostname of the observer. | keyword | | observer.ingress.interface.name | Interface name as reported by the system. | keyword | +| observer.ingress.ip | | ip | +| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword | +| observer.ip | IP addresses of the observer. | ip | | observer.product | The product name of the observer. | keyword | +| observer.serial_number | Observer serial number. | keyword | | observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. 
Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword | | observer.vendor | Vendor name of the observer. | keyword | | observer.version | Observer version. | keyword | 
@@ -783,6 +802,33 @@ The `firewall` dataset collects Sonicwall-FW logs.
 | server.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
 | server.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
 | service.name | Name of the service data is collected from. The name of the service is normally user given. This allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the `service.name` could contain the cluster name. For Beats the `service.name` is by default a copy of the `service.type` field if no name is specified. 
| keyword |
+| sonicwall.application.application_id | | long |
+| sonicwall.application.filter_id | | keyword |
+| sonicwall.destination.name | | keyword |
+| sonicwall.event.app_id | | keyword |
+| sonicwall.event.app_name | | keyword |
+| sonicwall.event.appcat | | keyword |
+| sonicwall.event.application_id_number | | long |
+| sonicwall.event.arg | | keyword |
+| sonicwall.event.blocking_category | | keyword |
+| sonicwall.event.cat_id | | keyword |
+| sonicwall.event.category | | long |
+| sonicwall.event.category_legacy | | long |
+| sonicwall.event.code | | long |
+| sonicwall.event.dpi | | long |
+| sonicwall.event.firewall_action | | keyword |
+| sonicwall.event.group_category | | long |
+| sonicwall.event.http_op_code | | long |
+| sonicwall.event.icmp_type | | long |
+| sonicwall.event.message_id | | long |
+| sonicwall.event.note | | keyword |
+| sonicwall.event.request_method | | long |
+| sonicwall.event.rule | | keyword |
+| sonicwall.event.session | | keyword |
+| sonicwall.event.sid_number | | long |
+| sonicwall.event.url_path | | keyword |
+| sonicwall.event.user | | keyword |
+| sonicwall.vpnpolicy | | keyword |
 | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
 | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
 | source.as.organization.name | Organization name. | keyword |
@@ -799,10 +845,13 @@ The `firewall` dataset collects Sonicwall-FW logs.
 | source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip |
 | source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long |
+| source.packets | Packets sent from the source to the destination. | long |
 | source.port | Port of the source. | long |
 | source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
 | source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword |
+| source.vpn_policy | | keyword |
+| source.zone | | keyword |
 | tags | List of keywords used to tag each event. | keyword |
 | url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
 | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |