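# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plug-in for Juniper/NetScreen firewall traffic logs.
# Two on-disk variants are handled by the single "parse" filter below:
#   1. the tabular "Traffic Log for Policy:" export (one entry per line,
#      whitespace-separated columns, duration written as "<n> sec");
#   2. the syslog-style "...(traffic): key=value key="quoted value" ..." records.

net_screen_traffic_log = {

  plugin_version = "1.1.3"

  # 0000-00-00 : 1.0 : gas : current plug-in
  # 2007-10-23 : 1.1 : gas : added support for more fields
  #            :     :     : added new regex auto-detect
  #            :     :     : renamed some field to work with both variants of this log
  # 2010-09-24 - 1.1.1 - KBB - Added backslashes to autodetect regular expression so "traffic" won't be matched.
  # 2010-10-01 - 1.1.2 - MSG - Edited info lines.
  # 2011-07-07 - 1.0.1 - MSG - Edited info lines (again).
  #            NOTE(review): "1.0.1" above is out of sequence (plugin_version was already 1.1.2 at that
  #            point). Left as history; the next entry continues from 1.1.2.
  # (unreleased) - 1.1.3 - review - key=value loop now always consumes input, so an unparsable
  #            remainder can no longer hang the parser; a quoted value at end of line is parsed;
  #            doubled "$$" anchor in the "VDO Live (tcp)" expression reduced to "$"; the duration
  #            numerical field is declared the same way as sent/rcvd.

  info.1.manufacturer = "NetScreen"
  info.1.device = "NetScreen Traffic"
  info.1.version.1 = "SSG520" # firmware 5.4.0r2.0
  info.2.manufacturer = "Juniper Networks"
  info.2.device = "NetScreen Traffic"
  info.2.version.1 = "SSG520" # firmware 5.4.0r2.0

  # The name of the log format
  log.format.format_label = "Juniper Networks NetScreen Traffic Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # "(traffic)" is matched with escaped parentheses so the bare word "traffic" is not enough
  # to claim a file (see 1.1.1 above).
  log.format.autodetect_expression = `matches_regular_expression(volatile.log_data_line, 'Traffic Log for Policy:') or matches_regular_expression(volatile.log_data_line, '\\(traffic\\)')`

  # Use parsing filters (the "parse" filter below does all field extraction)
  log.format.parse_only_with_filters = "true"

  # The format of dates and times in this log
  log.format.date_format = "yyyy/mm/dd"
  log.format.time_format = "hh:mm:ss"

  # Log fields. Variant 1 fills these from fixed columns; variant 2 fills whichever of them
  # appear as key=value pairs (spaces in the key are turned into "_", so "src zone" -> src_zone).
  log.fields = {
    date.type = "date"
    time.type = "time"
    action = ""
    src.type = "host"
    translated_ip = ""
    dst = ""
    src_port = ""
    port = ""
    dst_port = ""
    duration = ""
    sent.type = "size"
    rcvd.type = "size"
    application = ""
    dst_zone = ""
    icmp_type = ""
    policy_id = ""
    proto = ""
    service = ""
    start_time = ""
    src_zone = ""
  } # log.fields

  #
  # Log Parsing Filters
  log.parsing_filters = {
    parse = {
      label = "parse"
      comment = ""
      value = `
# ---- Variant 1: tabular "Traffic Log for Policy:" export ----------------------------
#   <date> <time> <action> <src[:port]>[->xlt:port->dst:port] <duration> sec [<sent> <rcvd>] <application>
# $4 is everything from the first non-space after the action up to and including " sec";
# $5 is the rest of the line (byte counts and application name).
if (matches_regular_expression(current_log_line(), '^([0-9-]*) ([0-9:]*) ([^ ]*)[ ]*([^ ].* sec)(.*)$')) then (
  set_collected_field('', 'date', $1);
  set_collected_field('', 'time', $2);
  set_collected_field('', 'action', $3);
  volatile.src_dest_duration = $4;
  volatile.remainder = $5;

  # src->dst without ports
  if (matches_regular_expression(volatile.src_dest_duration, '^([0-9.]*)->([0-9.]*)[ ]*([0-9]*) sec$')) then (
    set_collected_field('', 'src', $1);
    set_collected_field('', 'dst', $2);
    set_collected_field('', 'duration', $3);
  )
  # src:port->translated:port->dst:port
  else if (matches_regular_expression(volatile.src_dest_duration, '^([0-9.]*):([0-9]+)->([0-9.]*):([0-9]+)->([0-9.]+):([0-9]+)[ ]*([0-9]*) sec$')) then (
    set_collected_field('', 'src', $1);
    set_collected_field('', 'src_port', $2);
    set_collected_field('', 'translated_ip', $3);
    set_collected_field('', 'port', $4);
    set_collected_field('', 'dst', $5);
    set_collected_field('', 'dst_port', $6);
    set_collected_field('', 'duration', $7);
  )
  # same three address:port tuples, separated by whitespace instead of "->"
  else if (matches_regular_expression(volatile.src_dest_duration, '^([0-9.]*):([0-9]+)[ ]+([0-9.]*):([0-9]+)[ ]+([0-9.]+):([0-9]+)[ ]*([0-9]*) sec$')) then (
    set_collected_field('', 'src', $1);
    set_collected_field('', 'src_port', $2);
    set_collected_field('', 'translated_ip', $3);
    set_collected_field('', 'port', $4);
    set_collected_field('', 'dst', $5);
    set_collected_field('', 'dst_port', $6);
    set_collected_field('', 'duration', $7);
  )
  # Handle lines where xlt src and xlt dest exist but are empty. If this runs up against future
  # compatibility issues with other situations where two values are present (but different values),
  # note that xltsrc+xltdst appears as 45+ spaces.
  else if (matches_regular_expression(volatile.src_dest_duration, '^([0-9.]*):([0-9]+)[ ]+([0-9.]*):([0-9]+)[ ]+([0-9]*) sec$')) then (
    set_collected_field('', 'src', $1);
    set_collected_field('', 'src_port', $2);
    set_collected_field('', 'dst', $3);
    set_collected_field('', 'dst_port', $4);
    set_collected_field('', 'duration', $5);
  );
  # If none of the four shapes matched, src/dst/duration are simply left unset for this entry.

  # Rest of the line: "<sent> <rcvd> <APPLICATION>" or just "<APPLICATION>"
  if (matches_regular_expression(volatile.remainder, '^[ ]+([0-9]+)[ ]+([0-9]+) ([A-Z0-9 ]+)$')) then (
    set_collected_field('', 'sent', $1);
    set_collected_field('', 'rcvd', $2);
    set_collected_field('', 'application', $3);
  )
  else if (matches_regular_expression(volatile.remainder, '^[ ]+([A-Z0-9 ]+)$')) then
    set_collected_field('', 'application', $1);
  accept_collected_entry('', false);
)

# ---- Variant 2: syslog-style key=value records (plugin_version 1.1) -----------------
## matches lines like:
# [00001] 2007-10-05 11:51:11 [Root]system-notification-00257(traffic): start_time="2007-10-05 11:51:11"
# duration=0 policy_id=36 service=tcp/port:2842 proto=6 src zone=Trust dst zone=Untrust action=Deny sent=0
# rcvd=0 src=123.123.23.133 dst=123.23.123.23 src_port=47093 dst_port=2842
#
# "[^:]+: " swallows the "[Root]system-notification-00257(traffic):" prefix; $3 is the key=value tail.
else if (matches_regular_expression(current_log_line(), '^\\[[0-9]+\\] ([0-9-]+) ([0-9:]+) [^:]+: (.*)$')) then (
  set_collected_field('', 'date', $1);
  set_collected_field('', 'time', $2);
  v.remainder = $3;
  # Peel one key=value pair per iteration. Every branch MUST shorten v.remainder; the loop
  # only terminates when it is empty.
  # NOTE(review): the collected field NAME is taken from the log line itself (replace_all($1, ...)),
  # so anything that can write a line into this log chooses which field gets set. Only names declared
  # in log.fields above are meaningful; what Sawmill does with an undeclared name (ignore vs. abort
  # the parse) is not established here - confirm before relying on this for untrusted sources.
  while (v.remainder ne '') (
    # key="quoted value" followed by more pairs
    if (matches_regular_expression(v.remainder, '^([^=]+)=\\"([^"]+)\\" (.*)$')) then (
      set_collected_field('', replace_all($1, ' ', '_'), $2);
      v.remainder = $3;
    )
    # key="quoted value" as the last pair on the line (previously fell through to the bare-value
    # branch, which split the quoted string and then could not consume what was left)
    else if (matches_regular_expression(v.remainder, '^([^=]+)=\\"([^"]+)\\"$')) then (
      set_collected_field('', replace_all($1, ' ', '_'), $2);
      v.remainder = '';
    )
    # the one known unquoted value containing spaces
    else if (matches_regular_expression(v.remainder, '^([^=]+)=(VDO Live \\(tcp\\)) (.*)$')) then (
      set_collected_field('', replace_all($1, ' ', '_'), $2);
      v.remainder = $3;
    )
    # key=value followed by more pairs
    else if (matches_regular_expression(v.remainder, '^([^=]+)=([^ ]+) (.*)$')) then (
      set_collected_field('', replace_all($1, ' ', '_'), $2);
      v.remainder = $3;
    )
    # key=value as the last pair on the line
    else if (matches_regular_expression(v.remainder, '^([^=]+)=([^ ]+)$')) then (
      set_collected_field('', replace_all($1, ' ', '_'), $2);
      v.remainder = '';
    )
    # Nothing above consumed any input (e.g. a trailing token with no "="). Without this branch
    # v.remainder would never change and the loop would spin forever - a parser hang that any
    # source able to get a line into this log could trigger. Discard the unparsable tail instead.
    else (
      v.remainder = '';
    );
  );
  accept_collected_entry('', false);
);
`
    } # parse
  } # log.parsing_filters

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    action = ""
    location = ""
    proto = ""
    policy_id = ""
    service = ""
    src = ""
    src_port = ""
    src_zone = ""
    dst = ""
    dst_port = ""
    dst_zone = ""
    translated_ip = ""
    port = ""
    application = ""
    start_time = ""
    icmp_type = ""
  } # database.fields

  # Log Filters
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    accesses = {
      label = "$lang_stats.field_labels.accesses"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # accesses
    visitors = {
      label = "$lang_stats.field_labels.visitors"
      default = false
      requires_log_field = true
      log_field = "src"
      type = "unique"
      display_format_type = "integer"
    } # visitors
    duration = {
      # Declared the same way as sent/rcvd: explicit log_field, quoted values. The original
      # omitted log_field and left the values unquoted; the explicit form removes any dependence
      # on Sawmill's defaulting of log_field to the field name.
      label = "$lang_stats.field_labels.duration"
      default = false
      log_field = "duration"
      requires_log_field = true
      type = "int"
      display_format_type = "duration"
    } # duration
    sent = {
      label = "$lang_stats.field_labels.sent"
      default = false
      log_field = "sent"
      requires_log_field = true
      type = "float"
      display_format_type = "bandwidth"
    } # sent
    rcvd = {
      label = "$lang_stats.field_labels.rcvd"
      default = false
      log_field = "rcvd"
      requires_log_field = true
      type = "float"
      display_format_type = "bandwidth"
    } # rcvd
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # net_screen_traffic_log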