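# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for SonicWall (and 3COM) firewall syslog output.
# Every field below is extracted from the device's own log line, so the values
# are only as trustworthy as the device and the syslog path that delivered
# them; the regular expressions in the parsing filter are the only validation
# applied before the values reach the database and the reports.

sonic_wall = {

  # NOTE(review): plugin_version is assigned twice in this group (here and again
  # after the 2006-2008 change history below). Which assignment takes effect is
  # decided by the config parser; both are kept so neither history is lost.
  plugin_version = "1.0.1"
  # Initial creation - 1.0
  # 2011-07-19 - 1.0.1 - MSG - Edited info lines.

  info.1.manufacturer = "SonicWall"
  info.1.device = "SonicWall or 3COM Firewall"
  info.1.version.1 = ""

  plugin_version = "1.2"
  # 2006-10-24 - 1.0beta - KBB - based on sonic_wall.cfg - syntax updated, security group added
  # 2007-09-14 - 1.0 - KBB - renumbered per new beta policy and renamed from beta_sonic_wall.cfg
  # 2008-03-05 - 1.1 - KBB - Added support for another format for dst field.
  # 2008-04-25 - 1.2 - gas - added support for usr field
  # 2008-09-11 - 1.2.1 - GMF - Fixed a bug which would cause an error about empty node name when ipspri was empty.

  # The name of the log format
  log.format.format_label = "SonicWall or 3COM Firewall"

  # The lines carry a syslog header. logging_device and syslog_priority, which
  # the report groups below refer to, are not declared in this file and are
  # presumably supplied by the syslog layer -- confirm against the Sawmill docs.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  log.format.autodetect_regular_expression = "id=.*sn=.*fw="

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  # Names match the key=value pairs emitted by the device. src/dst are split
  # into *_host, *_port and *_network by the parsing filter; event_type and the
  # detection_*/virus_action/ssid/channel fields are derived from msg/dstname.
  log.fields = {
    id = ""
    sn = ""
    fw = ""
    pri = ""
    c = ""
    m = ""
    n = ""
    src.type = "host"
    src_host = ""
    src_port = ""
    src_network = ""
    dst = ""
    dstname = ""
    dst_host = ""
    dst_port = ""
    dst_network = ""
    proto = ""
    msg = ""
    code = ""
    sent.type = "size"
    rcvd.type = "size"
    url.type = "page"
    arg = ""
    devicetime = ""
    ipscat = ""
    ipspri = ""
    sid = ""
    ssid = ""
    channel = ""
    event_type = ""
    detection_device = ""
    detection_reason = ""
    virus_action = ""
    usr = ""
  } # log.fields

  # Log Parsing Filters
  # Runs once per log line: collects the key=value tail into fields, then
  # normalises the device timestamp, splits src/dst, and classifies the
  # security-relevant messages (anti-virus, IPS, rogue access point).
  log.parsing_filters.parse = `
    v.line = current_log_line();

    # Everything from "id=" to the end of the line is a space-separated list of
    # key=value pairs. The device's time= pair is collected under the name
    # devicetime (fifth argument) and split into date/time below.
    if (matches_regular_expression(v.line, '(id=.*$)')) then (
      collect_listed_fields('', $1, ' ', '=', 'time=devicetime');
    );

    #2006-09-19 11:25:02 Local0.Alert 192.168.199.199 id=firewall sn=0006B1131E7A time="2006-09-19 11:26:43" fw=199.199.199.199 pri=1 c=32 m=608 msg="IPS Detection Alert: ICMP Destination Unreachable (Port Unreachable)" sid=310 ipscat=ICMP ipspri=3 n=17484 src=199.199.199.198:33171:X1 dst=199.199.199.197:53:X0
    #May 5 13:30:08 192.168.199.199 id=firewall sn=00301E05289E time="2006-05-05 13: 30:07" fw=199.199.199.199 pri=6 c=1024 m=97 n=111466 src=192.168.199.199:63808:LAN dst=199.199.199.198:80:WAN proto=tcp/http op=GET rcvd=26556 result=200 dstname=eur.a1.yimg.com arg=/java.europe.yahoo.com/eu/any/728x90queuingfixed1.sw...

    # Date/time come from devicetime. A blank line clears both; otherwise the
    # layout is "YYYY-MM-DD HH:MM:SS" or the broken "YYYY-MM-DD HH: MM:SS" seen
    # in the second sample above, whose two halves are glued back together.
    if (matches_regular_expression(v.line, '^ *$')) then (
      set_collected_field('', 'date', '');
      set_collected_field('', 'time', '');
    );
    else if (matches_regular_expression(get_collected_field('', 'devicetime'), '^([0-9-]{10}) ([0-9:]{8})')) then (
      set_collected_field('', 'date', $1);
      set_collected_field('', 'time', $2);
    );
    else if (matches_regular_expression(get_collected_field('', 'devicetime'), '^([0-9-]{10}) ([0-9][0-9]:) ([0-9][0-9]:[0-9][0-9])')) then (
      set_collected_field('', 'date', $1);
      set_collected_field('', 'time', $2 . $3);
    );

    # src is either "ip (host) :port:interface" or "ip:port:interface";
    # split into src / src_host / src_port / src_network.
    if (matches_regular_expression(get_collected_field('', 'src'), '([0-9.]*) \\\\(([A-Za-z0-9.]*)\\\\) :([0-9]*):([A-Za-z0-9]*)')) then (
      set_collected_field('', 'src', $1);
      set_collected_field('', 'src_host', $2);
      set_collected_field('', 'src_port', $3);
      set_collected_field('', 'src_network', $4);
    );
    else if (matches_regular_expression(get_collected_field('', 'src'), '([^:]*):([0-9]*):([A-Za-z0-9]*)')) then (
      set_collected_field('', 'src', $1);
      set_collected_field('', 'src_port', $2);
      set_collected_field('', 'src_network', $3);
    );

    # dst has the same two layouts as src, plus (since 1.1) a four-part
    # "ip:port:interface:host" form shown in the 2007-11-27 sample.
    if (matches_regular_expression(get_collected_field('', 'dst'), '([0-9.]*) \\\\(([A-Za-z0-9.]*)\\\\) :([0-9]*):([A-Za-z0-9]*)')) then (
      set_collected_field('', 'dst', $1);
      set_collected_field('', 'dst_host', $2);
      set_collected_field('', 'dst_port', $3);
      set_collected_field('', 'dst_network', $4);
    );
    #2007-11-27 00:00:17 System4.Info 192.168.33.33 id=firewall sn=0006B13924A8 time="2007-11-27 00:02:53" fw=128.233.233.133 pri=6 c=1024 m=537 msg="Connection Closed" n=699221 src=192.168.33.233:1450:X0:CWTSYSLOG1 dst=193.183.223.233:25:X1:smtp.niceview.net proto=tcp/smtp sent=1242 rcvd=635
    else if (matches_regular_expression(get_collected_field('', 'dst'), '([^:]*):([0-9]*):([A-Za-z0-9]*):([^:]+)')) then (
      set_collected_field('', 'dst', $1);
      set_collected_field('', 'dst_port', $2);
      set_collected_field('', 'dst_network', $3);
      set_collected_field('', 'dst_host', $4);
    );
    else if (matches_regular_expression(get_collected_field('', 'dst'), '([^:]*):([0-9]*):([A-Za-z0-9]*)')) then (
      set_collected_field('', 'dst', $1);
      set_collected_field('', 'dst_port', $2);
      set_collected_field('', 'dst_network', $3);
    );

    # Security event classification from msg. event_type is set to a label
    # taken from lang_stats.log_formats.sonic_wall.event_type; the free-text
    # detail after the prefix goes into the matching detail field.
    if (matches_regular_expression(get_collected_field('', 'msg'), '^Gateway Anti-Virus Alert: (.*)$')) then (
      set_collected_field('', 'event_type', lang_stats.log_formats.sonic_wall.event_type.gateway_antivirus_alert);
      set_collected_field('', 'virus_action', $1);
    );
    else if (matches_regular_expression(get_collected_field('', 'msg'), 'IPS Detection Alert: (.*)')) then (
      set_collected_field('', 'event_type', lang_stats.log_formats.sonic_wall.event_type.ips_detection_alert);
      set_collected_field('', 'detection_reason', $1);
    );
    #2006-06-13 10:57:18 Local0.Alert 10.10.1.254 id=firewall sn=0006B10CBD28 time="2006-06-13 10:57:18" fw=60.244.125.189 pri=1 c=2097152 m=546 msg="Found Rogue Access Point" n=8 dstname="SonicPoint 176391 found: SSID:(00:16:47:0d:a2:00), Channel:9"
    else if (get_collected_field('', 'msg') eq 'Found Rogue Access Point') then (
      set_collected_field('', 'event_type', lang_stats.log_formats.sonic_wall.event_type.found_rogue_access_point);
      # For this event the detecting device, SSID and channel are packed into dstname.
      if (matches_regular_expression(get_collected_field('', 'dstname'), '^(.*) found: (.*), Channel:([0-9]*)')) then (
        set_collected_field('', 'detection_device', $1);
        set_collected_field('', 'ssid', $2);
        set_collected_field('', 'channel', $3);
      );
    );

    # this occurs a few times outside of an "IPS detection alert", so do this here
    # 2008-09-11 - GMF - Added a check for empty ipspri; if it's empty, the subnode operations fail with an error (empty node name)
    # NOTE(review): the raw log value is used as a node name under
    # lang_stats.log_formats.sonic_wall.ipspri. Only the empty case is guarded;
    # a value with no matching subnode is not -- confirm how subnode_by_name
    # behaves for a missing name before relying on this for unknown firmware.
    if (get_collected_field('', 'ipspri') ne '') then
      set_collected_field('', 'ipspri', node_value(subnode_by_name('lang_stats.log_formats.sonic_wall.ipspri', get_collected_field('', 'ipspri'))));

    accept_collected_entry('', false);
  `

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    usr = ""
    src = ""
    src_host = ""
    src_port = ""
    src_network = ""
    dst = ""
    dstname = ""
    dst_host = ""
    dst_port = ""
    dst_network = ""
    url = ""
    id = ""
    sn = ""
    fw = ""
    c = ""
    m = ""
    # n is collected in log.fields and requested by report_groups.other_group
    # below; it was missing here, leaving that report group entry dangling.
    n = ""
    proto = ""
    msg = ""
    code = ""
    ipscat = ""
    ipspri = ""
    sid = ""
    ssid = ""
    channel = ""
    event_type = ""
    detection_device = ""
    detection_reason = ""
    virus_action = ""
  } # database.fields

  # Log Filters
  # Applied after parsing, in order. worm and file_type are not declared in
  # this file; they appear to be derived from the page-type url field -- confirm.
  log.filters = {

    # This filter builds the URL field from the proto, dstname and arg fields
    # ("tcp/http" -> "http://" . dstname . arg); an unresolved "(empty)" tail
    # clears the URL instead of producing a half-built one.
    build_url = {
      label = "Build URL"
      comment = ""
      value = "
        if (proto ne '(empty)') then (
          url = proto;
          url = replace_all(url, 'tcp/', '');
          url = url . '://' . dstname . arg;
          if (ends_with(url, '(empty)')) then
            url = '';
        );
      "
    } # build_url

    set_page_for_worm = {
      label = "$lang_admin.log_filters.set_page_for_worm_label"
      comment = "$lang_admin.log_filters.set_page_for_worm_comment"
      value = "if (starts_with(worm, '(')) then '' else url = '(worm)';"
    } # set_page_for_worm

    remove_query = {
      label = "$lang_admin.log_filters.remove_query_label"
      comment = "$lang_admin.log_filters.remove_query_comment"
      value = "if (contains(url, '?')) then url = substr(url, 0, index(url, '?') + 1) . '(parameters)';"
    } # remove_query

    # Security events (event_type set), empty URLs and static asset types do not
    # count as page views.
    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((event_type ne '(empty)') or (url eq '(empty)') or (file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
    } # detect_page_views

    # Trailing ';' added for consistency with the other filter statements.
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(url, '^([^:]+://[^/]+/)')) then url = $1 . '(omitted)';"
    } # simplify_url

    strip_non_page_views = {
      label = '$lang_admin.log_filters.strip_non_page_views_label'
      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
      value = "if (page_views == 0) then url = substr(url, 0, last_index(url, '/') + 1) . '(nonpage)';"
    } # strip_non_page_views

    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry

  } # log.filters

  # Session reconstruction: visitors are keyed on the parsed source address.
  log.field_options = {
    sessions_page_field = "url"
    sessions_visitor_id_field = "src"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    events = {
      requires_log_field = false
      entries_field = true
    } # events
    page_views = {
      default = true
      requires_log_field = false
    } # page_views
    visitors = {
      log_field = "src"
      type = "unique"
    } # visitors
    sent = {
      type = "float"
      display_format_type = "bandwidth"
    } # sent
    rcvd = {
      type = "float"
      display_format_type = "bandwidth"
    } # rcvd
  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_group = {
        usr = true
        src = true
        src_host = true
        src_port = true
        src_network = true
      }
      destination_group = {
        dst = true
        dstname = true
        dst_host = true
        dst_port = true
        dst_network = true
        url = true
      }
      # The fields an analyst reviewing IPS / anti-virus / rogue-AP activity needs.
      security_group = {
        event_type = true
        ipscat = true
        ipspri = true
        ssid = true
        channel = true
        detection_device = true
        detection_reason = true
        virus_action = true
      }
      other_group = {
        logging_device = true
        syslog_priority = true
        id = true
        sn = true
        fw = true
        c = true
        m = true
        n = true
        proto = true
        msg = true
        code = true
        sid = true
      }
    } # report_groups

  } # create_profile_wizard_options

} # sonic_wall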