# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plug-in for Cisco IPS event records.
#
# Each accepted log line is a comma-separated record in which text columns are
# wrapped in single quotes and the remaining columns are unquoted (numbers, or
# the literal \N -- presumably a NULL marker from whatever export produced the
# file; confirm against sample data). Column N of the record is captured as
# $N by the parsing filter below; columns whose meaning was not identified are
# stored under the generic names f1, f5, f11, ... (N = column number).
cisco_ips = {

  # NOTE(review): `manfacturer` is spelled this way in the original plug-in;
  # presumably the loader reads this exact key, so do not rename it without
  # checking.
  info.1.manfacturer = "Cisco"
  info.1.device = "IPS"
  info.1.version.1 = ""

  plugin_version = "1.0.1"

  # 2007/12/18 - 1.0 - GMF - Initial plug-in
  # 2007/12/19 - 1.0.1 - GMF - Changed date/time extraction to the local time field

  # The name of the log format
  log.format.format_label = "Cisco IPS Log Format"
  log.miscellaneous.log_data_type = "network"
  log.miscellaneous.log_format_type = "network_device"

  log.format.ignore_format_lines = "true"

  # The log is in this format if any of the first ten lines match this regular
  # expression. Only the first 14 columns are checked: column 12 must be the
  # literal \N (written \\\\N so that it survives both string and regex
  # escaping) and column 14 must be a dotted-decimal IPv4 address -- the same
  # columns the parsing filter below stores as f12 and src_address.
  # NOTE(review): the parsing filter accepts any unquoted value in column 12,
  # but autodetection insists on \N there; a file whose first ten lines all
  # carry a non-NULL column 12 would not be recognised automatically -- confirm
  # this is acceptable.
  log.format.autodetect_regular_expression = "^'[0-9]+','[0-9]+','[0-9]+','[^']+','[^']+','[0-9]+','[0-9]+','[0-9]+','[0-9]+','[^']+','[0-9]+',\\\\N,'[^']+','[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+',"

  # The format of dates and times in this log. Both are read from the
  # date_time value that the parsing filter derives from event_local_time
  # (first 13 characters of column 8).
  # NOTE(review): "seconds_since_jan1_1970" implies a seconds-resolution epoch
  # value; confirm that the first 13 characters of event_local_time really are
  # seconds and not a higher-resolution timestamp -- TODO verify on sample data.
  log.format.date_format = "seconds_since_jan1_1970"
  log.format.time_format = "seconds_since_jan1_1970"

  # All log field parsing will be done using the parsing filters
  # (the option itself is currently commented out; parsing still relies on the
  # log.parsing_filters.parse filter below)
  # log.format.parse_only_with_filters = "true"

  # Log fields. Apart from date_time (derived), every field corresponds to one
  # column of the record, in column order.
  log.fields = {
    date_time = ""
    f1 = ""
    event_id = ""
    severity = ""
    sensor = ""
    f5 = ""
    received_time = ""
    event_utc_time = ""
    event_local_time = ""
    sig_id = ""
    signature_name = ""
    f11 = ""
    f12 = ""
    signature_version = ""
    src_address = ""
    src_port = ""
    variable = ""
    dst_address = ""
    dst_port = ""
    f19 = ""
    direction = ""
    f21 = ""
    f22 = ""
    f23 = ""
    f24 = ""
    f25 = ""
    interface = ""
    f27 = ""
    virtual_sensor = ""
    f29 = ""
    f30 = ""
    f31 = ""
    f32 = ""
    risk_rating = ""
    threat_rating = ""
    protocol = ""
    alarm_status = ""
    f37 = ""
  } # log.fields

  #
  # Log Parsing Filters
  #
  # A line is accepted only if the 36-column prefix below matches. The pattern
  # is anchored at the start of the line only, so anything after the 36th
  # column is ignored. There is no else branch: a line that does not match is
  # silently skipped and never reaches the database or the event count. Note
  # that every capture group requires at least one character, so a record
  # with an empty quoted column ('') is one of the lines that gets dropped.
  # NOTE(review): the pattern has 36 capturing groups, but the filter also
  # assigns f37 = $37; with this pattern f37 is never populated. Confirm
  # whether the export has a 37th column and, if so, extend the pattern.
  # NOTE(review): src_address only accepts dotted-decimal IPv4 ('[0-9.]+'),
  # whereas dst_address accepts any quoted text; a record with any other form
  # of source address would fail the match and be dropped -- confirm intended.
  log.parsing_filters.parse = `
if (matches_regular_expression(current_log_line(), "^'([0-9]+)','([0-9]+)','([0-9]+)','([^']+)','([^']+)','([0-9]+)','([0-9]+)','([0-9]+)','([0-9]+)','([^']+)','([0-9]+)',([^,]+),'([^']+)','([0-9.]+)',([^,]+),'([^']+)','([^']+)',([^,]+),'([^']+)','([^']+)','([^']+)','([^']+)',([^,]+),([^,]+),([^,]+),'([^']+)','([^']+)','([^']+)',([^,]+),([^,]+),([^,]+),'([^']+)','([^']+)','([^']+)','([^']+)','([^']+)',")) then (
  f1 = $1;
  event_id = $2;
  severity = $3;
  sensor = $4;
  f5 = $5;
  received_time = $6;
  event_utc_time = $7;
  event_local_time = $8;
  date_time = substr(event_local_time, 0, 13);
  sig_id = $9;
  signature_name = $10;
  f11 = $11;
  f12 = $12;
  signature_version = $13;
  src_address = $14;
  src_port = $15;
  variable = $16;
  dst_address = $17;
  dst_port = $18;
  f19 = $19;
  direction = $20;
  f21 = $21;
  f22 = $22;
  f23 = $23;
  f24 = $24;
  f25 = $25;
  interface = $26;
  f27 = $27;
  virtual_sensor = $28;
  f29 = $29;
  f30 = $30;
  f31 = $31;
  f32 = $32;
  risk_rating = $33;
  threat_rating = $34;
  protocol = $35;
  alarm_status = $36;
  f37 = $37;
);
`

  # Database fields. received_time, event_utc_time, event_local_time and f21
  # are commented out and so are not stored; date_time and the derived
  # hour_of_day / day_of_week are stored instead.
  database.fields = {
    date_time = ""
    hour_of_day = ""
    day_of_week = ""
    f1 = ""
    event_id = ""
    severity = ""
    sensor = ""
    f5 = ""
    #received_time = ""
    #event_utc_time = ""
    #event_local_time = ""
    sig_id = ""
    signature_name = ""
    f11 = ""
    f12 = ""
    signature_version = ""
    src_address = ""
    src_port = ""
    variable = ""
    dst_address = ""
    dst_port = ""
    f19 = ""
    direction = ""
    #f21 = ""
    f22 = ""
    f23 = ""
    f24 = ""
    f25 = ""
    interface = ""
    f27 = ""
    virtual_sensor = ""
    f29 = ""
    f30 = ""
    f31 = ""
    f32 = ""
    risk_rating = ""
    threat_rating = ""
    protocol = ""
    alarm_status = ""
    f37 = ""
  } # database.fields

  # Log Filters
  log.filters = {
    # Counts every accepted line as one event (the "events" numerical field
    # declared below). Lines rejected by the parsing filter are not counted.
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  database.numerical_fields = {
    # The per-entry event counter set by the mark_entry filter above; it has
    # no corresponding log field.
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    # NOTE(review): received_time, event_utc_time and event_local_time are
    # listed here but are commented out of database.fields above, so there is
    # no stored field for them to report on -- confirm whether the wizard
    # tolerates these entries or whether they should be removed.
    report_groups = {
      date_time_group = ""
      event_id = ""
      severity = ""
      sensor = ""
      received_time = ""
      event_utc_time = ""
      event_local_time = ""
      sig_id = ""
      signature_name = ""
      signature_version = ""
      src_address = ""
      src_port = ""
      variable = ""
      dst_address = ""
      dst_port = ""
      direction = ""
      interface = ""
      virtual_sensor = ""
      risk_rating = ""
      threat_rating = ""
      protocol = ""
      alarm_status = ""
      # Unidentified columns are grouped together rather than given their own
      # report entries.
      other_group = {
        f1 = ""
        f5 = ""
        f19 = ""
        f11 = ""
        f12 = ""
        f21 = ""
        f22 = ""
        f23 = ""
        f24 = ""
        f25 = ""
        f27 = ""
        f29 = ""
        f30 = ""
        f31 = ""
        f32 = ""
        f37 = ""
      }
    } # report_groups
  } # create_profile_wizard_options

} # cisco_ips