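# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the Juniper SRX RT_FLOW session log
# (RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE / RT_FLOW_SESSION_DENY)
# as received over syslog.  Two message layouts are recognised:
#   - the positional text form of JunOS 10.2  ("RT_FLOW: RT_FLOW_...")
#   - the structured key="value" form of JunOS 10.0R3 ("RT_FLOW - RT_FLOW_... [junos@... ...]")
# All field extraction is done by log.parsing_filters.parse below; the
# log.fields / database.fields tables only declare what that filter fills in.

juniper_rt_flow = {

  plugin_version = "1.1"

  # Device information shown in the plugin list.
  # (key spelling fixed: was "manfacturer")
  info.1.manufacturer = "Juniper"
  info.1.device = "SRX3400"
  info.1.version.1 = "firmware JunOS 10.2"
  info.1.version.2 = "firmware JunOS 10.0R3"

  # 2010-08-06 - 1.0 - Benson - Initial creation.
  # 2010-08-20 - 1.1 - Benson - Add support for JunOS 10.0R3.

  # The name of the log format
  log.format.format_label = "Juniper JunOS RT_FLOW Log format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  #log.format.autodetect_regular_expression = '(RT_FLOW: RT_FLOW_|RT_FLOW - RT_FLOW)'
  # Autodetect by the two RT_FLOW prefixes (10.2 form and 10.0R3 form); the
  # expression form is used instead of the single regex commented out above.
  log.format.autodetect_expression = `
    matches_regular_expression(volatile.log_data_line, "RT_FLOW: RT_FLOW_") or
    matches_regular_expression(volatile.log_data_line, "RT_FLOW - RT_FLOW")
  `

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Fields collected by the parsing filter.  src_ip is declared as a "host"
  # field so that host tracking / location lookup can be applied to it
  # (see host_tracking and the "location" database field below).
  log.fields = {
    action = ""
    reason = ""
    src_ip.type = "host"
    src_port = ""
    dst_ip = ""
    dst_port = ""
    service = ""
    src_ip_nat = ""
    src_port_nat = ""
    dst_ip_nat = ""
    dst_port_nat = ""
    src_nat_rule = ""
    dst_nat_rule = ""
    protocol_id = ""
    policy_name = ""
    src_zone = ""
    dst_zone = ""
    session_id = ""
    packets_from_client = ""
    bytes_from_client = ""
    packets_from_server = ""
    bytes_from_server = ""
    elapsed_time = ""
    icmp_type = ""
    events = ""
  } # log.fields

  # Parsing filter: one syslog message in, one collected entry out.
  #
  # The three JunOS 10.2 branches extract fields positionally with one regex
  # per message type; the JunOS 10.0R3 branch takes the key="value" list
  # inside the square brackets and maps the Juniper key names onto the
  # log.fields names with collect_listed_fields.
  #
  # NOTE(review): the address groups are written as [0-9.]+, so only IPv4
  # addresses match the 10.2 patterns; an IPv6 session line would fall
  # through all branches.  The patterns carry no ^ anchor, so the match is
  # presumably a substring search on the syslog message - confirm.
  log.parsing_filters.parse = `
    v.message = v.syslog_message;

    # JunOS 10.2
    # RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 192.168.2.22/59396->168.95.192.1/53 junos-dns-udp 210.65.75.37/59396->168.95.192.1/53 None None 17 367448 dmz untrust 332779 1(73) 1(316) 5
    #
    # Groups: 1 reason, 2-5 src/dst ip and port, 6 service, 7-10 NAT src/dst
    # ip and port, 11-12 NAT rule names, 13 protocol, 14 policy, 15-16 zones,
    # 17 session id, 18(19) and 20(21) packets(bytes) from client / server,
    # 22 elapsed time.
    if (matches_regular_expression(v.message, "RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed ([^:]+): ([0-9.]+)/([0-9]+)->([0-9.]+)/([0-9]+) ([^ ]+) ([0-9.]+)/([0-9]+)->([0-9.]+)/([0-9]+) ([^ ]+) ([^ ]+) ([0-9]+) ([^ ]+) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9]+)\\(([0-9]+)\\) ([0-9]+)\\(([0-9]+)\\) ([0-9]+)")) then (
      set_collected_field('', 'action', "RT_FLOW_SESSION_CLOSE");
      set_collected_field('', 'reason', $1);
      set_collected_field('', 'src_ip', $2);
      set_collected_field('', 'src_port', $3);
      set_collected_field('', 'dst_ip', $4);
      set_collected_field('', 'dst_port', $5);
      set_collected_field('', 'service', $6);
      set_collected_field('', 'src_ip_nat', $7);
      set_collected_field('', 'src_port_nat', $8);
      set_collected_field('', 'dst_ip_nat', $9);
      set_collected_field('', 'dst_port_nat', $10);
      set_collected_field('', 'src_nat_rule', $11);
      set_collected_field('', 'dst_nat_rule', $12);
      set_collected_field('', 'protocol_id', $13);
      set_collected_field('', 'policy_name', $14);
      set_collected_field('', 'src_zone', $15);
      set_collected_field('', 'dst_zone', $16);
      set_collected_field('', 'session_id', $17);
      set_collected_field('', 'packets_from_client', $18);
      set_collected_field('', 'bytes_from_client', $19);
      set_collected_field('', 'packets_from_server', $20);
      set_collected_field('', 'bytes_from_server', $21);
      set_collected_field('', 'elapsed_time', $22);
    );

    # RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.56.19.24/1505->10.11.64.133/80 junos-http 10.56.19.24/1505->10.11.64.133/80 None None 6 520132 ipvpn trust 437301
    #
    # Same layout as SESSION_CLOSE minus the reason and the packet/byte/elapsed
    # counters; the reason is a fixed string here because the message has none.
    else if (matches_regular_expression(v.message, "RT_FLOW: RT_FLOW_SESSION_CREATE: session created ([0-9.]+)/([0-9]+)->([0-9.]+)/([0-9]+) ([^ ]+) ([0-9.]+)/([0-9]+)->([0-9.]+)/([0-9]+) ([^ ]+) ([^ ]+) ([0-9]+) ([^ ]+) ([^ ]+) ([^ ]+) ([0-9]+)")) then (
      set_collected_field('', 'action', "RT_FLOW_SESSION_CREATE");
      set_collected_field('', 'reason', 'session created');
      set_collected_field('', 'src_ip', $1);
      set_collected_field('', 'src_port', $2);
      set_collected_field('', 'dst_ip', $3);
      set_collected_field('', 'dst_port', $4);
      set_collected_field('', 'service', $5);
      set_collected_field('', 'src_ip_nat', $6);
      set_collected_field('', 'src_port_nat', $7);
      set_collected_field('', 'dst_ip_nat', $8);
      set_collected_field('', 'dst_port_nat', $9);
      set_collected_field('', 'src_nat_rule', $10);
      set_collected_field('', 'dst_nat_rule', $11);
      set_collected_field('', 'protocol_id', $12);
      set_collected_field('', 'policy_name', $13);
      set_collected_field('', 'src_zone', $14);
      set_collected_field('', 'dst_zone', $15);
      set_collected_field('', 'session_id', $16);
    );

    # RT_FLOW: RT_FLOW_SESSION_DENY: session denied 220.255.7.159/52272->210.65.75.2/80 junos-http 6(0) 496066 untrust dmz
    #
    # Denied sessions carry no NAT or counter fields.  The "6(0)" token is
    # split into protocol_id=6 and icmp_type=0.
    else if (matches_regular_expression(v.message, "RT_FLOW: RT_FLOW_SESSION_DENY: session denied ([0-9.]+)/([0-9]+)->([0-9.]+)/([0-9]+) ([^ ]+) ([0-9]+)\\(([0-9]+)\\) ([0-9]+) ([^ ]+) ([^ ]+)")) then (
      set_collected_field('', 'action', "RT_FLOW_SESSION_DENY");
      set_collected_field('', 'reason', 'session denied');
      set_collected_field('', 'src_ip', $1);
      set_collected_field('', 'src_port', $2);
      set_collected_field('', 'dst_ip', $3);
      set_collected_field('', 'dst_port', $4);
      set_collected_field('', 'service', $5);
      set_collected_field('', 'protocol_id', $6);
      set_collected_field('', 'icmp_type', $7);
      set_collected_field('', 'policy_name', $8);
      set_collected_field('', 'src_zone', $9);
      set_collected_field('', 'dst_zone', $10);
    );

    # JunOS 10.0R3
    # SRX3400-1 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.35 reason="response received" source-address="10.11.10.77" source-port="3" destination-address="192.168.2.33" destination-port="60939" service-name="icmp" nat-source-address="10.11.10.77" nat-source-port="3" nat-destination-address="192.168.2.33" nat-destination-port="60939" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="979435" source-zone-name="trust" destination-zone-name="dmz" session-id-32="100373049" packets-from-client="1" bytes-from-client="84" packets-from-server="1" bytes-from-server="84" elapsed-time="3"]
    # SRX3400-1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.35 source-address="203.66.215.100" source-port="50552" destination-address="210.65.75.2" destination-port="21" service-name="junos-ftp" nat-source-address="203.66.215.100" nat-source-port="50552" nat-destination-address="192.168.2.2" nat-destination-port="21" src-nat-rule-name="None" dst-nat-rule-name="r18" protocol-id="6" policy-name="481575" source-zone-name="untrust" destination-zone-name="dmz" session-id-32="100447174"]
    #
    # $1 is the message type (used directly as the action), $2 is everything
    # after the "junos@..." structured-data id up to the closing bracket.
    # NOTE(review): the bracket escapes here use four backslashes while the
    # parenthesis escapes in the 10.2 patterns use two - confirm against a
    # live 10.0R3 line that the literal "[" and "]" are matched as intended.
    # NOTE(review): collect_listed_fields splits on ' ', so a quoted value
    # containing a space (reason="response received" in the sample) should be
    # checked to arrive intact in the reason field.
    else if (matches_regular_expression(v.message, "RT_FLOW - ([^ ]+) \\\\[[^ ]+ (.*)\\\\]")) then (
      set_collected_field('', 'action', $1);
      collect_listed_fields('', $2, ' ', '=', 'reason=reason|source-address=src_ip|source-port=src_port|destination-address=dst_ip|destination-port=dst_port|service-name=service|nat-source-address=src_ip_nat|nat-source-port=src_port_nat|nat-destination-address=dst_ip_nat|nat-destination-port=dst_port_nat|src-nat-rule-name=src_nat_rule|dst-nat-rule-name=dst_nat_rule|protocol-id=protocol_id|policy-name=policy_name|source-zone-name=src_zone|destination-zone-name=dst_zone|session-id-32=session_id|packets-from-client=packets_from_client|bytes-from-client=bytes_from_client|packets-from-server=packets_from_server|bytes-from-server=bytes_from_server|elapsed-time=elapsed_time');
      # SESSION_CREATE lines carry no reason= key; give them the same fixed
      # reason the 10.2 branch uses.
      if (matches_regular_expression($1, "RT_FLOW_SESSION_CREATE")) then (
        set_collected_field('', 'reason', "session created");
      );
    );

    # Every message reaches this point, matched or not: an unrecognised line
    # is still accepted with only events=1 set and all other fields empty.
    # NOTE(review): confirm this is intended - otherwise unrecognised lines
    # inflate the event count and show up as entries with an empty action.
    set_collected_field('', 'events', 1);
    accept_collected_entry('', false);
  `

  # Database fields.  "location" is not parsed from the log; it is derived
  # from src_ip (declared type "host" above) by host tracking.
  database.fields = {
    action = ""
    reason = ""
    src_ip = ""
    location = ""
    src_port = ""
    dst_ip = ""
    dst_port = ""
    service = ""
    src_ip_nat = ""
    src_port_nat = ""
    dst_ip_nat = ""
    dst_port_nat = ""
    src_nat_rule = ""
    dst_nat_rule = ""
    protocol_id = ""
    policy_name = ""
    src_zone = ""
    dst_zone = ""
    session_id = ""
    icmp_type = ""
  } # database.fields

  # Aggregated counters.  Only the SESSION_CLOSE messages (both layouts)
  # carry the packet/byte/elapsed values; CREATE and DENY contribute to
  # events only.
  database.numerical_fields = {
    events = {
      default = true
      entries_field = true
    } # events
    packets_from_client = {
      entries_field = true
    }
    bytes_from_client = {
      default = true
      type = "float"
      display_format_type = "bandwidth"
    }
    packets_from_server = {
      entries_field = true
    }
    bytes_from_server = {
      default = true
      type = "float"
      display_format_type = "bandwidth"
    }
    elapsed_time = {
      type = "float"
      # NOTE(review): the sample values (5, 3) look like whole seconds;
      # confirm the unit before relying on the milliseconds display format.
      display_format_type = "duration_milliseconds"
      #display_format_type = "duration_compact"
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    host_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_group = {
        src_ip = true
        location = true
        src_port = true
        src_ip_nat = true
        src_port_nat = true
        src_nat_rule = true
        src_zone = true
      }
      destination_group = {
        dst_ip = true
        dst_port = true
        service = true
        dst_ip_nat = true
        dst_port_nat = true
        dst_nat_rule = true
        dst_zone = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # juniper_rt_flow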