# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# snort2_syslog - log format plugin describing how Snort 2 alerts delivered
# via syslog are recognised, parsed into log fields, stored as database
# fields, and exposed in reports.  Layout: format metadata, log.fields,
# log.parsing_filters, database.fields, log.filters, numerical fields,
# profile-wizard defaults.  Regular expressions inside "value" strings are
# double-escaped: "\\\\[" in this file becomes "\\[" in the filter expression,
# which the regexp engine then reads as a literal "[".
snort2_syslog = {
  # The name of the log format, as shown when choosing a format
  log.format.format_label = "Snort 2 Log Format (syslog required)"
  # Entries arrive wrapped in syslog framing; the parser expects that prefix
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "network_device"
  # 2007/08/29 "added 'location' database field for geoip reports" MSG
  # The log is in this format if any of the first ten lines match this regular expression.
  # Two alternatives are tried: (1) the full alert shape
  #   [n:n:n] NAME [Classification: ...] [Priority: ...]: {PROTO} ip:port -> ip:port
  # and (2) the shorter "[**] ... [**]" alert shape, added because some logs
  # never match the first alternative.
  log.format.autodetect_regular_expression = "( \\[[0-9]+:[0-9]+:[0-9]+\\] [A-Z-]* ([^]]*) \\[Classification: [^]]*\\] \\[Priority: [^]]*\\]: \\{[A-Z]*\\} [0-9.:]* -> [0-9.:]*|\\[\\*\\*\\].*\\[\\*\\*\\])"
  # Each accepted log line is counted as one "event" (see database.numerical_fields)
  statistics.miscellaneous.entry_name = "events"
  # Log fields: the values the parsing filters below extract from each line.
  # Only source_ip is typed "host"; destination_ip is "flat", so whatever
  # host-specific processing (resolution, geoip) applies to source_ip does not
  # apply to destinations -- presumably deliberate, confirm before changing.
  log.fields = {
    classification = { label = "$lang_stats.field_labels.classification" type = "flat" } # classification
    snort_priority = { label = "$lang_stats.field_labels.snort_priority" type = "flat" } # snort_priority
    protocol = { label = "$lang_stats.field_labels.protocol" type = "flat" } # protocol
    source_ip = { label = "$lang_stats.field_labels.source_ip" type = "host" } # source_ip
    source_port = { label = "$lang_stats.field_labels.source_port" type = "flat" } # source_port
    destination_ip = { label = "$lang_stats.field_labels.destination_ip" type = "flat" } # destination_ip
    destination_port = { label = "$lang_stats.field_labels.destination_port" type = "flat" } # destination_port
    rule_number = { label = "$lang_stats.field_labels.rule_number" type = "flat" } # rule_number
    rule = { label = "$lang_stats.field_labels.rule" type = "flat" } # rule
    message = { label = "$lang_stats.field_labels.message" type = "flat" } # message
  } # log.fields
  # Log Parsing Filters, applied in numeric order to every line.  Filters
  # 1-7 each collect fields when their regexp matches; filter 8 then accepts
  # the entry unconditionally.  All line content is attacker-influenced
  # (alert names and messages come from traffic Snort observed), so the
  # extracted fields should be treated as untrusted text downstream.
  log.parsing_filters = {
    # Parse out rule: rule_number is the middle number of the "[n:n:n]"
    # triplet (Snort's signature id, presumably); rule is the text that
    # follows, up to the next "[".
    # NOTE(review): the trailing "\\[" uses two backslashes where every other
    # escaped metacharacter in this block uses four -- confirm the filter
    # expression still sees a literal "[" after both unescaping passes.
    1 = { label = "1" comment = "" value = "collect_fields_using_regexp('()\\\\[[0-9]+:([0-9]+):[0-9]+\\\\] [A-Z-]* ([^]]*) \\[', '*KEY*,rule_number,rule')" } # 1
    # Parse out classification,priority from "[Classification: ...] [Priority: ...]"
    2 = { label = "2" comment = "" value = "collect_fields_using_regexp('()\\\\[Classification: ([^]]*)\\\\] \\\\[Priority: ([^]]*)\\\\]', '*KEY*,classification,snort_priority')" } # 2
    # Parse out the protocol,source IP,source port,destination IP,destination port
    # from "{PROTO} a.b.c.d:port -> a.b.c.d:port".  The address patterns are
    # dotted-quad only; IPv6 alerts would not populate these fields (they
    # still reach filter 8 and are counted as events with empty fields).
    3 = { label = "3" comment = "" value = "collect_fields_using_regexp('()\\\\{([A-Z]*)\\\\} ([0-9]+\\\\.[0-9]+\\\\.[0-9]+\\\\.[0-9]+):([0-9]+) -> ([0-9]+\\\\.[0-9]+\\\\.[0-9]+\\\\.[0-9]+):([0-9]+)', '*KEY*,protocol,source_ip,source_port,destination_ip,destination_port')" } # 3
    # Parse out the protocol,source IP,destination IP for lines without ports
    # (same IPv4-only caveat as filter 3)
    4 = { label = "4" comment = "" value = "collect_fields_using_regexp('()\\\\{([A-Z]*)\\\\} ([0-9]+\\\\.[0-9]+\\\\.[0-9]+\\\\.[0-9]+) -> ([0-9]+\\\\.[0-9]+\\\\.[0-9]+\\\\.[0-9]+)', '*KEY*,protocol,source_ip,destination_ip')" } # 4
    # Parse out ** lines with source and destination IP only:
    # "[**] Message text [**] a.b.c.d -> a.b.c.d"
    5 = { label = "5" comment = "" value = "collect_fields_using_regexp('()\\\\[\\\\*\\\\*\\\\] ([A-Za-z ]+) \\\\[\\\\*\\\\*\\\\] ([0-9.]+) -> ([0-9.]+)', '*KEY*,message,source_ip,destination_ip')" } # 5
    # Parse out ** lines with source and destination IP and port:
    # "[**] Message text [**] a.b.c.d:port -> a.b.c.d:port"
    6 = { label = "6" comment = "" value = "collect_fields_using_regexp('()\\\\[\\\\*\\\\*\\\\] ([A-Za-z ]+) \\\\[\\\\*\\\\*\\\\] ([0-9.]+):([0-9]+) -> ([0-9.]+):([0-9]+)', '*KEY*,message,source_ip,source_port,destination_ip,destination_port')" } # 6
    # Parse out the rule & source IP & message on portscan lines:
    # "] <name>: portscan status from a.b.c.d: <message>".
    # Unlike filter 1, rule_number here is free text ("[^:]+"), not a number;
    # the rule lookup in log.filters is keyed on this value, so it must be
    # treated as an opaque, untrusted string there.
    7 = { label = "7" comment = "" value = "collect_fields_using_regexp('()\\\\] ([^:]+): portscan status from ([0-9\\\\.]*): ([^:]*:.*)', '*KEY*,rule_number,source_ip,message')" } # 7
    # Accept this log entry: '^()' matches every line, so lines none of the
    # filters above recognised are still counted as events (with empty
    # fields).  On a shared syslog this can include non-Snort lines once the
    # format has been autodetected.  Meaning of the second argument (false)
    # is not documented here.
    8 = { label = "8" comment = "" value = "accept_collected_entry_using_regexp('^()', false)" } # 8
  } # log.parsing_filters
  # Database fields: what is stored per event.  suppress_top / suppress_bottom
  # are Sawmill display options for the field's report; their exact meaning is
  # not documented in this file.
  database.fields = {
    source_ip = { label = "$lang_stats.field_labels.source_ip" log_field = "source_ip" type = "string" suppress_top = 0 suppress_bottom = 2 } # source_ip
    destination_ip = { label = "$lang_stats.field_labels.destination_ip" log_field = "destination_ip" type = "string" suppress_top = 0 suppress_bottom = 2 } # destination_ip
    source_port = { label = "$lang_stats.field_labels.source_port" log_field = "source_port" type = "string" suppress_top = 0 suppress_bottom = 2 } # source_port
    destination_port = { label = "$lang_stats.field_labels.destination_port" log_field = "destination_port" type = "string" suppress_top = 0 suppress_bottom = 2 } # destination_port
    classification = { label = "$lang_stats.field_labels.classification" log_field = "classification" type = "string" suppress_top = 0 suppress_bottom = 2 } # classification
    snort_priority = { label = "$lang_stats.field_labels.snort_priority" log_field = "snort_priority" type = "string" suppress_top = 0 suppress_bottom = 2 } # snort_priority
    protocol = { label = "$lang_stats.field_labels.protocol" log_field = "protocol" type = "string" suppress_top = 0 suppress_bottom = 2 } # protocol
    # rule_number and rule carry no suppress_* settings, unlike the other fields
    rule_number = { label = "$lang_stats.field_labels.rule_number" log_field = "rule_number" type = "string" } # rule_number
    rule = { label = "$lang_stats.field_labels.rule" log_field = "rule" type = "string" } # rule
    message = { label = "$lang_stats.field_labels.message" log_field = "message" type = "string" suppress_top = 0 suppress_bottom = 2 } # message
    # location has no entry in log.fields; per the 2007/08/29 note above it
    # exists for geoip reports and is presumably derived from the host-typed
    # source_ip field -- confirm.
    location = { label = "$lang_stats.field_labels.location" log_field = "location" type = "string" suppress_top = 0 suppress_bottom = 3 } # location
  } # database.fields
  # Log Filters, run after parsing on the collected fields
  log.filters = {
    # Convert the rule field to English: if a translation node named after
    # rule_number exists under lang_stats.log_formats.snort2_syslog.rule,
    # replace rule with that node's value.  rule_number comes straight from
    # the log line (numeric via filter 1, free text via filter 7); the lookup
    # should treat it as an opaque node name -- verify that subnode_by_name
    # does not interpret path characters inside it.
    rule = { label = "convert rule" comment = "convert rule" value = " if (subnode_exists('lang_stats.log_formats.snort2_syslog.rule', rule_number)) then ( rule = node_value(subnode_by_name('lang_stats.log_formats.snort2_syslog.rule', rule_number)); ) " } # rule
    # Mark every entry as one event so the events counter below increments
    mark_entry = { label = '$lang_admin.log_filters.mark_entry_label' comment = '$lang_admin.log_filters.mark_entry_comment' value = 'events = 1;' } # mark_entry
  } # log.filters
  # Numerical fields: the only aggregate is the event count set by mark_entry
  database.numerical_fields = {
    events = { label = "$lang_stats.field_labels.events" default = true requires_log_field = false type = "int" display_format_type = "integer" entries_field = true } # events
  } # database.numerical_fields
  # Defaults applied when a profile is created from this format
  create_profile_wizard_options = {
    date_time_tracking = true
    host_tracking = true
    # How the reports should be grouped in the report menu
    # (rule_number and location are intentionally absent from this list;
    # confirm that is still the desired menu layout)
    report_groups = {
      date_time_group = ""
      source_ip = true
      destination_ip = true
      source_port = true
      destination_port = true
      classification = true
      snort_priority = true
      protocol = true
      rule = true
      message = true
    } # report_groups
  } # create_profile_wizard_options
  # Web-style metrics that make no sense for IDS alerts
  not_supported = {
    sessions = true
    pageviews = true
    bandwidth = true
    visitors = true
  } # not_supported
} # snort2_syslog