# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Log format plugin for TippingPoint SMS syslog events.
#
# The plugin has three parts, all under the single node tipping_point_sms:
#   * identification (plugin_version, info.N.*) and the autodetect expression
#     used to decide that an incoming log is in this format;
#   * a parsing filter (log.parsing_filters.parse) that splits the syslog
#     message with one regular expression and stores each capture group as a
#     collected field;
#   * the database layout (database.fields, database.numerical_fields) that
#     the collected fields are reported against.
# The whole file was reflowed onto separate lines; key names, values and
# embedded code are unchanged, only comments were added.
tipping_point_sms = {
  plugin_version = "1.1"
  # NOTE(review): the key is spelled "manfacturer" here; it is kept as-is
  # because the host application reads the plugin by this key name — confirm
  # against other plugins before correcting the spelling.
  info.1.manfacturer = "TippingPoint Technologies"
  info.1.device = "TippingPoint SMS"
  info.1.version = ""
  info.2.manfacturer = "3Com"
  info.2.device = "TippingPoint SMS"
  info.2.version = ""
  # 2008-04-18 - GMF - 1.0 - Initial implementation
  # 2008-04-25 - GMF - 1.1 - Mapped action_type and severity to human-readable values.
  # The name of the log format
  log.format.format_label = "Tipping Point SMS Log Format"
  # Events arrive via syslog; the parsing filter below works on v.syslog_message,
  # i.e. the payload after the syslog header has been stripped.
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"
  # The log is in this format if any of the first ten lines match this regular expression.
  # It keys on the distinctive start of the SMS payload: a one-digit action type
  # (7-9), a one-digit severity (0-4), two 8-4-4-4-12 hex-digit UUIDs (policy and
  # signature), then a number followed by a colon. Anything after that is not
  # examined, so the detection is deliberately loose.
  log.format.autodetect_expression = `
#e.g. 2008-04-02 09:01:01 Local4.Notice 12.34.56.78 7 1 00000002-0002-0002-0002-000000002222 00000001-0001-0001-0001-000000001111 4691: HTTP: Adobe Macromedia Flash Download 4691 tcp 98.76.54.32 80 12.34.56.78 1169 1 1A 1B 1 0 TippingPoint200E 67108259 1217097941015
matches_regular_expression(volatile.log_data_line, ' [7-9] [0-4] [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] [0-9]+: ')
`
  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"
  # Log fields (one per capture group of the parsing regular expression;
  # timestamp is computed from the last group and is not stored in the database).
  log.fields = {
    action_type = ""
    severity = ""
    policy_uuid = ""
    signature_uuid = ""
    signature_name = ""
    signature_number = ""
    signature_protocol = ""
    # "host" type enables the host-based lookups the reporting layer does on this field.
    source_address.type = "host"
    source_port = ""
    destination_address = ""
    destination_port = ""
    source_zone_name = ""
    destination_zone_name = ""
    incoming_physical_port = ""
    vlan_id = ""
    device_segment = ""
    device_name = ""
    taxonomy_id = ""
    timestamp = ""
  } # log.fields
  # Log Parsing Filters
  #
  # A single regular expression captures 19 space-separated groups from the
  # syslog payload, in this order:
  #   $1 action_type   $2 severity        $3 policy_uuid      $4 signature_uuid
  #   $5 signature_name $6 signature_number $7 signature_protocol
  #   $8 source_address $9 source_port    $10 destination_address $11 destination_port
  #   $12 source_zone_name $13 destination_zone_name $14 incoming_physical_port
  #   $15 vlan_id      $16 device_segment $17 device_name     $18 taxonomy_id
  #   $19 timestamp (milliseconds since the epoch)
  # A line that does not match the expression is silently dropped: no
  # accept_collected_entry() call is made for it.
  #
  # NOTE(review): the sample line above has spaces inside the signature name
  # ("4691: HTTP: Adobe Macromedia Flash Download"), but $5 is matched with
  # [^ ]+ and $6 must then be all digits, so that sample would NOT match this
  # expression. Likewise $12 (source_zone_name) is digits-only while $13
  # (destination_zone_name) accepts any non-space token. Confirm against a
  # real SMS syslog export before relying on the field mapping.
  log.parsing_filters.parse = `
#e.g. 2008-04-02 09:01:01 Local4.Notice 12.34.56.78 7 1 00000002-0002-0002-0002-000000002222 00000001-0001-0001-0001-000000001111 4691: HTTP: Adobe Macromedia Flash Download 4691 tcp 98.76.54.32 80 12.34.56.78 1169 1 1A 1B 1 0 TippingPoint200E 67108259 1217097941015
if (matches_regular_expression(v.syslog_message, '^([0-9]+) ([0-9]+) ([0-9-]+) ([0-9-]+) ([^ ]+) ([0-9]+) ([^ ]+) ([0-9.]+) ([0-9]+) ([0-9.]+) ([0-9]+) ([0-9]+) ([^ ]+) ([^ ]+) ([0-9]+) ([0-9]+) ([^ ]+) ([0-9]+) ([0-9]+)')) then (
#if (matches_regular_expression(v.syslog_message, '^([0-9]+) ([0-9]+) ([0-9-]+) ([0-9-]+) ([^ ]+) ([0-9]+)')) then (
  # action_type and severity are kept in v.* first because they are translated
  # to human-readable values below before being stored.
  v.action_type = $1;
  v.severity = $2;
  set_collected_field('', 'policy_uuid', $3);
  set_collected_field('', 'signature_uuid', $4);
  set_collected_field('', 'signature_name', $5);
  set_collected_field('', 'signature_number', $6);
  set_collected_field('', 'signature_protocol', $7);
  set_collected_field('', 'source_address', $8);
  set_collected_field('', 'source_port', $9);
  set_collected_field('', 'destination_address', $10);
  set_collected_field('', 'destination_port', $11);
  set_collected_field('', 'source_zone_name', $12);
  set_collected_field('', 'destination_zone_name', $13);
  set_collected_field('', 'incoming_physical_port', $14);
  set_collected_field('', 'vlan_id', $15);
  set_collected_field('', 'device_segment', $16);
  set_collected_field('', 'device_name', $17);
  set_collected_field('', 'taxonomy_id', $18);
  # $19 is an epoch timestamp in milliseconds; divide to get seconds for normalize_date/normalize_time.
  # The entry's date/time therefore come from the event payload (the SMS
  # device clock), not from the syslog header or receipt time; a device with a
  # skewed clock will place its events accordingly.
  v.timestamp = ($19) / 1000.0;
  # set_collected_field('', 'timestamp', $19);
  set_collected_field('', 'events', 1); # events set from field in other format, so no log filter
  set_collected_field('', 'date', normalize_date(v.timestamp, 'seconds_since_jan1_1970'));
  set_collected_field('', 'time', normalize_time(v.timestamp, 'seconds_since_jan1_1970'));
  # 2008-04-25 - GMF - Convert numerical action_type to human-readable
  # The lookup tables live under lang_stats.log_formats.tipping_point_sms.*
  # (not in this file); an unknown numeric value is stored unchanged.
  if (subnode_exists('lang_stats.log_formats.tipping_point_sms.action_type', v.action_type)) then
    v.action_type = node_value(subnode_by_name("lang_stats.log_formats.tipping_point_sms.action_type", v.action_type));
  set_collected_field('', 'action_type', v.action_type);
  # 2008-04-25 - GMF - Convert numerical severity to human-readable
  if (subnode_exists('lang_stats.log_formats.tipping_point_sms.severity', v.severity)) then
    v.severity = node_value(subnode_by_name("lang_stats.log_formats.tipping_point_sms.severity", v.severity));
  set_collected_field('', 'severity', v.severity);
  accept_collected_entry('', false);
);
`
  # Database fields
  database.fields = {
    action_type = ""
    severity = ""
    policy_uuid = ""
    signature_uuid = ""
    signature_name = ""
    signature_number = ""
    signature_protocol = ""
    source_address = ""
    # No log field sets "location"; presumably it is derived from the
    # host-typed source_address by the reporting layer — verify.
    location = ""
    source_port = ""
    destination_address = ""
    destination_port = ""
    source_zone_name = ""
    destination_zone_name = ""
    incoming_physical_port = ""
    vlan_id = ""
    device_segment = ""
    device_name = ""
    taxonomy_id = ""
    # timestamp = ""
  } # database.fields
  database.numerical_fields = {
    # One event per accepted line; the parsing filter sets it to 1 explicitly,
    # so no log field is required for it.
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    # Count of distinct source addresses seen.
    unique_source_addresses = {
      log_field = "source_address"
      type = "unique"
    } # unique_source_addresses
  } # database.numerical_fields
  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
    } # report_groups
  } # create_profile_wizard_options
} # tipping_point_sms