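# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plug-in for the McAfee Email Security Appliance (5.5 / 5.6)
# syslog output. The appliance writes one "Application=smtp, Event=..." record per
# syslog line; this plug-in strips the syslog header, normalizes the mixed quoting
# in the comma-separated key=value list, and collects the fields listed under
# log.fields into the database fields listed under database.fields.

email_security_appliance = {

  plugin_version = "1.1"

  info.1.manufacturer = "McAfee"
  info.1.device = "Email Security Appliance"
  info.1.version.1 = "5.5"
  info.1.version.2 = "5.6"

  # 2010-09-21 - 1.0 - GMF - Created initial plug-in
  # 2011-10-27 - 1.1 - KBB - Added support for version 5.6.

  # The name of the log format
  log.format.format_label = "McAfee Email Security Appliance Log Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "mail_server"

  # e.g.
  # 2010-09-15 00:00:04 Mail.Info abc.def.com Sep 15 05:00:04 abcrelay1 Application=smtp, Event='Transport log. Defer, refuse and retry', From=<>, size=2977, source=(12.34.56.78), nrcpts=1, to=, msgid=5118_3b21_9d67c8d2_c022_11df_b1ba_00119b929bbd, relay=(), status='The email is deferred', subject='Delivery Status'
  # 2011-08-18 00:00:00 Mail.Info owlrelay.owl.org Aug 18 00:00:00 OWLRELAY : Application=smtp, Event='Email Status', From=, size=4156, source=(222.122.22.222), nrcpts=1, to=, msgid=4162_e47a_e99b3d86_c956_11e0_839f_00219b929a09, relay=(10.66.6.66), status='Email Delivered', subject='[SA45613] Oracle Solaris Certificate IP Address Wildcard Matching Vulnerability', attachment(s)='', number-attachment(s)='0'
  # 2011-08-18 00:05:00 Mail.Info owlrelay.owl.org Aug 18 00:05:00 OWLRELAY : Application=smtp, Event='Real-time Blackhole List lookup triggered', status='Reject, close and deny the connection', source=(55.55.155.155), msgid=416e_5f7d_9b7709c2_c957_11e0_9520_00219b929a09, convid=416e_5f7c_9b770986_c957_11e0_9520_00219b929a09

  # The log is in this format if any of the first ten lines match this regular expression.
  # The marker is unanchored: any syslog line containing it (from any host) will trigger
  # autodetection, so a mixed syslog feed may be claimed by this format.
  log.format.autodetect_regular_expression = "Application=smtp, Event="
  #log.format.autodetect_lines = "2" # it's on every line, but this is syslog, so there could be other events

  # This covers ', ' in the fields also
  log.format.allow_spaces_in_listed_field_values = "true"

  # Log fields.
  # Note for analysts: subject, from, to, attachment(s) and filename are copied from
  # the message itself and are therefore remote-sender-controlled content, not
  # appliance-generated values; see the quoting caveats in the parsing filter.
  log.fields = {
    application = ""
    event = ""
    status = ""
    source = ""
    source_ip.type = "host"
    source_hostname = ""
    from = ""
    to = ""
    relay = ""
    subject = ""
    nrcpts = ""
    size = ""
    msgid = ""
    convid = ""
    # new in 5.6
    # (application and event were listed a second time here in 1.1; the duplicate
    # definitions added nothing and have been dropped)
    active_recipient = ""
    attachment = "" # attachment(s)
    attachments = "" # number-attachment(s)
    filename = ""
    received_email_over_tls = ""
    sent_email_over_tls = ""
    scanner_triggered = "" # scanner(s)-triggered
    contentrule = ""
    rule = ""
    spamrules = ""
    spamscore = ""
    spamthreshold = ""
    xvalue = ""
  } # log.fields

  # Log Parsing Filters
  log.parsing_filters.parse = `
    # Strip off leading "unix syslog" style header
    if (matches_regular_expression(v.syslog_message, "^[A-Z][a-z][a-z] [0-9 ][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [^ ]+ (.*)$")) then
      v.syslog_message = $1;

    v.list = '';
    if (matches_regular_expression(v.syslog_message, '[^A-Za-z_-]?(Application=.*)$')) then (
      v.list = $1;

      # Fix the quotes in the list so it will parse correctly.
      # Collect listed fields only recognizes ' ,' in a value if the surrounding quotes are double.
      # Other possible problems are apostrophe in values and double quotes in values.
      # Robustness caveat: the rewrite below round-trips through the placeholder tokens
      # XXQUOTEXX and --QUOTE--. A field value that literally contains one of those tokens
      # (which a remote sender could place in a subject or filename) will be altered by the
      # round-trip; a closing quote followed by ", " inside a value will also be mistaken for
      # the end of the field. Neither case is detected here.
      #Application=smtp, Event='Email Status', From=, size=18434, source=(222.22.22.2), nrcpts=, to=, msgid=2603_066c_00dd50d8_c957_11e0_8854_00219b92b0ad, relay=(), status='Email accepted and dropped', received-email-over-tls='true', subject='The auditbot "Network Probe" has raised an alarm', attachment(s)='', number-attachment(s)='0'
      v.list = replace_all(v.list, "='", '=XXQUOTEXX');
      v.list = replace_all(v.list, "', ", 'XXQUOTEXX, ');
      v.list = replace_all(v.list, '"', '--QUOTE--');
      v.list = replace_all(v.list, 'XXQUOTEXX', '"');
      if (matches_regular_expression(v.list, "'$")) then
        v.list = replace_last(v.list, "'", '"');

      # Map the appliance's key names onto the log fields declared above. Keys are
      # normalized to identifiers before mapping, so "attachment(s)" arrives as
      # "attachment_s_" and "scanner(s)-triggered" as "scanner_s__triggered".
      # The last pair previously read "scanner_s__triggered|scanner_triggered" ('|' in
      # place of '='), which did not follow the name=field form used by the other three
      # pairs and, as far as can be told from this file, left scanner_triggered unmapped.
      collect_listed_fields('', v.list, ', ', '=', 'value=xvalue|attachment_s_=attachment|number_attachment_s_=attachments|scanner_s__triggered=scanner_triggered');

      # Restore double quotes that were replaced with --QUOTE-- above. The 5.6 sample only
      # shows them in subject, but attachment(s) and filename are free-text values from the
      # same message, so they get the same treatment; an absent field is a no-op here.
      v.subject = get_collected_field('', 'subject');
      if (contains(v.subject, '--QUOTE--')) then (
        set_collected_field('', 'subject', replace_all(v.subject, '--QUOTE--', '"'));
      );
      v.attachment = get_collected_field('', 'attachment');
      if (contains(v.attachment, '--QUOTE--')) then (
        set_collected_field('', 'attachment', replace_all(v.attachment, '--QUOTE--', '"'));
      );
      v.filename = get_collected_field('', 'filename');
      if (contains(v.filename, '--QUOTE--')) then (
        set_collected_field('', 'filename', replace_all(v.filename, '--QUOTE--', '"'));
      );

      # Above clean-up makes this unnecessary
      # # Strip quotes off event and status
      # if (matches_regular_expression(get_collected_field('', 'event'), "^'(.*)'$")) then
      #   set_collected_field('', 'event', $1);
      # if (matches_regular_expression(get_collected_field('', 'status'), "^'(.*)'$")) then
      #   set_collected_field('', 'status', $1);

      # Split source into an optional hostname prefix and the parenthesized address,
      # e.g. source=(12.34.56.78). The address class is "anything but ')'" so that a
      # stray ')' inside the value cannot be swallowed into source_ip (the previous
      # class excluded ']' instead, which was not the closing delimiter).
      if (matches_regular_expression(get_collected_field('', 'source'), '^([^)]*)[(]([^)]+)[)]$')) then (
        set_collected_field('', 'source_hostname', $1);
        set_collected_field('', 'source_ip', $2);
      );

      # Strip <> from "from" and "to"
      if (matches_regular_expression(get_collected_field('', 'from'), '^<([^>]*)>$')) then (
        set_collected_field('', 'from', $1);
      );
      if (matches_regular_expression(get_collected_field('', 'to'), '^<([^>]*)>$')) then (
        set_collected_field('', 'to', $1);
      );

      # One database row per accepted record
      set_collected_field('', 'events', 1);
      accept_collected_entry('', false);
    )
  `

  # Optional log filters. Each one blanks a per-message identifier before it reaches
  # the database; presumably intended for deployments that do not want to retain them.
  log.filters = {
    clear_msgid = `msgid = "omitted"`
    clear_convid = `convid = "omitted"`
  }

  # Database fields
  log.fields.placeholder_unused = ""
  database.fields = {
    date_time = ""
    hour_of_day = ""
    day_of_week = ""
    application = ""
    event = ""
    status = ""
    source_ip = ""
    from = ""
    source_hostname = ""
    # location/organization/isp/domain have no log field of their own; they are
    # derived by Sawmill from source_ip (inferred from the senders_group below).
    location = ""
    organization = ""
    isp = ""
    domain = ""
    to = ""
    relay = ""
    subject = ""
    nrcpts = ""
    size = ""
    msgid = ""
    convid = ""
    # new in 5.6
    active_recipient = ""
    attachment = "" # attachment(s)
    filename = ""
    received_email_over_tls = ""
    sent_email_over_tls = ""
    scanner_triggered = "" # scanner(s)-triggered
    contentrule = ""
    rule = ""
    spamrules = ""
    spamscore = ""
    spamthreshold = ""
    xvalue = ""
  } # database.fields

  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    unique_source_ips = {
      log_field = "source_ip"
      type = "unique"
    } # unique_source_ips
    size = {
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    }
    attachments = "" # number-attachment(s)
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      senders_group = {
        from = true
        source_ip = true
        source_hostname = true
        location = true
        organization = true
        isp = true
        domain = true
      }
      recipients_group = {
        to = true
        nrcpts = true
        active_recipient = true
      }
      content_group = {
        size = true
        subject = true
        attachment = true
        filename = true
      }
      security_group = {
        received_email_over_tls = true
        sent_email_over_tls = true
        scanner_triggered = true
        contentrule = true
        rule = true
        spamrules = true
        spamscore = true
        spamthreshold = true
      }
      other_group = {
        application = true
        event = true
        status = true
        msgid = true
        convid = true
        xvalue = true
        relay = true
      }
    } # report_groups
  } # create_profile_wizard_options

} # email_security_appliance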