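# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Microsoft Forefront Threat Management Gateway
# (TMG) W3C-style logs: autodetection, a preprocessor that builds the log and
# database fields from the log's own #Fields header, the numerical fields, and
# the report grouping used by the profile-creation wizard.
#
# NOTE(review): the plugin node is named "forefront_thread_management_gateway"
# ("thread", not "threat"). The node name is part of the plugin's interface
# (it must match the plugin file name and is referenced by profiles built from
# it), so it is deliberately left unchanged here.
forefront_thread_management_gateway = {

  plugin_version = "1.1"

  info.1.manufacturer = "Microsoft"
  info.1.device = "Forefront Threat Management Gateway"
  info.1.version.1 = "2.0"

  # 2012-03-16 - 1.0 - GMF - Initial creation
  # 2012-04-03 - 1.1 - GMF - Added additional numerical fields; categorized reports

  # The name of the log format
  log.format.format_label = "Microsoft Forefront Threat Management Gateway"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  log.format.autodetect_regular_expression = "^#Software: Microsoft Forefront Threat Management Gateway"

  # Log fields are separated by tabs.
  # NOTE(review): the separator literal below (and the one inside the
  # field-splitting regular expression in the preprocessor) must be an actual
  # TAB character; confirm it was not turned into a space when this file was
  # copied, since a plain space would not split TMG's tab-separated lines.
  log.format.field_separator = " "

  # This handles #Fields lines, and creates log and database fields from them.
  #
  # The log fields are named after the columns declared in the log's own
  # #Fields header, so that header is untrusted input to this plugin. Every
  # column name is reduced to [a-z0-9_] (anything else becomes '_', trailing
  # underscores are stripped) before it is used in a profile node path, which
  # keeps a malformed or hostile header from introducing '.' (the node path
  # separator) or other characters into the "profiles.<name>.log.fields.<...>"
  # and "profiles.<name>.database.fields.<...>" paths built here.
  # Database fields are only created while the profile is being created
  # (volatile.creating_profile exists), so a later log with a different header
  # does not alter an existing profile's database schema. Any line that starts
  # with '#' is rejected rather than parsed as data.
  log.filter_preprocessor = `
    if (matches_regular_expression(current_log_line(), '^#Fields: (.*)$')) then (
      string fields = $1;
      string fieldname;
      v.logfieldindex = 1;
      string numerical_fields = "profiles." . internal.profile_name . ".database.numerical_fields";

      # This subroutine creates a database field named fieldname under the
      # current profile (an empty node; the label line is intentionally left
      # commented out) and returns its node.
      subroutine(create_database_field(string fieldname), (
        #echo("create_database_field: " . fieldname);
        debug_message("create_database_field(" . fieldname . ")\n");
        string databasefieldpath = "profiles." . internal.profile_name . ".database.fields." . fieldname;
        (databasefieldpath . "") = "";
        node databasefield = databasefieldpath;
        # set_subnode_value(databasefield, "label", fieldname);
        databasefield;
      ));

      # This subroutine creates a log field named fieldname under the current
      # profile. When withindex is true the field gets the next column index
      # (v.logfieldindex) and the counter is advanced; subindex is always 0 and
      # type is only set when non-empty. Returns the field's node.
      subroutine(create_log_field(string fieldname, string type, bool withindex), (
        debug_message("create_log_field(" . fieldname . "; type=" . type . ")\n");
        string logfieldpath = "profiles." . internal.profile_name . ".log.fields." . fieldname;
        (logfieldpath . "") = "";
        node logfield = logfieldpath;
        # set_subnode_value(logfield, "label", fieldname);
        if (withindex) then (
          set_subnode_value(logfield, "index", v.logfieldindex);
          v.logfieldindex++;
        );
        set_subnode_value(logfield, "subindex", 0);
        if (type ne '') then
          set_subnode_value(logfield, "type", type);
        logfield;
      ));

      # Extract the fields one at a time (separated by tabs).
      # NOTE(review): this loop only consumes a name that is followed by a
      # separator, so the last name on the #Fields line is created only when
      # the line ends with a separator. Confirm against a real TMG header; if
      # it does not, append one separator to fields before entering the loop.
      while (matches_regular_expression(fields, '^([^ ]+) (.*)$')) (
        string unconverted_fieldname = $1;
        fields = $2;

        # Clean up the field name: lowercase it, replace every character
        # outside [a-z0-9] with '_', then strip trailing underscores.
        fieldname = '';
        for (int i = 0; i < length(unconverted_fieldname); i++) (
          string c = lowercase(substr(unconverted_fieldname, i, 1));
          if (!matches_regular_expression(c, '^[a-z0-9]$')) then
            c = '_';
          fieldname .= c;
        );
        while (matches_regular_expression(fieldname, '^(.*)_$'))
          fieldname = $1;

        # Get the log field type; only the client IP is typed (as a host)
        string log_field_type = '';
        if (fieldname eq 'original_client_ip') then
          log_field_type = 'host';

        # Create the log field
        create_log_field(fieldname, log_field_type, true);

        # If we're creating a profile, create the database fields too.
        if (node_exists("volatile.creating_profile")) then (

          # Handle date by creating date_time and derived database fields.
          # The same three fields are created again for "time" below; a second
          # create_database_field only resets the node to empty, which appears
          # harmless when both columns are present.
          if (fieldname eq "date") then (
            create_database_field('date_time');
            create_database_field('day_of_week');
            create_database_field('hour_of_day');
            # ("profiles." . internal.profile_name . ".log.parsing_filters.parse_localtime.disabled") = true;
          ); # if date

          else if (fieldname eq "time") then (
            create_database_field('date_time');
            create_database_field('day_of_week');
            create_database_field('hour_of_day');
          ); # if time

          # Create the client IP field and its derived location field
          else if (fieldname eq "original_client_ip") then (
            create_database_field('original_client_ip');
            create_database_field('location');
          );

          # Don't add a database field for numerical fields
          else if (subnode_exists(numerical_fields, fieldname)) then (
            debug_message("Not adding numerical field: " . fieldname . "\n");
          );

          # Create a normal database field
          else
            create_database_field(fieldname);

        ); # if creating profile

      ); # while another field

      # Don't parse the #Fields line as a data line
      'reject';

    ); # if #Fields

    # Don't parse any other # lines as data lines
    else if (starts_with(current_log_line(), '#')) then (
      'reject';
    );
  `

  # Log fields (populated at runtime by the preprocessor above)
  log.fields = {
    # original_client_ip.type = "host"
  } # log.fields

  # Database fields (populated at profile creation by the preprocessor above)
  database.fields = {
  } # database.fields

  # Log Filters
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'events = 1;'
    } # mark_entry
  } # log.filters

  # Numerical (aggregated) fields. The names here must match the sanitized
  # form of the #Fields column names, because the preprocessor looks each
  # sanitized name up in this list to avoid creating a database field for it.
  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = false
      entries_field = true
    } # events
    # unique_client_ips = {
    #   log_field = "c_ip"
    #   type = "unique"
    # } # unique_client_ips
    cs_bytes = {
      integer_bits = 64
      display_format_type = "bandwidth"
    } # cs_bytes
    sc_bytes = {
      integer_bits = 64
      display_format_type = "bandwidth"
    } # sc_bytes
    time_taken = {
      integer_bits = 64
      display_format_type = duration_milliseconds
    } # time_taken
    bytes_sent = {
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_sent
    bytes_sent_intermediate = {
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_sent_intermediate
    bytes_received = {
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_received
    bytes_received_intermediate = {
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes_received_intermediate
    connection_time = {
      integer_bits = 64
      display_format_type = duration_compact
    } # connection_time
    connection_time_intermediate = {
      integer_bits = 64
      display_format_type = duration_compact
    } # connection_time_intermediate
  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu. Keys are the
    # sanitized field names produced by the preprocessor.
    report_groups = {

      date_time_group = ""

      content_group = {
        cs_uri = true
        cs_mime_type = true
        s_object_source = true
        urlcategory = true
        urlcategorizationreason = true
        urldesthost = true
      } # content_group

      client_group = {
        c_ip = true
        cs_username = true
        c_agent = true
      } # client_group

      server_group = {
        s_svcname = true
        s_computername = true
        r_host = true
        r_ip = true
        r_port = true
      } # server_group

      security_group = {
        sc_authenticated = true
        authenticationserver = true
      } # security_group

      threat_group = {
        malwareinspectionduration = true
        malwareinspectionthreatlevel = true
        threatname = true
        malwareinspectionaction = true
        malwareinspectionresult = true
        malwareinspectioncontentdeliverymethod = true
      } # threat_group

      filter_group = {
        rule = true
        filterinfo = true
      } # filter_group

      # Everything not placed in a more specific group above.
      # (sc_uageventname and mi_uagtrunkname were each listed twice; the
      # duplicate entries have been removed.)
      other_group = {
        cs_referred = true
        cs_protocol = true
        cs_transport = true
        s_operation = true
        sc_status = true
        s_cache_info = true
        cs_network = true
        sc_network = true
        error_info = true
        action = true
        gmt_time = true
        nis_scan_result = true
        nis_signature = true
        mi_uagarrayid = true
        sc_uagversion = true
        mi_uagmoduleid = true
        sc_uagid = true
        mi_uagseverity = true
        mi_uagtype = true
        sc_uageventname = true
        mi_uagsessionid = true
        mi_uagtrunkname = true
        mi_uagservicename = true
        sc_uagerrorcode = true
        internal_service_info = true
        nis_application_protocol = true
        nat_address = true
        sessiontype = true
        s_port = true
        softblockaction = true
      } # other_group

    } # report_groups

  } # create_profile_wizard_options

} # forefront_thread_management_gateway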