# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Juniper NetScreen IDP logs as received
# through a syslog relay.  The record layout this plugin expects is:
#
#   <syslog stamp> <relay host> <relay ip> <8 digits>-<digits> \
#   <yyyy/mm/dd> <hh:mm:ss> <origin_ip> <src:port> <dst:port> \
#   <addr:port> <addr:port> <space-separated fields ...>
#
# Every field after the two timestamps is matched with "[^ ]*", i.e. the
# parser relies on fields never containing a space.  Values that originate
# from the observed traffic (e.g. "attack" and "variable_data") are not
# under the analyst's control; a space inside one of them shifts every
# following capture group by one.  Treat parsed values as untrusted data.
netscreen_idp = {

  info.1.manufacturer = "Juniper Networks"
  info.1.device = "NetScreen IDP"
  info.1.version.1 = ""

  # Human-readable name of the log format.
  log.format.format_label = "Netscreen IDP Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # Autodetection: the format is selected when any of the first ten lines
  # matches this expression.  It checks the BSD syslog stamp, the relay
  # host, a dotted address, the "<8 digits>-<digits>" token and the IDP's
  # own yyyy/mm/dd hh:mm:ss stamp.  NOTE(review): the second octet of the
  # relay address is written as "[0-9-]+" here but "[0-9.]+" in the
  # parsing expression below; the two should be brought in line once the
  # reason for the "-" is confirmed against real log samples.
  log.format.autodetect_regular_expression = "^[A-Z][a-z][a-z] [0-9 ][0-9] [0-9 ][0-9]:[0-9 ][0-9]:[0-9 ][0-9] [^ ]* *[0-9]+\\.[0-9-]+\\.[0-9]+\\.[0-9]+ [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9]+ [0-9][0-9][0-9][0-9]/[0-9][0-9]/[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]"

  # Field extraction.  Capture groups, in order:
  #   1 date  2 time  3 origin_ip
  #   4 source_ip : 5 source_port
  #   6 destination_ip : 7 destination_port
  #   (two further addr:port pairs are matched but not captured)
  #   8 user  9 inbound_interface  10 outbound_interface  11 origin
  #   12 virtual_device  13 attack
  #   14 policy_name : 15 policy_version
  #   16 rulebase .. 35 variable_data, one group per remaining log field
  # The number of capture groups must equal the number of entries in
  # log.fields below (35).  NOTE(review): re-count after any edit to
  # either list; a mismatch silently leaves the trailing fields empty.
  # The date/time that Sawmill uses (groups 1-2) is the IDP device's own
  # stamp, not the syslog relay stamp at the start of the line, so clock
  # skew on the sensor shows up directly in the reports.
  log.format.parsing_regular_expression = "^[A-Z][a-z][a-z] [0-9 ][0-9] [0-9 ][0-9]:[0-9 ][0-9]:[0-9 ][0-9] [^ ]* *[0-9.]+ [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9]+ ([0-9][0-9][0-9][0-9]/[0-9][0-9]/[0-9][0-9]) ([0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ([^ ]*) ([^:]*):([^ ]*) ([^:]*):([^ ]*) [^:]*:[^ ]* [^:]*:[^ ]* ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*):([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*) ([^ ]*)"

  # Layout of the captured date and time.  The stamp carries no time-zone
  # information; NOTE(review): presumably interpreted in the profile's
  # configured zone -- confirm before correlating with other sources.
  log.format.date_format = "yyyy/mm/dd"
  log.format.time_format = "hh:mm:ss"

  # Log fields.  All entries use index/subindex 0; NOTE(review): the
  # fields appear to be bound to capture groups in definition order, so
  # this list must stay in the same order as the groups above.
  log.fields = {

    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # date

    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time

    # Third token after the IDP timestamp; not the syslog relay address.
    origin_ip = {
      label = "$lang_stats.field_labels.origin_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # origin_ip

    # Only address field of type "host" (destination_ip is "flat").
    # NOTE(review): "host" type likely enables Sawmill's host-specific
    # handling such as reverse DNS lookups on attacker-supplied addresses;
    # confirm and consider the cost/exposure of resolving hostile sources.
    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      type = "host"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # source_ip

    source_port = {
      label = "$lang_stats.field_labels.source_port"
      type = "flat"
      index = 0
      subindex = 0
    } # source_port

    destination_ip = {
      label = "$lang_stats.field_labels.destination_ip"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_ip

    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      type = "flat"
      index = 0
      subindex = 0
    } # destination_port

    user = {
      label = "$lang_stats.field_labels.user"
      type = "flat"
      index = 0
      subindex = 0
    } # user

    inbound_interface = {
      label = "$lang_stats.field_labels.inbound_interface"
      type = "flat"
      index = 0
      subindex = 0
    } # inbound_interface

    outbound_interface = {
      label = "$lang_stats.field_labels.outbound_interface"
      type = "flat"
      index = 0
      subindex = 0
    } # outbound_interface

    origin = {
      label = "$lang_stats.field_labels.origin"
      type = "flat"
      index = 0
      subindex = 0
    } # origin

    virtual_device = {
      label = "$lang_stats.field_labels.virtual_device"
      type = "flat"
      index = 0
      subindex = 0
    } # virtual_device

    # Signature / attack name reported by the sensor.
    attack = {
      label = "$lang_stats.field_labels.attack"
      type = "flat"
      index = 0
      subindex = 0
    } # attack

    # policy_name and policy_version come from one "name:version" token.
    policy_name = {
      label = "$lang_stats.field_labels.policy_name"
      type = "flat"
      index = 0
      subindex = 0
    } # policy_name

    policy_version = {
      label = "$lang_stats.field_labels.policy_version"
      type = "flat"
      index = 0
      subindex = 0
    } # policy_version

    rulebase = {
      label = "$lang_stats.field_labels.rulebase"
      type = "flat"
      index = 0
      subindex = 0
    } # rulebase

    rule_number = {
      label = "$lang_stats.field_labels.rule_number"
      type = "flat"
      index = 0
      subindex = 0
    } # rule_number

    # Size field; summed into the "bytes" numerical database field.
    bytes = {
      label = "$lang_stats.field_labels.bytes"
      type = "size"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # bytes

    packets = {
      label = "$lang_stats.field_labels.packets"
      type = "flat"
      index = 0
      subindex = 0
    } # packets

    elapsed = {
      label = "$lang_stats.field_labels.elapsed"
      type = "flat"
      index = 0
      subindex = 0
    } # elapsed

    protocol = {
      label = "$lang_stats.field_labels.protocol"
      type = "flat"
      index = 0
      subindex = 0
    } # protocol

    user_flag = {
      label = "$lang_stats.field_labels.user_flag"
      type = "flat"
      index = 0
      subindex = 0
    } # user_flag

    category = {
      label = "$lang_stats.field_labels.category"
      type = "flat"
      index = 0
      subindex = 0
    } # category

    subcategory = {
      label = "$lang_stats.field_labels.subcategory"
      type = "flat"
      index = 0
      subindex = 0
    } # subcategory

    is_hidden = {
      label = "$lang_stats.field_labels.is_hidden"
      type = "flat"
      index = 0
      subindex = 0
    } # is_hidden

    is_duplicate = {
      label = "$lang_stats.field_labels.is_duplicate"
      type = "flat"
      index = 0
      subindex = 0
    } # is_duplicate

    is_alert = {
      label = "$lang_stats.field_labels.is_alert"
      type = "flat"
      index = 0
      subindex = 0
    } # is_alert

    severity = {
      label = "$lang_stats.field_labels.severity"
      type = "flat"
      index = 0
      subindex = 0
    } # severity

    # The next four record which responses the sensor took for the event.
    run_script = {
      label = "$lang_stats.field_labels.run_script"
      type = "flat"
      index = 0
      subindex = 0
    } # run_script

    send_email = {
      label = "$lang_stats.field_labels.send_email"
      type = "flat"
      index = 0
      subindex = 0
    } # send_email

    sent_snmp_trap = {
      label = "$lang_stats.field_labels.sent_snmp_trap"
      type = "flat"
      index = 0
      subindex = 0
    } # sent_snmp_trap

    sent_syslog = {
      label = "$lang_stats.field_labels.sent_syslog"
      type = "flat"
      index = 0
      subindex = 0
    } # sent_syslog

    from_external = {
      label = "$lang_stats.field_labels.from_external"
      type = "flat"
      index = 0
      subindex = 0
    } # from_external

    action = {
      label = "$lang_stats.field_labels.action"
      type = "flat"
      index = 0
      subindex = 0
    } # action

    # Last token on the line; free-form detail reported with the event.
    # Must be the last capture group because it is matched with "[^ ]*"
    # rather than ".*": anything after a space in it is dropped.
    variable_data = {
      label = "$lang_stats.field_labels.variable_data"
      type = "flat"
      index = 0
      subindex = 0
    } # variable_data

  } # log.fields

  # Database fields.  date_time, day_of_week, hour_of_day and location are
  # derived fields; the rest map one-to-one onto the log fields above.
  # packets and elapsed are parsed but not stored in the database.
  database.fields = {

    date_time = {
      label = "$lang_stats.field_labels.date_time"
      log_field = "date_time"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
      display_format_type = "date_time"
    } # date_time

    day_of_week = {
      label = "$lang_stats.field_labels.day_of_week"
      log_field = "day_of_week"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "day_of_week"
    } # day_of_week

    hour_of_day = {
      label = "$lang_stats.field_labels.hour_of_day"
      log_field = "hour_of_day"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
      display_format_type = "hour_of_day"
    } # hour_of_day

    origin_ip = {
      label = "$lang_stats.field_labels.origin_ip"
      log_field = "origin_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # origin_ip

    source_ip = {
      label = "$lang_stats.field_labels.source_ip"
      log_field = "source_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_ip

    source_port = {
      label = "$lang_stats.field_labels.source_port"
      log_field = "source_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # source_port

    # Derived from source_ip (the only "host" typed log field);
    # NOTE(review): presumably a geolocation field -- confirm.
    location = {
      label = "$lang_stats.field_labels.location"
      log_field = "location"
      type = "string"
      suppress_top = 0
      suppress_bottom = 3
    } # location

    destination_ip = {
      label = "$lang_stats.field_labels.destination_ip"
      log_field = "destination_ip"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_ip

    destination_port = {
      label = "$lang_stats.field_labels.destination_port"
      log_field = "destination_port"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # destination_port

    user = {
      label = "$lang_stats.field_labels.user"
      log_field = "user"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # user

    inbound_interface = {
      label = "$lang_stats.field_labels.inbound_interface"
      log_field = "inbound_interface"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # inbound_interface

    outbound_interface = {
      label = "$lang_stats.field_labels.outbound_interface"
      log_field = "outbound_interface"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # outbound_interface

    origin = {
      label = "$lang_stats.field_labels.origin"
      log_field = "origin"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # origin

    virtual_device = {
      label = "$lang_stats.field_labels.virtual_device"
      log_field = "virtual_device"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # virtual_device

    attack = {
      label = "$lang_stats.field_labels.attack"
      log_field = "attack"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # attack

    policy_name = {
      label = "$lang_stats.field_labels.policy_name"
      log_field = "policy_name"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # policy_name

    policy_version = {
      label = "$lang_stats.field_labels.policy_version"
      log_field = "policy_version"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # policy_version

    rulebase = {
      label = "$lang_stats.field_labels.rulebase"
      log_field = "rulebase"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # rulebase

    rule_number = {
      label = "$lang_stats.field_labels.rule_number"
      log_field = "rule_number"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # rule_number

    protocol = {
      label = "$lang_stats.field_labels.protocol"
      log_field = "protocol"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # protocol

    user_flag = {
      label = "$lang_stats.field_labels.user_flag"
      log_field = "user_flag"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # user_flag

    category = {
      label = "$lang_stats.field_labels.category"
      log_field = "category"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # category

    subcategory = {
      label = "$lang_stats.field_labels.subcategory"
      log_field = "subcategory"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # subcategory

    is_hidden = {
      label = "$lang_stats.field_labels.is_hidden"
      log_field = "is_hidden"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # is_hidden

    is_duplicate = {
      label = "$lang_stats.field_labels.is_duplicate"
      log_field = "is_duplicate"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # is_duplicate

    is_alert = {
      label = "$lang_stats.field_labels.is_alert"
      log_field = "is_alert"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # is_alert

    severity = {
      label = "$lang_stats.field_labels.severity"
      log_field = "severity"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # severity

    run_script = {
      label = "$lang_stats.field_labels.run_script"
      log_field = "run_script"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # run_script

    send_email = {
      label = "$lang_stats.field_labels.send_email"
      log_field = "send_email"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # send_email

    sent_snmp_trap = {
      label = "$lang_stats.field_labels.sent_snmp_trap"
      log_field = "sent_snmp_trap"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # sent_snmp_trap

    sent_syslog = {
      label = "$lang_stats.field_labels.sent_syslog"
      log_field = "sent_syslog"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # sent_syslog

    from_external = {
      label = "$lang_stats.field_labels.from_external"
      log_field = "from_external"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # from_external

    action = {
      label = "$lang_stats.field_labels.action"
      log_field = "action"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # action

    variable_data = {
      label = "$lang_stats.field_labels.variable_data"
      log_field = "variable_data"
      type = "string"
      suppress_top = 0
      suppress_bottom = 2
    } # variable_data

  } # database.fields

  # Log filters.  The only filter counts every accepted line as one hit;
  # no line is rejected here, so any record the parsing expression
  # accepts ends up in the database.
  log.filters = {
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'hits = 1;'
    } # mark_entry
  } # log.filters

  # Numerical fields.  "visitors" is the count of distinct source_ip
  # values; "bytes" is a 64-bit sum of the parsed bytes field.
  database.numerical_fields = {

    hits = {
      label = "$lang_stats.field_labels.hits"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # hits

    visitors = {
      label = "$lang_stats.field_labels.visitors"
      default = false
      requires_log_field = true
      log_field = "source_ip"
      type = "unique"
      display_format_type = "integer"
    } # visitors

    bytes = {
      label = "$lang_stats.field_labels.bytes"
      default = false
      requires_log_field = true
      log_field = "bytes"
      type = "int"
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes

  } # database.numerical_fields

  # Options used when a profile is created from this format.
  create_profile_wizard_options = {

    date_time_tracking = true
    host_tracking = true

    # Which reports appear in the report menu, and how they are grouped.
    report_groups = {
      date_time_group = ""
      origin_ip = true
      source_ip = true
      source_port = true
      location = true
      destination_ip = true
      destination_port = true
      user = true
      inbound_interface = true
      outbound_interface = true
      origin = true
      virtual_device = true
      attack = true
      policy_name = true
      policy_version = true
      rulebase = true
      rule_number = true
      protocol = true
      user_flag = true
      category = true
      subcategory = true
      is_hidden = true
      is_duplicate = true
      is_alert = true
      severity = true
      run_script = true
      send_email = true
      sent_snmp_trap = true
      sent_syslog = true
      from_external = true
      action = true
      variable_data = true
    } # report_groups

  } # create_profile_wizard_options

  # Web-style reports that have no meaning for IDP event data.
  not_supported = {
    sessionpages = true
    pageviews = true
  } # not_supported

} # netscreen_idp