# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for Sourcefire Defense Center events received
# over syslog. Everything below is parsed by the single regular expression
# in log.parsing_filters.parse; nothing else populates the log fields.
sourcefire_dc = {
  plugin_version = "1.0"
  # 2012-02-10 - 1.0 - Benson - Initial creation.

  # Device identification shown in the profile wizard.
  # NOTE(review): the key is spelled "manfacturer" here; confirm against the
  # plugin schema before renaming, since other plugins spell it "manufacturer".
  info.1.manfacturer = "Sourcefire"
  info.1.device = "Defense Center"
  info.1.version.1 = "4.10.1.4"

  # The name of the log format
  log.format.format_label = "Sourcefire Defense Center Syslog Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first autodetect_lines lines
  # match this regular expression. The check only inspects the syslog
  # header plus the leading "[gid:sid:rev]" token; it does not verify the
  # host name or the "SFIMS:" tag, so any syslog source emitting a
  # "[n:n:n] " token after the header will autodetect as this format.
  log.format.autodetect_regular_expression = "[A-Z][a-z][a-z] [0-9]+ [0-9:]+ [^ ]+ [^ ]+ \\[[0-9:]+\\] "
  # Number of leading lines sampled for autodetection (the comment above
  # refers to this value; it is 1000, not ten).
  log.format.autodetect_lines = 1000

  # All log field parsing will be done using the parsing filters.
  # Consequence: a line the filter below does not accept is discarded, not
  # merely left with empty fields.
  log.format.parse_only_with_filters = "true"

  # Log fields
  log.fields = {
    # "[gid:sid:rev]" rule identifier captured from the event prefix.
    sfims = ""
    # Rule message text (the quoted string after the rule identifier).
    message = ""
    impact = ""
    # Sensor / device name from the 'From "..."' clause.
    from = ""
    classification = ""
    priority = ""
    protocol = ""
    # Typed as host so Sawmill can resolve / geolocate it (see "location"
    # in database.fields).
    source_ip.type = "host"
    source_port = ""
    destination_ip = ""
    destination_port = ""
    # Per-line event counter, always set to 1 by the filter.
    events = ""
  } # log.fields

  # Log Parsing Filters
  #
  # Sample line the expression below was written against:
  # Feb 10 04:06:48 VirtualDC SFIMS: [1:19559:1] "BAD-TRAFFIC SSH brute force login attempt" [Impact: Potentially Vulnerable] From "3D2500-Inline-DE/3d2500.foo.bar.com" at Fri Feb 10 04:08:20 2012 UTC [Classification: Misc Activity] [Priority: 3] {tcp} 12.34.56.78:12345->23.45.67.89:22
  #
  # Capture groups, in order:
  #   $1  rule id "gid:sid:rev"          $8  classification
  #   $2  rule message                   $9  priority
  #   $3  impact                         $10 protocol (lower-case word in {})
  #   $4  sensor name                    $11 source address
  #   $5  event month+day                $12 source port
  #   $6  event time                     $13 destination address
  #   $7  event year                     $14 destination port
  #
  # Caveats a reviewer should be aware of:
  #   * The entry is only accepted inside the "then" branch; there is no
  #     else branch, so any line that does not match the WHOLE expression
  #     (anchored with "$") is dropped silently. Watch for gaps when the DC
  #     format changes between releases.
  #   * Addresses are matched as [0-9.]+ and the line must end in
  #     "addr:port->addr:port", so IPv6 events or events without ports will
  #     not match and will be dropped.
  #   * date_time is built from the event timestamp in the 'at ...' clause
  #     (month/day, year, time), not from the syslog header. The trailing
  #     time-zone token is matched as [^ ]+ and never checked, so it is
  #     treated as whatever Sawmill's default zone is — verify the DC is
  #     configured to report UTC as in the sample.
  #   * A rule message or sensor name containing a double quote will not
  #     match ([^"]+) and the line is discarded.
  #   * The double backslashes are consumed once by the backtick string and
  #     once by the single-quoted Salang string, yielding a literal "\[" etc.
  #     in the regular expression.
  log.parsing_filters.parse = `
if (matches_regular_expression(v.syslog_message, '[A-Z][a-z][a-z] [0-9]+ [0-9:]+ [^ ]+ [^ ]+ \\\\[([0-9:]+)\\\\] \\"([^"]+)\\" \\\\[Impact: ([^]]+)\\\\] From \\"([^"]+)\\" at [A-Z][a-z][a-z] ([A-Z][a-z][a-z] [0-9]+) ([0-9:]+) ([0-9][0-9][0-9][0-9]) [^ ]+ \\\\[Classification: ([^]]+)\\\\] \\\\[Priority: ([0-9]+)\\\\] \\\\{([a-z]+)\\\\} ([0-9.]+):([0-9]+)->([0-9.]+):([0-9]+)$')) then (
  set_collected_field('', 'sfims', $1);
  set_collected_field('', 'message', $2);
  set_collected_field('', 'impact', $3);
  set_collected_field('', 'from', $4);
  set_collected_field('', 'date_time', $5 . " " . $7 . " " . $6);
  set_collected_field('', 'classification', $8);
  set_collected_field('', 'priority', $9);
  set_collected_field('', 'protocol', $10);
  set_collected_field('', 'source_ip', $11);
  set_collected_field('', 'source_port', $12);
  set_collected_field('', 'destination_ip', $13);
  set_collected_field('', 'destination_port', $14);
  set_collected_field('', 'events', 1);
  accept_collected_entry('', false);
);
`

  # Database fields
  database.fields = {
    sfims = ""
    message = ""
    impact = ""
    from = ""
    classification = ""
    priority = ""
    protocol = ""
    source_ip = ""
    source_port = ""
    destination_ip = ""
    destination_port = ""
    # Not a log field; presumably derived from source_ip (typed "host"
    # above) by Sawmill's geolocation — confirm against the Sawmill docs.
    location = ""
  } # database.fields

  # Numerical (aggregated) fields; "events" is the only counter and is
  # the default metric for reports.
  database.numerical_fields = {
    events = {
      default = true
    }
  } # database.numerical_fields

  create_profile_wizard_options = {
    host_tracking = true
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_group = {
        source_ip = true
        source_port = true
        location = true
      }
      destination_group = {
        destination_ip = true
        destination_port = true
      }
    } # report_groups
  } # create_profile_wizard_options
} # sourcefire_dc