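# Copyright (c) 2014 Flowerfire, Inc. All Rights Reserved.
#
# Sawmill log-format plugin for the Kerio Control "Security" log.
#
# Only lines of the form "[dd/Mon/yyyy hh:mm:ss] IPS: <type>, ..." are parsed
# (see log.parsing_filters.parse below); every other line in the security log
# is dropped by this plugin, so the resulting database is a record of IPS events
# only, not of the whole log.  Two IPS line shapes are understood:
#
#   1. signature alerts:
#      IPS: Alert, severity: <sev>, Rule ID: <gid:sid> <rule message>, proto:<proto>,
#           ip/port:<src ip>:<port> [(<annotation>)] -> <dst ip>:<port> [(<annotation>)]
#   2. port scans:
#      IPS: <type>, protocol: <proto>, source: <ip>, destination: <ip>, ports: <list>
#
# The rule message, addresses, port list and the parenthesised annotation are copied
# verbatim from the IPS log; they originate in traffic and in the rule set, so treat
# them as untrusted text wherever they are rendered or correlated.

control_security = {

  plugin_version = "1.0"

  # 2014-02-09 - 1.0 - GMF - Initial implementation

  info.1.manufacturer = "Kerio"
  info.1.device = "Control (Security)"
  info.1.version.1 = ""

  # The name of the log format
  log.format.format_label = "Kerio Control Security Log Format"
  log.miscellaneous.log_data_type = "network"
  log.miscellaneous.log_format_type = "network_device"

  # The log is in this format if any of the first ten lines match this regular expression.
  # It is anchored on "IPS: Alert, ", so a file whose first ten lines hold only other
  # event types will not be autodetected and has to be assigned to this format by hand.
  #[05/Feb/2014 00:33:57] IPS: Alert, severity: Blacklist, Rule ID: 1:2406145 ET RBN Known Russian Business Network IP UDP group 73, proto:TCP, ip/port:190.123.47.234:58027 -> 192.168.100.251:8001
  log.format.autodetect_regular_expression = "^[[][0-9][0-9]/[A-Z][a-z][a-z]/[0-9][0-9][0-9][0-9] [0-9:]+[]] IPS: Alert, "

  # All extraction happens in log.parsing_filters.parse; a line it does not accept is discarded.
  log.format.parse_only_with_filters = true

  # Log fields
  log.fields = {
    date = ""
    time = ""
    # IPS event type: the word between "IPS: " and the first comma (e.g. "Alert")
    type = ""
    protocol = ""
    severity = ""
    # "gid:sid" token following "Rule ID: " (e.g. "1:2406145")
    rule_id = ""
    # rule message text exactly as logged by the IPS
    rule = ""
    source_ip = ""
    # Holds whatever is inside the parentheses after the source endpoint.  In the
    # sample lines below that is "user:abc@def.com", i.e. an identity annotation,
    # not a resolved host name -- keep that in mind when reporting on this field.
    source_hostname = ""
    source_port = ""
    destination_ip = ""
    # Same annotation as source_hostname, for the destination endpoint.
    destination_hostname = ""
    destination_port = ""
    # Port Scan
    # "source" and "destination" are declared but never written by the parser below;
    # port-scan addresses go to source_ip/destination_ip.
    source = ""
    destination = ""
    port_scan_ports = ""
    events = ""
  } # log.fields

  # This regular expression is used to parse the log fields out of the log entry
  log.parsing_filters.parse = `
    # Every accepted line is "[date time] IPS: <type>, <remainder>".  A line that does
    # not match this outer pattern is neither accepted nor counted.
    if (matches_regular_expression(current_log_line(), '^[[]([0-9][0-9]/[A-Z][a-z][a-z]/[0-9][0-9][0-9][0-9]) ([0-9:]+)[]] IPS: ([^,]+), (.*)')) then (
      set_collected_field('', 'date', $1);
      set_collected_field('', 'time', $2);
      set_collected_field('', 'type', $3);
      v.remainder = $4;

      # Port-scan shape.  Note the addresses are stored in source_ip/destination_ip,
      # while the "source"/"destination" fields stay empty.
      if (matches_regular_expression(v.remainder, '^protocol: ([^,]+), source: ([^,]+), destination: ([^,]+), ports: (.*)$')) then (
        set_collected_field('', 'protocol', $1);
        set_collected_field('', 'source_ip', $2);
        set_collected_field('', 'destination_ip', $3);
        set_collected_field('', 'port_scan_ports', $4);
      );

      # Signature-alert shape.
      #[05/Feb/2014 16:02:55] IPS: Alert, severity: Medium, Rule ID: 1:2017453 ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection, proto:TCP, ip/port:12.34.56.78:56691 (user:abc@def.com) -> 23.45.67.89:80
      #[05/Feb/2014 15:47:28] IPS: Alert, severity: Blacklist, Rule ID: 1:2406323 ET RBN Known Russian Business Network IP UDP group 162, proto:TCP, ip/port:12.34.56.78:54200 -> 23.45.67.89:80
      # The rule message is captured greedily up to the last ", proto:" rather than with
      # "[^,]+": a rule message that itself contains a comma would otherwise fail this
      # match and the entry would be stored with only date/time/type filled in.
      # For a message without commas the captures are identical to the old pattern.
      else if (matches_regular_expression(v.remainder, 'severity: ([^,]+), Rule ID: ([^ ]+) (.*), proto:([^,]+), (.*)$')) then (
        set_collected_field('', 'severity', $1);
        set_collected_field('', 'rule_id', $2);
        set_collected_field('', 'rule', $3);
        set_collected_field('', 'protocol', $4);
        v.remainder = $5;

        # "ip/port:<src> -> <dst>"; each side is "a.b.c.d:port" optionally followed by
        # " (<annotation>)".  Only dotted-decimal (IPv4) addresses are recognised by the
        # "[0-9.]+" captures: should an endpoint ever be logged in another form, the
        # ip/port/hostname fields for that side are simply left empty.
        if (matches_regular_expression(v.remainder, '^ip/port:(.*) -> (.*)$')) then (
          v.source = $1;
          v.destination = $2;
          if (matches_regular_expression(v.source, '^([0-9.]+):([0-9]+) [(]([^)]+)[)]')) then (
            set_collected_field('', 'source_ip', $1);
            set_collected_field('', 'source_port', $2);
            set_collected_field('', 'source_hostname', $3);
          );
          else if (matches_regular_expression(v.source, '^([0-9.]+):([0-9]+)')) then (
            set_collected_field('', 'source_ip', $1);
            set_collected_field('', 'source_port', $2);
          );
          if (matches_regular_expression(v.destination, '^([0-9.]+):([0-9]+) [(]([^)]+)[)]')) then (
            set_collected_field('', 'destination_ip', $1);
            set_collected_field('', 'destination_port', $2);
            set_collected_field('', 'destination_hostname', $3);
          );
          else if (matches_regular_expression(v.destination, '^([0-9.]+):([0-9]+)')) then (
            set_collected_field('', 'destination_ip', $1);
            set_collected_field('', 'destination_port', $2);
          );
        ); # parse source/destination
      );

      # An IPS line whose remainder matched neither shape is still accepted with only
      # date/time/type set, so the event is counted rather than silently lost.
      set_collected_field('', 'events', 1);
      accept_collected_entry('', false);
    );
  `

  # Database fields
  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    type = ""
    protocol = ""
    severity = ""
    rule_id = ""
    rule = ""
    source_ip = ""
    source_hostname = ""
    source_port = ""
    destination_ip = ""
    destination_hostname = ""
    destination_port = ""
    # Port Scan
    # Kept for schema compatibility; never populated by the parsing filter above.
    source = ""
    destination = ""
    port_scan_ports = ""
  } # database.fields

  database.numerical_fields = {
    # One event per accepted IPS line (set unconditionally in the parsing filter).
    events = {
      default = true
      entries_field = true
    } # events
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
    } # report_groups
  } # create_profile_wizard_options

} # control_security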