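# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin: Palo Alto Networks firewall logs forwarded as CEF over syslog.
# The file declares the log fields that are collected, the database fields that store them,
# the numerical (summed) fields, and how the create-profile wizard groups the reports.
palo_alto_networks_firewall_cef = {

  plugin_version = "1.2"

  # 2012-10-31 - 1.0 - Jonas - Initial creation
  # 2012-11-05 - 1.1 - Jonas - non Threat_id field
  # 2012-11-05 - 1.2 - Benson - Simplify fields that have no data or useless; change field repeat_count to events.
  # unreleased - review - Back cs2 (URL Category) with a database field; comment out the report_groups
  #                       entries (cs6, location) that have no database field behind them.

  info.1.manufacturer = "Paloalto"
  info.1.device = "Firewall(CEF)"
  info.1.version.1 = "4.0"

  # The name of the log format
  log.format.format_label = "Palo Alto Networks Firewall CEF Format"
  log.miscellaneous.log_data_type = "syslog_required"
  log.miscellaneous.log_format_type = "network_device"

  # Log Sample (TRAFFIC, THREAT and SYSTEM events; the first sample carries unexpanded
  # $cefformatted-... placeholders for its timestamps)
  # 2012-10-30 10:46:38 user.info 172.18.1.4 Oct 30 10:46:38 172.18.1.4 CEF:0|Palo Alto Networks|PAN-OS|4.0.0|end|TRAFFIC|1|rt=$cefformatted-receive_time deviceExternalId=0003C105356 src=172.18.90.7 dst=68.232.44.169 sourceTranslatedAddress=210.69.104.254 destinationTranslatedAddress=68.232.44.169 cs1Label=Rule cs1=T2U-web-browsing suser= duser= app=web-browsing cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=Trust cs5Label=Destination Zone cs5=Untrust deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/3 cs6Label=LogProfile cs6=log cn1Label=SessionID cn1=261076 cnt=1 spt=3701 dpt=80 sourceTranslatedPort=24131 destinationTranslatedPort=80 flexString1Label=Flags flexString1=0x400000 proto=tcp act=allow flexNumber1Label=Totalbytes flexNumber1=1351 cn2Label=Packets cn2=10 start=$cefformatted-time_generated cn3Label=Elapsed time in seconds cn3=8 cs2Label=URL Category cs2=not-resolved
  # 2012-10-30 10:47:11 user.crit 172.18.1.4 Oct 30 10:47:11 172.18.1.4 CEF:0|Palo Alto Networks|PAN-OS|4.0.0|spyware Poisonivy Command and Control Traffic(13103)|THREAT|5|rt=Oct 30 2012 02:47:11 GMT deviceExternalId=0003C105356 src=101.78.151.171 dst=172.18.11.25 sourceTranslatedAddress=101.78.151.171 destinationTranslatedAddress=210.69.104.254 cs1Label=Rule cs1=T2U-Out-Going-Common suser= duser= app=unknown-tcp cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=Untrust cs5Label=Destination Zone cs5=Trust deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/3 cs6Label=LogProfile cs6=log cn1Label=SessionID cn1=245792 cnt=1 spt=443 dpt=2651 sourceTranslatedPort=443 destinationTranslatedPort=45964 flexString1Label=Flags flexString1=0x400000 proto=tcp act=alert msg="" cs2Label=URL Category cs2=any deviceDirection=server-to-client
  # 2012-10-30 10:47:06 user.info 172.18.1.4 Oct 30 10:47:06 172.18.1.4 CEF:0|Palo Alto Networks|PAN-OS|4.0.0|general general|SYSTEM general|1|rt=Oct 30 2012 02:47:06 GMT deviceExternalId=0003C105356 cs3Label=Virtual System cs3= fname= flexString2Label=Module flexString2=general msg=0

  # Autodetection only looks for the CEF header prefix, not for a specific PAN-OS version.
  log.format.autodetect_regular_expression = "CEF:0[|]Palo Alto Networks"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # Log fields
  # Names that differ from the CEF extension key are renamed in the collect_listed_fields
  # mapping below; the "## from X" notes give the CEF key each one comes from.
  log.fields = {
    subtype = ""
    #threat_id = ""
    type = ""
    severity = "" ## from number_of_severity
    #cef_receive_time = "" ## from rf
    serial = "" ## from deviceExternalId
    src = ""
    dst = ""
    nat_source_ip = "" ## from sourceTranslatedAddress
    nat_destination_ip = "" ## from destinationTranslatedAddress
    #cs1Label = ""
    rule = "" ## from cs1
    suser = ""
    duser = ""
    app = ""
    #cs3Label = ""
    virtual_system = "" ## from cs3
    #cs4Label = ""
    source_zone = "" ## from cs4
    #cs5Label = ""
    destination_zone = "" ## from cs5
    inbound_interface = "" ## from deviceInboundInterface
    outbound_interface = "" ## from deviceOutboundInterface
    #cs6Label = ""
    #cs6 = ""
    #cn1Label = ""
    session_id = "" ## from cn1
    spt = ""
    dpt = ""
    nat_source_port = "" ## from sourceTranslatedPort
    nat_destination_port = "" ## from destinationTranslatedPort
    #flexString1Label = ""
    flags = "" ## from flexString1
    proto = ""
    act = ""
    #flexNumber1Label = ""
    #cn2Label = ""
    #start = ""
    #cn3Label = ""
    #msg = ""
    #cs2Label = ""
    cs2 = "" ## URL Category
    direction = "" ## deviceDirection
    #source_ip.type = "host" ## Sawmill Location
    events = "" ## from cnt
    bytes = "" ## from flexNumber1
    packets = "" ## from cn2
    duration = "" ## from cn3
  } # log.fields

  # Log Parsing Filters
  #
  # One regular expression consumes the syslog timestamp/host prefix and the CEF header:
  # the two header fields between the PAN-OS version and the numeric severity become
  # subtype ($1) and type ($2), the severity is $3, and everything after the last header
  # '|' ($4) is handed to collect_listed_fields, which splits it on single spaces and '='
  # and renames the CEF keys listed in the mapping. Keys that are not in the mapping
  # (src, dst, spt, dpt, proto, act, app, suser, duser, cs2) appear in log.fields under
  # their CEF names, so they are presumably collected unrenamed.
  #
  # NOTE(review): the splitter does not honor CEF backslash escapes or values that contain
  # spaces or '='. Label values such as `cs2Label=URL Category` or `cn3Label=Elapsed time in
  # seconds` leave tokens without '=' (presumably dropped; confirm against
  # collect_listed_fields), and a value that itself contains '=' would be read as a new
  # key/value pair. Treat extension-derived fields as best-effort rather than authoritative.
  #
  # NOTE(review): `rt=cef_receive_time` maps to a log field that is commented out above, so
  # that value is presumably discarded; either drop the mapping entry or re-enable the field.
  log.parsing_filters.parse = `
if (matches_regular_expression(v.syslog_message, '^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [^ ]+ CEF:[0-9][|]Palo Alto Networks[|]PAN-OS[|][0-9.]+[|]([^|]+)[|]([^|]+)[|]([0-9]+)[|](.*)$')) then (
  set_collected_field('', 'subtype', $1);
  set_collected_field('', 'type', $2);
  set_collected_field('', 'severity', $3);
  v.fields = $4;
  collect_listed_fields('', v.fields, ' ', '=', 'rt=cef_receive_time|deviceExternalId=serial|sourceTranslatedAddress=nat_source_ip|destinationTranslatedAddress=nat_destination_ip|cs1=rule|cs3=virtual_system|cs4=source_zone|cs5=destination_zone|deviceInboundInterface=inbound_interface|deviceOutboundInterface=outbound_interface|cn1=session_id|cnt=events|sourceTranslatedPort=nat_source_port|destinationTranslatedPort=nat_destination_port|flexString1=flags|flexNumber1=bytes|cn2=packets|cn3=duration|deviceDirection=direction');
  accept_collected_entry('', false);
);
` # log.parsing_filters

  # Database fields
  # Every non-numerical field referenced from report_groups below must be declared here.
  database.fields = {
    subtype = ""
    #threat_id = ""
    type = ""
    severity = ""
    #cef_receive_time = ""
    serial = ""
    src = ""
    dst = ""
    nat_source_ip = ""
    nat_destination_ip = ""
    #cs1Label = ""
    rule = ""
    suser = ""
    duser = ""
    app = ""
    #cs3Label = ""
    virtual_system = ""
    #cs4Label = ""
    source_zone = ""
    #cs5Label = ""
    destination_zone = ""
    inbound_interface = ""
    outbound_interface = ""
    #cs6Label = ""
    #cs6 = ""
    #cn1Label = ""
    session_id = ""
    spt = ""
    dpt = ""
    nat_source_port = ""
    nat_destination_port = ""
    #flexString1Label = ""
    flags = ""
    proto = ""
    act = ""
    #flexNumber1Label = ""
    #cn2Label = ""
    #start = ""
    #cn3Label = ""
    #msg = ""
    #cs2Label = ""
    # URL Category: collected as log field cs2 and listed in report_groups.other_group,
    # so it needs a database field to land in.
    cs2 = ""
    direction = ""
    #location = ""
  } # database.fields

  # Log Filters
  #log.filters = {
  #
  #  mark_entry = {
  #    label = '$lang_admin.log_filters.mark_entry_label'
  #    comment = '$lang_admin.log_filters.mark_entry_comment'
  #    value = 'events = 1;'
  #  } # mark_entry
  #
  #} # log.filters

  # Numerical (summed) database fields. events replaced repeat_count in 1.2.
  database.numerical_fields = {
    events = {
      default = true
      requires_log_field = true
      entries_field = true
    } # events
    bytes = {
      type = "int"
      requires_log_field = true
      integer_bits = 64
      display_format_type = "bandwidth"
    } # bytes
    packets = {
      type = "int"
      integer_bits = 64
    } # packets
    duration = {
      label = "$lang_stats.field_labels.duration"
      default = true
      requires_log_field = true
      type = "int"
      display_format_type = "duration"
    } # duration
    #repeat_count = {
    #  type = "int"
    #  requires_log_field = true
    #  integer_bits = 64
    #  display_format_type = "integer"
    #} # repeat_count
  } # database.numerical_fields

  create_profile_wizard_options = {
    # How the reports should be grouped in the report menu
    report_groups = {
      date_time_group = ""
      source_group = {
        src = true
        nat_source_ip = true
        suser = true
        source_zone = true
        spt = true
        nat_source_port = true
        # location depends on source_ip.type = "host" and the location database field,
        # both of which are commented out in this plugin.
        #location = true
      } # source_group
      destination_group = {
        dst = true
        nat_destination_ip = true
        duser = true
        destination_zone = true
        dpt = true
        nat_destination_port = true
      } # destination_group
      #threat_group = {
      #  threat_id = true
      #} # threat_group
      other_group = {
        severity = true
        subtype = true
        type = true
        serial = true
        rule = true
        app = true
        virtual_system = true
        inbound_interface = true
        outbound_interface = true
        # cs6 (LogProfile) was dropped from log.fields and database.fields in 1.2.
        #cs6 = true
        session_id = true
        flags = true
        proto = true
        act = true
        #msg = true
        cs2 = true
        direction = true
        #start = true
        #cef_receive_time = true
      } # other_group
    } # report_groups
  } # create_profile_wizard_options

} # palo_alto_networks_firewall_cef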