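# Copyright (c) 2012 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for McAfee IntruShield IPS alerts exported through
# the Manager's "SyslogAlertForwarder" syslog feed. Every syslog line carries one
# alert as a ';'-separated record; the parsing filter below splits it into fields.
mcafee_ips = {

  plugin_version = "1.1"

  info.1.manufacturer = "McAfee"
  info.1.device = "IntruShield Alert Log format"
  info.1.version = "syslog export"

  # 2012-04-10 - Benson - 1.0 - Initial Creation
  # 2012-06-01 - Benson - 1.1 - Fixed for source_ip field type issue with value "N/A".

  # The name of the log format
  log.format.format_label = "McAfee IntruShield Alert Log Format"
  log.miscellaneous.log_data_type = "firewall"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression.
  # The exported record has this field order (the parsing filter below depends on it):
  # sensor_alert_uuid;alert_type;attack_time;attack_name;attack_id;attack_severity;attack_signature;attack_confidence;admin_domain;sensor_name;interface;source_ip;source_port;destination_ip;destination_port;category;sub_category;direction;result_status;detection_mechanism;application_protocol;network_protocol;relevance;quarantine_end_time;mcafee_nac_forwarded_status;mcafee_nac_managed_status;mcafee_nac_error_status;mcafee_nac_action_status;sensor_cluster_member;alert_id;attack_count;vlan_id;layer_7_data;vlan_id;protection_category;source_vm_name;target_vm_name;source_vm_esx_name;target_vm_esx_name;proxy_server_ip
  # NOTE: autodetect only keys on the forwarder's syslog tag. Lines in the same
  # stream that do not have the record layout above are dropped by the parsing filter.
  log.format.autodetect_regular_expression = "SyslogAlertForwarder: "

  # The format of dates and times in this log. The timezone token that follows the
  # time in attack_time (e.g. "CST") is discarded by the parsing filter, so all
  # timestamps are in the sensor/Manager local zone; keep that in mind when
  # correlating these alerts with logs from other sources.
  log.format.time_format = "hh:mm:ss"
  log.format.date_format = "yyyy-mm-dd"

  # All log field parsing will be done using the parsing filters
  log.format.parse_only_with_filters = "true"

  # These logs use ; as the separator
  log.format.field_separator = ";"

  statistics.miscellaneous.entry_name = "accesses"

  # Log fields
  log.fields = {

    date = {
      label = "$lang_stats.field_labels.date"
      type = "date"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # date

    time = {
      label = "$lang_stats.field_labels.time"
      type = "time"
      index = 0
      subindex = 0
      hierarchy_dividers = ""
      left_to_right = false
      leading_divider = "false"
    } # time

    #sensor_alert_uuid = ""
    alert_type = ""
    attack_name = ""
    attack_id = ""
    attack_severity = ""
    attack_signature = ""
    attack_confidence = ""
    admin_domain = ""
    sensor_name = ""
    interface = ""
    # "host" typed so Sawmill can derive the location field from it. The value is
    # taken from the packet that raised the alert, i.e. it is attacker-controlled;
    # the literal "N/A" the sensor emits for some alert types is rewritten by the
    # rewrite_source_ip_if_empty log filter below (1.1 fix).
    # NOTE(review): if DNS lookup is enabled on the profile, this presumably
    # triggers reverse-DNS queries for attacker addresses -- confirm that is
    # acceptable for your environment before turning it on.
    source_ip.type = "host"
    source_port = ""
    # destination_ip may also be "N/A" (see the example record in the parsing
    # filter); it is a plain string field, so no rewrite is needed for it.
    destination_ip = ""
    destination_port = ""
    category = ""
    sub_category = ""
    direction = ""
    result_status = ""
    detection_mechanism = ""
    application_protocol = ""
    network_protocol = ""
    #relevance = ""
    #quarantine_end_time = ""
    #mcafee_nac_forwarded_status = ""
    #mcafee_nac_managed_status = ""
    #mcafee_nac_error_status = ""
    #mcafee_nac_action_status = ""
    sensor_cluster_member = ""
    #alert_id = ""
    attack_count = ""
    #vlan_id = ""
    #layer_7_data = ""
    #vlan_id = ""
    #protection_category = ""
    #source_vm_name = ""
    #target_vm_name = ""
    #source_vm_esx_name = ""
    #target_vm_esx_name = ""
    #proxy_server_ip = ""
    accesses = ""

  } # log.fields

  # Field extraction. A line is entered into the database only when it matches the
  # record layout; previously accept_collected_entry() ran unconditionally, so any
  # line that passed autodetect but not the pattern was counted as an entry with
  # every field blank.
  log.parsing_filters.parse = `
# sensor_alert_uuid;alert_type;attack_time;attack_name;attack_id;attack_severity;attack_signature;attack_confidence;admin_domain;sensor_name;interface;source_ip;source_port;
# destination_ip;destination_port;category;sub_category;direction;result_status;detection_mechanism;application_protocol;network_protocol;relevance;quarantine_end_time;
# mcafee_nac_forwarded_status;mcafee_nac_managed_status;mcafee_nac_error_status;mcafee_nac_action_status;sensor_cluster_member;alert_id;attack_count;vlan_id;layer_7_data;
# vlan_id;protection_category;source_vm_name;target_vm_name;source_vm_esx_name;target_vm_esx_name;proxy_server_ip
#
# Example record:
# 5693074923902938059;Host Sweep;2012-04-09 00:00:08 CST;TCP: SYN Host Sweep;0x40009b00;Medium;N/A;N/A;My Company;M1450;1AB FW_Core(1A-1B);10.1.25.234;0;N/A;445;Reconnaissance;host-sweep;Inbound;Suspicious;multi-flow-correlation;N/A;N/A;Unknown;N/A;Not Forwarded;Unknown;No error;Unknown;M1450;1389026234129979172;1;N/A
#
# Groups: $1 uuid, $2 alert_type, $3 date and $4 time (attack_time split in two; the
# trailing timezone token is swallowed by " [^;]*;"), $5..$30 the next 26 fields up to
# sensor_cluster_member, $31 alert_id and $32 attack_count (digits only -- a record with
# a non-numeric value there will not match and is dropped), $33 vlan_id. The pattern is
# not anchored, so fields after vlan_id, if present, are ignored.
if (matches_regular_expression(current_log_line(), "([0-9]*);([^;]*);([0-9-]+) ([0-9:]+) [^;]*;([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([0-9]*);([0-9]*);([^;]*)")) then (
  #set_collected_field('', 'sensor_alert_uuid', $1);
  set_collected_field('', 'alert_type', $2);
  set_collected_field('', 'date', $3);
  set_collected_field('', 'time', $4);
  set_collected_field('', 'attack_name', $5);
  set_collected_field('', 'attack_id', $6);
  set_collected_field('', 'attack_severity', $7);
  set_collected_field('', 'attack_signature', $8);
  set_collected_field('', 'attack_confidence', $9);
  set_collected_field('', 'admin_domain', $10);
  set_collected_field('', 'sensor_name', $11);
  set_collected_field('', 'interface', $12);
  set_collected_field('', 'source_ip', $13);
  set_collected_field('', 'source_port', $14);
  set_collected_field('', 'destination_ip', $15);
  set_collected_field('', 'destination_port', $16);
  set_collected_field('', 'category', $17);
  set_collected_field('', 'sub_category', $18);
  set_collected_field('', 'direction', $19);
  set_collected_field('', 'result_status', $20);
  set_collected_field('', 'detection_mechanism', $21);
  set_collected_field('', 'application_protocol', $22);
  set_collected_field('', 'network_protocol', $23);
  #set_collected_field('', 'relevance', $24);
  #set_collected_field('', 'quarantine_end_time', $25);
  #set_collected_field('', 'mcafee_nac_forwarded_status', $26);
  #set_collected_field('', 'mcafee_nac_managed_status', $27);
  #set_collected_field('', 'mcafee_nac_error_status', $28);
  #set_collected_field('', 'mcafee_nac_action_status', $29);
  set_collected_field('', 'sensor_cluster_member', $30);
  #set_collected_field('', 'alert_id', $31);
  set_collected_field('', 'attack_count', $32);
  #set_collected_field('', 'vlan_id', $33);
  #set_collected_field('', 'layer_7_data', $34);
  #set_collected_field('', 'vlan_id', $35);
  #set_collected_field('', 'protection_category', $36);
  #set_collected_field('', 'source_vm_name', $37);
  #set_collected_field('', 'target_vm_name', $38);
  #set_collected_field('', 'source_vm_esx_name', $39);
  #set_collected_field('', 'target_vm_esx_name', $40);
  #set_collected_field('', 'proxy_server_ip', $41);
  # The entry counter is the declared "accesses" field (entry_name above); the
  # template's "events" field does not exist in this plugin.
  set_collected_field('', 'accesses', 1);
  accept_collected_entry('', false);
);
`

  database.fields = {
    date_time = ""
    day_of_week = ""
    hour_of_day = ""
    #sensor_alert_uuid = ""
    alert_type = ""
    attack_name = ""
    attack_id = ""
    attack_severity = ""
    attack_signature = ""
    attack_confidence = ""
    admin_domain = ""
    sensor_name = ""
    interface = ""
    source_ip = ""
    # derived from the host-typed source_ip
    location = ""
    source_port = ""
    destination_ip = ""
    destination_port = ""
    category = ""
    sub_category = ""
    direction = ""
    result_status = ""
    detection_mechanism = ""
    application_protocol = ""
    network_protocol = ""
    #relevance = ""
    #quarantine_end_time = ""
    #mcafee_nac_forwarded_status = ""
    #mcafee_nac_managed_status = ""
    #mcafee_nac_error_status = ""
    #mcafee_nac_action_status = ""
    sensor_cluster_member = ""
    #alert_id = ""
    #vlan_id = ""
    #layer_7_data = ""
    #vlan_id = ""
    #protection_category = ""
    #source_vm_name = ""
    #target_vm_name = ""
    #source_vm_esx_name = ""
    #target_vm_esx_name = ""
    #proxy_server_ip = ""
  } # database.fields

  # Log Filters
  log.filters = {

    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry

    # The sensor emits the literal "N/A" for source_ip on some alert types; a
    # host-typed field cannot hold that, so it is mapped to "(empty)" (1.1 fix).
    rewrite_source_ip_if_empty = {
      label = "Rewrite N/A to (empty)"
      comment = "avoid source_ip field type issue"
      value = "if (source_ip eq 'N/A') then source_ip = '(empty)'"
    } # rewrite_source_ip_if_empty

  } # log.filters

  database.numerical_fields = {

    # Sum of the sensor's per-alert attack_count (aggregated alerts report > 1).
    attack_count = {
      label = "$lang_stats.field_labels.attack"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # attack_count

    # One per accepted log line.
    accesses = {
      label = "$lang_stats.field_labels.accesses"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # accesses

  } # database.numerical_fields

  create_profile_wizard_options = {

    date_time_tracking = true

    # How the reports should be grouped in the report menu
    report_groups = {

      date_time_group = ""

      attack_group = {
        #sensor_alert_uuid = true
        alert_type = true
        attack_name = true
        attack_id = true
        attack_severity = true
        attack_signature = true
        attack_confidence = true
      } # attack_group

      source_group = {
        source_ip = true
        source_port = true
        location = true
      } # source_group

      destination_group = {
        destination_ip = true
        destination_port = true
        application_protocol = true
        network_protocol = true
      } # destination_group

      #status_group = {
      #  mcafee_nac_forwarded_status = true
      #  mcafee_nac_managed_status = true
      #  mcafee_nac_error_status = true
      #  mcafee_nac_action_status = true
      #} # status_group

      other_group = {
        admin_domain = true
        sensor_name = true
        interface = true
        category = true
        sub_category = true
        direction = true
        result_status = true
        detection_mechanism = true
        #relevance = true
        #quarantine_end_time = true
        sensor_cluster_member = true
        #alert_id = true
        # vlan_id is not a database field (commented out in database.fields and
        # not extracted by the parsing filter), so it is not reported either.
        #vlan_id = true
        #layer_7_data = true
        #vlan_id = true
        #protection_category = true
        #source_vm_name = true
        #target_vm_name = true
        #source_vm_esx_name = true
        #target_vm_esx_name = true
        #proxy_server_ip = true
      } # other_group

    } # report_groups

  } # create_profile_wizard_options

} # mcafee_ips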