[jira] [Updated] (METRON-172) Improve Palo Alto parser
[ https://issues.apache.org/jira/browse/METRON-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Casey Stella updated METRON-172: Assignee: (was: James Sirota) > Improve Palo Alto parser > > > Key: METRON-172 > URL: https://issues.apache.org/jira/browse/METRON-172 > Project: Metron > Issue Type: Improvement >Reporter: Sunny Kumar >Priority: Minor > Labels: ParserExtension, platform > Original Estimate: 72h > Remaining Estimate: 72h > > Enhance the Palo Alto basic parser to support additional fields and more > configurations. > Samples below: > <11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1,2015/01/05 > 05:38:58,0006C110285,THREAT,vulnerability,1,2015/01/05 > 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 > > 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\",HTTP: > IIS Denial Of Service > Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,, > - > {"source.type":"paloalto","natDestinationIp":"0.0.0.0","threatId":"HTTP: IIS > Denial Of Service > Attempt(40019)","virtualSystem":"vsys1","ipSrcPort":"54180","subject":"","type":"THREAT","deviceName":"","dstUserName":"","cloud":"","hostname":"PAN1.exampleCustomer.com","protocol":"tcp","original_string":"<11>Jan > 5 05:38:59 PAN1.exampleCustomer.com 1,2015\/01\/05 > 05:38:58,0006C110285,THREAT,vulnerability,1,2015\/01\/05 > 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,exampleuser.name,,web-browsing,vsys1,internal,external,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 > > 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\",HTTP: > IIS Denial Of Service > Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,","egressInterface":"ethernet1\/1","action":"reset-both","ipSrcAddr":"10.0.0.115","contentType":"","repeatCount":"1","deviceGroupHierarchyLevel1":"","sequenceNumber":"347368099","pcapId":"1200568889751109656","deviceGroupHierarchyLevel3":"","serialNumber":"0006C110285","deviceGroupHierarchyLevel2":"","sourceZone":"internal","deviceGroupHierarchyLevel4":"","srcUserName":"exampleuser.name","priority":"11","destinationZone":"external","sender":"","ipDstPort":"80","miscellaneous":"\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\"","flags":"0x80004000","destinationLocation":"US","fileDigest":"","urlIndex":"","generatedTime":"2015\/01\/05 > > 05:38:58","ipDstAddr":"216.0.10.198","subtype":"vulnerability","futureUse":"1","ruleName":"EX-Allow","logForwardingProfile":"LOG-Default","timestamp":1451972339000,"direction":"client-to-server","severity":"high","futureUse3":"2015\/01\/05 > > 05:38:58","reportId":"","futureUse2":"1","virtualSystemName":"","natDestinationPort":"0","userAgent":"","sessionId":"12031","ingressInterface":"ethernet1\/2","natSourceIp":"0.0.0.0","receiveTime":"2015\/01\/05 > > 05:38:58","actionFlags":"0x0","referrer":"","natSourcePort":"0","application":"web-browsing","recipient":"","sourceLocation":"10.0.0.0-10.255.255.255","futureUse5":"","futureUse4":"0","xForwardedFor":"","category":"any","fileType":""} > ### > <14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 > 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 > 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 > > 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015/01/05 > > 12:51:01,30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,14 > --- > {"source.type":"paloalto","natDestinationIp":"0.0.0.0","virtualSystem":"vsys1","ipSrcPort":"54266","type":"TRAFFIC","deviceName":"","packets":"25","dstUserName":"","hostname":"PAN1.exampleCustomer.com","protocol":"tcp","original_string":"<14>Jan > 5 12:51:34 PAN1.exampleCustomer.com 1,2015\/01\/05 > 12:51:33,0011C103117,TRAFFIC,end,1,2015\/01\/05 > 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 > > 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015\/01\/05 > >
[jira] [Updated] (METRON-172) Improve Palo Alto parser
[ https://issues.apache.org/jira/browse/METRON-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] David M. Lyle updated METRON-172: - Labels: ParserExtension platform (was: ParserExtension) > Improve Palo Alto parser > > > Key: METRON-172 > URL: https://issues.apache.org/jira/browse/METRON-172 > Project: Metron > Issue Type: Improvement >Reporter: Sunny Kumar >Assignee: James Sirota >Priority: Minor > Labels: ParserExtension, platform > Fix For: 0.2.2BETA > > Original Estimate: 72h > Remaining Estimate: 72h > > Enhance the Palo Alto basic parser to support additional fields and more > configurations. > Samples below: > <11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1,2015/01/05 > 05:38:58,0006C110285,THREAT,vulnerability,1,2015/01/05 > 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 > > 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\",HTTP: > IIS Denial Of Service > Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,, > - > {"source.type":"paloalto","natDestinationIp":"0.0.0.0","threatId":"HTTP: IIS > Denial Of Service > Attempt(40019)","virtualSystem":"vsys1","ipSrcPort":"54180","subject":"","type":"THREAT","deviceName":"","dstUserName":"","cloud":"","hostname":"PAN1.exampleCustomer.com","protocol":"tcp","original_string":"<11>Jan > 5 05:38:59 PAN1.exampleCustomer.com 1,2015\/01\/05 > 05:38:58,0006C110285,THREAT,vulnerability,1,2015\/01\/05 > 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,exampleuser.name,,web-browsing,vsys1,internal,external,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 > > 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\",HTTP: > IIS Denial Of Service > Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,","egressInterface":"ethernet1\/1","action":"reset-both","ipSrcAddr":"10.0.0.115","contentType":"","repeatCount":"1","deviceGroupHierarchyLevel1":"","sequenceNumber":"347368099","pcapId":"1200568889751109656","deviceGroupHierarchyLevel3":"","serialNumber":"0006C110285","deviceGroupHierarchyLevel2":"","sourceZone":"internal","deviceGroupHierarchyLevel4":"","srcUserName":"exampleuser.name","priority":"11","destinationZone":"external","sender":"","ipDstPort":"80","miscellaneous":"\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\"","flags":"0x80004000","destinationLocation":"US","fileDigest":"","urlIndex":"","generatedTime":"2015\/01\/05 > > 05:38:58","ipDstAddr":"216.0.10.198","subtype":"vulnerability","futureUse":"1","ruleName":"EX-Allow","logForwardingProfile":"LOG-Default","timestamp":1451972339000,"direction":"client-to-server","severity":"high","futureUse3":"2015\/01\/05 > > 05:38:58","reportId":"","futureUse2":"1","virtualSystemName":"","natDestinationPort":"0","userAgent":"","sessionId":"12031","ingressInterface":"ethernet1\/2","natSourceIp":"0.0.0.0","receiveTime":"2015\/01\/05 > > 05:38:58","actionFlags":"0x0","referrer":"","natSourcePort":"0","application":"web-browsing","recipient":"","sourceLocation":"10.0.0.0-10.255.255.255","futureUse5":"","futureUse4":"0","xForwardedFor":"","category":"any","fileType":""} > ### > <14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 > 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 > 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 > > 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015/01/05 > > 12:51:01,30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,14 > --- > {"source.type":"paloalto","natDestinationIp":"0.0.0.0","virtualSystem":"vsys1","ipSrcPort":"54266","type":"TRAFFIC","deviceName":"","packets":"25","dstUserName":"","hostname":"PAN1.exampleCustomer.com","protocol":"tcp","original_string":"<14>Jan > 5 12:51:34 PAN1.exampleCustomer.com 1,2015\/01\/05 > 12:51:33,0011C103117,TRAFFIC,end,1,2015\/01\/05 > 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 > > 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015\/01\/05 > >
[jira] [Updated] (METRON-172) Improve Palo Alto parser
[ https://issues.apache.org/jira/browse/METRON-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] James Sirota updated METRON-172: Assignee: Casey Stella > Improve Palo Alto parser > > > Key: METRON-172 > URL: https://issues.apache.org/jira/browse/METRON-172 > Project: Metron > Issue Type: Improvement >Reporter: Sunny Kumar >Assignee: Casey Stella >Priority: Minor > Labels: ParserExtension > Original Estimate: 72h > Remaining Estimate: 72h > > Enhance the Palo Alto basic parser to support additional fields and more > configurations. > Samples below: > <11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1,2015/01/05 > 05:38:58,0006C110285,THREAT,vulnerability,1,2015/01/05 > 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 > > 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\",HTTP: > IIS Denial Of Service > Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,, > - > {"source.type":"paloalto","natDestinationIp":"0.0.0.0","threatId":"HTTP: IIS > Denial Of Service > Attempt(40019)","virtualSystem":"vsys1","ipSrcPort":"54180","subject":"","type":"THREAT","deviceName":"","dstUserName":"","cloud":"","hostname":"PAN1.exampleCustomer.com","protocol":"tcp","original_string":"<11>Jan > 5 05:38:59 PAN1.exampleCustomer.com 1,2015\/01\/05 > 05:38:58,0006C110285,THREAT,vulnerability,1,2015\/01\/05 > 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,exampleuser.name,,web-browsing,vsys1,internal,external,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 > > 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\",HTTP: > IIS Denial Of Service > Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,","egressInterface":"ethernet1\/1","action":"reset-both","ipSrcAddr":"10.0.0.115","contentType":"","repeatCount":"1","deviceGroupHierarchyLevel1":"","sequenceNumber":"347368099","pcapId":"1200568889751109656","deviceGroupHierarchyLevel3":"","serialNumber":"0006C110285","deviceGroupHierarchyLevel2":"","sourceZone":"internal","deviceGroupHierarchyLevel4":"","srcUserName":"exampleuser.name","priority":"11","destinationZone":"external","sender":"","ipDstPort":"80","miscellaneous":"\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\"","flags":"0x80004000","destinationLocation":"US","fileDigest":"","urlIndex":"","generatedTime":"2015\/01\/05 > > 05:38:58","ipDstAddr":"216.0.10.198","subtype":"vulnerability","futureUse":"1","ruleName":"EX-Allow","logForwardingProfile":"LOG-Default","timestamp":1451972339000,"direction":"client-to-server","severity":"high","futureUse3":"2015\/01\/05 > > 05:38:58","reportId":"","futureUse2":"1","virtualSystemName":"","natDestinationPort":"0","userAgent":"","sessionId":"12031","ingressInterface":"ethernet1\/2","natSourceIp":"0.0.0.0","receiveTime":"2015\/01\/05 > > 05:38:58","actionFlags":"0x0","referrer":"","natSourcePort":"0","application":"web-browsing","recipient":"","sourceLocation":"10.0.0.0-10.255.255.255","futureUse5":"","futureUse4":"0","xForwardedFor":"","category":"any","fileType":""} > ### > <14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 > 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 > 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 > > 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015/01/05 > > 12:51:01,30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,14 > --- > {"source.type":"paloalto","natDestinationIp":"0.0.0.0","virtualSystem":"vsys1","ipSrcPort":"54266","type":"TRAFFIC","deviceName":"","packets":"25","dstUserName":"","hostname":"PAN1.exampleCustomer.com","protocol":"tcp","original_string":"<14>Jan > 5 12:51:34 PAN1.exampleCustomer.com 1,2015\/01\/05 > 12:51:33,0011C103117,TRAFFIC,end,1,2015\/01\/05 > 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 > > 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015\/01\/05 > >
[jira] [Updated] (METRON-172) Improve Palo Alto parser
[ https://issues.apache.org/jira/browse/METRON-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] James Sirota updated METRON-172: Labels: ParserExtension (was: ) > Improve Palo Alto parser > > > Key: METRON-172 > URL: https://issues.apache.org/jira/browse/METRON-172 > Project: Metron > Issue Type: Improvement >Reporter: Sunny Kumar >Priority: Minor > Labels: ParserExtension > Original Estimate: 72h > Remaining Estimate: 72h > > Enhance the Palo Alto basic parser to support additional fields and more > configurations. > Samples below: > <11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1,2015/01/05 > 05:38:58,0006C110285,THREAT,vulnerability,1,2015/01/05 > 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 > > 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\",HTTP: > IIS Denial Of Service > Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,, > - > {"source.type":"paloalto","natDestinationIp":"0.0.0.0","threatId":"HTTP: IIS > Denial Of Service > Attempt(40019)","virtualSystem":"vsys1","ipSrcPort":"54180","subject":"","type":"THREAT","deviceName":"","dstUserName":"","cloud":"","hostname":"PAN1.exampleCustomer.com","protocol":"tcp","original_string":"<11>Jan > 5 05:38:59 PAN1.exampleCustomer.com 1,2015\/01\/05 > 05:38:58,0006C110285,THREAT,vulnerability,1,2015\/01\/05 > 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,exampleuser.name,,web-browsing,vsys1,internal,external,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 > > 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\",HTTP: > IIS Denial Of Service > Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,","egressInterface":"ethernet1\/1","action":"reset-both","ipSrcAddr":"10.0.0.115","contentType":"","repeatCount":"1","deviceGroupHierarchyLevel1":"","sequenceNumber":"347368099","pcapId":"1200568889751109656","deviceGroupHierarchyLevel3":"","serialNumber":"0006C110285","deviceGroupHierarchyLevel2":"","sourceZone":"internal","deviceGroupHierarchyLevel4":"","srcUserName":"exampleuser.name","priority":"11","destinationZone":"external","sender":"","ipDstPort":"80","miscellaneous":"\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\"","flags":"0x80004000","destinationLocation":"US","fileDigest":"","urlIndex":"","generatedTime":"2015\/01\/05 > > 05:38:58","ipDstAddr":"216.0.10.198","subtype":"vulnerability","futureUse":"1","ruleName":"EX-Allow","logForwardingProfile":"LOG-Default","timestamp":1451972339000,"direction":"client-to-server","severity":"high","futureUse3":"2015\/01\/05 > > 05:38:58","reportId":"","futureUse2":"1","virtualSystemName":"","natDestinationPort":"0","userAgent":"","sessionId":"12031","ingressInterface":"ethernet1\/2","natSourceIp":"0.0.0.0","receiveTime":"2015\/01\/05 > > 05:38:58","actionFlags":"0x0","referrer":"","natSourcePort":"0","application":"web-browsing","recipient":"","sourceLocation":"10.0.0.0-10.255.255.255","futureUse5":"","futureUse4":"0","xForwardedFor":"","category":"any","fileType":""} > ### > <14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 > 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 > 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 > > 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015/01/05 > > 12:51:01,30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,14 > --- > {"source.type":"paloalto","natDestinationIp":"0.0.0.0","virtualSystem":"vsys1","ipSrcPort":"54266","type":"TRAFFIC","deviceName":"","packets":"25","dstUserName":"","hostname":"PAN1.exampleCustomer.com","protocol":"tcp","original_string":"<14>Jan > 5 12:51:34 PAN1.exampleCustomer.com 1,2015\/01\/05 > 12:51:33,0011C103117,TRAFFIC,end,1,2015\/01\/05 > 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 > > 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015\/01\/05 > >
[jira] [Updated] (METRON-172) Improve Palo Alto parser
[ https://issues.apache.org/jira/browse/METRON-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sunny Kumar updated METRON-172: --- Description: Enhance the Palo Alto basic parser to support additional fields and more configurations. Samples below: <11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1,2015/01/05 05:38:58,0006C110285,THREAT,vulnerability,1,2015/01/05 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,, - {"source.type":"paloalto","natDestinationIp":"0.0.0.0","threatId":"HTTP: IIS Denial Of Service Attempt(40019)","virtualSystem":"vsys1","ipSrcPort":"54180","subject":"","type":"THREAT","deviceName":"","dstUserName":"","cloud":"","hostname":"PAN1.exampleCustomer.com","protocol":"tcp","original_string":"<11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1,2015\/01\/05 05:38:58,0006C110285,THREAT,vulnerability,1,2015\/01\/05 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,exampleuser.name,,web-browsing,vsys1,internal,external,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,","egressInterface":"ethernet1\/1","action":"reset-both","ipSrcAddr":"10.0.0.115","contentType":"","repeatCount":"1","deviceGroupHierarchyLevel1":"","sequenceNumber":"347368099","pcapId":"1200568889751109656","deviceGroupHierarchyLevel3":"","serialNumber":"0006C110285","deviceGroupHierarchyLevel2":"","sourceZone":"internal","deviceGroupHierarchyLevel4":"","srcUserName":"exampleuser.name","priority":"11","destinationZone":"external","sender":"","ipDstPort":"80","miscellaneous":"\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\"","flags":"0x80004000","destinationLocation":"US","fileDigest":"","urlIndex":"","generatedTime":"2015\/01\/05 05:38:58","ipDstAddr":"216.0.10.198","subtype":"vulnerability","futureUse":"1","ruleName":"EX-Allow","logForwardingProfile":"LOG-Default","timestamp":1451972339000,"direction":"client-to-server","severity":"high","futureUse3":"2015\/01\/05 05:38:58","reportId":"","futureUse2":"1","virtualSystemName":"","natDestinationPort":"0","userAgent":"","sessionId":"12031","ingressInterface":"ethernet1\/2","natSourceIp":"0.0.0.0","receiveTime":"2015\/01\/05 05:38:58","actionFlags":"0x0","referrer":"","natSourcePort":"0","application":"web-browsing","recipient":"","sourceLocation":"10.0.0.0-10.255.255.255","futureUse5":"","futureUse4":"0","xForwardedFor":"","category":"any","fileType":""} ### <14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015/01/05 12:51:01,30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,14 --- {"source.type":"paloalto","natDestinationIp":"0.0.0.0","virtualSystem":"vsys1","ipSrcPort":"54266","type":"TRAFFIC","deviceName":"","packets":"25","dstUserName":"","hostname":"PAN1.exampleCustomer.com","protocol":"tcp","original_string":"<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015\/01\/05 12:51:33,0011C103117,TRAFFIC,end,1,2015\/01\/05 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015\/01\/05 12:51:01,30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,14","egressInterface":"ethernet1\/1","action":"allow","packetsSent":"11","ipSrcAddr":"10.0.0.53","repeatCount":"1","deviceGroupHierarchyLevel1":"","sequenceNumber":"17754932075","deviceGroupHierarchyLevel3":"","serialNumber":"0011C103117","deviceGroupHierarchyLevel2":"","sourceZone":"v_external","deviceGroupHierarchyLevel4":"","srcUserName":"","priority":"14","destinationZone":"v_internal","packetsReceived":"14","ipDstPort":"40004","flags":"0x401c","destinationLocation":"10.0.0.0-10.255.255.255","generatedTime":"2015\/01\/05 12:51:33","ipDstAddr":"10.1.0.174","subtype":"end","futureUse":"1","ruleName":"EX-EasyAV2","startTime":"2015\/01\/05 12:51:01","logForwardingProfile":"LOG-Default","timestamp":1451998294000,"futureUse3":"2015\/01\/05
[jira] [Updated] (METRON-172) Improve Palo Alto parser
[ https://issues.apache.org/jira/browse/METRON-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sunny Kumar updated METRON-172: --- Description: Enhance the Palo Alto basic parser to support additional fields and more configurations. Samples below: <11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1,2015/01/05 05:38:58,0006C110285,THREAT,vulnerability,1,2015/01/05 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,, {"source.type":"paloalto","natDestinationIp":"0.0.0.0","threatId":"HTTP: IIS Denial Of Service Attempt(40019)","virtualSystem":"vsys1","ipSrcPort":"54180","subject":"","type":"THREAT","deviceName":"","dstUserName":"","cloud":"","hostname":"PAN1.exampleCustomer.com","protocol":"tcp","original_string":"<11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1,2015\/01\/05 05:38:58,0006C110285,THREAT,vulnerability,1,2015\/01\/05 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,exampleuser.name,,web-browsing,vsys1,internal,external,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,","egressInterface":"ethernet1\/1","action":"reset-both","ipSrcAddr":"10.0.0.115","contentType":"","repeatCount":"1","deviceGroupHierarchyLevel1":"","sequenceNumber":"347368099","pcapId":"1200568889751109656","deviceGroupHierarchyLevel3":"","serialNumber":"0006C110285","deviceGroupHierarchyLevel2":"","sourceZone":"internal","deviceGroupHierarchyLevel4":"","srcUserName":"exampleuser.name","priority":"11","destinationZone":"external","sender":"","ipDstPort":"80","miscellaneous":"\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\"","flags":"0x80004000","destinationLocation":"US","fileDigest":"","urlIndex":"","generatedTime":"2015\/01\/05 05:38:58","ipDstAddr":"216.0.10.198","subtype":"vulnerability","futureUse":"1","ruleName":"EX-Allow","logForwardingProfile":"LOG-Default","timestamp":1451972339000,"direction":"client-to-server","severity":"high","futureUse3":"2015\/01\/05 05:38:58","reportId":"","futureUse2":"1","virtualSystemName":"","natDestinationPort":"0","userAgent":"","sessionId":"12031","ingressInterface":"ethernet1\/2","natSourceIp":"0.0.0.0","receiveTime":"2015\/01\/05 05:38:58","actionFlags":"0x0","referrer":"","natSourcePort":"0","application":"web-browsing","recipient":"","sourceLocation":"10.0.0.0-10.255.255.255","futureUse5":"","futureUse4":"0","xForwardedFor":"","category":"any","fileType":""} <14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015/01/05 12:51:01,30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,14 {"source.type":"paloalto","natDestinationIp":"0.0.0.0","virtualSystem":"vsys1","ipSrcPort":"54266","type":"TRAFFIC","deviceName":"","packets":"25","dstUserName":"","hostname":"PAN1.exampleCustomer.com","protocol":"tcp","original_string":"<14>Jan 5 12:51:34 PAN1.exampleCustomer.com 1,2015\/01\/05 12:51:33,0011C103117,TRAFFIC,end,1,2015\/01\/05 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015\/01\/05 12:51:01,30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,14","egressInterface":"ethernet1\/1","action":"allow","packetsSent":"11","ipSrcAddr":"10.0.0.53","repeatCount":"1","deviceGroupHierarchyLevel1":"","sequenceNumber":"17754932075","deviceGroupHierarchyLevel3":"","serialNumber":"0011C103117","deviceGroupHierarchyLevel2":"","sourceZone":"v_external","deviceGroupHierarchyLevel4":"","srcUserName":"","priority":"14","destinationZone":"v_internal","packetsReceived":"14","ipDstPort":"40004","flags":"0x401c","destinationLocation":"10.0.0.0-10.255.255.255","generatedTime":"2015\/01\/05 12:51:33","ipDstAddr":"10.1.0.174","subtype":"end","futureUse":"1","ruleName":"EX-EasyAV2","startTime":"2015\/01\/05 12:51:01","logForwardingProfile":"LOG-Default","timestamp":1451998294000,"futureUse3":"2015\/01\/05