[jira] [Updated] (METRON-172) Improve Palo Alto parser

2016-11-02 Thread Casey Stella (JIRA)

[ https://issues.apache.org/jira/browse/METRON-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Casey Stella updated METRON-172:

Assignee: (was: James Sirota)

> Improve Palo Alto parser
>
> Key: METRON-172
> URL: https://issues.apache.org/jira/browse/METRON-172
> Project: Metron
> Issue Type: Improvement
> Reporter: Sunny Kumar
> Priority: Minor
> Labels: ParserExtension, platform
> Original Estimate: 72h
> Remaining Estimate: 72h
>
> Enhance the Palo Alto basic parser to support additional fields and more configurations.
> Samples below:
> <11>Jan  5 05:38:59 PAN1.exampleCustomer.com 1,2015/01/05 05:38:58,0006C110285,THREAT,vulnerability,1,2015/01/05 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,
> -
> {
>   "source.type": "paloalto",
>   "natDestinationIp": "0.0.0.0",
>   "threatId": "HTTP: IIS Denial Of Service Attempt(40019)",
>   "virtualSystem": "vsys1",
>   "ipSrcPort": "54180",
>   "subject": "",
>   "type": "THREAT",
>   "deviceName": "",
>   "dstUserName": "",
>   "cloud": "",
>   "hostname": "PAN1.exampleCustomer.com",
>   "protocol": "tcp",
>   "original_string": "<11>Jan  5 05:38:59 PAN1.exampleCustomer.com 1,2015\/01\/05 05:38:58,0006C110285,THREAT,vulnerability,1,2015\/01\/05 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,exampleuser.name,,web-browsing,vsys1,internal,external,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,",
>   "egressInterface": "ethernet1\/1",
>   "action": "reset-both",
>   "ipSrcAddr": "10.0.0.115",
>   "contentType": "",
>   "repeatCount": "1",
>   "deviceGroupHierarchyLevel1": "",
>   "sequenceNumber": "347368099",
>   "pcapId": "1200568889751109656",
>   "deviceGroupHierarchyLevel3": "",
>   "serialNumber": "0006C110285",
>   "deviceGroupHierarchyLevel2": "",
>   "sourceZone": "internal",
>   "deviceGroupHierarchyLevel4": "",
>   "srcUserName": "exampleuser.name",
>   "priority": "11",
>   "destinationZone": "external",
>   "sender": "",
>   "ipDstPort": "80",
>   "miscellaneous": "\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\"",
>   "flags": "0x80004000",
>   "destinationLocation": "US",
>   "fileDigest": "",
>   "urlIndex": "",
>   "generatedTime": "2015\/01\/05 05:38:58",
>   "ipDstAddr": "216.0.10.198",
>   "subtype": "vulnerability",
>   "futureUse": "1",
>   "ruleName": "EX-Allow",
>   "logForwardingProfile": "LOG-Default",
>   "timestamp": 1451972339000,
>   "direction": "client-to-server",
>   "severity": "high",
>   "futureUse3": "2015\/01\/05 05:38:58",
>   "reportId": "",
>   "futureUse2": "1",
>   "virtualSystemName": "",
>   "natDestinationPort": "0",
>   "userAgent": "",
>   "sessionId": "12031",
>   "ingressInterface": "ethernet1\/2",
>   "natSourceIp": "0.0.0.0",
>   "receiveTime": "2015\/01\/05 05:38:58",
>   "actionFlags": "0x0",
>   "referrer": "",
>   "natSourcePort": "0",
>   "application": "web-browsing",
>   "recipient": "",
>   "sourceLocation": "10.0.0.0-10.255.255.255",
>   "futureUse5": "",
>   "futureUse4": "0",
>   "xForwardedFor": "",
>   "category": "any",
>   "fileType": ""
> }
> ###
> <14>Jan  5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015/01/05 12:51:01,30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,14
> ---
> {
>   "source.type": "paloalto",
>   "natDestinationIp": "0.0.0.0",
>   "virtualSystem": "vsys1",
>   "ipSrcPort": "54266",
>   "type": "TRAFFIC",
>   "deviceName": "",
>   "packets": "25",
>   "dstUserName": "",
>   "hostname": "PAN1.exampleCustomer.com",
>   "protocol": "tcp",
>   "original_string": "<14>Jan  5 12:51:34 PAN1.exampleCustomer.com 1,2015\/01\/05 12:51:33,0011C103117,TRAFFIC,end,1,2015\/01\/05 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015\/01\/05

[jira] [Updated] (METRON-172) Improve Palo Alto parser

2016-07-18 Thread David M. Lyle (JIRA)

[ https://issues.apache.org/jira/browse/METRON-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David M. Lyle updated METRON-172:
-
Labels: ParserExtension platform  (was: ParserExtension)

> Improve Palo Alto parser
>
> Key: METRON-172
> URL: https://issues.apache.org/jira/browse/METRON-172
> Project: Metron
> Issue Type: Improvement
> Reporter: Sunny Kumar
> Assignee: James Sirota
> Priority: Minor
> Labels: ParserExtension, platform
> Fix For: 0.2.2BETA
>
> Original Estimate: 72h
> Remaining Estimate: 72h
>

[jira] [Updated] (METRON-172) Improve Palo Alto parser

2016-06-01 Thread James Sirota (JIRA)

[ https://issues.apache.org/jira/browse/METRON-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Sirota updated METRON-172:

Assignee: Casey Stella

> Improve Palo Alto parser
>
> Key: METRON-172
> URL: https://issues.apache.org/jira/browse/METRON-172
> Project: Metron
> Issue Type: Improvement
> Reporter: Sunny Kumar
> Assignee: Casey Stella
> Priority: Minor
> Labels: ParserExtension
> Original Estimate: 72h
> Remaining Estimate: 72h
>

[jira] [Updated] (METRON-172) Improve Palo Alto parser

2016-06-01 Thread James Sirota (JIRA)

[ https://issues.apache.org/jira/browse/METRON-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Sirota updated METRON-172:

Labels: ParserExtension  (was: )

> Improve Palo Alto parser
>
> Key: METRON-172
> URL: https://issues.apache.org/jira/browse/METRON-172
> Project: Metron
> Issue Type: Improvement
> Reporter: Sunny Kumar
> Priority: Minor
> Labels: ParserExtension
> Original Estimate: 72h
> Remaining Estimate: 72h
>

[jira] [Updated] (METRON-172) Improve Palo Alto parser

2016-05-23 Thread Sunny Kumar (JIRA)

[ https://issues.apache.org/jira/browse/METRON-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sunny Kumar updated METRON-172:
---
Description: 
Enhance the Palo Alto basic parser to support additional fields and more configurations.
Samples below:

<11>Jan  5 05:38:59 PAN1.exampleCustomer.com 1,2015/01/05 05:38:58,0006C110285,THREAT,vulnerability,1,2015/01/05 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\user.name,,web-browsing,vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,
-
{
  "source.type": "paloalto",
  "natDestinationIp": "0.0.0.0",
  "threatId": "HTTP: IIS Denial Of Service Attempt(40019)",
  "virtualSystem": "vsys1",
  "ipSrcPort": "54180",
  "subject": "",
  "type": "THREAT",
  "deviceName": "",
  "dstUserName": "",
  "cloud": "",
  "hostname": "PAN1.exampleCustomer.com",
  "protocol": "tcp",
  "original_string": "<11>Jan  5 05:38:59 PAN1.exampleCustomer.com 1,2015\/01\/05 05:38:58,0006C110285,THREAT,vulnerability,1,2015\/01\/05 05:38:58,10.0.0.115,216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,exampleuser.name,,web-browsing,vsys1,internal,external,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\",HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,",
  "egressInterface": "ethernet1\/1",
  "action": "reset-both",
  "ipSrcAddr": "10.0.0.115",
  "contentType": "",
  "repeatCount": "1",
  "deviceGroupHierarchyLevel1": "",
  "sequenceNumber": "347368099",
  "pcapId": "1200568889751109656",
  "deviceGroupHierarchyLevel3": "",
  "serialNumber": "0006C110285",
  "deviceGroupHierarchyLevel2": "",
  "sourceZone": "internal",
  "deviceGroupHierarchyLevel4": "",
  "srcUserName": "exampleuser.name",
  "priority": "11",
  "destinationZone": "external",
  "sender": "",
  "ipDstPort": "80",
  "miscellaneous": "\\\"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9\\\"",
  "flags": "0x80004000",
  "destinationLocation": "US",
  "fileDigest": "",
  "urlIndex": "",
  "generatedTime": "2015\/01\/05 05:38:58",
  "ipDstAddr": "216.0.10.198",
  "subtype": "vulnerability",
  "futureUse": "1",
  "ruleName": "EX-Allow",
  "logForwardingProfile": "LOG-Default",
  "timestamp": 1451972339000,
  "direction": "client-to-server",
  "severity": "high",
  "futureUse3": "2015\/01\/05 05:38:58",
  "reportId": "",
  "futureUse2": "1",
  "virtualSystemName": "",
  "natDestinationPort": "0",
  "userAgent": "",
  "sessionId": "12031",
  "ingressInterface": "ethernet1\/2",
  "natSourceIp": "0.0.0.0",
  "receiveTime": "2015\/01\/05 05:38:58",
  "actionFlags": "0x0",
  "referrer": "",
  "natSourcePort": "0",
  "application": "web-browsing",
  "recipient": "",
  "sourceLocation": "10.0.0.0-10.255.255.255",
  "futureUse5": "",
  "futureUse4": "0",
  "xForwardedFor": "",
  "category": "any",
  "fileType": ""
}

###

<14>Jan  5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015/01/05 12:51:01,30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,14
---
{
  "source.type": "paloalto",
  "natDestinationIp": "0.0.0.0",
  "virtualSystem": "vsys1",
  "ipSrcPort": "54266",
  "type": "TRAFFIC",
  "deviceName": "",
  "packets": "25",
  "dstUserName": "",
  "hostname": "PAN1.exampleCustomer.com",
  "protocol": "tcp",
  "original_string": "<14>Jan  5 12:51:34 PAN1.exampleCustomer.com 1,2015\/01\/05 12:51:33,0011C103117,TRAFFIC,end,1,2015\/01\/05 12:51:33,10.0.0.53,10.1.0.174,0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,ethernet1\/2,ethernet1\/1,LOG-Default,2015\/01\/05 12:51:33,33621086,1,54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015\/01\/05 12:51:01,30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,0,11,14",
  "egressInterface": "ethernet1\/1",
  "action": "allow",
  "packetsSent": "11",
  "ipSrcAddr": "10.0.0.53",
  "repeatCount": "1",
  "deviceGroupHierarchyLevel1": "",
  "sequenceNumber": "17754932075",
  "deviceGroupHierarchyLevel3": "",
  "serialNumber": "0011C103117",
  "deviceGroupHierarchyLevel2": "",
  "sourceZone": "v_external",
  "deviceGroupHierarchyLevel4": "",
  "srcUserName": "",
  "priority": "14",
  "destinationZone": "v_internal",
  "packetsReceived": "14",
  "ipDstPort": "40004",
  "flags": "0x401c",
  "destinationLocation": "10.0.0.0-10.255.255.255",
  "generatedTime": "2015\/01\/05 12:51:33",
  "ipDstAddr": "10.1.0.174",
  "subtype": "end",
  "futureUse": "1",
  "ruleName": "EX-EasyAV2",
  "startTime": "2015\/01\/05 12:51:01",
  "logForwardingProfile": "LOG-Default",
  "timestamp": 1451998294000,
  "futureUse3": "2015\/01\/05
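As an added example (not Metron's parser and not code from this ticket), the Python below parses the two sample lines above the way the output shows: the syslog PRI and header are split off, the body is read as CSV so the quoted URL column survives, the columns are mapped to the field names the JSON output uses, and a strict column count rejects a different PAN-OS layout instead of silently shifting fields. It also reproduces the ticket's timestamp value, which shows the header's missing year being filled in as 2016 while the body is dated 2015; the bytes and elapsedTime column names for TRAFFIC are assumptions, since the ticket's TRAFFIC output is cut off before them.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Column order of the CSV body as it appears in the ticket's THREAT sample, named
# with the keys the ticket's JSON output uses (added example, not Metron's parser).
THREAT_FIELDS = [
    "futureUse", "receiveTime", "serialNumber", "type", "subtype", "futureUse2",
    "generatedTime", "ipSrcAddr", "ipDstAddr", "natSourceIp", "natDestinationIp",
    "ruleName", "srcUserName", "dstUserName", "application", "virtualSystem",
    "sourceZone", "destinationZone", "ingressInterface", "egressInterface",
    "logForwardingProfile", "futureUse3", "sessionId", "repeatCount", "ipSrcPort",
    "ipDstPort", "natSourcePort", "natDestinationPort", "flags", "protocol",
    "action", "miscellaneous", "threatId", "category", "severity", "direction",
    "sequenceNumber", "actionFlags", "sourceLocation", "destinationLocation",
    "futureUse4", "contentType", "pcapId", "fileDigest", "cloud",
]
# TRAFFIC shares the first 31 columns; "bytes*" and "elapsedTime" are assumed
# names, because the ticket's TRAFFIC output is cut off before them.
TRAFFIC_FIELDS = THREAT_FIELDS[:31] + [
    "bytes", "bytesSent", "bytesReceived", "packets", "startTime", "elapsedTime",
    "category", "futureUse4", "sequenceNumber", "actionFlags", "sourceLocation",
    "destinationLocation", "futureUse5", "packetsSent", "packetsReceived",
]
FIELDS_BY_TYPE = {"THREAT": THREAT_FIELDS, "TRAFFIC": TRAFFIC_FIELDS}

# <PRI>, RFC 3164 timestamp (month, day, time, but no year), hostname, CSV body.
HEADER_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.+)$")

# The ticket's two samples joined into single lines, JIRA escaping removed (constructed).
THREAT_SAMPLE = (
    "<11>Jan  5 05:38:59 PAN1.exampleCustomer.com 1,2015/01/05 05:38:58,"
    "0006C110285,THREAT,vulnerability,1,2015/01/05 05:38:58,10.0.0.115,"
    "216.0.10.198,0.0.0.0,0.0.0.0,EX-Allow,example\\user.name,,web-browsing,"
    "vsys1,internal,external,ethernet1/2,ethernet1/1,LOG-Default,"
    "2015/01/05 05:38:58,12031,1,54180,80,0,0,0x80004000,tcp,reset-both,"
    '"ad.aspx?f=300x250=12;tile=1;ord=67AF705D60B1119C0F18BEA336F9",'
    "HTTP: IIS Denial Of Service Attempt(40019),any,high,client-to-server,"
    "347368099,0x0,10.0.0.0-10.255.255.255,US,0,,1200568889751109656,,"
)
TRAFFIC_SAMPLE = (
    "<14>Jan  5 12:51:34 PAN1.exampleCustomer.com 1,2015/01/05 12:51:33,"
    "0011C103117,TRAFFIC,end,1,2015/01/05 12:51:33,10.0.0.53,10.1.0.174,"
    "0.0.0.0,0.0.0.0,EX-EasyAV2,,,mssql-db,vsys1,v_external,v_internal,"
    "ethernet1/2,ethernet1/1,LOG-Default,2015/01/05 12:51:33,33621086,1,"
    "54266,40004,0,0,0x401c,tcp,allow,5325,3299,2026,25,2015/01/05 12:51:01,"
    "30,any,0,17754932075,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,"
    "0,11,14"
)


def syslog_epoch_ms(header_ts: str, year: int) -> int:
    """Epoch ms (UTC) for a header like 'Jan  5 05:38:59'. The header has no year,
    so one must be supplied: the ticket's 1451972339000 is 2016-01-05, i.e. the
    current year was assumed for a log whose body is dated 2015."""
    dt = datetime.strptime(f"{year} {header_ts}", "%Y %b %d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp()) * 1000


def body_epoch_ms(record: dict) -> int:
    """Epoch ms (UTC) from generatedTime, which carries the year (safer event time)."""
    dt = datetime.strptime(record["generatedTime"], "%Y/%m/%d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp()) * 1000


def parse_pan_syslog(line: str, year: int) -> dict:
    """Parse one PAN-OS THREAT or TRAFFIC syslog line into a flat dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a <PRI>-prefixed PAN-OS syslog line")
    pri, header_ts, host, body = m.groups()
    # A real CSV reader rather than str.split(","): the URL/miscellaneous
    # column is quoted and may itself contain commas. Its quotes are stripped.
    fields = next(csv.reader(io.StringIO(body)))
    names = FIELDS_BY_TYPE.get(fields[3]) if len(fields) > 3 else None
    if names is None:
        raise ValueError("unsupported or missing log type")
    if len(fields) != len(names):
        # Refuse rather than misalign: another column count means another PAN-OS
        # layout, and shifted fields silently poison downstream alerting.
        raise ValueError(f"{fields[3]}: expected {len(names)} columns, got {len(fields)}")
    record = dict(zip(names, fields))
    record.update({"source.type": "paloalto", "priority": pri, "hostname": host,
                   "timestamp": syslog_epoch_ms(header_ts, year), "original_string": line.strip()})
    return record
```

Comparing `record["timestamp"]` with `body_epoch_ms(record)` on the THREAT sample shows the one-year gap between the header-derived and body-derived event times.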
 

[jira] [Updated] (METRON-172) Improve Palo Alto parser

2016-05-23 Thread Sunny Kumar (JIRA)

[ https://issues.apache.org/jira/browse/METRON-172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sunny Kumar updated METRON-172:
---
Description: 
Enhance the Palo Alto basic parser to support additional fields and more configurations.