Skip to content

Commit

Permalink
Add pipeline test for Juniper SRX (elastic#443)
Browse files Browse the repository at this point in the history
There were pipeline errors while evaluating pipeline. One of the `if` conditions was causing an error due to a null value
so I change them do use the null-safe `?.`. This might be due to how the tests are run without the beats processor
(.e.g. add_locale), but it's still a safe change to make.

event.risk_category and event.severity needed `convert` processors to change their types.
  • Loading branch information
andrewkroh authored Dec 9, 2020
1 parent 1a59046 commit 6af42b0
Show file tree
Hide file tree
Showing 23 changed files with 6,344 additions and 14 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
<14>1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host="www.mytest.com" file-category="executable" action="BLOCK" verdict-number="8" verdict-source=”cloud/blacklist/whitelist” source-address="10.10.10.1" source-port="57116" destination-address="187.19.188.200" destination-port="80" protocol-id="6" application="UNKNOWN" nested-application="UNKNOWN" policy-name="argon_policy" username="user1" session-id-32="50000002" source-zone-name="untrust" destination-zone-name="trust"]
<14>1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" sample-sha256="ABC123" client-ip="192.0.2.0" verdict-number="9" malware-info="Eicar:TestVirus" username="admin" hostname="host.example.com"]
<11>1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" client-ip="192.0.2.0" hostname="host.example.com" status="in_progress" policy-name="default" th="7" state="added" reason="malware" message="malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123"]
<165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="1.1.1.1" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"]
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
{
"dynamic_fields": {
"event.ingested": ".*"
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,316 @@
{
"expected": [
{
"server": {
"port": 80,
"ip": "187.19.188.200"
},
"_temp_": {},
"log": {
"level": "informational"
},
"destination": {
"geo": {
"continent_name": "South America",
"region_iso_code": "BR-CE",
"city_name": "Juazeiro do Norte",
"country_iso_code": "BR",
"country_name": "Brazil",
"region_name": "Ceara",
"location": {
"lon": -39.247,
"lat": -7.1467
}
},
"as": {
"number": 28126,
"organization": {
"name": "BRISANET SERVICOS DE TELECOMUNICACOES LTDA"
}
},
"port": 80,
"ip": "187.19.188.200"
},
"source": {
"port": 57116,
"user": {
"name": "user1"
},
"ip": "10.10.10.1"
},
"juniper": {
"srx": {
"process": "RT_AAMW",
"policy_name": "argon_policy",
"action": "BLOCK",
"verdict_number": "8",
"session_id_32": "50000002",
"tag": "SRX_AAMW_ACTION_LOG",
"verdict_source": "”cloud/blacklist/whitelist”",
"file_category": "executable"
}
},
"url": {
"domain": "www.mytest.com"
},
"network": {
"iana_number": "6"
},
"observer": {
"name": "pinarello",
"ingress": {
"zone": "untrust"
},
"product": "SRX",
"type": "firewall",
"vendor": "Juniper",
"egress": {
"zone": "trust"
}
},
"@timestamp": "2013-12-14T16:06:59.134Z",
"related": {
"hosts": [
"www.mytest.com"
],
"ip": [
"10.10.10.1",
"187.19.188.200"
]
},
"client": {
"port": 57116,
"ip": "10.10.10.1"
},
"event": {
"severity": 14,
"ingested": "2020-12-03T23:08:17.811974900Z",
"original": "http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"",
"kind": "alert",
"module": "juniper",
"action": "malware_detected",
"category": [
"network",
"malware"
],
"type": [
"info",
"denied",
"connection"
],
"dataset": "juniper.srx",
"outcome": "success"
}
},
{
"observer": {
"name": "host-example",
"product": "SRX",
"type": "firewall",
"vendor": "Juniper"
},
"_temp_": {},
"@timestamp": "2016-09-20T17:43:30.330Z",
"related": {
"hosts": [
"host.example.com"
],
"ip": [
"192.0.2.0"
]
},
"log": {
"level": "informational"
},
"source": {
"user": {
"name": "admin"
},
"domain": "host.example.com",
"ip": "192.0.2.0"
},
"juniper": {
"srx": {
"tenant_id": "ABC123456",
"process": "RT_AAMW",
"verdict_number": "9",
"sample_sha256": "ABC123",
"tag": "AAMW_MALWARE_EVENT_LOG",
"malware_info": "Eicar:TestVirus",
"timestamp": "2016-06-23T09:55:38.000Z"
}
},
"event": {
"severity": 14,
"ingested": "2020-12-03T23:08:17.811985700Z",
"original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"",
"kind": "alert",
"module": "juniper",
"action": "malware_detected",
"category": [
"network",
"malware"
],
"type": [
"info",
"denied",
"connection"
],
"dataset": "juniper.srx",
"outcome": "success"
}
},
{
"observer": {
"name": "host-example",
"product": "SRX",
"type": "firewall",
"vendor": "Juniper"
},
"_temp_": {},
"@timestamp": "2016-09-20T17:40:30.050Z",
"related": {
"hosts": [
"host.example.com"
],
"ip": [
"192.0.2.0"
]
},
"log": {
"level": "error"
},
"source": {
"domain": "host.example.com",
"ip": "192.0.2.0"
},
"juniper": {
"srx": {
"tenant_id": "ABC123456",
"reason": "malware",
"process": "RT_AAMW",
"th": "7",
"policy_name": "default",
"state": "added",
"tag": "AAMW_HOST_INFECTED_EVENT_LOG",
"message": "malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123",
"timestamp": "2016-06-23T09:55:38.000Z",
"status": "in_progress"
}
},
"event": {
"severity": 11,
"ingested": "2020-12-03T23:08:17.812027400Z",
"original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"",
"kind": "alert",
"module": "juniper",
"category": [
"network",
"malware"
],
"type": [
"allowed",
"connection"
],
"dataset": "juniper.srx",
"outcome": "success"
}
},
{
"server": {
"port": 80,
"ip": "10.0.0.1"
},
"_temp_": {},
"log": {
"level": "notification"
},
"destination": {
"port": 80,
"ip": "10.0.0.1"
},
"source": {
"geo": {
"continent_name": "Oceania",
"country_name": "Australia",
"location": {
"lon": 143.2104,
"lat": -33.494
},
"country_iso_code": "AU"
},
"as": {
"number": 13335,
"organization": {
"name": "Cloudflare, Inc."
}
},
"port": 60148,
"ip": "1.1.1.1",
"domain": "dummy_host"
},
"juniper": {
"srx": {
"process": "RT_AAMW",
"file_hash_lookup": "FALSE",
"file_name": "dummy_file",
"policy_name": "test-policy",
"verdict_number": "10",
"sample_sha256": "e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494",
"malware_info": "Testfile",
"url": "dummy_url",
"file_category": "executable",
"application": "HTTP",
"action": "PERMIT",
"session_id_32": "502156",
"tag": "AAMW_ACTION_LOG"
}
},
"network": {
"iana_number": "6"
},
"observer": {
"name": "aamw1",
"ingress": {
"zone": "Inside"
},
"product": "SRX",
"type": "firewall",
"vendor": "Juniper",
"egress": {
"zone": "Outside"
}
},
"@timestamp": "2007-02-15T09:17:15.719Z",
"related": {
"hosts": [
"dummy_host"
],
"ip": [
"1.1.1.1",
"10.0.0.1"
]
},
"client": {
"port": 60148,
"ip": "1.1.1.1"
},
"event": {
"severity": 165,
"ingested": "2020-12-03T23:08:17.812037900Z",
"original": "hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"",
"kind": "event",
"module": "juniper",
"category": [
"network"
],
"type": [
"allowed",
"connection"
],
"dataset": "juniper.srx",
"outcome": "success"
}
}
]
}
Loading

0 comments on commit 6af42b0

Please sign in to comment.