Skip to content

Commit

Permalink
Add pipeline test for Juniper SRX
Browse files Browse the repository at this point in the history 
There were pipeline errors while evaluating pipeline. One of the `if` conditions was causing an error due to a null value
so I change them do use the null-safe `?.`. This might be due to how the tests are run without the beats processor
(.e.g. add_locale), but it's still a safe change to make.

event.risk_category and event.severity needed `convert` processors to change their types.
  • Loading branch information
@andrewkroh
andrewkroh committed Dec 3, 2020
1 parent 0b59d52 commit 3ae0cca
Show file tree
Hide file tree
Showing 23 changed files with 6,344 additions and 14 deletions.
4 changes: 4 additions & 0 deletions packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
<14>1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host="www.mytest.com" file-category="executable" action="BLOCK" verdict-number="8" verdict-source=”cloud/blacklist/whitelist” source-address="10.10.10.1" source-port="57116" destination-address="187.19.188.200" destination-port="80" protocol-id="6" application="UNKNOWN" nested-application="UNKNOWN" policy-name="argon_policy" username="user1" session-id-32="50000002" source-zone-name="untrust" destination-zone-name="trust"]
<14>1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" sample-sha256="ABC123" client-ip="192.0.2.0" verdict-number="9" malware-info="Eicar:TestVirus" username="admin" hostname="host.example.com"]
<11>1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" client-ip="192.0.2.0" hostname="host.example.com" status="in_progress" policy-name="default" th="7" state="added" reason="malware" message="malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123"]
<165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="1.1.1.1" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"]
5 changes: 5 additions & 0 deletions packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-config.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
{
"dynamic_fields": {
"event.ingested": ".*"
}
}
316 changes: 316 additions & 0 deletions packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,316 @@
{
"expected": [
{
"server": {
"port": 80,
"ip": "187.19.188.200"
},
"_temp_": {},
"log": {
"level": "informational"
},
"destination": {
"geo": {
"continent_name": "South America",
"region_iso_code": "BR-CE",
"city_name": "Juazeiro do Norte",
"country_iso_code": "BR",
"country_name": "Brazil",
"region_name": "Ceara",
"location": {
"lon": -39.247,
"lat": -7.1467
}
},
"as": {
"number": 28126,
"organization": {
"name": "BRISANET SERVICOS DE TELECOMUNICACOES LTDA"
}
},
"port": 80,
"ip": "187.19.188.200"
},
"source": {
"port": 57116,
"user": {
"name": "user1"
},
"ip": "10.10.10.1"
},
"juniper": {
"srx": {
"process": "RT_AAMW",
"policy_name": "argon_policy",
"action": "BLOCK",
"verdict_number": "8",
"session_id_32": "50000002",
"tag": "SRX_AAMW_ACTION_LOG",
"verdict_source": "”cloud/blacklist/whitelist”",
"file_category": "executable"
}
},
"url": {
"domain": "www.mytest.com"
},
"network": {
"iana_number": "6"
},
"observer": {
"name": "pinarello",
"ingress": {
"zone": "untrust"
},
"product": "SRX",
"type": "firewall",
"vendor": "Juniper",
"egress": {
"zone": "trust"
}
},
"@timestamp": "2013-12-14T16:06:59.134Z",
"related": {
"hosts": [
"www.mytest.com"
],
"ip": [
"10.10.10.1",
"187.19.188.200"
]
},
"client": {
"port": 57116,
"ip": "10.10.10.1"
},
"event": {
"severity": 14,
"ingested": "2020-12-03T23:08:17.811974900Z",
"original": "http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"",
"kind": "alert",
"module": "juniper",
"action": "malware_detected",
"category": [
"network",
"malware"
],
"type": [
"info",
"denied",
"connection"
],
"dataset": "juniper.srx",
"outcome": "success"
}
},
{
"observer": {
"name": "host-example",
"product": "SRX",
"type": "firewall",
"vendor": "Juniper"
},
"_temp_": {},
"@timestamp": "2016-09-20T17:43:30.330Z",
"related": {
"hosts": [
"host.example.com"
],
"ip": [
"192.0.2.0"
]
},
"log": {
"level": "informational"
},
"source": {
"user": {
"name": "admin"
},
"domain": "host.example.com",
"ip": "192.0.2.0"
},
"juniper": {
"srx": {
"tenant_id": "ABC123456",
"process": "RT_AAMW",
"verdict_number": "9",
"sample_sha256": "ABC123",
"tag": "AAMW_MALWARE_EVENT_LOG",
"malware_info": "Eicar:TestVirus",
"timestamp": "2016-06-23T09:55:38.000Z"
}
},
"event": {
"severity": 14,
"ingested": "2020-12-03T23:08:17.811985700Z",
"original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"",
"kind": "alert",
"module": "juniper",
"action": "malware_detected",
"category": [
"network",
"malware"
],
"type": [
"info",
"denied",
"connection"
],
"dataset": "juniper.srx",
"outcome": "success"
}
},
{
"observer": {
"name": "host-example",
"product": "SRX",
"type": "firewall",
"vendor": "Juniper"
},
"_temp_": {},
"@timestamp": "2016-09-20T17:40:30.050Z",
"related": {
"hosts": [
"host.example.com"
],
"ip": [
"192.0.2.0"
]
},
"log": {
"level": "error"
},
"source": {
"domain": "host.example.com",
"ip": "192.0.2.0"
},
"juniper": {
"srx": {
"tenant_id": "ABC123456",
"reason": "malware",
"process": "RT_AAMW",
"th": "7",
"policy_name": "default",
"state": "added",
"tag": "AAMW_HOST_INFECTED_EVENT_LOG",
"message": "malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123",
"timestamp": "2016-06-23T09:55:38.000Z",
"status": "in_progress"
}
},
"event": {
"severity": 11,
"ingested": "2020-12-03T23:08:17.812027400Z",
"original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"",
"kind": "alert",
"module": "juniper",
"category": [
"network",
"malware"
],
"type": [
"allowed",
"connection"
],
"dataset": "juniper.srx",
"outcome": "success"
}
},
{
"server": {
"port": 80,
"ip": "10.0.0.1"
},
"_temp_": {},
"log": {
"level": "notification"
},
"destination": {
"port": 80,
"ip": "10.0.0.1"
},
"source": {
"geo": {
"continent_name": "Oceania",
"country_name": "Australia",
"location": {
"lon": 143.2104,
"lat": -33.494
},
"country_iso_code": "AU"
},
"as": {
"number": 13335,
"organization": {
"name": "Cloudflare, Inc."
}
},
"port": 60148,
"ip": "1.1.1.1",
"domain": "dummy_host"
},
"juniper": {
"srx": {
"process": "RT_AAMW",
"file_hash_lookup": "FALSE",
"file_name": "dummy_file",
"policy_name": "test-policy",
"verdict_number": "10",
"sample_sha256": "e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494",
"malware_info": "Testfile",
"url": "dummy_url",
"file_category": "executable",
"application": "HTTP",
"action": "PERMIT",
"session_id_32": "502156",
"tag": "AAMW_ACTION_LOG"
}
},
"network": {
"iana_number": "6"
},
"observer": {
"name": "aamw1",
"ingress": {
"zone": "Inside"
},
"product": "SRX",
"type": "firewall",
"vendor": "Juniper",
"egress": {
"zone": "Outside"
}
},
"@timestamp": "2007-02-15T09:17:15.719Z",
"related": {
"hosts": [
"dummy_host"
],
"ip": [
"1.1.1.1",
"10.0.0.1"
]
},
"client": {
"port": 60148,
"ip": "1.1.1.1"
},
"event": {
"severity": 165,
"ingested": "2020-12-03T23:08:17.812037900Z",
"original": "hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"",
"kind": "event",
"module": "juniper",
"category": [
"network"
],
"type": [
"allowed",
"connection"
],
"dataset": "juniper.srx",
"outcome": "success"
}
}
]
}
Loading

0 comments on commit 3ae0cca

Please sign in to comment.