From 3ae0cca0aefd7708536a18286c5c7da70713a50d Mon Sep 17 00:00:00 2001 
From: Andrew Kroh
Date: Thu, 3 Dec 2020 18:15:13 -0500
Subject: [PATCH] Add pipeline test for Juniper SRX

There were pipeline errors while evaluating the pipeline. One of the `if` conditions was causing an error due to a null value, so I changed them to use the null-safe `?.`. This might be due to how the tests are run without the beats processor (e.g. add_locale), but it's still a safe change to make.

event.risk_category and event.severity needed `convert` processors to change their types.

---
 .../srx/_dev/test/pipeline/test-atp.log | 4 +
 .../test/pipeline/test-atp.log-config.json | 5 +
 .../test/pipeline/test-atp.log-expected.json | 316 ++
 .../srx/_dev/test/pipeline/test-flow.log | 25 +
 .../test/pipeline/test-flow.log-config.json | 5 +
 .../test/pipeline/test-flow.log-expected.json | 2992 +++++++++++++++++
 .../srx/_dev/test/pipeline/test-idp.log | 7 +
 .../test/pipeline/test-idp.log-config.json | 5 +
 .../test/pipeline/test-idp.log-expected.json | 742 ++++
 .../srx/_dev/test/pipeline/test-ids.log | 12 +
 .../test/pipeline/test-ids.log-config.json | 5 +
 .../test/pipeline/test-ids.log-expected.json | 999 ++++++
 .../srx/_dev/test/pipeline/test-secintel.log | 2 +
 .../pipeline/test-secintel.log-config.json | 5 +
 .../pipeline/test-secintel.log-expected.json | 198 ++
 .../srx/_dev/test/pipeline/test-utm.log | 12 +
 .../test/pipeline/test-utm.log-config.json | 5 +
 .../test/pipeline/test-utm.log-expected.json | 986 ++++++
 .../elasticsearch/ingest_pipeline/default.yml | 17 +-
 .../elasticsearch/ingest_pipeline/flow.yml | 6 +-
 .../srx/elasticsearch/ingest_pipeline/utm.yml | 6 +-
 .../juniper/data_stream/srx/fields/fields.yml | 2 +-
 packages/juniper/manifest.yml | 2 +-
 23 files changed, 6344 insertions(+), 14 deletions(-)
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-config.json
 create mode 100644 
packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-config.json
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-config.json
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-config.json
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-config.json
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-config.json
 create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log
new file mode 100644
index 000000000000..95c8210f038a
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log
@@ -0,0 +1,4 @@
+<14>1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host="www.mytest.com" file-category="executable" action="BLOCK" verdict-number="8" verdict-source=”cloud/blacklist/whitelist” source-address="10.10.10.1" source-port="57116" destination-address="187.19.188.200" destination-port="80" protocol-id="6" application="UNKNOWN" nested-application="UNKNOWN" policy-name="argon_policy" username="user1" session-id-32="50000002" source-zone-name="untrust" destination-zone-name="trust"]
+<14>1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" sample-sha256="ABC123" client-ip="192.0.2.0" verdict-number="9" malware-info="Eicar:TestVirus" username="admin" hostname="host.example.com"]
+<11>1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp="Thu Jun 23 09:55:38 2016" tenant-id="ABC123456" client-ip="192.0.2.0" hostname="host.example.com" status="in_progress" policy-name="default" th="7" state="added" reason="malware" message="malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123"]
+<165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="1.1.1.1" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"]
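Review bot: The first sample line wraps the verdict-source value in typographic quotes (`verdict-source=”cloud/blacklist/whitelist”`), and the expected output for that line shows the pipeline keeping them inside the value (`"verdict_source": "”cloud/blacklist/whitelist”"`), which is unlikely to match what a device emits and will not compare equal to a plain `cloud/blacklist/whitelist` in any rule or dashboard. These lines were presumably copied from vendor documentation rather than captured from a device; if the fixture is meant to be realistic, change it to `verdict-source="cloud/blacklist/whitelist"` and regenerate the expected file. If the intent is to pin how the KV parser handles non-ASCII quotes, say so in the PR description so the odd expected value is not "fixed" later. The same quote style appears in test-flow.log on the APPTRACK lines (`destination-interface-name=”st0.0”`, `profile-name=”pf1”`, `apbr-rule-type=”default”`), and the same choice should be made there.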
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-config.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-config.json
new file mode 100644
index 000000000000..f71947c2f042
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-config.json
@@ -0,0 +1,5 @@
+{
+ "dynamic_fields": {
+ "event.ingested": ".*"
+ }
+}
\ No newline at end of file
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
new file mode 100644
index 000000000000..50232a41bd7b
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
@@ -0,0 +1,316 @@ +{ + "expected": [ + { + "server": { + "port": 80, + "ip": "187.19.188.200" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "geo": { + "continent_name": "South America", + "region_iso_code": "BR-CE", + "city_name": "Juazeiro do Norte", + "country_iso_code": "BR", + "country_name": "Brazil", + "region_name": "Ceara", + "location": { + "lon": -39.247, + "lat": -7.1467 + } + }, + "as": { + "number": 28126, + "organization": { + "name": "BRISANET SERVICOS DE TELECOMUNICACOES LTDA" + } + }, + "port": 80, + "ip": "187.19.188.200" + }, + "source": { + "port": 57116, + "user": { + "name": "user1" + }, + "ip": "10.10.10.1" + }, + "juniper": { + "srx": { + "process": "RT_AAMW", + "policy_name": "argon_policy", + "action": "BLOCK", + "verdict_number": "8", + "session_id_32": "50000002", + "tag": "SRX_AAMW_ACTION_LOG", + "verdict_source": "”cloud/blacklist/whitelist”", + "file_category": "executable" + } + }, + "url": { + "domain": "www.mytest.com" + }, + "network": { + "iana_number": "6" + }, + "observer": { + "name": "pinarello", + "ingress": { + "zone": "untrust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "trust" + } + }, + "@timestamp": "2013-12-14T16:06:59.134Z", + "related": { + "hosts": [ + "www.mytest.com" + ], + "ip": [ + "10.10.10.1", + "187.19.188.200" + ] + }, + "client": { + "port": 57116, + "ip": "10.10.10.1" + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:17.811974900Z", + "original": "http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" 
destination-zone-name=\"trust\"", + "kind": "alert", + "module": "juniper", + "action": "malware_detected", + "category": [ + "network", + "malware" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "observer": { + "name": "host-example", + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "_temp_": {}, + "@timestamp": "2016-09-20T17:43:30.330Z", + "related": { + "hosts": [ + "host.example.com" + ], + "ip": [ + "192.0.2.0" + ] + }, + "log": { + "level": "informational" + }, + "source": { + "user": { + "name": "admin" + }, + "domain": "host.example.com", + "ip": "192.0.2.0" + }, + "juniper": { + "srx": { + "tenant_id": "ABC123456", + "process": "RT_AAMW", + "verdict_number": "9", + "sample_sha256": "ABC123", + "tag": "AAMW_MALWARE_EVENT_LOG", + "malware_info": "Eicar:TestVirus", + "timestamp": "2016-06-23T09:55:38.000Z" + } + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:17.811985700Z", + "original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"", + "kind": "alert", + "module": "juniper", + "action": "malware_detected", + "category": [ + "network", + "malware" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "observer": { + "name": "host-example", + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "_temp_": {}, + "@timestamp": "2016-09-20T17:40:30.050Z", + "related": { + "hosts": [ + "host.example.com" + ], + "ip": [ + "192.0.2.0" + ] + }, + "log": { + "level": "error" + }, + "source": { + "domain": "host.example.com", + "ip": "192.0.2.0" + }, + "juniper": { + "srx": { + "tenant_id": "ABC123456", + "reason": "malware", + "process": "RT_AAMW", + "th": "7", + "policy_name": "default", + "state": 
"added", + "tag": "AAMW_HOST_INFECTED_EVENT_LOG", + "message": "malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123", + "timestamp": "2016-06-23T09:55:38.000Z", + "status": "in_progress" + } + }, + "event": { + "severity": 11, + "ingested": "2020-12-03T23:08:17.812027400Z", + "original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"", + "kind": "alert", + "module": "juniper", + "category": [ + "network", + "malware" + ], + "type": [ + "allowed", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "ip": "10.0.0.1" + }, + "_temp_": {}, + "log": { + "level": "notification" + }, + "destination": { + "port": 80, + "ip": "10.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." 
+ } + }, + "port": 60148, + "ip": "1.1.1.1", + "domain": "dummy_host" + }, + "juniper": { + "srx": { + "process": "RT_AAMW", + "file_hash_lookup": "FALSE", + "file_name": "dummy_file", + "policy_name": "test-policy", + "verdict_number": "10", + "sample_sha256": "e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494", + "malware_info": "Testfile", + "url": "dummy_url", + "file_category": "executable", + "application": "HTTP", + "action": "PERMIT", + "session_id_32": "502156", + "tag": "AAMW_ACTION_LOG" + } + }, + "network": { + "iana_number": "6" + }, + "observer": { + "name": "aamw1", + "ingress": { + "zone": "Inside" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "Outside" + } + }, + "@timestamp": "2007-02-15T09:17:15.719Z", + "related": { + "hosts": [ + "dummy_host" + ], + "ip": [ + "1.1.1.1", + "10.0.0.1" + ] + }, + "client": { + "port": 60148, + "ip": "1.1.1.1" + }, + "event": { + "severity": 165, + "ingested": "2020-12-03T23:08:17.812037900Z", + "original": "hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"", + "kind": "event", + "module": "juniper", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + } + ] +} \ No newline at end of file 
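Review bot: Every expected document still carries `"_temp_": {}`, so the pipeline (not visible in this hunk) leaves an empty working object in the indexed event; a trailing `remove` processor on `_temp_` with `ignore_missing: true` in default.yml would drop it, and these fixtures would then be regenerated without it. Separately, `event.severity` holds the full syslog PRI (14, 11, 165) while `log.level` is derived from the severity bits of the same PRI (`<11>` gives `error`, `<165>` gives `notification`); anyone alerting on `event.severity` will be comparing against facility*8+severity rather than the 0-7 syslog severity. If that is intentional it deserves a comment next to the convert processor mentioned in the description; otherwise the field should be computed from the severity bits. This is inferred from the fixture alone since default.yml is not in this patch excerpt.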
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log
new file mode 100644
index 000000000000..400bceceeeef
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log
@@ -0,0 +1,25 @@
+<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address="10.0.0.1" source-port="594" destination-address="10.128.0.1" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="10.128.0.1" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"]
+<14>1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.134 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"]
+<14>1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="1.2.3.4" source-port="56639" destination-address="5.6.7.8" destination-port="2003" service-name="None" protocol-id="6" icmp-type="0" policy-name="log-all-else" source-zone-name="campus" destination-zone-name="mngmt" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth6.0" encrypted="No "]
+<14>1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason="unset" source-address="1.2.3.4" source-port="63456" destination-address="5.6.7.8" destination-port="902" service-name="None" nat-source-address="1.2.3.4" nat-source-port="63456" nat-destination-address="5.6.7.8" nat-destination-port="902" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-name="mngmt-to-vcenter" source-zone-name="mngmt" destination-zone-name="intra" session-id-32="15353" packets-from-client="1" bytes-from-client="94" packets-from-server="0" bytes-from-server="0" elapsed-time="60" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth3.5" encrypted="No "]
+<14>1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.35 source-address="50.0.0.100" source-port="24065" destination-address="30.0.0.100" destination-port="768" service-name="icmp" nat-source-address="50.0.0.100" nat-source-port="24065" nat-destination-address="30.0.0.100" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"]
+<14>1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2626.192.0.2.1.40 source-address="192.0.2.1" source-port="1" destination-address="198.51.100.12" destination-port="46384" service-name="icmp" nat-source-address="192.0.2.1" nat-source-port="1" nat-destination-address="18.51.100.12" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packet-incoming-interface="ge-0/0/1.0"]
+<14>1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2626.192.0.2.1.40 reason="response received" source-address="192.0.2.1" source-port="1" destination-address="198.51.100.12" destination-port="46384" service-name="icmp" nat-source-address="192.0.2.1" nat-source-port="1" nat-destination-address="18.51.100.12" nat-destination-port="46384" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="policy1" source-zone-name="trustZone" destination-zone-name="untrustZone" session-id-32="41" packets-from-client="1" bytes-from-client="84" packets-from-server="1" bytes-from-server="84" elapsed-time="0" packet-incoming-interface="ge-0/0/1.0"]
+<14>1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.3.255.203" source-port="47776" destination-address="8.23.224.110" destination-port="80" connection-tag="0" service-name="junos-http" nat-source-address="10.3.136.49" nat-source-port="19162" nat-destination-address="8.23.224.110" nat-destination-port="80" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="nat1" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit_all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="5" packets-from-client="6" bytes-from-client="337" packets-from-server="4" bytes-from-server="535" elapsed-time="1" application="HTTP" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" application-category="Web" application-sub-category="N/A" application-risk="4" application-characteristics="Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;"]
+<14>1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.58 reason="TCP RST" source-address="192.168.2.164" source-port="53232" destination-address="172.16.1.19" destination-port="445" service-name="junos-smb" nat-source-address="192.168.2.164" nat-source-port="53232" nat-destination-address="172.16.1.19" nat-destination-port="445" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="35" source-zone-name="Trust" destination-zone-name="Trust" session-id-32="206" packets-from-client="13" bytes-from-client="4274" packets-from-server="9" bytes-from-server="1575" elapsed-time="16" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/2.0"]
+<14>1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.34 reason="idle Timeout" source-address="100.73.10.92" source-port="52890" destination-address="58.68.126.198" destination-port="53" service-name="junos-dns-udp" nat-source-address="58.78.140.131" nat-source-port="11152" nat-destination-address="58.68.126.198" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="NAT_S" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="NAT" source-zone-name="Gi_nat" destination-zone-name="Internet" session-id-32="220368889" packets-from-client="1" bytes-from-client="72" packets-from-server="1" bytes-from-server="136" elapsed-time="8" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.108" encrypted="UNKNOWN"]
+<14>1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="idle Timeout" source-address="192.168.255.2" source-port="62047" destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" nat-source-address="192.168.0.47" nat-source-port="20215" nat-destination-address="8.8.8.8" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="rule001" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="trust-to-untrust-001" source-zone-name="trust" destination-zone-name="untrust" session-id-32="9621" packets-from-client="1" bytes-from-client="67" packets-from-server="1" bytes-from-server="116" elapsed-time="3" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="fe-0/0/1.0" encrypted="UNKNOWN"]
+<14>1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="application failure or action" source-address="10.164.110.223" source-port="9057" destination-address="10.104.12.161" destination-port="21" service-name="junos-ftp" nat-source-address="10.9.1.150" nat-source-port="58020" nat-destination-address="10.12.70.1" nat-destination-port="21" src-nat-rule-name="SNAT-Policy5" dst-nat-rule-name="NAT-Policy10" protocol-id="6" policy-name="FW-FTP" source-zone-name="trust" destination-zone-name="untrust" session-id-32="24311" packets-from-client="0" bytes-from-client="0" packets-from-server="0" bytes-from-server="0" elapsed-time="1" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="reth0.0" encrypted="No "]
+<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.41 source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" username="N/A" roles="N/A" encrypted="N/A"]
+<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.41 source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="1" bytes-from-client="48" packets-from-server="0" bytes-from-server="0" elapsed-time="0" username="N/A" roles="N/A" encrypted="N/A"]
+<14>1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason="application failure or action" source-address="192.168.224.30" source-port="3129" destination-address="207.17.137.56" destination-port="21" service-name="junos-ftp" application="FTP" nested-application="UNKNOWN" nat-source-address="173.167.224.7" nat-source-port="14406" nat-destination-address="207.17.137.56" nat-destination-port="21" src-nat-rule-name="1" dst-nat-rule-name="None" protocol-id="6" policy-name="General-Outbound" source-zone-name="LAN" destination-zone-name="Danger" session-id-32="5058" packets-from-client="3" bytes-from-client="144" packets-from-server="2" bytes-from-server="104" elapsed-time="1" username="N/A" roles="N/A" encrypted="N/A"]
+<14>1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”]
+<14>1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" username="user1" roles="DEPT1" encrypted="No" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”]
+<14>1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”]
+<14>1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.35 source-address="50.0.0.100" source-port="24065" destination-address="30.0.0.100" destination-port="768" service-name="icmp" nat-source-address="50.0.0.100" nat-source-port="24065" nat-destination-address="30.0.0.100" nat-destination-port="768" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="alg-policy" source-zone-name="untrust" destination-zone-name="trust" session-id-32="100000165" username="N/A" roles="N/A" packet-incoming-interface="reth2.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"]
+<14>1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@2636.1.1.1.2.134 source-address="10.0.0.26" source-port="37233" destination-address="10.128.0.1" destination-port="161" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="MgmtAccess-trust-cleanup" source-zone-name="trust" destination-zone-name="junos-host" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface=".local..0" encrypted="No" reason="Denied by policy" session-id-32="7087" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"]
+<14>1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@2636.1.1.1.2.129 reason="TCP CLIENT RST" source-address="4.0.0.1" source-port="48873" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="4.0.0.1" nat-source-port="48873" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="32" packets-from-client="5" bytes-from-client="392" packets-from-server="3" bytes-from-server="646" elapsed-time="3" username="user1" roles="DEPT1" encrypted="No" destination-interface-name=”st0.0” apbr-rule-type=”default”]
+<14>1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="10.1.1.100" source-port="58943" destination-address="46.165.154.241" destination-port="80" service-name="junos-http" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="6018" nat-destination-address="46.165.154.241" nat-destination-port="80" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="16118" packets-from-client="42" bytes-from-client="2322" packets-from-server="34" bytes-from-server="2132" elapsed-time="60" username="N/A" roles="N/A" encrypted="No" destination-interface-name="ge-0/0/0.0" category="N/A" sub-category="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"]
+<14>1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="10.1.1.100" source-port="64720" destination-address="91.228.167.172" destination-port="8883" connection-tag="0" service-name="None" nat-source-address="172.19.34.100" nat-source-port="24519" nat-destination-address="91.228.167.172" nat-destination-port="8883" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="3851" packets-from-client="161" bytes-from-client="9530" packets-from-server="96" bytes-from-server="9670" elapsed-time="23755" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="0.0.0.0" peer-source-port="0" peer-destination-address="0.0.0.0" peer-destination-port="0" hostname="NA NA" src-vrf-grp="N/A" dst-vrf-grp="N/A"]
+<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.100" source-port="49583" destination-address="8.8.8.8" destination-port="53" connection-tag="0" service-name="junos-dns-udp" nat-source-address="172.19.34.100" nat-source-port="30838" nat-destination-address="8.8.8.8" nat-destination-port="53" nat-connection-tag="0" src-nat-rule-type="source rule" src-nat-rule-name="our-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15399" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"]
+<14>1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="Closed by junos-alg" source-address="10.1.1.100" source-port="63381" destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" application="UNKNOWN" nested-application="UNKNOWN" nat-source-address="172.19.34.100" nat-source-port="26764" nat-destination-address="8.8.8.8" nat-destination-port="53" src-nat-rule-name="our-nat-rule" dst-nat-rule-name="N/A" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="15361" packets-from-client="1" bytes-from-client="66" packets-from-server="1" bytes-from-server="82" elapsed-time="3" username="N/A" roles="N/A" encrypted="No" profile-name="N/A" rule-name="N/A" routing-instance="default" destination-interface-name="ge-0/0/0.0" uplink-incoming-interface-name="N/A" uplink-tx-bytes="0" uplink-rx-bytes="0" category="N/A" sub-category="N/A" apbr-policy-name="N/A" multipath-rule-name="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"]
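Review bot: Three lines (both fw01 entries and the VPNBox-A entry) carry `encrypted="No "` with a trailing space inside the quotes, so unless the pipeline trims KV values, `juniper.srx.encrypted` will be `"No "` for those events and will not match the `No` produced by the other lines in a term filter or rule. If these lines were captured verbatim and the trailing space is what the device emits, a `trim` processor on that field in flow.yml is the more robust fix; if it is a copy-paste artifact, drop the space from the fixture and regenerate the expected file. The fixture also mixes real public addresses (8.23.224.110, 58.68.126.198, 46.165.154.241, 91.228.167.172) with RFC 5737 ranges; given that the atp expected file shows GeoIP and AS enrichment for public addresses, the expected output for these lines presumably depends on whatever database the test runner ships, which makes the fixture more brittle than it needs to be.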
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-config.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-config.json
new file mode 100644
index 000000000000..f71947c2f042
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-config.json
@@ -0,0 +1,5 @@
+{
+ "dynamic_fields": {
+ "event.ingested": ".*"
+ }
+}
\ No newline at end of file
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json
new file mode 100644
index 000000000000..65597f0e563e
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json
@@ -0,0 +1,2992 @@ +{ + "expected": [ + { + "server": { + "nat": { + "port": 10400 + }, + "port": 10400, + "ip": "10.128.0.1" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 10400, + "ip": "10.128.0.1" + }, + "port": 10400, + "ip": "10.128.0.1" + }, + "rule": { + "name": "vpn_trust_permit-all" + }, + "source": { + "nat": { + "port": 594, + "ip": "10.0.0.1" + }, + "port": 594, + "ip": "10.0.0.1" + }, + "juniper": { + "srx": { + "process": "RT_FLOW", + "session_id_32": "6093", + "connection_tag": "0", + "nat_connection_tag": "0", + "tag": "RT_FLOW_SESSION_CREATE", + "service_name": "icmp" + } + }, + "network": { + "iana_number": "1" + }, + "observer": { + "name": "SRX-GW1", + "ingress": { + "interface": { + "name": "st0.0" + }, + "zone": "vpn" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "trust" + } + }, + "@timestamp": "2019-11-14T08:37:51.184Z", + "related": { + "ip": [ + "10.0.0.1", + "10.128.0.1", + "10.0.0.1", + "10.128.0.1" + ] + }, + "client": { + "nat": { + "port": 594 + }, + "port": 594, + "ip": "10.0.0.1" + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:18.680407Z", + "original": "source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" 
application-risk=\"1\" application-characteristics=\"N/A\"", + "risk_score": 1.0, + "kind": "event", + "module": "juniper", + "action": "flow_started", + "category": [ + "network" + ], + "type": [ + "start", + "allowed", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 161, + "ip": "10.128.0.1" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "port": 161, + "ip": "10.128.0.1" + }, + "rule": { + "name": "MgmtAccess-trust-cleanup" + }, + "source": { + "port": 37233, + "ip": "10.0.0.26" + }, + "juniper": { + "srx": { + "reason": "Denied by policy", + "icmp_type": "0", + "process": "RT_FLOW", + "connection_tag": "0", + "encrypted": "No", + "session_id_32": "7087", + "tag": "RT_FLOW_SESSION_DENY" + } + }, + "network": { + "iana_number": "17" + }, + "observer": { + "name": "SRX-GW1", + "ingress": { + "interface": { + "name": ".local..0" + }, + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "junos-host" + } + }, + "@timestamp": "2019-11-14T10:12:46.573Z", + "related": { + "ip": [ + "10.0.0.26", + "10.128.0.1" + ] + }, + "client": { + "port": 37233, + "ip": "10.0.0.26" + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:18.680420600Z", + "original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", + "risk_score": 1.0, + "kind": "event", + "module": 
"juniper", + "action": "flow_deny", + "category": [ + "network" + ], + "type": [ + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 2003, + "ip": "5.6.7.8" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "country_name": "Germany", + "location": { + "lon": 9.491, + "lat": 51.2993 + }, + "country_iso_code": "DE" + }, + "as": { + "number": 6805, + "organization": { + "name": "Telefonica Germany" + } + }, + "port": 2003, + "ip": "5.6.7.8" + }, + "rule": { + "name": "log-all-else" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "RU-MOW", + "city_name": "Moscow", + "country_iso_code": "RU", + "country_name": "Russia", + "region_name": "Moscow", + "location": { + "lon": 37.6172, + "lat": 55.7527 + } + }, + "port": 56639, + "ip": "1.2.3.4" + }, + "juniper": { + "srx": { + "icmp_type": "0", + "process": "RT_FLOW", + "tag": "RT_FLOW_SESSION_DENY", + "encrypted": "No " + } + }, + "network": { + "iana_number": "6" + }, + "observer": { + "name": "fw01", + "ingress": { + "interface": { + "name": "reth6.0" + }, + "zone": "campus" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "mngmt" + } + }, + "@timestamp": "2014-05-01T08:26:51.179Z", + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "client": { + "port": 56639, + "ip": "1.2.3.4" + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:18.680430500Z", + "original": "source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"", + "kind": "event", + "module": 
"juniper", + "action": "flow_deny", + "category": [ + "network" + ], + "type": [ + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 902 + }, + "port": 902, + "bytes": 0, + "packets": 0, + "ip": "5.6.7.8" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 902, + "ip": "5.6.7.8" + }, + "geo": { + "continent_name": "Europe", + "country_name": "Germany", + "location": { + "lon": 9.491, + "lat": 51.2993 + }, + "country_iso_code": "DE" + }, + "as": { + "number": 6805, + "organization": { + "name": "Telefonica Germany" + } + }, + "port": 902, + "bytes": 0, + "ip": "5.6.7.8", + "packets": 0 + }, + "rule": { + "name": "mngmt-to-vcenter" + }, + "source": { + "nat": { + "port": 63456, + "ip": "1.2.3.4" + }, + "geo": { + "continent_name": "Europe", + "region_iso_code": "RU-MOW", + "city_name": "Moscow", + "country_iso_code": "RU", + "country_name": "Russia", + "region_name": "Moscow", + "location": { + "lon": 37.6172, + "lat": 55.7527 + } + }, + "port": 63456, + "bytes": 94, + "packets": 1, + "ip": "1.2.3.4" + }, + "juniper": { + "srx": { + "reason": "unset", + "process": "RT_FLOW", + "session_id_32": "15353", + "tag": "RT_FLOW_SESSION_CLOSE", + "encrypted": "No " + } + }, + "network": { + "bytes": 94, + "iana_number": "17", + "packets": 1 + }, + "observer": { + "name": "fw01", + "ingress": { + "interface": { + "name": "reth3.5" + }, + "zone": "mngmt" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "intra" + } + }, + "@timestamp": "2014-05-01T08:28:10.933Z", + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8", + "1.2.3.4", + "5.6.7.8" + ] + }, + "client": { + "nat": { + "port": 63456 + }, + "port": 63456, + "bytes": 94, + "packets": 1, + "ip": "1.2.3.4" + }, + "event": { + "severity": 14, + "original": "reason=\"unset\" source-address=\"1.2.3.4\" source-port=\"63456\" destination-address=\"5.6.7.8\" 
destination-port=\"902\" service-name=\"None\" nat-source-address=\"1.2.3.4\" nat-source-port=\"63456\" nat-destination-address=\"5.6.7.8\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"", + "kind": "event", + "module": "juniper", + "start": "2014-05-01T08:28:10.933Z", + "type": [ + "end", + "allowed", + "connection" + ], + "duration": 60000000000, + "ingested": "2020-12-03T23:08:18.680439200Z", + "action": "flow_close", + "end": "2014-05-01T08:29:10.933Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 768 + }, + "port": 768, + "ip": "30.0.0.100" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 768, + "ip": "30.0.0.100" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "port": 768, + "ip": "30.0.0.100" + }, + "rule": { + "name": "alg-policy" + }, + "source": { + "nat": { + "port": 24065, + "ip": "50.0.0.100" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "port": 24065, + "ip": "50.0.0.100" + }, + "juniper": { + "srx": { + "process": "RT_FLOW", + "session_id_32": "100000165", + "tag": "RT_FLOW_SESSION_CREATE", + "service_name": "icmp" + } + }, + "network": { + "iana_number": "1" + }, + "observer": { + "name": "cixi", + "ingress": { + "interface": { + 
"name": "reth2.0" + }, + "zone": "untrust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "trust" + } + }, + "@timestamp": "2013-11-04T16:23:09.264Z", + "related": { + "ip": [ + "50.0.0.100", + "30.0.0.100", + "50.0.0.100", + "30.0.0.100" + ] + }, + "client": { + "nat": { + "port": 24065 + }, + "port": 24065, + "ip": "50.0.0.100" + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:18.680449500Z", + "original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", + "kind": "event", + "module": "juniper", + "action": "flow_started", + "category": [ + "network" + ], + "type": [ + "start", + "allowed", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 46384 + }, + "port": 46384, + "ip": "198.51.100.12" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 46384, + "ip": "18.51.100.12" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "port": 46384, + "ip": "198.51.100.12" + }, + "rule": { + "name": "policy1" + }, + "source": { + "nat": { + "port": 1, + "ip": "192.0.2.1" + }, + "port": 1, + "ip": "192.0.2.1" + }, + "juniper": { + "srx": { + "process": "RT_FLOW", + "session_id_32": "41", + "tag": "RT_FLOW_SESSION_CREATE", + 
"service_name": "icmp" + } + }, + "network": { + "iana_number": "1" + }, + "observer": { + "name": "mrpp-srx550-dut01", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trustZone" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "untrustZone" + } + }, + "@timestamp": "2010-09-30T06:55:04.323Z", + "related": { + "ip": [ + "192.0.2.1", + "198.51.100.12", + "192.0.2.1", + "18.51.100.12" + ] + }, + "client": { + "nat": { + "port": 1 + }, + "port": 1, + "ip": "192.0.2.1" + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:18.680457500Z", + "original": "source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"", + "kind": "event", + "module": "juniper", + "action": "flow_started", + "category": [ + "network" + ], + "type": [ + "start", + "allowed", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 46384 + }, + "port": 46384, + "bytes": 84, + "packets": 1, + "ip": "198.51.100.12" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 46384, + "ip": "18.51.100.12" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "port": 46384, + "bytes": 84, + "packets": 1, + "ip": "198.51.100.12" + }, + "rule": { + "name": "policy1" + }, + "source": { + "nat": { + "port": 1, + "ip": "192.0.2.1" + }, + "port": 1, + "bytes": 84, + "packets": 1, + 
"ip": "192.0.2.1" + }, + "juniper": { + "srx": { + "reason": "response received", + "process": "RT_FLOW", + "session_id_32": "41", + "tag": "RT_FLOW_SESSION_CLOSE", + "service_name": "icmp" + } + }, + "network": { + "bytes": 168, + "iana_number": "1", + "packets": 2 + }, + "observer": { + "name": "mrpp-srx550-dut01", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trustZone" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "untrustZone" + } + }, + "@timestamp": "2010-09-30T06:55:07.188Z", + "related": { + "ip": [ + "192.0.2.1", + "198.51.100.12", + "192.0.2.1", + "18.51.100.12" + ] + }, + "client": { + "nat": { + "port": 1 + }, + "port": 1, + "bytes": 84, + "packets": 1, + "ip": "192.0.2.1" + }, + "event": { + "severity": 14, + "original": "reason=\"response received\" source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"", + "kind": "event", + "module": "juniper", + "start": "2010-09-30T06:55:07.188Z", + "type": [ + "end", + "allowed", + "connection" + ], + "duration": 0, + "ingested": "2020-12-03T23:08:18.680465900Z", + "action": "flow_close", + "end": "2010-09-30T06:55:07.188Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 80 + }, + "port": 80, + "bytes": 535, + "packets": 4, + "ip": "8.23.224.110" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + 
"destination": { + "nat": { + "port": 80, + "ip": "8.23.224.110" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 14627, + "organization": { + "name": "Vitalwerks Internet Solutions, LLC" + } + }, + "port": 80, + "bytes": 535, + "ip": "8.23.224.110", + "packets": 4 + }, + "rule": { + "name": "permit_all" + }, + "source": { + "nat": { + "port": 19162, + "ip": "10.3.136.49" + }, + "port": 47776, + "bytes": 337, + "packets": 6, + "ip": "10.3.255.203" + }, + "juniper": { + "srx": { + "src_nat_rule_name": "nat1", + "reason": "TCP FIN", + "application_category": "Web", + "application_characteristics": "Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;", + "process": "RT_FLOW", + "connection_tag": "0", + "service_name": "junos-http", + "application": "HTTP", + "encrypted": "No", + "session_id_32": "5", + "nat_connection_tag": "0", + "tag": "RT_FLOW_SESSION_CLOSE", + "src_nat_rule_type": "source rule" + } + }, + "network": { + "bytes": 872, + "iana_number": "6", + "packets": 10 + }, + "observer": { + "name": "cixi", + "ingress": { + "interface": { + "name": "ge-0/0/0.0" + }, + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "untrust" + } + }, + "@timestamp": "2019-04-12T14:29:06.576Z", + "related": { + "ip": [ + "10.3.255.203", + "8.23.224.110", + "10.3.136.49", + "8.23.224.110" + ] + }, + "client": { + "nat": { + "port": 19162 + }, + "port": 47776, + "bytes": 337, + "packets": 6, + "ip": "10.3.255.203" + }, + "event": { + "severity": 14, + "original": "reason=\"TCP FIN\" source-address=\"10.3.255.203\" source-port=\"47776\" destination-address=\"8.23.224.110\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"10.3.136.49\" nat-source-port=\"19162\" 
nat-destination-address=\"8.23.224.110\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"", + "risk_score": 4.0, + "kind": "event", + "module": "juniper", + "start": "2019-04-12T14:29:06.576Z", + "type": [ + "end", + "allowed", + "connection" + ], + "duration": 1000000000, + "ingested": "2020-12-03T23:08:18.680476200Z", + "action": "flow_close", + "end": "2019-04-12T14:29:07.576Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 445 + }, + "port": 445, + "bytes": 1575, + "packets": 9, + "ip": "172.16.1.19" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 445, + "ip": "172.16.1.19" + }, + "port": 445, + "bytes": 1575, + "packets": 9, + "ip": "172.16.1.19" + }, + "rule": { + "name": "35" + }, + "source": { + "nat": { + "port": 53232, + "ip": "192.168.2.164" + }, + "port": 53232, + "bytes": 4274, + "packets": 13, + "ip": "192.168.2.164" + }, + "juniper": { + "srx": { + "reason": "TCP RST", + "process": "RT_FLOW", + "session_id_32": "206", + "tag": "RT_FLOW_SESSION_CLOSE", + "service_name": "junos-smb" + } + }, + "network": { + "bytes": 5849, + "iana_number": "6", + "packets": 22 + }, + "observer": { 
+ "name": "cixi", + "ingress": { + "interface": { + "name": "ge-0/0/2.0" + }, + "zone": "Trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "Trust" + } + }, + "@timestamp": "2019-04-13T14:33:06.576Z", + "related": { + "ip": [ + "192.168.2.164", + "172.16.1.19", + "192.168.2.164", + "172.16.1.19" + ] + }, + "client": { + "nat": { + "port": 53232 + }, + "port": 53232, + "bytes": 4274, + "packets": 13, + "ip": "192.168.2.164" + }, + "event": { + "severity": 14, + "original": "reason=\"TCP RST\" source-address=\"192.168.2.164\" source-port=\"53232\" destination-address=\"172.16.1.19\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"192.168.2.164\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"", + "kind": "event", + "module": "juniper", + "start": "2019-04-13T14:33:06.576Z", + "type": [ + "end", + "allowed", + "connection" + ], + "duration": 16000000000, + "ingested": "2020-12-03T23:08:18.680486700Z", + "action": "flow_close", + "end": "2019-04-13T14:33:22.576Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 53 + }, + "port": 53, + "bytes": 136, + "packets": 1, + "ip": "58.68.126.198" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 53, + "ip": "58.68.126.198" + }, + "geo": { + "continent_name": "Asia", + "country_name": "India", + "location": { + "lon": 77.0, + "lat": 20.0 + }, + 
"country_iso_code": "IN" + }, + "as": { + "number": 10201, + "organization": { + "name": "Dishnet Wireless Limited. Broadband Wireless" + } + }, + "port": 53, + "bytes": 136, + "ip": "58.68.126.198", + "packets": 1 + }, + "rule": { + "name": "NAT" + }, + "source": { + "nat": { + "port": 11152, + "ip": "58.78.140.131" + }, + "geo": { + "continent_name": "Asia", + "region_iso_code": "KR-49", + "city_name": "Seogwipo", + "country_iso_code": "KR", + "country_name": "South Korea", + "region_name": "Jeju-do", + "location": { + "lon": 126.5628, + "lat": 33.2486 + } + }, + "as": { + "number": 3786, + "organization": { + "name": "LG DACOM Corporation" + } + }, + "port": 52890, + "bytes": 72, + "ip": "100.73.10.92", + "packets": 1 + }, + "juniper": { + "srx": { + "src_nat_rule_name": "NAT_S", + "reason": "idle Timeout", + "process": "RT_FLOW", + "service_name": "junos-dns-udp", + "session_id_32": "220368889", + "tag": "RT_FLOW_SESSION_CLOSE", + "src_nat_rule_type": "source rule" + } + }, + "network": { + "bytes": 208, + "iana_number": "17", + "packets": 2 + }, + "observer": { + "name": "TestFW2", + "ingress": { + "interface": { + "name": "reth0.108" + }, + "zone": "Gi_nat" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "Internet" + } + }, + "@timestamp": "2018-10-07T01:32:20.898Z", + "related": { + "ip": [ + "100.73.10.92", + "58.68.126.198", + "58.78.140.131", + "58.68.126.198" + ] + }, + "client": { + "nat": { + "port": 11152 + }, + "port": 52890, + "bytes": 72, + "packets": 1, + "ip": "100.73.10.92" + }, + "event": { + "severity": 14, + "original": "reason=\"idle Timeout\" source-address=\"100.73.10.92\" source-port=\"52890\" destination-address=\"58.68.126.198\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"58.78.140.131\" nat-source-port=\"11152\" nat-destination-address=\"58.68.126.198\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" 
dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"", + "kind": "event", + "module": "juniper", + "start": "2018-10-07T01:32:20.898Z", + "type": [ + "end", + "allowed", + "connection" + ], + "duration": 8000000000, + "ingested": "2020-12-03T23:08:18.680492400Z", + "action": "flow_close", + "end": "2018-10-07T01:32:28.898Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 53 + }, + "port": 53, + "bytes": 116, + "packets": 1, + "ip": "8.8.8.8" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 53, + "ip": "8.8.8.8" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 53, + "bytes": 116, + "ip": "8.8.8.8", + "packets": 1 + }, + "rule": { + "name": "trust-to-untrust-001" + }, + "source": { + "nat": { + "port": 20215, + "ip": "192.168.0.47" + }, + "port": 62047, + "bytes": 67, + "packets": 1, + "ip": "192.168.255.2" + }, + "juniper": { + "srx": { + "src_nat_rule_name": "rule001", + "reason": "idle Timeout", + "process": "RT_FLOW", + "service_name": "junos-dns-udp", + "session_id_32": "9621", + "tag": "RT_FLOW_SESSION_CLOSE", + "src_nat_rule_type": "source rule" + } + }, + "network": { + "bytes": 183, + "iana_number": "17", + "packets": 2 + }, + "observer": { + "name": "fw0001", + "ingress": { + "interface": { + "name": "fe-0/0/1.0" + 
}, + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "untrust" + } + }, + "@timestamp": "2018-06-30T02:17:22.753Z", + "related": { + "ip": [ + "192.168.255.2", + "8.8.8.8", + "192.168.0.47", + "8.8.8.8" + ] + }, + "client": { + "nat": { + "port": 20215 + }, + "port": 62047, + "bytes": 67, + "packets": 1, + "ip": "192.168.255.2" + }, + "event": { + "severity": 14, + "original": "reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"", + "kind": "event", + "module": "juniper", + "start": "2018-06-30T02:17:22.753Z", + "type": [ + "end", + "allowed", + "connection" + ], + "duration": 3000000000, + "ingested": "2020-12-03T23:08:18.680500400Z", + "action": "flow_close", + "end": "2018-06-30T02:17:25.753Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 21 + }, + "port": 21, + "bytes": 0, + "packets": 0, + "ip": "10.104.12.161" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 21, + "ip": "10.12.70.1" + }, + "port": 21, + "bytes": 0, + "packets": 0, + "ip": "10.104.12.161" + }, + "rule": { + "name": "FW-FTP" + }, + "source": 
{ + "nat": { + "port": 58020, + "ip": "10.9.1.150" + }, + "port": 9057, + "bytes": 0, + "packets": 0, + "ip": "10.164.110.223" + }, + "juniper": { + "srx": { + "src_nat_rule_name": "SNAT-Policy5", + "reason": "application failure or action", + "process": "RT_FLOW", + "dst_nat_rule_name": "NAT-Policy10", + "encrypted": "No ", + "service_name": "junos-ftp", + "session_id_32": "24311", + "tag": "RT_FLOW_SESSION_CLOSE" + } + }, + "network": { + "bytes": 0, + "iana_number": "6", + "packets": 0 + }, + "observer": { + "name": "VPNBox-A", + "ingress": { + "interface": { + "name": "reth0.0" + }, + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "untrust" + } + }, + "@timestamp": "2015-09-25T14:19:53.846Z", + "related": { + "ip": [ + "10.164.110.223", + "10.104.12.161", + "10.9.1.150", + "10.12.70.1" + ] + }, + "client": { + "nat": { + "port": 58020 + }, + "port": 9057, + "bytes": 0, + "packets": 0, + "ip": "10.164.110.223" + }, + "event": { + "severity": 14, + "original": "reason=\"application failure or action\" source-address=\"10.164.110.223\" source-port=\"9057\" destination-address=\"10.104.12.161\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"10.9.1.150\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.0\" encrypted=\"No \"", + "kind": "event", + "module": "juniper", + "start": "2015-09-25T14:19:53.846Z", + "type": [ + "end", + "allowed", + "connection" + ], + "duration": 1000000000, + "ingested": 
"2020-12-03T23:08:18.680508900Z", + "action": "flow_close", + "end": "2015-09-25T14:19:54.846Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 21 + }, + "port": 21, + "ip": "207.17.137.56" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 21, + "ip": "207.17.137.56" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 701, + "organization": { + "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + } + }, + "port": 21, + "ip": "207.17.137.56" + }, + "rule": { + "name": "General-Outbound" + }, + "source": { + "nat": { + "port": 14406, + "ip": "173.167.224.7" + }, + "geo": { + "continent_name": "North America", + "region_iso_code": "US-MI", + "city_name": "Plymouth", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Michigan", + "location": { + "lon": -83.4769, + "lat": 42.3695 + } + }, + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, LLC" + } + }, + "port": 3129, + "ip": "192.168.224.30" + }, + "juniper": { + "srx": { + "src_nat_rule_name": "1", + "process": "RT_FLOW", + "session_id_32": "5058", + "tag": "APPTRACK_SESSION_CREATE", + "service_name": "junos-ftp" + } + }, + "network": { + "iana_number": "6" + }, + "observer": { + "name": "SRX100HM", + "ingress": { + "zone": "LAN" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "Danger" + } + }, + "@timestamp": "2013-01-19T15:18:17.040Z", + "related": { + "ip": [ + "192.168.224.30", + "207.17.137.56", + "173.167.224.7", + "207.17.137.56" + ] + }, + "client": { + "nat": { + "port": 14406 + }, + "port": 3129, + "ip": "192.168.224.30" + }, + "event": { + "severity": 14, + "ingested": 
"2020-12-03T23:08:18.680531200Z", + "original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "kind": "event", + "module": "juniper", + "action": "flow_started", + "category": [ + "network" + ], + "type": [ + "start", + "allowed", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 21 + }, + "port": 21, + "bytes": 0, + "packets": 0, + "ip": "207.17.137.56" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 21, + "ip": "207.17.137.56" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 701, + "organization": { + "name": "MCI Communications Services, Inc. 
d/b/a Verizon Business" + } + }, + "port": 21, + "bytes": 0, + "ip": "207.17.137.56", + "packets": 0 + }, + "rule": { + "name": "General-Outbound" + }, + "source": { + "nat": { + "port": 14406, + "ip": "173.167.224.7" + }, + "geo": { + "continent_name": "North America", + "region_iso_code": "US-MI", + "city_name": "Plymouth", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Michigan", + "location": { + "lon": -83.4769, + "lat": 42.3695 + } + }, + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, LLC" + } + }, + "port": 3129, + "bytes": 48, + "ip": "192.168.224.30", + "packets": 1 + }, + "juniper": { + "srx": { + "src_nat_rule_name": "1", + "process": "RT_FLOW", + "session_id_32": "5058", + "tag": "APPTRACK_SESSION_VOL_UPDATE", + "service_name": "junos-ftp" + } + }, + "network": { + "bytes": 48, + "iana_number": "6", + "packets": 1 + }, + "observer": { + "name": "SRX100HM", + "ingress": { + "zone": "LAN" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "Danger" + } + }, + "@timestamp": "2013-01-19T15:18:17.040Z", + "related": { + "ip": [ + "192.168.224.30", + "207.17.137.56", + "173.167.224.7", + "207.17.137.56" + ] + }, + "client": { + "nat": { + "port": 14406 + }, + "port": 3129, + "bytes": 48, + "packets": 1, + "ip": "192.168.224.30" + }, + "event": { + "severity": 14, + "original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" 
packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "kind": "event", + "module": "juniper", + "start": "2013-01-19T15:18:17.040Z", + "type": [ + "start", + "allowed", + "connection" + ], + "duration": 0, + "ingested": "2020-12-03T23:08:18.680539200Z", + "action": "flow_started", + "end": "2013-01-19T15:18:17.040Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 21 + }, + "port": 21, + "bytes": 104, + "packets": 2, + "ip": "207.17.137.56" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 21, + "ip": "207.17.137.56" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 701, + "organization": { + "name": "MCI Communications Services, Inc. d/b/a Verizon Business" + } + }, + "port": 21, + "bytes": 104, + "ip": "207.17.137.56", + "packets": 2 + }, + "rule": { + "name": "General-Outbound" + }, + "source": { + "nat": { + "port": 14406, + "ip": "173.167.224.7" + }, + "geo": { + "continent_name": "North America", + "region_iso_code": "US-MI", + "city_name": "Plymouth", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Michigan", + "location": { + "lon": -83.4769, + "lat": 42.3695 + } + }, + "as": { + "number": 7922, + "organization": { + "name": "Comcast Cable Communications, LLC" + } + }, + "port": 3129, + "bytes": 144, + "ip": "192.168.224.30", + "packets": 3 + }, + "juniper": { + "srx": { + "src_nat_rule_name": "1", + "reason": "application failure or action", + "process": "RT_FLOW", + "application": "FTP", + "service_name": "junos-ftp", + "session_id_32": "5058", + "tag": "APPTRACK_SESSION_CLOSE" + } + }, + "network": { + "bytes": 248, + "iana_number": "6", + "packets": 5 + }, + "observer": { + 
"name": "SRX100HM", + "ingress": { + "zone": "LAN" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "Danger" + } + }, + "@timestamp": "2013-01-19T15:18:17.040Z", + "related": { + "ip": [ + "192.168.224.30", + "207.17.137.56", + "173.167.224.7", + "207.17.137.56" + ] + }, + "client": { + "nat": { + "port": 14406 + }, + "port": 3129, + "bytes": 144, + "packets": 3, + "ip": "192.168.224.30" + }, + "event": { + "severity": 14, + "original": "reason=\"application failure or action\" source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", + "kind": "event", + "module": "juniper", + "start": "2013-01-19T15:18:17.040Z", + "type": [ + "end", + "allowed", + "connection" + ], + "duration": 1000000000, + "ingested": "2020-12-03T23:08:18.680549200Z", + "action": "flow_close", + "end": "2013-01-19T15:18:18.040Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 80 + }, + "port": 80, + "bytes": 686432, + "packets": 584, + "ip": "5.0.0.1" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 80, + "ip": "5.0.0.1" + }, + "geo": { + "continent_name": "Asia", + "country_name": "Syria", + "location": { + "lon": 38.0, + "lat": 35.0 + }, + "country_iso_code": "SY" + }, + "as": { + "number": 
29256, + "organization": { + "name": "Syrian Telecom" + } + }, + "port": 80, + "bytes": 686432, + "ip": "5.0.0.1", + "packets": 584 + }, + "rule": { + "name": "permit-all" + }, + "source": { + "nat": { + "port": 33040, + "ip": "4.0.0.1" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 3356, + "organization": { + "name": "Level 3 Parent, LLC" + } + }, + "port": 33040, + "bytes": 19592, + "ip": "4.0.0.1", + "user": { + "name": "user1" + }, + "packets": 371 + }, + "juniper": { + "srx": { + "process": "RT_FLOW", + "application": "HTTP", + "encrypted": "No", + "service_name": "junos-http", + "roles": "DEPT1", + "apbr_rule_type": "”default”", + "session_id_32": "28", + "tag": "APPTRACK_SESSION_VOL_UPDATE", + "nested_application": "FACEBOOK-SOCIALRSS" + } + }, + "network": { + "bytes": 706024, + "iana_number": "6", + "packets": 955 + }, + "observer": { + "name": "SRX100HM", + "ingress": { + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "interface": { + "name": "”st0.0”" + }, + "zone": "untrust" + } + }, + "@timestamp": "2013-01-19T15:18:18.040Z", + "related": { + "ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ] + }, + "client": { + "nat": { + "port": 33040 + }, + "port": 33040, + "bytes": 19592, + "packets": 371, + "ip": "4.0.0.1" + }, + "event": { + "severity": 14, + "original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" 
session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”", + "kind": "event", + "module": "juniper", + "start": "2013-01-19T15:18:18.040Z", + "type": [ + "start", + "allowed", + "connection" + ], + "duration": 60000000000, + "ingested": "2020-12-03T23:08:18.680599100Z", + "action": "flow_started", + "end": "2013-01-19T15:19:18.040Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 80 + }, + "port": 80, + "ip": "5.0.0.1" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 80, + "ip": "5.0.0.1" + }, + "geo": { + "continent_name": "Asia", + "country_name": "Syria", + "location": { + "lon": 38.0, + "lat": 35.0 + }, + "country_iso_code": "SY" + }, + "as": { + "number": 29256, + "organization": { + "name": "Syrian Telecom" + } + }, + "port": 80, + "ip": "5.0.0.1" + }, + "rule": { + "name": "permit-all" + }, + "source": { + "nat": { + "port": 33040, + "ip": "4.0.0.1" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 3356, + "organization": { + "name": "Level 3 Parent, LLC" + } + }, + "port": 33040, + "user": { + "name": "user1" + }, + "ip": "4.0.0.1" + }, + "juniper": { + "srx": { + "profile_name": "”pf1”", + "process": "RT_FLOW", + "routing_instance": "”instance1”", + "application": "HTTP", + "encrypted": "No", + "rule_name": "”facebook1”", + "service_name": "junos-http", + "roles": "DEPT1", + "apbr_rule_type": "”default”", + "session_id_32": "28", + "tag": "APPTRACK_SESSION_ROUTE_UPDATE", + "nested_application": "FACEBOOK-SOCIALRSS" + } + }, + "network": { + "iana_number": "6" + }, + 
"observer": { + "name": "SRX100HM", + "ingress": { + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "interface": { + "name": "”st0.0”" + }, + "zone": "untrust" + } + }, + "@timestamp": "2013-01-19T15:18:19.040Z", + "related": { + "ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ] + }, + "client": { + "nat": { + "port": 33040 + }, + "port": 33040, + "ip": "4.0.0.1" + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:18.680609900Z", + "original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”", + "kind": "event", + "module": "juniper", + "action": "flow_started", + "category": [ + "network" + ], + "type": [ + "start", + "allowed", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 80 + }, + "port": 80, + "bytes": 646, + "packets": 3, + "ip": "5.0.0.1" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 80, + "ip": "5.0.0.1" + }, + "geo": { + "continent_name": "Asia", + "country_name": "Syria", + "location": { + "lon": 38.0, + "lat": 35.0 + }, + "country_iso_code": "SY" + }, + "as": { + "number": 29256, + "organization": { + "name": "Syrian Telecom" + } + }, + "port": 80, + "bytes": 646, + "ip": "5.0.0.1", + "packets": 3 + }, + "rule": { + "name": 
"permit-all" + }, + "source": { + "nat": { + "port": 48873, + "ip": "4.0.0.1" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 3356, + "organization": { + "name": "Level 3 Parent, LLC" + } + }, + "port": 48873, + "bytes": 392, + "ip": "4.0.0.1", + "user": { + "name": "user1" + }, + "packets": 5 + }, + "juniper": { + "srx": { + "reason": "TCP CLIENT RST", + "process": "RT_FLOW", + "encrypted": "No", + "service_name": "junos-http", + "roles": "DEPT1", + "apbr_rule_type": "”default”", + "session_id_32": "32", + "tag": "APPTRACK_SESSION_CLOSE" + } + }, + "network": { + "bytes": 1038, + "iana_number": "6", + "packets": 8 + }, + "observer": { + "name": "SRX100HM", + "ingress": { + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "interface": { + "name": "”st0.0”" + }, + "zone": "untrust" + } + }, + "@timestamp": "2013-01-19T15:18:20.040Z", + "related": { + "ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ] + }, + "client": { + "nat": { + "port": 48873 + }, + "port": 48873, + "bytes": 392, + "packets": 5, + "ip": "4.0.0.1" + }, + "event": { + "severity": 14, + "original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" 
destination-interface-name=”st0.0” apbr-rule-type=”default”", + "kind": "event", + "module": "juniper", + "start": "2013-01-19T15:18:20.040Z", + "type": [ + "end", + "allowed", + "connection" + ], + "duration": 3000000000, + "ingested": "2020-12-03T23:08:18.680618800Z", + "action": "flow_close", + "end": "2013-01-19T15:18:23.040Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 768 + }, + "port": 768, + "ip": "30.0.0.100" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 768, + "ip": "30.0.0.100" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "port": 768, + "ip": "30.0.0.100" + }, + "rule": { + "name": "alg-policy" + }, + "source": { + "nat": { + "port": 24065, + "ip": "50.0.0.100" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "port": 24065, + "ip": "50.0.0.100" + }, + "juniper": { + "srx": { + "process": "RT_FLOW", + "session_id_32": "100000165", + "tag": "RT_FLOW_SESSION_CREATE_LS", + "service_name": "icmp" + } + }, + "network": { + "iana_number": "1" + }, + "observer": { + "name": "cixi", + "ingress": { + "interface": { + "name": "reth2.0" + }, + "zone": "untrust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "trust" + } + }, + "@timestamp": "2020-11-04T16:23:09.264Z", + "related": { + "ip": [ + "50.0.0.100", + "30.0.0.100", + "50.0.0.100", + "30.0.0.100" + ] + }, + "client": { + "nat": { + "port": 24065 + }, + "port": 24065, + "ip": "50.0.0.100" + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:18.680627Z", + "original": "source-address=\"50.0.0.100\" source-port=\"24065\" 
destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", + "kind": "event", + "module": "juniper", + "action": "flow_started", + "category": [ + "network" + ], + "type": [ + "start", + "allowed", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 161, + "ip": "10.128.0.1" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "port": 161, + "ip": "10.128.0.1" + }, + "rule": { + "name": "MgmtAccess-trust-cleanup" + }, + "source": { + "port": 37233, + "ip": "10.0.0.26" + }, + "juniper": { + "srx": { + "reason": "Denied by policy", + "icmp_type": "0", + "process": "RT_FLOW", + "connection_tag": "0", + "encrypted": "No", + "session_id_32": "7087", + "tag": "RT_FLOW_SESSION_DENY_LS" + } + }, + "network": { + "iana_number": "17" + }, + "observer": { + "name": "SRX-GW1", + "ingress": { + "interface": { + "name": ".local..0" + }, + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "junos-host" + } + }, + "@timestamp": "2020-11-14T10:12:46.573Z", + "related": { + "ip": [ + "10.0.0.26", + "10.128.0.1" + ] + }, + "client": { + "port": 37233, + "ip": "10.0.0.26" + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:18.680635500Z", + "original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" 
policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", + "risk_score": 1.0, + "kind": "event", + "module": "juniper", + "action": "flow_deny", + "category": [ + "network" + ], + "type": [ + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 80 + }, + "port": 80, + "bytes": 646, + "packets": 3, + "ip": "5.0.0.1" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 80, + "ip": "5.0.0.1" + }, + "geo": { + "continent_name": "Asia", + "country_name": "Syria", + "location": { + "lon": 38.0, + "lat": 35.0 + }, + "country_iso_code": "SY" + }, + "as": { + "number": 29256, + "organization": { + "name": "Syrian Telecom" + } + }, + "port": 80, + "bytes": 646, + "ip": "5.0.0.1", + "packets": 3 + }, + "rule": { + "name": "permit-all" + }, + "source": { + "nat": { + "port": 48873, + "ip": "4.0.0.1" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 3356, + "organization": { + "name": "Level 3 Parent, LLC" + } + }, + "port": 48873, + "bytes": 392, + "ip": "4.0.0.1", + "user": { + "name": "user1" + }, + "packets": 5 + }, + "juniper": { + "srx": { + "reason": "TCP CLIENT RST", + "process": "RT_FLOW", + "encrypted": "No", + "service_name": "junos-http", + "roles": "DEPT1", + "apbr_rule_type": "”default”", + "session_id_32": "32", + "tag": "APPTRACK_SESSION_CLOSE_LS" + } + }, + "network": { + "bytes": 1038, + "iana_number": "6", + "packets": 8 + }, + 
"observer": { + "name": "SRX100HM", + "ingress": { + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "interface": { + "name": "”st0.0”" + }, + "zone": "untrust" + } + }, + "@timestamp": "2020-01-19T15:18:20.040Z", + "related": { + "ip": [ + "4.0.0.1", + "5.0.0.1", + "4.0.0.1", + "5.0.0.1" + ] + }, + "client": { + "nat": { + "port": 48873 + }, + "port": 48873, + "bytes": 392, + "packets": 5, + "ip": "4.0.0.1" + }, + "event": { + "severity": 14, + "original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”", + "kind": "event", + "module": "juniper", + "start": "2020-01-19T15:18:20.040Z", + "type": [ + "end", + "allowed", + "connection" + ], + "duration": 3000000000, + "ingested": "2020-12-03T23:08:18.680642200Z", + "action": "flow_close", + "end": "2020-01-19T15:18:23.040Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 80 + }, + "port": 80, + "bytes": 2132, + "packets": 34, + "ip": "46.165.154.241" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 80, + "ip": "46.165.154.241" + }, + "geo": { + "continent_name": "Europe", + "region_iso_code": "DE-BW", + "city_name": "Philippsburg", + 
"country_iso_code": "DE", + "country_name": "Germany", + "region_name": "Baden-Württemberg", + "location": { + "lon": 8.4607, + "lat": 49.2317 + } + }, + "as": { + "number": 42652, + "organization": { + "name": "inexio Informationstechnologie und Telekommunikation Gmbh" + } + }, + "port": 80, + "bytes": 2132, + "ip": "46.165.154.241", + "packets": 34 + }, + "rule": { + "name": "default-permit" + }, + "source": { + "nat": { + "port": 6018, + "ip": "172.19.34.100" + }, + "port": 58943, + "bytes": 2322, + "packets": 42, + "ip": "10.1.1.100" + }, + "juniper": { + "srx": { + "src_nat_rule_name": "our-nat-rule", + "process": "RT_FLOW", + "session_id_32": "16118", + "tag": "APPTRACK_SESSION_VOL_UPDATE", + "encrypted": "No", + "service_name": "junos-http" + } + }, + "network": { + "bytes": 4454, + "iana_number": "6", + "packets": 76 + }, + "observer": { + "name": "SRX100HM", + "ingress": { + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "interface": { + "name": "ge-0/0/0.0" + }, + "zone": "untrust" + } + }, + "@timestamp": "2020-07-14T14:17:11.928Z", + "related": { + "ip": [ + "10.1.1.100", + "46.165.154.241", + "172.19.34.100", + "46.165.154.241" + ] + }, + "client": { + "nat": { + "port": 6018 + }, + "port": 58943, + "bytes": 2322, + "packets": 42, + "ip": "10.1.1.100" + }, + "event": { + "severity": 14, + "original": "source-address=\"10.1.1.100\" source-port=\"58943\" destination-address=\"46.165.154.241\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"6018\" nat-destination-address=\"46.165.154.241\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" 
bytes-from-server=\"2132\" elapsed-time=\"60\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "kind": "event", + "module": "juniper", + "start": "2020-07-14T14:17:11.928Z", + "type": [ + "start", + "allowed", + "connection" + ], + "duration": 60000000000, + "ingested": "2020-12-03T23:08:18.680650Z", + "action": "flow_started", + "end": "2020-07-14T14:18:11.928Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 8883 + }, + "port": 8883, + "bytes": 9670, + "packets": 96, + "ip": "91.228.167.172" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 8883, + "ip": "91.228.167.172" + }, + "geo": { + "continent_name": "Europe", + "region_iso_code": "SK-BL", + "city_name": "Bratislava", + "country_iso_code": "SK", + "country_name": "Slovakia", + "region_name": "Bratislava", + "location": { + "lon": 17.1078, + "lat": 48.15 + } + }, + "as": { + "number": 50881, + "organization": { + "name": "ESET, spol. s r.o." 
+ } + }, + "port": 8883, + "bytes": 9670, + "ip": "91.228.167.172", + "packets": 96 + }, + "rule": { + "name": "default-permit" + }, + "source": { + "nat": { + "port": 24519, + "ip": "172.19.34.100" + }, + "port": 64720, + "bytes": 9530, + "packets": 161, + "ip": "10.1.1.100" + }, + "juniper": { + "srx": { + "src_nat_rule_name": "our-nat-rule", + "reason": "idle Timeout", + "process": "RT_FLOW", + "connection_tag": "0", + "peer_source_address": "0.0.0.0", + "peer_destination_address": "0.0.0.0", + "hostname": "NA NA", + "peer_source_port": "0", + "peer_session_id": "0", + "peer_destination_port": "0", + "secure_web_proxy_session_type": "NA", + "session_id_32": "3851", + "nat_connection_tag": "0", + "tag": "RT_FLOW_SESSION_CLOSE", + "src_nat_rule_type": "source rule" + } + }, + "network": { + "bytes": 19200, + "iana_number": "6", + "packets": 257 + }, + "observer": { + "name": "SRX100HM", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "untrust" + } + }, + "@timestamp": "2020-07-13T16:43:05.041Z", + "related": { + "ip": [ + "10.1.1.100", + "91.228.167.172", + "172.19.34.100", + "91.228.167.172" + ] + }, + "client": { + "nat": { + "port": 24519 + }, + "port": 64720, + "bytes": 9530, + "packets": 161, + "ip": "10.1.1.100" + }, + "event": { + "severity": 14, + "original": "reason=\"idle Timeout\" source-address=\"10.1.1.100\" source-port=\"64720\" destination-address=\"91.228.167.172\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"172.19.34.100\" nat-source-port=\"24519\" nat-destination-address=\"91.228.167.172\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" 
session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "risk_score": 1.0, + "kind": "event", + "module": "juniper", + "start": "2020-07-13T16:43:05.041Z", + "type": [ + "end", + "allowed", + "connection" + ], + "duration": 23755000000000, + "ingested": "2020-12-03T23:08:18.680660200Z", + "action": "flow_close", + "end": "2020-07-13T23:19:00.041Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 53 + }, + "port": 53, + "ip": "8.8.8.8" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 53, + "ip": "8.8.8.8" + }, + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 53, + "ip": "8.8.8.8" + }, + "rule": { + "name": "default-permit" + }, + "source": { + "nat": { + "port": 30838, + "ip": "172.19.34.100" + }, + "port": 49583, + "ip": "10.1.1.100" + }, + "juniper": { + "srx": { + "src_nat_rule_name": "our-nat-rule", + "process": "RT_FLOW", + "connection_tag": "0", + "service_name": "junos-dns-udp", + "session_id_32": "15399", + "nat_connection_tag": "0", + "tag": "RT_FLOW_SESSION_CREATE", + "src_nat_rule_type": "source rule" + } + }, + 
"network": { + "iana_number": "17" + }, + "observer": { + "name": "SRX100HM", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "untrust" + } + }, + "@timestamp": "2020-07-13T16:12:05.530Z", + "related": { + "ip": [ + "10.1.1.100", + "8.8.8.8", + "172.19.34.100", + "8.8.8.8" + ] + }, + "client": { + "nat": { + "port": 30838 + }, + "port": 49583, + "ip": "10.1.1.100" + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:18.680670200Z", + "original": "source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"8.8.8.8\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "risk_score": 1.0, + "kind": "event", + "module": "juniper", + "action": "flow_started", + "category": [ + "network" + ], + "type": [ + "start", + "allowed", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 53 + }, + "port": 53, + "bytes": 82, + "packets": 1, + "ip": "8.8.8.8" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "nat": { + "port": 53, + "ip": "8.8.8.8" + }, + "geo": { + "continent_name": "North America", 
+ "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 53, + "bytes": 82, + "ip": "8.8.8.8", + "packets": 1 + }, + "rule": { + "name": "default-permit" + }, + "source": { + "nat": { + "port": 26764, + "ip": "172.19.34.100" + }, + "port": 63381, + "bytes": 66, + "packets": 1, + "ip": "10.1.1.100" + }, + "juniper": { + "srx": { + "src_nat_rule_name": "our-nat-rule", + "reason": "Closed by junos-alg", + "process": "RT_FLOW", + "routing_instance": "default", + "encrypted": "No", + "service_name": "junos-dns-udp", + "uplink_tx_bytes": "0", + "uplink_rx_bytes": "0", + "session_id_32": "15361", + "tag": "APPTRACK_SESSION_CLOSE" + } + }, + "network": { + "bytes": 148, + "iana_number": "17", + "packets": 2 + }, + "observer": { + "name": "SRX100HM", + "ingress": { + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "interface": { + "name": "ge-0/0/0.0" + }, + "zone": "untrust" + } + }, + "@timestamp": "2020-07-13T16:12:05.530Z", + "related": { + "ip": [ + "10.1.1.100", + "8.8.8.8", + "172.19.34.100", + "8.8.8.8" + ] + }, + "client": { + "nat": { + "port": 26764 + }, + "port": 63381, + "bytes": 66, + "packets": 1, + "ip": "10.1.1.100" + }, + "event": { + "severity": 14, + "original": "reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" 
bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "kind": "event", + "module": "juniper", + "start": "2020-07-13T16:12:05.530Z", + "type": [ + "end", + "allowed", + "connection" + ], + "duration": 3000000000, + "ingested": "2020-12-03T23:08:18.680680200Z", + "action": "flow_close", + "end": "2020-07-13T16:12:08.530Z", + "category": [ + "network" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + } + ] +}
\ No newline at end of file
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log
new file mode 100644
index 000000000000..c05d9732fb5d
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log
@@ -0,0 +1,7 @@
+<165>1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="187.188.188.10" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="HTTP:MISC:GENERIC-DIR-TRAVERSAL" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="3.3.10.11" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"]
+<165>1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time="1583190783" message-type="SIG" source-address="10.11.11.1" source-port="12345" destination-address="187.188.188.10" destination-port="123" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="3" rulebase-name="IPS" policy-name="Recommended" export-id="20175" repeat-count="0" action="DROP" threat-severity="CRITICAL" attack-name="TCP:C2S:AMBIG:C2S-SYN-DATA" nat-source-address="0.0.0.0" nat-source-port="13312" nat-destination-address="3.3.10.11" nat-destination-port="9757" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="UNTRUST" source-interface-name="reth1.24" destination-zone-name="DMZ" destination-interface-name="reth2.21" packet-log-id="0" alert="no" username="unknown-user" roles="N/A" index="cnm" type="idp" message="-"]
+<165>1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" 
message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.111.1" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.19.13.11" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"]
+<165>1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.30.11" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.16.1.10" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.11" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.1" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"]
+<165>1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319367986" ddos-application-name="Webserver" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" 
destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" rulebase-name="DDOS" policy-name="A DoS-Webserver" repeat-count="0" message="Connection rate exceeded limit 60" context-value="N/A"]
+<165>1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time="1319419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth1.O" source-address="192.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.0" destination-address="172.27.14.203" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"]
+<165>1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time="1419419711" ddos-application-name="Webserver" source-zone-name="trust" source-interface-name="reth3.0" source-address="193.168.14.214" source-port="50825" destination-zone-name="untrust" destination-interface-name="reth0.1" destination-address="172.30.20.201" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" ruleebase-name="DDOS02" policy-name="AppDoS-Webserver" repeat-count="0" action="NONE" threat-severity="INFO" connection-hit-rate="30" context-name="http-get-url" context-hit-rate="123" context-value-hit-rate="0" time-scope="PEER" time-count="3" time-period="60" context-value="N/A"]
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-config.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-config.json
new file mode 100644
index 000000000000..f71947c2f042
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-config.json
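Review bot: The two IDP_APPDDOS_APP_ATTACK_EVENT samples on the last two lines of this hunk spell the rulebase key `ruleebase-name="DDOS"` / `ruleebase-name="DDOS02"` (double e) while every other entry uses `rulebase-name`, and the companion expected output shows the pipeline consequently emitting `juniper.srx.ruleebase_name` for those events instead of populating `rule.name` as it does for the STATE event. If the spelling is a transcription error the fixture lines should read `rulebase-name=`; if real devices emit this key, the pipeline should normalize both spellings so detections keyed on `rule.name` do not miss application-DDoS events. The same ATTACK_EVENT line also carries `source-interface-name="reth1.O"` (letter O rather than zero), and the third entry pairs a 2007 header timestamp with `epoch-time="1507845354"` (October 2017), which looks like a copy error worth confirming since `@timestamp` is taken from the header.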
@@ -0,0 +1,5 @@
+{
+ "dynamic_fields": {
+ "event.ingested": ".*"
+ }
+}
\ No newline at end of file
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json
new file mode 100644
index 000000000000..28a296cd6bcc
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json
@@ -0,0 +1,742 @@ +{ + "expected": [ + { + "server": { + "nat": { + "port": 9757 + }, + "port": 123, + "bytes": 0, + "packets": 0, + "ip": "187.188.188.10" + }, + "_temp_": {}, + "log": { + "level": "notification" + }, + "destination": { + "nat": { + "port": 9757, + "ip": "3.3.10.11" + }, + "port": 123, + "bytes": 0, + "packets": 0, + "ip": "187.188.188.10" + }, + "rule": { + "name": "IPS", + "id": "3" + }, + "source": { + "nat": { + "port": 13312, + "ip": "0.0.0.0" + }, + "port": 12345, + "user": { + "name": "unknown-user" + }, + "bytes": 0, + "packets": 0, + "ip": "10.11.11.1" + }, + "juniper": { + "srx": { + "process": "RT_IDP", + "threat_severity": "HIGH", + "service_name": "SERVICE_IDP", + "policy_name": "Recommended", + "index": "cnm", + "message_type": "SIG", + "repeat_count": "0", + "export_id": "20175", + "type": "idp", + "attack_name": "HTTP:MISC:GENERIC-DIR-TRAVERSAL", + "application_name": "HTTP", + "alert": "no", + "packet_log_id": "0", + "action": "DROP", + "tag": "IDP_ATTACK_LOG_EVENT", + "epoch_time": "1583190783" + } + }, + "network": { + "protocol": "TCP" + }, + "observer": { + "name": "idp1", + "ingress": { + "interface": { + "name": "reth1.24" + }, + "zone": "UNTRUST" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "interface": { + "name": "reth2.21" + }, + "zone": "DMZ" + } + }, + "@timestamp": "2020-03-02T23:13:03.193Z", + "related": { + "ip": [ + "10.11.11.1", + "187.188.188.10", + "0.0.0.0", + "3.3.10.11" + ] + }, + "client": { + "nat": { + "port": 13312 + }, + "port": 12345, + "bytes": 0, + "packets": 0, + "ip": "10.11.11.1" + }, + "event": { + "severity": 165, + "original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" 
repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"", + "kind": "alert", + "module": "juniper", + "start": "2020-03-02T23:13:03.193Z", + "type": [ + "info", + "denied", + "connection" + ], + "duration": 0, + "ingested": "2020-12-03T23:08:26.174041200Z", + "action": "security_threat", + "end": "2020-03-02T23:13:03.193Z", + "category": [ + "network", + "intrusion_detection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 9757 + }, + "port": 123, + "bytes": 0, + "packets": 0, + "ip": "187.188.188.10" + }, + "_temp_": {}, + "log": { + "level": "notification" + }, + "destination": { + "nat": { + "port": 9757, + "ip": "3.3.10.11" + }, + "port": 123, + "bytes": 0, + "packets": 0, + "ip": "187.188.188.10" + }, + "rule": { + "name": "IPS", + "id": "3" + }, + "source": { + "nat": { + "port": 13312, + "ip": "0.0.0.0" + }, + "port": 12345, + "user": { + "name": "unknown-user" + }, + "bytes": 0, + "packets": 0, + "ip": "10.11.11.1" + }, + "juniper": { + "srx": { + "process": "RT_IDP", + "threat_severity": "CRITICAL", + "service_name": "SERVICE_IDP", + "policy_name": "Recommended", + "index": "cnm", + "message_type": "SIG", + "repeat_count": "0", + "export_id": "20175", + "type": "idp", + "attack_name": "TCP:C2S:AMBIG:C2S-SYN-DATA", + "application_name": "HTTP", + "alert": "no", + "packet_log_id": "0", + "action": "DROP", + "tag": "IDP_ATTACK_LOG_EVENT", + "epoch_time": "1583190783" + } + }, + 
"network": { + "protocol": "TCP" + }, + "observer": { + "name": "idp1", + "ingress": { + "interface": { + "name": "reth1.24" + }, + "zone": "UNTRUST" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "interface": { + "name": "reth2.21" + }, + "zone": "DMZ" + } + }, + "@timestamp": "2020-03-02T23:13:03.197Z", + "related": { + "ip": [ + "10.11.11.1", + "187.188.188.10", + "0.0.0.0", + "3.3.10.11" + ] + }, + "client": { + "nat": { + "port": 13312 + }, + "port": 12345, + "bytes": 0, + "packets": 0, + "ip": "10.11.11.1" + }, + "event": { + "severity": 165, + "original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"", + "kind": "alert", + "module": "juniper", + "start": "2020-03-02T23:13:03.197Z", + "type": [ + "info", + "denied", + "connection" + ], + "duration": 0, + "ingested": "2020-12-03T23:08:26.174080100Z", + "action": "security_threat", + "end": "2020-03-02T23:13:03.197Z", + "category": [ + "network", + "intrusion_detection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 0 + }, + "port": 80, + "bytes": 0, + "packets": 0, + 
"ip": "118.127.111.1" + }, + "_temp_": {}, + "log": { + "level": "notification" + }, + "destination": { + "nat": { + "port": 0, + "ip": "172.19.13.11" + }, + "port": 80, + "bytes": 0, + "packets": 0, + "ip": "118.127.111.1" + }, + "rule": { + "name": "IPS", + "id": "9" + }, + "source": { + "nat": { + "port": 0, + "ip": "0.0.0.0" + }, + "port": 45610, + "bytes": 0, + "packets": 0, + "ip": "183.78.180.27" + }, + "juniper": { + "srx": { + "process": "RT_IDP", + "threat_severity": "HIGH", + "service_name": "SERVICE_IDP", + "policy_name": "Recommended", + "message_type": "SIG", + "repeat_count": "0", + "export_id": "15229", + "attack_name": "TROJAN:ZMEU-BOT-SCAN", + "application_name": "HTTP", + "alert": "no", + "packet_log_id": "0", + "action": "DROP", + "tag": "IDP_ATTACK_LOG_EVENT", + "epoch_time": "1507845354" + } + }, + "network": { + "protocol": "TCP" + }, + "observer": { + "name": "idp1", + "ingress": { + "interface": { + "name": "reth0.11" + }, + "zone": "sec-zone-name-internet" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "interface": { + "name": "reth1.1" + }, + "zone": "dst-sec-zone1-outside" + } + }, + "@timestamp": "2007-02-15T09:17:15.719Z", + "related": { + "ip": [ + "183.78.180.27", + "118.127.111.1", + "0.0.0.0", + "172.19.13.11" + ] + }, + "client": { + "nat": { + "port": 0 + }, + "port": 45610, + "bytes": 0, + "packets": 0, + "ip": "183.78.180.27" + }, + "event": { + "severity": 165, + "original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.111.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.19.13.11\" 
nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"", + "kind": "alert", + "module": "juniper", + "start": "2007-02-15T09:17:15.719Z", + "type": [ + "info", + "denied", + "connection" + ], + "duration": 0, + "ingested": "2020-12-03T23:08:26.174089600Z", + "action": "security_threat", + "end": "2007-02-15T09:17:15.719Z", + "category": [ + "network", + "intrusion_detection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "nat": { + "port": 0 + }, + "port": 80, + "bytes": 0, + "packets": 0, + "ip": "118.127.30.11" + }, + "_temp_": {}, + "log": { + "level": "notification" + }, + "destination": { + "nat": { + "port": 0, + "ip": "172.16.1.10" + }, + "port": 80, + "bytes": 0, + "packets": 0, + "ip": "118.127.30.11" + }, + "rule": { + "name": "IPS", + "id": "9" + }, + "source": { + "nat": { + "port": 0, + "ip": "0.0.0.0" + }, + "port": 45610, + "bytes": 0, + "packets": 0, + "ip": "183.78.180.27" + }, + "juniper": { + "srx": { + "process": "RT_IDP", + "threat_severity": "HIGH", + "service_name": "SERVICE_IDP", + "policy_name": "Recommended", + "message_type": "SIG", + "repeat_count": "0", + "export_id": "15229", + "attack_name": "TROJAN:ZMEU-BOT-SCAN", + "application_name": "HTTP", + "alert": "no", + "packet_log_id": "0", + "action": "DROP", + "tag": "IDP_ATTACK_LOG_EVENT", + "epoch_time": "1507845354" + } + }, + "network": { + "protocol": "TCP" + }, + "observer": { + "name": "idp1", + "ingress": { + "interface": { + "name": "reth0.11" + }, + "zone": "sec-zone-name-internet" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "interface": { + "name": "reth1.1" + }, + "zone": 
"dst-sec-zone1-outside" + } + }, + "@timestamp": "2017-10-12T21:55:55.792Z", + "related": { + "ip": [ + "183.78.180.27", + "118.127.30.11", + "0.0.0.0", + "172.16.1.10" + ] + }, + "client": { + "nat": { + "port": 0 + }, + "port": 45610, + "bytes": 0, + "packets": 0, + "ip": "183.78.180.27" + }, + "event": { + "severity": 165, + "original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.30.11\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"", + "kind": "alert", + "module": "juniper", + "start": "2017-10-12T21:55:55.792Z", + "type": [ + "info", + "denied", + "connection" + ], + "duration": 0, + "ingested": "2020-12-03T23:08:26.174130800Z", + "action": "security_threat", + "end": "2017-10-12T21:55:55.792Z", + "category": [ + "network", + "intrusion_detection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "ip": "172.27.14.203" + }, + "_temp_": {}, + "log": { + "level": "notification" + }, + "destination": { + "port": 80, + "ip": "172.27.14.203" + }, + "rule": { + "name": "DDOS", + "id": "1" + }, + "juniper": { + "srx": { + "process": "RT_IDP", + "service_name": "HTTP", + "ddos_application_name": "Webserver", + "policy_name": "A 
DoS-Webserver", + "repeat_count": "0", + "tag": "IDP_APPDDOS_APP_STATE_EVENT", + "epoch_time": "1319367986" + } + }, + "message": "Connection rate exceeded limit 60", + "network": { + "protocol": "TCP" + }, + "observer": { + "name": "SRX34001", + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "interface": { + "name": "reth0.0" + }, + "zone": "untrust" + } + }, + "@timestamp": "2011-10-23T02:06:26.544Z", + "related": { + "ip": [ + "172.27.14.203" + ] + }, + "event": { + "severity": 165, + "ingested": "2020-12-03T23:08:26.174135900Z", + "original": "epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"", + "kind": "alert", + "module": "juniper", + "action": "application_ddos", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "ip": "172.27.14.203" + }, + "_temp_": {}, + "log": { + "level": "notification" + }, + "destination": { + "port": 80, + "ip": "172.27.14.203" + }, + "rule": { + "id": "1" + }, + "source": { + "port": 50825, + "ip": "192.168.14.214" + }, + "juniper": { + "srx": { + "process": "RT_IDP", + "connection_hit_rate": "30", + "threat_severity": "INFO", + "context_hit_rate": "123", + "service_name": "HTTP", + "ddos_application_name": "Webserver", + "policy_name": "AppDoS-Webserver", + "repeat_count": "0", + "context_name": "http-get-url", + "time_count": "3", + "time_scope": "PEER", + "ruleebase_name": "DDOS", + "context_value_hit_rate": "0", + "action": "NONE", + "tag": "IDP_APPDDOS_APP_ATTACK_EVENT", + "epoch_time": "1319419711", 
+ "time_period": "60" + } + }, + "network": { + "protocol": "TCP" + }, + "observer": { + "name": "SRX34001", + "ingress": { + "interface": { + "name": "reth1.O" + }, + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "interface": { + "name": "reth0.0" + }, + "zone": "untrust" + } + }, + "@timestamp": "2011-10-23T16:28:31.696Z", + "related": { + "ip": [ + "192.168.14.214", + "172.27.14.203" + ] + }, + "client": { + "port": 50825, + "ip": "192.168.14.214" + }, + "event": { + "severity": 165, + "ingested": "2020-12-03T23:08:26.174143300Z", + "original": "epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", + "kind": "alert", + "module": "juniper", + "action": "application_ddos", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "ip": "172.30.20.201" + }, + "_temp_": {}, + "log": { + "level": "notification" + }, + "destination": { + "port": 80, + "ip": "172.30.20.201" + }, + "rule": { + "id": "1" + }, + "source": { + "port": 50825, + "ip": "193.168.14.214" + }, + "juniper": { + "srx": { + "process": "RT_IDP", + "connection_hit_rate": "30", + "threat_severity": "INFO", + "context_hit_rate": "123", + "service_name": "HTTP", + 
"ddos_application_name": "Webserver", + "policy_name": "AppDoS-Webserver", + "repeat_count": "0", + "context_name": "http-get-url", + "time_count": "3", + "time_scope": "PEER", + "ruleebase_name": "DDOS02", + "context_value_hit_rate": "0", + "action": "NONE", + "tag": "IDP_APPDDOS_APP_ATTACK_EVENT_LS", + "epoch_time": "1419419711", + "time_period": "60" + } + }, + "network": { + "protocol": "TCP" + }, + "observer": { + "name": "SRX34001", + "ingress": { + "interface": { + "name": "reth3.0" + }, + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "interface": { + "name": "reth0.1" + }, + "zone": "untrust" + } + }, + "@timestamp": "2012-10-23T17:28:31.696Z", + "related": { + "ip": [ + "193.168.14.214", + "172.30.20.201" + ] + }, + "client": { + "port": 50825, + "ip": "193.168.14.214" + }, + "event": { + "severity": 165, + "ingested": "2020-12-03T23:08:26.174152600Z", + "original": "epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", + "kind": "alert", + "module": "juniper", + "action": "application_ddos", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + } + ] +} \ No newline at end of file 
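Review bot: Every expected document in this file retains an empty `"_temp_": {}` object, so the fixture pins a pipeline behaviour in which the scratch object survives into the indexed document; the cleanup of `_temp_` in the pipeline (outside this hunk) presumably does not fire when the object is empty, and the expectations should be regenerated once that is addressed rather than locking the leak in. `event.severity` is likewise recorded as `165`, which is the full syslog PRI of the `<165>` header (facility 20 × 8 + severity 5, i.e. local4.notice) while `log.level` is already `notification`; if `event.severity` is meant to carry the syslog severity it should be `5` here, and the `<11>` → `11` pairing in the test-ids fixture later in this commit has the same shape.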
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log
new file mode 100644
index 000000000000..5b87817da868
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log
@@ -0,0 +1,12 @@
+<11>1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.137 attack-name="TCP sweep!" source-address="113.113.17.17" source-port="6000" destination-address="40.177.177.1" destination-port="1433" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
+<11>1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.36 attack-name="WinNuke attack!" source-address="2000:0000:0000:0000:0000:0000:0000:0002" source-port="3240" destination-address="2001:0000:0000:0000:0000:0000:0000:0002" destination-port="139" source-zone-name="untrust" interface-name="fe-0/0/2.0" action="drop"]
+<11>1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" source-address="1.1.1.2" source-port="40001" destination-address="2.2.2.2" destination-port="50010" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@2636.1.1.1.2.40 attack-name="UDP flood!" source-address="111.1.1.3" source-port="40001" destination-address="3.4.2.2" destination-port="53" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@2636.1.1.1.2.40 attack-name="ICMP fragment!" source-address="111.1.1.3" destination-address="3.4.2.2" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Record Route IP option!" source-address="111.1.1.3" destination-address="3.4.2.2" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Tunnel GRE 6in6!" 
source-address="1212::12" destination-address="1111::11" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name="Tunnel GRE 4in4!" source-address="12.12.12.1" destination-address="11.11.11.1" protocol-id="1" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" destination-address="2.2.2.2" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
+<11>1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@2636.1.1.1.2.40 attack-name="SYN flood!" source-address="111.1.1.3" source-zone-name="trustZone" interface-name="ge-0/0/1.0" action="alarm-without-drop"]
+<11>1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="TCP port scan!" source-address="10.1.1.100" source-port="50630" destination-address="10.1.1.1" destination-port="10778" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
+<11>1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name="FIN but no ACK bit!" source-address="10.1.1.100" source-port="42799" destination-address="10.1.1.1" destination-port="7" source-zone-name="trust" interface-name="ge-0/0/1.0" action="drop"]
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-config.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-config.json
new file mode 100644
index 000000000000..f71947c2f042
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-config.json
@@ -0,0 +1,5 @@
+{
+ "dynamic_fields": {
+ "event.ingested": ".*"
+ }
+}
\ No newline at end of file
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json
new file mode 100644
index 000000000000..7cec736d7a9d
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json
@@ -0,0 +1,999 @@ +{ + "expected": [ + { + "server": { + "port": 1433, + "ip": "40.177.177.1" + }, + "_temp_": {}, + "log": { + "level": "error" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 4249, + "organization": { + "name": "Eli Lilly and Company" + } + }, + "port": 1433, + "ip": "40.177.177.1" + }, + "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-GD", + "country_name": "China", + "region_name": "Guangdong", + "location": { + "lon": 113.25, + "lat": 23.1167 + }, + "country_iso_code": "CN" + }, + "as": { + "number": 4134, + "organization": { + "name": "No.31,Jin-rong Street" + } + }, + "port": 6000, + "ip": "113.113.17.17" + }, + "juniper": { + "srx": { + "action": "drop", + "attack_name": "TCP sweep!", + "process": "RT_IDS", + "tag": "RT_SCREEN_TCP" + } + }, + "observer": { + "name": "rtr199", + "ingress": { + "interface": { + "name": "fe-0/0/2.0" + }, + "zone": "untrust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2018-07-19T23:17:02.309Z", + "related": { + "ip": [ + "113.113.17.17", + "40.177.177.1" + ] + }, + "client": { + "port": 6000, + "ip": "113.113.17.17" + }, + "event": { + "severity": 11, + "ingested": "2020-12-03T23:08:28.278036Z", + "original": "attack-name=\"TCP sweep!\" source-address=\"113.113.17.17\" source-port=\"6000\" destination-address=\"40.177.177.1\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"", + "kind": "alert", + "module": "juniper", + "action": "sweep_detected", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 139, + "ip": "2001:0000:0000:0000:0000:0000:0000:0002" + }, + "_temp_": {}, + 
"log": { + "level": "error" + }, + "destination": { + "port": 139, + "ip": "2001:0000:0000:0000:0000:0000:0000:0002" + }, + "source": { + "port": 3240, + "ip": "2000:0000:0000:0000:0000:0000:0000:0002" + }, + "juniper": { + "srx": { + "action": "drop", + "attack_name": "WinNuke attack!", + "process": "RT_IDS", + "tag": "RT_SCREEN_TCP" + } + }, + "observer": { + "name": "rtr199", + "ingress": { + "interface": { + "name": "fe-0/0/2.0" + }, + "zone": "untrust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2018-07-19T23:18:02.309Z", + "related": { + "ip": [ + "2000:0000:0000:0000:0000:0000:0000:0002", + "2001:0000:0000:0000:0000:0000:0000:0002" + ] + }, + "client": { + "port": 3240, + "ip": "2000:0000:0000:0000:0000:0000:0000:0002" + }, + "event": { + "severity": 11, + "ingested": "2020-12-03T23:08:28.278045900Z", + "original": "attack-name=\"WinNuke attack!\" source-address=\"2000:0000:0000:0000:0000:0000:0000:0002\" source-port=\"3240\" destination-address=\"2001:0000:0000:0000:0000:0000:0000:0002\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"", + "kind": "alert", + "module": "juniper", + "action": "attack_detected", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 50010, + "ip": "2.2.2.2" + }, + "_temp_": {}, + "log": { + "level": "error" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "country_name": "France", + "location": { + "lon": 2.3387, + "lat": 48.8582 + }, + "country_iso_code": "FR" + }, + "as": { + "number": 3215, + "organization": { + "name": "Orange" + } + }, + "port": 50010, + "ip": "2.2.2.2" + }, + "source": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + 
"number": 13335, + "organization": { + "name": "Cloudflare, Inc." + } + }, + "port": 40001, + "ip": "1.1.1.2" + }, + "juniper": { + "srx": { + "action": "drop", + "attack_name": "SYN flood!", + "process": "RT_IDS", + "tag": "RT_SCREEN_TCP" + } + }, + "observer": { + "name": "rtr199", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trustZone" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2018-07-19T23:19:02.309Z", + "related": { + "ip": [ + "1.1.1.2", + "2.2.2.2" + ] + }, + "client": { + "port": 40001, + "ip": "1.1.1.2" + }, + "event": { + "severity": 11, + "ingested": "2020-12-03T23:08:28.278052400Z", + "original": "attack-name=\"SYN flood!\" source-address=\"1.1.1.2\" source-port=\"40001\" destination-address=\"2.2.2.2\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "kind": "alert", + "module": "juniper", + "action": "flood_detected", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 53, + "ip": "3.4.2.2" + }, + "_temp_": {}, + "log": { + "level": "error" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-WA", + "city_name": "Seattle", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Washington", + "location": { + "lon": -122.3451, + "lat": 47.6348 + } + }, + "port": 53, + "ip": "3.4.2.2" + }, + "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-ZJ", + "city_name": "Wenzhou", + "country_iso_code": "CN", + "country_name": "China", + "region_name": "Zhejiang", + "location": { + "lon": 120.6666, + "lat": 27.9983 + } + }, + "as": { + "number": 56041, + "organization": { + "name": "China Mobile communications corporation" + } + }, + "port": 40001, + "ip": "111.1.1.3" + }, + "juniper": { + 
"srx": { + "action": "drop", + "attack_name": "UDP flood!", + "process": "RT_IDS", + "tag": "RT_SCREEN_UDP" + } + }, + "observer": { + "name": "rtr199", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trustZone" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2018-07-19T23:22:02.309Z", + "related": { + "ip": [ + "111.1.1.3", + "3.4.2.2" + ] + }, + "client": { + "port": 40001, + "ip": "111.1.1.3" + }, + "event": { + "severity": 11, + "ingested": "2020-12-03T23:08:28.278059800Z", + "original": "attack-name=\"UDP flood!\" source-address=\"111.1.1.3\" source-port=\"40001\" destination-address=\"3.4.2.2\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "kind": "alert", + "module": "juniper", + "action": "flood_detected", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "ip": "3.4.2.2" + }, + "_temp_": {}, + "log": { + "level": "error" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-WA", + "city_name": "Seattle", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Washington", + "location": { + "lon": -122.3451, + "lat": 47.6348 + } + }, + "ip": "3.4.2.2" + }, + "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-ZJ", + "city_name": "Wenzhou", + "country_iso_code": "CN", + "country_name": "China", + "region_name": "Zhejiang", + "location": { + "lon": 120.6666, + "lat": 27.9983 + } + }, + "as": { + "number": 56041, + "organization": { + "name": "China Mobile communications corporation" + } + }, + "ip": "111.1.1.3" + }, + "juniper": { + "srx": { + "action": "drop", + "attack_name": "ICMP fragment!", + "process": "RT_IDS", + "tag": "RT_SCREEN_ICMP" + } + }, + "observer": { + "name": "rtr199", + "ingress": { + 
"interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trustZone" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2018-07-19T23:25:02.309Z", + "related": { + "ip": [ + "111.1.1.3", + "3.4.2.2" + ] + }, + "client": { + "ip": "111.1.1.3" + }, + "event": { + "severity": 11, + "ingested": "2020-12-03T23:08:28.278069Z", + "original": "attack-name=\"ICMP fragment!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "kind": "alert", + "module": "juniper", + "action": "fragment_detected", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "ip": "3.4.2.2" + }, + "_temp_": {}, + "log": { + "level": "error" + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-WA", + "city_name": "Seattle", + "country_iso_code": "US", + "country_name": "United States", + "region_name": "Washington", + "location": { + "lon": -122.3451, + "lat": 47.6348 + } + }, + "ip": "3.4.2.2" + }, + "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-ZJ", + "city_name": "Wenzhou", + "country_iso_code": "CN", + "country_name": "China", + "region_name": "Zhejiang", + "location": { + "lon": 120.6666, + "lat": 27.9983 + } + }, + "as": { + "number": 56041, + "organization": { + "name": "China Mobile communications corporation" + } + }, + "ip": "111.1.1.3" + }, + "juniper": { + "srx": { + "action": "drop", + "attack_name": "Record Route IP option!", + "process": "RT_IDS", + "tag": "RT_SCREEN_IP" + } + }, + "network": { + "iana_number": "1" + }, + "observer": { + "name": "rtr199", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trustZone" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2018-07-19T23:26:02.309Z", + 
"related": { + "ip": [ + "111.1.1.3", + "3.4.2.2" + ] + }, + "client": { + "ip": "111.1.1.3" + }, + "event": { + "severity": 11, + "ingested": "2020-12-03T23:08:28.278209100Z", + "original": "attack-name=\"Record Route IP option!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "kind": "alert", + "module": "juniper", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "ip": "1111::11" + }, + "_temp_": {}, + "log": { + "level": "error" + }, + "destination": { + "ip": "1111::11" + }, + "source": { + "ip": "1212::12" + }, + "juniper": { + "srx": { + "action": "drop", + "attack_name": "Tunnel GRE 6in6!", + "process": "RT_IDS", + "tag": "RT_SCREEN_IP" + } + }, + "network": { + "iana_number": "1" + }, + "observer": { + "name": "rtr199", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trustZone" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2018-07-19T23:27:02.309Z", + "related": { + "ip": [ + "1212::12", + "1111::11" + ] + }, + "client": { + "ip": "1212::12" + }, + "event": { + "severity": 11, + "ingested": "2020-12-03T23:08:28.278220300Z", + "original": "attack-name=\"Tunnel GRE 6in6!\" source-address=\"1212::12\" destination-address=\"1111::11\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "kind": "alert", + "module": "juniper", + "action": "tunneling_screen", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "ip": "11.11.11.1" + }, + "_temp_": {}, + "log": { + "level": "error" + }, + "destination": { + "geo": { + "continent_name": "North America", + 
"country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "ip": "11.11.11.1" + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 32328, + "organization": { + "name": "Alascom, Inc." + } + }, + "ip": "12.12.12.1" + }, + "juniper": { + "srx": { + "action": "drop", + "attack_name": "Tunnel GRE 4in4!", + "process": "RT_IDS", + "tag": "RT_SCREEN_IP" + } + }, + "network": { + "iana_number": "1" + }, + "observer": { + "name": "rtr199", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trustZone" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2018-07-19T23:28:02.309Z", + "related": { + "ip": [ + "12.12.12.1", + "11.11.11.1" + ] + }, + "client": { + "ip": "12.12.12.1" + }, + "event": { + "severity": 11, + "ingested": "2020-12-03T23:08:28.278258300Z", + "original": "attack-name=\"Tunnel GRE 4in4!\" source-address=\"12.12.12.1\" destination-address=\"11.11.11.1\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "kind": "alert", + "module": "juniper", + "action": "tunneling_screen", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "ip": "2.2.2.2" + }, + "observer": { + "name": "rtr199", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trustZone" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "_temp_": {}, + "@timestamp": "2018-07-20T00:19:02.309Z", + "related": { + "ip": [ + "2.2.2.2" + ] + }, + "log": { + "level": "error" + }, + "destination": { + "geo": { + "continent_name": "Europe", + "country_name": "France", + "location": { + "lon": 2.3387, + "lat": 
48.8582 + }, + "country_iso_code": "FR" + }, + "as": { + "number": 3215, + "organization": { + "name": "Orange" + } + }, + "ip": "2.2.2.2" + }, + "juniper": { + "srx": { + "action": "alarm-without-drop", + "attack_name": "SYN flood!", + "process": "RT_IDS", + "tag": "RT_SCREEN_TCP_DST_IP" + } + }, + "event": { + "severity": 11, + "ingested": "2020-12-03T23:08:28.278371700Z", + "original": "attack-name=\"SYN flood!\" destination-address=\"2.2.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"", + "kind": "alert", + "module": "juniper", + "action": "flood_detected", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "observer": { + "name": "rtr199", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trustZone" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "_temp_": {}, + "@timestamp": "2018-07-20T00:19:02.309Z", + "related": { + "ip": [ + "111.1.1.3" + ] + }, + "log": { + "level": "error" + }, + "client": { + "ip": "111.1.1.3" + }, + "source": { + "geo": { + "continent_name": "Asia", + "region_iso_code": "CN-ZJ", + "city_name": "Wenzhou", + "country_iso_code": "CN", + "country_name": "China", + "region_name": "Zhejiang", + "location": { + "lon": 120.6666, + "lat": 27.9983 + } + }, + "as": { + "number": 56041, + "organization": { + "name": "China Mobile communications corporation" + } + }, + "ip": "111.1.1.3" + }, + "juniper": { + "srx": { + "action": "alarm-without-drop", + "attack_name": "SYN flood!", + "process": "RT_IDS", + "tag": "RT_SCREEN_TCP_SRC_IP" + } + }, + "event": { + "severity": 11, + "ingested": "2020-12-03T23:08:28.278382400Z", + "original": "attack-name=\"SYN flood!\" source-address=\"111.1.1.3\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"", + "kind": "alert", + "module": "juniper", + 
"action": "flood_detected", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 10778, + "ip": "10.1.1.1" + }, + "_temp_": {}, + "log": { + "level": "error" + }, + "destination": { + "port": 10778, + "ip": "10.1.1.1" + }, + "source": { + "port": 50630, + "ip": "10.1.1.100" + }, + "juniper": { + "srx": { + "action": "drop", + "attack_name": "TCP port scan!", + "process": "RT_IDS", + "tag": "RT_SCREEN_TCP" + } + }, + "observer": { + "name": "rtr199", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2020-07-17T07:54:43.912Z", + "related": { + "ip": [ + "10.1.1.100", + "10.1.1.1" + ] + }, + "client": { + "port": 50630, + "ip": "10.1.1.100" + }, + "event": { + "severity": 11, + "ingested": "2020-12-03T23:08:28.278389400Z", + "original": "attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "kind": "alert", + "module": "juniper", + "action": "scan_detected", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 7, + "ip": "10.1.1.1" + }, + "_temp_": {}, + "log": { + "level": "error" + }, + "destination": { + "port": 7, + "ip": "10.1.1.1" + }, + "source": { + "port": 42799, + "ip": "10.1.1.100" + }, + "juniper": { + "srx": { + "action": "drop", + "attack_name": "FIN but no ACK bit!", + "process": "RT_IDS", + "tag": "RT_SCREEN_TCP" + } + }, + "observer": { + "name": "rtr199", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + 
"vendor": "Juniper" + }, + "@timestamp": "2020-07-17T08:01:43.006Z", + "related": { + "ip": [ + "10.1.1.100", + "10.1.1.1" + ] + }, + "client": { + "port": 42799, + "ip": "10.1.1.100" + }, + "event": { + "severity": 11, + "ingested": "2020-12-03T23:08:28.278397Z", + "original": "attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "kind": "alert", + "module": "juniper", + "action": "illegal_tcp_flag_detected", + "category": [ + "network", + "intrusion_detection" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + } + ] +} \ No newline at end of file diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log new file mode 100644 index 000000000000..12f8f137c7f3 --- /dev/null +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log 
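Review bot: The two `alarm-without-drop` documents near the end of the hunk (tags `RT_SCREEN_TCP_DST_IP` and `RT_SCREEN_TCP_SRC_IP`) are pinned with `"type": ["info", "denied", "connection"]` and `"outcome": "success"`, exactly like the `action="drop"` events, so this fixture freezes a classification in which traffic the screen only alarmed on and let through is indistinguishable from traffic it blocked — a rule on `event.type:denied` will over-count, and a hunt for allowed-but-flagged flows will miss them. I would expect `"type": ["info", "allowed", "connection"]` for those two documents, derived from `juniper.srx.action` in the pipeline (which is outside this hunk). Two smaller things the fixture also locks in: the `Record Route IP option!` document is the only screen event with no `event.action`, and every document retains an empty `"_temp_": {}`, which suggests the pipeline's scratch object is never removed before indexing. If any of that is deliberate, a short comment in the pipeline would stop the next reader from treating this fixture as ground truth.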
@@ -0,0 +1,2 @@
+<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="Blacklist" action="BLOCK" action-detail="DROP" http-host="N/A" threat-severity="0" source-address="5.196.121.161" source-port="1" destination-address="10.10.0.10" destination-port="24039" protocol-id="1" application="N/A" nested-application="N/A" feed-name="Tor_Exit_Nodes" policy-name="cc_policy" profile-name="Blacklist" username="N/A" roles="N/A" session-id-32="572564" source-zone-name="Outside" destination-zone-name="DMZ"]
+<14>1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="1.1.1.1" source-port="36612" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"]
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-config.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-config.json
new file mode 100644
index 000000000000..f71947c2f042
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-config.json
@@ -0,0 +1,5 @@
+{
+ "dynamic_fields": {
+ "event.ingested": ".*"
+ }
+}
\ No newline at end of file
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json
new file mode 100644
index 000000000000..ffb214235a16
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json
@@ -0,0 +1,198 @@ +{ + "expected": [ + { + "server": { + "port": 24039, + "ip": "10.10.0.10" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "port": 24039, + "ip": "10.10.0.10" + }, + "source": { + "geo": { + "continent_name": "Europe", + "country_name": "France", + "location": { + "lon": 2.3387, + "lat": 48.8582 + }, + "country_iso_code": "FR" + }, + "as": { + "number": 16276, + "organization": { + "name": "OVH SAS" + } + }, + "port": 1, + "ip": "5.196.121.161" + }, + "juniper": { + "srx": { + "profile_name": "Blacklist", + "process": "RT_SECINTEL", + "threat_severity": "0", + "sub_category": "Blacklist", + "policy_name": "cc_policy", + "action": "BLOCK", + "action_detail": "DROP", + "session_id_32": "572564", + "tag": "SECINTEL_ACTION_LOG", + "category": "secintel", + "feed_name": "Tor_Exit_Nodes" + } + }, + "network": { + "iana_number": "1" + }, + "observer": { + "name": "SRX-1500", + "ingress": { + "zone": "Outside" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "DMZ" + } + }, + "@timestamp": "2016-10-17T15:18:11.618Z", + "related": { + "ip": [ + "5.196.121.161", + "10.10.0.10" + ] + }, + "client": { + "port": 1, + "ip": "5.196.121.161" + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:30.578036600Z", + "original": "category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"5.196.121.161\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"", + "kind": "alert", + "module": "juniper", + "action": "malware_detected", + "category": [ + "network", + "malware" + ], + "type": [ + "info", + 
"denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "ip": "10.0.0.1" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "port": 80, + "ip": "10.0.0.1" + }, + "source": { + "geo": { + "continent_name": "Oceania", + "country_name": "Australia", + "location": { + "lon": 143.2104, + "lat": -33.494 + }, + "country_iso_code": "AU" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." + } + }, + "port": 36612, + "ip": "1.1.1.1" + }, + "juniper": { + "srx": { + "process": "RT_SECINTEL", + "threat_severity": "10", + "sub_category": "CC", + "occur_count": "0", + "policy_name": "test", + "feed_name": "cc_url_data", + "profile_name": "test-profile", + "application": "HTTP", + "action": "BLOCK", + "action_detail": "CLOSE REDIRECT MSG", + "session_id_32": "502362", + "tag": "SECINTEL_ACTION_LOG", + "category": "secintel" + } + }, + "url": { + "domain": "dummy_host" + }, + "network": { + "iana_number": "6" + }, + "observer": { + "name": "SRX-1500", + "ingress": { + "zone": "Inside" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "Outside" + } + }, + "@timestamp": "2016-10-17T15:18:11.618Z", + "related": { + "hosts": [ + "dummy_host" + ], + "ip": [ + "1.1.1.1", + "10.0.0.1" + ] + }, + "client": { + "port": 36612, + "ip": "1.1.1.1" + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:30.578045900Z", + "original": "category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" 
destination-zone-name=\"Outside\" occur-count=\"0\"", + "kind": "alert", + "module": "juniper", + "action": "malware_detected", + "category": [ + "network", + "malware" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + } + ] +} \ No newline at end of file diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log new file mode 100644 index 000000000000..61c320ae8859 --- /dev/null +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log 
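Review bot: `juniper.srx.threat_severity` is pinned as the strings `"0"` and `"10"`, while `event.severity` is `14` in both documents, which matches the `<14>` syslog PRI of the input lines and so looks like the transport priority rather than a threat rating; the upshot is that the field carrying the SRX's actual threat score cannot be range-queried, and the integer that reads as a severity is identical for a severity-0 blacklist hit and a severity-10 command-and-control hit. Since `event.severity` is already being converted to an integer here, I would apply the same `convert` to `threat_severity` (and to `occur_count`, pinned as `"0"` in the second document), and consider surfacing the threat score in `event.risk_score` so alerting does not have to special-case this dataset — that change belongs in the pipeline, outside this hunk. The fixture also asserts `"category": ["network", "malware"]` for the `Tor_Exit_Nodes` blacklist match as well as for the CC-feed hit; the first is a reputation block rather than a malware detection, so if `malware` is kept for both, a comment in the pipeline explaining the choice would help.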
@@ -0,0 +1,12 @@
+<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
+<12>1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.86 source-address="10.10.10.50" source-port="1402" destination-address="216.200.241.66" destination-port="80" category="N/A" reason="BY_OTHER" profile="wf-profile" url="www.checkpoint.com" obj="/css/homepage2012.css" username="user02" roles="N/A"]
+<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.40 source-address="188.40.238.250" source-port="80" destination-address="10.1.1.103" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
+<12>1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@2636.1.1.1.2.40 source-address="74.125.155.147" source-port="80" destination-address="10.1.1.103" destination-port="33578" filename="www.google.com/" error-code="14" error-message="scan engine is not ready"]
+<12>1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@2636.1.1.1.2.40 source-address="10.2.1.101" source-port="80" destination-address="10.1.1.103" destination-port="51727" filename="10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz"]
+<14>1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@2636.1.1.1.2.86 source-zone="trust" destination-zone="untrust" source-name="N/A" source-address="10.10.10.1" profile-name="antispam01" action="drop" reason="Match local blacklist" username="user01" roles="N/A"]
+<14>1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT
[junos@2636.1.1.1.2.86 source-zone="untrust" destination-zone="trust" protocol="http" source-address="192.0.2.3" source-port="58071" destination-address="198.51.100.2" destination-port="80" profile-name="content02" action="drop" reason="blocked due to file extension block list" username="user01@testuser.com" roles="N/A" filename="test.cmd"]
+<12>1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@2636.1.1.1.2.86 source-address="192.168.1.100" source-port="58071" destination-address="103.235.46.39" destination-port="80" category="cat1" reason="BY_BLACK_LIST" profile="uf1" url="www.baidu.com" obj="/" username="user01" roles="N/A"]
+<12>1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@2636.1.1.1.2.40 source-address="188.40.238.250" source-port="80" destination-address="10.1.1.103" destination-port="47095" source-zone-name="untrust" filename="www.eicar.org/download/eicar.com" temporary-filename="www.eicar.org/download/eicar.com" name="EICAR-Test-File" url="EICAR-Test-File"]
+<14>1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="58974" destination-address="104.26.15.142" destination-port="443" session-id="16297" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Information_Technology" reason="BY_SITE_REPUTATION_MODERATELY_SAFE" profile="WCF1" url="datawrapper.dwcdn.net" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="0"]
+<12>1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="10.1.1.100" source-port="59075" destination-address="85.114.159.93" destination-port="443" session-id="16490" application="UNKNOWN" nested-application="UNKNOWN" category="Enhanced_Advertisements" reason="BY_SITE_REPUTATION_SUSPICIOUS" profile="WCF1"
url="dsp.adfarm1.adition.com" obj="/" username="N/A" roles="N/A" application-sub-category="N/A" urlcategory-risk="3"]
+<12>1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@2636.1.1.1.2.129 source-zone="trust" destination-zone="untrust" source-address="23.209.86.45" source-port="80" destination-address="10.1.1.100" destination-port="58954" profile-name="Custom-Sophos-Profile" filename="download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" action="BLOCKED" reason="exceeding maximum content size" error-code="7" username="N/A" roles="N/A"]
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-config.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-config.json
new file mode 100644
index 000000000000..f71947c2f042
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-config.json
@@ -0,0 +1,5 @@
+{
+ "dynamic_fields": {
+ "event.ingested": ".*"
+ }
+}
\ No newline at end of file
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json
new file mode 100644
index 000000000000..7fb2108f13fa
--- /dev/null
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json
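Review bot: The `AV_HUGE_FILE_DROPPED_MT` sample carries `filename="10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz"` with a space after `junos-`, which looks like a line-wrap artifact from the document the line was copied out of rather than something an SRX would emit. The expected fixture will pin that embedded space into whatever `file.*`/`url.*` field the pipeline derives from `filename`, so I would drop it (`filename="10.2.1.101/images/junos-srxsme-10.2-20100106.0-domestic.tgz"`) before regenerating the expected output. A second, hedged point: several samples use real public addresses (`103.235.46.39`, `188.40.238.250`, `74.125.155.147`, `85.114.159.93`, `23.209.86.45`) whose `geo`/`as` enrichment then gets asserted in the expected file; if the test harness does not pin the GeoIP database, those assertions drift with every database update, whereas the content-filter sample already uses RFC 5737 addresses (`192.0.2.3`, `198.51.100.2`) that sidestep the problem.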
@@ -0,0 +1,986 @@ +{ + "expected": [ + { + "server": { + "port": 80, + "ip": "103.235.46.39" + }, + "_temp_": {}, + "log": { + "level": "warning" + }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Hong Kong", + "location": { + "lon": 114.1667, + "lat": 22.25 + }, + "country_iso_code": "HK" + }, + "as": { + "number": 55967, + "organization": { + "name": "Beijing Baidu Netcom Science and Technology Co., Ltd." + } + }, + "port": 80, + "ip": "103.235.46.39" + }, + "source": { + "port": 58071, + "user": { + "name": "user01" + }, + "ip": "192.168.1.100" + }, + "juniper": { + "srx": { + "reason": "BY_BLACK_LIST", + "process": "RT_UTM", + "tag": "WEBFILTER_URL_BLOCKED", + "category": "cat1", + "profile": "uf1" + } + }, + "url": { + "path": "/", + "domain": "www.baidu.com" + }, + "observer": { + "name": "utm-srx550-b", + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2016-02-18T01:32:50.391Z", + "related": { + "hosts": [ + "www.baidu.com" + ], + "ip": [ + "192.168.1.100", + "103.235.46.39" + ] + }, + "client": { + "port": 58071, + "ip": "192.168.1.100" + }, + "event": { + "severity": 12, + "ingested": "2020-12-03T23:08:31.033423300Z", + "original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"", + "kind": "alert", + "module": "juniper", + "action": "web_filter", + "category": [ + "network", + "malware" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "ip": "216.200.241.66" + }, + "_temp_": {}, + "log": { + "level": "warning" + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + 
}, + "as": { + "number": 6461, + "organization": { + "name": "Zayo Bandwidth" + } + }, + "port": 80, + "ip": "216.200.241.66" + }, + "source": { + "port": 1402, + "user": { + "name": "user02" + }, + "ip": "10.10.10.50" + }, + "juniper": { + "srx": { + "reason": "BY_OTHER", + "process": "RT_UTM", + "tag": "WEBFILTER_URL_PERMITTED", + "profile": "wf-profile" + } + }, + "url": { + "path": "/css/homepage2012.css", + "domain": "www.checkpoint.com" + }, + "observer": { + "name": "utm-srx550-b", + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2016-02-18T01:32:50.391Z", + "related": { + "hosts": [ + "www.checkpoint.com" + ], + "ip": [ + "10.10.10.50", + "216.200.241.66" + ] + }, + "client": { + "port": 1402, + "ip": "10.10.10.50" + }, + "event": { + "severity": 12, + "ingested": "2020-12-03T23:08:31.033436300Z", + "original": "source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"216.200.241.66\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"", + "kind": "event", + "module": "juniper", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 47095, + "ip": "10.1.1.103" + }, + "_temp_": {}, + "log": { + "level": "warning" + }, + "destination": { + "port": 47095, + "ip": "10.1.1.103" + }, + "source": { + "geo": { + "continent_name": "Europe", + "country_name": "Germany", + "location": { + "lon": 9.491, + "lat": 51.2993 + }, + "country_iso_code": "DE" + }, + "as": { + "number": 24940, + "organization": { + "name": "Hetzner Online GmbH" + } + }, + "port": 80, + "ip": "188.40.238.250" + }, + "juniper": { + "srx": { + "name": "EICAR-Test-File", + "process": "RT_UTM", + "tag": "AV_VIRUS_DETECTED_MT", + "temporary_filename": "www.eicar.org/download/eicar.com" + } + }, + "url": { + "domain": 
"EICAR-Test-File" + }, + "observer": { + "name": "SRX650-1", + "ingress": { + "zone": "untrust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2010-02-08T08:29:28.565Z", + "file": { + "name": "www.eicar.org/download/eicar.com" + }, + "related": { + "hosts": [ + "EICAR-Test-File" + ], + "ip": [ + "188.40.238.250", + "10.1.1.103" + ] + }, + "client": { + "port": 80, + "ip": "188.40.238.250" + }, + "event": { + "severity": 12, + "ingested": "2020-12-03T23:08:31.033445400Z", + "original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"", + "kind": "alert", + "module": "juniper", + "action": "virus_detected", + "category": [ + "network", + "malware" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 33578, + "ip": "10.1.1.103" + }, + "_temp_": {}, + "log": { + "level": "warning" + }, + "destination": { + "port": 33578, + "ip": "10.1.1.103" + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 15169, + "organization": { + "name": "Google LLC" + } + }, + "port": 80, + "ip": "74.125.155.147" + }, + "juniper": { + "srx": { + "error_message": "scan engine is not ready", + "process": "RT_UTM", + "error_code": "14", + "tag": "AV_SCANNER_DROP_FILE_MT" + } + }, + "observer": { + "name": "SRX650-1", + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2010-02-08T08:29:28.565Z", + "file": { + "name": "www.google.com/" + }, + "related": { + "ip": [ + "74.125.155.147", + "10.1.1.103" + ] + }, + "client": { + "port": 
80, + "ip": "74.125.155.147" + }, + "event": { + "severity": 12, + "ingested": "2020-12-03T23:08:31.033452200Z", + "original": "source-address=\"74.125.155.147\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"", + "kind": "event", + "module": "juniper", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 51727, + "ip": "10.1.1.103" + }, + "_temp_": {}, + "log": { + "level": "warning" + }, + "destination": { + "port": 51727, + "ip": "10.1.1.103" + }, + "source": { + "port": 80, + "ip": "10.2.1.101" + }, + "juniper": { + "srx": { + "process": "RT_UTM", + "tag": "AV_HUGE_FILE_DROPPED_MT" + } + }, + "observer": { + "name": "SRX650-1", + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2010-01-29T10:59:59.660Z", + "file": { + "name": "10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz" + }, + "related": { + "ip": [ + "10.2.1.101", + "10.1.1.103" + ] + }, + "client": { + "port": 80, + "ip": "10.2.1.101" + }, + "event": { + "severity": 12, + "ingested": "2020-12-03T23:08:31.033462300Z", + "original": "source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"", + "kind": "event", + "module": "juniper", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "observer": { + "name": "utm-srx550-b", + "ingress": { + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "untrust" + } + }, + "_temp_": {}, + "@timestamp": "2016-02-18T01:33:50.391Z", + "related": { + "ip": [ + "10.10.10.1" + ] + }, + "log": { + "level": "informational" + 
}, + "client": { + "ip": "10.10.10.1" + }, + "source": { + "user": { + "name": "user01" + }, + "ip": "10.10.10.1" + }, + "juniper": { + "srx": { + "profile_name": "antispam01", + "reason": "Match local blacklist", + "action": "drop", + "process": "RT_UTM", + "tag": "ANTISPAM_SPAM_DETECTED_MT" + } + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:31.033469900Z", + "original": "source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"", + "kind": "alert", + "module": "juniper", + "action": "antispam_filter", + "category": [ + "network", + "malware" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "ip": "198.51.100.2" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, + "destination": { + "port": 80, + "ip": "198.51.100.2" + }, + "source": { + "port": 58071, + "user": { + "name": "user01@testuser.com" + }, + "ip": "192.0.2.3" + }, + "juniper": { + "srx": { + "reason": "blocked due to file extension block list", + "profile_name": "content02", + "action": "drop", + "process": "RT_UTM", + "tag": "CONTENT_FILTERING_BLOCKED_MT" + } + }, + "network": { + "protocol": "http" + }, + "observer": { + "name": "utm-srx550-b", + "ingress": { + "zone": "untrust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "trust" + } + }, + "@timestamp": "2016-02-18T01:34:50.391Z", + "file": { + "name": "test.cmd" + }, + "related": { + "ip": [ + "192.0.2.3", + "198.51.100.2" + ] + }, + "client": { + "port": 58071, + "ip": "192.0.2.3" + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:31.033476Z", + "original": "source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.0.2.3\" source-port=\"58071\" 
destination-address=\"198.51.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"", + "kind": "alert", + "module": "juniper", + "action": "content_filter", + "category": [ + "network", + "malware" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 80, + "ip": "103.235.46.39" + }, + "_temp_": {}, + "log": { + "level": "warning" + }, + "destination": { + "geo": { + "continent_name": "Asia", + "country_name": "Hong Kong", + "location": { + "lon": 114.1667, + "lat": 22.25 + }, + "country_iso_code": "HK" + }, + "as": { + "number": 55967, + "organization": { + "name": "Beijing Baidu Netcom Science and Technology Co., Ltd." + } + }, + "port": 80, + "ip": "103.235.46.39" + }, + "source": { + "port": 58071, + "user": { + "name": "user01" + }, + "ip": "192.168.1.100" + }, + "juniper": { + "srx": { + "reason": "BY_BLACK_LIST", + "process": "RT_UTM", + "tag": "WEBFILTER_URL_BLOCKED_LS", + "category": "cat1", + "profile": "uf1" + } + }, + "url": { + "path": "/", + "domain": "www.baidu.com" + }, + "observer": { + "name": "utm-srx550-b", + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2016-02-19T01:32:50.391Z", + "related": { + "hosts": [ + "www.baidu.com" + ], + "ip": [ + "192.168.1.100", + "103.235.46.39" + ] + }, + "client": { + "port": 58071, + "ip": "192.168.1.100" + }, + "event": { + "severity": 12, + "ingested": "2020-12-03T23:08:31.033483800Z", + "original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"", + "kind": "alert", + "module": "juniper", + "action": "web_filter", + "category": [ + "network", + 
"malware" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 47095, + "ip": "10.1.1.103" + }, + "_temp_": {}, + "log": { + "level": "warning" + }, + "destination": { + "port": 47095, + "ip": "10.1.1.103" + }, + "source": { + "geo": { + "continent_name": "Europe", + "country_name": "Germany", + "location": { + "lon": 9.491, + "lat": 51.2993 + }, + "country_iso_code": "DE" + }, + "as": { + "number": 24940, + "organization": { + "name": "Hetzner Online GmbH" + } + }, + "port": 80, + "ip": "188.40.238.250" + }, + "juniper": { + "srx": { + "name": "EICAR-Test-File", + "process": "RT_UTM", + "tag": "AV_VIRUS_DETECTED_MT_LS", + "temporary_filename": "www.eicar.org/download/eicar.com" + } + }, + "url": { + "domain": "EICAR-Test-File" + }, + "observer": { + "name": "SRX650-1", + "ingress": { + "zone": "untrust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2011-02-08T08:29:28.565Z", + "file": { + "name": "www.eicar.org/download/eicar.com" + }, + "related": { + "hosts": [ + "EICAR-Test-File" + ], + "ip": [ + "188.40.238.250", + "10.1.1.103" + ] + }, + "client": { + "port": 80, + "ip": "188.40.238.250" + }, + "event": { + "severity": 12, + "ingested": "2020-12-03T23:08:31.033499200Z", + "original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"", + "kind": "alert", + "module": "juniper", + "action": "virus_detected", + "category": [ + "network", + "malware" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "ip": "104.26.15.142" + }, + "_temp_": {}, + "log": { + "level": "informational" + }, 
+ "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 13335, + "organization": { + "name": "Cloudflare, Inc." + } + }, + "port": 443, + "ip": "104.26.15.142" + }, + "source": { + "port": 58974, + "ip": "10.1.1.100" + }, + "juniper": { + "srx": { + "reason": "BY_SITE_REPUTATION_MODERATELY_SAFE", + "session_id": "16297", + "process": "RT_UTM", + "tag": "WEBFILTER_URL_PERMITTED", + "category": "Enhanced_Information_Technology", + "profile": "WCF1" + } + }, + "url": { + "path": "/", + "domain": "datawrapper.dwcdn.net" + }, + "observer": { + "name": "SRX650-1", + "ingress": { + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "untrust" + } + }, + "@timestamp": "2020-07-14T14:16:18.345Z", + "related": { + "hosts": [ + "datawrapper.dwcdn.net" + ], + "ip": [ + "10.1.1.100", + "104.26.15.142" + ] + }, + "client": { + "port": 58974, + "ip": "10.1.1.100" + }, + "event": { + "severity": 14, + "ingested": "2020-12-03T23:08:31.033512500Z", + "original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"104.26.15.142\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"", + "risk_score": 0.0, + "kind": "event", + "module": "juniper", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 443, + "ip": "85.114.159.93" + }, + "_temp_": {}, + "log": { + "level": "warning" + }, + "destination": { + "geo": { + 
"continent_name": "Europe", + "country_name": "Germany", + "location": { + "lon": 9.491, + "lat": 51.2993 + }, + "country_iso_code": "DE" + }, + "as": { + "number": 24961, + "organization": { + "name": "myLoc managed IT AG" + } + }, + "port": 443, + "ip": "85.114.159.93" + }, + "source": { + "port": 59075, + "ip": "10.1.1.100" + }, + "juniper": { + "srx": { + "reason": "BY_SITE_REPUTATION_SUSPICIOUS", + "session_id": "16490", + "process": "RT_UTM", + "tag": "WEBFILTER_URL_BLOCKED", + "category": "Enhanced_Advertisements", + "profile": "WCF1" + } + }, + "url": { + "path": "/", + "domain": "dsp.adfarm1.adition.com" + }, + "observer": { + "name": "SRX650-1", + "ingress": { + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "untrust" + } + }, + "@timestamp": "2020-07-14T14:16:29.541Z", + "related": { + "hosts": [ + "dsp.adfarm1.adition.com" + ], + "ip": [ + "10.1.1.100", + "85.114.159.93" + ] + }, + "client": { + "port": 59075, + "ip": "10.1.1.100" + }, + "event": { + "severity": 12, + "ingested": "2020-12-03T23:08:31.033518700Z", + "original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"85.114.159.93\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"", + "risk_score": 3.0, + "kind": "alert", + "module": "juniper", + "action": "web_filter", + "category": [ + "network", + "malware" + ], + "type": [ + "info", + "denied", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + }, + { + "server": { + "port": 58954, + "ip": "10.1.1.100" + }, + "_temp_": {}, + "log": { + "level": "warning" + }, + "destination": { + "port": 58954, + "ip": 
"10.1.1.100" + }, + "source": { + "geo": { + "continent_name": "Europe", + "country_name": "Netherlands", + "location": { + "lon": 4.8995, + "lat": 52.3824 + }, + "country_iso_code": "NL" + }, + "as": { + "number": 16625, + "organization": { + "name": "Akamai Technologies, Inc." + } + }, + "port": 80, + "ip": "23.209.86.45" + }, + "juniper": { + "srx": { + "reason": "exceeding maximum content size", + "profile_name": "Custom-Sophos-Profile", + "action": "BLOCKED", + "process": "RT_UTM", + "error_code": "7", + "tag": "AV_FILE_NOT_SCANNED_DROPPED_MT" + } + }, + "observer": { + "name": "SRX650-1", + "ingress": { + "zone": "trust" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper", + "egress": { + "zone": "untrust" + } + }, + "@timestamp": "2020-07-14T14:17:04.733Z", + "file": { + "name": "download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" + }, + "related": { + "ip": [ + "23.209.86.45", + "10.1.1.100" + ] + }, + "client": { + "port": 80, + "ip": "23.209.86.45" + }, + "event": { + "severity": 12, + "ingested": "2020-12-03T23:08:31.033533600Z", + "original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"23.209.86.45\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"", + "kind": "event", + "module": "juniper", + "category": [ + "network" + ], + "type": [ + "allowed", + "connection" + ], + "dataset": "juniper.srx", + "outcome": "success" + } + } + ] +} \ No newline at end of file diff --git a/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml b/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml index 1b99e450325d..fa7ebf34998d 100644 
--- a/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml
@@ -28,7 +28,7 @@ processors:
 # Parse the date
 #
 - date:
- if: "ctx.event.timezone == null"
+ if: "ctx?.event?.timezone == null"
 field: _temp_.raw_date
 target_field: "@timestamp"
 formats:
@@ -37,7 +37,7 @@ processors:
 - yyyy-MM-dd HH:mm:ss Z
 - ISO8601
 - date:
- if: "ctx.event.timezone != null"
+ if: "ctx?.event?.timezone != null"
 timezone: "{{ event.timezone }}"
 field: _temp_.raw_date
 target_field: "@timestamp"
@@ -56,7 +56,7 @@ processors:
 - rename:
 field: juniper.srx.elapsed_time
 target_field: juniper.srx.duration
- if: "ctx.juniper?.srx?.elapsed_time != null"
+ if: "ctx?.juniper?.srx?.elapsed_time != null"
 # Sets starts, end and duration when start and duration is known
 - script:
@@ -89,9 +89,11 @@ processors:
 - set:
 field: event.dataset
 value: juniper.srx
-- set:
- field: event.severity
- value: '{{syslog_pri}}'
+- convert:
+ field: syslog_pri
+ type: long
+ target_field: event.severity
+ ignore_failure: true
 - rename:
 field: log.original
 target_field: event.original
@@ -198,8 +200,7 @@ processors:
 - remove:
 field:
 - message
- - _temp_
- - _temp
+ - _temp_.raw_date
 - juniper.srx.duration
 - juniper.srx.dir_disp
 - juniper.srx.srczone
diff --git a/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/flow.yml b/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/flow.yml
index 59c2ee2ca48b..bf9fcbeb05e8 100644
--- a/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/flow.yml
+++ b/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/flow.yml
@@ -14,11 +14,12 @@ processors:
 - append:
 field: event.category
 value: network
-- rename:
+- convert:
 field: juniper.srx.application_risk
+ type: float
 target_field: event.risk_score
 ignore_missing: true
- if: "ctx.juniper?.srx?.application_risk != null"
+ ignore_failure: true
 - append:
 field: event.type
 value: 
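Review bot: The new `convert` on `syslog_pri` leans on `ignore_failure: true` alone, which also swallows the missing-field error (no `ignore_missing` is set on this processor) and any non-numeric value, so a malformed or absent header leaves `event.severity` unset with nothing recorded on the event; `ignore_missing: true` plus an `on_failure` that appends to `error.message` would keep "absent" and "garbage" distinguishable, and the same pattern is used by the `convert` processors added in flow.yml and utm.yml in this patch. Separately, the value stored looks like the raw syslog PRI rather than the decoded severity: the utm fixture in this patch records `severity: 12` alongside `log.level: warning` and `severity: 14` alongside `log.level: informational`, which is consistent with facility*8+severity for the `<12>`/`<14>` headers. Rules that threshold on `event.severity` would then rank messages partly by facility; if that is intended, a comment on the processor such as `# event.severity carries the full syslog PRI (facility*8 + severity), not the decoded severity` would make it explicit. The rest of the processor list lies outside the hunk.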
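Review bot: Narrowing the final `remove` from `_temp_` to `_temp_.raw_date` leaves the scratch object itself in every indexed document — the utm fixture in this same patch shows `"_temp_": {}` on each event — and any other `_temp_.*` key a sub-pipeline writes from now on would persist in the index instead of being dropped. If the object must survive until the per-type pipelines have run, a trailing processor `- remove:` / `field: _temp_` / `ignore_missing: true` placed after them (and mirrored in the `on_failure` path) would restore the cleanup without reintroducing the failure this commit worked around. The enclosing `remove` processor and the remainder of its field list continue past the hunk.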
@@ -345,6 +346,7 @@ processors:
 #############
 - remove:
 field:
+ - juniper.srx.application_risk
 - juniper.srx.destination_port
 - juniper.srx.nat_destination_port
 - juniper.srx.bytes_from_client
diff --git a/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/utm.yml b/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/utm.yml
index 89043ceed174..056f23dbe1b5 100644
--- a/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/utm.yml
+++ b/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/utm.yml
@@ -14,11 +14,12 @@ processors:
 - append:
 field: event.category
 value: network
-- rename:
+- convert:
 field: juniper.srx.urlcategory_risk
+ type: float
 target_field: event.risk_score
 ignore_missing: true
- if: "ctx.juniper?.srx?.urlcategory_risk != null"
+ ignore_failure: true
 - set:
 field: event.kind
 value: alert
@@ -381,6 +382,7 @@ processors:
 - juniper.srx.nat_source_port
 - juniper.srx.bytes_from_server
 - juniper.srx.packets_from_server
+ - juniper.srx.urlcategory_risk
 ignore_missing: true
 on_failure:
diff --git a/packages/juniper/data_stream/srx/fields/fields.yml b/packages/juniper/data_stream/srx/fields/fields.yml
index abcdd38e98e4..7b50efa6dcda 100644
--- a/packages/juniper/data_stream/srx/fields/fields.yml
+++ b/packages/juniper/data_stream/srx/fields/fields.yml
@@ -384,5 +384,5 @@ occur count
 - name: tag
 type: keyword
- description: |
+ description: |-
 system log message tag, which uniquely identifies the message.
diff --git a/packages/juniper/manifest.yml b/packages/juniper/manifest.yml
index 1ffe7637dfb8..e09bedb6e13c 100644
--- a/packages/juniper/manifest.yml
+++ b/packages/juniper/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: juniper
 title: Juniper
-version: 0.4.2
+version: 0.4.3
 description: Juniper Integration
 categories: ["network", "security"]
 release: experimental