    def translate(self, line, line_num, dictionary):
        """
        Extract the connection 4-tuple from a Cisco ASA "Built inbound ... connection" syslog line.

        Args:
            line: The raw syslog line to parse
            line_num: The line number, used only in the error printout
            dictionary: The dict that receives SourceIP, SourcePort,
                DestinationIP and DestinationPort on success

        Returns:
            0 when the line matched and the four keys were written.
            2 when the line did not match the ASA pattern; nothing is
              written to `dictionary` in that case.
        """
        # Anchored ASA "Built inbound" pattern. The groups that are not
        # consumed below (protocol, connection id, zones) are kept so the
        # expression stays aligned with the other ASA translators.
        pattern = r"^.* Built inbound (?P<asa_protocol>.*) connection (?P<asa_conn_id>\d+) for (?P<asa_src_zone>.*):(?P<asa_src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?P<asa_src_port>\d+) \(.*/\d+\) to (?P<asa_dst_zone>.*):(?P<asa_dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?P<asa_dst_port>\d+) .*"
        match = re.match(pattern, line)
        if match is None:
            print("error parsing line {0}: {1}".format(line_num, line))
            return 2

        src_ip, src_port, dst_ip, dst_port = match.group(
            'asa_src_ip', 'asa_src_port', 'asa_dst_ip', 'asa_dst_port')
        # Addresses are stored as integers; the dotted-quad octets are
        # passed positionally to the shared converter.
        dictionary['SourceIP'] = common.IPtoInt(*src_ip.split("."))
        dictionary['SourcePort'] = src_port
        dictionary['DestinationIP'] = common.IPtoInt(*dst_ip.split("."))
        dictionary['DestinationPort'] = dst_port
        # No timestamp is extracted from this format yet.
        return 0
def translate(line, linenum, dictionary):
    """
    Parse one comma-separated UDP record into the connection 4-tuple.

    Expected layout after splitting on ",": exactly seven fields, with
    field 0 the protocol name, 1 the source IP, 2 the source port,
    3 the destination IP and 4 the destination port (fields 5 and 6 are
    not read). Surrounding spaces on each field are ignored.

    Args:
        line: the raw record; a trailing newline is stripped first
        linenum: the record's line number (not used at present)
        dictionary: receives SourceIP, SourcePort, DestinationIP and
            DestinationPort on success

    Returns:
        0 on success; 1 when the field count is not seven; 2 when the
        protocol field is anything other than 'UDP'. Nothing is written
        to `dictionary` on a non-zero return.
    """
    fields = [field.strip(' ') for field in line.rstrip("\n").split(",")]
    if len(fields) != 7:
        return 1

    protocol, src_ip, src_port, dst_ip, dst_port = fields[:5]
    if protocol != 'UDP':
        # Non-UDP records are dropped without a printout: logging each
        # one is noisy and slow on large inputs.
        return 2

    dictionary['SourceIP'] = common.IPtoInt(*src_ip.split("."))
    dictionary['SourcePort'] = src_port
    dictionary['DestinationIP'] = common.IPtoInt(*dst_ip.split("."))
    dictionary['DestinationPort'] = dst_port
    return 0
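    def translate(self, line, line_num, dictionary):
        """
        Converts a given space-separated flow-log line into a dictionary of (ip, port, ip, port)
        Args:
            line: The log line to parse
            line_num: The line number, for error printouts
            dictionary: The dictionary to write key/values pairs into

        Returns:
            0 on success and non-zero on error.
            2 => error in parsing the line. It had fewer than seven
                 space-separated fields, so the addresses and ports could
                 not be read; nothing is written to `dictionary`.
        """
        awsLog = line.split(" ")

        # Fields 3..6 are read below, so at least seven fields are required.
        # Without this check a short or truncated line raised IndexError
        # instead of returning the documented error code.
        if len(awsLog) < 7:
            print("error parsing line {0}: {1}".format(line_num, line))
            return 2

        # Field positions are consistent with the VPC flow-log header
        # (version, account-id, interface-id, srcaddr, dstaddr, srcport,
        # dstport, ...) -- confirm against the log format actually fed in.
        dictionary['SourceIP'] = common.IPtoInt(*(awsLog[3].split(".")))
        dictionary['SourcePort'] = awsLog[5]
        dictionary['DestinationIP'] = common.IPtoInt(*(awsLog[4].split(".")))
        dictionary['DestinationPort'] = awsLog[6]
        # No timestamp is extracted from this format yet.
        return 0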
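    def translate(self, line, line_num, dictionary):
        """
        Converts a given syslog line into a dictionary of (ip, port, ip, port, timestamp)
        Args:
            line: The syslog line to parse: a JSON object whose 'message'
                value is the comma-separated firewall log record
            line_num: The line number, for error printouts
            dictionary: The dictionary to write key/values pairs into

        Returns:
            0 on success and non-zero on error.
            1 => ignoring a message that isn't network "TRAFFIC"
            2 => error in parsing the line: not valid JSON, no string
                 'message' value, too few fields, or an unparseable timestamp
            3 => The protocol wasn't TCP and was ignored.
            Nothing is written to `dictionary` on a non-zero return.
        """
        try:
            data = json.loads(line)['message']
            # TODO: this assumes the data will not have any commas embedded in strings
            split_data = data.split(',')
        except (ValueError, KeyError, TypeError, AttributeError):
            # not JSON, not a JSON object, no 'message' key, or a
            # non-string 'message' value
            print("error parsing line {0}: {1}".format(line_num, line))
            return 2

        # Field 3 is the log type; guard it before reading so a truncated
        # record reports a parse error instead of raising IndexError.
        if len(split_data) <= 3:
            print("error parsing line {0}: {1}".format(line_num, line))
            return 2
        if split_data[3] != "TRAFFIC":
            print("Line {0}: Ignoring non-TRAFFIC entry (was {1})".format(
                line_num, split_data[3]))
            return 1
        # The highest field read below is 29 (the protocol), so a record
        # needs at least 30 fields. The earlier "< 29" check let a 29-field
        # record through to split_data[29], which raised IndexError.
        if len(split_data) < 30:
            print("error parsing line {0}: {1}".format(line_num, line))
            return 2
        # 29 is protocol: tcp, udp, ...
        # TODO: don't ignore everything but TCP
        if split_data[29] != 'tcp':
            # printing this is very noisy and slow
            return 3

        # Parse the timestamp before writing anything so a bad value leaves
        # `dictionary` untouched, consistent with the other error returns.
        try:
            timestamp = datetime.strptime(
                split_data[1], "%Y/%m/%d %H:%M:%S").strftime("%Y-%m-%d %H:%M:%S")
        except ValueError:
            print("error parsing line {0}: {1}".format(line_num, line))
            return 2

        # srcIP, srcPort, dstIP, dstPort
        dictionary['SourceIP'] = common.IPtoInt(*(split_data[7].split(".")))
        dictionary['SourcePort'] = split_data[24]
        dictionary['DestinationIP'] = common.IPtoInt(
            *(split_data[8].split(".")))
        dictionary['DestinationPort'] = split_data[25]
        dictionary['Timestamp'] = timestamp
        return 0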
    def translate(self, line, line_num, dictionary):
        """
        Extract the connection 4-tuple from a Cisco ASA "Built inbound/outbound ... connection" syslog line.

        For an inbound connection the ASA "for" side is the source and the
        "to" side the destination; for an outbound connection the two are
        swapped so that SourceIP/SourcePort always name the initiator.

        Args:
            line: The raw syslog line to parse
            line_num: The line number, used only in the error printout
            dictionary: The dict that receives SourceIP, SourcePort,
                DestinationIP, DestinationPort and Timestamp on success

        Returns:
            0 when the line matched and the five keys were written.
            2 when the line did not match the ASA pattern; nothing is
              written to `dictionary` in that case.
        """
        # Anchored ASA "Built in|outbound" pattern; the direction group
        # decides which side is source and which is destination.
        pattern = r"^.* Built (?P<asa_in_out>in|out)bound (?P<asa_protocol>.*) connection (?P<asa_conn_id>\d+) for (?P<asa_src_zone>.*):(?P<asa_src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?P<asa_src_port>\d+) \(.*/\d+\) to (?P<asa_dst_zone>.*):(?P<asa_dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?P<asa_dst_port>\d+) .*"
        match = re.match(pattern, line)
        if match is None:
            print("error parsing line {0}: {1}".format(line_num, line))
            return 2

        # "for" side first, "to" side second; addresses become integers.
        for_ip = common.IPtoInt(*match.group('asa_src_ip').split("."))
        for_port = match.group('asa_src_port')
        to_ip = common.IPtoInt(*match.group('asa_dst_ip').split("."))
        to_port = match.group('asa_dst_port')

        if match.group('asa_in_out') == 'in':
            source, destination = (for_ip, for_port), (to_ip, to_port)
        else:
            source, destination = (to_ip, to_port), (for_ip, for_port)

        dictionary['SourceIP'], dictionary['SourcePort'] = source
        dictionary['DestinationIP'], dictionary['DestinationPort'] = destination

        # ASA logs don't always carry a timestamp, so the current local time
        # is recorded instead. If your logs do include one, parse it here.
        dictionary['Timestamp'] = time.strftime(self.mysql_time_format, time.localtime())
        return 0