def translate(self, line, line_num, dictionary):
    """
    Parse one ASA "Built inbound ... connection" syslog line into *dictionary*.

    Args:
        line: The raw syslog line.
        line_num: Line number of *line* in its source, used only for the
            error printout.
        dictionary: Output dict; on success receives the keys 'SourceIP',
            'SourcePort', 'DestinationIP' and 'DestinationPort'. Addresses
            are converted with common.IPtoInt, ports stay as the matched
            strings.

    Returns:
        0 on success, 2 when the line does not match the expected ASA format
        (the raw line is echoed to stdout in that case). No other code is
        produced by this implementation.
    """
    # Pattern for the ASA "Built inbound <proto> connection" message. The
    # several greedy ".*" groups make matching super-linear on long lines that
    # almost match; fine for syslog-sized input, but worth knowing.
    asa_built_re = (
        r"^.* Built inbound (?P<asa_protocol>.*) connection (?P<asa_conn_id>\d+)"
        r" for (?P<asa_src_zone>.*):(?P<asa_src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
        r"/(?P<asa_src_port>\d+) \(.*/\d+\) to (?P<asa_dst_zone>.*)"
        r":(?P<asa_dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?P<asa_dst_port>\d+) .*"
    )
    match = re.match(asa_built_re, line)
    if match is None:
        # The echoed text comes straight from the log source.
        print("error parsing line {0}: {1}".format(line_num, line))
        return 2

    src_octets = match.group('asa_src_ip').split(".")
    dst_octets = match.group('asa_dst_ip').split(".")
    dictionary['SourceIP'] = common.IPtoInt(*src_octets)
    dictionary['SourcePort'] = match.group('asa_src_port')
    dictionary['DestinationIP'] = common.IPtoInt(*dst_octets)
    dictionary['DestinationPort'] = match.group('asa_dst_port')
    # No timestamp is extracted by this parser (left as a TODO originally).
    return 0
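def translate(line, linenum, dictionary):
    """
    Parse one comma-separated flow line into *dictionary*.

    The line must split into exactly seven comma-separated fields; only the
    first five are used here: ``protocol, src_ip, src_port, dst_ip, dst_port``.

    Args:
        line: The raw input line (a trailing line ending is tolerated).
        linenum: Line number of *line* in its source; currently unused.
        dictionary: Output dict; on success receives 'SourceIP', 'SourcePort',
            'DestinationIP' and 'DestinationPort'. Addresses are converted
            with common.IPtoInt, ports stay as strings.

    Returns:
        0 on success.
        1 when the line does not split into exactly seven fields.
        2 when the first field is not 'UDP' (every other protocol is ignored).
    """
    # Strip "\n" and "\r\n" alike so a CRLF file does not leave a stray "\r"
    # on the last field.
    line = line.rstrip("\r\n")
    fields = line.split(",")
    if len(fields) != 7:
        return 1
    fields = [field.strip(' ') for field in fields]
    # NOTE(review): the original comment spoke of ignoring non-TCP entries,
    # but the check keeps only UDP — confirm which protocol is intended.
    # Skipping is deliberately silent: a printout per skipped line is very
    # noisy and slow.
    if fields[0] != 'UDP':
        return 2
    # srcIP, srcPort, dstIP, dstPort
    dictionary['SourceIP'] = common.IPtoInt(*(fields[1].split(".")))
    dictionary['SourcePort'] = fields[2]
    dictionary['DestinationIP'] = common.IPtoInt(*(fields[3].split(".")))
    dictionary['DestinationPort'] = fields[4]
    return 0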
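def translate(self, line, line_num, dictionary):
    """
    Parse one AWS VPC flow-log record into *dictionary*.

    Fields are whitespace-separated; the positions read here are 3 (source
    address), 4 (destination address), 5 (source port) and 6 (destination
    port), which matches the default VPC flow-log field order — verify
    against the log format actually in use.

    Args:
        line: The raw flow-log line.
        line_num: Line number of *line* in its source, for error printouts.
        dictionary: Output dict; on success receives 'SourceIP', 'SourcePort',
            'DestinationIP' and 'DestinationPort'. Addresses are converted
            with common.IPtoInt, ports stay as strings.

    Returns:
        0 on success.
        2 when the record has too few fields or an address field is not a
        dotted quad (header rows, "-" placeholders, IPv6); the raw line is
        echoed to stdout in that case.
    """
    # split() rather than split(" "): collapses repeated whitespace and drops
    # the trailing newline, so field indices are not shifted by formatting.
    aws_log = line.split()
    # Fields 0..6 are needed; indexing a shorter record would raise IndexError
    # instead of reporting a parse error like the sibling parsers do.
    if len(aws_log) < 7:
        print("error parsing line {0}: {1}".format(line_num, line))
        return 2
    src_octets = aws_log[3].split(".")
    dst_octets = aws_log[4].split(".")
    # common.IPtoInt is called with one argument per octet, so anything other
    # than four dot-separated parts is rejected here rather than inside it.
    if len(src_octets) != 4 or len(dst_octets) != 4:
        print("error parsing line {0}: {1}".format(line_num, line))
        return 2
    dictionary['SourceIP'] = common.IPtoInt(*src_octets)
    dictionary['SourcePort'] = aws_log[5]
    dictionary['DestinationIP'] = common.IPtoInt(*dst_octets)
    dictionary['DestinationPort'] = aws_log[6]
    # TODO: dictionary['Timestamp'] is still unset; the record's start field
    # could presumably populate it — confirm the field position and format.
    return 0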
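def translate(self, line, line_num, dictionary):
    """
    Parse one JSON-wrapped firewall traffic-log line into *dictionary*.

    *line* is a JSON object whose 'message' value is a comma-separated
    firewall log record. The column positions read (1 = receive time,
    3 = type, 7/8 = source and destination address, 24/25 = source and
    destination port, 29 = protocol) appear to follow the PAN-OS traffic-log
    CSV layout; verify against the log version in use.

    Args:
        line: The raw JSON line.
        line_num: Line number of *line* in its source, for error printouts.
        dictionary: Output dict; on success receives 'SourceIP', 'SourcePort',
            'DestinationIP', 'DestinationPort' and 'Timestamp'
            ("%Y-%m-%d %H:%M:%S"). Nothing is written when a non-zero code is
            returned.

    Returns:
        0 on success.
        1 => the record type is not "TRAFFIC" and was ignored.
        2 => the line could not be parsed: invalid JSON, no usable 'message',
             too few columns, or an unparseable receive time.
        3 => the protocol is not 'tcp' and was ignored.
    """
    # TODO: this assumes the data will not have any commas embedded in strings
    try:
        data = json.loads(line)['message']
        split_data = data.split(',')
    except (ValueError, KeyError, TypeError, AttributeError):
        # Malformed JSON, a JSON value that is not an object, a missing
        # 'message', or a 'message' that is not a string.
        print("error parsing line {0}: {1}".format(line_num, line))
        return 2
    # The type column must exist before it can be inspected.
    if len(split_data) < 4:
        print("error parsing line {0}: {1}".format(line_num, line))
        return 2
    if split_data[3] != "TRAFFIC":
        print("Line {0}: Ignoring non-TRAFFIC entry (was {1})".format(
            line_num, split_data[3]))
        return 1
    # Column 29 (protocol) is the highest index read, so 30 columns are
    # required; the earlier "< 29" check let a 29-column record reach
    # split_data[29] and raise IndexError.
    if len(split_data) < 30:
        print("error parsing line {0}: {1}".format(line_num, line))
        return 2
    # TODO: don't ignore everything but TCP
    if split_data[29] != 'tcp':
        # printing this is very noisy and slow
        return 3
    # Parse the receive time before touching *dictionary* so a bad timestamp
    # reports a parse error instead of leaving a half-filled dict behind.
    try:
        timestamp = datetime.strptime(
            split_data[1], "%Y/%m/%d %H:%M:%S").strftime("%Y-%m-%d %H:%M:%S")
    except ValueError:
        print("error parsing line {0}: {1}".format(line_num, line))
        return 2
    # srcIP, srcPort, dstIP, dstPort
    dictionary['SourceIP'] = common.IPtoInt(*(split_data[7].split(".")))
    dictionary['SourcePort'] = split_data[24]
    dictionary['DestinationIP'] = common.IPtoInt(*(split_data[8].split(".")))
    dictionary['DestinationPort'] = split_data[25]
    dictionary['Timestamp'] = timestamp
    return 0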
def translate(self, line, line_num, dictionary):
    """
    Parse one ASA "Built inbound/outbound ... connection" syslog line into
    *dictionary*, orienting source and destination by connection direction.

    Args:
        line: The raw syslog line.
        line_num: Line number of *line* in its source, for the error printout.
        dictionary: Output dict; on success receives 'SourceIP', 'SourcePort',
            'DestinationIP', 'DestinationPort' and 'Timestamp'. Addresses are
            converted with common.IPtoInt, ports stay as matched strings, and
            'Timestamp' is the current local time formatted with
            self.mysql_time_format — not a time taken from the log line.

    Returns:
        0 on success, 2 when the line does not match the expected ASA format
        (the raw line is echoed to stdout in that case). No other code is
        produced by this implementation.
    """
    # Pattern for the ASA "Built <in|out>bound <proto> connection" message.
    # The several greedy ".*" groups make matching super-linear on long lines
    # that almost match; fine for syslog-sized input, but worth knowing.
    asa_built_re = (
        r"^.* Built (?P<asa_in_out>in|out)bound (?P<asa_protocol>.*) connection"
        r" (?P<asa_conn_id>\d+) for (?P<asa_src_zone>.*)"
        r":(?P<asa_src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?P<asa_src_port>\d+)"
        r" \(.*/\d+\) to (?P<asa_dst_zone>.*)"
        r":(?P<asa_dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?P<asa_dst_port>\d+) .*"
    )
    match = re.match(asa_built_re, line)
    if not match:
        # The echoed text comes straight from the log source.
        print("error parsing line {0}: {1}".format(line_num, line))
        return 2

    # The pattern names the endpoints as written in the message ("src" first,
    # "dst" second); which one is the flow's source depends on whether ASA
    # reported the connection as inbound or outbound.
    first_ip = common.IPtoInt(*(match.group('asa_src_ip').split(".")))
    first_port = match.group('asa_src_port')
    second_ip = common.IPtoInt(*(match.group('asa_dst_ip').split(".")))
    second_port = match.group('asa_dst_port')
    if match.group('asa_in_out') == 'in':
        keys = ('SourceIP', 'SourcePort', 'DestinationIP', 'DestinationPort')
    else:
        keys = ('DestinationIP', 'DestinationPort', 'SourceIP', 'SourcePort')
    # Key order is kept per direction so the dict's insertion order is the
    # same as before.
    for key, value in zip(keys, (first_ip, first_port, second_ip, second_port)):
        dictionary[key] = value
    # ASA logs don't always carry a timestamp, so the wall-clock time at parse
    # time is recorded instead; change this if your logs do include one.
    dictionary['Timestamp'] = time.strftime(self.mysql_time_format, time.localtime())
    return 0