From 157e50ccfcc87ad3939ad20af38c59d66874b8fc Mon Sep 17 00:00:00 2001 
From: Artem Rys <79191415+arys-splunk@users.noreply.github.com>
Date: Fri, 20 Aug 2021 15:51:37 +0200
Subject: [PATCH] chore: pre-commit (#1240)
---
 .github/CODEOWNERS | 1 +
 .pre-commit-config.yaml | 24 +++
 README.md | 5 +
 package/etc/conf.d/sc4slib/dest_hec/plugin.py | 10 +-
 .../sc4slib/lp_dest_alts_global/plugin.py | 2 -
 .../conf.d/sc4slib/source_syslog/plugin.py | 52 +++--
 poetry.lock | 145 +++++++++++++-
 pyproject.toml | 1 +
 tests/conftest.py | 18 +-
 tests/sendmessage.py | 5 +-
 tests/splunkutils.py | 12 +-
 tests/test_alcatel.py | 11 +-
 tests/test_alsid.py | 11 +-
 tests/test_aruba.py | 21 +-
 tests/test_avi_vantage.py | 17 +-
 tests/test_brocade.py | 15 +-
 tests/test_checkpoint.py | 13 +-
 tests/test_checkpoint_syslog_rfc5424.py | 41 ++--
 tests/test_cisco_ace.py | 1 -
 tests/test_cisco_esa.py | 109 ++++++-----
 tests/test_cisco_hyperflex.py | 50 +++--
 tests/test_cisco_ise.py | 109 +++++++----
 tests/test_cisco_meraki.py | 17 +-
 tests/test_cisco_ucs_manager.py | 11 +-
 tests/test_cisco_wsa.py | 4 +-
 tests/test_citrix_netscaler.py | 1 -
 tests/test_common.py | 9 +-
 tests/test_cyberark.py | 29 ++-
 tests/test_dell_emc_networking.py | 10 +-
 tests/test_dell_idrac.py | 25 ++-
 tests/test_dell_rsa_secureid.py | 43 +++--
 tests/test_f5_bigip.py | 34 ++--
 tests/test_fireye.py | 5 +-
 tests/test_forcepoint_web.py | 17 +-
 tests/test_fortinet_ngfw.py | 87 ++++++---
 tests/test_fortinet_web.py | 45 +++--
 tests/test_haproxy.py | 14 +-
 tests/test_imperva.py | 10 +-
 tests/test_imperva_waf.py | 41 ++--
 tests/test_isc.py | 15 +-
 tests/test_juniper_junos_rfc3164.py | 1 -
 tests/test_juniper_junos_rfc5424.py | 59 ++++--
 tests/test_juniper_legacy.py | 35 +++-
 tests/test_linux_syslog.py | 53 ++++--
 tests/test_loggen.py | 20 +-
 tests/test_mcafee_epo.py | 27 ++-
 tests/test_mcafee_nsp.py | 180 ++++++++++--------
 tests/test_mcafee_web_gateway.py | 10 +-
 tests/test_microfocus_arcsight.py | 1 -
 tests/test_ossec.py | 14 +-
 tests/test_palo_alto.py | 1 -
 tests/test_pfsense.py | 30 +--
 tests/test_plugin_example.py | 9 +-
 tests/test_polycom.py | 11 +-
 tests/test_proofpoint.py | 24 ++-
 tests/test_pulsesecure.py | 6 +-
 tests/test_radware.py | 6 +-
 tests/test_ricoh.py | 6 +-
 tests/test_schneider_electric_apc.py | 13 +-
 tests/test_spectracom_ntp.py | 30 ++-
 tests/test_splunk.py | 20 +-
 tests/test_symantec_brightmail.py | 23 ++-
 tests/test_symantec_ep.py | 74 +++++--
 tests/test_symantec_proxy.py | 22 ++-
 tests/test_tanium.py | 2 -
 tests/test_tenable.py | 17 +-
 tests/test_tintri.py | 13 +-
 tests/test_ubiquiti_unifi.py | 52 +++--
 tests/test_varonis.py | 1 -
 tests/test_vmware.py | 110 ++++++++--
 tests/test_zscaler_proxy.py | 105 +++++++--
 tests/timeutils.py | 6 +-
 72 files changed, 1412 insertions(+), 659 deletions(-)
 create mode 100644 .pre-commit-config.yaml
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 02a8cd1724..995c04acff 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,2 +1,3 @@
 * @rfaircloth-splunk
 package/etc/ @rfaircloth @nandinivij
+.pre-commit-config.yaml @arys-splunk
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000000..d4eb15f6fd
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,24 @@
+#
+# Copyright 2021 Splunk Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.0.1
+ hooks:
+ - id: check-merge-conflict
+- repo: https://github.com/psf/black
+ rev: 21.7b0
+ hooks:
+ - id: black
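Review bot: Both hook repositories in the new `.pre-commit-config.yaml` are pinned by tag (`rev: v4.0.1` and `rev: 21.7b0`), and a tag is a mutable reference, so a moved or force-pushed tag upstream would change the code every contributor executes on commit without any change in this repository. Pin `rev:` to the full commit SHA that each tag currently resolves to and keep the version as a trailing comment, e.g. `rev: <commit-sha>  # v4.0.1`, which pre-commit accepts in place of the tag. `21.7b0` is also a beta release of black; a comment noting why a pre-release was chosen, or a move to a stable tag when one fits the project, would help the next person running `pre-commit autoupdate`.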
diff --git a/README.md b/README.md index 89aee662c5..06046b23d1 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,11 @@ Get involved, try it out, ask questions, contribute filters, and make new friend We welcome feedback and contributions from the community! Please see our [contribution guidelines](/docs/CONTRIBUTING.md) for more information on how to get involved. PR contributions require acceptance of both the code of conduct and the contributor license agreement. +This repository uses `pre-commit`. After installing dependencies, please do +```bash +pre-commit install +``` + ## License * Configuration and documentation licensed subject to [CC0](LICENSE-CC0) diff --git a/package/etc/conf.d/sc4slib/dest_hec/plugin.py b/package/etc/conf.d/sc4slib/dest_hec/plugin.py index 7531e291bb..ab69a91084 100755 --- a/package/etc/conf.d/sc4slib/dest_hec/plugin.py +++ b/package/etc/conf.d/sc4slib/dest_hec/plugin.py @@ -55,13 +55,11 @@ workers = os.getenv(f"SC4S_DEST_SPLUNK_HEC_{ group }_WORKERS", 10) headers = [] - user_headers = os.getenv( - f"SC4S_DEST_SPLUNK_HEC_{ group }_HEADERS", "" - ) - if user_headers!="": + user_headers = os.getenv(f"SC4S_DEST_SPLUNK_HEC_{ group }_HEADERS", "") + if user_headers != "": headers += user_headers.split(",") - token=os.getenv(f"SC4S_DEST_SPLUNK_HEC_{ group }_TOKEN") + token = os.getenv(f"SC4S_DEST_SPLUNK_HEC_{ group }_TOKEN") headers.append(f"Authorization: Splunk {token}") if os.getenv(f"SC4S_DEST_SPLUNK_HEC_{ group }_CONNECTION_CLOSE", "yes").lower() in [ @@ -75,7 +73,6 @@ else: headers.append(f"Connection: keep-alive") - msg = tm.render( group=group, altname=altname, @@ -108,7 +105,6 @@ peer_verify=os.getenv(f"SC4S_DEST_SPLUNK_HEC_{ group }_TLS_VERIFY", "yes"), cipher_suite=os.getenv(f"SC4S_DEST_SPLUNK_HEC_{ group }_CIPHER_SUITE"), ssl_version=os.getenv(f"SC4S_DEST_SPLUNK_HEC_{ group }_SSL_VERSION"), - ) print(msg) 
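Review bot: The reformatted `token = os.getenv(f"SC4S_DEST_SPLUNK_HEC_{ group }_TOKEN")` in the first dest_hec hunk has neither a default nor a presence check, so an unset variable renders the literal header `Authorization: Splunk None` into the generated destination and the misconfiguration only surfaces later as HEC rejections. The same block already guards `user_headers` with `if user_headers != "":`, so a parallel fail-fast guard fits here, e.g. `if not token: raise SystemExit(f"SC4S_DEST_SPLUNK_HEC_{ group }_TOKEN is not set")` (or whatever error path the plugin uses for config errors elsewhere). Since the rendered text containing the token is emitted with `print(msg)` in the third hunk, it is also worth confirming that stdout of this generator is not captured into logs. The code that defines `group` and `tm` begins before the hunk.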
diff --git a/package/etc/conf.d/sc4slib/lp_dest_alts_global/plugin.py b/package/etc/conf.d/sc4slib/lp_dest_alts_global/plugin.py index ba9ce7bb7f..157be46fba 100755 --- a/package/etc/conf.d/sc4slib/lp_dest_alts_global/plugin.py +++ b/package/etc/conf.d/sc4slib/lp_dest_alts_global/plugin.py @@ -12,5 +12,3 @@ for d in os.getenv("SC4S_DEST_GLOBAL_ALTERNATES").split(","): msg = tm.render(destination=d) print(msg) - - diff --git a/package/etc/conf.d/sc4slib/source_syslog/plugin.py b/package/etc/conf.d/sc4slib/source_syslog/plugin.py index a9f9be549e..c259871842 100755 --- a/package/etc/conf.d/sc4slib/source_syslog/plugin.py +++ b/package/etc/conf.d/sc4slib/source_syslog/plugin.py @@ -55,11 +55,11 @@ use_tls = False if os.getenv(f"SC4S_RUNTIME_ENV", "unknown").lower() == "k8s": - cert_file="tls.crt" - key_file="tls.key" + cert_file = "tls.crt" + key_file = "tls.key" else: - cert_file="server.pem" - key_file="server.key" + cert_file = "server.pem" + key_file = "server.key" for port_id in ports.split(","): 
@@ -76,42 +76,56 @@ port_udp=os.getenv(f"SC4S_LISTEN_{ port_id }_UDP_PORT", "disabled").split(","), port_udp_sockets=int(os.getenv(f"SC4S_SOURCE_LISTEN_UDP_SOCKETS", 4)), port_udp_sorecvbuff=os.getenv(f"SC4S_SOURCE_UDP_SO_RCVBUFF", 17039360), - port_tcp=os.getenv(f"SC4S_LISTEN_{ port_id }_TCP_PORT", "disabled").split(","), port_tcp_sockets=int(os.getenv(f"SC4S_SOURCE_LISTEN_TCP_SOCKETS", 1)), port_tcp_max_connections=os.getenv(f"SC4S_SOURCE_TCP_MAX_CONNECTIONS", "2000"), port_tcp_log_iw_size=os.getenv(f"SC4S_SOURCE_TCP_IW_SIZE", "20000000"), port_tcp_log_fetch_limit=os.getenv(f"SC4S_SOURCE_TCP_FETCH_LIMIT", "2000"), port_tcp_so_recvbuff=os.getenv(f"SC4S_SOURCE_TCP_SO_RCVBUFF", "17039360"), - port_tls=os.getenv(f"SC4S_LISTEN_{ port_id }_TLS_PORT", "disabled").split(","), port_tls_sockets=int(os.getenv(f"SC4S_SOURCE_LISTEN_TLS_SOCKETS", 1)), port_tls_max_connections=os.getenv(f"SC4S_SOURCE_TLS_MAX_CONNECTIONS", "2000"), port_tls_log_iw_size=os.getenv(f"SC4S_SOURCE_TCP_IW_SIZE", "20000000"), port_tls_log_fetch_limit=os.getenv(f"SC4S_SOURCE_TCP_FETCH_LIMIT", "2000"), port_tls_so_recvbuff=os.getenv(f"SC4S_SOURCE_TLS_SO_RCVBUFF", "17039360"), - port_tls_tls_options=os.getenv(f"SC4S_SOURCE_TLS_OPTIONS", "no-sslv2, no-sslv3, no-tlsv1"), - port_tls_cipher_suit=os.getenv(f"SC4S_SOURCE_TLS_CIPHER_SUITE", "HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH"), - - port_5426=os.getenv(f"SC4S_LISTEN_{ port_id }_RFC5426_PORT", "disabled").split(","), + port_tls_tls_options=os.getenv( + f"SC4S_SOURCE_TLS_OPTIONS", "no-sslv2, no-sslv3, no-tlsv1" + ), + port_tls_cipher_suit=os.getenv( + f"SC4S_SOURCE_TLS_CIPHER_SUITE", + "HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH", + ), + port_5426=os.getenv(f"SC4S_LISTEN_{ port_id }_RFC5426_PORT", "disabled").split( + "," + ), port_5426_sockets=int(os.getenv(f"SC4S_SOURCE_LISTEN_RFC5426_SOCKETS", 1)), port_5426_sorecvbuff=os.getenv(f"SC4S_SOURCE_RFC5426_SO_RCVBUFF", 17039360), 
- - port_6587=os.getenv(f"SC4S_LISTEN_{ port_id }_RFC6587_PORT", "disabled").split(","), + port_6587=os.getenv(f"SC4S_LISTEN_{ port_id }_RFC6587_PORT", "disabled").split( + "," + ), port_6587_sockets=os.getenv(f"SC4S_SOURCE_LISTEN_RFC6587_SOCKETS", 1), - port_6587_max_connections=os.getenv(f"SC4S_SOURCE_RFC6587_MAX_CONNECTIONS", "2000"), + port_6587_max_connections=os.getenv( + f"SC4S_SOURCE_RFC6587_MAX_CONNECTIONS", "2000" + ), port_6587_log_iw_size=os.getenv(f"SC4S_SOURCE_RFC6587_IW_SIZE", "20000000"), port_6587_log_fetch_limit=os.getenv(f"SC4S_SOURCE_RFC6587_FETCH_LIMIT", "2000"), port_6587_so_recvbuff=os.getenv(f"SC4S_SOURCE_RFC6587_SO_RCVBUFF", "17039360"), - - port_5425=os.getenv(f"SC4S_LISTEN_{ port_id }_RFC5425_PORT", "disabled").split(","), + port_5425=os.getenv(f"SC4S_LISTEN_{ port_id }_RFC5425_PORT", "disabled").split( + "," + ), port_5425_sockets=int(os.getenv(f"SC4S_SOURCE_LISTEN_RFC5425_SOCKETS", 1)), - port_5425_max_connections=os.getenv(f"SC4S_SOURCE_RFC5425_MAX_CONNECTIONS", "2000"), + port_5425_max_connections=os.getenv( + f"SC4S_SOURCE_RFC5425_MAX_CONNECTIONS", "2000" + ), port_5425_log_iw_size=os.getenv(f"SC4S_SOURCE_RFC5425_IW_SIZE", "20000000"), port_5425_log_fetch_limit=os.getenv(f"SC4S_SOURCE_RFC5425_FETCH_LIMIT", "2000"), port_5425_so_recvbuff=os.getenv(f"SC4S_SOURCE_RFC5425_SO_RCVBUFF", "17039360"), - port_5425_tls_options=os.getenv(f"SC4S_SOURCE_RFC5425_OPTIONS", "no-sslv2, no-sslv3, no-tlsv1"), - port_5425_cipher_suit=os.getenv(f"SC4S_SOURCE_RFC5425_CIPHER_SUITE", "HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH"), - + port_5425_tls_options=os.getenv( + f"SC4S_SOURCE_RFC5425_OPTIONS", "no-sslv2, no-sslv3, no-tlsv1" + ), + port_5425_cipher_suit=os.getenv( + f"SC4S_SOURCE_RFC5425_CIPHER_SUITE", + "HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!PSK:!SRP:!KRB5:@STRENGTH", + ), ) print(outputText) diff --git a/poetry.lock b/poetry.lock index b8d9765860..d4bd1b190f 100644 --- a/poetry.lock 
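Review bot: The TLS defaults carried onto the new side, `"no-sslv2, no-sslv3, no-tlsv1"` for both `SC4S_SOURCE_TLS_OPTIONS` and `SC4S_SOURCE_RFC5425_OPTIONS`, still permit TLS 1.1, which RFC 8996 deprecates; if the bundled syslog-ng accepts it, extend both defaults to `"no-sslv2, no-sslv3, no-tlsv1, no-tlsv11"` and note the minimum version in a comment so the two listeners stay in step. Visible in the context lines but untouched by the reformat: `port_6587_sockets=os.getenv(f"SC4S_SOURCE_LISTEN_RFC6587_SOCKETS", 1)` is the only socket count not wrapped in `int()`, and the `port_tls_log_iw_size`/`port_tls_log_fetch_limit` arguments read the `SC4S_SOURCE_TCP_*` variables rather than TLS-specific ones, which looks unintentional but is pre-existing. The render call whose keyword arguments this hunk lists opens before the hunk.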
+++ b/poetry.lock @@ -32,6 +32,21 @@ docs = ["furo", "sphinx", "zope.interface", "sphinx-notfound-page"] tests = ["coverage[toml] (>=5.0.2)", "hypothesis", "pympler", "pytest (>=4.3.0)", "six", "mypy", "pytest-mypy-plugins", "zope.interface"] tests_no_zope = ["coverage[toml] (>=5.0.2)", "hypothesis", "pympler", "pytest (>=4.3.0)", "six", "mypy", "pytest-mypy-plugins"] +[[package]] +name = "backports.entry-points-selectable" +version = "1.1.0" +description = "Compatibility shim providing selectable entry points for older implementations" +category = "dev" +optional = false +python-versions = ">=2.7" + +[package.dependencies] +importlib-metadata = {version = "*", markers = "python_version < \"3.8\""} + +[package.extras] +docs = ["sphinx", "jaraco.packaging (>=8.2)", "rst.linker (>=1.9)"] +testing = ["pytest (>=4.6)", "pytest-flake8", "pytest-cov", "pytest-black (>=0.3.7)", "pytest-mypy", "pytest-checkdocs (>=2.4)", "pytest-enabler (>=1.0.1)"] + [[package]] name = "certifi" version = "2021.5.30" @@ -40,6 +55,14 @@ category = "dev" optional = false python-versions = "*" +[[package]] +name = "cfgv" +version = "3.3.0" +description = "Validate configuration and produce human readable error messages." +category = "dev" +optional = false +python-versions = ">=3.6.1" + [[package]] name = "charset-normalizer" version = "2.0.4" @@ -71,6 +94,14 @@ category = "dev" optional = false python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" +[[package]] +name = "distlib" +version = "0.3.2" +description = "Distribution utilities" +category = "dev" +optional = false +python-versions = "*" + [[package]] name = "execnet" version = "1.9.0" 
@@ -82,6 +113,14 @@ python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" [package.extras] testing = ["pre-commit"] +[[package]] +name = "filelock" +version = "3.0.12" +description = "A platform independent file lock." +category = "dev" +optional = false +python-versions = "*" + [[package]] name = "flake8" version = "3.9.2" @@ -118,6 +157,17 @@ python-dateutil = ">=2.8.1" [package.extras] dev = ["twine", "markdown", "flake8"] +[[package]] +name = "identify" +version = "2.2.13" +description = "File identification library for Python" +category = "dev" +optional = false +python-versions = ">=3.6.1" + +[package.extras] +license = ["editdistance-s"] + [[package]] name = "idna" version = "3.2" @@ -304,6 +354,14 @@ python-versions = ">=3.5" [package.dependencies] mkdocs-material = ">=5.0.0" +[[package]] +name = "nodeenv" +version = "1.6.0" +description = "Node.js virtual environment builder" +category = "dev" +optional = false +python-versions = "*" + [[package]] name = "packaging" version = "21.0" @@ -326,6 +384,18 @@ python-versions = "*" [package.dependencies] six = "*" +[[package]] +name = "platformdirs" +version = "2.2.0" +description = "A small Python module for determining appropriate platform-specific dirs, e.g. a \"user data dir\"." +category = "dev" +optional = false +python-versions = ">=3.6" + +[package.extras] +docs = ["Sphinx (>=4)", "furo (>=2021.7.5b38)", "proselint (>=0.10.2)", "sphinx-autodoc-typehints (>=1.12)"] +test = ["appdirs (==1.4.4)", "pytest (>=6)", "pytest-cov (>=2.7)", "pytest-mock (>=3.6)"] + [[package]] name = "pluggy" version = "0.13.1" 
@@ -340,6 +410,23 @@ importlib-metadata = {version = ">=0.12", markers = "python_version < \"3.8\""} [package.extras] dev = ["pre-commit", "tox"] +[[package]] +name = "pre-commit" +version = "2.14.0" +description = "A framework for managing and maintaining multi-language pre-commit hooks." +category = "dev" +optional = false +python-versions = ">=3.6.1" + +[package.dependencies] +cfgv = ">=2.0.0" +identify = ">=1.0.0" +importlib-metadata = {version = "*", markers = "python_version < \"3.8\""} +nodeenv = ">=0.11.1" +pyyaml = ">=5.1" +toml = "*" +virtualenv = ">=20.0.8" + [[package]] name = "py" version = "1.10.0" @@ -554,6 +641,26 @@ python-versions = "*" [package.extras] test = ["coverage", "flake8 (>=3.7)", "mypy", "pretend", "pytest"] +[[package]] +name = "virtualenv" +version = "20.7.2" +description = "Virtual Python Environment builder" +category = "dev" +optional = false +python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,>=2.7" + +[package.dependencies] +"backports.entry-points-selectable" = ">=1.0.4" +distlib = ">=0.3.1,<1" +filelock = ">=3.0.0,<4" +importlib-metadata = {version = ">=0.12", markers = "python_version < \"3.8\""} +platformdirs = ">=2,<3" +six = ">=1.9.0,<2" + +[package.extras] +docs = ["proselint (>=0.10.2)", "sphinx (>=3)", "sphinx-argparse (>=0.2.5)", "sphinx-rtd-theme (>=0.4.3)", "towncrier (>=19.9.0rc1)"] +testing = ["coverage (>=4)", "coverage-enable-subprocess (>=1)", "flaky (>=3)", "pytest (>=4)", "pytest-env (>=0.6.2)", "pytest-freezegun (>=0.4.1)", "pytest-mock (>=2)", "pytest-randomly (>=1)", "pytest-timeout (>=1)", "packaging (>=20.0)"] + [[package]] name = "watchdog" version = "2.1.3" 
@@ -580,7 +687,7 @@ testing = ["pytest (>=4.6)", "pytest-checkdocs (>=2.4)", "pytest-flake8", "pytes [metadata] lock-version = "1.1" python-versions = "^3.7" -content-hash = "9c1276286bf39b8bdab275a15845eba115e050c04d613a3499a9ee2f1f4252c0" +content-hash = "55dd92cb7188cfa1d360c2b3712cbc1fa5358a0fed0456484b742f5c1973c1d5" [metadata.files] arrow = [ @@ -595,10 +702,18 @@ attrs = [ {file = "attrs-21.2.0-py2.py3-none-any.whl", hash = "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1"}, {file = "attrs-21.2.0.tar.gz", hash = "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"}, ] +"backports.entry-points-selectable" = [ + {file = "backports.entry_points_selectable-1.1.0-py2.py3-none-any.whl", hash = "sha256:a6d9a871cde5e15b4c4a53e3d43ba890cc6861ec1332c9c2428c92f977192acc"}, + {file = "backports.entry_points_selectable-1.1.0.tar.gz", hash = "sha256:988468260ec1c196dab6ae1149260e2f5472c9110334e5d51adcb77867361f6a"}, +] certifi = [ {file = "certifi-2021.5.30-py2.py3-none-any.whl", hash = "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"}, {file = "certifi-2021.5.30.tar.gz", hash = "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee"}, ] +cfgv = [ + {file = "cfgv-3.3.0-py2.py3-none-any.whl", hash = "sha256:b449c9c6118fe8cca7fa5e00b9ec60ba08145d281d52164230a69211c5d597a1"}, + {file = "cfgv-3.3.0.tar.gz", hash = "sha256:9e600479b3b99e8af981ecdfc80a0296104ee610cab48a5ae4ffd0b668650eb1"}, +] charset-normalizer = [ {file = "charset-normalizer-2.0.4.tar.gz", hash = "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"}, {file = "charset_normalizer-2.0.4-py3-none-any.whl", hash = "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b"}, 
@@ -611,10 +726,18 @@ colorama = [ {file = "colorama-0.4.4-py2.py3-none-any.whl", hash = "sha256:9f47eda37229f68eee03b24b9748937c7dc3868f906e8ba69fbcbdd3bc5dc3e2"}, {file = "colorama-0.4.4.tar.gz", hash = "sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b"}, ] +distlib = [ + {file = "distlib-0.3.2-py2.py3-none-any.whl", hash = "sha256:23e223426b28491b1ced97dc3bbe183027419dfc7982b4fa2f05d5f3ff10711c"}, + {file = "distlib-0.3.2.zip", hash = "sha256:106fef6dc37dd8c0e2c0a60d3fca3e77460a48907f335fa28420463a6f799736"}, +] execnet = [ {file = "execnet-1.9.0-py2.py3-none-any.whl", hash = "sha256:a295f7cc774947aac58dde7fdc85f4aa00c42adf5d8f5468fc630c1acf30a142"}, {file = "execnet-1.9.0.tar.gz", hash = "sha256:8f694f3ba9cc92cab508b152dcfe322153975c29bda272e2fd7f3f00f36e47c5"}, ] +filelock = [ + {file = "filelock-3.0.12-py3-none-any.whl", hash = "sha256:929b7d63ec5b7d6b71b0fa5ac14e030b3f70b75747cef1b10da9b879fef15836"}, + {file = "filelock-3.0.12.tar.gz", hash = "sha256:18d82244ee114f543149c66a6e0c14e9c4f8a1044b5cdaadd0f82159d6a6ff59"}, +] flake8 = [ {file = "flake8-3.9.2-py2.py3-none-any.whl", hash = "sha256:bf8fd333346d844f616e8d47905ef3a3384edae6b4e9beb0c5101e25e3110907"}, {file = "flake8-3.9.2.tar.gz", hash = "sha256:07528381786f2a6237b061f6e96610a4167b226cb926e2aa2b6b1d78057c576b"}, @@ -626,6 +749,10 @@ flaky = [ ghp-import = [ {file = "ghp-import-2.0.1.tar.gz", hash = "sha256:753de2eace6e0f7d4edfb3cce5e3c3b98cd52aadb80163303d1d036bda7b4483"}, ] +identify = [ + {file = "identify-2.2.13-py2.py3-none-any.whl", hash = "sha256:7199679b5be13a6b40e6e19ea473e789b11b4e3b60986499b1f589ffb03c217c"}, + {file = "identify-2.2.13.tar.gz", hash = "sha256:7bc6e829392bd017236531963d2d937d66fc27cadc643ac0aba2ce9f26157c79"}, +] idna = [ {file = "idna-3.2-py3-none-any.whl", hash = "sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a"}, {file = "idna-3.2.tar.gz", hash = "sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3"}, 
@@ -716,6 +843,10 @@ mkdocs-material-extensions = [ {file = "mkdocs-material-extensions-1.0.1.tar.gz", hash = "sha256:6947fb7f5e4291e3c61405bad3539d81e0b3cd62ae0d66ced018128af509c68f"}, {file = "mkdocs_material_extensions-1.0.1-py3-none-any.whl", hash = "sha256:d90c807a88348aa6d1805657ec5c0b2d8d609c110e62b9dce4daf7fa981fa338"}, ] +nodeenv = [ + {file = "nodeenv-1.6.0-py2.py3-none-any.whl", hash = "sha256:621e6b7076565ddcacd2db0294c0381e01fd28945ab36bcf00f41c5daf63bef7"}, + {file = "nodeenv-1.6.0.tar.gz", hash = "sha256:3ef13ff90291ba2a4a7a4ff9a979b63ffdd00a464dbe04acf0ea6471517a4c2b"}, +] packaging = [ {file = "packaging-21.0-py3-none-any.whl", hash = "sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14"}, {file = "packaging-21.0.tar.gz", hash = "sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7"}, 
@@ -724,10 +855,18 @@ pathlib2 = [ {file = "pathlib2-2.3.6-py2.py3-none-any.whl", hash = "sha256:3a130b266b3a36134dcc79c17b3c7ac9634f083825ca6ea9d8f557ee6195c9c8"}, {file = "pathlib2-2.3.6.tar.gz", hash = "sha256:7d8bcb5555003cdf4a8d2872c538faa3a0f5d20630cb360e518ca3b981795e5f"}, ] +platformdirs = [ + {file = "platformdirs-2.2.0-py3-none-any.whl", hash = "sha256:4666d822218db6a262bdfdc9c39d21f23b4cfdb08af331a81e92751daf6c866c"}, + {file = "platformdirs-2.2.0.tar.gz", hash = "sha256:632daad3ab546bd8e6af0537d09805cec458dce201bccfe23012df73332e181e"}, +] pluggy = [ {file = "pluggy-0.13.1-py2.py3-none-any.whl", hash = "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d"}, {file = "pluggy-0.13.1.tar.gz", hash = "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0"}, ] +pre-commit = [ + {file = "pre_commit-2.14.0-py2.py3-none-any.whl", hash = "sha256:ec3045ae62e1aa2eecfb8e86fa3025c2e3698f77394ef8d2011ce0aedd85b2d4"}, + {file = "pre_commit-2.14.0.tar.gz", hash = "sha256:2386eeb4cf6633712c7cc9ede83684d53c8cafca6b59f79c738098b51c6d206c"}, +] py = [ {file = "py-1.10.0-py2.py3-none-any.whl", hash = "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a"}, {file = "py-1.10.0.tar.gz", hash = "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3"}, 
@@ -835,6 +974,10 @@ verspec = [ {file = "verspec-0.1.0-py3-none-any.whl", hash = "sha256:741877d5633cc9464c45a469ae2a31e801e6dbbaa85b9675d481cda100f11c31"}, {file = "verspec-0.1.0.tar.gz", hash = "sha256:c4504ca697b2056cdb4bfa7121461f5a0e81809255b41c03dda4ba823637c01e"}, ] +virtualenv = [ + {file = "virtualenv-20.7.2-py2.py3-none-any.whl", hash = "sha256:e4670891b3a03eb071748c569a87cceaefbf643c5bac46d996c5a45c34aa0f06"}, + {file = "virtualenv-20.7.2.tar.gz", hash = "sha256:9ef4e8ee4710826e98ff3075c9a4739e2cb1040de6a2a8d35db0055840dc96a0"}, +] watchdog = [ {file = "watchdog-2.1.3-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:9628f3f85375a17614a2ab5eac7665f7f7be8b6b0a2a228e6f6a2e91dd4bfe26"}, {file = "watchdog-2.1.3-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:acc4e2d5be6f140f02ee8590e51c002829e2c33ee199036fcd61311d558d89f4"}, diff --git a/pyproject.toml b/pyproject.toml index 6740a8aeb3..f222d44eb1 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -24,6 +24,7 @@ junit-xml = "^1.9" mkdocs = "^1.2.2" mkdocs-material = "^7.2.4" mike = "^1.0.1" +pre-commit = "^2.14.0" [build-system] requires = ["poetry-core>=1.0.0"] diff --git a/tests/conftest.py b/tests/conftest.py index 49698fe84c..1b6e85709f 100644 --- a/tests/conftest.py +++ b/tests/conftest.py 
@@ -196,12 +196,15 @@ def splunk_external(request): def sc4s_docker(docker_services): docker_services.start("sc4s") - ports = {514: docker_services.port_for("sc4s", 514),601: docker_services.port_for("sc4s", 601)} + ports = { + 514: docker_services.port_for("sc4s", 514), + 601: docker_services.port_for("sc4s", 601), + } ports.update({5514: docker_services.port_for("sc4s", 5514)}) ports.update({5601: docker_services.port_for("sc4s", 5601)}) ports.update({6000: docker_services.port_for("sc4s", 6000)}) - #ports.update({6001: docker_services.port_for("sc4s", 6001)}) + # ports.update({6001: docker_services.port_for("sc4s", 6001)}) ports.update({6002: docker_services.port_for("sc4s", 6002)}) return docker_services.docker_ip, ports @@ -209,8 +212,15 @@ def sc4s_docker(docker_services): @pytest.fixture(scope="session") def sc4s_external(request): - ports = {514: 514, 601: 601, 5514: 5514, 5601:5601, 6000: 6000 , 6001: 6001, 6002: 6002} - + ports = { + 514: 514, + 601: 601, + 5514: 5514, + 5601: 5601, + 6000: 6000, + 6001: 6001, + 6002: 6002, + } return request.config.getoption("sc4s_host"), ports diff --git a/tests/sendmessage.py b/tests/sendmessage.py index 7618b97b1f..20f5a69256 100644 --- a/tests/sendmessage.py +++ b/tests/sendmessage.py @@ -8,9 +8,8 @@ from time import sleep import os -def sendsingle(message, - host, - port): + +def sendsingle(message, host, port): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_address = (host, port) diff --git a/tests/splunkutils.py b/tests/splunkutils.py index 205fcfa338..574c0bcad8 100644 --- a/tests/splunkutils.py +++ b/tests/splunkutils.py 
@@ -16,11 +16,13 @@ def splunk_single(service, search): while True: while not job.is_ready(): pass - stats = {"isDone": job["isDone"], - "doneProgress": float(job["doneProgress"]) * 100, - "scanCount": int(job["scanCount"]), - "eventCount": int(job["eventCount"]), - "resultCount": int(job["resultCount"])} + stats = { + "isDone": job["isDone"], + "doneProgress": float(job["doneProgress"]) * 100, + "scanCount": int(job["scanCount"]), + "eventCount": int(job["eventCount"]), + "resultCount": int(job["resultCount"]), + } if stats["isDone"] == "1": break diff --git a/tests/test_alcatel.py b/tests/test_alcatel.py index 70bdb8ffd2..e3e16bb67b 100644 --- a/tests/test_alcatel.py +++ b/tests/test_alcatel.py @@ -11,16 +11,20 @@ from .timeutils import * import pytest + env = Environment() -#<134>Feb 18 09:37:41 xxxxxx swlogd: bcmd esm info(5) phy_nlp_enable_set: u=0 p=1 enable:1 phyPresent:YES +# <134>Feb 18 09:37:41 xxxxxx swlogd: bcmd esm info(5) phy_nlp_enable_set: u=0 p=1 enable:1 phyPresent:YES testdata = [ "{{ mark }}{{ bsd }} {{ host }} swlogd: bcmd esm info(5) phy_nlp_enable_set: u=0 p=1 enable:1 phyPresent:YES", ] + @pytest.mark.parametrize("event", testdata) -def test_alcatel(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event): +def test_alcatel( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event +): host = get_host_key dt = datetime.datetime.now() @@ -35,7 +39,8 @@ def test_alcatel(record_property, setup_wordlist, get_host_key, setup_splunk, se sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=netops _time={{ epoch }} sourcetype=\"alcatel:switch\" (host=\"{{ host }}\" OR \"{{ host }}\")") + 'search index=netops _time={{ epoch }} sourcetype="alcatel:switch" (host="{{ host }}" OR "{{ host }}")' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
diff --git a/tests/test_alsid.py b/tests/test_alsid.py index 0fec3208f1..183b9af0aa 100644 --- a/tests/test_alsid.py +++ b/tests/test_alsid.py @@ -11,16 +11,20 @@ from .timeutils import * import pytest + env = Environment() -#<134>Feb 18 09:37:41 xxxxxx swlogd: bcmd esm info(5) phy_nlp_enable_set: u=0 p=1 enable:1 phyPresent:YES +# <134>Feb 18 09:37:41 xxxxxx swlogd: bcmd esm info(5) phy_nlp_enable_set: u=0 p=1 enable:1 phyPresent:YES testdata = [ '{{ mark }}{{ bsd }} {{ host }} AlsidForAD[4]: "0" "1" "EXAMPLE_AD_FOREST" "EXAMPLE_AD_DOMAIN" "C-DANG-PRIMGROUPID" "critical" "CN=CN=EXAMPLE_AD_ACCOUNT,OU=EXAMPLE_OU,OU=EXAMPLE_OU,DC=EXAMPLE_AD_FOREST,DC=EXAMPLE_AD_DOMAIN,DC=EXAMPLE_AD_FOREST_FQDN,DC=com,DC=au" "427573" "2" "R-DANG-PRIMGROUPID" "1727453" "AccountCn"="EXAMPLE_AD_ACCOUNT" "PrimaryGroupId"="16611" "GroupCn"="EXAMPLE_AD_GROUP_NAME" "DomainName"="EXAMPLE_AD_DOMAIN" "ObjectType"="User" "ObjectTypePrimaryGroupId"="513"', ] + @pytest.mark.parametrize("event", testdata) -def test_alsid(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event): +def test_alsid( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event +): host = get_host_key dt = datetime.datetime.now() @@ -35,7 +39,8 @@ def test_alsid(record_property, setup_wordlist, get_host_key, setup_splunk, setu sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=oswinsec _time={{ epoch }} sourcetype=\"alsid:syslog\" (host=\"{{ host }}\" OR \"{{ host }}\")") + 'search index=oswinsec _time={{ epoch }} sourcetype="alsid:syslog" (host="{{ host }}" OR "{{ host }}")' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_aruba.py b/tests/test_aruba.py index 797890ea14..79186b52c3 100644 --- a/tests/test_aruba.py +++ b/tests/test_aruba.py 
@@ -11,13 +11,14 @@ from .timeutils import * import pytest + env = Environment() -#time format for Apr 5 22:51:54 2021 -#<187>{{ arubadate }} {{ host }} authmgr[4130]: <124198> <4130> <{{ host }} 10.10.10.10> {00:00:00:00:00:00-??} Missing server in attribute list, auth=VPN, utype=L3. -#<187>{{ arubadate }} {{ host }} stm[4133]: <399803> <4133> <{{ host }} 10.10.10.10> An internal system error has occurred at file sapm_ap_mgmt.c function sapm_get_img_build_version_str line 11853 error stat /mswitch/sap/mips64.ari failed: No such file or directory. -#<188>{{ arubadate }} {{ host }} wms[4096]: <126005> <4096> <{{ host }} 10.10.10.10> |ids| Interfering AP: The system classified an access point (BSSID 00:0e:8e:96:f4:32 and SSID on CHANNEL 36) as interfering. Additional Info: Detector-AP-Name:00:0b:86:9e:6b:5f; Detector-AP-MAC:24:de:c6:70:2c:90; Detector-AP-Radio:1. -#<191>{{ arubadate }} 10.10.10.10 dnsmasq: reading /etc/resolv.conf +# time format for Apr 5 22:51:54 2021 +# <187>{{ arubadate }} {{ host }} authmgr[4130]: <124198> <4130> <{{ host }} 10.10.10.10> {00:00:00:00:00:00-??} Missing server in attribute list, auth=VPN, utype=L3. +# <187>{{ arubadate }} {{ host }} stm[4133]: <399803> <4133> <{{ host }} 10.10.10.10> An internal system error has occurred at file sapm_ap_mgmt.c function sapm_get_img_build_version_str line 11853 error stat /mswitch/sap/mips64.ari failed: No such file or directory. +# <188>{{ arubadate }} {{ host }} wms[4096]: <126005> <4096> <{{ host }} 10.10.10.10> |ids| Interfering AP: The system classified an access point (BSSID 00:0e:8e:96:f4:32 and SSID on CHANNEL 36) as interfering. Additional Info: Detector-AP-Name:00:0b:86:9e:6b:5f; Detector-AP-MAC:24:de:c6:70:2c:90; Detector-AP-Radio:1. +# <191>{{ arubadate }} 10.10.10.10 dnsmasq: reading /etc/resolv.conf testdata = [ "<187>{{ arubadate }} {{ host }} authmgr[4130]: <124198> <4130> <{{ host }} 10.10.10.10> {00:00:00:00:00:00-??} Missing server in attribute list, auth=VPN, utype=L3.", 
@@ -26,8 +27,11 @@ "<188>{{ arubadate }} {{ host }} sapd[1362]: <127037> |AP 00:0b:86:eb:4e:32@10.10.10.10 sapd| |ids-ap| AP(04:bd:88:8a:3a:60): Station Associated to Rogue AP: An AP detected a client a4:8d:3b:ae:68:68 associated to a rogue access point (BSSID 98:1e:19:31:63:b6 and SSID MySpectrumWiFib0-2G on CHANNEL 11).", ] + @pytest.mark.parametrize("event", testdata) -def test_aruba(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event): +def test_aruba( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event +): host = get_host_key dt = datetime.datetime.now() @@ -38,12 +42,13 @@ def test_aruba(record_property, setup_wordlist, get_host_key, setup_splunk, setu epoch = epoch[:-7] mt = env.from_string(event + "\n") - message = mt.render(mark="<188>", bsd=bsd, host=host,arubadate=arubadate) + message = mt.render(mark="<188>", bsd=bsd, host=host, arubadate=arubadate) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=netops _time={{ epoch }} sourcetype=\"aruba:syslog\" host={{ host }}") + 'search index=netops _time={{ epoch }} sourcetype="aruba:syslog" host={{ host }}' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_avi_vantage.py b/tests/test_avi_vantage.py index ff31500ef3..28e09dde03 100644 --- a/tests/test_avi_vantage.py +++ b/tests/test_avi_vantage.py 
@@ -16,10 +16,19 @@ env = Environment() -test_rfc5424 = [r'{{ mark }}1 {{ iso }} {{ host }} aer01-abc-cde-fgh 0 711603 - "adf":1,"virtualservice":"virtualservice-12345-678-9810-b456-123456","vs_ip":"10.0.0.1","client_ip":"10.0.0.1","client_src_port":123,"client_dest_port":123,"start_timestamp":"2020-05-07T14:11:52.550629Z","report_timestamp":"2020-05-07T14:11:52.550629Z","connection_ended":1,"mss":1500,"rx_bytes":99,"rx_pkts":1,"service_engine":"aer01-abc-cde-fgh","log_id":711603,"server_ip":"0.0.0.0","server_conn_src_ip":"0.0.0.0","significant_log":["ADF_CLIENT_DNS_FAILED_GS_DOWN"],"dns_fqdn":"abc-cde-efg.cisco.com","dns_qtype":"DNS_RECORD_A","gslbservice":"gslbservice-xyz","gslbservice_name":"Naga-GSLB","dns_etype":"DNS_ENTRY_GSLB","protocol":"PROTOCOL_UDP","dns_request":{"question_count":1,"identifier":12345},"vs_name":"aer01-abc-cde-fgh"'] -test_data_rfc = [r'{{ mark }}{{ date }} {{ avi_time }} {{ host }} Avi-Controller - - - INFO [abc-cde.gen: reason: Syslog for Confiqg Events occured] At 2020-04-07 15:27:10+00:00 event USER_AUTHORIZED_BY_RULE occurred on object abc-cde.gen in tenant admin as User abc-cde.gen was authorized by mapping rule user is member of groups "["abcd-efgh-ij-klmn"]" and ignore user attribute values.'] -test_data_JSON = [r'{{ mark }}{{ date }} {{ avi_time }} {{ host }} Avi-Controller - - - INFO [abc-cde.gen: reason: Syslog for Config Events occured] {"level": "ALERT_LOW", "timestamp": "2020-04-07 15:35:26", "obj_name": "abc-cde.gen", "tenant_uuid": "admin", "summary": "Syslog for Config Events occured", "obj_key": "abc-cde.gen", "reason": "threshold_exceeded", "obj_uuid": "abc-cde.gen", "related_objects": [""], "threshold": 0, "events": [{"obj_type": "USER", "tenant_name": "", "event_id": "USER_AUTHORIZED_BY_RULE", "related_uuids": ["abc-cde.gen"], "event_details": {"config_user_authrz_rule_details": {"roles": "readonly-all", "tenants": "All Tenants", "user": "abc-cde.gen", "rule": "user is member of groups \"[\"abcd-efgh-ij-klmn\"]\" and 
ignore user attribute values"}}, "event_description": "User abc-cde.gen was authorized by mapping rule user is member of groups \"[\"abcd-efgh-ij-klmn\"]\" and ignore user attribute values", "module": "CONFIG", "report_timestamp": "2020-04-07 15:35:26", "internal": "EVENT_EXTERNAL", "event_pages": ["EVENT_PAGE_AUDIT", "EVENT_PAGE_ALL"], "context": "EVENT_CONTEXT_CONFIG", "obj_name": "abc-cde.gen", "obj_uuid": "abc-cde.gen", "tenant": "admin"}], "name": "abc-syslog"}'] -test_data_no_host = [r'{{ mark }} {{ bsd }} {{ host }} [{{ date }} {{ avi_time }}: Avi-Controller: INFO: ] [abc-cde.gen: reason: Syslog for Config Events occured] At 2020-04-07 15:32:09+00:00 event USER_AUTHORIZED_BY_RULE occurred on object abc-cde.gen in tenant admin as User abc-cde.gen was authorized by mapping rule user is member of groups "["abcd-efgh-ij-klmn"]" and ignore user attribute values. {{ host }} '] +test_rfc5424 = [ + r'{{ mark }}1 {{ iso }} {{ host }} aer01-abc-cde-fgh 0 711603 - "adf":1,"virtualservice":"virtualservice-12345-678-9810-b456-123456","vs_ip":"10.0.0.1","client_ip":"10.0.0.1","client_src_port":123,"client_dest_port":123,"start_timestamp":"2020-05-07T14:11:52.550629Z","report_timestamp":"2020-05-07T14:11:52.550629Z","connection_ended":1,"mss":1500,"rx_bytes":99,"rx_pkts":1,"service_engine":"aer01-abc-cde-fgh","log_id":711603,"server_ip":"0.0.0.0","server_conn_src_ip":"0.0.0.0","significant_log":["ADF_CLIENT_DNS_FAILED_GS_DOWN"],"dns_fqdn":"abc-cde-efg.cisco.com","dns_qtype":"DNS_RECORD_A","gslbservice":"gslbservice-xyz","gslbservice_name":"Naga-GSLB","dns_etype":"DNS_ENTRY_GSLB","protocol":"PROTOCOL_UDP","dns_request":{"question_count":1,"identifier":12345},"vs_name":"aer01-abc-cde-fgh"' +] +test_data_rfc = [ + r'{{ mark }}{{ date }} {{ avi_time }} {{ host }} Avi-Controller - - - INFO [abc-cde.gen: reason: Syslog for Confiqg Events occured] At 2020-04-07 15:27:10+00:00 event USER_AUTHORIZED_BY_RULE occurred on object abc-cde.gen in tenant admin as User abc-cde.gen was 
authorized by mapping rule user is member of groups "["abcd-efgh-ij-klmn"]" and ignore user attribute values.' +] +test_data_JSON = [ + r'{{ mark }}{{ date }} {{ avi_time }} {{ host }} Avi-Controller - - - INFO [abc-cde.gen: reason: Syslog for Config Events occured] {"level": "ALERT_LOW", "timestamp": "2020-04-07 15:35:26", "obj_name": "abc-cde.gen", "tenant_uuid": "admin", "summary": "Syslog for Config Events occured", "obj_key": "abc-cde.gen", "reason": "threshold_exceeded", "obj_uuid": "abc-cde.gen", "related_objects": [""], "threshold": 0, "events": [{"obj_type": "USER", "tenant_name": "", "event_id": "USER_AUTHORIZED_BY_RULE", "related_uuids": ["abc-cde.gen"], "event_details": {"config_user_authrz_rule_details": {"roles": "readonly-all", "tenants": "All Tenants", "user": "abc-cde.gen", "rule": "user is member of groups \"[\"abcd-efgh-ij-klmn\"]\" and ignore user attribute values"}}, "event_description": "User abc-cde.gen was authorized by mapping rule user is member of groups \"[\"abcd-efgh-ij-klmn\"]\" and ignore user attribute values", "module": "CONFIG", "report_timestamp": "2020-04-07 15:35:26", "internal": "EVENT_EXTERNAL", "event_pages": ["EVENT_PAGE_AUDIT", "EVENT_PAGE_ALL"], "context": "EVENT_CONTEXT_CONFIG", "obj_name": "abc-cde.gen", "obj_uuid": "abc-cde.gen", "tenant": "admin"}], "name": "abc-syslog"}' +] +test_data_no_host = [ + r'{{ mark }} {{ bsd }} {{ host }} [{{ date }} {{ avi_time }}: Avi-Controller: INFO: ] [abc-cde.gen: reason: Syslog for Config Events occured] At 2020-04-07 15:32:09+00:00 event USER_AUTHORIZED_BY_RULE occurred on object abc-cde.gen in tenant admin as User abc-cde.gen was authorized by mapping rule user is member of groups "["abcd-efgh-ij-klmn"]" and ignore user attribute values. {{ host }} ' +] + @pytest.mark.parametrize("event", test_data_rfc) def test_avi_event_rfc( diff --git a/tests/test_brocade.py b/tests/test_brocade.py index df21cf37d4..f6ecfb0efe 100644 --- a/tests/test_brocade.py +++ b/tests/test_brocade.py 
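Review bot: The re-wrapped `test_data_rfc` sample still reads `Syslog for Confiqg Events occured` while `test_data_JSON` and `test_data_no_host` say `Config`, so the three fixtures no longer describe the same event text. If the misspelling is not a deliberate fixture it should be corrected to `Config` while the line is being touched; if it is deliberate, a one-line comment above the list saying so would stop the next reader from "fixing" it. The `test_avi_event_rfc` definition begins at the tail of the hunk and its body lies outside it.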
@@ -11,21 +11,25 @@ from .timeutils import * import pytest + env = Environment() # -#Mar 25 13:53:24 xxxxxx-xxxx STP: VLAN 125 Port 1/1/24 STP State -> FORWARDING (DOT1wTransition) -#Mar 25 13:53:25 xxxxx-xxxxx System: PoE: Power disabled on port 1/1/24 because of detection of non-PD. PD detection will be disabled on port. -#Mar 25 11:50:21 xxxxx-xxxxx Security: SSH terminated by uuuuuuu from src IP 10.1.1.1 from src MAC dddd.dddd.dddd from USER EXEC mode using RSA as Server Host Key. +# Mar 25 13:53:24 xxxxxx-xxxx STP: VLAN 125 Port 1/1/24 STP State -> FORWARDING (DOT1wTransition) +# Mar 25 13:53:25 xxxxx-xxxxx System: PoE: Power disabled on port 1/1/24 because of detection of non-PD. PD detection will be disabled on port. +# Mar 25 11:50:21 xxxxx-xxxxx Security: SSH terminated by uuuuuuu from src IP 10.1.1.1 from src MAC dddd.dddd.dddd from USER EXEC mode using RSA as Server Host Key. testdata = [ "{{ mark }}{{ bsd }} {{ host }} STP: VLAN 125 Port 1/1/24 STP State -> FORWARDING (DOT1wTransition)", "{{ mark }}{{ bsd }} {{ host }} System: PoE: Power disabled on port 1/1/24 because of detection of non-PD. PD detection will be disabled on port.", "{{ mark }}{{ bsd }} {{ host }} Security: SSH terminated by uuuuuuu from src IP 10.1.1.1 from src MAC dddd.dddd.dddd from USER EXEC mode using RSA as Server Host Key. ", ] + @pytest.mark.parametrize("event", testdata) -def test_brocade(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event): +def test_brocade( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event +): host = "test_brocade-" + get_host_key dt = datetime.datetime.now() 
@@ -40,7 +44,8 @@ def test_brocade(record_property, setup_wordlist, get_host_key, setup_splunk, se sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=netops _time={{ epoch }} sourcetype=\"brocade:syslog\" (host=\"{{ host }}\" OR \"{{ host }}\")") + 'search index=netops _time={{ epoch }} sourcetype="brocade:syslog" (host="{{ host }}" OR "{{ host }}")' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_checkpoint.py b/tests/test_checkpoint.py index 7c606bd9c5..c27c4d7951 100644 --- a/tests/test_checkpoint.py +++ b/tests/test_checkpoint.py @@ -391,6 +391,7 @@ def test_checkpoint_splunk_os_nested( assert resultCount == 1 + # Test endpoint source event # time=1586182935|hostname=abc|product=Endpoint Management|action=Drop|ifdir=inbound|loguid={0x60069850,0x0,0xe03ea00a,0x23654691}|origin=10.160.62.224|originsicname=cn\=cp_mgmt,o\=gw-8be69c..ba5xxz|sequencenum=2|version=5|audit_status=Success|endpointname=C7553927437.WORKGROUP|endpointuser=Administrator@C7553927437|operation=Access Key For Encryptor|subject=Endpoint Activity|uid=2E5FD596-BAEF-4453-BFB0-85598CD43DF6 def test_checkpoint_splunk_Endpoint_Management( 
@@ -426,7 +427,8 @@ def test_checkpoint_splunk_Endpoint_Management( assert resultCount == 1 -#Test network source event + +# Test network source event # time=1586182935|hostname=abc|severity=Medium|product=iOS Profiles|ifdir=inbound|loguid={0x6012bc4c,0x15b,0xd10617ac,0x21e842d}|origin=10.1.46.86|sequencenum=164|time={{ epoch }}|version=5|calc_geo_location=calc_geo_location0|client_name=SandBlast Mobile Protect|client_version=2.71.0.3799|dashboard_orig=dashboard_orig0|device_identification=4839|email_address=email_address16|hardware_model=iPhone / iPhone 6S|host_type=Mobile|incident_time=2018-06-03T22:13:11Z|jailbreak_message=False|mdm_id=DEBD25BA-4609-4E81-BC33-3F8C5683F3DF|os_name=IPhone|os_version=11.2.6|phone_number=phone_number0|protection_type=Active proxy|src_user_name=Marsha Hoskins|status=Installed def test_checkpoint_splunk_ios_profile( record_property, setup_wordlist, setup_splunk, setup_sc4s @@ -461,6 +463,7 @@ def test_checkpoint_splunk_ios_profile( assert resultCount == 1 + # Test audit source event # time=1586182935|hostname=abc|product=SmartUpdate|action=Accept|ifdir=outbound|loguid={0x6023d54c,0x0,0x6563a00a,0x3431e7e4}|origin=10.160.99.101|originsicname=cn\=cp_mgmt,o\=gw-02bd87..4zrt7d|sequencenum=6|time={{ epoch }}|version=5|additional_info=Performed 'Attach License' on 10.160.99.101|administrator=admin|client_ip=10.160.99.102|machine=C1359997769|operation=Modify Object|operation_number=1|subject=Object Manipulation def test_checkpoint_splunk_SmartUpdate( 
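Review bot: The rewritten comment `# Test network source event` mislabels the sample below it, which is a SandBlast Mobile Protect / `product=iOS Profiles` endpoint record consumed by test_checkpoint_splunk_ios_profile, so a reader scanning the headings will look for a network event that is not there. Since the line is already being changed, `# Test iOS Profiles (mobile endpoint) source event` would match both the sample and the function name, following the one-line pattern the neighbouring test headings use. test_checkpoint_splunk_ios_profile's body continues outside the hunk.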
@@ -496,7 +499,8 @@ def test_checkpoint_splunk_SmartUpdate( assert resultCount == 1 -#time=1611044939|hostname=gw-8be69c|severity=Low|product=Endpoint Compliance|ifdir=inbound|loguid={0x60069d03,0x0,0xe03ea00a,0x23654691}|origin=10.160.62.224|sequencenum=1|version=1|action_comment= |client_name=Check Point Endpoint Security Client|client_version=84.30.6614|description= |event_type=Policy Update|host_type=Desktop|installed_products=Media Encryption & Port Protection; Compliance; Anti-Malware; Url Filtering; Anti-Bot; Forensics; Threat Emulation|local_time=1611044939|machine_guid= |os_name=Windows Server 10.0 Standard Server Edition|os_version=10.0-14393-SP0.0-SMP|policy_date=1610103648|policy_guid={5E122911-49AE-40ED-A91B-0B56576E4549}|policy_name=default_compliance_policy|policy_type=60|policy_version=1|product_family=Endpoint|src=10.160.177.73|src_machine_name=C7553927437|src_user_name=Administrator|user_name= |user_sid=S-1-5-21-1704411108-3626445783-306313190-500 + +# time=1611044939|hostname=gw-8be69c|severity=Low|product=Endpoint Compliance|ifdir=inbound|loguid={0x60069d03,0x0,0xe03ea00a,0x23654691}|origin=10.160.62.224|sequencenum=1|version=1|action_comment= |client_name=Check Point Endpoint Security Client|client_version=84.30.6614|description= |event_type=Policy Update|host_type=Desktop|installed_products=Media Encryption & Port Protection; Compliance; Anti-Malware; Url Filtering; Anti-Bot; Forensics; Threat Emulation|local_time=1611044939|machine_guid= |os_name=Windows Server 10.0 Standard Server Edition|os_version=10.0-14393-SP0.0-SMP|policy_date=1610103648|policy_guid={5E122911-49AE-40ED-A91B-0B56576E4549}|policy_name=default_compliance_policy|policy_type=60|policy_version=1|product_family=Endpoint|src=10.160.177.73|src_machine_name=C7553927437|src_user_name=Administrator|user_name= |user_sid=S-1-5-21-1704411108-3626445783-306313190-500 def test_checkpoint_splunk_Endpoint_Compliance( record_property, setup_wordlist, setup_splunk, setup_sc4s ): 
@@ -530,7 +534,8 @@ def test_checkpoint_splunk_Endpoint_Compliance( assert resultCount == 1 -#time=1613022553|hostname=gw-02bd87|product=Mobile Access|ifdir=outbound|loguid={0x6024c55a,0x2,0x6563a00a,0x346ce8b1}|origin=10.160.99.101|originsicname=cn\=cp_mgmt,o\=gw-02bd87..4zrt7d|sequencenum=2|time=1613022553|version=5|message=All gateways successfully notified about the revocation of certificate with serial no. '49681' + +# time=1613022553|hostname=gw-02bd87|product=Mobile Access|ifdir=outbound|loguid={0x6024c55a,0x2,0x6563a00a,0x346ce8b1}|origin=10.160.99.101|originsicname=cn\=cp_mgmt,o\=gw-02bd87..4zrt7d|sequencenum=2|time=1613022553|version=5|message=All gateways successfully notified about the revocation of certificate with serial no. '49681' def test_checkpoint_splunk_Mobile_Access( record_property, setup_wordlist, setup_splunk, setup_sc4s ): @@ -562,4 +567,4 @@ def test_checkpoint_splunk_Mobile_Access( record_property("resultCount", resultCount) record_property("message", message) - assert resultCount == 1 \ No newline at end of file + assert resultCount == 1 diff --git a/tests/test_checkpoint_syslog_rfc5424.py b/tests/test_checkpoint_syslog_rfc5424.py index 4a2b286dc1..fc9e070411 100644 --- a/tests/test_checkpoint_syslog_rfc5424.py +++ b/tests/test_checkpoint_syslog_rfc5424.py 
@@ -13,7 +13,7 @@ env = Environment() -# Test Anti Malware +# Test Anti Malware # <134>1 2021-02-08T10:19:34Z gw-02bd87 CheckPoint 26203 - [sc4s@2620 action="Detect" flags="311552" ifdir="outbound" ifname="eth0" loguid="{0xbbf1236f,0xd5d32253,0xc1bcfade,0x3753c3e6}" origin="10.160.99.101" originsicname="cn={{ host }},o=gw-02bd87..4zrt7d" sequencenum="1" time="1612779574" version="5" __policy_id_tag="product=VPN-1 & FireWall-1[db_tag={93CEED8D-9ADE-6343-8B89-54FB5A068DC3};mgmt=gw-02bd87;date=1610491680;policy_name=Standard\]" confidence_level="5" dst="91.195.240.13" http_host="update-help.com" lastupdatetime="1612779738" log_id="2" malware_action="Communication with C&C site" malware_rule_id="{A2B8ED86-C9D0-4B0E-9334-C3CFA223CFC2}" method="GET" packet_capture_name="src-10.160.59.141.cap" packet_capture_time="1612779677" packet_capture_unique_id="time1612779574.id1c3adad8.blade04" policy="Standard" policy_time="1612776132" product="Anti Malware" protection_id="00591E0A5" protection_name="APT_RampantKitten.TC.ah" protection_type="URL reputation" proto="6" proxy_src_ip="10.160.59.141" received_bytes="44245" resource="http://update-help.com/" s_port="54470" scope="10.160.59.141" sent_bytes="2624" service="80" session_id="{0x60211036,0x0,0xb3d6e900,0xc68052fb}" severity="4" smartdefense_profile="Optimized" src="10.160.59.141" suppressed_logs="6" layer_name="Standard Threat Prevention" layer_uuid="{75CC4D40-8C8C-4CD6-AF25-51063A9D2AD1}" malware_rule_id="{A2B8ED86-C9D0-4B0E-9334-C3CFA223CFC2}" smartdefense_profile="Optimized" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" vendor_list="Check Point ThreatCloud" web_client_type="Chrome"] def test_checkpoint_syslog_anti_malware( record_property, setup_wordlist, setup_splunk, setup_sc4s 
@@ -27,7 +27,7 @@ def test_checkpoint_syslog_anti_malware( epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 action=\"Detect\" flags=\"311552\" ifdir=\"outbound\" ifname=\"eth0\" loguid=\"{0xbbf1236f,0xd5d32253,0xc1bcfade,0x3753c3e6}\" origin=\"10.160.99.101\" originsicname=\"cn={{ host }},o=gw-02bd87..4zrt7d\" sequencenum=\"1\" time=\"{{ epoch }}\" version=\"5\" __policy_id_tag=\"product=VPN-1 & FireWall-1[db_tag={93CEED8D-9ADE-6343-8B89-54FB5A068DC3};mgmt=gw-02bd87;date=1610491680;policy_name=Standard\]\" confidence_level=\"5\" dst=\"91.195.240.13\" http_host=\"update-help.com\" lastupdatetime=\"1612779738\" log_id=\"2\" malware_action=\"Communication with C&C site\" malware_rule_id=\"{A2B8ED86-C9D0-4B0E-9334-C3CFA223CFC2}\" method=\"GET\" packet_capture_name=\"src-10.160.59.141.cap\" packet_capture_time=\"1612779677\" packet_capture_unique_id=\"time1612779574.id1c3adad8.blade04\" policy=\"Standard\" policy_time=\"1612776132\" product=\"Anti Malware\" protection_id=\"00591E0A5\" protection_name=\"APT_RampantKitten.TC.ah\" protection_type=\"URL reputation\" proto=\"6\" proxy_src_ip=\"10.160.59.141\" received_bytes=\"44245\" resource=\"http://update-help.com/\" s_port=\"54470\" scope=\"10.160.59.141\" sent_bytes=\"2624\" service=\"80\" session_id=\"{0x60211036,0x0,0xb3d6e900,0xc68052fb}\" severity=\"4\" smartdefense_profile=\"Optimized\" src=\"10.160.59.141\" suppressed_logs=\"6\" layer_name=\"Standard Threat Prevention\" layer_uuid=\"{75CC4D40-8C8C-4CD6-AF25-51063A9D2AD1}\" malware_rule_id=\"{A2B8ED86-C9D0-4B0E-9334-C3CFA223CFC2}\" smartdefense_profile=\"Optimized\" user_agent=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36\" vendor_list=\"Check Point ThreatCloud\" web_client_type=\"Chrome\"]" + '{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 action="Detect" flags="311552" ifdir="outbound" ifname="eth0" 
loguid="{0xbbf1236f,0xd5d32253,0xc1bcfade,0x3753c3e6}" origin="10.160.99.101" originsicname="cn={{ host }},o=gw-02bd87..4zrt7d" sequencenum="1" time="{{ epoch }}" version="5" __policy_id_tag="product=VPN-1 & FireWall-1[db_tag={93CEED8D-9ADE-6343-8B89-54FB5A068DC3};mgmt=gw-02bd87;date=1610491680;policy_name=Standard\]" confidence_level="5" dst="91.195.240.13" http_host="update-help.com" lastupdatetime="1612779738" log_id="2" malware_action="Communication with C&C site" malware_rule_id="{A2B8ED86-C9D0-4B0E-9334-C3CFA223CFC2}" method="GET" packet_capture_name="src-10.160.59.141.cap" packet_capture_time="1612779677" packet_capture_unique_id="time1612779574.id1c3adad8.blade04" policy="Standard" policy_time="1612776132" product="Anti Malware" protection_id="00591E0A5" protection_name="APT_RampantKitten.TC.ah" protection_type="URL reputation" proto="6" proxy_src_ip="10.160.59.141" received_bytes="44245" resource="http://update-help.com/" s_port="54470" scope="10.160.59.141" sent_bytes="2624" service="80" session_id="{0x60211036,0x0,0xb3d6e900,0xc68052fb}" severity="4" smartdefense_profile="Optimized" src="10.160.59.141" suppressed_logs="6" layer_name="Standard Threat Prevention" layer_uuid="{75CC4D40-8C8C-4CD6-AF25-51063A9D2AD1}" malware_rule_id="{A2B8ED86-C9D0-4B0E-9334-C3CFA223CFC2}" smartdefense_profile="Optimized" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" vendor_list="Check Point ThreatCloud" web_client_type="Chrome"]' ) message = mt.render(mark="<134>1", host=host, bsd=bsd, iso=iso, epoch=epoch) @@ -36,9 +36,7 @@ def test_checkpoint_syslog_anti_malware( st = env.from_string( 'search _time={{ epoch }} index=netids host="{{ host }}" sourcetype="cp_log:syslog" source="checkpoint:ids_malware"' ) - search = st.render( - epoch=epoch, bsd=bsd, host=host - ) + search = st.render(epoch=epoch, bsd=bsd, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
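Review bot: The rewritten template literal still contains `\]` in `policy_name=Standard\]`, which is an invalid escape sequence in a non-raw string: Python keeps the backslash today but emits a DeprecationWarning (a SyntaxWarning from 3.12), and if the new .pre-commit-config.yaml runs flake8 it will report this as W605. The same applies to `\]` and `\/` in the Threat Emulation template (the `@@ -62,7` hunk) and to `\]` in the VPN-1 & FireWall-1 template (the `@@ -134,7` hunk). Prefixing each literal with `r`, e.g. `r'{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 action="Detect" …'`, leaves the rendered bytes identical because the backslash is already preserved verbatim. The enclosing test_checkpoint_syslog_anti_malware body starts before and ends after this hunk.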
@@ -48,9 +46,11 @@ def test_checkpoint_syslog_anti_malware( assert resultCount == 1 + # Test Threat Emulation # <134>1 2021-02-08T10:19:34Z gw-02bd87 CheckPoint 26203 - [sc4s@2620 action="Accept" flags="280832" ifdir="inbound" ifname="eth0" loguid="{0x4b397cf0,0x530e24fb,0x1b71ea26,0x27225237}" origin="10.160.99.101" originsicname="cn={{ host }},o=gw-02bd87..4zrt7d" sequencenum="5" time="1612815085" version="5" __policy_id_tag="product=VPN-1 & FireWall-1[db_tag={93CEED8D-9ADE-6343-8B89-54FB5A068DC3};mgmt=gw-02bd87;date=1610491680;policy_name=Standard\]" analyzed_on="Check Point Threat Cloud" confidence_level="0" content_length="456201" content_type="application/octet-stream" dst="173.194.184.234" emulated_on="Win7 64b,Office 2010,Adobe 11" http_host="r5---sn-p5qlsndd.gvt1.com" http_server="downloads" http_status="206" lastupdatetime="1612815085" log_id="4000" log_uid="{3C6AD7C2-72C9-6146-BDD0-BC61D8C2720D}" malware_rule_id="{A2B8ED86-C9D0-4B0E-9334-C3CFA223CFC2}" method="GET" policy="Standard" policy_time="1612783608" product="Threat Emulation" protection_type="HTTPEmulation" proto="6" protocol="HTTP" proxy_src_ip="10.160.59.141" resource="dummy_resource" s_port="54750" scope="10.160.59.141" service="80" session_id="{0x3c6ad7c2,0x72c96146,0xbdd0bc61,0xd8c2720d}" severity="0" sig_id="0" smartdefense_profile="Optimized" src="10.160.59.141" te_verdict_determined_by="Win7 64b,Office 2010,Adobe 11: trusted source. " layer_name="Standard Threat Prevention" layer_uuid="{75CC4D40-8C8C-4CD6-AF25-51063A9D2AD1}" malware_rule_id="{A2B8ED86-C9D0-4B0E-9334-C3CFA223CFC2}" smartdefense_profile="Optimized" user_agent="Microsoft BITS/7.8" verdict="Benign" web_client_type="Other: Microsoft BITS\/7.8"] + def test_checkpoint_syslog_threat_emulation( record_property, setup_wordlist, setup_splunk, setup_sc4s ): 
@@ -62,7 +62,7 @@ def test_checkpoint_syslog_threat_emulation( epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 action=\"Accept\" flags=\"280832\" ifdir=\"inbound\" ifname=\"eth0\" loguid=\"{0x4b397cf0,0x530e24fb,0x1b71ea26,0x27225237}\" origin=\"10.160.99.101\" originsicname=\"cn={{ host }},o=gw-02bd87..4zrt7d\" sequencenum=\"5\" time=\"{{ epoch }}\" version=\"5\" __policy_id_tag=\"product=VPN-1 & FireWall-1[db_tag={93CEED8D-9ADE-6343-8B89-54FB5A068DC3};mgmt=gw-02bd87;date=1610491680;policy_name=Standard\]\" analyzed_on=\"Check Point Threat Cloud\" confidence_level=\"0\" content_length=\"456201\" content_type=\"application/octet-stream\" dst=\"173.194.184.234\" emulated_on=\"Win7 64b,Office 2010,Adobe 11\" http_host=\"r5---sn-p5qlsndd.gvt1.com\" http_server=\"downloads\" http_status=\"206\" lastupdatetime=\"1612815085\" log_id=\"4000\" log_uid=\"{3C6AD7C2-72C9-6146-BDD0-BC61D8C2720D}\" malware_rule_id=\"{A2B8ED86-C9D0-4B0E-9334-C3CFA223CFC2}\" method=\"GET\" policy=\"Standard\" policy_time=\"1612783608\" product=\"Threat Emulation\" protection_type=\"HTTPEmulation\" proto=\"6\" protocol=\"HTTP\" proxy_src_ip=\"10.160.59.141\" resource=\"dummy_resource\" s_port=\"54750\" scope=\"10.160.59.141\" service=\"80\" session_id=\"{0x3c6ad7c2,0x72c96146,0xbdd0bc61,0xd8c2720d}\" severity=\"0\" sig_id=\"0\" smartdefense_profile=\"Optimized\" src=\"10.160.59.141\" te_verdict_determined_by=\"Win7 64b,Office 2010,Adobe 11: trusted source. 
\" layer_name=\"Standard Threat Prevention\" layer_uuid=\"{75CC4D40-8C8C-4CD6-AF25-51063A9D2AD1}\" malware_rule_id=\"{A2B8ED86-C9D0-4B0E-9334-C3CFA223CFC2}\" smartdefense_profile=\"Optimized\" user_agent=\"Microsoft BITS/7.8\" verdict=\"Benign\" web_client_type=\"Other: Microsoft BITS\/7.8\"]" + '{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 action="Accept" flags="280832" ifdir="inbound" ifname="eth0" loguid="{0x4b397cf0,0x530e24fb,0x1b71ea26,0x27225237}" origin="10.160.99.101" originsicname="cn={{ host }},o=gw-02bd87..4zrt7d" sequencenum="5" time="{{ epoch }}" version="5" __policy_id_tag="product=VPN-1 & FireWall-1[db_tag={93CEED8D-9ADE-6343-8B89-54FB5A068DC3};mgmt=gw-02bd87;date=1610491680;policy_name=Standard\]" analyzed_on="Check Point Threat Cloud" confidence_level="0" content_length="456201" content_type="application/octet-stream" dst="173.194.184.234" emulated_on="Win7 64b,Office 2010,Adobe 11" http_host="r5---sn-p5qlsndd.gvt1.com" http_server="downloads" http_status="206" lastupdatetime="1612815085" log_id="4000" log_uid="{3C6AD7C2-72C9-6146-BDD0-BC61D8C2720D}" malware_rule_id="{A2B8ED86-C9D0-4B0E-9334-C3CFA223CFC2}" method="GET" policy="Standard" policy_time="1612783608" product="Threat Emulation" protection_type="HTTPEmulation" proto="6" protocol="HTTP" proxy_src_ip="10.160.59.141" resource="dummy_resource" s_port="54750" scope="10.160.59.141" service="80" session_id="{0x3c6ad7c2,0x72c96146,0xbdd0bc61,0xd8c2720d}" severity="0" sig_id="0" smartdefense_profile="Optimized" src="10.160.59.141" te_verdict_determined_by="Win7 64b,Office 2010,Adobe 11: trusted source. " layer_name="Standard Threat Prevention" layer_uuid="{75CC4D40-8C8C-4CD6-AF25-51063A9D2AD1}" malware_rule_id="{A2B8ED86-C9D0-4B0E-9334-C3CFA223CFC2}" smartdefense_profile="Optimized" user_agent="Microsoft BITS/7.8" verdict="Benign" web_client_type="Other: Microsoft BITS\/7.8"]' ) message = mt.render(mark="<134>1", host=host, bsd=bsd, iso=iso, epoch=epoch) 
@@ -83,9 +83,11 @@ def test_checkpoint_syslog_threat_emulation( assert resultCount == 1 + # Test URL Filtering # <134>1 2021-02-08T10:19:34Z gw-02bd87 CheckPoint 26203 - [sc4s@2620 flags="166216" ifdir="outbound" loguid="{0x6021fc5b,0x1,0x6563a00a,0x335f665b}" origin="10.160.99.101" originsicname="cn={{ host }},o=gw-02bd87..4zrt7d" sequencenum="2" time="1612840025" version="5" db_ver="21020901" description="Gateway was updated with database version: 3022101." product="URL Filtering" severity="1" update_status="updated"] + def test_checkpoint_syslog_url_filtering( record_property, setup_wordlist, setup_splunk, setup_sc4s ): @@ -97,7 +99,7 @@ def test_checkpoint_syslog_url_filtering( epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 flags=\"166216\" ifdir=\"outbound\" loguid=\"{0x6021fc5b,0x1,0x6563a00a,0x335f665b}\" origin=\"10.160.99.101\" originsicname=\"cn={{ host }},o=gw-02bd87..4zrt7d\" sequencenum=\"2\" time=\"{{ epoch }}\" version=\"5\" db_ver=\"21020901\" description=\"Gateway was updated with database version: 3022101.\" product=\"URL Filtering\" severity=\"1\" update_status=\"updated\"]" + '{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 flags="166216" ifdir="outbound" loguid="{0x6021fc5b,0x1,0x6563a00a,0x335f665b}" origin="10.160.99.101" originsicname="cn={{ host }},o=gw-02bd87..4zrt7d" sequencenum="2" time="{{ epoch }}" version="5" db_ver="21020901" description="Gateway was updated with database version: 3022101." product="URL Filtering" severity="1" update_status="updated"]' ) message = mt.render(mark="<134>1", host=host, bsd=bsd, iso=iso, epoch=epoch) 
@@ -122,6 +124,7 @@ def test_checkpoint_syslog_url_filtering( # Test VPN-1 & FireWall-1 # <134>1 2021-02-08T10:19:34Z gw-02bd87 CheckPoint 26203 - [sc4s@2620 action="Accept" flags="810244" ifdir="inbound" ifname="eth0" logid="0" loguid="{0x4d4d455b,0x35b8a7f2,0xdf15314d,0x5765225e}" origin="10.160.99.101" originsicname="cn={{ host }},o=gw-02bd87..4zrt7d" sequencenum="74" time="1612518129" version="5" __policy_id_tag="product=VPN-1 & FireWall-1[db_tag={93CEED8D-9ADE-6343-8B89-54FB5A068DC3};mgmt=gw-02bd87;date=1610491680;policy_name=Standard\]" dst="10.160.99.101" hll_key="9901336306766781296" inzone="Internal" layer_name="Network" layer_name="Web" layer_uuid="f5cec687-05e5-4573-b1dc-08119f24cbc9" layer_uuid="d9050599-e213-4537-b7b5-3d203031a58f" match_id="1" match_id="16777217" parent_rule="0" parent_rule="0" rule_action="Accept" rule_action="Accept" rule_name="Cleanup rule" rule_uid="d7a2b9f5-9c83-4ea4-b22d-a07db9d24490" rule_uid="c8c796c4-64ce-4c4d-a9db-0534737f89d9" outzone="Local" product="VPN-1 & FireWall-1" proto="17" s_port="443" service="26796" src="8.8.8.8"] + def test_checkpoint_syslog_vpn_and_firewall( record_property, setup_wordlist, setup_splunk, setup_sc4s ): 
@@ -134,7 +137,7 @@ def test_checkpoint_syslog_vpn_and_firewall( epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 action=\"Accept\" flags=\"810244\" ifdir=\"inbound\" ifname=\"eth0\" logid=\"0\" loguid=\"{0x4d4d455b,0x35b8a7f2,0xdf15314d,0x5765225e}\" origin=\"10.160.99.101\" originsicname=\"cn={{ host }},o=gw-02bd87..4zrt7d\" sequencenum=\"74\" time=\"{{ epoch }}\" version=\"5\" __policy_id_tag=\"product=VPN-1 & FireWall-1[db_tag={93CEED8D-9ADE-6343-8B89-54FB5A068DC3};mgmt=gw-02bd87;date=1610491680;policy_name=Standard\]\" dst=\"10.160.99.101\" hll_key=\"9901336306766781296\" inzone=\"Internal\" layer_name=\"Network\" layer_name=\"Web\" layer_uuid=\"f5cec687-05e5-4573-b1dc-08119f24cbc9\" layer_uuid=\"d9050599-e213-4537-b7b5-3d203031a58f\" match_id=\"1\" match_id=\"16777217\" parent_rule=\"0\" parent_rule=\"0\" rule_action=\"Accept\" rule_action=\"Accept\" rule_name=\"Cleanup rule\" rule_uid=\"d7a2b9f5-9c83-4ea4-b22d-a07db9d24490\" rule_uid=\"c8c796c4-64ce-4c4d-a9db-0534737f89d9\" outzone=\"Local\" product=\"VPN-1 & FireWall-1\" proto=\"17\" s_port=\"443\" service=\"26796\" src=\"8.8.8.8\"]" + '{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 action="Accept" flags="810244" ifdir="inbound" ifname="eth0" logid="0" loguid="{0x4d4d455b,0x35b8a7f2,0xdf15314d,0x5765225e}" origin="10.160.99.101" originsicname="cn={{ host }},o=gw-02bd87..4zrt7d" sequencenum="74" time="{{ epoch }}" version="5" __policy_id_tag="product=VPN-1 & FireWall-1[db_tag={93CEED8D-9ADE-6343-8B89-54FB5A068DC3};mgmt=gw-02bd87;date=1610491680;policy_name=Standard\]" dst="10.160.99.101" hll_key="9901336306766781296" inzone="Internal" layer_name="Network" layer_name="Web" layer_uuid="f5cec687-05e5-4573-b1dc-08119f24cbc9" layer_uuid="d9050599-e213-4537-b7b5-3d203031a58f" match_id="1" match_id="16777217" parent_rule="0" parent_rule="0" rule_action="Accept" rule_action="Accept" rule_name="Cleanup rule" 
rule_uid="d7a2b9f5-9c83-4ea4-b22d-a07db9d24490" rule_uid="c8c796c4-64ce-4c4d-a9db-0534737f89d9" outzone="Local" product="VPN-1 & FireWall-1" proto="17" s_port="443" service="26796" src="8.8.8.8"]' ) message = mt.render(mark="<134>1", host=host, bsd=bsd, iso=iso, epoch=epoch) @@ -155,9 +158,11 @@ def test_checkpoint_syslog_vpn_and_firewall( assert resultCount == 1 + # Test WEB_API_INTERNAL # <134>1 2021-02-08T10:19:34Z gw-02bd87 CheckPoint 26203 - [sc4s@2620 action="Accept" flags="163872" ifdir="outbound" loguid="{0x60251375,0x0,0x6563a00a,0x34bbe8bb}" origin="10.160.99.101" originsicname="cn={{ host }},o=gw-02bd87..4zrt7d" sequencenum="1" time="1613042548" version="5" additional_info="Authentication method: Password based application token" administrator="admin" client_ip="10.160.99.102" machine="10.160.99.102" operation="Log In" operation_number="10" product="WEB_API_INTERNAL" subject="Administrator Login"] + def test_checkpoint_syslog_web_api_internal( record_property, setup_wordlist, setup_splunk, setup_sc4s ): 
@@ -169,7 +174,7 @@ def test_checkpoint_syslog_web_api_internal( epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 action=\"Accept\" flags=\"163872\" ifdir=\"outbound\" loguid=\"{0x60251375,0x0,0x6563a00a,0x34bbe8bb}\" origin=\"10.160.99.101\" originsicname=\"cn={{ host }},o=gw-02bd87..4zrt7d\" sequencenum=\"1\" time=\"{{ epoch }}\" version=\"5\" additional_info=\"Authentication method: Password based application token\" administrator=\"admin\" client_ip=\"10.160.99.102\" machine=\"10.160.99.102\" operation=\"Log In\" operation_number=\"10\" product=\"WEB_API_INTERNAL\" subject=\"Administrator Login\"]" + '{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 action="Accept" flags="163872" ifdir="outbound" loguid="{0x60251375,0x0,0x6563a00a,0x34bbe8bb}" origin="10.160.99.101" originsicname="cn={{ host }},o=gw-02bd87..4zrt7d" sequencenum="1" time="{{ epoch }}" version="5" additional_info="Authentication method: Password based application token" administrator="admin" client_ip="10.160.99.102" machine="10.160.99.102" operation="Log In" operation_number="10" product="WEB_API_INTERNAL" subject="Administrator Login"]' ) message = mt.render(mark="<134>1", host=host, bsd=bsd, iso=iso, epoch=epoch) 
@@ -190,9 +195,11 @@ def test_checkpoint_syslog_web_api_internal( assert resultCount == 1 + # Test iOS Profiles # <134>1 2021-02-08T10:19:34Z gw-02bd87 CheckPoint 26203 - [sc4s@2620 flags="131072" ifdir="inbound" loguid="{0x60215107,0x169a,0xd10617ac,0x4468886}" origin="10.1.46.86" sequencenum="4138" time="1612795822" version="5" calc_geo_location="calc_geo_location0" client_name="SandBlast Mobile Protect" client_version="2.72.8.3943" dashboard_orig="dashboard_orig0" device_identification="4624" email_address="email_address44" hardware_model="iPhone / iPhone 8" host_type="Mobile" incident_time="2018-06-03T17:33:09Z" jailbreak_message="False" mdm_id="E726405B-4BCF-46C6-8D1B-6F1A71E67D5D" os_name="IPhone" os_version="11.3.1" phone_number="phone_number24" product="iOS Profiles" protection_type="Global proxy" severity="0" src_user_name="Mike Johnson1" status="Removed"] + def test_checkpoint_syslog_iOS_profiles( record_property, setup_wordlist, setup_splunk, setup_sc4s ): 
@@ -204,7 +211,7 @@ def test_checkpoint_syslog_iOS_profiles( epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 flags=\"131072\" ifdir=\"inbound\" loguid=\"{0x60215102,0x269a,0xd20617ac,0x2468886}\" origin=\"10.1.46.86\" sequencenum=\"4138\" time=\"{{ epoch }}\" version=\"5\" calc_geo_location=\"calc_geo_location0\" client_name=\"SandBlast Mobile Protect\" client_version=\"2.72.8.3943\" dashboard_orig=\"dashboard_orig0\" device_identification=\"4624\" email_address=\"email_address44\" hardware_model=\"iPhone / iPhone 8\" host_type=\"Mobile\" incident_time=\"2018-06-03T17:33:09Z\" jailbreak_message=\"False\" mdm_id=\"E726405B-4BCF-46C6-8D1B-6F1A71E67D5D\" os_name=\"IPhone\" os_version=\"11.3.1\" phone_number=\"phone_number24\" product=\"iOS Profiles\" protection_type=\"Global proxy\" severity=\"0\" src_user_name=\"Mike Johnson1\" status=\"Removed\"]" + '{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 flags="131072" ifdir="inbound" loguid="{0x60215102,0x269a,0xd20617ac,0x2468886}" origin="10.1.46.86" sequencenum="4138" time="{{ epoch }}" version="5" calc_geo_location="calc_geo_location0" client_name="SandBlast Mobile Protect" client_version="2.72.8.3943" dashboard_orig="dashboard_orig0" device_identification="4624" email_address="email_address44" hardware_model="iPhone / iPhone 8" host_type="Mobile" incident_time="2018-06-03T17:33:09Z" jailbreak_message="False" mdm_id="E726405B-4BCF-46C6-8D1B-6F1A71E67D5D" os_name="IPhone" os_version="11.3.1" phone_number="phone_number24" product="iOS Profiles" protection_type="Global proxy" severity="0" src_user_name="Mike Johnson1" status="Removed"]' ) message = mt.render(mark="<134>1", host=host, bsd=bsd, iso=iso, epoch=epoch) 
@@ -225,9 +232,11 @@ def test_checkpoint_syslog_iOS_profiles( assert resultCount == 1 + # Test Endpoint Compliance # <134>1 2021-02-08T10:19:34Z gw-02bd87 CheckPoint 26203 - [sc4s@2620 flags="131072" ifdir="inbound" loguid="{0x60215107,0x169a,0xd10617ac,0x4468886}" origin="10.1.46.86" sequencenum="4138" time="1612795822" version="5" calc_geo_location="calc_geo_location0" client_name="SandBlast Mobile Protect" client_version="2.72.8.3943" dashboard_orig="dashboard_orig0" device_identification="4624" email_address="email_address44" hardware_model="iPhone / iPhone 8" host_type="Mobile" incident_time="2018-06-03T17:33:09Z" jailbreak_message="False" mdm_id="E726405B-4BCF-46C6-8D1B-6F1A71E67D5D" os_name="IPhone" os_version="11.3.1" phone_number="phone_number24" product="Endpoint Compliance" protection_type="Global proxy" severity="0" src_user_name="Mike Johnson1" status="Removed"] + def test_checkpoint_syslog_Endpoint_Compliance( record_property, setup_wordlist, setup_splunk, setup_sc4s ): 
@@ -239,7 +248,7 @@ def test_checkpoint_syslog_Endpoint_Compliance( epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 flags=\"131072\" ifdir=\"inbound\" loguid=\"{0x60215107,0x169a,0xd10617ac,0x4468886}\" origin=\"10.1.46.86\" sequencenum=\"4138\" time=\"{{ epoch }}\" version=\"5\" calc_geo_location=\"calc_geo_location0\" client_name=\"SandBlast Mobile Protect\" client_version=\"2.72.8.3943\" dashboard_orig=\"dashboard_orig0\" device_identification=\"4624\" email_address=\"email_address44\" hardware_model=\"iPhone / iPhone 8\" host_type=\"Mobile\" incident_time=\"2018-06-03T17:33:09Z\" jailbreak_message=\"False\" mdm_id=\"E726405B-4BCF-46C6-8D1B-6F1A71E67D5D\" os_name=\"IPhone\" os_version=\"11.3.1\" phone_number=\"phone_number24\" product=\"Endpoint Compliance\" protection_type=\"Global proxy\" severity=\"0\" src_user_name=\"Mike Johnson1\" status=\"Removed\"]" + '{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 flags="131072" ifdir="inbound" loguid="{0x60215107,0x169a,0xd10617ac,0x4468886}" origin="10.1.46.86" sequencenum="4138" time="{{ epoch }}" version="5" calc_geo_location="calc_geo_location0" client_name="SandBlast Mobile Protect" client_version="2.72.8.3943" dashboard_orig="dashboard_orig0" device_identification="4624" email_address="email_address44" hardware_model="iPhone / iPhone 8" host_type="Mobile" incident_time="2018-06-03T17:33:09Z" jailbreak_message="False" mdm_id="E726405B-4BCF-46C6-8D1B-6F1A71E67D5D" os_name="IPhone" os_version="11.3.1" phone_number="phone_number24" product="Endpoint Compliance" protection_type="Global proxy" severity="0" src_user_name="Mike Johnson1" status="Removed"]' ) message = mt.render(mark="<134>1", host=host, bsd=bsd, iso=iso, epoch=epoch) 
@@ -260,8 +269,10 @@ def test_checkpoint_syslog_Endpoint_Compliance( assert resultCount == 1 -#Test Mobile Access -#<134>1 2021-02-08T14:50:06Z r81-t279-leui-main-take-2 CheckPoint 2182 - [sc4s@2620 flags="131072" ifdir="inbound" loguid="{0x60215106,0xb,0xd10617ac,0x4468886}" origin="10.2.46.86" sequencenum="12" time="1612795806" version="5" app_repackaged="False" app_sig_id="3343cf41cb8736ad452453276b4f7c806ab83143eca0b3ad1e1bc6045e37f6a9" app_version="3.1.15" appi_name="iPGMail" calc_geo_location="calc_geo_location0" client_name="SandBlast Mobile Protect" client_version="2.73.0.3968" dashboard_orig="dashboard_orig0" device_identification="4768" email_address="email_address0" hardware_model="iPhone / iPhone 5S" host_type="Mobile" incident_time="2018-06-04T00:03:41Z" jailbreak_message="False" mdm_id="F2FCB053-5C28-4917-9FED-4821349B86A5" os_name="IPhone" os_version="11.4" phone_number="phone_number0" product="Mobile Access" protection_type="Backup Tool" severity="0" src_user_name="Allen Newsom" status="Installed" + +# Test Mobile Access +# <134>1 2021-02-08T14:50:06Z r81-t279-leui-main-take-2 CheckPoint 2182 - [sc4s@2620 flags="131072" ifdir="inbound" loguid="{0x60215106,0xb,0xd10617ac,0x4468886}" origin="10.2.46.86" sequencenum="12" time="1612795806" version="5" app_repackaged="False" app_sig_id="3343cf41cb8736ad452453276b4f7c806ab83143eca0b3ad1e1bc6045e37f6a9" app_version="3.1.15" appi_name="iPGMail" calc_geo_location="calc_geo_location0" client_name="SandBlast Mobile Protect" client_version="2.73.0.3968" dashboard_orig="dashboard_orig0" device_identification="4768" email_address="email_address0" hardware_model="iPhone / iPhone 5S" host_type="Mobile" incident_time="2018-06-04T00:03:41Z" jailbreak_message="False" mdm_id="F2FCB053-5C28-4917-9FED-4821349B86A5" os_name="IPhone" os_version="11.4" phone_number="phone_number0" product="Mobile Access" protection_type="Backup Tool" severity="0" src_user_name="Allen Newsom" status="Installed" + def 
test_checkpoint_syslog_Mobile_Access( record_property, setup_wordlist, setup_splunk, setup_sc4s 
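Review bot: The re-indented Mobile Access sample still does not describe what the test sends: it shows `r81-t279-leui-main-take-2 CheckPoint 2182 - [sc4s@2620 ...` and is missing its closing `]`, while the template rendered in the next hunk uses `{{ host }} CheckPoint 26203 - [sc4s@2620 ...]`. Since the comment was touched anyway, aligning the PID and terminating the SD-element (`... status="Installed"]`) would keep it usable as a copy-paste reference for the sc4s parser. The definition of `test_checkpoint_syslog_Mobile_Access` opened here continues past the end of this hunk.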
@@ -274,7 +285,7 @@ def test_checkpoint_syslog_Mobile_Access( epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 flags=\"131072\" ifdir=\"inbound\" loguid=\"{0x60215106,0xb,0xd10617ac,0x4468886}\" origin=\"10.2.46.86\" sequencenum=\"12\" time=\"{{ epoch }}\" version=\"5\" app_repackaged=\"False\" app_sig_id=\"3343cf41cb8736ad452453276b4f7c806ab83143eca0b3ad1e1bc6045e37f6a9\" app_version=\"3.1.15\" appi_name=\"iPGMail\" calc_geo_location=\"calc_geo_location0\" client_name=\"SandBlast Mobile Protect\" client_version=\"2.73.0.3968\" dashboard_orig=\"dashboard_orig0\" device_identification=\"4768\" email_address=\"email_address0\" hardware_model=\"iPhone / iPhone 5S\" host_type=\"Mobile\" incident_time=\"2018-06-04T00:03:41Z\" jailbreak_message=\"False\" mdm_id=\"F2FCB053-5C28-4917-9FED-4821349B86A5\" os_name=\"IPhone\" os_version=\"11.4\" phone_number=\"phone_number0\" product=\"Mobile Access\" protection_type=\"Backup Tool\" severity=\"0\" src_user_name=\"Allen Newsom\" status=\"Installed\"]" + '{{ mark }} {{ iso }} {{ host }} CheckPoint 26203 - [sc4s@2620 flags="131072" ifdir="inbound" loguid="{0x60215106,0xb,0xd10617ac,0x4468886}" origin="10.2.46.86" sequencenum="12" time="{{ epoch }}" version="5" app_repackaged="False" app_sig_id="3343cf41cb8736ad452453276b4f7c806ab83143eca0b3ad1e1bc6045e37f6a9" app_version="3.1.15" appi_name="iPGMail" calc_geo_location="calc_geo_location0" client_name="SandBlast Mobile Protect" client_version="2.73.0.3968" dashboard_orig="dashboard_orig0" device_identification="4768" email_address="email_address0" hardware_model="iPhone / iPhone 5S" host_type="Mobile" incident_time="2018-06-04T00:03:41Z" jailbreak_message="False" mdm_id="F2FCB053-5C28-4917-9FED-4821349B86A5" os_name="IPhone" os_version="11.4" phone_number="phone_number0" product="Mobile Access" protection_type="Backup Tool" severity="0" src_user_name="Allen Newsom" status="Installed"]' ) message = mt.render(mark="<134>1", 
host=host, bsd=bsd, iso=iso, epoch=epoch) @@ -293,4 +304,4 @@ def test_checkpoint_syslog_Mobile_Access( record_property("resultCount", resultCount) record_property("message", message) - assert resultCount == 1 \ No newline at end of file + assert resultCount == 1 diff --git a/tests/test_cisco_ace.py b/tests/test_cisco_ace.py index 3d672d5e48..c9ec815a6d 100644 --- a/tests/test_cisco_ace.py +++ b/tests/test_cisco_ace.py @@ -45,4 +45,3 @@ def test_cisco_ace_traditional( record_property("message", message) assert resultCount == 1 - diff --git a/tests/test_cisco_esa.py b/tests/test_cisco_esa.py index c95a9d4b04..f9bb002b8c 100644 --- a/tests/test_cisco_esa.py +++ b/tests/test_cisco_esa.py 
@@ -15,46 +15,49 @@ env = Environment() testdata_http = [ - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Thu Aug 07 11:57:16 2020 Info: http service on 195.166.21.135:16872 redirecting to https port 16872', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 10:08:00 2020 Info: Session LH09MofqDf2j21zW9QN4 from 157.38.13.214 not found', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 10:10:30 2020 Info: PERIODIC REPORTS: PERIODIC_REPORTS.SYSTEM.STARTED', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:40:17 2020 Info: req:40.40.13.164 user:dummy_user1 id:LH09MofqDf2j21zW9QN2 200 GET /css/xyz HTTP/1.1 Mozilla/5.0 (Linux; U; Android 2.2.3; en-us; Droid Build/FRK76) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:12:39 2020 7.37.118.246 testmaillog: Info: Version: 8.7.2-004 SN: 942B2B684C96-29WTPQ2', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:25:08 2020 Info: System is coming up.', -]; + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Thu Aug 07 11:57:16 2020 Info: http service on 195.166.21.135:16872 redirecting to https port 16872", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 10:08:00 2020 Info: Session LH09MofqDf2j21zW9QN4 from 157.38.13.214 not found", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 10:10:30 2020 Info: PERIODIC REPORTS: PERIODIC_REPORTS.SYSTEM.STARTED", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:40:17 2020 Info: req:40.40.13.164 user:dummy_user1 id:LH09MofqDf2j21zW9QN2 200 GET /css/xyz HTTP/1.1 Mozilla/5.0 (Linux; U; Android 2.2.3; en-us; Droid Build/FRK76) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:12:39 2020 7.37.118.246 testmaillog: Info: Version: 8.7.2-004 SN: 942B2B684C96-29WTPQ2", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:25:08 2020 Info: System is coming up.", +] testdata_textmail = [ - '{{mark}} {{ 
bsd }} {{ host }} {{ app }}: Jul 16 10:46:46 2013 dummy_source_Domain2 mail_logs: Info: Version: 8.7.2-001 SN: 942B2B684C96-29WTPQ2', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 10:00:24 2020 Info: MID 192034 not completely scanned by SDS. Error: The number of URLs in the message attachments exceeded the URL scan limit.', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:52:59 2020 Info: ICID 442736 ACCEPT SG UNKNOWNLIST match sbrs[-2.0:10.0] SBRS -0.9', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:58:54 2020 Info: DCID 112095 TLS success protocol TLSv1 cipher AES128-SHA for dummy_domain.com', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:56:56 2020 Info: Message 548799 to RID [712290] pending till Mon Aug 10 09:56:56 2020', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Aug 2 23:59:52 10.0.1.1 MAIL_SecurityAudit: Info: MID 308049623 using engine: SPF Verdict Cache using cached verdict', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Jul 26 23:48:23 10.0.1.1 CES_VPN_Mail_SecurityAudit: Info: ICID 67542 Delayed HAT REJECT continuing session for recipient logging (223.71.167.166)', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Jul 23 12:23:59 SplunkMailSyslog: Info: SenderBase upload: 734 hosts totaling 201887 bytes', -]; + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Jul 16 10:46:46 2013 dummy_source_Domain2 mail_logs: Info: Version: 8.7.2-001 SN: 942B2B684C96-29WTPQ2", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 10:00:24 2020 Info: MID 192034 not completely scanned by SDS. 
Error: The number of URLs in the message attachments exceeded the URL scan limit.", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:52:59 2020 Info: ICID 442736 ACCEPT SG UNKNOWNLIST match sbrs[-2.0:10.0] SBRS -0.9", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:58:54 2020 Info: DCID 112095 TLS success protocol TLSv1 cipher AES128-SHA for dummy_domain.com", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:56:56 2020 Info: Message 548799 to RID [712290] pending till Mon Aug 10 09:56:56 2020", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Aug 2 23:59:52 10.0.1.1 MAIL_SecurityAudit: Info: MID 308049623 using engine: SPF Verdict Cache using cached verdict", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Jul 26 23:48:23 10.0.1.1 CES_VPN_Mail_SecurityAudit: Info: ICID 67542 Delayed HAT REJECT continuing session for recipient logging (223.71.167.166)", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Jul 23 12:23:59 SplunkMailSyslog: Info: SenderBase upload: 734 hosts totaling 201887 bytes", +] testdata_amp = [ - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 10:04:39 2020 Info: File uploaded for analysis. SHA256: 0172405634de890c729397377d975f059ef0becc3d072e8181d875a58eab1861, file name: Agenda_March15v3.doc', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:38:44 2020 Info: File not uploaded for analysis. MID = 357876 File SHA256[d7e25b63dcfe76d5528188fc801b847b4a98d6ad7234a3b2d93725d94b010e77] file mime[application/pdf] Reason: Analysis request is takenup', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:41:02 2020 Info: Response received for file reputation query from Cloud. File Name = \'tqps.rtf\', MID = 166267, Disposition = MALICIOUS, Malware = W32.C78352D892-95.SBX.TG, Reputation Score = 1, sha256 = 756a0c3fc7d82abb243795751174053f106b7b54e431778068fa7920064268e0, upload_action = 1', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:45:53 2020 Info: File reputation query initiating. 
File Name = \'Nursing Management Agenda.pdf\', MID = 852867, File Size = 189 bytes, File Type = application/pdf', -]; + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 10:04:39 2020 Info: File uploaded for analysis. SHA256: 0172405634de890c729397377d975f059ef0becc3d072e8181d875a58eab1861, file name: Agenda_March15v3.doc", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:38:44 2020 Info: File not uploaded for analysis. MID = 357876 File SHA256[d7e25b63dcfe76d5528188fc801b847b4a98d6ad7234a3b2d93725d94b010e77] file mime[application/pdf] Reason: Analysis request is takenup", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:41:02 2020 Info: Response received for file reputation query from Cloud. File Name = 'tqps.rtf', MID = 166267, Disposition = MALICIOUS, Malware = W32.C78352D892-95.SBX.TG, Reputation Score = 1, sha256 = 756a0c3fc7d82abb243795751174053f106b7b54e431778068fa7920064268e0, upload_action = 1", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:45:53 2020 Info: File reputation query initiating. 
File Name = 'Nursing Management Agenda.pdf', MID = 852867, File Size = 189 bytes, File Type = application/pdf", +] testdata_authentication = [ - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 10:11:29 2020 Info: Begin Logfile', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:51:36 2020 Info: User dummy_user from 125.65.72.214 was authenticated successfully.', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 10:01:26 2020 Info: The user admin successfully logged on from 74.151.97.24 using an HTTPS connection.', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:21:59 2020 Info: An authentication attempt by the user dummy_user1 from 27.148.207.85 failed', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:44:11 2020 Info: Time offset from UTC: 19207 seconds', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:43:53 2020 Info: User dummy_user2 from 184.186.3.161 failed authentication.', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:37:45 2020 Info: Version: 8.7.2-004 SN: 1024E857D276-JXKWBK2', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:44:51 2020 Info: logout:64.205.160.240 user:dummy_user1 session:LH09MofqDf2j21zW9QN1', - '{{mark}} {{ bsd }} {{ host }} {{ app }}: Aug 3 07:26:33 10.0.1.1 MAR_SecurityAudit: Info: Message containing attachment(s) for which verdict update was(were) available was not found in the recipient\'s () mailbox.', -]; + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 10:11:29 2020 Info: Begin Logfile", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:51:36 2020 Info: User dummy_user from 125.65.72.214 was authenticated successfully.", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 10:01:26 2020 Info: The user admin successfully logged on from 74.151.97.24 using an HTTPS connection.", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:21:59 2020 Info: An authentication attempt by the user dummy_user1 from 27.148.207.85 failed", + "{{mark}} {{ bsd }} 
{{ host }} {{ app }}: Mon Aug 10 09:44:11 2020 Info: Time offset from UTC: 19207 seconds", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:43:53 2020 Info: User dummy_user2 from 184.186.3.161 failed authentication.", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:37:45 2020 Info: Version: 8.7.2-004 SN: 1024E857D276-JXKWBK2", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Mon Aug 10 09:44:51 2020 Info: logout:64.205.160.240 user:dummy_user1 session:LH09MofqDf2j21zW9QN1", + "{{mark}} {{ bsd }} {{ host }} {{ app }}: Aug 3 07:26:33 10.0.1.1 MAR_SecurityAudit: Info: Message containing attachment(s) for which verdict update was(were) available was not found in the recipient's () mailbox.", +] + @pytest.mark.parametrize("event", testdata_http) -def test_cisco_esa_http(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): +def test_cisco_esa_http( + record_property, setup_wordlist, setup_splunk, setup_sc4s, event +): host = "cisco_esa" dt = datetime.datetime.now() @@ -64,14 +67,14 @@ def test_cisco_esa_http(record_property, setup_wordlist, setup_splunk, setup_sc4 epoch = epoch[:-7] mt = env.from_string(event + "\n") - message = mt.render(mark="<111>", bsd=bsd, host=host, app='ESA') + message = mt.render(mark="<111>", bsd=bsd, host=host, app="ESA") sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( 'search index=email _time={{ epoch }} sourcetype="cisco:esa:http" host="{{ host }}" _raw="{{ message }}"' ) - + message1 = mt.render(mark="", bsd="", host="", app="") message1 = message1.lstrip() search = st.render(epoch=epoch, host=host, message=message1[2:]) 
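Review bot: `search = st.render(epoch=epoch, host=host, message=message1[2:])` relies on an undocumented coupling: rendering the template with every header field blank leaves a leading `: ` after `lstrip()`, and `[2:]` strips exactly that, so a test event whose template does not end its header with `{{ app }}: ` would silently search for a truncated `_raw` and surface only as a failed assert. A one-line comment protects the slice from being "fixed", e.g. `# Blank the syslog header, then drop the ': ' left after '{{ app }}' to get the body sc4s stores as _raw`. Separately, that body is interpolated into the quoted `_raw="…"` SPL term with no escaping, so an event containing `"` or `\` would break the search rather than be matched; none of the events in this file contain those characters today, but escaping them before rendering would make the check robust. The enclosing test function starts and ends outside this hunk.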
@@ -84,8 +87,11 @@ def test_cisco_esa_http(record_property, setup_wordlist, setup_splunk, setup_sc4 assert resultCount == 1 + @pytest.mark.parametrize("event", testdata_textmail) -def test_cisco_esa_textmail(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): +def test_cisco_esa_textmail( + record_property, setup_wordlist, setup_splunk, setup_sc4s, event +): host = "cisco_esa" dt = datetime.datetime.now() @@ -95,14 +101,14 @@ def test_cisco_esa_textmail(record_property, setup_wordlist, setup_splunk, setup epoch = epoch[:-7] mt = env.from_string(event + "\n") - message = mt.render(mark="<111>", bsd=bsd, host=host, app='ESA') + message = mt.render(mark="<111>", bsd=bsd, host=host, app="ESA") sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( 'search index=email _time={{ epoch }} sourcetype="cisco:esa:textmail" host="{{ host }}" _raw="{{ message }}"' ) - + message1 = mt.render(mark="", bsd="", host="", app="") message1 = message1.lstrip() search = st.render(epoch=epoch, host=host, message=message1[2:]) @@ -115,8 +121,11 @@ def test_cisco_esa_textmail(record_property, setup_wordlist, setup_splunk, setup assert resultCount == 1 + @pytest.mark.parametrize("event", testdata_amp) -def test_cisco_esa_amp(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): +def test_cisco_esa_amp( + record_property, setup_wordlist, setup_splunk, setup_sc4s, event +): host = "cisco_esa" dt = datetime.datetime.now() 
@@ -126,14 +135,14 @@ def test_cisco_esa_amp(record_property, setup_wordlist, setup_splunk, setup_sc4s epoch = epoch[:-7] mt = env.from_string(event + "\n") - message = mt.render(mark="<111>", bsd=bsd, host=host, app='ESA') + message = mt.render(mark="<111>", bsd=bsd, host=host, app="ESA") sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( 'search index=email _time={{ epoch }} sourcetype="cisco:esa:amp" host="{{ host }}" _raw="{{ message }}"' ) - + message1 = mt.render(mark="", bsd="", host="", app="") message1 = message1.lstrip() search = st.render(epoch=epoch, host=host, message=message1[2:]) @@ -146,8 +155,11 @@ def test_cisco_esa_amp(record_property, setup_wordlist, setup_splunk, setup_sc4s assert resultCount == 1 + @pytest.mark.parametrize("event", testdata_authentication) -def test_cisco_esa_authentication(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): +def test_cisco_esa_authentication( + record_property, setup_wordlist, setup_splunk, setup_sc4s, event +): host = "cisco_esa" dt = datetime.datetime.now() @@ -157,14 +169,14 @@ def test_cisco_esa_authentication(record_property, setup_wordlist, setup_splunk, epoch = epoch[:-7] mt = env.from_string(event + "\n") - message = mt.render(mark="<111>", bsd=bsd, host=host, app='ESA') + message = mt.render(mark="<111>", bsd=bsd, host=host, app="ESA") sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( 'search index=email _time={{ epoch }} sourcetype="cisco:esa:authentication" host="{{ host }}" _raw="{{ message }}"' ) - + message1 = mt.render(mark="", bsd="", host="", app="") message1 = message1.lstrip() search = st.render(epoch=epoch, host=host, message=message1[2:]) @@ -177,6 +189,7 @@ def test_cisco_esa_authentication(record_property, setup_wordlist, setup_splunk, assert resultCount == 1 + def test_cisco_esa_cef(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "cisco-esa" 
@@ -187,12 +200,16 @@ def test_cisco_esa_cef(record_property, setup_wordlist, setup_splunk, setup_sc4s epoch = epoch[:-7] mt = env.from_string( - "{{ bsd }} {{ host }}: CEF:0|Cisco|C100V Email Security Virtual Appliance|13.0.0-283|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5| cs6Label={{ host }} cs6=Weak deviceExternalId=111111111111-ZZZZZZZZZZZ ESAMID=81 startTime=Mon Aug 10 09:26:47 2020 deviceInboundInterface=Incoming ESADMARCVerdict=Skipped dvc=1.1.1.1 ESAAttachmentDetails={'sample_ESA_attachment': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': 'c4b06a7c1886e6785b19a5e59d595b3e6fb38be4903b55b06087948db2a4dc8b'}, 'BodyScanner': {}}} ESAFriendlyFrom=sample_user deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=sample_user cs1Label=MailPolicy cs1=DEFAULT act=DQ ESAFinalActionDetails=To POLICY cs4Label=ExternalMsgID cs4='' duser=sample_duser ESAHeloIP=10.0.0.1 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=50 years 10 months 17 days cs3Label=SDRThreatCategory cs3=N/A ESASPFVerdict=None sourceHostName=unknown ESASenderGroup=UNKNOWNLIST sourceAddress=192.11.36.3 ESAICID=91 cs5Label=ESAMsgLanguage cs5=English msg=This is a sample subject cs2Label=GeoLocation cs2=India ESAMsgTooBigFromSender=true ESARateLimitedIP=10.0.0.2 ESADHASource=10.0.0.3 ESAHeloDomain=test.com ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES128-GCM-SHA256 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSInCipher=ECDHE-RSA-AES128-GCM-SHA256 ESADKIMVerdict=None ESAReplyTo=demo@test.com ESAASVerdict=SOCIAL_MAIL ESAAMPVerdict=UNSCANNABLE ESAAVVerdict=UNSCANNABLE ESAGMVerdict=POSITIVE ESACFVerdict=MATCH ESAOFVerdict=POSITIVE ESADLPVerdict=VIOLATION ESAURLDetails={url1:{expanded_url: sample_expanded_url, category: sample_category, wbrs_score: 45, in_attachment: dummy_attachment_file, Attachment_with_url: www.sample.attachment.url.com,},url2:{…}} ESAMARAction= {action:failure;succesful_rcpts=0;failed_recipients=41;filename=dummy_filename.txt} Message 
Filters Verdict=NO MATCH ESADCID=857 EndTime=Mon Aug 10 09:26:47 2020 ESADaneStatus=failure ESADaneHost=testdomain.com" + "\n") + "{{ bsd }} {{ host }}: CEF:0|Cisco|C100V Email Security Virtual Appliance|13.0.0-283|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5| cs6Label={{ host }} cs6=Weak deviceExternalId=111111111111-ZZZZZZZZZZZ ESAMID=81 startTime=Mon Aug 10 09:26:47 2020 deviceInboundInterface=Incoming ESADMARCVerdict=Skipped dvc=1.1.1.1 ESAAttachmentDetails={'sample_ESA_attachment': {'AMP': {'Verdict': 'FILE UNKNOWN', 'fileHash': 'c4b06a7c1886e6785b19a5e59d595b3e6fb38be4903b55b06087948db2a4dc8b'}, 'BodyScanner': {}}} ESAFriendlyFrom=sample_user deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=sample_user cs1Label=MailPolicy cs1=DEFAULT act=DQ ESAFinalActionDetails=To POLICY cs4Label=ExternalMsgID cs4='' duser=sample_duser ESAHeloIP=10.0.0.1 cfp1Label=SBRSScore cfp1=None ESASDRDomainAge=50 years 10 months 17 days cs3Label=SDRThreatCategory cs3=N/A ESASPFVerdict=None sourceHostName=unknown ESASenderGroup=UNKNOWNLIST sourceAddress=192.11.36.3 ESAICID=91 cs5Label=ESAMsgLanguage cs5=English msg=This is a sample subject cs2Label=GeoLocation cs2=India ESAMsgTooBigFromSender=true ESARateLimitedIP=10.0.0.2 ESADHASource=10.0.0.3 ESAHeloDomain=test.com ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES128-GCM-SHA256 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSInCipher=ECDHE-RSA-AES128-GCM-SHA256 ESADKIMVerdict=None ESAReplyTo=demo@test.com ESAASVerdict=SOCIAL_MAIL ESAAMPVerdict=UNSCANNABLE ESAAVVerdict=UNSCANNABLE ESAGMVerdict=POSITIVE ESACFVerdict=MATCH ESAOFVerdict=POSITIVE ESADLPVerdict=VIOLATION ESAURLDetails={url1:{expanded_url: sample_expanded_url, category: sample_category, wbrs_score: 45, in_attachment: dummy_attachment_file, Attachment_with_url: www.sample.attachment.url.com,},url2:{…}} ESAMARAction= {action:failure;succesful_rcpts=0;failed_recipients=41;filename=dummy_filename.txt} Message Filters Verdict=NO 
MATCH ESADCID=857 EndTime=Mon Aug 10 09:26:47 2020 ESADaneStatus=failure ESADaneHost=testdomain.com" + + "\n" + ) message = mt.render(mark="<111>", bsd=bsd, host=host, app="ESA") sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=email \"{{ host }}\" sourcetype=\"cisco:esa:cef\" source=\"esa:consolidated\"") + st = env.from_string( + 'search _time={{ epoch }} index=email "{{ host }}" sourcetype="cisco:esa:cef" source="esa:consolidated"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -201,4 +218,4 @@ def test_cisco_esa_cef(record_property, setup_wordlist, setup_splunk, setup_sc4s record_property("resultCount", resultCount) record_property("message", message) - assert resultCount == 1 \ No newline at end of file + assert resultCount == 1 diff --git a/tests/test_cisco_hyperflex.py b/tests/test_cisco_hyperflex.py index 64bab491eb..e8d973c852 100644 --- a/tests/test_cisco_hyperflex.py +++ b/tests/test_cisco_hyperflex.py 
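Review bot: `message = mt.render(mark="<111>", bsd=bsd, host=host, app="ESA")` passes `mark` and `app`, but the template on the preceding lines has no `{{ mark }}` or `{{ app }}` placeholder, so unlike every other test in this file the CEF event is sent with no syslog PRI at all. If exercising PRI-less CEF input is intended, say so with `# Deliberately sent without <PRI>: exercises the PRI-less CEF path`; otherwise prefix the template with `{{ mark }} ` like the other ESA templates. The reformatted search also matches `"{{ host }}"` only as free text, and because `cs6Label={{ host }}` puts the same string inside the payload it would still match if host extraction were wrong; `host="{{ host }}"` as used by the other ESA searches is the stronger check. The function continues outside this hunk.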
@@ -11,19 +11,28 @@ from .splunkutils import * from .timeutils import * import pytest + env = Environment() # https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2017/pdf/TECUCC-3000.pdf -test_device_connector = [r'{{mark}} {{bsd}} {{ host }} hx-device-connector: 433 Running job task {"traceId": "AS44b5d3f67f8b7d1911a2615bde31b566", "traceId": "DCJOBf51022fbb9992e2623cdb1f415bdb838", "jobName": "duracell:health"}'] -#<13>Oct 26 09:22:27.524 hostname hx-ssl-access: - - [26/Oct/2020:17:22:26 +0800] "GET /coreapi/v1/clusters/000000:0000000/alarms HTTP/1.1" 200 2 "-" "Go-http-client/1.1" -test_audit_data = [r'{{mark}} {{bsd}} {{ host }} hx-audit-rest: 22:26.678 - PERFORMANCE TRACE - HxSvcMgrClient.getHxClusterIdentifier -> 4 ms'] -test_ssl_data =[r'{{mark}} {{bsd}} {{ host }} hx-ssl-access: - - [26/Oct/2020:17:22:26 +0800] "GET /coreapi/v1/clusters/000000:0000000/alarms HTTP/1.1" 200 2 "-" "Go-http-client/1.1"'] +test_device_connector = [ + r'{{mark}} {{bsd}} {{ host }} hx-device-connector: 433 Running job task {"traceId": "AS44b5d3f67f8b7d1911a2615bde31b566", "traceId": "DCJOBf51022fbb9992e2623cdb1f415bdb838", "jobName": "duracell:health"}' +] +# <13>Oct 26 09:22:27.524 hostname hx-ssl-access: - - [26/Oct/2020:17:22:26 +0800] "GET /coreapi/v1/clusters/000000:0000000/alarms HTTP/1.1" 200 2 "-" "Go-http-client/1.1" +test_audit_data = [ + r"{{mark}} {{bsd}} {{ host }} hx-audit-rest: 22:26.678 - PERFORMANCE TRACE - HxSvcMgrClient.getHxClusterIdentifier -> 4 ms" +] +test_ssl_data = [ + r'{{mark}} {{bsd}} {{ host }} hx-ssl-access: - - [26/Oct/2020:17:22:26 +0800] "GET /coreapi/v1/clusters/000000:0000000/alarms HTTP/1.1" 200 2 "-" "Go-http-client/1.1"' +] + @pytest.mark.parametrize("event", test_device_connector) -def test_cisco_ucs_hyperflex(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): - host = "{}-{}".format(random.choice(setup_wordlist), - random.choice(setup_wordlist)) +def test_cisco_ucs_hyperflex( + record_property, setup_wordlist, setup_splunk, 
setup_sc4s, event +): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) @@ -35,7 +44,8 @@ def test_cisco_ucs_hyperflex(record_property, setup_wordlist, setup_splunk, setu sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search _time={{ epoch }} index=infraops host={{ host }} sourcetype=\"cisco:ucs:hx\"") + 'search _time={{ epoch }} index=infraops host={{ host }} sourcetype="cisco:ucs:hx"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -46,10 +56,12 @@ def test_cisco_ucs_hyperflex(record_property, setup_wordlist, setup_splunk, setu assert resultCount == 1 + @pytest.mark.parametrize("event", test_audit_data) -def test_cisco_ucs_hyperflex_audit(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): - host = "{}-{}".format(random.choice(setup_wordlist), - random.choice(setup_wordlist)) +def test_cisco_ucs_hyperflex_audit( + record_property, setup_wordlist, setup_splunk, setup_sc4s, event +): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) @@ -61,7 +73,8 @@ def test_cisco_ucs_hyperflex_audit(record_property, setup_wordlist, setup_splunk sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search _time={{ epoch }} index=infraops host={{ host }} sourcetype=\"cisco:ucs:hx\"") + 'search _time={{ epoch }} index=infraops host={{ host }} sourcetype="cisco:ucs:hx"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
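Review bot: The `# <13>Oct 26 09:22:27.524 hostname hx-ssl-access: ...` reference line sits directly above `test_audit_data`, yet it is the `hx-ssl-access` event that `test_ssl_data` reproduces verbatim, while the `hx-audit-rest` entry it actually precedes has no sample at all; move the comment down to `test_ssl_data`, or drop it since that list already carries the same event. The device-connector sample also repeats the `"traceId"` key inside its JSON payload; if that mirrors a real HyperFlex event it deserves a short note, because a reader will otherwise take it for a copy-paste slip. The `test_cisco_ucs_hyperflex` definition opened in this hunk continues in the next one.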
@@ -72,10 +85,12 @@ def test_cisco_ucs_hyperflex_audit(record_property, setup_wordlist, setup_splunk assert resultCount == 1 + @pytest.mark.parametrize("event", test_ssl_data) -def test_cisco_ucs_hyperflex_ssl(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): - host = "{}-{}".format(random.choice(setup_wordlist), - random.choice(setup_wordlist)) +def test_cisco_ucs_hyperflex_ssl( + record_property, setup_wordlist, setup_splunk, setup_sc4s, event +): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) @@ -87,7 +102,8 @@ def test_cisco_ucs_hyperflex_ssl(record_property, setup_wordlist, setup_splunk, sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search _time={{ epoch }} index=infraops host={{ host }} sourcetype=\"cisco:ucs:hx\"") + 'search _time={{ epoch }} index=infraops host={{ host }} sourcetype="cisco:ucs:hx"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -96,4 +112,4 @@ def test_cisco_ucs_hyperflex_ssl(record_property, setup_wordlist, setup_splunk, record_property("resultCount", resultCount) record_property("message", message) - assert resultCount == 1 \ No newline at end of file + assert resultCount == 1 diff --git a/tests/test_cisco_ise.py b/tests/test_cisco_ise.py index 093f961efe..89ba8f378b 100644 --- a/tests/test_cisco_ise.py +++ b/tests/test_cisco_ise.py 
@@ -14,10 +14,11 @@ env = Environment() -#<165>Apr 24 15:00:48 ICDC-ISE03 CISE_Passed_Authentications 0001939187 4 0 2019-04-24 15:00:48.610 +00:00 0042009748 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=128, Device IP Address=10.6.64.15, DestinationIPAddress=10.16.20.23, DestinationPort=1812, UserName=90-1B-0E-34-EA-92, Protocol=Radius, RequestLatency=8, NetworkDeviceName=ICPAV2-SW15, User-Name=901b0e34ea92, NAS-IP-Address=10.6.64.15, NAS-Port=50104, Service-Type=Call Check, Framed-IP-Address=10.6.226.138, Framed-MTU=1500, Called-Station-ID=B0-FA-EB-11-70-04, Calling-Station-ID=90-1B-0E-34-EA-92, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/4, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A06400F000006AA6F83C371, cisco-av-pair=method=mab, OriginalUserName=901b0e34ea92, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b2652f13-5b3f-41ba-ada2-8385c8870809, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=B0-FA-EB-11-70-04, -#<165>Apr 24 15:00:48 ICDC-ISE03 CISE_Passed_Authentications 0001939187 4 1 AcsSessionID=ICDC-ISE03/341048949/1407358, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WIRED_GUEST_REDIRECT, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Unknown, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=24715, Step=15036, Step=15048, Step=15048, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All Locations#Provo, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=Migrated NDGs#All Migrated NDGs, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Guest Web Auth, UserType=Host, 
CPMSessionID=0A06400F000006AA6F83C371, EndPointMACAddress=90-1B-0E-34-EA-92, -#<165>Apr 24 15:00:48 ICDC-ISE03 CISE_Passed_Authentications 0001939187 4 2 PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Unknown, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Wired MAB, IdentitySelectionMatchedRule=Default, StepData=5= Aruba.Aruba-Essid-Name, StepData=6= DEVICE.Device Type, StepData=8=Internal Endpoints, StepData=14= EndPoints.LogicalProfile, StepData=15= Network Access.Protocol, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:Unknown, Network Device Profile=Cisco, Location=Location#All Locations#Provo, Device Type=Device Type#All Device Types#Switches, Migrated NDGs=Migrated NDGs#All Migrated NDGs, Name=Endpoint Identity Groups:Unknown, -#<165>Apr 24 15:00:48 ICDC-ISE03 CISE_Passed_Authentications 0001939187 4 3 Response={UserName=90:1B:0E:34:EA:92; User-Name=90-1B-0E-34-EA-92; State=ReauthSession:0A06400F000006AA6F83C371; Class=CACS:0A06400F000006AA6F83C371:ICDC-ISE03/341048949/1407358; Session-Timeout=300; Idle-Timeout=240; Termination-Action=RADIUS-Request; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://ICDC-ISE03.example.com:8443/portal/gateway?sessionId=0A06400F000006AA6F83C371&portal=c5a76cb0-6150-11e5-b062-0050568d954e&action=cwa&type=drw&token=6ded1943789b345f7afdd09e91549047; cisco-av-pair=profile-name=Unknown; LicenseTypes=1; }, +# <165>Apr 24 15:00:48 ICDC-ISE03 CISE_Passed_Authentications 0001939187 4 0 2019-04-24 15:00:48.610 +00:00 0042009748 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=128, Device IP Address=10.6.64.15, DestinationIPAddress=10.16.20.23, DestinationPort=1812, UserName=90-1B-0E-34-EA-92, Protocol=Radius, RequestLatency=8, NetworkDeviceName=ICPAV2-SW15, User-Name=901b0e34ea92, NAS-IP-Address=10.6.64.15, NAS-Port=50104, Service-Type=Call Check, Framed-IP-Address=10.6.226.138, Framed-MTU=1500, 
Called-Station-ID=B0-FA-EB-11-70-04, Calling-Station-ID=90-1B-0E-34-EA-92, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/4, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A06400F000006AA6F83C371, cisco-av-pair=method=mab, OriginalUserName=901b0e34ea92, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b2652f13-5b3f-41ba-ada2-8385c8870809, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=B0-FA-EB-11-70-04, +# <165>Apr 24 15:00:48 ICDC-ISE03 CISE_Passed_Authentications 0001939187 4 1 AcsSessionID=ICDC-ISE03/341048949/1407358, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WIRED_GUEST_REDIRECT, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Unknown, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=24715, Step=15036, Step=15048, Step=15048, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All Locations#Provo, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=Migrated NDGs#All Migrated NDGs, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Guest Web Auth, UserType=Host, CPMSessionID=0A06400F000006AA6F83C371, EndPointMACAddress=90-1B-0E-34-EA-92, +# <165>Apr 24 15:00:48 ICDC-ISE03 CISE_Passed_Authentications 0001939187 4 2 PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Unknown, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Wired MAB, IdentitySelectionMatchedRule=Default, StepData=5= Aruba.Aruba-Essid-Name, StepData=6= DEVICE.Device Type, StepData=8=Internal Endpoints, StepData=14= EndPoints.LogicalProfile, StepData=15= Network Access.Protocol, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint 
Identity Groups:Unknown, Network Device Profile=Cisco, Location=Location#All Locations#Provo, Device Type=Device Type#All Device Types#Switches, Migrated NDGs=Migrated NDGs#All Migrated NDGs, Name=Endpoint Identity Groups:Unknown, +# <165>Apr 24 15:00:48 ICDC-ISE03 CISE_Passed_Authentications 0001939187 4 3 Response={UserName=90:1B:0E:34:EA:92; User-Name=90-1B-0E-34-EA-92; State=ReauthSession:0A06400F000006AA6F83C371; Class=CACS:0A06400F000006AA6F83C371:ICDC-ISE03/341048949/1407358; Session-Timeout=300; Idle-Timeout=240; Termination-Action=RADIUS-Request; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://ICDC-ISE03.example.com:8443/portal/gateway?sessionId=0A06400F000006AA6F83C371&portal=c5a76cb0-6150-11e5-b062-0050568d954e&action=cwa&type=drw&token=6ded1943789b345f7afdd09e91549047; cisco-av-pair=profile-name=Unknown; LicenseTypes=1; }, + def test_cisco_ise_multi(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) 
@@ -31,8 +32,11 @@ def test_cisco_ise_multi(record_property, setup_wordlist, setup_splunk, setup_sc epoch = epoch[:-3] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 0 {{ date }} {{ time }} {{ tzoffset }} 0042009748 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=128, Device IP Address=10.6.64.15, DestinationIPAddress=10.16.20.23, DestinationPort=1812, UserName=90-1B-0E-34-EA-92, Protocol=Radius, RequestLatency=8, NetworkDeviceName=ICPAV2-SW15, User-Name=901b0e34ea92, NAS-IP-Address=10.6.64.15, NAS-Port=50104, Service-Type=Call Check, Framed-IP-Address=10.6.226.138, Framed-MTU=1500, Called-Station-ID=B0-FA-EB-11-70-04, Calling-Station-ID=90-1B-0E-34-EA-92, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/4, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0A06400F000006AA6F83C371, cisco-av-pair=method=mab, OriginalUserName=901b0e34ea92, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b2652f13-5b3f-41ba-ada2-8385c8870809, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=B0-FA-EB-11-70-04,\n") - message = mt.render(mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 0 {{ date }} {{ time }} {{ tzoffset }} 0042009748 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=128, Device IP Address=10.6.64.15, DestinationIPAddress=10.16.20.23, DestinationPort=1812, UserName=90-1B-0E-34-EA-92, Protocol=Radius, RequestLatency=8, NetworkDeviceName=ICPAV2-SW15, User-Name=901b0e34ea92, NAS-IP-Address=10.6.64.15, NAS-Port=50104, Service-Type=Call Check, Framed-IP-Address=10.6.226.138, Framed-MTU=1500, Called-Station-ID=B0-FA-EB-11-70-04, Calling-Station-ID=90-1B-0E-34-EA-92, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/4, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, 
cisco-av-pair=audit-session-id=0A06400F000006AA6F83C371, cisco-av-pair=method=mab, OriginalUserName=901b0e34ea92, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b2652f13-5b3f-41ba-ada2-8385c8870809, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, SSID=B0-FA-EB-11-70-04,\n" + ) + message = mt.render( + mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) # Generate new datetime for subsequent messages; not used in log path parser so actually could be anything 
@@ -40,34 +44,45 @@ def test_cisco_ise_multi(record_property, setup_wordlist, setup_splunk, setup_sc bsd = dt.strftime("%b %d %H:%M:%S") mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 1 AcsSessionID=ICDC-ISE03/341048949/1407358, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WIRED_GUEST_REDIRECT, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Unknown, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=24715, Step=15036, Step=15048, Step=15048, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All Locations#Provo, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=Migrated NDGs#All Migrated NDGs, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Guest Web Auth, UserType=Host, CPMSessionID=0A06400F000006AA6F83C371, EndPointMACAddress=90-1B-0E-34-EA-92,\n") - message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 1 AcsSessionID=ICDC-ISE03/341048949/1407358, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WIRED_GUEST_REDIRECT, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Unknown, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=24715, Step=15036, Step=15048, Step=15048, Step=15016, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All 
Locations#Provo, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=Migrated NDGs#All Migrated NDGs, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Guest Web Auth, UserType=Host, CPMSessionID=0A06400F000006AA6F83C371, EndPointMACAddress=90-1B-0E-34-EA-92,\n" + ) + message = mt.render( + mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 2 PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Unknown, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Wired MAB, IdentitySelectionMatchedRule=Default, StepData=5= Aruba.Aruba-Essid-Name, StepData=6= DEVICE.Device Type, StepData=8=Internal Endpoints, StepData=14= EndPoints.LogicalProfile, StepData=15= Network Access.Protocol, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:Unknown, Network Device Profile=Cisco, Location=Location#All Locations#Provo, Device Type=Device Type#All Device Types#Switches, Migrated NDGs=Migrated NDGs#All Migrated NDGs, Name=Endpoint Identity Groups:Unknown,\n") - message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 2 PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=Unknown, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Wired MAB, IdentitySelectionMatchedRule=Default, StepData=5= Aruba.Aruba-Essid-Name, StepData=6= DEVICE.Device Type, StepData=8=Internal Endpoints, StepData=14= EndPoints.LogicalProfile, StepData=15= Network Access.Protocol, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:Unknown, Network Device Profile=Cisco, Location=Location#All Locations#Provo, Device Type=Device Type#All Device Types#Switches, Migrated 
NDGs=Migrated NDGs#All Migrated NDGs, Name=Endpoint Identity Groups:Unknown,\n" + ) + message = mt.render( + mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 3 Response={UserName=90:1B:0E:34:EA:92; User-Name=90-1B-0E-34-EA-92; State=ReauthSession:0A06400F000006AA6F83C371; Class=CACS:0A06400F000006AA6F83C371:ICDC-ISE03/341048949/1407358; Session-Timeout=300; Idle-Timeout=240; Termination-Action=RADIUS-Request; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://ICDC-ISE03.example.com:8443/portal/gateway?sessionId=0A06400F000006AA6F83C371&portal=c5a76cb0-6150-11e5-b062-0050568d954e&action=cwa&type=drw&token=6ded1943789b345f7afdd09e91549047; cisco-av-pair=profile-name=Unknown; LicenseTypes=1; },\n") - message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 3 Response={UserName=90:1B:0E:34:EA:92; User-Name=90-1B-0E-34-EA-92; State=ReauthSession:0A06400F000006AA6F83C371; Class=CACS:0A06400F000006AA6F83C371:ICDC-ISE03/341048949/1407358; Session-Timeout=300; Idle-Timeout=240; Termination-Action=RADIUS-Request; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://ICDC-ISE03.example.com:8443/portal/gateway?sessionId=0A06400F000006AA6F83C371&portal=c5a76cb0-6150-11e5-b062-0050568d954e&action=cwa&type=drw&token=6ded1943789b345f7afdd09e91549047; cisco-av-pair=profile-name=Unknown; LicenseTypes=1; },\n" + ) + message = mt.render( + mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netauth host=\"{{ host }}\" sourcetype=\"cisco:ise:syslog\" LicenseTypes=1") + st = env.from_string( + 
'search _time={{ epoch }} index=netauth host="{{ host }}" sourcetype="cisco:ise:syslog" LicenseTypes=1' + ) search = st.render(epoch=epoch, host=host) sleep(35) - + resultCount, eventCount = splunk_single(setup_splunk, search) record_property("host", host) record_property("resultCount", resultCount) record_property("message", message) - assert resultCount == 1 + def test_cisco_ise_merge(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) @@ -80,8 +95,11 @@ def test_cisco_ise_merge(record_property, setup_wordlist, setup_splunk, setup_sc epoch = epoch[:-3] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 0 {{ date }} {{ time }} {{ tzoffset }} 0042009748 5200 NOTICE Passed-Authentication: part one,\n") - message = mt.render(mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 0 {{ date }} {{ time }} {{ tzoffset }} 0042009748 5200 NOTICE Passed-Authentication: part one,\n" + ) + message = mt.render( + mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) # Generate new datetime for subsequent messages; not used in log path parser so actually could be anything 
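Review bot: The `sleep(35)` before the search in test_cisco_ise_multi carries no explanation, and none of the other tests in this file wait before searching, so the number reads as a tuning constant a later reader cannot check. A comment naming what the wait is for would help, e.g. `# wait for the four CISE_Passed_Authentications segments to be joined before searching; 35 s presumably covers the aggregation timeout (TODO: confirm against the sc4s config)`. test_cisco_ise_multi starts outside this hunk.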
@@ -89,21 +107,32 @@ def test_cisco_ise_merge(record_property, setup_wordlist, setup_splunk, setup_sc bsd = dt.strftime("%b %d %H:%M:%S") mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 1 part two,\n") - message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 1 part two,\n" + ) + message = mt.render( + mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 2 part three,\n") - message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 2 part three,\n" + ) + message = mt.render( + mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 3 part four,\n") - message = mt.render(mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + "{{ mark }} {{ bsd }} {{ host }} CISE_Passed_Authentications 0001939187 4 3 part four,\n" + ) + message = mt.render( + mark="<111>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netauth host=\"{{ host }}\" sourcetype=\"cisco:ise:syslog\" one two three four") + st = env.from_string( + 'search _time={{ epoch }} index=netauth host="{{ host }}" sourcetype="cisco:ise:syslog" one two three four' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
@@ -114,7 +143,8 @@ def test_cisco_ise_merge(record_property, setup_wordlist, setup_splunk, setup_sc assert resultCount == 1 -#<181>Oct 24 21:00:02 ciscohost CISE_RADIUS_Accounting 0006028545 1 0 2019-10-24 21:00:02.305 +00:00 0088472694 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=336, Device IP Address=10.0.0.3, RequestLatency=3, NetworkDeviceName=nc-aaa-aaa1, User-Name=U100000.ent.corp, NAS-IP-Address=10.0.0.3, NAS-Port=50047, Service-Type=Framed, Framed-IP-Address=10.0.0.80, Class=CACS:0AEF12345677832097B3F362:ncsilsepsuie212/356139633/9969901, Called-Station-ID=00-08-00-00-1B-AF, Calling-Station-ID=00-00-00-00-A0-7E, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=653293631, Acct-Output-Octets=1497972244, Acct-Session-Id=00000B68, Acct-Authentic=RADIUS, Acct-Session-Time=241598, Acct-Input-Packets=2656224, Acct-Output-Packets=7614179, Acct-Input-Gigawords=0, Acct-Output-Gigawords=1, NAS-Port-Type=Ethernet, NAS-Port-Id=FastEthernet0/47, undefined-151=31D7AADD, cisco-av-pair=audit-session-id=0AEF10030000032097B3F362, cisco-av-pair=connect-progress=Auth Open, AcsSessionID=ncsilsepsuie205/359238109/4017186, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=22094, Step=11005, NetworkDeviceGroups=Location#All Locations#NC, NetworkDeviceGroups=Device Type#All Device Types#Switch#2960-Switches, NetworkDeviceGroups=All Network Device Groups#All Network Device Groups, CPMSessionID=0AEF10030000032097B3F362, AllowedProtocolMatchedRule=EAP-TLS, All Network Device Groups=All Network Device Groups#All Network Device Groups, Location=Location#All Locations#NC, Device Type=Device Type#All Device Types#Switch#2960-Switches, Network Device Profile=Cisco, + +# <181>Oct 24 21:00:02 ciscohost CISE_RADIUS_Accounting 0006028545 1 0 2019-10-24 21:00:02.305 +00:00 0088472694 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog 
update, ConfigVersionId=336, Device IP Address=10.0.0.3, RequestLatency=3, NetworkDeviceName=nc-aaa-aaa1, User-Name=U100000.ent.corp, NAS-IP-Address=10.0.0.3, NAS-Port=50047, Service-Type=Framed, Framed-IP-Address=10.0.0.80, Class=CACS:0AEF12345677832097B3F362:ncsilsepsuie212/356139633/9969901, Called-Station-ID=00-08-00-00-1B-AF, Calling-Station-ID=00-00-00-00-A0-7E, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=653293631, Acct-Output-Octets=1497972244, Acct-Session-Id=00000B68, Acct-Authentic=RADIUS, Acct-Session-Time=241598, Acct-Input-Packets=2656224, Acct-Output-Packets=7614179, Acct-Input-Gigawords=0, Acct-Output-Gigawords=1, NAS-Port-Type=Ethernet, NAS-Port-Id=FastEthernet0/47, undefined-151=31D7AADD, cisco-av-pair=audit-session-id=0AEF10030000032097B3F362, cisco-av-pair=connect-progress=Auth Open, AcsSessionID=ncsilsepsuie205/359238109/4017186, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=22094, Step=11005, NetworkDeviceGroups=Location#All Locations#NC, NetworkDeviceGroups=Device Type#All Device Types#Switch#2960-Switches, NetworkDeviceGroups=All Network Device Groups#All Network Device Groups, CPMSessionID=0AEF10030000032097B3F362, AllowedProtocolMatchedRule=EAP-TLS, All Network Device Groups=All Network Device Groups#All Network Device Groups, Location=Location#All Locations#NC, Device Type=Device Type#All Device Types#Switch#2960-Switches, Network Device Profile=Cisco, def test_cisco_ise_single(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) 
@@ -127,11 +157,16 @@ def test_cisco_ise_single(record_property, setup_wordlist, setup_splunk, setup_s epoch = epoch[:-3] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} CISE_RADIUS_Accounting 0006028545 1 0 {{ date }} {{ time }} {{ tzoffset }} 0088472694 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=336, Device IP Address=10.0.0.3, RequestLatency=3, NetworkDeviceName=nc-aaa-aaa1, User-Name=U100000.ent.corp, NAS-IP-Address=10.0.0.3, NAS-Port=50047, Service-Type=Framed, Framed-IP-Address=10.0.0.80, Class=CACS:0AEF12345677832097B3F362:ncsilsepsuie212/356139633/9969901, Called-Station-ID=00-08-00-00-1B-AF, Calling-Station-ID=00-00-00-00-A0-7E, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=653293631, Acct-Output-Octets=1497972244, Acct-Session-Id=00000B68, Acct-Authentic=RADIUS, Acct-Session-Time=241598, Acct-Input-Packets=2656224, Acct-Output-Packets=7614179, Acct-Input-Gigawords=0, Acct-Output-Gigawords=1, NAS-Port-Type=Ethernet, NAS-Port-Id=FastEthernet0/47, undefined-151=31D7AADD, cisco-av-pair=audit-session-id=0AEF10030000032097B3F362, cisco-av-pair=connect-progress=Auth Open, AcsSessionID=ncsilsepsuie205/359238109/4017186, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=22094, Step=11005, NetworkDeviceGroups=Location#All Locations#NC, NetworkDeviceGroups=Device Type#All Device Types#Switch#2960-Switches, NetworkDeviceGroups=All Network Device Groups#All Network Device Groups, CPMSessionID=0AEF10030000032097B3F362, AllowedProtocolMatchedRule=EAP-TLS, All Network Device Groups=All Network Device Groups#All Network Device Groups, Location=Location#All Locations#NC, Device Type=Device Type#All Device Types#Switch#2960-Switches, Network Device Profile=Cisco,\n") - message = mt.render(mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + "{{ mark }} {{ bsd }} {{ host }} 
CISE_RADIUS_Accounting 0006028545 1 0 {{ date }} {{ time }} {{ tzoffset }} 0088472694 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=336, Device IP Address=10.0.0.3, RequestLatency=3, NetworkDeviceName=nc-aaa-aaa1, User-Name=U100000.ent.corp, NAS-IP-Address=10.0.0.3, NAS-Port=50047, Service-Type=Framed, Framed-IP-Address=10.0.0.80, Class=CACS:0AEF12345677832097B3F362:ncsilsepsuie212/356139633/9969901, Called-Station-ID=00-08-00-00-1B-AF, Calling-Station-ID=00-00-00-00-A0-7E, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=653293631, Acct-Output-Octets=1497972244, Acct-Session-Id=00000B68, Acct-Authentic=RADIUS, Acct-Session-Time=241598, Acct-Input-Packets=2656224, Acct-Output-Packets=7614179, Acct-Input-Gigawords=0, Acct-Output-Gigawords=1, NAS-Port-Type=Ethernet, NAS-Port-Id=FastEthernet0/47, undefined-151=31D7AADD, cisco-av-pair=audit-session-id=0AEF10030000032097B3F362, cisco-av-pair=connect-progress=Auth Open, AcsSessionID=ncsilsepsuie205/359238109/4017186, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15004, Step=22094, Step=11005, NetworkDeviceGroups=Location#All Locations#NC, NetworkDeviceGroups=Device Type#All Device Types#Switch#2960-Switches, NetworkDeviceGroups=All Network Device Groups#All Network Device Groups, CPMSessionID=0AEF10030000032097B3F362, AllowedProtocolMatchedRule=EAP-TLS, All Network Device Groups=All Network Device Groups#All Network Device Groups, Location=Location#All Locations#NC, Device Type=Device Type#All Device Types#Switch#2960-Switches, Network Device Profile=Cisco,\n" + ) + message = mt.render( + mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netauth host=\"{{ host }}\" sourcetype=\"cisco:ise:syslog\"") + st = env.from_string( + 'search _time={{ 
epoch }} index=netauth host="{{ host }}" sourcetype="cisco:ise:syslog"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -142,8 +177,11 @@ def test_cisco_ise_single(record_property, setup_wordlist, setup_splunk, setup_s assert resultCount == 1 -#<181>Oct 24 21:00:02 ciscohost CISE_Alarm WARN: RADIUS Authentication Request dropped : Server=10.0.0.5; NAS IP Address=10.29.29.27; NAS Identifier=Dumm_d5:02:4f; Failure Reason=12508 EAP-TLS handshake failed -def test_cisco_ise_cise_alarm_single(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +# <181>Oct 24 21:00:02 ciscohost CISE_Alarm WARN: RADIUS Authentication Request dropped : Server=10.0.0.5; NAS IP Address=10.29.29.27; NAS Identifier=Dumm_d5:02:4f; Failure Reason=12508 EAP-TLS handshake failed +def test_cisco_ise_cise_alarm_single( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() 
@@ -155,11 +193,16 @@ def test_cisco_ise_cise_alarm_single(record_property, setup_wordlist, setup_splu epoch = epoch[:-3] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} CISE_Alarm WARN: RADIUS Authentication Request dropped : Server=10.0.0.5; NAS IP Address=10.29.29.27; NAS Identifier=Dumm_d5:02:4f; Failure Reason=12508 EAP-TLS handshake failed\n") - message = mt.render(mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset) + "{{ mark }} {{ bsd }} {{ host }} CISE_Alarm WARN: RADIUS Authentication Request dropped : Server=10.0.0.5; NAS IP Address=10.29.29.27; NAS Identifier=Dumm_d5:02:4f; Failure Reason=12508 EAP-TLS handshake failed\n" + ) + message = mt.render( + mark="<165>", bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search index=netauth host=\"{{ host }}\" sourcetype=\"cisco:ise:syslog\" \"Server=10.0.0.5\"") + st = env.from_string( + 'search index=netauth host="{{ host }}" sourcetype="cisco:ise:syslog" "Server=10.0.0.5"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_cisco_meraki.py b/tests/test_cisco_meraki.py index d92c443383..a6d890a9d0 100644 --- a/tests/test_cisco_meraki.py +++ b/tests/test_cisco_meraki.py 
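Review bot: In test_cisco_ise_cise_alarm_single the reformatted search template `'search index=netauth host="{{ host }}" sourcetype="cisco:ise:syslog" "Server=10.0.0.5"'` has no `_time={{ epoch }}` term, unlike the other searches in this file, yet `search = st.render(epoch=epoch, host=host)` still passes an epoch the template never uses. If the parsed _time is expected to match the sent header, add `_time={{ epoch }}` so the search pins the event like its siblings do; otherwise drop the unused argument (`search = st.render(host=host)`) and add a short comment saying why the alarm format is searched by content instead. The function starts outside this hunk.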
@@ -13,8 +13,10 @@ env = Environment() -#<134>1 1563249630.774247467 devicename security_event ids_alerted signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection -def test_cisco_meraki_security_event(record_property, setup_wordlist, setup_splunk, setup_sc4s): +# <134>1 1563249630.774247467 devicename security_event ids_alerted signature=1:28423:1 priority=1 timestamp=1468531589.810079 dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection +def test_cisco_meraki_security_event( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() 
@@ -24,12 +26,15 @@ def test_cisco_meraki_security_event(record_property, setup_wordlist, setup_splu epoch_ms = epoch[:-3] mt = env.from_string( - "{{ mark }}1 {{ epoch }}123 testcm-{{ host }} security_event ids_alerted signature=1:28423:1 priority=1 timestamp={{ epoch }} dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection\n") + "{{ mark }}1 {{ epoch }}123 testcm-{{ host }} security_event ids_alerted signature=1:28423:1 priority=1 timestamp={{ epoch }} dhost=98:5A:EB:E1:81:2F direction=ingress protocol=tcp/ip src=151.101.52.238:80 dst=192.168.128.2:53023 message: EXPLOIT-KIT Multiple exploit kit single digit exe detection\n" + ) message = mt.render(mark="<134>", epoch=epoch, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch_ms }} index=netfw host=\"testcm-{{ host }}\" sourcetype=\"meraki\"") + st = env.from_string( + 'search _time={{ epoch_ms }} index=netfw host="testcm-{{ host }}" sourcetype="meraki"' + ) search = st.render(epoch_ms=epoch_ms, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -39,4 +44,6 @@ def test_cisco_meraki_security_event(record_property, setup_wordlist, setup_splu record_property("message", message) assert resultCount == 1 -#<134>1 Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 events Cellular connection up + + +# <134>1 Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 events Cellular connection up diff --git a/tests/test_cisco_ucs_manager.py b/tests/test_cisco_ucs_manager.py index af87b6ac0b..9c58192a51 100644 --- a/tests/test_cisco_ucs_manager.py +++ b/tests/test_cisco_ucs_manager.py 
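Review bot: The last hunk of test_cisco_meraki.py leaves `# <134>1 Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 events Cellular connection up` as a dangling sample event with no test after it, which reads like a test that was never written. Either add the corresponding test or record the intent, e.g. `# TODO: add a test for the MX84 "events" line below (sample only, not yet covered)`. The earlier hunk in this file is formatting only.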
@@ -19,8 +19,7 @@ def test_cisco_ucm_manager(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "{}-{}".format(random.choice(setup_wordlist), - random.choice(setup_wordlist)) + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) @@ -29,12 +28,14 @@ def test_cisco_ucm_manager(record_property, setup_wordlist, setup_splunk, setup_ epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}: {{ bsd }} {{ tzname }} : %UCSM-6-AUDIT: [session][internal][creation][internal][3852391][sys/user-ext/web-login-username-web_40207_B][id:web_40207_B, name:username, policyOwner:local][] Web B: remote user username logged in from {{ host }}\n") + "{{ mark }}: {{ bsd }} {{ tzname }} : %UCSM-6-AUDIT: [session][internal][creation][internal][3852391][sys/user-ext/web-login-username-web_40207_B][id:web_40207_B, name:username, policyOwner:local][] Web B: remote user username logged in from {{ host }}\n" + ) message = mt.render(mark="<189>", tzname=tzname, bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search _time={{ epoch }} index=infraops {{ host }} sourcetype=\"cisco:ucs\"") + 'search _time={{ epoch }} index=infraops {{ host }} sourcetype="cisco:ucs"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -43,4 +44,4 @@ def test_cisco_ucm_manager(record_property, setup_wordlist, setup_splunk, setup_ record_property("resultCount", resultCount) record_property("message", message) - assert resultCount == 1 \ No newline at end of file + assert resultCount == 1 diff --git a/tests/test_cisco_wsa.py b/tests/test_cisco_wsa.py index 8f27cafff5..2efde4f04e 100644 --- a/tests/test_cisco_wsa.py +++ b/tests/test_cisco_wsa.py 
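Review bot: In test_cisco_ucm_manager the reformatted search `'search _time={{ epoch }} index=infraops {{ host }} sourcetype="cisco:ucs"'` matches host as a bare free-text term rather than `host={{ host }}` as the hyperflex tests do, and nothing says this is deliberate. Since the message template places `{{ host }}` only in the body ("logged in from {{ host }}") and its syslog header carries no hostname, the free-text match appears intentional; a comment above the `st = env.from_string(` line such as `# host appears only in the message body, so match it as a free-text term rather than host=` would make that explicit. The function spans all three hunks of this file.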
@@ -155,6 +155,7 @@ def test_cisco_wsa_l4tm(
 assert resultCount == 1
+
 @pytest.mark.parametrize("event", testdata_w3c_recommended)
 def test_cisco_wsa_w3c_recommended(
 record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event
@@ -190,6 +191,7 @@ def test_cisco_wsa_w3c_recommended(
 assert resultCount == 1
+
 @pytest.mark.parametrize("event", testdata_squid_11_8)
 def test_cisco_wsa_squid_11_8(
 record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event
@@ -224,6 +226,7 @@ def test_cisco_wsa_squid_11_8(
 assert resultCount == 1
+
 @pytest.mark.parametrize("event", testdata_squid_12_5)
 def test_cisco_wsa_squid_12_5(
 record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event
@@ -257,4 +260,3 @@ def test_cisco_wsa_squid_12_5(
 record_property("message", message)
 assert resultCount == 1
-
diff --git a/tests/test_citrix_netscaler.py b/tests/test_citrix_netscaler.py
index 68072f028d..6daa66b9f8 100644
--- a/tests/test_citrix_netscaler.py
+++ b/tests/test_citrix_netscaler.py
@@ -129,4 +129,3 @@ def test_citrix_netscaler_sdx_AAA(
 record_property("message", message)
 assert resultCount == 1
-
diff --git a/tests/test_common.py b/tests/test_common.py
index 1d86d09daa..10c4a9b350 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
@@ -82,7 +84,9 @@ def test_fallback(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 # Tune time functions
 epoch = epoch[:-7]
- mt = env.from_string("{{ mark }} {{ bsd }} testvp-{{ host }} test,test thist,thisdfsdf\n")
+ mt = env.from_string(
+ "{{ mark }} {{ bsd }} testvp-{{ host }} test,test thist,thisdfsdf\n"
+ )
 message = mt.render(mark="<111>", bsd=bsd, host=host)
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
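Review bot: `test_fallback` carries no docstring or comment saying what it exercises, and its fixture is visibly unlike every other one in this commit: `{{ mark }} {{ bsd }}` puts a space between the PRI and the timestamp, and the body `test,test thist,thisdfsdf` matches no vendor format. That is presumably deliberate, so the event has to be routed by the catch-all path, but nothing states it, and a later cleanup could "fix" the spacing and silently change what the test covers. I'd add a comment above `mt = env.from_string(` such as `# Intentionally non-conformant (space after PRI, unrecognised body): must land via the fallback path, not a vendor parser` — adjust to what the fallback actually is. The function starts outside this hunk.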
@@ -148,7 +150,6 @@ def test_tz_guess(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 assert resultCount == 1
-
 def test_tz_fix_ny(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
@@ -156,7 +157,9 @@ def test_tz_fix_ny(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 # 10 minute offset (reserved for future use)
 # dt = datetime.datetime.now(pytz.timezone('America/New_York')) - datetime.timedelta(minutes=10)
- dt = datetime.datetime.now(pytz.timezone("America/New_York")) - datetime.timedelta(minutes=15)
+ dt = datetime.datetime.now(pytz.timezone("America/New_York")) - datetime.timedelta(
+ minutes=15
+ )
 iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
 # Tune time functions
diff --git a/tests/test_cyberark.py b/tests/test_cyberark.py
index f4376cee06..f23729afd4 100644
--- a/tests/test_cyberark.py
+++ b/tests/test_cyberark.py
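Review bot: The comment kept above the reformatted `dt = ...` line says `# 10 minute offset (reserved for future use)` and leaves a commented-out `minutes=10` variant, while the live code subtracts `timedelta(minutes=15)`, so the documented offset and the real one disagree. If 15 is the intended value, change the comment to give that value and the reason for it — presumably the skew exists so that a wrong timezone interpretation would miss the `_time` search rather than be masked by clock proximity, but that needs confirming — and delete the dead line; if 10 was intended, restore it. `test_tz_fix_ny` continues outside this hunk.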
@@ -13,7 +13,7 @@ env = Environment()
-#<5>1 2020-01-24T22:53:03Z REDACTEDHOSTNAME CEF:0|Cyber-Ark|Vault|10.9.0000|22|CPM Verify Password|5|act="CPM Verify Password" suser=PasswordManager fname=Root\Operating System-OBO-ISSO-Windows-Domain-Account-redacted dvc= shost=10.0.0.10 dhost= duser=redacted externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2="re-dact-ted" cs3Label="Device Type" cs3="Operating System" cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2="VerificationPeriod" msg="VerificationPeriod"
+# <5>1 2020-01-24T22:53:03Z REDACTEDHOSTNAME CEF:0|Cyber-Ark|Vault|10.9.0000|22|CPM Verify Password|5|act="CPM Verify Password" suser=PasswordManager fname=Root\Operating System-OBO-ISSO-Windows-Domain-Account-redacted dvc= shost=10.0.0.10 dhost= duser=redacted externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2="re-dact-ted" cs3Label="Device Type" cs3="Operating System" cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2="VerificationPeriod" msg="VerificationPeriod"
 def test_cyberark_epv_5424(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
@@ -25,12 +25,15 @@ def test_cyberark_epv_5424(record_property, setup_wordlist, setup_splunk, setup_
 epoch = epoch[:-7]
 mt = env.from_string(
- "{{ mark }}1 {{ iso }}Z {{ host }} CEF:0|Cyber-Ark|Vault|9.20.0000|7|Logon|5|act=\"Logon\" suser=PasswordManager fname= dvc= shost=10.0.0.10 dhost= duser= externalId= app= reason= cs1Label=\"Affected User Name\" cs1= cs2Label=\"Safe Name\" cs2= cs3Label=\"Device Type\" cs3=11111 cs4Label=\"Database\" cs4=222222 cs5Label=\"Other info\" cs5= cn1Label=\"Request Id\" cn1= cn2Label=\"Ticket Id\" cn2= msg=\n")
+ '{{ mark }}1 {{ iso }}Z {{ host }} CEF:0|Cyber-Ark|Vault|9.20.0000|7|Logon|5|act="Logon" suser=PasswordManager fname= dvc= shost=10.0.0.10 dhost= duser= externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2= cs3Label="Device Type" cs3=11111 cs4Label="Database" cs4=222222 cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2= msg=\n'
+ )
 message = mt.render(mark="<111>", iso=iso, host=host)
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
- st = env.from_string("search _time={{ epoch }} index=netauth host=\"{{ host }}\" sourcetype=\"cyberark:epv:cef\"| head 2")
+ st = env.from_string(
+ 'search _time={{ epoch }} index=netauth host="{{ host }}" sourcetype="cyberark:epv:cef"| head 2'
+ )
 search = st.render(epoch=epoch, host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
@@ -41,7 +44,8 @@ def test_cyberark_epv_5424(record_property, setup_wordlist, setup_splunk, setup_
 assert resultCount == 1
-#<190>Jul 27 23:31:58 VAULT CEF:0|Cyber-Ark|Vault|9.20.0000|7|Logon|5|act="Logon" suser=user2 fname= dvc= shost=127.0.0.1 dhost= duser= externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2= cs3Label="Device Type" cs3=11111 cs4Label="Database" cs4=222222 cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2= msg=
+
+ # <190>Jul 27 23:31:58 VAULT CEF:0|Cyber-Ark|Vault|9.20.0000|7|Logon|5|act="Logon" suser=user2 fname= dvc= shost=127.0.0.1 dhost= duser= externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2= cs3Label="Device Type" cs3=11111 cs4Label="Database" cs4=222222 cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2= msg=
 def test_cyberark_epv(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
@@ -52,12 +56,15 @@ def test_cyberark_epv(record_property, setup_wordlist, setup_splunk, setup_sc4s)
 epoch = epoch[:-7]
 mt = env.from_string(
- "{{ mark }}{{ bsd }} {{ host }} CEF:0|Cyber-Ark|Vault|9.20.0000|7|Logon|5|act=\"Logon\" suser=user2 fname= dvc= shost=127.0.0.1 dhost= duser= externalId= app= reason= cs1Label=\"Affected User Name\" cs1= cs2Label=\"Safe Name\" cs2= cs3Label=\"Device Type\" cs3=11111 cs4Label=\"Database\" cs4=222222 cs5Label=\"Other info\" cs5= cn1Label=\"Request Id\" cn1= cn2Label=\"Ticket Id\" cn2= msg=\n")
+ '{{ mark }}{{ bsd }} {{ host }} CEF:0|Cyber-Ark|Vault|9.20.0000|7|Logon|5|act="Logon" suser=user2 fname= dvc= shost=127.0.0.1 dhost= duser= externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2= cs3Label="Device Type" cs3=11111 cs4Label="Database" cs4=222222 cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2= msg=\n'
+ )
 message = mt.render(mark="<111>", bsd=bsd, host=host)
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
- st = env.from_string("search _time={{ epoch }} index=netauth host=\"{{ host }}\" sourcetype=\"cyberark:epv:cef\"| head 2")
+ st = env.from_string(
+ 'search _time={{ epoch }} index=netauth host="{{ host }}" sourcetype="cyberark:epv:cef"| head 2'
+ )
 search = st.render(epoch=epoch, host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
@@ -68,7 +75,8 @@ def test_cyberark_epv(record_property, setup_wordlist, setup_splunk, setup_sc4s)
 assert resultCount == 1
-#<190>Jul 12 23:44:25 10.0.0.1 CEF:0|CyberArk|PTA|2.6.1|20|Privileged account anomaly|8|cs1Label=incidentId cs1=55a32ed8e4b0e4a90114e12c start=1436755482000 deviceCustomDate1Label=detectionDate deviceCustomDate1=1436759065017 msg=Incident updated. Now contains 7 anomalies cs2Label=link cs2=https://10.0.0.1/incidents/55a32ed8e4b0e4a90114e12c
+
+ # <190>Jul 12 23:44:25 10.0.0.1 CEF:0|CyberArk|PTA|2.6.1|20|Privileged account anomaly|8|cs1Label=incidentId cs1=55a32ed8e4b0e4a90114e12c start=1436755482000 deviceCustomDate1Label=detectionDate deviceCustomDate1=1436759065017 msg=Incident updated. Now contains 7 anomalies cs2Label=link cs2=https://10.0.0.1/incidents/55a32ed8e4b0e4a90114e12c
 def test_cyberark_pta(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
@@ -79,12 +87,15 @@ def test_cyberark_pta(record_property, setup_wordlist, setup_splunk, setup_sc4s)
 epoch = epoch[:-7]
 mt = env.from_string(
- "{{ mark }}{{ bsd }} {{ host }} CEF:0|CyberArk|PTA|2.6.1|20|Privileged account anomaly|8|cs1Label=incidentId cs1=55a32ed8e4b0e4a90114e12c start=1436755482000 deviceCustomDate1Label=detectionDate deviceCustomDate1=1436759065017 msg=Incident updated. Now contains 7 anomalies cs2Label=link cs2=https://10.0.0.1/incidents/55a32ed8e4b0e4a90114e12c\n")
+ "{{ mark }}{{ bsd }} {{ host }} CEF:0|CyberArk|PTA|2.6.1|20|Privileged account anomaly|8|cs1Label=incidentId cs1=55a32ed8e4b0e4a90114e12c start=1436755482000 deviceCustomDate1Label=detectionDate deviceCustomDate1=1436759065017 msg=Incident updated. Now contains 7 anomalies cs2Label=link cs2=https://10.0.0.1/incidents/55a32ed8e4b0e4a90114e12c\n"
+ )
 message = mt.render(mark="<111>", bsd=bsd, host=host)
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
- st = env.from_string("search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"cyberark:pta:cef\"| head 2")
+ st = env.from_string(
+ 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="cyberark:pta:cef"| head 2'
+ )
 search = st.render(epoch=epoch, host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
diff --git a/tests/test_dell_emc_networking.py b/tests/test_dell_emc_networking.py
index 0080f35b96..9faf4efb44 100644
--- a/tests/test_dell_emc_networking.py
+++ b/tests/test_dell_emc_networking.py
@@ -15,9 +15,9 @@ env = Environment()
 #
-#<189> Oct 21 09:10:54 10.201.1.110-1 CMDLOGGER[emWeb]: cmd_logger_api.c(83) 29333 %% NOTE CLI:10.1.3.211:administrator:User logged in
-#<189> Oct 21 09:10:20 10.201.1.110-1 TRAPMGR[trapTask]: traputil.c(721) 29331 %% NOTE 'startup-config' has changed.
-#<190> Oct 21 09:10:20 10.201.1.110-1 UNITMGR[emWeb]: unitmgr.c(6905) 29330 %% INFO Configuration propagation successful for config type 0
+# <189> Oct 21 09:10:54 10.201.1.110-1 CMDLOGGER[emWeb]: cmd_logger_api.c(83) 29333 %% NOTE CLI:10.1.3.211:administrator:User logged in
+# <189> Oct 21 09:10:20 10.201.1.110-1 TRAPMGR[trapTask]: traputil.c(721) 29331 %% NOTE 'startup-config' has changed.
+# <190> Oct 21 09:10:20 10.201.1.110-1 UNITMGR[emWeb]: unitmgr.c(6905) 29330 %% INFO Configuration propagation successful for config type 0
 testdata_admin = [
@@ -25,6 +25,8 @@
 "{{ mark }} {{ bsd }} {{ host }}-1 TRAPMGR[trapTask]: traputil.c(721) 29331 %% NOTE 'startup-config' has changed.",
 "{{ mark }} {{ bsd }} {{ host }}-1 UNITMGR[emWeb]: unitmgr.c(6905) 29330 %% INFO Configuration propagation successful for config type 0",
 ]
+
+
 @pytest.mark.parametrize("event", testdata_admin)
 def test_dell_emc_powerswitch_nseries(
 record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event
@@ -33,7 +35,7 @@ def test_dell_emc_powerswitch_nseries(
 dt = datetime.datetime.now()
 iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt)
-
+
 # Tune time functions
 epoch = epoch[:-7]
diff --git a/tests/test_dell_idrac.py b/tests/test_dell_idrac.py
index e6dee78590..e1206a559f 100644
--- a/tests/test_dell_idrac.py
+++ b/tests/test_dell_idrac.py
@@ -11,10 +11,11 @@ from .timeutils import *
 import pytest
+
 env = Environment()
-#<134>Feb 18 09:37:41 xxxxxx swlogd: bcmd esm info(5) phy_nlp_enable_set: u=0 p=1 enable:1 phyPresent:YES
+# <134>Feb 18 09:37:41 xxxxxx swlogd: bcmd esm info(5) phy_nlp_enable_set: u=0 p=1 enable:1 phyPresent:YES
 testdata = [
 "{{ mark }}{{ bsd }} {{ host }} Severity: Informational, Category: Audit, MessageID: LOG007, Message: The previous log entry was repeated 0 times.",
 "{{ mark }}{{ bsd }} {{ host }} Severity: Informational, Category: Audit, MessageID: LOG006, Message: Test event generated for message ID LOG007.",
@@ -22,8 +23,11 @@
 "{{ mark }}{{ bsd }} {{ host }} Severity: Informational, Category: Audit, MessageID: USR0030, Message: Successfully logged in using root, from 10.110.161.37 and GUI.",
 ]
+
 @pytest.mark.parametrize("event", testdata)
-def test_dell_idrac(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event):
+def test_dell_idrac(
+ record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event
+):
 host = get_host_key
 dt = datetime.datetime.now()
@@ -38,7 +42,8 @@ def test_dell_idrac(record_property, setup_wordlist, get_host_key, setup_splunk,
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 st = env.from_string(
- "search index=infraops _time={{ epoch }} sourcetype=\"dell:poweredge:idrac:syslog\" (host=\"{{ host }}\" OR \"{{ host }}\")")
+ 'search index=infraops _time={{ epoch }} sourcetype="dell:poweredge:idrac:syslog" (host="{{ host }}" OR "{{ host }}")'
+ )
 search = st.render(epoch=epoch, host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
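Review bot: In the first hunk, the sample line reformatted to `# <134>Feb 18 09:37:41 xxxxxx swlogd: bcmd esm info(5) phy_nlp_enable_set: ...` does not describe the `testdata` events directly beneath it, which use the iDRAC `Severity: ..., Category: Audit, MessageID: ..., Message: ...` layout; `swlogd`/`bcmd esm` reads like a switch log line copied from another test. The same line is repeated above `cmcdata` in the next hunk. I'd replace each with a raw sample in the format the list actually exercises, or delete it, so that someone debugging a parser regression is not pointed at the wrong event shape.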
@@ -48,13 +53,18 @@ def test_dell_idrac(record_property, setup_wordlist, get_host_key, setup_splunk,
 record_property("message", message)
 assert resultCount == 1
-#<134>Feb 18 09:37:41 xxxxxx swlogd: bcmd esm info(5) phy_nlp_enable_set: u=0 p=1 enable:1 phyPresent:YES
+
+
+ # <134>Feb 18 09:37:41 xxxxxx swlogd: bcmd esm info(5) phy_nlp_enable_set: u=0 p=1 enable:1 phyPresent:YES
 cmcdata = [
- "{{ mark }}{{ bsd }} {{ host }} webcgi: session close succeeds: sid=23628",
+ "{{ mark }}{{ bsd }} {{ host }} webcgi: session close succeeds: sid=23628",
 ]
+
 @pytest.mark.parametrize("event", cmcdata)
-def test_dell_cmc(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event):
+def test_dell_cmc(
+ record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event
+):
 host = "test-dell-cmc-" + get_host_key
 dt = datetime.datetime.now()
@@ -69,7 +79,8 @@ def test_dell_cmc(record_property, setup_wordlist, get_host_key, setup_splunk, s
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
 st = env.from_string(
- "search index=infraops _time={{ epoch }} sourcetype=\"dell:poweredge:cmc:syslog\" (host=\"{{ host }}\" OR \"{{ host }}\")")
+ 'search index=infraops _time={{ epoch }} sourcetype="dell:poweredge:cmc:syslog" (host="{{ host }}" OR "{{ host }}")'
+ )
 search = st.render(epoch=epoch, host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
diff --git a/tests/test_dell_rsa_secureid.py b/tests/test_dell_rsa_secureid.py
index e19e16e952..dda2b4ad81 100644
--- a/tests/test_dell_rsa_secureid.py
+++ b/tests/test_dell_rsa_secureid.py
@@ -23,6 +23,8 @@ testdata_admin = [
 "{{ mark }}{{ bsd }} {{ host }} {{ date }} {{ rsatime }}, {{ host }}.example.net, audit.admin.com.rsa.authmgr.internal.admin.principalmgt.impl.AMPrincipalAdministrationImpl, INFO,",
 ]
+
+
 @pytest.mark.parametrize("event", testdata_admin)
 def test_dell_rsa_secureid_admin(
 record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event
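Review bot: The search in the `test_dell_cmc` hunk, `(host="{{ host }}" OR "{{ host }}")`, also matches the hostname as free text in `_raw`, so if sc4s stopped populating `host` from the syslog header the test would still pass as long as the name appears in the message body; the `test_dell_idrac` search above uses the same clause. If both a header-derived and a message-derived host are meant to be accepted, say so next to the template, e.g. `# host may come from the syslog header or be extracted from the body; accept either`; otherwise tighten to `host="{{ host }}"` so a host-assignment regression actually fails the test. Both functions start outside their hunks.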
@@ -54,9 +56,12 @@ def test_dell_rsa_secureid_admin(
 assert resultCount == 1
+
 testdata_system = [
 "{{ mark }}{{ bsd }} {{ host }} {{ date }} {{ rsatime }}, {{ host }}.example.net, system.com.rsa.ims.configuration.impl.AuthorizationEnabledConfigurationServiceImpl, ERROR, xxxxx,xxxxx,10.0.0.1,10.0.0.1,CONF_READ,16153,FAIL,INSUFFICIENT_PRIVILEGE,xxxx-fnIz0FpnFNO0,xxxxx,xxx,xxx,xxxx,xxx,xxxx,0000-Global-0000,auth_manager.dashboard.hide.grpagent,,,,,",
 ]
+
+
 @pytest.mark.parametrize("event", testdata_system)
 def test_dell_rsa_secureid_system(
 record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event
@@ -88,9 +93,12 @@ def test_dell_rsa_secureid_system(
 assert resultCount == 1
+
 testdata_runtime = [
 "{{ mark }}{{ bsd }} {{ host }} {{ date }} {{ rsatime }}, {{ host }}.example.net, audit.runtime.com.rsa.ims.authn.impl.AuthenticationBrokerImpl, INFO, xxxxx,xxxxx,10.0.0.1,10.0.0.1,AUTHN_LOGIN_EVENT,13002,SUCCESS,AUTHN_METHOD_SUCCESS,xxxx-Dnj467rNRh++,xxxx,xxx,xxxx,xxx,xxx,xxx,xxxx,946367dcb9f859941af8aee9b2462acc,10.0.0.1,hst-xxxxx.example.net,7,000000000000000000002000f1022000,SecurID_Native,,,AUTHN_LOGIN_EVENT,5,1,,,,,xxxxxxx,xxxxxxxx8632,,",
 ]
+
+
 @pytest.mark.parametrize("event", testdata_runtime)
 def test_dell_rsa_secureid_runtime(
 record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event
@@ -122,28 +130,29 @@ def test_dell_rsa_secureid_runtime( assert resultCount == 1 + def test_dell_rsa_secureid_trace( record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s ): host = "test_rsasecureid-" + get_host_key events = [ - '{{ mark }}{{ bsd }} {{ host }} Caused by: org.postgresql.util.PSQLException: The column index is out of range: 3, number of columns: 2.', - '{{ mark }}{{ bsd }} {{ host }} at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:131)', - '{{ mark }}{{ bsd }} {{ host }} at sun.reflect.GeneratedMethodAccessor250.invoke(Unknown Source)', - '{{ mark }}{{ bsd }} {{ host }} at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:138)', - '{{ mark }}{{ bsd }} {{ host }} at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)', - '{{ mark }}{{ bsd }} {{ host }} at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.__WL_invoke(Unknown Source)', - '{{ mark }}{{ bsd }} {{ host }} at org.postgresql.core.v3.SimpleParameterList.setStringParameter(SimpleParameterList.java:118)', - '{{ mark }}{{ bsd }} {{ host }} Caused by: org.postgresql.util.PSQLException: The column index is out of range: 3, number of columns: 2.', - '{{ mark }}{{ bsd }} {{ host }} at weblogic.work.ExecuteThread.execute(ExecuteThread.java:420)', - '{{ mark }}{{ bsd }} {{ host }} at com.rsa.security.SecurityContext.doAs(SecurityContext.java:439)', - '{{ mark }}{{ bsd }} {{ host }} at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)', - '{{ mark }}{{ bsd }} {{ host }} at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:652)', - '{{ mark }}{{ bsd }} {{ host }} at com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:1)', - '{{ mark }}{{ bsd }} {{ host }} at 
org.jboss.weld.ejb.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:52)', - '{{ mark }}{{ bsd }} {{ host }} at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:531)', - '{{ mark }}{{ bsd }} {{ host }} at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:933)', + "{{ mark }}{{ bsd }} {{ host }} Caused by: org.postgresql.util.PSQLException: The column index is out of range: 3, number of columns: 2.", + "{{ mark }}{{ bsd }} {{ host }} at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:131)", + "{{ mark }}{{ bsd }} {{ host }} at sun.reflect.GeneratedMethodAccessor250.invoke(Unknown Source)", + "{{ mark }}{{ bsd }} {{ host }} at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:138)", + "{{ mark }}{{ bsd }} {{ host }} at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)", + "{{ mark }}{{ bsd }} {{ host }} at com.rsa.command.CommandServerEjb30_vraifm_CommandServerEjb30Impl.__WL_invoke(Unknown Source)", + "{{ mark }}{{ bsd }} {{ host }} at org.postgresql.core.v3.SimpleParameterList.setStringParameter(SimpleParameterList.java:118)", + "{{ mark }}{{ bsd }} {{ host }} Caused by: org.postgresql.util.PSQLException: The column index is out of range: 3, number of columns: 2.", + "{{ mark }}{{ bsd }} {{ host }} at weblogic.work.ExecuteThread.execute(ExecuteThread.java:420)", + "{{ mark }}{{ bsd }} {{ host }} at com.rsa.security.SecurityContext.doAs(SecurityContext.java:439)", + "{{ mark }}{{ bsd }} {{ host }} at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)", + "{{ mark }}{{ bsd }} {{ host }} at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:652)", + "{{ mark }}{{ bsd }} {{ host }} at 
com.rsa.ims.command.LocalTransactionalCommandTarget$2.doInTransaction(LocalTransactionalCommandTarget.java:1)", + "{{ mark }}{{ bsd }} {{ host }} at org.jboss.weld.ejb.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:52)", + "{{ mark }}{{ bsd }} {{ host }} at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:531)", + "{{ mark }}{{ bsd }} {{ host }} at com.rsa.command.CommandServerEngine$CommandExecutor.run(CommandServerEngine.java:933)", ] dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) @@ -166,4 +175,4 @@ def test_dell_rsa_secureid_trace( record_property("resultCount", resultCount) record_property("message", message) - assert resultCount >0 \ No newline at end of file + assert resultCount > 0 diff --git a/tests/test_f5_bigip.py b/tests/test_f5_bigip.py index 666dae440d..a7e2982351 100644 --- a/tests/test_f5_bigip.py +++ b/tests/test_f5_bigip.py 
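Review bot: `test_dell_rsa_secureid_trace` builds sixteen stack-trace lines in `events` (previous hunk), but the assertion in the last hunk is only `assert resultCount > 0`, so the test passes when a single line is indexed and the other fifteen are dropped or mis-routed. How the list is sent is outside the hunk; if each entry goes out as its own message, `assert resultCount == len(events)` pins the expectation, and if they are joined into one message `assert resultCount == 1` does. Either way, a one-line comment stating which is intended would stop the next reader from guessing.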
@@ -42,22 +42,22 @@ ] testdata_tmm_ltm_ssl_error = [ - "{{ mark }}{{ bsd }} {{ host }} warning tmm1[23068]: 01260009:4: Connection error: ssl_passthru:5234: not SSL (40)", - "{{ mark }}{{ bsd }} {{ host }} warning tmm1[75593]: 01260009:4: Connection error: ssl_hs_rxhello:10026: unsupported version (40)", - "{{ mark }}{{ bsd }} {{ host }} warning tmm2[217019]: 01260009:4: Connection error: ssl_select_suite:9301: TLS_FALLBACK_SCSV with a lower protocol (86)", - ] + "{{ mark }}{{ bsd }} {{ host }} warning tmm1[23068]: 01260009:4: Connection error: ssl_passthru:5234: not SSL (40)", + "{{ mark }}{{ bsd }} {{ host }} warning tmm1[75593]: 01260009:4: Connection error: ssl_hs_rxhello:10026: unsupported version (40)", + "{{ mark }}{{ bsd }} {{ host }} warning tmm2[217019]: 01260009:4: Connection error: ssl_select_suite:9301: TLS_FALLBACK_SCSV with a lower protocol (86)", +] testdata_tmm_ltm_tcl_error = [ - "{{ mark }}{{ bsd }} {{ host }} err tmm1[72331]: 01220001:3: TCL error: /Common/dummy-Artifactory-iRule2 - ERR_NOT_SUPPORTED (line 8) invoked from within \"HTTP::method\"", - ] + '{{ mark }}{{ bsd }} {{ host }} err tmm1[72331]: 01220001:3: TCL error: /Common/dummy-Artifactory-iRule2 - ERR_NOT_SUPPORTED (line 8) invoked from within "HTTP::method"', +] testdata_tmm_ltm_log_error = [ - "{{ mark }}{{ bsd }} {{ host }} err tmm1[380498]: 011f0016:3: http_process_state_prepend - Invalid action:0x100005 Server sends too much data. serverside (10.0.0.3:21729 -> 10.0.0.3:33489) clientside (10.0.0.5:59455 -> 10.0.0.1:19459) (Server side: vip=/Common/dummy-vip1 profile=http pool=/Common/dummy-pool3 server_ip=10.0.0.2)", - ] + "{{ mark }}{{ bsd }} {{ host }} err tmm1[380498]: 011f0016:3: http_process_state_prepend - Invalid action:0x100005 Server sends too much data. 
serverside (10.0.0.3:21729 -> 10.0.0.3:33489) clientside (10.0.0.5:59455 -> 10.0.0.1:19459) (Server side: vip=/Common/dummy-vip1 profile=http pool=/Common/dummy-pool3 server_ip=10.0.0.2)", +] testdata_tmm_ltm_traffic = [ - "{{ mark }}{{ bsd }} {{ host }} warning tmm3[184585]: 011e0001:4: Limiting open port RST response from 501 to 500 packets/sec for traffic-group /Common/dummy-traffic-group3", - ] + "{{ mark }}{{ bsd }} {{ host }} warning tmm3[184585]: 011e0001:4: Limiting open port RST response from 501 to 500 packets/sec for traffic-group /Common/dummy-traffic-group3", +] testdata_f5bigip_syslog = [ '{{ mark }}{{ bsd }} {{ host }} notice sshd(pam_audit)[27425]: user=root(root) partition=[All] level=Administrator tty=ssh host=192.168.2.100 attempts=1 start="Mon Dec 22 18:40:19 2014" end="Mon Dec 22 18:45:50 2014".', 
@@ -79,9 +79,9 @@ ] testdata_f5bigip_syslog_failure_events = [ - '{{ mark }} {{ bsd }} {{ host }} notice mcpd[6760]: 01070417:5: AUDIT - client Unknown, user admin - transaction #29194914-3 - object 0 - modify { gtm_rule { gtm_rule_name "/Common/Splunk_DNS_REQUEST" gtm_rule_definition "when DNS_REQUEST { set client_addr [IP::client_addr] set dns_server_addr [IP::local_addr] set question_name [DNS::question name] set question_class [DNS::question class] set question_type [DNS::question type] set data_center [whereami] set geo_information [join [whereis $client_addr] ;] set gtm_server [whoami] set wideip [wideip name] set dns_len [DNS::len] set hsl [HSL::open -proto UDP -pool Pool-syslog] HSL::send $hsl \"<190>,f5_irule=Splunk-iRule-DNS_REQUEST,src_ip=##src_ip##,dns_server_ip=##dns_server_ip##,src_geo_info=dummy_geo_information,question_name=##question_name##,question_class=##question_class##,question_type=##question_type##,data_center=##data_center##,gtm_server=##gtm_server##,wideip=##wideip##,dns_len=34 } } [Status=Command OK]', - '{{ mark }} {{ bsd }} {{ host }} notice mcpd[6760]: 01070417:5: AUDIT - client Unknown, user admin - transaction #29190393-2 - object 0 - modify { rule { rule_name "/Common/Splunk_DNS_RESPONSE" rule_definition "when CLIENT_ACCEPTED { set client_addr [IP::client_addr] set dns_server_addr [IP::local_addr] } when DNS_RESPONSE { set question_name [DNS::question name] set is_wideip [DNS::is_wideip [DNS::question name]] set answer [string map -nocase {\"\\n\" \"\"} [join [DNS::answer] ;]] set hsl [HSL::open -proto UDP -pool Pool-syslog] HSL::send $hsl \"<190>,f5_irule=Splunk-iRule-DNS_RESPONSE,src_ip=##src_ip##,dns_server_ip=##dns_server_ip##,question_name=##question_name##,is_wideip=##is_wideip##,answer=##answer##\\\"\\r\\n\" }" rule_ignore_verification 0 } } [Status=Command OK]', - '{{ mark }} {{ bsd }} {{ host }} notice mcpd[6760]: 01070417:5: AUDIT - client Unknown, user admin - transaction #29186841-2 - object 0 - modify { rule { rule_name 
"/Common/Splunk_HTTP_test" rule_definition "when CLIENT_ACCEPTED { set client_address [IP::client_addr] set vip [IP::local_addr] } when HTTP_REQUEST { set http_host [HTTP::host]:[TCP::local_port] set http_uri [HTTP::uri] set http_url ##http_host####http_uri## set http_method [HTTP::method] set http_version [HTTP::version] set http_user_agent [HTTP::header \"User-Agent\"] set http_content_type [HTTP::header \"Content-Type\"] set http_referrer [HTTP::header \"Referer\"] set tcp_start_time [clock clicks -milliseconds] set req_start_time [clock format [clock seconds] -format \"%Y/%m/%d %H:%M:%S\"] set cookie [HTTP::cookie names] set user [HTTP::username] set virtual_server [LB::server] if { [HTTP::header Content-Length] > 0 } then { set req_length [HTTP::header \"Content-Length\"] } else { set req_length 0 } } when HTTP_RESPONSE { set res_start_time [clock format [clock seconds] -format \"%Y/%m/%d %H:%M:%S\"] set node [IP::server_addr] set node_port [TCP::server_port] set http_status [HTTP::status] set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}] if { [HTTP::header Content-Length] > 0 } then { set res_length [HTTP::header \"Content-Length\"] } else { set res_length 0 } set hsl [HSL::open -proto UDP -pool Pool-syslog] HSL::send $hsl \"<190>,f5_irule=Splunk-iRule-HTTP,src_ip=##src_ip##,vip=##ipv4##,http_method=##http_method##,http_host=##http_host##,http_uri=##http_uri##,http_url=##http_url##,http_method=##http_method##,http_version=##http_version##,http_user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36,http_content_type=##http_content_type##,http_referrer=##http_referrer##,req_start_time=##req_start_time##,cookie=##cookie##,user=user1,virtual_server=##virtual_server##,bytes_in=##bytes_in##,res_start_time=##res_start_time##,node=##node##,node_port=##node_port##,http_status=##http_status##,req_elapsed_time=##req_elapsed_time##,bytes_out=##bytes_out## } when LB_FAILED { set 
hsl [HSL::open -proto UDP -pool Pool-syslog] HSL::send $hsl \"<190>,f5_irule=Splunk-iRule-LB_FAILED,src_ip=##ipv4##,vip=##ipv4##,http_method=##http_method##,http_host=##http_host##,http_uri=##http_uri##,http_url=##http_host####http_uri##,http_method=##http_method##,http_version=##http_version##,http_user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36,http_content_type=##http_content_type##,http_referrer=##http_referrer##,req_start_time=##req_start_time##,cookie=##cookie##,user=user1,virtual_server=##virtual_server##,bytes_in=##bytes_in##\\r\\n\" }" rule_ignore_verification 0 } } [Status=Command OK]' + '{{ mark }} {{ bsd }} {{ host }} notice mcpd[6760]: 01070417:5: AUDIT - client Unknown, user admin - transaction #29194914-3 - object 0 - modify { gtm_rule { gtm_rule_name "/Common/Splunk_DNS_REQUEST" gtm_rule_definition "when DNS_REQUEST { set client_addr [IP::client_addr] set dns_server_addr [IP::local_addr] set question_name [DNS::question name] set question_class [DNS::question class] set question_type [DNS::question type] set data_center [whereami] set geo_information [join [whereis $client_addr] ;] set gtm_server [whoami] set wideip [wideip name] set dns_len [DNS::len] set hsl [HSL::open -proto UDP -pool Pool-syslog] HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_REQUEST,src_ip=##src_ip##,dns_server_ip=##dns_server_ip##,src_geo_info=dummy_geo_information,question_name=##question_name##,question_class=##question_class##,question_type=##question_type##,data_center=##data_center##,gtm_server=##gtm_server##,wideip=##wideip##,dns_len=34 } } [Status=Command OK]', + '{{ mark }} {{ bsd }} {{ host }} notice mcpd[6760]: 01070417:5: AUDIT - client Unknown, user admin - transaction #29190393-2 - object 0 - modify { rule { rule_name "/Common/Splunk_DNS_RESPONSE" rule_definition "when CLIENT_ACCEPTED { set client_addr [IP::client_addr] set dns_server_addr [IP::local_addr] } when DNS_RESPONSE { set 
question_name [DNS::question name] set is_wideip [DNS::is_wideip [DNS::question name]] set answer [string map -nocase {"\\n" ""} [join [DNS::answer] ;]] set hsl [HSL::open -proto UDP -pool Pool-syslog] HSL::send $hsl "<190>,f5_irule=Splunk-iRule-DNS_RESPONSE,src_ip=##src_ip##,dns_server_ip=##dns_server_ip##,question_name=##question_name##,is_wideip=##is_wideip##,answer=##answer##\\"\\r\\n" }" rule_ignore_verification 0 } } [Status=Command OK]', + '{{ mark }} {{ bsd }} {{ host }} notice mcpd[6760]: 01070417:5: AUDIT - client Unknown, user admin - transaction #29186841-2 - object 0 - modify { rule { rule_name "/Common/Splunk_HTTP_test" rule_definition "when CLIENT_ACCEPTED { set client_address [IP::client_addr] set vip [IP::local_addr] } when HTTP_REQUEST { set http_host [HTTP::host]:[TCP::local_port] set http_uri [HTTP::uri] set http_url ##http_host####http_uri## set http_method [HTTP::method] set http_version [HTTP::version] set http_user_agent [HTTP::header "User-Agent"] set http_content_type [HTTP::header "Content-Type"] set http_referrer [HTTP::header "Referer"] set tcp_start_time [clock clicks -milliseconds] set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"] set cookie [HTTP::cookie names] set user [HTTP::username] set virtual_server [LB::server] if { [HTTP::header Content-Length] > 0 } then { set req_length [HTTP::header "Content-Length"] } else { set req_length 0 } } when HTTP_RESPONSE { set res_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"] set node [IP::server_addr] set node_port [TCP::server_port] set http_status [HTTP::status] set req_elapsed_time [expr {[clock clicks -milliseconds] - $tcp_start_time}] if { [HTTP::header Content-Length] > 0 } then { set res_length [HTTP::header "Content-Length"] } else { set res_length 0 } set hsl [HSL::open -proto UDP -pool Pool-syslog] HSL::send $hsl 
"<190>,f5_irule=Splunk-iRule-HTTP,src_ip=##src_ip##,vip=##ipv4##,http_method=##http_method##,http_host=##http_host##,http_uri=##http_uri##,http_url=##http_url##,http_method=##http_method##,http_version=##http_version##,http_user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36,http_content_type=##http_content_type##,http_referrer=##http_referrer##,req_start_time=##req_start_time##,cookie=##cookie##,user=user1,virtual_server=##virtual_server##,bytes_in=##bytes_in##,res_start_time=##res_start_time##,node=##node##,node_port=##node_port##,http_status=##http_status##,req_elapsed_time=##req_elapsed_time##,bytes_out=##bytes_out## } when LB_FAILED { set hsl [HSL::open -proto UDP -pool Pool-syslog] HSL::send $hsl "<190>,f5_irule=Splunk-iRule-LB_FAILED,src_ip=##ipv4##,vip=##ipv4##,http_method=##http_method##,http_host=##http_host##,http_uri=##http_uri##,http_url=##http_host####http_uri##,http_method=##http_method##,http_version=##http_version##,http_user_agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36,http_content_type=##http_content_type##,http_referrer=##http_referrer##,req_start_time=##req_start_time##,cookie=##cookie##,user=user1,virtual_server=##virtual_server##,bytes_in=##bytes_in##\\r\\n" }" rule_ignore_verification 0 } } [Status=Command OK]', ] @@ -146,6 +146,7 @@ def test_f5_bigip_app( assert resultCount == 1 + @pytest.mark.parametrize("event", testdata_tmm_ltm_ssl_error) def test_f5_bigip_app_ltm_ssl_error( record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event @@ -176,6 +177,7 @@ def test_f5_bigip_app_ltm_ssl_error( assert resultCount == 1 + @pytest.mark.parametrize("event", testdata_tmm_ltm_tcl_error) def test_f5_bigip_app_ltm_tcl_error( record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event 
@@ -206,6 +208,7 @@ def test_f5_bigip_app_ltm_tcl_error( assert resultCount == 1 + @pytest.mark.parametrize("event", testdata_tmm_ltm_log_error) def test_f5_bigip_app_ltm_log_error( record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event @@ -236,6 +239,7 @@ def test_f5_bigip_app_ltm_log_error( assert resultCount == 1 + @pytest.mark.parametrize("event", testdata_tmm_ltm_traffic) def test_f5_bigip_app_ltm_traffic( record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event @@ -628,6 +632,7 @@ def test_f5_bigip_irule_json( assert resultCount == 1 + @pytest.mark.parametrize("event", testdata_nix_failure_events) def test_f5_bigip_nix_failure_events( record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event @@ -658,6 +663,7 @@ def test_f5_bigip_nix_failure_events( assert resultCount == 1 + @pytest.mark.parametrize("event", testdata_f5bigip_syslog_failure_events) def test_f5_bigip_syslog_failure_events( record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event @@ -686,4 +692,4 @@ def test_f5_bigip_syslog_failure_events( record_property("resultCount", resultCount) record_property("message", message) - assert resultCount == 1 \ No newline at end of file + assert resultCount == 1 diff --git a/tests/test_fireye.py b/tests/test_fireye.py index b444b3455d..7bc33c80f9 100644 --- a/tests/test_fireye.py +++ b/tests/test_fireye.py @@ -109,6 +109,7 @@ def test_fireeye_etp(record_property, setup_wordlist, setup_splunk, setup_sc4s): assert resultCount == 1 + def test_fireeye_hx_json(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) 
@@ -139,7 +140,9 @@ def test_fireeye_hx_json(record_property, setup_wordlist, setup_splunk, setup_sc assert resultCount == 1 -def test_fireeye_hx_json_with_hdr(record_property, setup_wordlist, setup_splunk, setup_sc4s): +def test_fireeye_hx_json_with_hdr( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) # dt = datetime.datetime.now(datetime.timezone.utc) diff --git a/tests/test_forcepoint_web.py b/tests/test_forcepoint_web.py index e99c9a7a31..39e17e006f 100644 --- a/tests/test_forcepoint_web.py +++ b/tests/test_forcepoint_web.py 
@@ -13,8 +13,10 @@ env = Environment() -#<134>Oct 16 12:13:06 sourcehost2 vendor=Websense 9f product=Security product_version=7.7.0 action=permitted severity=7 category=755 user=LDAP://user7 OU=Users,OU=Beijing,DC=com/TEST\, TEST_NAME src_host=10.0.0.4 src_port=61435 dst_host=HOST-013 dst_ip=10.0.0.19 dst_port=25404 bytes_out=4074 bytes_in=12328 http_response=200 http_method=POST http_content_type=image/gif;charset=UTF-8 http_user_agent=Mozilla/3.0 (Windows; U; Windows NT 6.1; es-def; rv:1.7.0.11) Gecko/2009060215 Firefox/8.0.11 (.NET CLR 8.5.30729) http_proxy_status_code=200 reason=- disposition=2573 policy=role-8**Default role=4 duration=63 url=http://test_web.com/contents/content1.jpg -def test_forcepoint_webprotect_kv(record_property, setup_wordlist, setup_splunk, setup_sc4s): +# <134>Oct 16 12:13:06 sourcehost2 vendor=Websense 9f product=Security product_version=7.7.0 action=permitted severity=7 category=755 user=LDAP://user7 OU=Users,OU=Beijing,DC=com/TEST\, TEST_NAME src_host=10.0.0.4 src_port=61435 dst_host=HOST-013 dst_ip=10.0.0.19 dst_port=25404 bytes_out=4074 bytes_in=12328 http_response=200 http_method=POST http_content_type=image/gif;charset=UTF-8 http_user_agent=Mozilla/3.0 (Windows; U; Windows NT 6.1; es-def; rv:1.7.0.11) Gecko/2009060215 Firefox/8.0.11 (.NET CLR 8.5.30729) http_proxy_status_code=200 reason=- disposition=2573 policy=role-8**Default role=4 duration=63 url=http://test_web.com/contents/content1.jpg +def test_forcepoint_webprotect_kv( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() 
@@ -24,12 +26,15 @@ def test_forcepoint_webprotect_kv(record_property, setup_wordlist, setup_splunk, epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}{{ bsd }} {{ host }} vendor=Websense 9f product=Security product_version=7.7.0 action=permitted severity=7 category=755 user=LDAP://user7 OU=Users,OU=Beijing,DC=com/TEST\, TEST_NAME src_host=10.0.0.4 src_port=61435 dst_host=HOST-013 dst_ip=10.0.0.19 dst_port=25404 bytes_out=4074 bytes_in=12328 http_response=200 http_method=POST http_content_type=image/gif;charset=UTF-8 http_user_agent=Mozilla/3.0 (Windows; U; Windows NT 6.1; es-def; rv:1.7.0.11) Gecko/2009060215 Firefox/8.0.11 (.NET CLR 8.5.30729) http_proxy_status_code=200 reason=- disposition=2573 policy=role-8**Default role=4 duration=63 url=http://test_web.com/contents/content1.jpg unknownfield=-\n") + "{{ mark }}{{ bsd }} {{ host }} vendor=Websense 9f product=Security product_version=7.7.0 action=permitted severity=7 category=755 user=LDAP://user7 OU=Users,OU=Beijing,DC=com/TEST\, TEST_NAME src_host=10.0.0.4 src_port=61435 dst_host=HOST-013 dst_ip=10.0.0.19 dst_port=25404 bytes_out=4074 bytes_in=12328 http_response=200 http_method=POST http_content_type=image/gif;charset=UTF-8 http_user_agent=Mozilla/3.0 (Windows; U; Windows NT 6.1; es-def; rv:1.7.0.11) Gecko/2009060215 Firefox/8.0.11 (.NET CLR 8.5.30729) http_proxy_status_code=200 reason=- disposition=2573 policy=role-8**Default role=4 duration=63 url=http://test_web.com/contents/content1.jpg unknownfield=-\n" + ) message = mt.render(mark="<134>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netproxy host=\"{{ host }}\" sourcetype=\"websense:cg:kv\"") + st = env.from_string( + 'search _time={{ epoch }} index=netproxy host="{{ host }}" sourcetype="websense:cg:kv"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
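Review bot: The rewritten template literal still contains the invalid escape sequence `\,` in `DC=com/TEST\, TEST_NAME`; in a non-raw string Python keeps the backslash but emits a DeprecationWarning (a SyntaxWarning on newer interpreters), and the quote-style change in this hunk did not touch it. Because the literal ends in a real `\n`, converting it to a raw string would change the message, so the behaviour-preserving fix is to double the backslash: `DC=com/TEST\\, TEST_NAME`. The enclosing function test_forcepoint_webprotect_kv starts outside the hunk.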
@@ -39,4 +44,6 @@ def test_forcepoint_webprotect_kv(record_property, setup_wordlist, setup_splunk, record_property("message", message) assert resultCount == 1 -#<134>1 Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 events Cellular connection up + + +# <134>1 Dec 6 08:41:44 192.168.1.1 1 1386337316.207232138 MX84 events Cellular connection up diff --git a/tests/test_fortinet_ngfw.py b/tests/test_fortinet_ngfw.py index 795bb2d1e9..983f6a48b1 100644 --- a/tests/test_fortinet_ngfw.py +++ b/tests/test_fortinet_ngfw.py @@ -16,8 +16,7 @@ # <111> Aug 17 00:00:00 fortigate date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf="port3" dstip=ff02::1:ff77:20d4 dstintf="port3" sessionid=408903 proto=58 action=accept policyid=2 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=:: transport=0 service="icmp6/131/0" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app="IPv6.ICMP" appcat="Network.Service" apprisk=elevated applist="sniffer-profile" appact=detected utmaction=allow countapp=1 def test_fortinet_fgt_event(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "{}-{}".format(random.choice(setup_wordlist), - random.choice(setup_wordlist)) + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) 
@@ -28,14 +27,18 @@ def test_fortinet_fgt_event(record_property, setup_wordlist, setup_splunk, setup epoch = epoch[:-7] mt = env.from_string( -# "{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FGT60D4614044725 logid=0100040704 type=event subtype=system level=notice tz=\"{{ tzoffset }}\" vd=root logdesc=\"System performance statistics\" action=\"perf-stats\" cpu=2 mem=35 totalsession=61 disk=2 bandwidth=158/138 setuprate=2 disklograte=0 fazlograte=0 msg=\"Performance statistics: average CPU: 2, memory: 35, concurrent sessions: 61, setup-rate: 2\"\n") - "{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FGT60D4614044725 logid=0100040704 type=event subtype=system level=notice vd=root logdesc=\"System performance statistics\" action=\"perf-stats\" cpu=2 mem=35 totalsession=61 disk=2 bandwidth=158/138 setuprate=2 disklograte=0 fazlograte=0 msg=\"Performance statistics: average CPU: 2, memory: 35, concurrent sessions: 61, setup-rate: 2\"\n") - message = mt.render(mark="<111>", bsd=bsd, date=date, time=time, host=host, tzoffset=tzoffset) + # "{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FGT60D4614044725 logid=0100040704 type=event subtype=system level=notice tz=\"{{ tzoffset }}\" vd=root logdesc=\"System performance statistics\" action=\"perf-stats\" cpu=2 mem=35 totalsession=61 disk=2 bandwidth=158/138 setuprate=2 disklograte=0 fazlograte=0 msg=\"Performance statistics: average CPU: 2, memory: 35, concurrent sessions: 61, setup-rate: 2\"\n") + '{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FGT60D4614044725 logid=0100040704 type=event subtype=system level=notice vd=root logdesc="System performance statistics" action="perf-stats" cpu=2 mem=35 totalsession=61 disk=2 bandwidth=158/138 setuprate=2 disklograte=0 fazlograte=0 msg="Performance statistics: average CPU: 2, memory: 35, concurrent sessions: 61, 
setup-rate: 2"\n' + ) + message = mt.render( + mark="<111>", bsd=bsd, date=date, time=time, host=host, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"fgt_event\"") + 'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="fgt_event"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -46,10 +49,12 @@ def test_fortinet_fgt_event(record_property, setup_wordlist, setup_splunk, setup assert resultCount == 1 + # <111> Aug 17 00:00:00 fortigate date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf="port3" dstip=ff02::1:ff77:20d4 dstintf="port3" sessionid=408903 proto=58 action=accept policyid=2 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=:: transport=0 service="icmp6/131/0" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app="IPv6.ICMP" appcat="Network.Service" apprisk=elevated applist="sniffer-profile" appact=detected utmaction=allow countapp=1 -def test_fortinet_fgt_traffic(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "{}-{}".format(random.choice(setup_wordlist), - random.choice(setup_wordlist)) +def test_fortinet_fgt_traffic( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) 
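Review bot: The commented-out template line is kept inside the argument list of `env.from_string(` in test_fortinet_fgt_event, so the call now reads as a comment followed by a lone string argument, which is easy to misread as two arguments; the dead line should be deleted or moved above the call. Related, every `mt.render(...)` in this file passes `tzoffset=tzoffset` although none of the reformatted templates on the new side contains `{{ tzoffset }}` (only the commented-out one did), so the keyword is dead input that Jinja silently ignores; the same applies to the hunks for test_fortinet_fgt_traffic, test_fortinet_fgt_utm, test_fortinet_fgt_traffic_framed and test_fortinet_fgt_traffic_nohdr. The enclosing functions start outside these hunks.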
@@ -60,12 +65,16 @@ def test_fortinet_fgt_traffic(record_property, setup_wordlist, setup_splunk, set epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf=\"port3\" dstip=ff02::1:ff77:20d4 dstintf=\"port3\" sessionid=408903 proto=58 action=accept policyid=2 dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=snat transip=:: transport=0 service=\"icmp6/131/0\" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app=\"IPv6.ICMP\" appcat=\"Network.Service\" apprisk=elevated applist=\"sniffer-profile\" appact=detected utmaction=allow countapp=1\n") - message = mt.render(mark="<111>", bsd=bsd, date=date, time=time, host=host, tzoffset=tzoffset) + '{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf="port3" dstip=ff02::1:ff77:20d4 dstintf="port3" sessionid=408903 proto=58 action=accept policyid=2 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=:: transport=0 service="icmp6/131/0" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app="IPv6.ICMP" appcat="Network.Service" apprisk=elevated applist="sniffer-profile" appact=detected utmaction=allow countapp=1\n' + ) + message = mt.render( + mark="<111>", bsd=bsd, date=date, time=time, host=host, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"fgt_traffic\"") + 'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="fgt_traffic"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
@@ -76,10 +85,10 @@ def test_fortinet_fgt_traffic(record_property, setup_wordlist, setup_splunk, set assert resultCount == 1 + # <111> Aug 17 00:00:00 fortigate date=2015-08-11 time=19:21:40 logver=52 devname=US-Corp_Main1 devid=FGT37D4613800138 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd=root sessionid=1490845588 user="" srcip=172.30.16.119 srcport=53235 srcintf="Internal" dstip=114.112.67.75 dstport=80 dstintf="External-SDC" proto=6 service=HTTP hostname="popo.wan.ijinshan.com" profile="scan" action=passthrough reqtype=direct url="/popo/launch?c=cHA9d29vZHMxOTgyQGhvdG1haWwuY29tJnV1aWQ9NDBiNDkyZDRmNzdhNjFmOTNlMjQwMjhiYjE3ZGRlYTYmY29tcGl" sentbyte=525 rcvdbyte=325 direction=outgoing msg="URL belongs to an allowed category in policy" method=domain cat=52 catdesc="Information Technology" def test_fortinet_fgt_utm(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "{}-{}".format(random.choice(setup_wordlist), - random.choice(setup_wordlist)) + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) 
@@ -90,12 +99,16 @@ def test_fortinet_fgt_utm(record_property, setup_wordlist, setup_splunk, setup_s epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FGT37D4613800138 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd=root sessionid=1490845588 user=\"\" srcip=172.30.16.119 srcport=53235 srcintf=\"Internal\" dstip=114.112.67.75 dstport=80 dstintf=\"External-SDC\" proto=6 service=HTTP hostname=\"popo.wan.ijinshan.com\" profile=\"scan\" action=passthrough reqtype=direct url=\"/popo/launch?c=cHA9d29vZHMxOTgyQGhvdG1haWwuY29tJnV1aWQ9NDBiNDkyZDRmNzdhNjFmOTNlMjQwMjhiYjE3ZGRlYTYmY29tcGl\" sentbyte=525 rcvdbyte=325 direction=outgoing msg=\"URL belongs to an allowed category in policy\" method=domain cat=52 catdesc=\"Information Technology\"\n") - message = mt.render(mark="<111>", bsd=bsd, date=date, time=time, host=host, tzoffset=tzoffset) + '{{ mark }} {{ bsd }} fortigate date={{ date }} time={{ time }} devname={{ host }} devid=FGT37D4613800138 logid=0317013312 type=utm subtype=webfilter eventtype=ftgd_allow level=notice vd=root sessionid=1490845588 user="" srcip=172.30.16.119 srcport=53235 srcintf="Internal" dstip=114.112.67.75 dstport=80 dstintf="External-SDC" proto=6 service=HTTP hostname="popo.wan.ijinshan.com" profile="scan" action=passthrough reqtype=direct url="/popo/launch?c=cHA9d29vZHMxOTgyQGhvdG1haWwuY29tJnV1aWQ9NDBiNDkyZDRmNzdhNjFmOTNlMjQwMjhiYjE3ZGRlYTYmY29tcGl" sentbyte=525 rcvdbyte=325 direction=outgoing msg="URL belongs to an allowed category in policy" method=domain cat=52 catdesc="Information Technology"\n' + ) + message = mt.render( + mark="<111>", bsd=bsd, date=date, time=time, host=host, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"fgt_utm\"") + 'search _time={{ epoch }} index=netfw host="{{ host }}" 
sourcetype="fgt_utm"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -106,10 +119,12 @@ def test_fortinet_fgt_utm(record_property, setup_wordlist, setup_splunk, setup_s assert resultCount == 1 + # <111> date=2015-08-11 time=19:19:43 devname=Nosey devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf="port3" dstip=ff02::1:ff77:20d4 dstintf="port3" sessionid=408903 proto=58 action=accept policyid=2 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=:: transport=0 service="icmp6/131/0" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app="IPv6.ICMP" appcat="Network.Service" apprisk=elevated applist="sniffer-profile" appact=detected utmaction=allow countapp=1 -def test_fortinet_fgt_traffic_framed(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "{}-{}".format(random.choice(setup_wordlist), - random.choice(setup_wordlist)) +def test_fortinet_fgt_traffic_framed( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) 
@@ -120,15 +135,19 @@ def test_fortinet_fgt_traffic_framed(record_property, setup_wordlist, setup_splu epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}date={{ date }} time={{ time }} devname={{ host }} devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf=\"port3\" dstip=ff02::1:ff77:20d4 dstintf=\"port3\" sessionid=408903 proto=58 action=accept policyid=2 dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=snat transip=:: transport=0 service=\"icmp6/131/0\" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app=\"IPv6.ICMP\" appcat=\"Network.Service\" apprisk=elevated applist=\"sniffer-profile\" appact=detected utmaction=allow countapp=1\n") - message = mt.render(mark="<111>", bsd=bsd, date=date, time=time, host=host, tzoffset=tzoffset) + '{{ mark }}date={{ date }} time={{ time }} devname={{ host }} devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf="port3" dstip=ff02::1:ff77:20d4 dstintf="port3" sessionid=408903 proto=58 action=accept policyid=2 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=:: transport=0 service="icmp6/131/0" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app="IPv6.ICMP" appcat="Network.Service" apprisk=elevated applist="sniffer-profile" appact=detected utmaction=allow countapp=1\n' + ) + message = mt.render( + mark="<111>", bsd=bsd, date=date, time=time, host=host, tzoffset=tzoffset + ) message_len = len(message) ietf = f"{message_len} {message}" - + sendsingle(ietf, setup_sc4s[0], setup_sc4s[1][601]) st = env.from_string( - "search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"fgt_traffic\"") + 'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="fgt_traffic"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
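Review bot: The octet-count prefix in `ietf = f"{message_len} {message}"` is built from `message_len = len(message)`, which counts characters rather than bytes; the template and host values shown here are ASCII so the two agree, but if setup_wordlist ever yields non-ASCII words the framed length would be short and the receiver would mis-split the message. Assuming sendsingle encodes as UTF-8 (its implementation is not visible in this hunk), `message_len = len(message.encode("utf-8"))` pins the frame length to what is actually put on the wire. The enclosing function test_fortinet_fgt_traffic_framed starts outside the hunk.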
@@ -139,9 +158,11 @@ def test_fortinet_fgt_traffic_framed(record_property, setup_wordlist, setup_splu assert resultCount == 1 -def test_fortinet_fgt_traffic_nohdr(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "{}-{}".format(random.choice(setup_wordlist), - random.choice(setup_wordlist)) + +def test_fortinet_fgt_traffic_nohdr( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) 
@@ -152,12 +173,16 @@ def test_fortinet_fgt_traffic_nohdr(record_property, setup_wordlist, setup_splun epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}date={{ date }} time={{ time }} devname={{ host }} devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf=\"port3\" dstip=ff02::1:ff77:20d4 dstintf=\"port3\" sessionid=408903 proto=58 action=accept policyid=2 dstcountry=\"Reserved\" srccountry=\"Reserved\" trandisp=snat transip=:: transport=0 service=\"icmp6/131/0\" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app=\"IPv6.ICMP\" appcat=\"Network.Service\" apprisk=elevated applist=\"sniffer-profile\" appact=detected utmaction=allow countapp=1\n") - message = mt.render(mark="<111>", bsd=bsd, date=date, time=time, host=host, tzoffset=tzoffset) + '{{ mark }}date={{ date }} time={{ time }} devname={{ host }} devid=FG800C3912801080 logid=0004000017 type=traffic subtype=sniffer level=notice vd=root srcip=fe80::20c:29ff:fe77:20d4 srcintf="port3" dstip=ff02::1:ff77:20d4 dstintf="port3" sessionid=408903 proto=58 action=accept policyid=2 dstcountry="Reserved" srccountry="Reserved" trandisp=snat transip=:: transport=0 service="icmp6/131/0" duration=36 sentbyte=0 rcvdbyte=40 sentpkt=0 rcvdpkt=0 appid=16321 app="IPv6.ICMP" appcat="Network.Service" apprisk=elevated applist="sniffer-profile" appact=detected utmaction=allow countapp=1\n' + ) + message = mt.render( + mark="<111>", bsd=bsd, date=date, time=time, host=host, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"fgt_traffic\"") + 'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="fgt_traffic"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
@@ -166,4 +191,4 @@ def test_fortinet_fgt_traffic_nohdr(record_property, setup_wordlist, setup_splun record_property("resultCount", resultCount) record_property("message", message) - assert resultCount == 1 \ No newline at end of file + assert resultCount == 1 diff --git a/tests/test_fortinet_web.py b/tests/test_fortinet_web.py index 9338567511..32b7df20b2 100644 --- a/tests/test_fortinet_web.py +++ b/tests/test_fortinet_web.py @@ -15,8 +15,7 @@ # <111> Oct 25 13:08:00 fortiweb date=2013-10-07 time=11:30:53 devname=FortiWeb-A log_id=10000017 msg_id=000000001117 device_id=FVVM040000010871 vd="root" timezone="(GMT-5:00)Eastern Time(US & Canada)" type=event subtype="system" pri=information trigger_policy="" user=admin ui=GUI action=login status=success msg="User admin login successfully from GUI(172.20.120.47)" def test_fortinet_fwb_event(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "{}-{}".format(random.choice(setup_wordlist), - random.choice(setup_wordlist)) + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) 
@@ -27,13 +26,15 @@ def test_fortinet_fwb_event(record_property, setup_wordlist, setup_splunk, setup epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} fortiweb date={{ date }} time={{ time }} devname={{ host }} log_id=10000017 msg_id=000000001117 device_id=FVVM040000010871 vd=\"root\" timezone=\"(GMT{{ tzoffset }})Region,City\" type=event subtype=\"system\" pri=information trigger_policy=\"\" user=admin ui=GUI action=login status=success msg=\"User admin login successfully from GUI(172.20.120.47)\"") - message = mt.render(mark="<111>", bsd=bsd, host=host, time=time, date=date, tzoffset=tzoffset) + '{{ mark }} {{ bsd }} fortiweb date={{ date }} time={{ time }} devname={{ host }} log_id=10000017 msg_id=000000001117 device_id=FVVM040000010871 vd="root" timezone="(GMT{{ tzoffset }})Region,City" type=event subtype="system" pri=information trigger_policy="" user=admin ui=GUI action=login status=success msg="User admin login successfully from GUI(172.20.120.47)"' + ) + message = mt.render( + mark="<111>", bsd=bsd, host=host, time=time, date=date, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string( - "search _time={{epoch}} index=netops sourcetype=\"fwb_event\"") + st = env.from_string('search _time={{epoch}} index=netops sourcetype="fwb_event"') search = st.render(host=host, epoch=epoch) resultCount, eventCount = splunk_single(setup_splunk, search) 
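Review bot: The reformatted search `'search _time={{epoch}} index=netops sourcetype="fwb_event"'` carries no host filter, yet `st.render(host=host, epoch=epoch)` still passes `host`, so the keyword is unused and the `resultCount == 1` assertion can match any fwb_event indexed in the same second, including events from a concurrent test run. If the parser derives host from `devname={{ host }}` as the fgt tests in this patch assume, adding `host="{{ host }}"` to the search restores the per-test isolation; the same applies to the hunks for test_fortinet_fwb_traffic and test_fortinet_fwb_attack. The enclosing function test_fortinet_fwb_event starts outside the hunk.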
@@ -44,10 +45,12 @@ def test_fortinet_fwb_event(record_property, setup_wordlist, setup_splunk, setup assert resultCount == 1 + # <111> Oct 25 13:08:00 fortiweb date=2013-10-07 time=11:30:53 devname=FortiWeb-A log_id=30000000 msg_id=000001351251 device_id=FV-1KD3A14800059 vd="root" timezone="(GMT-8:00)Pacific Time(US&Canada)" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy=Auto-policy src=10.0.8.103 src_port=8142 dst=10.20.8.22 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=444 http_response_bytes=401 http_method=get http_url="/" http_host="10.0.8.22" http_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; " http_retcode=200 msg="HTTP GET request from 10.0.8.103:8142 to 10.20.8.22:80" srccountry="Reserved" content_switch_name="testa" server_pool_name="Auto-ServerFarm" -def test_fortinet_fwb_traffic(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "{}-{}".format(random.choice(setup_wordlist), - random.choice(setup_wordlist)) +def test_fortinet_fwb_traffic( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) 
@@ -58,13 +61,15 @@ def test_fortinet_fwb_traffic(record_property, setup_wordlist, setup_splunk, set epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} fortiweb date={{ date }} time={{ time }} devname={{ host }} log_id=30000000 msg_id=000001351251 device_id=FV-1KD3A14800059 vd=\"root\" timezone=\"(GMT{{ tzoffset }})Region,City\" type=traffic subtype=\"http\" pri=notice proto=tcp service=http status=success reason=none policy=Auto-policy src=10.0.8.103 src_port=8142 dst=10.20.8.22 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=444 http_response_bytes=401 http_method=get http_url=\"/\" http_host=\"10.0.8.22\" http_agent=\"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; \" http_retcode=200 msg=\"HTTP GET request from 10.0.8.103:8142 to 10.20.8.22:80\" srccountry=\"Reserved\" content_switch_name=\"testa\" server_pool_name=\"Auto-ServerFarm\"") - message = mt.render(mark="<111>", bsd=bsd, host=host, time=time, date=date, tzoffset=tzoffset) + '{{ mark }} {{ bsd }} fortiweb date={{ date }} time={{ time }} devname={{ host }} log_id=30000000 msg_id=000001351251 device_id=FV-1KD3A14800059 vd="root" timezone="(GMT{{ tzoffset }})Region,City" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy=Auto-policy src=10.0.8.103 src_port=8142 dst=10.20.8.22 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=444 http_response_bytes=401 http_method=get http_url="/" http_host="10.0.8.22" http_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; " http_retcode=200 msg="HTTP GET request from 10.0.8.103:8142 to 10.20.8.22:80" srccountry="Reserved" content_switch_name="testa" server_pool_name="Auto-ServerFarm"' + ) + message = mt.render( + mark="<111>", bsd=bsd, host=host, time=time, date=date, tzoffset=tzoffset + ) 
sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string( - "search _time={{epoch}} index=netfw sourcetype=\"fwb_traffic\"") + st = env.from_string('search _time={{epoch}} index=netfw sourcetype="fwb_traffic"') search = st.render(host=host, epoch=epoch) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -75,10 +80,10 @@ def test_fortinet_fwb_traffic(record_property, setup_wordlist, setup_splunk, set assert resultCount == 1 + # <111> Oct 25 13:08:00 fortiweb date=2013-10-07 time=11:30:53 devname=FortiWeb-A log_id=20000010 msg_id=000139289631 device_id=FV-1KD3A15800072 vd="root" timezone="(GMT+8:00)Beijing,ChongQing,HongKong,Urumgi" type=attack subtype="waf_signature_detection" pri=alert trigger_policy="" severity_level=Medium proto=tcp service=http action=Alert policy="123" src=172.22.6.234 src_port=60554 dst=10.0.9.13 dst_port=80 http_method=get http_url="/preview.php?file==../" http_host="10.0.9.123" http_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" http_session_id=3B9864AEKNQSLLODNTILCG37M2FZ6A88 msg="[Signatures name: 123] [main class name: Generic Attacks(Extended)] [sub class name: Directory Traversal]: 060150002" signature_subclass="Directory Traversal" signature_id="060150002" srccountry="Reserved" content_switch_name="none" server_pool_name="123" false_positive_mitigation="none" log_type=LOG_TYPE_SCORE_SUM event_score=3 score_message="[score_type: total_score] [score_scope: TCP Session] [score_threshold: 5] [score_sum: 7]" entry_sequence="000139289630" def test_fortinet_fwb_attack(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "{}-{}".format(random.choice(setup_wordlist), - random.choice(setup_wordlist)) + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) 
@@ -89,13 +94,15 @@ def test_fortinet_fwb_attack(record_property, setup_wordlist, setup_splunk, setu epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} fortiweb date={{ date }} time={{ time }} devname={{ host }} log_id=20000010 msg_id=000139289631 device_id=FV-1KD3A15800072 vd=\"root\" timezone=\"(GMT{{ tzoffset }})Region,City\" type=attack subtype=\"waf_signature_detection\" pri=alert trigger_policy=\"\" severity_level=Medium proto=tcp service=http action=Alert policy=\"123\" src=172.22.6.234 src_port=60554 dst=10.0.9.13 dst_port=80 http_method=get http_url=\"/preview.php?file==../\" http_host=\"10.0.9.123\" http_agent=\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0\" http_session_id=3B9864AEKNQSLLODNTILCG37M2FZ6A88 msg=\"[Signatures name: 123] [main class name: Generic Attacks(Extended)] [sub class name: Directory Traversal]: 060150002\" signature_subclass=\"Directory Traversal\" signature_id=\"060150002\" srccountry=\"Reserved\" content_switch_name=\"none\" server_pool_name=\"123\" false_positive_mitigation=\"none\" log_type=LOG_TYPE_SCORE_SUM event_score=3 score_message=\"[score_type: total_score] [score_scope: TCP Session] [score_threshold: 5] [score_sum: 7]\" entry_sequence=\"000139289630\"") - message = mt.render(mark="<111>", bsd=bsd, host=host, time=time, date=date, tzoffset=tzoffset) + '{{ mark }} {{ bsd }} fortiweb date={{ date }} time={{ time }} devname={{ host }} log_id=20000010 msg_id=000139289631 device_id=FV-1KD3A15800072 vd="root" timezone="(GMT{{ tzoffset }})Region,City" type=attack subtype="waf_signature_detection" pri=alert trigger_policy="" severity_level=Medium proto=tcp service=http action=Alert policy="123" src=172.22.6.234 src_port=60554 dst=10.0.9.13 dst_port=80 http_method=get http_url="/preview.php?file==../" http_host="10.0.9.123" http_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" http_session_id=3B9864AEKNQSLLODNTILCG37M2FZ6A88 msg="[Signatures name: 123] [main 
class name: Generic Attacks(Extended)] [sub class name: Directory Traversal]: 060150002" signature_subclass="Directory Traversal" signature_id="060150002" srccountry="Reserved" content_switch_name="none" server_pool_name="123" false_positive_mitigation="none" log_type=LOG_TYPE_SCORE_SUM event_score=3 score_message="[score_type: total_score] [score_scope: TCP Session] [score_threshold: 5] [score_sum: 7]" entry_sequence="000139289630"' + ) + message = mt.render( + mark="<111>", bsd=bsd, host=host, time=time, date=date, tzoffset=tzoffset + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string( - "search _time={{epoch}} index=netids sourcetype=\"fwb_attack\"") + st = env.from_string('search _time={{epoch}} index=netids sourcetype="fwb_attack"') search = st.render(host=host, epoch=epoch) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_haproxy.py b/tests/test_haproxy.py index e789810251..e4453eed1c 100644 --- a/tests/test_haproxy.py +++ b/tests/test_haproxy.py @@ -21,11 +21,10 @@ r"{{ mark }}{{ bsd }} {{ host }} haproxy[{{ pid }}]: 10.0.0.0:1000 [something]", ] + @pytest.mark.parametrize("event", haproxy_testdata) def test_haproxy(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): - host = "{}-{}".format( - random.choice(setup_wordlist), random.choice(setup_wordlist) - ) + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) pid = random.randint(1000, 32000) dt = datetime.datetime.now() 
@@ -57,11 +56,12 @@ def test_haproxy(record_property, setup_wordlist, setup_splunk, setup_sc4s, even r"{{ mark }}{{ bsd }} {{ host }} haproxy[{{ pid }}]: client_ip=10.0.0.0 client_port=1000", ] + @pytest.mark.parametrize("event", haproxy_testdata_splunk) -def test_haproxy_splunk(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): - host = "{}-{}".format( - random.choice(setup_wordlist), random.choice(setup_wordlist) - ) +def test_haproxy_splunk( + record_property, setup_wordlist, setup_splunk, setup_sc4s, event +): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) pid = random.randint(1000, 32000) dt = datetime.datetime.now() diff --git a/tests/test_imperva.py b/tests/test_imperva.py index a3654f3aca..454eef7bdf 100644 --- a/tests/test_imperva.py +++ b/tests/test_imperva.py @@ -13,6 +13,7 @@ env = Environment() + def test_imperva_incapsula(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) 
@@ -23,12 +24,17 @@ def test_imperva_incapsula(record_property, setup_wordlist, setup_splunk, setup_ epoch = epoch[:-7] mt = env.from_string( - "{{ bsd }} {{ host }} " + 'CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3| fileid=3412341160002518171 sourceServiceName=site123.abcd.info siteid=1509732 suid=50005477 requestClientApplication=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 deviceFacility=mia cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support src=12.12.12.12 caIP=13.13.13.13 ccode=IL tag=www.elvis.com cn1=200 in=54 xff=44.44.44.44 cs1=NOT_SUPPORTED cs1Label=Cap Support cs4=c2e72124-0e8a-4dd8-b13b-3da246af3ab2 cs4Label=VID cs5=de3c633ac428e0678f3aac20cf7f239431e54cbb8a17e8302f53653923305e1835a9cd871db32aa4fc7b8a9463366cc4 cs5Label=clappsigdproc=Browser cs6=Firefox cs6Label=clapp ccode=IL cicode=Rehovot cs7=31.8969 cs7Label=latitude cs8=34.8186 cs8Label=longitude Customer=CEFcustomer123 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 start=1453290121336 request=site123.abcd.info/ requestmethod=GET qstr=p\=%2fetc%2fpasswd app=HTTP act=REQ_CHALLENGE_CAPTCHA deviceExternalID=33411452762204224 cpt=443 filetype=30037,1001, filepermission=2,1, cs9=Block Malicious User,High Risk Resources, cs9Label=Rule name' + "\n") + "{{ bsd }} {{ host }} " + + "CEF:0|Incapsula|SIEMintegration|1|1|Illegal Resource Access|3| fileid=3412341160002518171 sourceServiceName=site123.abcd.info siteid=1509732 suid=50005477 requestClientApplication=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 deviceFacility=mia cs2=true cs2Label=Javascript Support cs3=true cs3Label=CO Support src=12.12.12.12 caIP=13.13.13.13 ccode=IL tag=www.elvis.com cn1=200 in=54 xff=44.44.44.44 cs1=NOT_SUPPORTED cs1Label=Cap Support cs4=c2e72124-0e8a-4dd8-b13b-3da246af3ab2 cs4Label=VID cs5=de3c633ac428e0678f3aac20cf7f239431e54cbb8a17e8302f53653923305e1835a9cd871db32aa4fc7b8a9463366cc4 cs5Label=clappsigdproc=Browser cs6=Firefox cs6Label=clapp 
ccode=IL cicode=Rehovot cs7=31.8969 cs7Label=latitude cs8=34.8186 cs8Label=longitude Customer=CEFcustomer123 ver=TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 start=1453290121336 request=site123.abcd.info/ requestmethod=GET qstr=p\=%2fetc%2fpasswd app=HTTP act=REQ_CHALLENGE_CAPTCHA deviceExternalID=33411452762204224 cpt=443 filetype=30037,1001, filepermission=2,1, cs9=Block Malicious User,High Risk Resources, cs9Label=Rule name" + + "\n" + ) message = mt.render(mark="<111>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netwaf host=\"{{ host }}\" sourcetype=\"cef\" source=\"Imperva:Incapsula\"") + st = env.from_string( + 'search _time={{ epoch }} index=netwaf host="{{ host }}" sourcetype="cef" source="Imperva:Incapsula"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_imperva_waf.py b/tests/test_imperva_waf.py index 55527ad395..dff7891494 100644 --- a/tests/test_imperva_waf.py +++ b/tests/test_imperva_waf.py 
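Review bot: The reformatted Incapsula payload keeps `qstr=p\=%2fetc%2fpasswd` inside a plain (non-raw) double-quoted string, and `\=` is not a valid Python escape: the interpreter preserves the backslash but emits a DeprecationWarning (a SyntaxWarning from 3.12), which pre-commit/black will not catch. Either prefix that fragment with `r"..."` or write `\\=` so the intended literal backslash is explicit. Separately, the concatenated template begins with `"{{ bsd }} {{ host }} "` and has no `{{ mark }}`, although `mt.render(mark="<111>", bsd=bsd, host=host)` on the next line supplies one, so the message is sent without a PRI; if that is intentional, a one-line comment such as `# no PRI on purpose: exercises the no-priority fallback path` would stop the next reader from "fixing" it. test_imperva_incapsula starts before this hunk.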
@@ -11,16 +11,21 @@ from .timeutils import * import pytest + env = Environment() # Nov 15 23:57:28 3.3.3.3 CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Custom|custom-policy-violation|High|act=block dst=1.1.1.1 dpt=80 duser=GeritaMija3s src=1.0.0.1 spt=59774 proto=TCP rt=Nov 15 2019 15:52:28 cat=Alert cs1=Suspicious File Access Attempt - 1 cs1Label=Policy cs2=WebCloud (simulation) cs2Label=ServerGroup cs3=WebCloud HTTP Service (simulation) cs3Label=ServiceName cs4=english.hku.hk Application cs4Label=ApplicationName cs5=custom-policy-violation cs5Label=Description cs6=POST cs6Label=HTTPHeaderRequest-URLMethod cs7=/uploads/dede/sys_verifies.php cs7Label=HTTPHeaderRequest-URLPath cs8=Connection, Content-Type, Accept, Referer, User-Agent, Content-Length, Host Keep-Alive, application/x-www-form-urlencoded, */*, http://aaaaa.bbb.cc/uploads/dede/sys_verifies.php?action=down, Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2), 231, english.hku.hk cs8Label=HttpHeaderRequest-Header cs9=down action cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945989736 cs10Label=EventID cs11=7500662780438769543 cs11Label=SessionID # Nov 15 23:45:44 3.3.3.3 CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Correlation|sql-injection|High|act=block dst=1.1.1.1 dpt=80 duser=Marcelavms src=1.0.0.1 spt=46814 proto=TCP rt=Nov 15 2019 15:45:42 cat=Alert cs1=Web Correlation Policy cs1Label=Policy cs2=AAA Wildcard (Dept) (simulation cs2Label=ServerGroup cs3=AAA Wildcard (Dept) HTTP Service (simulation) cs3Label=ServiceName cs4=aaa.bbb.hk Application cs4Label=ApplicationName cs5=sql-injection cs5Label=Description cs6=GET cs6Label=HTTPHeaderRequest-URLMethod cs7=/cdblog/wp-trackback.php cs7Label=HTTPHeaderRequest-URLPath cs8=Accept-Language, Accept-Charset, Accept, User-Agent, Host, Connection en-us,en, utf-8,*, text/html,image/jpeg,image/gif,text/xml,text/plain,image/png, Opera/9.27, aaa.bbb.hk, close cs8Label=HttpHeaderRequest-Header cs9=555&&BeNChMaRK(2999999,MD5(NOW())) p 
cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945954386 cs10Label=EventID cs11= cs11Label=SessionID test_fallback_events = [ - '{{ mark }} {{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Custom|custom-policy-violation|High|act=block dst=1.1.1.1 dpt=80 duser=GeritaMija3s src=1.0.0.1 spt=59774 proto=TCP rt={{ bsd }} cat=Alert cs1=Suspicious File Access Attempt - 1 cs1Label=Policy cs2=WebCloud (simulation) cs2Label=ServerGroup cs3=WebCloud HTTP Service (simulation) cs3Label=ServiceName cs4=aaaa.bbb.cc Application cs4Label=ApplicationName cs5=custom-policy-violation cs5Label=Description cs6=POST cs6Label=HTTPHeaderRequest-URLMethod cs7=/uploads/dede/sys_verifies.php cs7Label=HTTPHeaderRequest-URLPath cs8=Connection, Content-Type, Accept, Referer, User-Agent, Content-Length, Host Keep-Alive, application/x-www-form-urlencoded, */*, http://aaaaa.bbb.cc/uploads/dede/sys_verifies.php?action=down, Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2), 231, aaaa.bbb.cc cs8Label=HttpHeaderRequest-Header cs9=down action cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945989736 cs10Label=EventID cs11=7500662780438769543 cs11Label=SessionID', - '{{ mark }} {{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Correlation|sql-injection|High|act=block dst=1.1.1.1 dpt=80 duser=Marcelavms src=1.0.0.1 spt=46814 proto=TCP rt={{ bsd }} cat=Alert cs1=Web Correlation Policy cs1Label=Policy cs2=AAA Wildcard (Dept) (simulation cs2Label=ServerGroup cs3=AAA Wildcard (Dept) HTTP Service (simulation) cs3Label=ServiceName cs4=aaa.bbb.hk Application cs4Label=ApplicationName cs5=sql-injection cs5Label=Description cs6=GET cs6Label=HTTPHeaderRequest-URLMethod cs7=/cdblog/wp-trackback.php cs7Label=HTTPHeaderRequest-URLPath cs8=Accept-Language, Accept-Charset, Accept, User-Agent, Host, Connection en-us,en, utf-8,*, text/html,image/jpeg,image/gif,text/xml,text/plain,image/png, Opera/9.27, aaa.bbb.hk, close cs8Label=HttpHeaderRequest-Header 
cs9=555&&BeNChMaRK(2999999,MD5(NOW())) p cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945954386 cs10Label=EventID cs11= cs11Label=SessionID', + "{{ mark }} {{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Custom|custom-policy-violation|High|act=block dst=1.1.1.1 dpt=80 duser=GeritaMija3s src=1.0.0.1 spt=59774 proto=TCP rt={{ bsd }} cat=Alert cs1=Suspicious File Access Attempt - 1 cs1Label=Policy cs2=WebCloud (simulation) cs2Label=ServerGroup cs3=WebCloud HTTP Service (simulation) cs3Label=ServiceName cs4=aaaa.bbb.cc Application cs4Label=ApplicationName cs5=custom-policy-violation cs5Label=Description cs6=POST cs6Label=HTTPHeaderRequest-URLMethod cs7=/uploads/dede/sys_verifies.php cs7Label=HTTPHeaderRequest-URLPath cs8=Connection, Content-Type, Accept, Referer, User-Agent, Content-Length, Host Keep-Alive, application/x-www-form-urlencoded, */*, http://aaaaa.bbb.cc/uploads/dede/sys_verifies.php?action=down, Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2), 231, aaaa.bbb.cc cs8Label=HttpHeaderRequest-Header cs9=down action cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945989736 cs10Label=EventID cs11=7500662780438769543 cs11Label=SessionID", + "{{ mark }} {{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.5.0.10_0|Correlation|sql-injection|High|act=block dst=1.1.1.1 dpt=80 duser=Marcelavms src=1.0.0.1 spt=46814 proto=TCP rt={{ bsd }} cat=Alert cs1=Web Correlation Policy cs1Label=Policy cs2=AAA Wildcard (Dept) (simulation cs2Label=ServerGroup cs3=AAA Wildcard (Dept) HTTP Service (simulation) cs3Label=ServiceName cs4=aaa.bbb.hk Application cs4Label=ApplicationName cs5=sql-injection cs5Label=Description cs6=GET cs6Label=HTTPHeaderRequest-URLMethod cs7=/cdblog/wp-trackback.php cs7Label=HTTPHeaderRequest-URLPath cs8=Accept-Language, Accept-Charset, Accept, User-Agent, Host, Connection en-us,en, utf-8,*, text/html,image/jpeg,image/gif,text/xml,text/plain,image/png, Opera/9.27, aaa.bbb.hk, close cs8Label=HttpHeaderRequest-Header 
cs9=555&&BeNChMaRK(2999999,MD5(NOW())) p cs9Label=HttpHeaderRequest-Parameters cs10=6704543119945954386 cs10Label=EventID cs11= cs11Label=SessionID", ] + + @pytest.mark.parametrize("event", test_fallback_events) -def test_imperva_waf_fallback(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event): +def test_imperva_waf_fallback( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event +): host = get_host_key dt = datetime.datetime.now() @@ -35,7 +40,8 @@ def test_imperva_waf_fallback(record_property, setup_wordlist, get_host_key, set sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=netwaf _time={{ epoch }} sourcetype=\"imperva:waf\" host=\"{{ host }}\"") + 'search index=netwaf _time={{ epoch }} sourcetype="imperva:waf" host="{{ host }}"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
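Review bot: The new multi-line signature `def test_imperva_waf_fallback(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event):` requests the `setup_wordlist` fixture but the body visible here derives `host` from `get_host_key` and never reads `setup_wordlist`; the same unused parameter is carried into the rewritten signatures of test_imperva_waf_security and test_imperva_waf_firewall, the five test_juniper_junos_*_structured functions in test_juniper_junos_rfc5424.py and test_juniper_netscreen_fw in test_juniper_legacy.py. If the fixture is only needed for its side effects, a brief comment on the first such signature would document that; otherwise it can be dropped from these parameter lists since the bodies take the host from `get_host_key`. Each of these functions continues beyond its hunk, so I could not confirm the parameter is unused further down.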
@@ -46,16 +52,21 @@ def test_imperva_waf_fallback(record_property, setup_wordlist, get_host_key, set assert resultCount == 1 + # Jan 30 14:43:13 146.222.1.43 CEF:0|Imperva Inc.|SecureSphere|13.0.0|Signature|Sql Signature Violation|Low|act=None dst=10.222.17.15 dpt=1521 duser=Multiple src=10.222.17.15 spt=51462 proto=TCP rt=Jan 30 2020 08:43:15 cat=Alert cs1=Recommended Signatures Policy for Database Applications cs1Label=Policy cs2=hklp320p cs2Label=ServerGroup cs3=Multiple EXECUTE IMMEDIATE attempt(+) from 10.222.17.15 cs3Label=Description # Jan 30 14:50:39 146.222.1.43 CEF:0|Imperva Inc.|SecureSphere|13.0.0|Protocol|Extremely Long SQL Request|High|act=None dst=146.222.96.180 dpt=0 duser=n/a src=10.222.57.18 spt=46205 proto=TCP rt=Jan 30 2020 04:50:35 cat=Alert cs1=SQL Protocol Policy cs1Label=Policy cs2=hklp743p cs2Label=ServerGroup cs3=hklp743p_oracle cs3Label=ServiceName cs4=Default Oracle Application cs4Label=ApplicationName cs5=Multiple Extremely Long SQL Request from 10.222.57.18 cs5Label=Description # Jul 16 18:19:52 3.3.3.3 CEF:0|Imperva Inc.|SecureSphere|10.5.0|Worm|Web Worm|High|act=Block dst=1.1.1.1 dpt=80 duser=n/a src=1.0.0.1 spt=65535 proto=TCP rt=Jul 16 2015 18:19:50 cat=Alert cs1=Web Worm Policy cs1Label=Policy cs2=Server3 cs2Label=ServerGroup cs3=ServiceName3 cs3Label=ServiceName cs4=ApplicationName3 cs4Label=ApplicationName cs5=Access to: /cgi-system/rtpd.cgi cs5Label=Description test_security_events = [ - '{{ mark }}{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.0.0|Signature|Sql Signature Violation|Low|act=None dst=10.222.17.15 dpt=1521 duser=Multiple src=10.222.17.15 spt=51462 proto=TCP rt={{ bsd }} cat=Alert cs1=Recommended Signatures Policy for Database Applications cs1Label=Policy cs2=hklp320p cs2Label=ServerGroup cs3=Multiple EXECUTE IMMEDIATE attempt(+) from 10.222.17.15 cs3Label=Description', - '{{ mark }}{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.0.0|Protocol|Extremely Long SQL Request|High|act=None 
dst=146.222.96.180 dpt=0 duser=n/a src=10.222.57.18 spt=46205 proto=TCP rt={{ bsd }} cat=Alert cs1=SQL Protocol Policy cs1Label=Policy cs2=hklp743p cs2Label=ServerGroup cs3=hklp743p_oracle cs3Label=ServiceName cs4=Default Oracle Application cs4Label=ApplicationName cs5=Multiple Extremely Long SQL Request from 10.222.57.18 cs5Label=Description', - '{{ mark }}{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|10.5.0|Worm|Web Worm|High|act=Block dst=1.1.1.1 dpt=80 duser=n/a src=1.0.0.1 spt=65535 proto=TCP rt={{ epoch }} cat=Alert cs1=Web Worm Policy cs1Label=Policy cs2=Server3 cs2Label=ServerGroup cs3=ServiceName3 cs3Label=ServiceName cs4=ApplicationName3 cs4Label=ApplicationName cs5=Access to: /cgi-system/rtpd.cgi cs5Label=Description', + "{{ mark }}{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.0.0|Signature|Sql Signature Violation|Low|act=None dst=10.222.17.15 dpt=1521 duser=Multiple src=10.222.17.15 spt=51462 proto=TCP rt={{ bsd }} cat=Alert cs1=Recommended Signatures Policy for Database Applications cs1Label=Policy cs2=hklp320p cs2Label=ServerGroup cs3=Multiple EXECUTE IMMEDIATE attempt(+) from 10.222.17.15 cs3Label=Description", + "{{ mark }}{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|13.0.0|Protocol|Extremely Long SQL Request|High|act=None dst=146.222.96.180 dpt=0 duser=n/a src=10.222.57.18 spt=46205 proto=TCP rt={{ bsd }} cat=Alert cs1=SQL Protocol Policy cs1Label=Policy cs2=hklp743p cs2Label=ServerGroup cs3=hklp743p_oracle cs3Label=ServiceName cs4=Default Oracle Application cs4Label=ApplicationName cs5=Multiple Extremely Long SQL Request from 10.222.57.18 cs5Label=Description", + "{{ mark }}{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|10.5.0|Worm|Web Worm|High|act=Block dst=1.1.1.1 dpt=80 duser=n/a src=1.0.0.1 spt=65535 proto=TCP rt={{ epoch }} cat=Alert cs1=Web Worm Policy cs1Label=Policy cs2=Server3 cs2Label=ServerGroup cs3=ServiceName3 cs3Label=ServiceName cs4=ApplicationName3 cs4Label=ApplicationName cs5=Access to: 
/cgi-system/rtpd.cgi cs5Label=Description", ] + + @pytest.mark.parametrize("event", test_security_events) -def test_imperva_waf_security(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event): +def test_imperva_waf_security( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event +): host = get_host_key dt = datetime.datetime.now() @@ -70,7 +81,8 @@ def test_imperva_waf_security(record_property, setup_wordlist, get_host_key, set sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=netwaf _time={{ epoch }} sourcetype=\"imperva:waf:security:cef\" host=\"{{ host }}\"") + 'search index=netwaf _time={{ epoch }} sourcetype="imperva:waf:security:cef" host="{{ host }}"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -81,8 +93,11 @@ def test_imperva_waf_security(record_property, setup_wordlist, get_host_key, set assert resultCount == 1 + # Apr 19 10:29:53 3.3.3.3 CEF:0|Imperva Inc.|SecureSphere|12.0.0|Firewall|SSL Untraceable Connection|Medium|act=Block dst=160.131.222.235 dpt=2157 duser=Mathbelliin src=49.93.221.243 spt=11286 proto=TCP rt=Jan 30 2020 14:41:23 cat=Alert cs1=Automated Vulnerability Scanning cs1Label=Policy cs2=IRIS_1 cs2Label=ServerGroup cs3=app1-5.host1.com [Multi_VIP] cs3Label=ServiceName cs4=For Monitor ONLY cs4Label=ApplicationName cs5=Distributed Too Many Headers per Response cs5Label=Description -def test_imperva_waf_firewall(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): +def test_imperva_waf_firewall( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s +): host = get_host_key dt = datetime.datetime.now() 
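Review bot: In the rewritten `test_security_events` list the third entry uses `rt={{ epoch }}` while the first two use `rt={{ bsd }}`, and the other two lists in this file also use `{{ bsd }}` for the CEF `rt` field. The render call for these events is outside the hunk, so if `epoch` is not passed to `mt.render(...)` Jinja2's default `Undefined` turns it into an empty string and the event is sent as `rt= cat=Alert` without any error, which would make the third parametrized case exercise a malformed timestamp rather than the intended epoch form. If the epoch variant is deliberate, a comment on that entry such as `# rt as epoch: covers the numeric-timestamp form of the CEF rt field` would make the intent clear; otherwise `rt={{ bsd }}` keeps the three cases consistent.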
@@ -92,13 +107,15 @@ def test_imperva_waf_firewall(record_property, setup_wordlist, get_host_key, set epoch = epoch[:-7] mt = env.from_string( - '{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|12.0.0|Firewall|SSL Untraceable Connection|Medium|act=Block dst=160.131.222.235 dpt=2157 duser=Mathbelliin src=49.93.221.243 spt=11286 proto=TCP rt={{ bsd }} cat=Alert cs1=Automated Vulnerability Scanning cs1Label=Policy cs2=IRIS_1 cs2Label=ServerGroup cs3=app1-5.host1.com [Multi_VIP] cs3Label=ServiceName cs4=For Monitor ONLY cs4Label=ApplicationName cs5=Distributed Too Many Headers per Response cs5Label=Description') + "{{ bsd }} {{ host }} CEF:0|Imperva Inc.|SecureSphere|12.0.0|Firewall|SSL Untraceable Connection|Medium|act=Block dst=160.131.222.235 dpt=2157 duser=Mathbelliin src=49.93.221.243 spt=11286 proto=TCP rt={{ bsd }} cat=Alert cs1=Automated Vulnerability Scanning cs1Label=Policy cs2=IRIS_1 cs2Label=ServerGroup cs3=app1-5.host1.com [Multi_VIP] cs3Label=ServiceName cs4=For Monitor ONLY cs4Label=ApplicationName cs5=Distributed Too Many Headers per Response cs5Label=Description" + ) message = mt.render(bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=netwaf _time={{ epoch }} sourcetype=\"imperva:waf:firewall:cef\" host=\"{{ host }}\"") + 'search index=netwaf _time={{ epoch }} sourcetype="imperva:waf:firewall:cef" host="{{ host }}"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_isc.py b/tests/test_isc.py index c40f6703d5..2adf6cf231 100644 --- a/tests/test_isc.py +++ b/tests/test_isc.py 
@@ -42,9 +42,7 @@ @pytest.mark.parametrize("event", isc_dns_testdata) def test_isc_dns(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): - host = "{}-{}".format( - random.choice(setup_wordlist), random.choice(setup_wordlist) - ) + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) pid = random.randint(1000, 32000) dt = datetime.datetime.now() @@ -71,11 +69,12 @@ def test_isc_dns(record_property, setup_wordlist, setup_splunk, setup_sc4s, even assert resultCount == 1 + @pytest.mark.parametrize("event", isc_dnsfailed_testdata) -def test_isc_dnsfailed(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): - host = "{}-{}".format( - random.choice(setup_wordlist), random.choice(setup_wordlist) - ) +def test_isc_dnsfailed( + record_property, setup_wordlist, setup_splunk, setup_sc4s, event +): + host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) pid = random.randint(1000, 32000) dt = datetime.datetime.now() @@ -102,6 +101,7 @@ def test_isc_dnsfailed(record_property, setup_wordlist, setup_splunk, setup_sc4s assert resultCount == 1 + @pytest.mark.parametrize("event", isc_dhcp_testdata) def test_isc_dhcp(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) @@ -130,4 +130,3 @@ def test_isc_dhcp(record_property, setup_wordlist, setup_splunk, setup_sc4s, eve record_property("message", message) assert resultCount == 1 - diff --git a/tests/test_juniper_junos_rfc3164.py b/tests/test_juniper_junos_rfc3164.py index 3b1aebbaaf..d6bbfe6e3d 100644 --- a/tests/test_juniper_junos_rfc3164.py +++ b/tests/test_juniper_junos_rfc3164.py @@ -255,4 +255,3 @@ def test_juniper_junos_switch_rpd( record_property("message", message) assert resultCount == 1 - diff --git a/tests/test_juniper_junos_rfc5424.py b/tests/test_juniper_junos_rfc5424.py index c7ff8e982a..faa1d0b6dd 100644 
--- a/tests/test_juniper_junos_rfc5424.py +++ b/tests/test_juniper_junos_rfc5424.py @@ -14,7 +14,9 @@ # <165>1 2007-02-15T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT [junos@2636.1.1.1.2.18 username="user"] User 'user' exiting configuration mode # @pytest.mark.xfail -def test_juniper_junos_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): +def test_juniper_junos_structured( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s +): host = get_host_key dt = datetime.datetime.now(datetime.timezone.utc) @@ -25,12 +27,15 @@ def test_juniper_junos_structured(record_property, setup_wordlist, get_host_key, epoch = epoch[:-3] mt = env.from_string( - "{{ mark }} {{ iso }}Z {{ host }} mgd 3046 UI_DBASE_LOGOUT_EVENT [junos@2636.1.1.1.2.18 username=\"user\"] User 'user' exiting configuration mode\n") + "{{ mark }} {{ iso }}Z {{ host }} mgd 3046 UI_DBASE_LOGOUT_EVENT [junos@2636.1.1.1.2.18 username=\"user\"] User 'user' exiting configuration mode\n" + ) message = mt.render(mark="<165>1", iso=iso, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netops host=\"{{ host }}\" sourcetype=\"juniper:structured\"") + st = env.from_string( + 'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="juniper:structured"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
@@ -41,9 +46,12 @@ def test_juniper_junos_structured(record_property, setup_wordlist, get_host_key, assert resultCount == 1 + # <165>1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.xx.xx" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.xx.xx.xx" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.XXX" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.xxx" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"] # @pytest.mark.xfail -def test_juniper_junos_idp_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): +def test_juniper_junos_idp_structured( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s +): host = get_host_key dt = datetime.datetime.now(datetime.timezone.utc) 
@@ -54,12 +62,15 @@ def test_juniper_junos_idp_structured(record_property, setup_wordlist, get_host_ epoch = epoch[:-3] mt = env.from_string( - "{{ mark }} {{ iso }}Z {{ host }} RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.xx.xx\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.xx.xx.xx\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.XXX\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.xxx\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]") + '{{ mark }} {{ iso }}Z {{ host }} RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time="1507845354" message-type="SIG" source-address="183.78.180.27" source-port="45610" destination-address="118.127.xx.xx" destination-port="80" protocol-name="TCP" service-name="SERVICE_IDP" application-name="HTTP" rule-name="9" rulebase-name="IPS" policy-name="Recommended" export-id="15229" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="TROJAN:ZMEU-BOT-SCAN" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="172.xx.xx.xx" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="sec-zone-name-internet" source-interface-name="reth0.XXX" destination-zone-name="dst-sec-zone1-outside" destination-interface-name="reth1.xxx" packet-log-id="0" 
alert="no" username="N/A" roles="N/A" message="-"]' + ) message = mt.render(mark="<165>1", iso=iso, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netids host=\"{{ host }}\" sourcetype=\"juniper:junos:idp:structured\"") + st = env.from_string( + 'search _time={{ epoch }} index=netids host="{{ host }}" sourcetype="juniper:junos:idp:structured"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -70,9 +81,12 @@ def test_juniper_junos_idp_structured(record_property, setup_wordlist, get_host_ assert resultCount == 1 + # <134> Aug 02 14:45:04 10.0.0.1 65.197.254.193 20090320, 17331, 2009/03/20 14:47:45, 2009/03/20 14:47:50, global, 53, [FW NAME], [FW IP], traffic, traffic log, trust, (NULL), 10.1.1.20, 1725, 82.2.19.2, 2383, untrust, (NULL), 84.5.78.4, 80, 84.53.178.64, 80, tcp, global, 53, [FW NAME], fw/vpn, 4, accepted, info, no, Creation, (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 1, no, 0, Not Set, sos # @pytest.mark.xfail -def test_juniper_junos_fw_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): +def test_juniper_junos_fw_structured( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s +): host = get_host_key dt = datetime.datetime.now(datetime.timezone.utc) 
@@ -83,12 +97,15 @@ def test_juniper_junos_fw_structured(record_property, setup_wordlist, get_host_k epoch = epoch[:-3] mt = env.from_string( - "{{ mark }} {{ iso }}Z {{ host }} RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.26 logical-system-name=\"test-lsys\" source-address=\"10.10.10.100\" source-port=\"4206\" destination-address=\"10.20.20.15\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"10.10.10.100\" nat-source-port=\"4206\" nat-destination-address=\"10.20.20.15\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"123\" source-zone-name=\"TEST1\" destination-zone-name=\"TEST2\" session-id-32=\"14285714\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth1.100\"]") + '{{ mark }} {{ iso }}Z {{ host }} RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.26 logical-system-name="test-lsys" source-address="10.10.10.100" source-port="4206" destination-address="10.20.20.15" destination-port="445" service-name="junos-smb" nat-source-address="10.10.10.100" nat-source-port="4206" nat-destination-address="10.20.20.15" nat-destination-port="445" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="123" source-zone-name="TEST1" destination-zone-name="TEST2" session-id-32="14285714" username="N/A" roles="N/A" packet-incoming-interface="reth1.100"]' + ) message = mt.render(mark="<23>1", iso=iso, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:firewall:structured\"") + st = env.from_string( + 'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="juniper:junos:firewall:structured"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
@@ -99,9 +116,12 @@ def test_juniper_junos_fw_structured(record_property, setup_wordlist, get_host_k assert resultCount == 1 + # <165>1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="1.1.1.1" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"] # @pytest.mark.xfail -def test_juniper_junos_aamw_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): +def test_juniper_junos_aamw_structured( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s +): host = get_host_key dt = datetime.datetime.now(datetime.timezone.utc) 
@@ -112,12 +132,15 @@ def test_juniper_junos_aamw_structured(record_property, setup_wordlist, get_host epoch = epoch[:-3] mt = env.from_string( - "{{ mark }} {{ iso }}Z {{ host }} RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"]") + '{{ mark }} {{ iso }}Z {{ host }} RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname="dummy_host" file-category="executable" verdict-number="10" malware-info="Testfile" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="1.1.1.1" source-port="60148" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" policy-name="test-policy" username="N/A" roles="N/A" session-id-32="502156" source-zone-name="Inside" destination-zone-name="Outside" sample-sha256="e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494" file-name="dummy_file" url="dummy_url"]' + ) message = mt.render(mark="<165>1", iso=iso, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:aamw:structured\"") + st = env.from_string( + 'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="juniper:junos:aamw:structured"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
@@ -128,9 +151,12 @@ def test_juniper_junos_aamw_structured(record_property, setup_wordlist, get_host assert resultCount == 1 + # <165>1 2007-02-15T09:17:15.719Z secintel1 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="1.1.1.1" source-port="36612" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"] # @pytest.mark.xfail -def test_juniper_junos_secintel_structured(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): +def test_juniper_junos_secintel_structured( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s +): host = get_host_key dt = datetime.datetime.now(datetime.timezone.utc) 
@@ -141,12 +167,15 @@ def test_juniper_junos_secintel_structured(record_property, setup_wordlist, get_ epoch = epoch[:-3] mt = env.from_string( - "{{ mark }} {{ iso }}Z {{ host }} RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"]") + '{{ mark }} {{ iso }}Z {{ host }} RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category="secintel" sub-category="CC" action="BLOCK" action-detail="CLOSE REDIRECT MSG" http-host="dummy_host" threat-severity="10" source-address="1.1.1.1" source-port="36612" destination-address="10.0.0.1" destination-port="80" protocol-id="6" application="HTTP" nested-application="N/A" feed-name="cc_url_data" policy-name="test" profile-name="test-profile" username="N/A" roles="N/A" session-id-32="502362" source-zone-name="Inside" destination-zone-name="Outside" occur-count="0"]' + ) message = mt.render(mark="<23>1", iso=iso, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"juniper:junos:secintel:structured\"") + st = env.from_string( + 'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="juniper:junos:secintel:structured"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_juniper_legacy.py b/tests/test_juniper_legacy.py index 59dfffd874..e2b7e4041d 100644 --- a/tests/test_juniper_legacy.py 
+++ b/tests/test_juniper_legacy.py @@ -14,7 +14,9 @@ # <23> Apr 24 12:30:05 cs-loki3 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, ANOMALY Attack log <64.1.2.1/48397->198.87.233.110/80> for TCP protocol and service HTTP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:INVALID:MSNG-HTTP-VER, NAT <46.0.3.254:55870->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/2.0->untrust:fe-0/0/3.0, packet-log-id: 0 and misc-message - # <23> Mar 18 17:56:52 [FW IP] [FW Model]: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time="2009-03-18 16:07:06" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1 -def test_juniper_netscreen_fw(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): +def test_juniper_netscreen_fw( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s +): host = get_host_key dt = datetime.datetime.now() 
@@ -24,12 +26,15 @@ def test_juniper_netscreen_fw(record_property, setup_wordlist, get_host_key, set epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} ns204: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time=\"2009-03-18 16:07:06\" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1\n") + '{{ mark }} {{ bsd }} {{ host }} ns204: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time="2009-03-18 16:07:06" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1\n' + ) message = mt.render(mark="<23>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"netscreen:firewall\"") + st = env.from_string( + 'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="netscreen:firewall"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
@@ -40,9 +45,12 @@ def test_juniper_netscreen_fw(record_property, setup_wordlist, get_host_key, set assert resultCount == 1 + # <23> Apr 24 12:30:05 cs-loki3 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, ANOMALY Attack log <64.1.2.1/48397->198.87.233.110/80> for TCP protocol and service HTTP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:INVALID:MSNG-HTTP-VER, NAT <46.0.3.254:55870->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/2.0->untrust:fe-0/0/3.0, packet-log-id: 0 and misc-message - # <23> Mar 18 17:56:52 [FW IP] [FW Model]: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time="2009-03-18 16:07:06" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1 -def test_juniper_netscreen_fw_singleport(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): +def test_juniper_netscreen_fw_singleport( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s +): host = get_host_key dt = datetime.datetime.now() 
@@ -52,12 +60,15 @@ def test_juniper_netscreen_fw_singleport(record_property, setup_wordlist, get_ho epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} ns204: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time=\"2009-03-18 16:07:06\" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1 singleport=5000\n") + '{{ mark }} {{ bsd }} {{ host }} ns204: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time="2009-03-18 16:07:06" duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=16384 src=21.10.90.125 dst=23.16.1.1 singleport=5000\n' + ) message = mt.render(mark="<23>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netfw host=\"{{ host }}\" sourcetype=\"netscreen:firewall\"") + st = env.from_string( + 'search _time={{ epoch }} index=netfw host="{{ host }}" sourcetype="netscreen:firewall"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -68,7 +79,10 @@ def test_juniper_netscreen_fw_singleport(record_property, setup_wordlist, get_ho assert resultCount == 1 -def test_juniper_netscreen_fw_singleport_soup(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): + +def test_juniper_netscreen_fw_singleport_soup( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s +): host = get_host_key dt = datetime.datetime.now() 
@@ -77,13 +91,14 @@ def test_juniper_netscreen_fw_singleport_soup(record_property, setup_wordlist, g # Tune time functions epoch = epoch[:-7] - mt = env.from_string( - "{{ mark }}{{ host }}: NetScreen this is a messagen") + mt = env.from_string("{{ mark }}{{ host }}: NetScreen this is a messagen") message = mt.render(mark="<23>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search index=netfw host=\"{{ host }}\" sourcetype=\"netscreen:firewall\"") + st = env.from_string( + 'search index=netfw host="{{ host }}" sourcetype="netscreen:firewall"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_linux_syslog.py b/tests/test_linux_syslog.py index 3801d8fe2b..0d9d34d63f 100644 --- a/tests/test_linux_syslog.py +++ b/tests/test_linux_syslog.py @@ -15,8 +15,10 @@ env = Environment() -#<78>Oct 25 09:10:00 /usr/sbin/cron[54928]: (root) CMD (/usr/libexec/atrun) -def test_linux__nohost_program_as_path(record_property, setup_wordlist, setup_splunk, setup_sc4s): +# <78>Oct 25 09:10:00 /usr/sbin/cron[54928]: (root) CMD (/usr/libexec/atrun) +def test_linux__nohost_program_as_path( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) pid = random.randint(1000, 32000) 
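Review bot: The reflowed template on the new side still reads `NetScreen this is a messagen`; the other netscreen templates in this file end the message with `\n` (see `dst=23.16.1.1\n` and `singleport=5000\n` above), so this looks like a lost backslash rather than a deliberate word, and the message is sent without the trailing newline the siblings carry. If a newline is intended the line should read `mt = env.from_string("{{ mark }}{{ host }}: NetScreen this is a message\n")`; if the garbled token is deliberate (a malformed "soup" message is what this test appears to exercise), a one-line comment such as `# intentionally malformed body: no PRI/timestamp separation, no trailing newline` would stop the next reader from "fixing" it. The search on this path also drops the `_time={{ epoch }}` constraint the sibling tests use and matches on host alone, which is worth a short comment as well. test_juniper_netscreen_fw_singleport_soup starts in the previous hunk and its assertions continue outside this one.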
@@ -26,12 +28,16 @@ def test_linux__nohost_program_as_path(record_property, setup_wordlist, setup_sp # Tune time functions epoch = epoch[:-7] - mt = env.from_string("{{ mark }} {{ bsd }} /usr/sbin/cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n") + mt = env.from_string( + "{{ mark }} {{ bsd }} /usr/sbin/cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n" + ) message = mt.render(mark="<111>", host=host, bsd=bsd, pid=pid) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=osnix \"[{{ pid }}]\" sourcetype=\"nix:syslog\"") + st = env.from_string( + 'search _time={{ epoch }} index=osnix "[{{ pid }}]" sourcetype="nix:syslog"' + ) search = st.render(epoch=epoch, pid=pid) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -42,7 +48,10 @@ def test_linux__nohost_program_as_path(record_property, setup_wordlist, setup_sp assert resultCount == 1 -def test_linux__host_program_as_path(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +def test_linux__host_program_as_path( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) pid = random.randint(1000, 32000) 
@@ -52,12 +61,16 @@ def test_linux__host_program_as_path(record_property, setup_wordlist, setup_splu # Tune time functions epoch = epoch[:-7] - mt = env.from_string("{{ mark }} {{ bsd }} {{ host }} /usr/sbin/cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n") + mt = env.from_string( + "{{ mark }} {{ bsd }} {{ host }} /usr/sbin/cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n" + ) message = mt.render(mark="<111>", bsd=bsd, host=host, pid=pid) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=osnix \"[{{ pid }}]\" host={{ host }} sourcetype=\"nix:syslog\"") + st = env.from_string( + 'search _time={{ epoch }} index=osnix "[{{ pid }}]" host={{ host }} sourcetype="nix:syslog"' + ) search = st.render(epoch=epoch, pid=pid, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -68,7 +81,10 @@ def test_linux__host_program_as_path(record_property, setup_wordlist, setup_splu assert resultCount == 1 -def test_linux__nohost_program_conforms(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +def test_linux__nohost_program_conforms( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) pid = random.randint(1000, 32000) 
@@ -78,12 +94,16 @@ def test_linux__nohost_program_conforms(record_property, setup_wordlist, setup_s # Tune time functions epoch = epoch[:-7] - mt = env.from_string("{{ mark }} {{ bsd }} cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n") + mt = env.from_string( + "{{ mark }} {{ bsd }} cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n" + ) message = mt.render(mark="<111>", bsd=bsd, host=host, pid=pid) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=osnix \"[{{ pid }}]\" sourcetype=\"nix:syslog\"") + st = env.from_string( + 'search _time={{ epoch }} index=osnix "[{{ pid }}]" sourcetype="nix:syslog"' + ) search = st.render(epoch=epoch, pid=pid) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -94,7 +114,10 @@ def test_linux__nohost_program_conforms(record_property, setup_wordlist, setup_s assert resultCount == 1 -def test_linux__host_program_conforms(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +def test_linux__host_program_conforms( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) pid = random.randint(1000, 32000) 
@@ -104,12 +127,16 @@ def test_linux__host_program_conforms(record_property, setup_wordlist, setup_spl # Tune time functions epoch = epoch[:-7] - mt = env.from_string("{{ mark }} {{ bsd }} {{ host }} cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n") + mt = env.from_string( + "{{ mark }} {{ bsd }} {{ host }} cron[{{ pid }}]: (root) CMD (/usr/libexec/atrun)\n" + ) message = mt.render(mark="<111>", bsd=bsd, host=host, pid=pid) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=osnix \"[{{ pid }}]\" host={{ host }} sourcetype=\"nix:syslog\"") + st = env.from_string( + 'search _time={{ epoch }} index=osnix "[{{ pid }}]" host={{ host }} sourcetype="nix:syslog"' + ) search = st.render(epoch=epoch, pid=pid, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_loggen.py b/tests/test_loggen.py index 5b1278a5db..5e4c86f99c 100644 --- a/tests/test_loggen.py +++ b/tests/test_loggen.py @@ -5,6 +5,7 @@ from .sendmessage import * from .splunkutils import * from .timeutils import * + env = Environment() 
@@ -17,10 +18,14 @@ def test_loggen_rfc(record_property, setup_wordlist, setup_splunk, setup_sc4s): iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) epoch = epoch[:-3] - mt = env.from_string("<38>1 {{ iso }} {{ host }} prg00000 1234 - - seq: 0000000000, thread: 0000, runid: 1595365556, stamp: {{iso}} PADDPADDPADDPADDPADDP\n") + mt = env.from_string( + "<38>1 {{ iso }} {{ host }} prg00000 1234 - - seq: 0000000000, thread: 0000, runid: 1595365556, stamp: {{iso}} PADDPADDPADDPADDPADDP\n" + ) message = mt.render(iso=iso, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"syslogng:loggen\"") + st = env.from_string( + 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="syslogng:loggen"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -30,7 +35,8 @@ def test_loggen_rfc(record_property, setup_wordlist, setup_splunk, setup_sc4s): assert resultCount == 1 -#<38>2020-07-24T17:04:52 localhost prg00000[1234]: seq: 0000000008, thread: 0000, runid: 1595610292, stamp: 2020-07-24T17:04:52 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD + +# <38>2020-07-24T17:04:52 localhost prg00000[1234]: seq: 0000000008, thread: 0000, runid: 1595610292, stamp: 2020-07-24T17:04:52 PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADD def test_loggen_bsd(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) 
@@ -39,10 +45,14 @@ def test_loggen_bsd(record_property, setup_wordlist, setup_splunk, setup_sc4s): iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) iso = dt.isoformat()[0:19] epoch = epoch[:-7] - mt = env.from_string("<38>{{iso}} {{ host }} prg00000[1234]: seq: 0000000008, thread: 0000, runid: 1595610292, stamp: {{iso}} PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDBSD\n") + mt = env.from_string( + "<38>{{iso}} {{ host }} prg00000[1234]: seq: 0000000008, thread: 0000, runid: 1595610292, stamp: {{iso}} PADDPADDPADDPADDPADDPADDPADDPADDPADDPADDPADDBSD\n" + ) message = mt.render(iso=iso, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"syslogng:loggen\"") + st = env.from_string( + 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="syslogng:loggen"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_mcafee_epo.py b/tests/test_mcafee_epo.py index e9e17e660c..695b8c1dc5 100644 --- a/tests/test_mcafee_epo.py +++ b/tests/test_mcafee_epo.py 
@@ -26,8 +26,11 @@ r'{{ mark }} {{ iso }}Z {{ host }} EPOEvents - EventFwd [agentInfo@4444 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] {0011aacc-eeee-0000-0000-000011223311}THEMBP1000011223311172.16.23.1231.1.1.103Linux0GARY189050{{ iso }}Policy Auditor Vulnerability Assessment1.1.0Security020eJx1jjELgzAUhPf+ipCpBYWoS+smOHYQHEuR1xjKK+YZzEupiP+9j+7d7o7vuNs0gXe61l2jmhgd qxYYVG+BCOmprkjpo45N1/UnnemUcBS4NKIZvYsMPvyC0uSmyouLKqramLo8C7G4mCYeeA2ysGkI YUILjDMN8+PlLEsTyS7OO2KY9J6JfYuel3UY5ce/1u2+74cvff89lg==', ] + @pytest.mark.parametrize("event", mcafee_endpoint_security_testdata) -def test_mcafee_epo_structured_mcafee_endpoint_security(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event): +def test_mcafee_epo_structured_mcafee_endpoint_security( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event +): host = get_host_key dt = datetime.datetime.now(datetime.timezone.utc) @@ -42,7 +45,9 @@ def test_mcafee_epo_structured_mcafee_endpoint_security(record_property, setup_w sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string('search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="mcafee:epo:syslog" source="mcafee_endpoint_security"') + st = env.from_string( + 'search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="mcafee:epo:syslog" source="mcafee_endpoint_security"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
@@ -53,8 +58,11 @@ def test_mcafee_epo_structured_mcafee_endpoint_security(record_property, setup_w assert resultCount == 1 + @pytest.mark.parametrize("event", mcafee_agent_testdata) -def test_mcafee_epo_structured_mcafee_agent(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event): +def test_mcafee_epo_structured_mcafee_agent( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event +): host = get_host_key dt = datetime.datetime.now(datetime.timezone.utc) @@ -69,7 +77,9 @@ def test_mcafee_epo_structured_mcafee_agent(record_property, setup_wordlist, get sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string('search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="mcafee:epo:syslog" source="mcafee_agent"') + st = env.from_string( + 'search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="mcafee:epo:syslog" source="mcafee_agent"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -80,8 +90,11 @@ def test_mcafee_epo_structured_mcafee_agent(record_property, setup_wordlist, get assert resultCount == 1 + @pytest.mark.parametrize("event", policy_auditor_vulnerability_assessment_testdata) -def test_mcafee_epo_structured_policy_auditor_vulnerability_assessment(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event): +def test_mcafee_epo_structured_policy_auditor_vulnerability_assessment( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event +): host = get_host_key dt = datetime.datetime.now(datetime.timezone.utc) 
@@ -96,7 +109,9 @@ def test_mcafee_epo_structured_policy_auditor_vulnerability_assessment(record_pr sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string('search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="mcafee:epo:syslog" source="policy_auditor_vulnerability_assessment"') + st = env.from_string( + 'search _time={{ epoch }} index=epav host="{{ host }}" sourcetype="mcafee:epo:syslog" source="policy_auditor_vulnerability_assessment"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_mcafee_nsp.py b/tests/test_mcafee_nsp.py index 07ae7f32bb..06108ac969 100644 --- a/tests/test_mcafee_nsp.py +++ b/tests/test_mcafee_nsp.py 
@@ -10,126 +10,146 @@ env = Environment() testdata_mcafee_nsp_audit = [ - '{{ mark }} {{ bsd }} {{ host }} {{ app }}: audit_action="Audit Syslog Forwarder Message Customization" audit_result="succeeded" audit_time="2020-12-28 18:23:36 UTC" user="Administrator" category="Admin Domain" audit_domain="My Company" detail_comment="N/A" detail_delta="N/A"' + '{{ mark }} {{ bsd }} {{ host }} {{ app }}: audit_action="Audit Syslog Forwarder Message Customization" audit_result="succeeded" audit_time="2020-12-28 18:23:36 UTC" user="Administrator" category="Admin Domain" audit_domain="My Company" detail_comment="N/A" detail_delta="N/A"' ] testdata_mcafee_nsp_alert = [ - '{{ mark }} {{ bsd }} {{ host }} {{ app }}: domain="My Company" alertid="6845473495895750289" alert_type="Statistical Anomaly" app_protocol="N/A" confidence="N/A" attack_count="1" attackid="Ox40008200" attack_name="Inbound UDP Packet Volume Too High" severity="High" alert_signature="N/A" attack_time="2020-12-28 19:08:26 UTC" category="VolumeDos" dest_ip="N/A" dest_name="N/A" dest_port="N/A" device_name="Mcafee_ips" direction="Inbound" confidence="N/A" file_name="N/A" file_hash="N/A" file_type="N/A" virus_name="N/A" action_status="Unknown" error_status="No error" protocol="N/A" result="n/a" src_ip="N/A" src_name="N/A" src_port="N/A" alert_uuid="2669053482585045088"' + '{{ mark }} {{ bsd }} {{ host }} {{ app }}: domain="My Company" alertid="6845473495895750289" alert_type="Statistical Anomaly" app_protocol="N/A" confidence="N/A" attack_count="1" attackid="Ox40008200" attack_name="Inbound UDP Packet Volume Too High" severity="High" alert_signature="N/A" attack_time="2020-12-28 19:08:26 UTC" category="VolumeDos" dest_ip="N/A" dest_name="N/A" dest_port="N/A" device_name="Mcafee_ips" direction="Inbound" confidence="N/A" file_name="N/A" file_hash="N/A" file_type="N/A" virus_name="N/A" action_status="Unknown" error_status="No error" protocol="N/A" result="n/a" src_ip="N/A" src_name="N/A" src_port="N/A" 
alert_uuid="2669053482585045088"' ] testdata_mcafee_nsp_acl = [ - '{{ mark }} {{ bsd }} {{ host }} {{ app }}: acl_action="PERMIT" description="" policy="Test Firewall Policy" rule_id="1" admin_domain="My Company" alert_count="N/A" direction="Inbound" duration="N/A" application="N/A" app="N/A" dest_country="N/A" dest_hostname="N/A" dest_ip="10.160.29.34" dest_port="514" interface="1-2" acl_protocol="udp" sensor_name="Mcafee_ips" src_country="N/A" src_host="N/A" src_ip="10.160.0.2" src_port="32825" user="N/A"' + '{{ mark }} {{ bsd }} {{ host }} {{ app }}: acl_action="PERMIT" description="" policy="Test Firewall Policy" rule_id="1" admin_domain="My Company" alert_count="N/A" direction="Inbound" duration="N/A" application="N/A" app="N/A" dest_country="N/A" dest_hostname="N/A" dest_ip="10.160.29.34" dest_port="514" interface="1-2" acl_protocol="udp" sensor_name="Mcafee_ips" src_country="N/A" src_host="N/A" src_ip="10.160.0.2" src_port="32825" user="N/A"' ] testdata_mcafee_nsp_fault = [ - '{{ mark }} {{ bsd }} {{ host }} {{ app }}: Fault : dvc="Manager" description="The Manager is unable to connect to the McAfee Update Server." ack_information="" additional_text="The Manager is unable to connect to the McAfee Update Server." admin_domain="My Company:" fault_component="UpdateServer" fault_level="Manager system level" fault_name="Update Server Connectivity Error" fault_source="Generated by Manager" fault_time="2020-12-28 18:26:57 UTC" fault_type="cleared" member_device="N/A" owner_id="0" recommended_action="Consult the system log for details and confirm that the Manager can resolve names and communicate with its default gateway and proxy server, as applicable." severity="Critical"' + '{{ mark }} {{ bsd }} {{ host }} {{ app }}: Fault : dvc="Manager" description="The Manager is unable to connect to the McAfee Update Server." ack_information="" additional_text="The Manager is unable to connect to the McAfee Update Server." 
admin_domain="My Company:" fault_component="UpdateServer" fault_level="Manager system level" fault_name="Update Server Connectivity Error" fault_source="Generated by Manager" fault_time="2020-12-28 18:26:57 UTC" fault_type="cleared" member_device="N/A" owner_id="0" recommended_action="Consult the system log for details and confirm that the Manager can resolve names and communicate with its default gateway and proxy server, as applicable." severity="Critical"' ] + @pytest.mark.parametrize("event", testdata_mcafee_nsp_audit) -def test_mcafee_nsp_audit(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): - host = "mcafee-nsp" - dt = datetime.datetime.now() - iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) +def test_mcafee_nsp_audit( + record_property, setup_wordlist, setup_splunk, setup_sc4s, event +): + host = "mcafee-nsp" + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) + + epoch = epoch[:-7] - epoch = epoch[:-7] + mt = env.from_string(event + "\n") + message = mt.render(mark="<36>", bsd=bsd, host=host, app="SyslogAuditLogForwarder") - mt = env.from_string(event + "\n") - message = mt.render(mark="<36>", bsd=bsd, host=host, app="SyslogAuditLogForwarder") + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + st = env.from_string( + 'search index=netids _time={{ epoch }} host={{ host }} sourcetype="mcafee:nsp" _raw="{{ message }}"' + ) - st = env.from_string( - 'search index=netids _time={{ epoch }} host={{ host }} sourcetype="mcafee:nsp" _raw="{{ message }}"' - ) + message1 = mt.render(mark="", bsd="", host="", app="") + search = st.render( + epoch=epoch, host=host, message=message1.lstrip().replace('"', '\\"')[2:] + ) + print("search:", search) + resultCount, eventCount = splunk_single(setup_splunk, search) - message1 = mt.render(mark="", bsd="", host="", app="") - search = st.render(epoch=epoch, host=host, 
message=message1.lstrip().replace('"', '\\"')[2:]) - print("search:", search) - resultCount, eventCount = splunk_single(setup_splunk, search) + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) - record_property("host", host) - record_property("resultCount", resultCount) - record_property("message", message) + assert resultCount == 1 - assert resultCount == 1 @pytest.mark.parametrize("event", testdata_mcafee_nsp_alert) -def test_mcafee_nsp_alert(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): - host = "mcafee-nsp" - dt = datetime.datetime.now() - iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) +def test_mcafee_nsp_alert( + record_property, setup_wordlist, setup_splunk, setup_sc4s, event +): + host = "mcafee-nsp" + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) - epoch = epoch[:-7] + epoch = epoch[:-7] - mt = env.from_string(event + "\n") - message = mt.render(mark="<36>", bsd=bsd, host=host, app="SyslogAlertForwarder") + mt = env.from_string(event + "\n") + message = mt.render(mark="<36>", bsd=bsd, host=host, app="SyslogAlertForwarder") - sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string( - 'search index=netids _time={{ epoch }} host={{ host }} sourcetype="mcafee:nsp" _raw="{{ message }}"' - ) + st = env.from_string( + 'search index=netids _time={{ epoch }} host={{ host }} sourcetype="mcafee:nsp" _raw="{{ message }}"' + ) - message1 = mt.render(mark="", bsd="", host="", app="") - search = st.render(epoch=epoch, host=host, message=message1.lstrip().replace('"', '\\"')[2:]) - print("search:", search) - resultCount, eventCount = splunk_single(setup_splunk, search) + message1 = mt.render(mark="", bsd="", host="", app="") + search = st.render( + epoch=epoch, host=host, message=message1.lstrip().replace('"', '\\"')[2:] + ) + 
print("search:", search) + resultCount, eventCount = splunk_single(setup_splunk, search) - record_property("host", host) - record_property("resultCount", resultCount) - record_property("message", message) + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) + + assert resultCount == 1 - assert resultCount == 1 @pytest.mark.parametrize("event", testdata_mcafee_nsp_acl) -def test_mcafee_nsp_acl(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): - host = "mcafee-nsp" - dt = datetime.datetime.now() - iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) +def test_mcafee_nsp_acl( + record_property, setup_wordlist, setup_splunk, setup_sc4s, event +): + host = "mcafee-nsp" + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) + + epoch = epoch[:-7] - epoch = epoch[:-7] + mt = env.from_string(event + "\n") + message = mt.render(mark="<36>", bsd=bsd, host=host, app="SyslogACLLogForwarder") - mt = env.from_string(event + "\n") - message = mt.render(mark="<36>", bsd=bsd, host=host, app="SyslogACLLogForwarder") + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + st = env.from_string( + 'search index=netids _time={{ epoch }} host={{ host }} sourcetype="mcafee:nsp" _raw="{{ message }}"' + ) - st = env.from_string( - 'search index=netids _time={{ epoch }} host={{ host }} sourcetype="mcafee:nsp" _raw="{{ message }}"' - ) + message1 = mt.render(mark="", bsd="", host="", app="") + search = st.render( + epoch=epoch, host=host, message=message1.lstrip().replace('"', '\\"')[2:] + ) + print("search:", search) + resultCount, eventCount = splunk_single(setup_splunk, search) - message1 = mt.render(mark="", bsd="", host="", app="") - search = st.render(epoch=epoch, host=host, message=message1.lstrip().replace('"', '\\"')[2:]) - print("search:", search) - resultCount, eventCount = 
splunk_single(setup_splunk, search) + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) - record_property("host", host) - record_property("resultCount", resultCount) - record_property("message", message) + assert resultCount == 1 - assert resultCount == 1 @pytest.mark.parametrize("event", testdata_mcafee_nsp_fault) -def test_mcafee_nsp_fault(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): - host = "mcafee-nsp" - dt = datetime.datetime.now() - iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) +def test_mcafee_nsp_fault( + record_property, setup_wordlist, setup_splunk, setup_sc4s, event +): + host = "mcafee-nsp" + dt = datetime.datetime.now() + iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) - epoch = epoch[:-7] + epoch = epoch[:-7] - mt = env.from_string(event + "\n") - message = mt.render(mark="<36>", bsd=bsd, host=host, app="SyslogFaultForwarder") + mt = env.from_string(event + "\n") + message = mt.render(mark="<36>", bsd=bsd, host=host, app="SyslogFaultForwarder") - sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) + sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string( - 'search index=netids _time={{ epoch }} host={{ host }} sourcetype="mcafee:nsp" _raw="{{ message }}"' - ) + st = env.from_string( + 'search index=netids _time={{ epoch }} host={{ host }} sourcetype="mcafee:nsp" _raw="{{ message }}"' + ) - message1 = mt.render(mark="", bsd="", host="", app="") - search = st.render(epoch=epoch, host=host, message=message1.lstrip().replace('"', '\\"')[2:]) - print("search:", search) - resultCount, eventCount = splunk_single(setup_splunk, search) + message1 = mt.render(mark="", bsd="", host="", app="") + search = st.render( + epoch=epoch, host=host, message=message1.lstrip().replace('"', '\\"')[2:] + ) + print("search:", search) + resultCount, eventCount = splunk_single(setup_splunk, search) - record_property("host", 
host) - record_property("resultCount", resultCount) - record_property("message", message) + record_property("host", host) + record_property("resultCount", resultCount) + record_property("message", message) - assert resultCount == 1 \ No newline at end of file + assert resultCount == 1 diff --git a/tests/test_mcafee_web_gateway.py b/tests/test_mcafee_web_gateway.py index 0ee3b11fd3..1ab79c6db1 100644 --- a/tests/test_mcafee_web_gateway.py +++ b/tests/test_mcafee_web_gateway.py 
@@ -23,18 +23,18 @@ def test_data_mcafeewg(record_property, setup_wordlist, setup_splunk, setup_sc4s # Tune time functions epoch = epoch[:-7] - event = "{{mark}}{{ bsd }} {{ host }} {{ app }}: status=\"403/80\" srcip=\"192.168.57.1\" user=\"-\" dhost=\"s3-eu-west-1.amazonaws.com\" urlp=\"80\" proto=\"HTTP/http\" mtd=\"GET\" urlc=\"Internet Services\" rep=\"-31\" mt=\"application/pdf\" mlwr=\"BehavesLike.PDF.Exploit.vx\" app=\"-\" bytes=\"458/509/2813889/3001\" ua=\"Chrome87-10.0\" http_referrer=\"http://www.cpcheckme.com/\" lat=\"0/0/165/2638\" rule=\"Block If Virus Was Found\" url=\"http://s3-eu-west-1.amazonaws.com/cp-chk-files/win7_64bit_big.pdf?static=CPCheckMe&rand=1608029225651\" file_name=\"win7_64bit_big.pdf\" destip=\"52.218.52.116\" rep_level=\"Minimal Risk\"" - + event = '{{mark}}{{ bsd }} {{ host }} {{ app }}: status="403/80" srcip="192.168.57.1" user="-" dhost="s3-eu-west-1.amazonaws.com" urlp="80" proto="HTTP/http" mtd="GET" urlc="Internet Services" rep="-31" mt="application/pdf" mlwr="BehavesLike.PDF.Exploit.vx" app="-" bytes="458/509/2813889/3001" ua="Chrome87-10.0" http_referrer="http://www.cpcheckme.com/" lat="0/0/165/2638" rule="Block If Virus Was Found" url="http://s3-eu-west-1.amazonaws.com/cp-chk-files/win7_64bit_big.pdf?static=CPCheckMe&rand=1608029225651" file_name="win7_64bit_big.pdf" destip="52.218.52.116" rep_level="Minimal Risk"' + mt = env.from_string(event + "\n") - message = mt.render(mark="<30>", bsd=bsd, host=host, app='mwg') + message = mt.render(mark="<30>", bsd=bsd, host=host, app="mwg") sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( 'search index=netproxy _time={{ epoch }} sourcetype="mcafee:wg:kv" source="mcafee:wg" host="{{ host }}" _raw="{{ message }}"' ) - - message1='mwg: status=\\"403/80\\" srcip=\\"192.168.57.1\\" user=\\"-\\" dhost=\\"s3-eu-west-1.amazonaws.com\\" urlp=\\"80\\" proto=\\"HTTP/http\\" mtd=\\"GET\\" urlc=\\"Internet Services\\" rep=\\"-31\\" mt=\\"application/pdf\\" 
mlwr=\\"BehavesLike.PDF.Exploit.vx\\" app=\\"-\\" bytes=\\"458/509/2813889/3001\\" ua=\\"Chrome87-10.0\\" http_referrer=\\"http://www.cpcheckme.com/\\" lat=\\"0/0/165/2638\\" rule=\\"Block If Virus Was Found\\" url=\\"http://s3-eu-west-1.amazonaws.com/cp-chk-files/win7_64bit_big.pdf?static=CPCheckMe&rand=1608029225651\\" file_name=\\"win7_64bit_big.pdf\\" destip=\\"52.218.52.116\\" rep_level=\\"Minimal Risk\\"' + + message1 = 'mwg: status=\\"403/80\\" srcip=\\"192.168.57.1\\" user=\\"-\\" dhost=\\"s3-eu-west-1.amazonaws.com\\" urlp=\\"80\\" proto=\\"HTTP/http\\" mtd=\\"GET\\" urlc=\\"Internet Services\\" rep=\\"-31\\" mt=\\"application/pdf\\" mlwr=\\"BehavesLike.PDF.Exploit.vx\\" app=\\"-\\" bytes=\\"458/509/2813889/3001\\" ua=\\"Chrome87-10.0\\" http_referrer=\\"http://www.cpcheckme.com/\\" lat=\\"0/0/165/2638\\" rule=\\"Block If Virus Was Found\\" url=\\"http://s3-eu-west-1.amazonaws.com/cp-chk-files/win7_64bit_big.pdf?static=CPCheckMe&rand=1608029225651\\" file_name=\\"win7_64bit_big.pdf\\" destip=\\"52.218.52.116\\" rep_level=\\"Minimal Risk\\"' search = st.render(epoch=epoch, host=host, message=message1) diff --git a/tests/test_microfocus_arcsight.py b/tests/test_microfocus_arcsight.py index ece5bb9043..5d0dd39b7f 100644 --- a/tests/test_microfocus_arcsight.py +++ b/tests/test_microfocus_arcsight.py @@ -227,4 +227,3 @@ def test_microfocus_unknown(record_property, setup_wordlist, setup_splunk, setup record_property("message", message) assert resultCount == 1 - diff --git a/tests/test_ossec.py b/tests/test_ossec.py index d647558803..b308e9a31f 100644 --- a/tests/test_ossec.py +++ b/tests/test_ossec.py 
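Review bot: `message1` on the last added line is a hand-maintained, backslash-escaped copy of `event`, so any future edit to `event` has to be mirrored in a second long literal or the search silently diverges from what was actually sent. test_mcafee_nsp_fault earlier in this commit derives the expected `_raw` from the same template instead; the equivalent here appears to be `message1 = mt.render(mark="", bsd="", host="", app="mwg").strip().replace('"', '\\"')`, which should render to the present literal — confirm by running the test once before removing the copy. test_data_mcafeewg begins outside this hunk.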
@@ -15,11 +15,11 @@ env = Environment() testdata_ossec = [ - '{{mark}}{{ bsd }} {{ host }} {{ app }}: Alert Level: 2; Rule: 1002 - Unknown problem somewhere in the system.; Location: so1->/var/log/messages; classification: syslog,errors,; Oct 1 21:33:07 so1 amazon-ssm-agent: Error occurred fetching the seelog config file path: open /etc/amazon/ssm/seelog.xml: no such file or directory', - '{{mark}}{{ bsd }} {{ host }} {{ app }}: Alert Level: 3; Rule: 18145 - Service startup type was changed.; Location: (windows_os) 10.202.37.29->WinEvtLog; classification: windows,policy_changed,; user: SYSTEM; 2020 Sep 28 02:33:16 WinEvtLog: System: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: IP-0ACA251D: The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start.', - '{{mark}}{{ bsd }} {{ host }} {{ app }}: Alert Level: 3; Rule: 5502 - Login session closed.; Location: so1->/var/log/secure; classification: pam,syslog,; Sep 25 10:12:15 so1 sshd[3201]: pam_unix(sshd:session): session closed for user splunker', - '{{mark}}{{ bsd }} {{ host }} {{ app }}: Alert Level: 7; Rule: 552 - Integrity checksum changed again (3rd time).; Location: so1->syscheck; classification: ossec,syscheck,; Previous MD5: \'3e244ac47c346cc252f093a4e4f000fb\'; Current MD5: \'d9ba8c6e3f0da05a67e24ac00668b6cc\'; Previous SHA1: \'116719c7294da657ff936b5676a82e6bf18a5a28\'; Current SHA1: \'1b1f0eaa6884e8398fd6ab92d9ebd96705d00a6b\'; Size changed: from \'409\' to \'446\'; Integrity checksum changed for: \'/etc/firewalld/zones/public.xml\'', -]; + "{{mark}}{{ bsd }} {{ host }} {{ app }}: Alert Level: 2; Rule: 1002 - Unknown problem somewhere in the system.; Location: so1->/var/log/messages; classification: syslog,errors,; Oct 1 21:33:07 so1 amazon-ssm-agent: Error occurred fetching the seelog config file path: open /etc/amazon/ssm/seelog.xml: no such file or directory", + "{{mark}}{{ bsd }} {{ host }} {{ app }}: Alert Level: 3; Rule: 18145 - 
Service startup type was changed.; Location: (windows_os) 10.202.37.29->WinEvtLog; classification: windows,policy_changed,; user: SYSTEM; 2020 Sep 28 02:33:16 WinEvtLog: System: INFORMATION(7040): Service Control Manager: SYSTEM: NT AUTHORITY: IP-0ACA251D: The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start.", + "{{mark}}{{ bsd }} {{ host }} {{ app }}: Alert Level: 3; Rule: 5502 - Login session closed.; Location: so1->/var/log/secure; classification: pam,syslog,; Sep 25 10:12:15 so1 sshd[3201]: pam_unix(sshd:session): session closed for user splunker", + "{{mark}}{{ bsd }} {{ host }} {{ app }}: Alert Level: 7; Rule: 552 - Integrity checksum changed again (3rd time).; Location: so1->syscheck; classification: ossec,syscheck,; Previous MD5: '3e244ac47c346cc252f093a4e4f000fb'; Current MD5: 'd9ba8c6e3f0da05a67e24ac00668b6cc'; Previous SHA1: '116719c7294da657ff936b5676a82e6bf18a5a28'; Current SHA1: '1b1f0eaa6884e8398fd6ab92d9ebd96705d00a6b'; Size changed: from '409' to '446'; Integrity checksum changed for: '/etc/firewalld/zones/public.xml'", +] @pytest.mark.parametrize("event", testdata_ossec) @@ -32,14 +32,14 @@ def test_data_ossec(record_property, setup_wordlist, setup_splunk, setup_sc4s, e epoch = epoch[:-7] mt = env.from_string(event + "\n") - message = mt.render(mark="<132>", bsd=bsd, host=host, app='ossec') + message = mt.render(mark="<132>", bsd=bsd, host=host, app="ossec") sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( 'search index=main _time={{ epoch }} sourcetype="ossec" source="ossec:alerts" host="{{ host }}" _raw="{{ message }}"' ) - + message1 = mt.render(mark="", bsd="", host="", app="ossec") message1 = message1.lstrip() search = st.render(epoch=epoch, host=host, message=message1) diff --git a/tests/test_palo_alto.py b/tests/test_palo_alto.py index 856306949d..2499d60491 100644 --- a/tests/test_palo_alto.py +++ b/tests/test_palo_alto.py 
@@ -348,4 +348,3 @@ def test_palo_alto_system_futureproof( record_property("message", message) assert resultCount == 1 - diff --git a/tests/test_pfsense.py b/tests/test_pfsense.py index 9cb823636e..15c9c6a041 100644 --- a/tests/test_pfsense.py +++ b/tests/test_pfsense.py @@ -13,7 +13,7 @@ env = Environment() -#<27>Jan 25 01:58:06 filterlog: 82,,,1000002666,mvneta2,match,pass,out,6,0x00,0x00000,64,ICMPv6,58,8,fe80::208:a2ff:fe0f:cb66,fe80::56a6:5cff:fe7d:1d43, +# <27>Jan 25 01:58:06 filterlog: 82,,,1000002666,mvneta2,match,pass,out,6,0x00,0x00000,64,ICMPv6,58,8,fe80::208:a2ff:fe0f:cb66,fe80::56a6:5cff:fe7d:1d43, def test_pfsense_filterlog(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) @@ -24,11 +24,14 @@ def test_pfsense_filterlog(record_property, setup_wordlist, setup_splunk, setup_ epoch = epoch[:-7] mt = env.from_string( - "{{mark}}{{ bsd }} filterlog: 82,,,1000002666,mvneta2,match,pass,out,6,0x00,0x00000,64,ICMPv6,58,8,{{key}},\n") + "{{mark}}{{ bsd }} filterlog: 82,,,1000002666,mvneta2,match,pass,out,6,0x00,0x00000,64,ICMPv6,58,8,{{key}},\n" + ) message = mt.render(mark="<27>", bsd=bsd, key=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][6000]) - st = env.from_string("search _time={{ epoch }} index=netfw sourcetype=pfsense:filterlog \"{{key}}\"") + st = env.from_string( + 'search _time={{ epoch }} index=netfw sourcetype=pfsense:filterlog "{{key}}"' + ) search = st.render(epoch=epoch, key=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -39,7 +42,8 @@ def test_pfsense_filterlog(record_property, setup_wordlist, setup_splunk, setup_ assert resultCount == 1 -#<27>Jan 25 01:58:06 kqueue error: unknown + +# <27>Jan 25 01:58:06 kqueue error: unknown def test_pfsense_other(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) 
@@ -49,13 +53,13 @@ def test_pfsense_other(record_property, setup_wordlist, setup_splunk, setup_sc4s # Tune time functions epoch = epoch[:-7] - - mt = env.from_string( - "{{mark}}{{ bsd }} kqueue error: {{key}}\n") + mt = env.from_string("{{mark}}{{ bsd }} kqueue error: {{key}}\n") message = mt.render(mark="<27>", bsd=bsd, key=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][6000]) - st = env.from_string("search _time={{ epoch }} index=netops sourcetype=pfsense:* \"{{key}}\"") + st = env.from_string( + 'search _time={{ epoch }} index=netops sourcetype=pfsense:* "{{key}}"' + ) search = st.render(epoch=epoch, key=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -66,7 +70,8 @@ def test_pfsense_other(record_property, setup_wordlist, setup_splunk, setup_sc4s assert resultCount == 1 -#<27>Jan 25 01:58:06 syslogd: restart + +# <27>Jan 25 01:58:06 syslogd: restart def test_pfsense_syslogd(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) @@ -76,12 +81,13 @@ def test_pfsense_syslogd(record_property, setup_wordlist, setup_splunk, setup_sc # Tune time functions epoch = epoch[:-7] - mt = env.from_string( - "{{mark}}{{ bsd }} syslogd: restart {{key}}\n") + mt = env.from_string("{{mark}}{{ bsd }} syslogd: restart {{key}}\n") message = mt.render(mark="<27>", bsd=bsd, key=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][6000]) - st = env.from_string("search _time={{ epoch }} index=netops sourcetype=pfsense:syslogd \"{{key}}\"") + st = env.from_string( + 'search _time={{ epoch }} index=netops sourcetype=pfsense:syslogd "{{key}}"' + ) search = st.render(epoch=epoch, key=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_plugin_example.py b/tests/test_plugin_example.py index 2ff045be75..6dd74ab021 100644 --- a/tests/test_plugin_example.py +++ b/tests/test_plugin_example.py 
@@ -13,7 +13,10 @@ env = Environment() -def test_plugin_local_example(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +def test_plugin_local_example( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() @@ -27,7 +30,9 @@ def test_plugin_local_example(record_property, setup_wordlist, setup_splunk, set sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=main host=\"{{ host }}\" sourcetype=\"sc4s:local_example\"") + st = env.from_string( + 'search _time={{ epoch }} index=main host="{{ host }}" sourcetype="sc4s:local_example"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_polycom.py b/tests/test_polycom.py index 9bbb20d6c0..109f822faa 100644 --- a/tests/test_polycom.py +++ b/tests/test_polycom.py 
@@ -14,11 +14,14 @@ env = Environment() polycom_data = [ - r'{{ mark }} {{ iso }}Z {{ host }} RPRM 107463 Jserver - DEBUG|||http-nio-5443-exec-22|com.polycom.rpum.epm.engine.ruleengine.ProfileFillingAction| ...df8-46f4-8ed1-2acc1bd62f97, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=call.autoOffHook.3.enabled, tagValue=1, required=true, canModify=true], ProfileTag [tagId=3e2fb279-c386-410b-866e-b427aaea80c4, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=call.teluri.showPrompt, tagValue=0, required=true, canModify=true], ProfileTag [tagId=6168b060-fe0e-414d-a25a-acbe629f963c, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.3.applyToDirectoryDial, tagValue=1, required=true, canModify=true], ProfileTag [tagId=a835bbaf-1202-415a-8933-360a54acced1, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.3.digitmap, tagValue=sip\:x.\.x.\@zoomcrc\.com|sip\:x.\@zoomcrc\.com|x.\.x.\@zoomcrc\.com|x.\@zoomcrc\.com|xxxxxxxxx.T|xxxxxxxxxx| , required=true, canModify=true], ProfileTag [tagId=67e41d5e-1112-4e36-8f78-e682ed61b4cc, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.3.digitmap.timeOut, tagValue=4, required=true, canModify=true], ProfileTag [tagId=577dd248-7fdd-4730-aa90-ef7f1aa2f19b, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.applyToDirectoryDial, tagValue=1, required=true, canModify=true], ProfileTag [tagId=f44bd920-fa45-4d11-90ff-2e294a45d1e1, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.digitmap.lineSwitching.enable, tagValue=1, required=true, canModify=true], ProfileTag [tagId=5d1f9d8f-6583-4f5d-83c3-76194c299971, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=exchange.meeting.parseAllowedSipUriDomains, tagValue=zoomcrc.com,zoom.us,vip2.zoomus.com,bjn.vc,polycom.com, required=true, canModify=true], ProfileTag [tagId=b8a2dd79-7b8f-48be-b452-e529e2071003, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, 
tagName=exchange.meeting.parseEmailsAsSipUris, tagValue=1, required=true, canModify=true], ProfileTag [tagId=bfe8cd05...2048', + r"{{ mark }} {{ iso }}Z {{ host }} RPRM 107463 Jserver - DEBUG|||http-nio-5443-exec-22|com.polycom.rpum.epm.engine.ruleengine.ProfileFillingAction| ...df8-46f4-8ed1-2acc1bd62f97, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=call.autoOffHook.3.enabled, tagValue=1, required=true, canModify=true], ProfileTag [tagId=3e2fb279-c386-410b-866e-b427aaea80c4, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=call.teluri.showPrompt, tagValue=0, required=true, canModify=true], ProfileTag [tagId=6168b060-fe0e-414d-a25a-acbe629f963c, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.3.applyToDirectoryDial, tagValue=1, required=true, canModify=true], ProfileTag [tagId=a835bbaf-1202-415a-8933-360a54acced1, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.3.digitmap, tagValue=sip\:x.\.x.\@zoomcrc\.com|sip\:x.\@zoomcrc\.com|x.\.x.\@zoomcrc\.com|x.\@zoomcrc\.com|xxxxxxxxx.T|xxxxxxxxxx| , required=true, canModify=true], ProfileTag [tagId=67e41d5e-1112-4e36-8f78-e682ed61b4cc, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.3.digitmap.timeOut, tagValue=4, required=true, canModify=true], ProfileTag [tagId=577dd248-7fdd-4730-aa90-ef7f1aa2f19b, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.applyToDirectoryDial, tagValue=1, required=true, canModify=true], ProfileTag [tagId=f44bd920-fa45-4d11-90ff-2e294a45d1e1, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=dialplan.digitmap.lineSwitching.enable, tagValue=1, required=true, canModify=true], ProfileTag [tagId=5d1f9d8f-6583-4f5d-83c3-76194c299971, profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=exchange.meeting.parseAllowedSipUriDomains, tagValue=zoomcrc.com,zoom.us,vip2.zoomus.com,bjn.vc,polycom.com, required=true, canModify=true], ProfileTag [tagId=b8a2dd79-7b8f-48be-b452-e529e2071003, 
profileUuid=47e0d340-5c83-4f6b-9692-9507cb6b3e83, tagName=exchange.meeting.parseEmailsAsSipUris, tagValue=1, required=true, canModify=true], ProfileTag [tagId=bfe8cd05...2048", ] + @pytest.mark.parametrize("event", polycom_data) -def test_polycom(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s,event): +def test_polycom( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event +): host = get_host_key dt = datetime.datetime.now(datetime.timezone.utc) @@ -33,7 +36,9 @@ def test_polycom(record_property, setup_wordlist, get_host_key, setup_splunk, se sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string('search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="polycom:rprm:syslog"') + st = env.from_string( + 'search _time={{ epoch }} index=netops host="{{ host }}" sourcetype="polycom:rprm:syslog"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_proofpoint.py b/tests/test_proofpoint.py index be5ddcba0a..7d8b9c5135 100644 --- a/tests/test_proofpoint.py +++ b/tests/test_proofpoint.py @@ -13,7 +13,9 @@ env = Environment() # Apr 17 18:33:26 aplegw01 filter_instance1[195529]: rprt s=2hdryp02r6 m=1 x=2hdryp02r6-1 cmd=send profile=mail qid=w3HMWjG3039079 rcpts=rfaircloth@splunk.com -def test_proofpoint_pps_filter(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): +def test_proofpoint_pps_filter( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s +): host = "pps-" + get_host_key dt = datetime.datetime.now() 
@@ -23,12 +25,15 @@ def test_proofpoint_pps_filter(record_property, setup_wordlist, get_host_key, se epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} {{ host }} filter_instance1[195529]: rprt s=2hdryp02r6 m=1 x=2hdryp02r6-1 cmd=send profile=mail qid=w3HMWjG3039079 rcpts=rfaircloth@splunk.com\n") + "{{ mark }} {{ bsd }} {{ host }} filter_instance1[195529]: rprt s=2hdryp02r6 m=1 x=2hdryp02r6-1 cmd=send profile=mail qid=w3HMWjG3039079 rcpts=rfaircloth@splunk.com\n" + ) message = mt.render(mark="<166>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=email host=\"{{ host }}\" sourcetype=\"pps_filter_log\"") + st = env.from_string( + 'search _time={{ epoch }} index=email host="{{ host }}" sourcetype="pps_filter_log"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -39,8 +44,11 @@ def test_proofpoint_pps_filter(record_property, setup_wordlist, get_host_key, se assert resultCount == 1 + # Apr 17 18:35:26 aplegw02 sendmail[56106]: w3HMZPVT056101: to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, tls_verify=FAIL, pri=133527, relay=mx1.splunk.iphmx.com. [216.71.153.223], dsn=2.0.0, stat=Sent (ok: Message 22675962 accepted) -def test_proofpoint_pps_mail(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): +def test_proofpoint_pps_mail( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s +): host = "pps-" + get_host_key dt = datetime.datetime.now() 
@@ -50,12 +58,15 @@ def test_proofpoint_pps_mail(record_property, setup_wordlist, get_host_key, setu epoch = epoch[:-7] mt = env.from_string( - "{{ mark }} {{ bsd }} pps-{{ host }} sendmail[195529]: w3HMZPVT056101: to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, tls_verify=FAIL, pri=133527, relay=mx1.splunk.iphmx.com. [216.71.153.223], dsn=2.0.0, stat=Sent (ok: Message 22675962 accepted)\n") + "{{ mark }} {{ bsd }} pps-{{ host }} sendmail[195529]: w3HMZPVT056101: to=, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, tls_verify=FAIL, pri=133527, relay=mx1.splunk.iphmx.com. [216.71.153.223], dsn=2.0.0, stat=Sent (ok: Message 22675962 accepted)\n" + ) message = mt.render(mark="<166>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=email host=\"pps-{{ host }}\" sourcetype=\"pps_mail_log\"") + st = env.from_string( + 'search _time={{ epoch }} index=email host="pps-{{ host }}" sourcetype="pps_mail_log"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -65,4 +76,3 @@ def test_proofpoint_pps_mail(record_property, setup_wordlist, get_host_key, setu record_property("message", message) assert resultCount == 1 - diff --git a/tests/test_pulsesecure.py b/tests/test_pulsesecure.py index 1fe7643bd7..d677ed7c8e 100644 --- a/tests/test_pulsesecure.py +++ b/tests/test_pulsesecure.py @@ -72,8 +72,9 @@ def test_pulse_secure_6587(record_property, setup_wordlist, setup_splunk, setup_ assert resultCount == 1 - -def test_pulse_secure_6587_web(record_property, setup_wordlist, setup_splunk, setup_sc4s): +def test_pulse_secure_6587_web( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() 
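Review bot: The template in this hunk hard-codes `pps-{{ host }}` and the search uses `host="pps-{{ host }}"`, but `host` is already assigned as `"pps-" + get_host_key` in the previous hunk, so both the event and the search end up with `pps-pps-<key>`. The test still passes because both sides agree, yet it diverges from test_proofpoint_pps_filter above, which prefixes once at assignment and uses `{{ host }}` directly. Drop the literal prefix here: `{{ mark }} {{ bsd }} {{ host }} sendmail[195529]: ...` and `host="{{ host }}"`. test_proofpoint_pps_mail begins in the previous hunk and its body continues past this one.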
@@ -100,4 +101,3 @@ def test_pulse_secure_6587_web(record_property, setup_wordlist, setup_splunk, se record_property("message", message) assert resultCount == 1 - diff --git a/tests/test_radware.py b/tests/test_radware.py index f998f001e3..ff4bd228de 100644 --- a/tests/test_radware.py +++ b/tests/test_radware.py @@ -52,12 +52,14 @@ def test_radware_sample_2(record_property, setup_wordlist, setup_splunk, setup_s epoch = epoch[:-7] mt = env.from_string( - "{{mark}}[Device: {{key}} 10.200.193.135] M_20000: 2 attacks of type \"Intrusions\" started between 15:36:06 UTC and 15:36:21 UTC. Detected by policiess: 206-212-144-0-POL, 206-212-128-0-POL; Attack name: DNS-named-version-attempt-UDP; Source IP: 92.1.1.1; Destination IPs: 206.1.1.1, 206.11.1.1; Destination port: 53; Action: drop.\n" + '{{mark}}[Device: {{key}} 10.200.193.135] M_20000: 2 attacks of type "Intrusions" started between 15:36:06 UTC and 15:36:21 UTC. Detected by policiess: 206-212-144-0-POL, 206-212-128-0-POL; Attack name: DNS-named-version-attempt-UDP; Source IP: 92.1.1.1; Destination IPs: 206.1.1.1, 206.11.1.1; Destination port: 53; Action: drop.\n' ) message = mt.render(mark="<27>", bsd=bsd, key=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string('search index=netops host={{key}} sourcetype=radware:defensepro') + st = env.from_string( + "search index=netops host={{key}} sourcetype=radware:defensepro" + ) search = st.render(epoch=epoch, key=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_ricoh.py b/tests/test_ricoh.py index c752c8648f..0568486465 100644 --- a/tests/test_ricoh.py +++ b/tests/test_ricoh.py 
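Review bot: `search = st.render(epoch=epoch, key=host)` in the radware hunk passes epoch to a template that has no `{{ epoch }}` placeholder, so unlike the sibling tests this search is not bounded by `_time` and isolates the event by host key alone; `message = mt.render(mark="<27>", bsd=bsd, key=host)` likewise passes an unused `bsd`. Jinja ignores surplus context silently, so neither mismatch is reported. If the omission is deliberate because the message carries no timestamp, drop the dead kwargs (`message = mt.render(mark="<27>", key=host)`, `search = st.render(key=host)`) so the intent is visible; otherwise add `_time={{ epoch }}` to the search string. test_radware_sample_2 begins and ends outside this hunk.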
@@ -13,11 +13,9 @@ env = Environment() -#note prt5454 is host this is a bug but for now its real +# note prt5454 is host this is a bug but for now its real # <38>1 2021-03-04T11:44:30.190-08:00 foo-gw1 prt5454 - RICOH_MFPLP_ACCESS - {"logVersion":"3.6"}' -def test_ricoh( - record_property, setup_wordlist, setup_splunk, setup_sc4s -): +def test_ricoh(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() diff --git a/tests/test_schneider_electric_apc.py b/tests/test_schneider_electric_apc.py index 73f9d48305..18bafcf23d 100644 --- a/tests/test_schneider_electric_apc.py +++ b/tests/test_schneider_electric_apc.py @@ -13,9 +13,11 @@ env = Environment() -#<27>Mar 24 21:45:28 10.1.1.1 Detected an unauthorized user attempting to access the SNMP interface from 10.1.1.1 0x0004 +# <27>Mar 24 21:45:28 10.1.1.1 Detected an unauthorized user attempting to access the SNMP interface from 10.1.1.1 0x0004 def test_apc(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "test_apc-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + host = "test_apc-{}-{}".format( + random.choice(setup_wordlist), random.choice(setup_wordlist) + ) dt = datetime.datetime.now() iso, bsd, time, date, tzoffset, tzname, epoch = time_operations(dt) 
@@ -24,11 +26,14 @@ def test_apc(record_property, setup_wordlist, setup_splunk, setup_sc4s): epoch = epoch[:-7] mt = env.from_string( - "{{mark}}{{ bsd }} {{ host }} Detected an unauthorized user attempting to access the SNMP interface from 10.1.1.1 0x0004\n") + "{{mark}}{{ bsd }} {{ host }} Detected an unauthorized user attempting to access the SNMP interface from 10.1.1.1 0x0004\n" + ) message = mt.render(mark="<27>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=main sourcetype=apc:syslog host=\"{{key}}\"") + st = env.from_string( + 'search _time={{ epoch }} index=main sourcetype=apc:syslog host="{{key}}"' + ) search = st.render(epoch=epoch, key=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_spectracom_ntp.py b/tests/test_spectracom_ntp.py index 7ef9ef797d..1ef8c9c946 100644 --- a/tests/test_spectracom_ntp.py +++ b/tests/test_spectracom_ntp.py @@ -45,23 +45,20 @@ def test_spectracom( assert resultCount == 1 -#<35>PAM-tacplus[12023]: auth failed: 2 + +# <35>PAM-tacplus[12023]: auth failed: 2 def test_spectracom_nix( record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s ): - host =get_host_key + host = get_host_key - mt = env.from_string( - "{{ mark }}PAM-tacplus[12023]: auth failed: 2 {{ host }}\n" - ) + mt = env.from_string("{{ mark }}PAM-tacplus[12023]: auth failed: 2 {{ host }}\n") message = mt.render(mark="<35>", host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][6002]) - st = env.from_string( - 'search index=osnix "{{ host }}" sourcetype="nix:syslog"' - ) - search = st.render( host=host) + st = env.from_string('search index=osnix "{{ host }}" sourcetype="nix:syslog"') + search = st.render(host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
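Review bot: The message template at the top of the apc hunk is rendered with `host=host` via `{{ host }}`, while the search string a few lines later uses `{{key}}` rendered with `key=host`; both names carry the same value, and the mismatch reads as two different identities. Use one name throughout, e.g. `'search _time={{ epoch }} index=main sourcetype=apc:syslog host="{{ host }}"'` with `search = st.render(epoch=epoch, host=host)`. test_apc's body begins outside this hunk.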
@@ -71,23 +68,22 @@ def test_spectracom_nix( assert resultCount == 1 -#<86>apache2: pam_succeed_if(httpd:auth): requirement "user ingroup root" not met by user "aajramirez" + +# <86>apache2: pam_succeed_if(httpd:auth): requirement "user ingroup root" not met by user "aajramirez" def test_spectracom_nix2( record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s ): - host =get_host_key - + host = get_host_key + mt = env.from_string( - "{{ mark }}apache2: pam_succeed_if(httpd:auth): requirement \"user ingroup root\" not met by user \"{{ host }}\"\n" + '{{ mark }}apache2: pam_succeed_if(httpd:auth): requirement "user ingroup root" not met by user "{{ host }}"\n' ) message = mt.render(mark="<86>", host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][6002]) - st = env.from_string( - 'search index=osnix "{{ host }}" sourcetype="nix:syslog"' - ) - search = st.render( host=host) + st = env.from_string('search index=osnix "{{ host }}" sourcetype="nix:syslog"') + search = st.render(host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_splunk.py b/tests/test_splunk.py index e49df176b3..4ecf7b7466 100644 --- a/tests/test_splunk.py +++ b/tests/test_splunk.py 
@@ -13,10 +13,8 @@ env = Environment() -#<1>1 - - SPLUNK - COOKED [fields@274489 t="1627772621.099" h="so1" i="_internal" st="splunkd" s="/opt/splunk/var/log/splunk/metrics.log"] ~~~SM~~~timestartpos::0 timeendpos::29 _subsecond::.099 date_second::41 date_hour::23 date_minute::3 date_year::2021 date_month::july date_mday::31 date_wday::saturday date_zone::0 group::mpool max_used_interval::0 max_used::0 avg_rsv::0 capacity::134217728 used::0 rep_used::0 metric_name::spl.mlog.mpool~~~EM~~~07-31-2021 23:03:41.099 +0000 INFO Metrics - group=mpool, max_used_interval=0, max_used=0, avg_rsv=0, capacity=134217728, used=0, rep_used=0 -def test_splunk_diode_event( - record_property, setup_wordlist, setup_splunk, setup_sc4s -): +# <1>1 - - SPLUNK - COOKED [fields@274489 t="1627772621.099" h="so1" i="_internal" st="splunkd" s="/opt/splunk/var/log/splunk/metrics.log"] ~~~SM~~~timestartpos::0 timeendpos::29 _subsecond::.099 date_second::41 date_hour::23 date_minute::3 date_year::2021 date_month::july date_mday::31 date_wday::saturday date_zone::0 group::mpool max_used_interval::0 max_used::0 avg_rsv::0 capacity::134217728 used::0 rep_used::0 metric_name::spl.mlog.mpool~~~EM~~~07-31-2021 23:03:41.099 +0000 INFO Metrics - group=mpool, max_used_interval=0, max_used=0, avg_rsv=0, capacity=134217728, used=0, rep_used=0 +def test_splunk_diode_event(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() 
@@ -26,7 +24,8 @@ def test_splunk_diode_event( epoch = epoch[:-3] mt = env.from_string( - '{{ mark }} - - SPLUNK - COOKED [fields@274489 t="{{ epoch }}" h="{{ host }}" i="_internal" st="splunkd" s="/opt/splunk/var/log/splunk/metrics.log"] ~~~SM~~~timestartpos::0 timeendpos::29 _subsecond::.099 date_second::41 date_hour::23 date_minute::3 date_year::2021 date_month::july date_mday::31 date_wday::saturday date_zone::0 group::mpool max_used_interval::0 max_used::0 avg_rsv::0 capacity::134217728 used::0 rep_used::0 metric_name::spl.mlog.mpool~~~EM~~~07-31-2021 23:03:41.099 +0000 INFO Metrics - group=mpool, max_used_interval=0, max_used=0, avg_rsv=0, capacity=134217728, used=0, rep_used=0' + "\n" + '{{ mark }} - - SPLUNK - COOKED [fields@274489 t="{{ epoch }}" h="{{ host }}" i="_internal" st="splunkd" s="/opt/splunk/var/log/splunk/metrics.log"] ~~~SM~~~timestartpos::0 timeendpos::29 _subsecond::.099 date_second::41 date_hour::23 date_minute::3 date_year::2021 date_month::july date_mday::31 date_wday::saturday date_zone::0 group::mpool max_used_interval::0 max_used::0 avg_rsv::0 capacity::134217728 used::0 rep_used::0 metric_name::spl.mlog.mpool~~~EM~~~07-31-2021 23:03:41.099 +0000 INFO Metrics - group=mpool, max_used_interval=0, max_used=0, avg_rsv=0, capacity=134217728, used=0, rep_used=0' + + "\n" ) message = mt.render(mark="<1>1", host=host, epoch=epoch, iso=iso) message_len = len(message) 
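Review bot: `iso=iso` in `message = mt.render(mark="<1>1", host=host, epoch=epoch, iso=iso)` is a dead keyword argument — the template references only `{{ mark }}`, `{{ epoch }}` and `{{ host }}`, and Jinja discards extra context without complaint, so the test gives no signal if a placeholder is ever mistyped. The same unused argument appears in the mt.render call of the `@@ -62,7 +59,8 @@` hunk of this file. Dropping it, `message = mt.render(mark="<1>1", host=host, epoch=epoch)`, keeps the template contract explicit; the `+ "\n"` concatenation could likewise be folded into the literal as the other tests in this commit do. test_splunk_diode_event begins and ends outside this hunk.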
@@ -49,10 +48,8 @@ def test_splunk_diode_event( assert resultCount == 1 -#<1>1 - - SPLUNK - COOKED [fields@274489 t="1627772621.099" h="so1" i="_metrics" st="splunk_metrics_log" s="/opt/splunk/var/log/splunk/metrics.log"] ~~~SM~~~timestartpos::0 timeendpos::29 _subsecond::.099 date_second::41 date_hour::23 date_minute::3 date_year::2021 date_month::july date_mday::31 date_wday::saturday date_zone::0 group::mpool max_used_interval::0 max_used::0 avg_rsv::0 capacity::134217728 used::0 rep_used::0 metric_name::spl.mlog.mpool~~~EM~~~07-31-2021 23:03:41.099 +0000 INFO Metrics - group=mpool, max_used_interval=0, max_used=0, avg_rsv=0, capacity=134217728, used=0, rep_used=0 -def test_splunk_diode_metric( - record_property, setup_wordlist, setup_splunk, setup_sc4s -): +# <1>1 - - SPLUNK - COOKED [fields@274489 t="1627772621.099" h="so1" i="_metrics" st="splunk_metrics_log" s="/opt/splunk/var/log/splunk/metrics.log"] ~~~SM~~~timestartpos::0 timeendpos::29 _subsecond::.099 date_second::41 date_hour::23 date_minute::3 date_year::2021 date_month::july date_mday::31 date_wday::saturday date_zone::0 group::mpool max_used_interval::0 max_used::0 avg_rsv::0 capacity::134217728 used::0 rep_used::0 metric_name::spl.mlog.mpool~~~EM~~~07-31-2021 23:03:41.099 +0000 INFO Metrics - group=mpool, max_used_interval=0, max_used=0, avg_rsv=0, capacity=134217728, used=0, rep_used=0 +def test_splunk_diode_metric(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() 
@@ -62,7 +59,8 @@ def test_splunk_diode_metric( epoch = epoch[:-3] mt = env.from_string( - '{{ mark }} - - SPLUNK - COOKED [fields@274489 t="{{ epoch }}" h="{{ host }}" i="_metrics" st="splunk_metrics_log" s="/opt/splunk/var/log/splunk/metrics.log"] ~~~SM~~~timestartpos::0 timeendpos::29 _subsecond::.099 date_second::41 date_hour::23 date_minute::3 date_year::2021 date_month::july date_mday::31 date_wday::saturday date_zone::0 group::mpool max_used_interval::0 max_used::0 avg_rsv::0 capacity::134217728 used::0 rep_used::0 metric_name::spl.mlog.mpool~~~EM~~~07-31-2021 23:03:41.099 +0000 INFO Metrics - group=mpool, max_used_interval=0, max_used=0, avg_rsv=0, capacity=134217728, used=0, rep_used=0' + "\n" + '{{ mark }} - - SPLUNK - COOKED [fields@274489 t="{{ epoch }}" h="{{ host }}" i="_metrics" st="splunk_metrics_log" s="/opt/splunk/var/log/splunk/metrics.log"] ~~~SM~~~timestartpos::0 timeendpos::29 _subsecond::.099 date_second::41 date_hour::23 date_minute::3 date_year::2021 date_month::july date_mday::31 date_wday::saturday date_zone::0 group::mpool max_used_interval::0 max_used::0 avg_rsv::0 capacity::134217728 used::0 rep_used::0 metric_name::spl.mlog.mpool~~~EM~~~07-31-2021 23:03:41.099 +0000 INFO Metrics - group=mpool, max_used_interval=0, max_used=0, avg_rsv=0, capacity=134217728, used=0, rep_used=0' + + "\n" ) message = mt.render(mark="<1>1", host=host, epoch=epoch, iso=iso) message_len = len(message) @@ -70,7 +68,7 @@ def test_splunk_diode_metric( sendsingle(ietf, setup_sc4s[0], setup_sc4s[1][601]) st = env.from_string( - 'mcatalog values(host) values(sourcetype) where index=_metrics host={{ host }}' + "mcatalog values(host) values(sourcetype) where index=_metrics host={{ host }}" ) search = st.render( epoch=epoch, bsd=bsd, host=host, date=date, time=time, tzoffset=tzoffset diff --git a/tests/test_symantec_brightmail.py b/tests/test_symantec_brightmail.py index cfd4d2d2b4..6b483f890b 100644 --- a/tests/test_symantec_brightmail.py 
+++ b/tests/test_symantec_brightmail.py @@ -25,11 +25,14 @@ def test_symantec_brightmail(record_property, setup_wordlist, setup_splunk, setu epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}{{ bsd }} {{host}} conduit: [Brightmail] (NOTICE:7500.3119331456): [12066] 'BrightSig3 Newsletter Rules' were updated successfully.") + "{{ mark }}{{ bsd }} {{host}} conduit: [Brightmail] (NOTICE:7500.3119331456): [12066] 'BrightSig3 Newsletter Rules' were updated successfully." + ) message = mt.render(mark="<134>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=email host=\"{{ host }}\" sourcetype=\"symantec:smg\"") + st = env.from_string( + 'search _time={{ epoch }} index=email host="{{ host }}" sourcetype="symantec:smg"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -40,7 +43,10 @@ def test_symantec_brightmail(record_property, setup_wordlist, setup_splunk, setu assert resultCount == 1 -def test_symantec_brightmail_msg(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +def test_symantec_brightmail_msg( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) msgid = uuid.uuid4() 
@@ -50,7 +56,8 @@ def test_symantec_brightmail_msg(record_property, setup_wordlist, setup_splunk, # Tune time functions epoch = epoch[:-7] - mt = env.from_string("""{{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|VERDICT|someone@example.com|none|default|default\n + mt = env.from_string( + """{{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|VERDICT|someone@example.com|none|default|default\n {{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|FIRED|someone@example.com|none\n {{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|UNTESTED|someone@example.com|safe|opl|content_1574820902092|content_1574820956288|content_1574821059194|content_1574821017042|sys_deny_ip|sys_allow_ip|sys_deny_email|dns_allow|dns_deny|user_allow|user_deny|freq_va|freq_dha|freq_sa|connection_class_0|connection_class_1|connection_class_2|connection_class_3|connection_class_4|connection_class_5|connection_class_6|connection_class_7|connection_class_8|connection_class_9|blockedlang|knownlang\n {{ mark }}{{ bsd }} {{host}} bmserver: 1576195989|{{ MSGID }}|LOGICAL_IP|200.200.200.154\n 
@@ -67,11 +74,14 @@ def test_symantec_brightmail_msg(record_property, setup_wordlist, setup_splunk, {{ mark }}{{ bsd }} {{host}} bmserver: 1576195988|{{ MSGID }}|MSGID| <7jszytr60wmja@example.com>\n {{ mark }}{{ bsd }} {{host}} bmserver: 1576195988|{{ MSGID }}|SUBJECT|pulse: this is a subject\n {{ mark }}{{ bsd }} {{host}} bmserver: 1576195988|{{ MSGID }}|SOURCE|external\n -{{ mark }}{{ bsd }} {{host}} bmserver: 1576195987|{{ MSGID }}|VERDICT||connection_class_1|default|static connection class 1\n""") +{{ mark }}{{ bsd }} {{host}} bmserver: 1576195987|{{ MSGID }}|VERDICT||connection_class_1|default|static connection class 1\n""" + ) message = mt.render(mark="<1>", bsd=bsd, host=host, MSGID=msgid) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=email host=\"{{ host }}\" sourcetype=\"symantec:smg:mail\"") + st = env.from_string( + 'search _time={{ epoch }} index=email host="{{ host }}" sourcetype="symantec:smg:mail"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -82,4 +92,5 @@ def test_symantec_brightmail_msg(record_property, setup_wordlist, setup_splunk, assert resultCount == 1 + # diff --git a/tests/test_symantec_ep.py b/tests/test_symantec_ep.py index bfa8f39ea7..4c9b731b7a 100644 --- a/tests/test_symantec_ep.py +++ b/tests/test_symantec_ep.py 
@@ -16,10 +16,14 @@ test_data = [ "{{ mark }}{{ bsd }} {{host}} SymantecServer: Site: Site xxxxx,Server Name: xxxxx,Domain Name: Default,The management server received the client log successfully,yyyyyyy,zzzzzzzz,host.domain.suffix", - "{{ mark }}{{ bsd }} {{host}} SymantecServer: Site: Site xxxxx,Server Name: xxxxx,Domain Name: Default,Client has downloaded the issued Command,yyyyyyy,zzzzzzzz,host.domain.suffix" + "{{ mark }}{{ bsd }} {{host}} SymantecServer: Site: Site xxxxx,Server Name: xxxxx,Domain Name: Default,Client has downloaded the issued Command,yyyyyyy,zzzzzzzz,host.domain.suffix", ] + + @pytest.mark.parametrize("event", test_data) -def test_symantec_ep_agent(record_property, setup_wordlist, setup_splunk, setup_sc4s, event): +def test_symantec_ep_agent( + record_property, setup_wordlist, setup_splunk, setup_sc4s, event +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now(datetime.timezone.utc) @@ -45,8 +49,11 @@ def test_symantec_ep_agent(record_property, setup_wordlist, setup_splunk, setup_ assert resultCount == 1 + # Apr 14 10:41:51 xxxxx-xxxxx SymantecServer: yyyyyy,Category: 2,LiveUpdate Manager,Event Description: A LiveUpdate session ran successfully. No new updates were available.,Event time: 2020-04-14 10:41:33,Group Name: My Company\Default Group -def test_symantec_ep_agt_system(record_property, setup_wordlist, setup_splunk, setup_sc4s): +def test_symantec_ep_agt_system( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now(datetime.timezone.utc) 
@@ -56,7 +63,8 @@ def test_symantec_ep_agt_system(record_property, setup_wordlist, setup_splunk, s epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}{{ bsd }} {{host}} " + r"SymantecServer: yyyyyy,Category: 2,LiveUpdate Manager,Event Description: A LiveUpdate session ran successfully. No new updates were available.,Event time: 2020-04-14 10:41:33,Group Name: My Company\Default Group" + "{{ mark }}{{ bsd }} {{host}} " + + r"SymantecServer: yyyyyy,Category: 2,LiveUpdate Manager,Event Description: A LiveUpdate session ran successfully. No new updates were available.,Event time: 2020-04-14 10:41:33,Group Name: My Company\Default Group" ) message = mt.render(mark="<13>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) @@ -74,8 +82,11 @@ def test_symantec_ep_agt_system(record_property, setup_wordlist, setup_splunk, s assert resultCount == 1 + # Apr 14 09:07:42 xxxxx-xxxxx SymantecServer: Site: Site xxxxx-xxxxx,Server Name: xxxxx-xxxxx,Event Description: No updates found for Application Control Data 14.2 RU2. -def test_symantec_ep_scm_system(record_property, setup_wordlist, setup_splunk, setup_sc4s): +def test_symantec_ep_scm_system( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now(datetime.timezone.utc) @@ -85,7 +96,8 @@ def test_symantec_ep_scm_system(record_property, setup_wordlist, setup_splunk, s epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}{{ bsd }} {{host}} " + "SymantecServer: Site: Site xxxxx-xxxxx,Server Name: xxxxx-xxxxx,Event Description: No updates found for Application Control Data 14.2 RU2." + "{{ mark }}{{ bsd }} {{host}} " + + "SymantecServer: Site: Site xxxxx-xxxxx,Server Name: xxxxx-xxxxx,Event Description: No updates found for Application Control Data 14.2 RU2." ) message = mt.render(mark="<13>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) 
@@ -103,6 +115,7 @@ def test_symantec_ep_scm_system(record_property, setup_wordlist, setup_splunk, s assert resultCount == 1 + # Apr 14 10:03:23 xxxxx-xxxxx SymantecServer: Scan ID: 1581582179,Begin: 2020-04-14 10:01:04,End Time: 2020-04-14 10:02:14,Completed,Duration (seconds): 70,User1: Spiderman,User2: Spiderman,Scan started on selected drives and folders and all extensions.,Scan Complete: Risks: 0 Scanned: 1062 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 698,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1062,Omitted: 0,Computer: yyyyyyy,IP Address: 1.1.1.1,Domain Name: Default,Group Name: My Company\Preprod Tuesday,Server Name: xxxxx-xxxxx def test_symantec_ep_scan(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) 
@@ -114,7 +127,8 @@ def test_symantec_ep_scan(record_property, setup_wordlist, setup_splunk, setup_s epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}{{ bsd }} {{host}} " + r"SymantecServer: Scan ID: 1581582179,Begin: 2020-04-14 10:01:04,End Time: 2020-04-14 10:02:14,Completed,Duration (seconds): 70,User1: Spiderman,User2: Spiderman,Scan started on selected drives and folders and all extensions.,Scan Complete: Risks: 0 Scanned: 1062 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 698,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1062,Omitted: 0,Computer: yyyyyyy,IP Address: 1.1.1.1,Domain Name: Default,Group Name: My Company\Preprod Tuesday,Server Name: xxxxx-xxxxx" + "{{ mark }}{{ bsd }} {{host}} " + + r"SymantecServer: Scan ID: 1581582179,Begin: 2020-04-14 10:01:04,End Time: 2020-04-14 10:02:14,Completed,Duration (seconds): 70,User1: Spiderman,User2: Spiderman,Scan started on selected drives and folders and all extensions.,Scan Complete: Risks: 0 Scanned: 1062 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 698,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1062,Omitted: 0,Computer: yyyyyyy,IP Address: 1.1.1.1,Domain Name: Default,Group Name: My Company\Preprod Tuesday,Server Name: xxxxx-xxxxx" ) message = mt.render(mark="<13>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) 
@@ -132,8 +146,11 @@ def test_symantec_ep_scan(record_property, setup_wordlist, setup_splunk, setup_s assert resultCount == 1 -# Apr 14 10:42:32 xxxxx-xxxxx SymantecServer: yyyyyy,...,Blocked,C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.3335.1000.105\Bin\ccSvcHst.exe,,Begin: 2020-04-14 10:36:40,End Time: 2020-04-14 10:36:40,Rule: ,3248,C:\PROGRAM FILES (X86)\BIGFIX ENTERPRISE\BES CLIENT\BESCLIENT.EXE,0,,C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.3335.1000.105\Bin\ccSvcHst.exe,User Name: SYSTEM,Domain Name: ,Action Type: 55,File size (bytes): ,Device ID: -def test_symantec_ep_behavior(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +# Apr 14 10:42:32 xxxxx-xxxxx SymantecServer: yyyyyy,...,Blocked,C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.3335.1000.105\Bin\ccSvcHst.exe,,Begin: 2020-04-14 10:36:40,End Time: 2020-04-14 10:36:40,Rule: ,3248,C:\PROGRAM FILES (X86)\BIGFIX ENTERPRISE\BES CLIENT\BESCLIENT.EXE,0,,C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.3335.1000.105\Bin\ccSvcHst.exe,User Name: SYSTEM,Domain Name: ,Action Type: 55,File size (bytes): ,Device ID: +def test_symantec_ep_behavior( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now(datetime.timezone.utc) 
@@ -143,7 +160,8 @@ def test_symantec_ep_behavior(record_property, setup_wordlist, setup_splunk, set epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}{{ bsd }} {{host}} " + r"SymantecServer: yyyyyy,...,Blocked,C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.3335.1000.105\Bin\ccSvcHst.exe,,Begin: 2020-04-14 10:36:40,End Time: 2020-04-14 10:36:40,Rule: ,3248,C:\PROGRAM FILES (X86)\BIGFIX ENTERPRISE\BES CLIENT\BESCLIENT.EXE,0,,C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.3335.1000.105\Bin\ccSvcHst.exe,User Name: SYSTEM,Domain Name: ,Action Type: 55,File size (bytes): ,Device ID: " + "{{ mark }}{{ bsd }} {{host}} " + + r"SymantecServer: yyyyyy,...,Blocked,C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.3335.1000.105\Bin\ccSvcHst.exe,,Begin: 2020-04-14 10:36:40,End Time: 2020-04-14 10:36:40,Rule: ,3248,C:\PROGRAM FILES (X86)\BIGFIX ENTERPRISE\BES CLIENT\BESCLIENT.EXE,0,,C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\14.2.3335.1000.105\Bin\ccSvcHst.exe,User Name: SYSTEM,Domain Name: ,Action Type: 55,File size (bytes): ,Device ID: " ) message = mt.render(mark="<13>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) @@ -161,6 +179,7 @@ def test_symantec_ep_behavior(record_property, setup_wordlist, setup_splunk, set assert resultCount == 1 + # Apr 14 10:10:10 dummyhost SymantecServer: Site: Site_B,Server Name: Example Server B,Domain Name: Domain_B,Admin: Admin_B,Event Description: Administrator log on failed def test_symantec_ep_admin(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) 
@@ -172,7 +191,8 @@ def test_symantec_ep_admin(record_property, setup_wordlist, setup_splunk, setup_ epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}{{ bsd }} {{host}} " + r"SymantecServer: Site: Site_B,Server Name: Example Server B,Domain Name: Domain_B,Admin: Admin_B,Event Description: Administrator log on failed" + "{{ mark }}{{ bsd }} {{host}} " + + r"SymantecServer: Site: Site_B,Server Name: Example Server B,Domain Name: Domain_B,Admin: Admin_B,Event Description: Administrator log on failed" ) message = mt.render(mark="<13>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) @@ -190,6 +210,7 @@ def test_symantec_ep_admin(record_property, setup_wordlist, setup_splunk, setup_ assert resultCount == 1 + # Apr 14 10:10:10 dummyhost SymantecServer: ccccc,Local Host IP: 10.0.8.1,Local Port: 50221,Remote Host IP: 10.0.1.2,Remote Host Name: qqqqq,Remote Port: 20362,Outbound,Application: C:/Windows/System32/example_y.exe,Action: Allowed def test_symantec_ep_packet(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) @@ -201,7 +222,8 @@ def test_symantec_ep_packet(record_property, setup_wordlist, setup_splunk, setup epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}{{ bsd }} {{host}} " + r"SymantecServer: ccccc,Local Host IP: 10.0.8.1,Local Port: 50221,Remote Host IP: 10.0.1.2,Remote Host Name: qqqqq,Remote Port: 20362,Outbound,Application: C:/Windows/System32/example_y.exe,Action: Allowed" + "{{ mark }}{{ bsd }} {{host}} " + + r"SymantecServer: ccccc,Local Host IP: 10.0.8.1,Local Port: 50221,Remote Host IP: 10.0.1.2,Remote Host Name: qqqqq,Remote Port: 20362,Outbound,Application: C:/Windows/System32/example_y.exe,Action: Allowed" ) message = mt.render(mark="<13>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) 
@@ -219,6 +241,7 @@ def test_symantec_ep_packet(record_property, setup_wordlist, setup_splunk, setup assert resultCount == 1 + # Apr 14 10:10:10 dummyhost SymantecServer: Site: Site_B,Server Name: Example Server B,Domain Name: Domain_B,Admin: Admin_B,"Event Description: Policy has been edited: Changed Console mode at [Default]",Client Policy def test_symantec_ep_policy(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) @@ -230,7 +253,8 @@ def test_symantec_ep_policy(record_property, setup_wordlist, setup_splunk, setup epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}{{ bsd }} {{host}} " + r'SymantecServer: Site: Site_B,Server Name: Example Server B,Domain Name: Domain_B,Admin: Admin_B,"Event Description: Policy has been edited: Changed Console mode at [Default]",Client Policy' + "{{ mark }}{{ bsd }} {{host}} " + + r'SymantecServer: Site: Site_B,Server Name: Example Server B,Domain Name: Domain_B,Admin: Admin_B,"Event Description: Policy has been edited: Changed Console mode at [Default]",Client Policy' ) message = mt.render(mark="<13>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) 
@@ -248,8 +272,11 @@ def test_symantec_ep_policy(record_property, setup_wordlist, setup_splunk, setup assert resultCount == 1 + # Apr 14 10:10:10 dummyhost SymantecServer: Potential risk found,Computer name: ooooo,IP Address: 10.0.0.2,Detection type: System Change HostFile,First Seen: Symantec has known about this file for more than 1 year.,Application name: Microsoft\xAE Windows\xAE Operating System,Application type: 127,Application version: 6.1.7600.16385,Hash type: SHA-256,Application hash: ded6fc40-4365-4ba0-8446-3fa77a30cb6e,Company name: KKK.,LLLL,MMMM,File size (bytes): 3507,Sensitivity: 2,Detection score: 3,COH Engine Version: ,Detection Submissions No,Permitted application reason: Not on the permitted application list,Disposition: Bad,Download site: http://attraction.example.org/,Web domain: tkhwesmptszdody.dm,Downloaded by: c:/users/administrator/desktop/tools/tools/xxxtools.exe,Prevalence: Unknown,Confidence: There is not enough information about this file to recommend it.,URL Tracking Status: on,Risk Level: High,Risk type: 3,Source: Heuristic Scan,Risk name: Trojan.Gen.2,Occurrences: 9,PolicyZZZ,Realtime deferred scanning,Actual action: Left alone,Requested action: Quarantined,Secondary action: Left alone,Event time: 2020-05-04 06:57:02,Inserted: 2020-05-04 06:57:02,End: 2020-05-04 06:57:02,Domain: Domain A,Group: My Company\Default Group,Server: Example Server C,User: user_b,Source computer: fffff,Source IP: 10.0.9.2,Intensive Protection Level: 0,Certificate issuer: Symantec,Certificate signer: Unizeto,Certificate thumbprint: e5:xx:74:3c:xx:01:c4:9b:xx:43:xx:bb:zz:e8:6a:81:10:9f:e4:xx,Signing timestamp: 0,Certificate serial number: 149843929435818692848040365716851702463 -def test_symantec_ep_proactive(record_property, setup_wordlist, setup_splunk, setup_sc4s): +def test_symantec_ep_proactive( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = 
datetime.datetime.now(datetime.timezone.utc) 
@@ -259,7 +286,8 @@ def test_symantec_ep_proactive(record_property, setup_wordlist, setup_splunk, se epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}{{ bsd }} {{host}} " + r"SymantecServer: Potential risk found,Computer name: ooooo,IP Address: 10.0.0.2,Detection type: System Change HostFile,First Seen: Symantec has known about this file for more than 1 year.,Application name: Microsoft\xAE Windows\xAE Operating System,Application type: 127,Application version: 6.1.7600.16385,Hash type: SHA-256,Application hash: ded6fc40-4365-4ba0-8446-3fa77a30cb6e,Company name: KKK.,LLLL,MMMM,File size (bytes): 3507,Sensitivity: 2,Detection score: 3,COH Engine Version: ,Detection Submissions No,Permitted application reason: Not on the permitted application list,Disposition: Bad,Download site: http://attraction.example.org/,Web domain: tkhwesmptszdody.dm,Downloaded by: c:/users/administrator/desktop/tools/tools/xxxtools.exe,Prevalence: Unknown,Confidence: There is not enough information about this file to recommend it.,URL Tracking Status: on,Risk Level: High,Risk type: 3,Source: Heuristic Scan,Risk name: Trojan.Gen.2,Occurrences: 9,PolicyZZZ,Realtime deferred scanning,Actual action: Left alone,Requested action: Quarantined,Secondary action: Left alone,Event time: 2020-05-04 06:57:02,Inserted: 2020-05-04 06:57:02,End: 2020-05-04 06:57:02,Domain: Domain A,Group: My Company\Default Group,Server: Example Server C,User: user_b,Source computer: fffff,Source IP: 10.0.9.2,Intensive Protection Level: 0,Certificate issuer: Symantec,Certificate signer: Unizeto,Certificate thumbprint: e5:xx:74:3c:xx:01:c4:9b:xx:43:xx:bb:zz:e8:6a:81:10:9f:e4:xx,Signing timestamp: 0,Certificate serial number: 149843929435818692848040365716851702463" + "{{ mark }}{{ bsd }} {{host}} " + + r"SymantecServer: Potential risk found,Computer name: ooooo,IP Address: 10.0.0.2,Detection type: System Change HostFile,First Seen: Symantec has known about this file for more than 1 year.,Application name: Microsoft\xAE 
Windows\xAE Operating System,Application type: 127,Application version: 6.1.7600.16385,Hash type: SHA-256,Application hash: ded6fc40-4365-4ba0-8446-3fa77a30cb6e,Company name: KKK.,LLLL,MMMM,File size (bytes): 3507,Sensitivity: 2,Detection score: 3,COH Engine Version: ,Detection Submissions No,Permitted application reason: Not on the permitted application list,Disposition: Bad,Download site: http://attraction.example.org/,Web domain: tkhwesmptszdody.dm,Downloaded by: c:/users/administrator/desktop/tools/tools/xxxtools.exe,Prevalence: Unknown,Confidence: There is not enough information about this file to recommend it.,URL Tracking Status: on,Risk Level: High,Risk type: 3,Source: Heuristic Scan,Risk name: Trojan.Gen.2,Occurrences: 9,PolicyZZZ,Realtime deferred scanning,Actual action: Left alone,Requested action: Quarantined,Secondary action: Left alone,Event time: 2020-05-04 06:57:02,Inserted: 2020-05-04 06:57:02,End: 2020-05-04 06:57:02,Domain: Domain A,Group: My Company\Default Group,Server: Example Server C,User: user_b,Source computer: fffff,Source IP: 10.0.9.2,Intensive Protection Level: 0,Certificate issuer: Symantec,Certificate signer: Unizeto,Certificate thumbprint: e5:xx:74:3c:xx:01:c4:9b:xx:43:xx:bb:zz:e8:6a:81:10:9f:e4:xx,Signing timestamp: 0,Certificate serial number: 149843929435818692848040365716851702463" ) message = mt.render(mark="<13>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) 
@@ -277,8 +305,11 @@ def test_symantec_ep_proactive(record_property, setup_wordlist, setup_splunk, se assert resultCount == 1 + # Apr 14 10:10:10 dummyhost SymantecServer: qqqqq,Event Description: "Web Attack: Fake Scan Webpage 7",Local Host IP: 10.0.3.4,Local Host MAC: c1411f5F9502,Remote Host Name: eeeee,Remote Host IP: 10.0.3.6,Remote Host MAC: aD31CCFD3eFF,Inbound,TCP,Intrusion ID: 1,Begin: 2020-05-06 09:06:09,End Time: 2020-05-06 09:06:09,Occurrences: 3,Application: C:/Windows/System32/example_x.exe,Location: Internal,User Name: user_h,Domain Name: CompanyXX,Local Port: 1991,Remote Port: 46926,CIDS Signature ID: 25198,CIDS Signature string: Web Attack: Fake Scan Webpage 7,CIDS Signature SubID: 25378,Intrusion URL: https://www.example.org/,Intrusion Payload URL: http://www.example.com/,SHA-256: 6d2fe32dc4249ef7e7359c6d874fffbbf335e832e49a2681236e1b686af78794,MD-5: 70270ca63a3de2d8905a9181a0245e58 -def test_symantec_ep_security(record_property, setup_wordlist, setup_splunk, setup_sc4s): +def test_symantec_ep_security( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now(datetime.timezone.utc) 
@@ -288,7 +319,8 @@ def test_symantec_ep_security(record_property, setup_wordlist, setup_splunk, set epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}{{ bsd }} {{host}} " + r'SymantecServer: qqqqq,Event Description: "Web Attack: Fake Scan Webpage 7",Local Host IP: 10.0.3.4,Local Host MAC: c1411f5F9502,Remote Host Name: eeeee,Remote Host IP: 10.0.3.6,Remote Host MAC: aD31CCFD3eFF,Inbound,TCP,Intrusion ID: 1,Begin: 2020-05-06 09:06:09,End Time: 2020-05-06 09:06:09,Occurrences: 3,Application: C:/Windows/System32/example_x.exe,Location: Internal,User Name: user_h,Domain Name: CompanyXX,Local Port: 1991,Remote Port: 46926,CIDS Signature ID: 25198,CIDS Signature string: Web Attack: Fake Scan Webpage 7,CIDS Signature SubID: 25378,Intrusion URL: https://www.example.org/,Intrusion Payload URL: http://www.example.com/,SHA-256: 6d2fe32dc4249ef7e7359c6d874fffbbf335e832e49a2681236e1b686af78794,MD-5: 70270ca63a3de2d8905a9181a0245e58' + "{{ mark }}{{ bsd }} {{host}} " + + r'SymantecServer: qqqqq,Event Description: "Web Attack: Fake Scan Webpage 7",Local Host IP: 10.0.3.4,Local Host MAC: c1411f5F9502,Remote Host Name: eeeee,Remote Host IP: 10.0.3.6,Remote Host MAC: aD31CCFD3eFF,Inbound,TCP,Intrusion ID: 1,Begin: 2020-05-06 09:06:09,End Time: 2020-05-06 09:06:09,Occurrences: 3,Application: C:/Windows/System32/example_x.exe,Location: Internal,User Name: user_h,Domain Name: CompanyXX,Local Port: 1991,Remote Port: 46926,CIDS Signature ID: 25198,CIDS Signature string: Web Attack: Fake Scan Webpage 7,CIDS Signature SubID: 25378,Intrusion URL: https://www.example.org/,Intrusion Payload URL: http://www.example.com/,SHA-256: 6d2fe32dc4249ef7e7359c6d874fffbbf335e832e49a2681236e1b686af78794,MD-5: 70270ca63a3de2d8905a9181a0245e58' ) message = mt.render(mark="<13>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) 
@@ -306,6 +338,7 @@ def test_symantec_ep_security(record_property, setup_wordlist, setup_splunk, set assert resultCount == 1 + # Apr 14 10:10:10 dummyhost SymantecServer: Security risk found,IP Address: 10.0.3.1,Computer name: qqqqq,Source: Definition downloader,Risk name: Backdoor.Joggver,Occurrences: 7,e:\resharper 9.1 + keygen\resharper.8.x.keygen.exe,"Still contains, 2 infected items",Actual action: Quarantined,Requested action: Process terminate pending restartLeft alone,Secondary action: Quarantined,Event time: 2020-05-06 08:29:27,Inserted: 2020-05-06 08:29:27,End: 2020-05-06 08:29:27,Last update time: 2020-05-06 08:29:27,Domain: SomeComp,Group: My Company\\Default Group,Server: Example Server C,User: user_h,Source computer: hhhhh,Source IP: 10.0.4.1,Disposition: Reputation was not used in this detection.,Download site: http://bbbb.example.com/,Web domain: gqtavlakkdkcryl.xn--pgbs0dh,Downloaded by: c:/program files (x86)/ggggg/cccc/application/cccc.exe,Prevalence: This file has been seen by fewer than 100 Symantec users.,Confidence: There is growing evidence that this file is trustworthy.,URL Tracking Status: off,First Seen: Reputation was not used in this detection.,Sensitivity: low,MDS,Application hash: 44d7fb7e-8c40-4a17-9aff-9c4aa0b96696,Hash type: SHA1,Company name: "Sample Inc. a wholly owned subsidiary of Dummy, Inc.",Application name: Setup Factory 7.0 Runtime,Application version: ,Application type: 127,File size (bytes): 1318,Category set: Security risk,Category type: UNKNOWN,Location: AZ - Office,Intensive Protection Level: 0,Certificate issuer: "Realtime deferred scanning",Certificate signer: Comodo,Certificate thumbprint: e5:xx:74:3c:xx:01:c4:9b:xx:43:xx:bb:zz:e8:6a:81:10:9f:e4:xx,Signing timestamp: 0,Certificate serial number: 903804111 def test_symantec_ep_risk(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) 
@@ -317,7 +350,8 @@ def test_symantec_ep_risk(record_property, setup_wordlist, setup_splunk, setup_s epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}{{ bsd }} {{host}} " + r'SymantecServer: Security risk found,IP Address: 10.0.3.1,Computer name: qqqqq,Source: Definition downloader,Risk name: Backdoor.Joggver,Occurrences: 7,e:\resharper 9.1 + keygen\resharper.8.x.keygen.exe,"Still contains, 2 infected items",Actual action: Quarantined,Requested action: Process terminate pending restartLeft alone,Secondary action: Quarantined,Event time: 2020-05-06 08:29:27,Inserted: 2020-05-06 08:29:27,End: 2020-05-06 08:29:27,Last update time: 2020-05-06 08:29:27,Domain: SomeComp,Group: My Company\\Default Group,Server: Example Server C,User: user_h,Source computer: hhhhh,Source IP: 10.0.4.1,Disposition: Reputation was not used in this detection.,Download site: http://bbbb.example.com/,Web domain: gqtavlakkdkcryl.xn--pgbs0dh,Downloaded by: c:/program files (x86)/ggggg/cccc/application/cccc.exe,Prevalence: This file has been seen by fewer than 100 Symantec users.,Confidence: There is growing evidence that this file is trustworthy.,URL Tracking Status: off,First Seen: Reputation was not used in this detection.,Sensitivity: low,MDS,Application hash: 44d7fb7e-8c40-4a17-9aff-9c4aa0b96696,Hash type: SHA1,Company name: "Sample Inc. 
a wholly owned subsidiary of Dummy, Inc.",Application name: Setup Factory 7.0 Runtime,Application version: ,Application type: 127,File size (bytes): 1318,Category set: Security risk,Category type: UNKNOWN,Location: AZ - Office,Intensive Protection Level: 0,Certificate issuer: "Realtime deferred scanning",Certificate signer: Comodo,Certificate thumbprint: e5:xx:74:3c:xx:01:c4:9b:xx:43:xx:bb:zz:e8:6a:81:10:9f:e4:xx,Signing timestamp: 0,Certificate serial number: 903804111' + "{{ mark }}{{ bsd }} {{host}} " + + r'SymantecServer: Security risk found,IP Address: 10.0.3.1,Computer name: qqqqq,Source: Definition downloader,Risk name: Backdoor.Joggver,Occurrences: 7,e:\resharper 9.1 + keygen\resharper.8.x.keygen.exe,"Still contains, 2 infected items",Actual action: Quarantined,Requested action: Process terminate pending restartLeft alone,Secondary action: Quarantined,Event time: 2020-05-06 08:29:27,Inserted: 2020-05-06 08:29:27,End: 2020-05-06 08:29:27,Last update time: 2020-05-06 08:29:27,Domain: SomeComp,Group: My Company\\Default Group,Server: Example Server C,User: user_h,Source computer: hhhhh,Source IP: 10.0.4.1,Disposition: Reputation was not used in this detection.,Download site: http://bbbb.example.com/,Web domain: gqtavlakkdkcryl.xn--pgbs0dh,Downloaded by: c:/program files (x86)/ggggg/cccc/application/cccc.exe,Prevalence: This file has been seen by fewer than 100 Symantec users.,Confidence: There is growing evidence that this file is trustworthy.,URL Tracking Status: off,First Seen: Reputation was not used in this detection.,Sensitivity: low,MDS,Application hash: 44d7fb7e-8c40-4a17-9aff-9c4aa0b96696,Hash type: SHA1,Company name: "Sample Inc. 
a wholly owned subsidiary of Dummy, Inc.",Application name: Setup Factory 7.0 Runtime,Application version: ,Application type: 127,File size (bytes): 1318,Category set: Security risk,Category type: UNKNOWN,Location: AZ - Office,Intensive Protection Level: 0,Certificate issuer: "Realtime deferred scanning",Certificate signer: Comodo,Certificate thumbprint: e5:xx:74:3c:xx:01:c4:9b:xx:43:xx:bb:zz:e8:6a:81:10:9f:e4:xx,Signing timestamp: 0,Certificate serial number: 903804111' ) message = mt.render(mark="<13>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) @@ -335,6 +369,7 @@ def test_symantec_ep_risk(record_property, setup_wordlist, setup_splunk, setup_s assert resultCount == 1 + # Apr 14 10:10:10 dummyhost SymantecServer: nnnnn,Local Host IP: 10.0.0.2,Local Port: 10456,Local Host MAC: B9e90F5c3aC4,Remote Host IP: 10.0.9.2,Remote Host Name: lllll,Remote Port: 58999,Remote Host MAC: 7b6A329f7c1e,others,Inbound,Begin: 2020-05-06 09:18:32,End: 2020-05-06 09:18:32,Occurrences: 8,Application: C:/Windows/System32/example_y.EXE,Rule: Block all other IP traffic and log,Location: Public Network,User: user_f,Domain: XXXXDOMAIN,Action: Blocked,SHA-256: d1616b874a96df2515da372a90bddc00792cbff027f5e097cafa31d3aea8b310,MD-5: 82136b4240d6ce4ea7d03e51469a393b def test_symantec_ep_traffic(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) 
@@ -346,7 +381,8 @@ def test_symantec_ep_traffic(record_property, setup_wordlist, setup_splunk, setu epoch = epoch[:-7] mt = env.from_string( - "{{ mark }}{{ bsd }} {{host}} " + r"SymantecServer: nnnnn,Local Host IP: 10.0.0.2,Local Port: 10456,Local Host MAC: B9e90F5c3aC4,Remote Host IP: 10.0.9.2,Remote Host Name: lllll,Remote Port: 58999,Remote Host MAC: 7b6A329f7c1e,others,Inbound,Begin: 2020-05-06 09:18:32,End: 2020-05-06 09:18:32,Occurrences: 8,Application: C:/Windows/System32/example_y.EXE,Rule: Block all other IP traffic and log,Location: Public Network,User: user_f,Domain: XXXXDOMAIN,Action: Blocked,SHA-256: d1616b874a96df2515da372a90bddc00792cbff027f5e097cafa31d3aea8b310,MD-5: 82136b4240d6ce4ea7d03e51469a393b" + "{{ mark }}{{ bsd }} {{host}} " + + r"SymantecServer: nnnnn,Local Host IP: 10.0.0.2,Local Port: 10456,Local Host MAC: B9e90F5c3aC4,Remote Host IP: 10.0.9.2,Remote Host Name: lllll,Remote Port: 58999,Remote Host MAC: 7b6A329f7c1e,others,Inbound,Begin: 2020-05-06 09:18:32,End: 2020-05-06 09:18:32,Occurrences: 8,Application: C:/Windows/System32/example_y.EXE,Rule: Block all other IP traffic and log,Location: Public Network,User: user_f,Domain: XXXXDOMAIN,Action: Blocked,SHA-256: d1616b874a96df2515da372a90bddc00792cbff027f5e097cafa31d3aea8b310,MD-5: 82136b4240d6ce4ea7d03e51469a393b" ) message = mt.render(mark="<13>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) diff --git a/tests/test_symantec_proxy.py b/tests/test_symantec_proxy.py index a65b55f255..c34c82a3df 100644 --- a/tests/test_symantec_proxy.py +++ b/tests/test_symantec_proxy.py 
@@ -25,11 +25,14 @@ def test_bluecoatproxySG_kv(record_property, setup_wordlist, setup_splunk, setup epoch = epoch[:-3] mt = env.from_string( - "{{ mark }} {{ iso }}Z {{host}} bluecoat[0]: SPLV5.1 c-ip=192.0.0.6 cs-bytes=6269 cs-categories=\"unavailable\" cs-host=gg.hhh.iii.com cs-ip=192.0.0.6 cs-method=GET cs-uri-path=/Sample/abc-xyz-01.pqr_sample_Internal.crt/MFAwTqADAgEAMEcwRTBDMAkGBSsOAwIaBQAEFOoaVMtyzC9gObESY9g1eXf1VM8VBBTl1mBq2WFf4cYqBI6c08kr4S302gIKUCIZdgAAAAAnQA%3D%3D cs-uri-port=8000 cs-uri-scheme=http cs-User-Agent=\"ocspd/1.0.3\" cs-username=user4 clientduration=0 rs-status=0 s-action=TCP_HIT s-ip=10.0.0.6 serveripservice.name=\"Explicit HTTP\" service.group=\"Standard\" s-supplier-ip=10.0.0.6 s-supplier-name=gg.hhh.iii.com sc-bytes=9469 sc-filter-result=OBSERVED sc-status=200 time-taken=20 x-bluecoat-appliance-name=\"10.0.0.6-sample_logs\" x-bluecoat-appliance-primary-address=10.0.0.6 x-bluecoat-proxy-primary-address=10.0.0.6 x-bluecoat-transaction-uuid=35d24c931c0erecta-0003000012161a77e70-00042100041002145cc859ed c-url=\"http://randomserver:8000/en-US/app/examples/\"") + '{{ mark }} {{ iso }}Z {{host}} bluecoat[0]: SPLV5.1 c-ip=192.0.0.6 cs-bytes=6269 cs-categories="unavailable" cs-host=gg.hhh.iii.com cs-ip=192.0.0.6 cs-method=GET cs-uri-path=/Sample/abc-xyz-01.pqr_sample_Internal.crt/MFAwTqADAgEAMEcwRTBDMAkGBSsOAwIaBQAEFOoaVMtyzC9gObESY9g1eXf1VM8VBBTl1mBq2WFf4cYqBI6c08kr4S302gIKUCIZdgAAAAAnQA%3D%3D cs-uri-port=8000 cs-uri-scheme=http cs-User-Agent="ocspd/1.0.3" cs-username=user4 clientduration=0 rs-status=0 s-action=TCP_HIT s-ip=10.0.0.6 serveripservice.name="Explicit HTTP" service.group="Standard" s-supplier-ip=10.0.0.6 s-supplier-name=gg.hhh.iii.com sc-bytes=9469 sc-filter-result=OBSERVED sc-status=200 time-taken=20 x-bluecoat-appliance-name="10.0.0.6-sample_logs" x-bluecoat-appliance-primary-address=10.0.0.6 x-bluecoat-proxy-primary-address=10.0.0.6 x-bluecoat-transaction-uuid=35d24c931c0erecta-0003000012161a77e70-00042100041002145cc859ed 
c-url="http://randomserver:8000/en-US/app/examples/"' + ) message = mt.render(mark="<134>", iso=iso, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netproxy host=\"{{ host }}\" sourcetype=\"bluecoat:proxysg:access:kv\"") + st = env.from_string( + 'search _time={{ epoch }} index=netproxy host="{{ host }}" sourcetype="bluecoat:proxysg:access:kv"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
@@ -40,10 +43,13 @@ def test_bluecoatproxySG_kv(record_property, setup_wordlist, setup_splunk, setup assert resultCount == 1 + # # <111>1 $(date)T$(x-bluecoat-hour-utc):$(x-bluecoat-minute-utc):$(x-bluecoat-second-utc).000z $(x-bluecoat-appliance-name) bluecoat - splunk_format - c-ip=$(c-ip) Content-Type=$(quot)$(rs(Content-Type))$(quot) cs-auth-group=$(cs-auth-group) cs-bytes=$(cs-bytes) cs-categories=$(quot)$(cs-categories)$(quot) cs-host=$(cs-host) cs-ip=$(cs-ip) cs-method=$(cs-method) cs-uri-extension=$(cs-uri-extension) cs-uri-path=$(cs-uri-path) cs-uri-port=$(cs-uri-port) cs-uri-query=$(quot)$(cs-uri-query)$(quot) cs-uri-scheme=$(cs-uri-scheme) cs-User-Agent=$(quot)$(cs(User-Agent))$(quot) cs-username=$(cs-username) dnslookup-time=$(dnslookup-time) duration=$(duration) rs-status=$(rs-status) rs-version=$(rs-version) rs_Content_Type=$(rs-Content-Type) s-action=$(s-action) s-ip=$(s-ip) service.name=$(service.name) service.group=$(service.group) s-supplier-ip=$(s-supplier-ip) s-supplier-name=$(s-supplier-name) sc-bytes=$(sc-bytes) sc-filter-result=$(sc-filter-result) sc-filter-result=$(sc-filter-result) sc-status=$(sc-status) time-taken=$(time-taken) x-bluecoat-appliance-name=$(x-bluecoat-appliance-name) x-bluecoat-appliance-primary-address=$(x-bluecoat-appliance-primary-address) x-bluecoat-application-name=$(x-bluecoat-application-name) x-bluecoat-application-operation=$(x-bluecoat-application-operation) x-bluecoat-proxy-primary-address=$(x-bluecoat-proxy-primary-address) x-bluecoat-transaction-uuid=$(x-bluecoat-transaction-uuid) x-exception-id=$(x-exception-id) x-virus-id=$(x-virus-id) c-url=$(quot)$(url)$(quot) cs-Referer=$(quot)$(cs(Referer))$(quot) c-cpu=$(c-cpu) c-uri-pathquery=$(c-uri-pathquery) connect-time=$(connect-time) cs-auth-groups=$(cs-auth-groups) cs-headerlength=$(cs-headerlength) cs-threat-risk=$(cs-threat-risk) r-ip=$(r-ip) r-supplier-ip=$(r-supplier-ip) rs-time-taken=$(rs-time-taken) rs-server=$(rs(server)) s-connect-type=$(s-connect-type) 
s-icap-status=$(s-icap-status) s-sitename=$(s-sitename) s-source-port=$(s-source-port) s-supplier-country=$(s-supplier-country) sc-Content-Encoding=$(sc(Content-Encoding)) sr-Accept-Encoding=$(sr(Accept-Encoding)) x-auth-credential-type=$(x-auth-credential-type) x-cookie-date=$(x-cookie-date) x-cs-certificate-subject=$(x-cs-certificate-subject) x-cs-connection-negotiated-cipher=$(x-cs-connection-negotiated-cipher) x-cs-connection-negotiated-cipher-size=$(x-cs-connection-negotiated-cipher-size) x-cs-connection-negotiated-ssl-version=$(x-cs-connection-negotiated-ssl-version) x-cs-ocsp-error=$(x-cs-ocsp-error) x-cs-Referer-uri=$(x-cs(Referer)-uri) x-cs-Referer-uri-address=$(x-cs(Referer)-uri-address) x-cs-Referer-uri-extension=$(x-cs(Referer)-uri-extension) x-cs-Referer-uri-host=$(x-cs(Referer)-uri-host) x-cs-Referer-uri-hostname=$(x-cs(Referer)-uri-hostname) x-cs-Referer-uri-path=$(x-cs(Referer)-uri-path) x-cs-Referer-uri-pathquery=$(x-cs(Referer)-uri-pathquery) x-cs-Referer-uri-port=$(x-cs(Referer)-uri-port) x-cs-Referer-uri-query=$(x-cs(Referer)-uri-query) x-cs-Referer-uri-scheme=$(x-cs(Referer)-uri-scheme) x-cs-Referer-uri-stem=$(x-cs(Referer)-uri-stem) x-exception-category=$(x-exception-category) x-exception-category-review-message=$(x-exception-category-review-message) x-exception-company-name=$(x-exception-company-name) x-exception-contact=$(x-exception-contact) x-exception-details=$(x-exception-details) x-exception-header=$(x-exception-header) x-exception-help=$(x-exception-help) x-exception-last-error=$(x-exception-last-error) x-exception-reason=$(x-exception-reason) x-exception-sourcefile=$(x-exception-sourcefile) x-exception-sourceline=$(x-exception-sourceline) x-exception-summary=$(x-exception-summary) x-icap-error-code=$(x-icap-error-code) x-rs-certificate-hostname=$(x-rs-certificate-hostname) x-rs-certificate-hostname-category=$(x-rs-certificate-hostname-category) x-rs-certificate-observed-errors=$(x-rs-certificate-observed-errors) 
x-rs-certificate-subject=$(x-rs-certificate-subject) x-rs-certificate-validate-status=$(x-rs-certificate-validate-status) x-rs-connection-negotiated-cipher=$(x-rs-connection-negotiated-cipher) x-rs-connection-negotiated-cipher-size=$(x-rs-connection-negotiated-cipher-size) x-rs-connection-negotiated-ssl-version=$(x-rs-connection-negotiated-ssl-version) x-rs-ocsp-error=$(x-rs-ocsp-error) # -def test_bluecoatproxySG_kv_5424(record_property, setup_wordlist, setup_splunk, setup_sc4s): +def test_bluecoatproxySG_kv_5424( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now(datetime.timezone.utc) 
@@ -54,11 +60,14 @@ def test_bluecoatproxySG_kv_5424(record_property, setup_wordlist, setup_splunk, epoch = epoch[:-3] mt = env.from_string( - "{{ mark }}1 {{ iso }}Z {{host}} bluecoat - splunk_format - c-ip=192.0.0.6 cs-bytes=6269 cs-categories=\"unavailable\" cs-host=gg.hhh.iii.com cs-ip=192.0.0.6 cs-method=GET cs-uri-path=/Sample/abc-xyz-01.pqr_sample_Internal.crt/MFAwTqADAgEAMEcwRTBDMAkGBSsOAwIaBQAEFOoaVMtyzC9gObESY9g1eXf1VM8VBBTl1mBq2WFf4cYqBI6c08kr4S302gIKUCIZdgAAAAAnQA%3D%3D cs-uri-port=8000 cs-uri-scheme=http cs-User-Agent=\"ocspd/1.0.3\" cs-username=user4 clientduration=0 rs-status=0 s-action=TCP_HIT s-ip=10.0.0.6 serveripservice.name=\"Explicit HTTP\" service.group=\"Standard\" s-supplier-ip=10.0.0.6 s-supplier-name=gg.hhh.iii.com sc-bytes=9469 sc-filter-result=OBSERVED sc-status=200 time-taken=20 x-bluecoat-appliance-name=\"10.0.0.6-sample_logs\" x-bluecoat-appliance-primary-address=10.0.0.6 x-bluecoat-proxy-primary-address=10.0.0.6 x-bluecoat-transaction-uuid=35d24c931c0erecta-0003000012161a77e70-00042100041002145cc859ed c-url=\"http://randomserver:8000/en-US/app/examples/\"") + '{{ mark }}1 {{ iso }}Z {{host}} bluecoat - splunk_format - c-ip=192.0.0.6 cs-bytes=6269 cs-categories="unavailable" cs-host=gg.hhh.iii.com cs-ip=192.0.0.6 cs-method=GET cs-uri-path=/Sample/abc-xyz-01.pqr_sample_Internal.crt/MFAwTqADAgEAMEcwRTBDMAkGBSsOAwIaBQAEFOoaVMtyzC9gObESY9g1eXf1VM8VBBTl1mBq2WFf4cYqBI6c08kr4S302gIKUCIZdgAAAAAnQA%3D%3D cs-uri-port=8000 cs-uri-scheme=http cs-User-Agent="ocspd/1.0.3" cs-username=user4 clientduration=0 rs-status=0 s-action=TCP_HIT s-ip=10.0.0.6 serveripservice.name="Explicit HTTP" service.group="Standard" s-supplier-ip=10.0.0.6 s-supplier-name=gg.hhh.iii.com sc-bytes=9469 sc-filter-result=OBSERVED sc-status=200 time-taken=20 x-bluecoat-appliance-name="10.0.0.6-sample_logs" x-bluecoat-appliance-primary-address=10.0.0.6 x-bluecoat-proxy-primary-address=10.0.0.6 
x-bluecoat-transaction-uuid=35d24c931c0erecta-0003000012161a77e70-00042100041002145cc859ed c-url="http://randomserver:8000/en-US/app/examples/"' + ) message = mt.render(mark="<134>", iso=iso, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netproxy host=\"{{ host }}\" sourcetype=\"bluecoat:proxysg:access:kv\"") + st = env.from_string( + 'search _time={{ epoch }} index=netproxy host="{{ host }}" sourcetype="bluecoat:proxysg:access:kv"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -69,4 +78,5 @@ def test_bluecoatproxySG_kv_5424(record_property, setup_wordlist, setup_splunk, assert resultCount == 1 -# \ No newline at end of file + +# diff --git a/tests/test_tanium.py b/tests/test_tanium.py index 021fde6d39..c459f32f71 100644 --- a/tests/test_tanium.py +++ b/tests/test_tanium.py @@ -1,4 +1,3 @@ - # Copyright 2019 Splunk, Inc. # # Use of this source code is governed by a BSD-2-clause-style @@ -44,4 +43,3 @@ def test_tanium_question(record_property, setup_wordlist, setup_splunk, setup_sc record_property("message", message) assert resultCount == 1 - diff --git a/tests/test_tenable.py b/tests/test_tenable.py index 7303563f8f..33b0b78099 100644 --- a/tests/test_tenable.py +++ b/tests/test_tenable.py 
@@ -11,18 +11,22 @@ from .timeutils import * import pytest + env = Environment() -#<134>May 7 12:39:29 nnm.home.cugnet.net nnm: 192.168.100.1:0|192.168.100.60:0|17|18|Generic Protocol Detection|This plugin determines the IP protocols running on the remote machine.|The remote host is utilizing the following IP protocols : protocol number 17 (udp) |NONE +# <134>May 7 12:39:29 nnm.home.cugnet.net nnm: 192.168.100.1:0|192.168.100.60:0|17|18|Generic Protocol Detection|This plugin determines the IP protocols running on the remote machine.|The remote host is utilizing the following IP protocols : protocol number 17 (udp) |NONE testdata = [ - '{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.1:0|127.0.0.2:0|17|18|Generic Protocol Detection|This plugin determines the IP protocols running on the remote machine.|The remote host is utilizing the following IP protocols : protocol number 17 (udp) |NONE', - '{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.3:8080|127.0.0.4:0|6|0|new-open-port|NNM identifies which ports are open or listening on a host. This is detected by observing the response sent from a server or the \'SYN-ACK\' sent when receiving a connection.||INFO', - '{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.5:53|127.0.0.6:51329|17|7117|SSL Client Error Code Detection|The client has responded with an SSL error message of : 'Close notify ' Level : 'Warning' Source IP : 192.168.100.1 Dest. IP : 192.168.100.60 |Plugin Output N/A|NONE' + "{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.1:0|127.0.0.2:0|17|18|Generic Protocol Detection|This plugin determines the IP protocols running on the remote machine.|The remote host is utilizing the following IP protocols : protocol number 17 (udp) |NONE", + "{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.3:8080|127.0.0.4:0|6|0|new-open-port|NNM identifies which ports are open or listening on a host. 
This is detected by observing the response sent from a server or the 'SYN-ACK' sent when receiving a connection.||INFO", + "{{ mark }}{{ bsd }} {{ host }} nnm: 127.0.0.5:53|127.0.0.6:51329|17|7117|SSL Client Error Code Detection|The client has responded with an SSL error message of : 'Close notify ' Level : 'Warning' Source IP : 192.168.100.1 Dest. IP : 192.168.100.60 |Plugin Output N/A|NONE", ] + @pytest.mark.parametrize("event", testdata) -def test_tenable(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event): +def test_tenable( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s, event +): host = get_host_key dt = datetime.datetime.now() @@ -37,7 +41,8 @@ def test_tenable(record_property, setup_wordlist, get_host_key, setup_splunk, se sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) st = env.from_string( - "search index=netfw _time={{ epoch }} sourcetype=\"tenable:nnm:vuln\" (host=\"{{ host }}\" OR \"{{ host }}\")") + 'search index=netfw _time={{ epoch }} sourcetype="tenable:nnm:vuln" (host="{{ host }}" OR "{{ host }}")' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_tintri.py b/tests/test_tintri.py index 91cf883419..9e74898bce 100644 --- a/tests/test_tintri.py +++ b/tests/test_tintri.py @@ -14,7 +14,9 @@ # <165>1 2007-02-15T09:17:15.719Z router1 mgd 3046 UI_DBASE_LOGOUT_EVENT [junos@2636.1.1.1.2.18 username="user"] User 'user' exiting configuration mode # @pytest.mark.xfail -def test_tintri(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s): +def test_tintri( + record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s +): host = get_host_key dt = datetime.datetime.now(datetime.timezone.utc) 
@@ -25,12 +27,15 @@ def test_tintri(record_property, setup_wordlist, get_host_key, setup_splunk, set epoch = epoch[:-3] mt = env.from_string( - "{{ mark }}{{ iso }} {{ host }} : Scrubbed@ 2021-03-22T13:55:01.620956-04:00 tomcat: [https-jsse-nio-443-exec-8,com.tintri.log.LogBase] WARN : USER:AUDIT:LOG-AUDIT-0083: [358966] Reset credentials [POST /api/v310/userAccount/reset#012[Severity:WARNING , Facility:LOCAL6]\n") + "{{ mark }}{{ iso }} {{ host }} : Scrubbed@ 2021-03-22T13:55:01.620956-04:00 tomcat: [https-jsse-nio-443-exec-8,com.tintri.log.LogBase] WARN : USER:AUDIT:LOG-AUDIT-0083: [358966] Reset credentials [POST /api/v310/userAccount/reset#012[Severity:WARNING , Facility:LOCAL6]\n" + ) message = mt.render(mark="<165>", iso=iso, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=infraops host=\"{{ host }}\" sourcetype=\"tintri\"") + st = env.from_string( + 'search _time={{ epoch }} index=infraops host="{{ host }}" sourcetype="tintri"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -39,4 +44,4 @@ def test_tintri(record_property, setup_wordlist, get_host_key, setup_splunk, set record_property("resultCount", resultCount) record_property("message", message) - assert resultCount == 1 \ No newline at end of file + assert resultCount == 1 diff --git a/tests/test_ubiquiti_unifi.py b/tests/test_ubiquiti_unifi.py index 93fb3de204..57ee56e0e9 100644 --- a/tests/test_ubiquiti_unifi.py +++ b/tests/test_ubiquiti_unifi.py 
@@ -13,9 +13,12 @@ env = Environment() -#<27>Nov 8 17:28:43 US8P60,18e8294876c3,v4.0.66.10832 switch: DOT1S: dot1sBpduReceive(): Discarding the BPDU on port 0/7, since it is an invalid BPDU type +# <27>Nov 8 17:28:43 US8P60,18e8294876c3,v4.0.66.10832 switch: DOT1S: dot1sBpduReceive(): Discarding the BPDU on port 0/7, since it is an invalid BPDU type -def test_ubiquiti_unifi_us8p60(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +def test_ubiquiti_unifi_us8p60( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() @@ -25,11 +28,14 @@ def test_ubiquiti_unifi_us8p60(record_property, setup_wordlist, setup_splunk, se epoch = epoch[:-7] mt = env.from_string( - "{{mark}}{{ bsd }} US8P60,18e8294876c3,v4.0.66.10832 switch: DOT1S: dot1sBpduReceive(): Discarding the BPDU on port 0/7, since it is an invalid BPDU type {{key}}") + "{{mark}}{{ bsd }} US8P60,18e8294876c3,v4.0.66.10832 switch: DOT1S: dot1sBpduReceive(): Discarding the BPDU on port 0/7, since it is an invalid BPDU type {{key}}" + ) message = mt.render(mark="<27>", bsd=bsd, key=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netops sourcetype=ubnt:switch \"{{key}}\"") + st = env.from_string( + 'search _time={{ epoch }} index=netops sourcetype=ubnt:switch "{{key}}"' + ) search = st.render(epoch=epoch, key=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
@@ -40,8 +46,11 @@ def test_ubiquiti_unifi_us8p60(record_property, setup_wordlist, setup_splunk, se assert resultCount == 1 -#<29>Nov 10 20:46:02 US24P250,f09fc26f4419,v4.0.54.10625 switch: TRAPMGR: Cold Start: Unit: 0 -def test_ubiquiti_unifi_switch_us24p250(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +# <29>Nov 10 20:46:02 US24P250,f09fc26f4419,v4.0.54.10625 switch: TRAPMGR: Cold Start: Unit: 0 +def test_ubiquiti_unifi_switch_us24p250( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() @@ -51,11 +60,14 @@ def test_ubiquiti_unifi_switch_us24p250(record_property, setup_wordlist, setup_s epoch = epoch[:-7] mt = env.from_string( - "{{mark}}{{ bsd }} US24P250,f09fc26f4419,v4.0.54.10625 switch: TRAPMGR: Cold Start: Unit: {{key}}") + "{{mark}}{{ bsd }} US24P250,f09fc26f4419,v4.0.54.10625 switch: TRAPMGR: Cold Start: Unit: {{key}}" + ) message = mt.render(mark="<27>", bsd=bsd, key=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netops sourcetype=ubnt:switch \"{{key}}\"") + st = env.from_string( + 'search _time={{ epoch }} index=netops sourcetype=ubnt:switch "{{key}}"' + ) search = st.render(epoch=epoch, key=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
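Review bot: The sample line rebuilt as `# <29>Nov 10 20:46:02 US24P250,f09fc26f4419,...` above test_ubiquiti_unifi_switch_us24p250 documents priority <29>, but the render call in the hunk that follows on this line still sends `mark="<27>"`, so the test no longer reproduces the sample it cites. Either align the call, `message = mt.render(mark="<29>", bsd=bsd, key=host)`, or, if <27> is deliberate, say so next to the sample, e.g. `# sent with PRI <27> rather than the sample's <29>; classification is by the program/host fields, not facility`. I cannot confirm from the hunk that the ubnt:switch sourcetype decision ignores the PRI, so the comment should only be added if that is actually true. The function body continues outside this hunk.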
@@ -66,8 +78,11 @@ def test_ubiquiti_unifi_switch_us24p250(record_property, setup_wordlist, setup_s assert resultCount == 1 -#<30>Nov 10 11:49:46 U7PG2,788a2056b181,v4.0.66.10832: logread[5495]: Logread connected to 10.2.0.9:514 -def test_ubiquiti_unifi_ap_u7pg2(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +# <30>Nov 10 11:49:46 U7PG2,788a2056b181,v4.0.66.10832: logread[5495]: Logread connected to 10.2.0.9:514 +def test_ubiquiti_unifi_ap_u7pg2( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() @@ -77,11 +92,14 @@ def test_ubiquiti_unifi_ap_u7pg2(record_property, setup_wordlist, setup_splunk, epoch = epoch[:-7] mt = env.from_string( - "{{mark}}{{ bsd }} U7PG2,788a2056b181,v4.0.66.10832: logread[5495]: Logread connected to 10.2.0.9:514") + "{{mark}}{{ bsd }} U7PG2,788a2056b181,v4.0.66.10832: logread[5495]: Logread connected to 10.2.0.9:514" + ) message = mt.render(mark="<27>", bsd=bsd) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netops sourcetype=ubnt:wireless") + st = env.from_string( + "search _time={{ epoch }} index=netops sourcetype=ubnt:wireless" + ) search = st.render(epoch=epoch) resultCount, eventCount = splunk_single(setup_splunk, search) 
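Review bot: The rebuilt search for test_ubiquiti_unifi_ap_u7pg2, `search _time={{ epoch }} index=netops sourcetype=ubnt:wireless`, carries no per-run discriminator and neither does the message template above it, so the `assert resultCount == 1` after the hunk can only tell events apart by second-granularity `_time`; a second run in the same second or a leftover event from an earlier run makes it fail, or pass for the wrong reason. The sibling switch tests in this file append the generated host key, and the same three-line change fits here, assuming a trailing token does not alter how sc4s classifies the line (the us8p60 test suggests it does not): `"{{mark}}{{ bsd }} U7PG2,788a2056b181,v4.0.66.10832: logread[5495]: Logread connected to 10.2.0.9:514 {{key}}"`, `message = mt.render(mark="<27>", bsd=bsd, key=host)`, and `'search _time={{ epoch }} index=netops sourcetype=ubnt:wireless "{{key}}"'`. The rebuilt sample comment also shows `<30>` while the render passes `<27>`, which is worth aligning or explaining. The function continues outside the hunk.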
@@ -92,7 +110,8 @@ def test_ubiquiti_unifi_ap_u7pg2(record_property, setup_wordlist, setup_splunk, assert resultCount == 1 -#<4>Nov 10 23:04:06 USG kernel: [LAN_LOCAL-default-A]IN=eth0.2004 OUT= MAC= SRC=10.254.3.1 DST=224.0.0.251 LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=32463 DF PROTO=UDP SPT=5353 DPT=5353 LEN=328 + +# <4>Nov 10 23:04:06 USG kernel: [LAN_LOCAL-default-A]IN=eth0.2004 OUT= MAC= SRC=10.254.3.1 DST=224.0.0.251 LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=32463 DF PROTO=UDP SPT=5353 DPT=5353 LEN=328 def test_ubiquiti_unifi_usg(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) @@ -103,11 +122,14 @@ def test_ubiquiti_unifi_usg(record_property, setup_wordlist, setup_splunk, setup epoch = epoch[:-7] mt = env.from_string( - "{{mark}}{{ bsd }} usg-{{host}} kernel: [LAN_LOCAL-default-A]IN=eth0.2004 OUT= MAC= SRC=10.254.3.1 DST=224.0.0.251 LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=32463 DF PROTO=UDP SPT=5353 DPT=5353 LEN=328") + "{{mark}}{{ bsd }} usg-{{host}} kernel: [LAN_LOCAL-default-A]IN=eth0.2004 OUT= MAC= SRC=10.254.3.1 DST=224.0.0.251 LEN=348 TOS=0x00 PREC=0x00 TTL=255 ID=32463 DF PROTO=UDP SPT=5353 DPT=5353 LEN=328" + ) message = mt.render(mark="<27>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netfw sourcetype=ubnt:fw host=usg-{{host}}") + st = env.from_string( + "search _time={{ epoch }} index=netfw sourcetype=ubnt:fw host=usg-{{host}}" + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) diff --git a/tests/test_varonis.py b/tests/test_varonis.py index 4015db3a7d..e343808e11 100644 --- a/tests/test_varonis.py +++ b/tests/test_varonis.py @@ -44,4 +44,3 @@ def test_varonis(record_property, setup_wordlist, setup_splunk, setup_sc4s): record_property("message", message) assert resultCount == 1 - 
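Review bot: The sample rebuilt as `# <4>Nov 10 23:04:06 USG kernel: [LAN_LOCAL-default-A]...` is a kern-facility message (PRI 4), but the render call in the hunk that follows on this line sends `mark="<27>"` (daemon.err), so test_ubiquiti_unifi_usg exercises a different facility from the sample it documents. If sc4s keys ubnt:fw off the `kernel:` program rather than the facility this is harmless, but nothing in the hunk establishes that. Suggest `message = mt.render(mark="<4>", bsd=bsd, host=host)` to match the sample, or a one-line comment stating why the priority is intentionally different. The function body continues beyond the hunk.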
diff --git a/tests/test_vmware.py b/tests/test_vmware.py index 7729b86eec..a4c105e41c 100644 --- a/tests/test_vmware.py +++ b/tests/test_vmware.py @@ -15,9 +15,11 @@ env = Environment() -#vpxd 123 - - Event [3481177] [1-1] [2019-05-23T09:03:36.213922Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.LOCAL\svc-vcenter-user] [] [3481177] [User VSPHERE.LOCAL\svc-vcenter-user@192.168.10.10 logged in as pyvmomi Python/2.7.13 (Linux; 4.9.0-7-amd64; x86_64)] +# vpxd 123 - - Event [3481177] [1-1] [2019-05-23T09:03:36.213922Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.LOCAL\svc-vcenter-user] [] [3481177] [User VSPHERE.LOCAL\svc-vcenter-user@192.168.10.10 logged in as pyvmomi Python/2.7.13 (Linux; 4.9.0-7-amd64; x86_64)] def test_linux_vmware(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "testvmw-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + host = "testvmw-{}-{}".format( + random.choice(setup_wordlist), random.choice(setup_wordlist) + ) pid = random.randint(1000, 32000) dt = datetime.datetime.now(datetime.timezone.utc) 
@@ -29,12 +31,18 @@ def test_linux_vmware(record_property, setup_wordlist, setup_splunk, setup_sc4s) iso_header = dt.isoformat()[0:23] epoch = epoch[:-3] - mt = env.from_string("{{ mark }}1 {{ iso_header }}Z {{ host }} vpxa {{ pid }} - - Event [3481177] [1-1] [{{ iso }}Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.LOCAL\svc-vcenter-user] [] [3481177] [User VSPHERE.LOCAL\svc-vcenter-user@192.168.10.10 logged in as pyvmomi Python/2.7.13 (Linux; 4.9.0-7-amd64; x86_64)]\n") - message = mt.render(mark="<144>", iso_header=iso_header, iso=iso, host=host, pid=pid) + mt = env.from_string( + "{{ mark }}1 {{ iso_header }}Z {{ host }} vpxa {{ pid }} - - Event [3481177] [1-1] [{{ iso }}Z] [vim.event.UserLoginSessionEvent] [info] [VSPHERE.LOCAL\svc-vcenter-user] [] [3481177] [User VSPHERE.LOCAL\svc-vcenter-user@192.168.10.10 logged in as pyvmomi Python/2.7.13 (Linux; 4.9.0-7-amd64; x86_64)]\n" + ) + message = mt.render( + mark="<144>", iso_header=iso_header, iso=iso, host=host, pid=pid + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=infraops host={{ host }} {{ pid }} sourcetype=\"vmware:vsphere:esx\"") + st = env.from_string( + 'search _time={{ epoch }} index=infraops host={{ host }} {{ pid }} sourcetype="vmware:vsphere:esx"' + ) search = st.render(epoch=epoch, host=host, pid=pid) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -45,8 +53,11 @@ def test_linux_vmware(record_property, setup_wordlist, setup_splunk, setup_sc4s) assert resultCount == 1 + def test_linux_vmware_nix(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "testvmwe-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + host = "testvmwe-{}-{}".format( + random.choice(setup_wordlist), random.choice(setup_wordlist) + ) pid = random.randint(1000, 32000) dt = datetime.datetime.now(datetime.timezone.utc) 
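Review bot: The rebuilt template string in test_linux_vmware contains `\s` twice (`[VSPHERE.LOCAL\svc-vcenter-user]` and `VSPHERE.LOCAL\svc-vcenter-user@192.168.10.10`) inside a non-raw double-quoted literal; `\s` is not a Python escape, so CPython keeps the backslash but emits DeprecationWarning (SyntaxWarning from 3.12) and flake8 reports W605, which is exactly the kind of thing a pre-commit pass like this one should catch. A raw prefix is not a drop-in because the literal ends with `\n`; doubling the backslashes is: `[VSPHERE.LOCAL\\svc-vcenter-user] [] [3481177] [User VSPHERE.LOCAL\\svc-vcenter-user@192.168.10.10 logged in as pyvmomi Python/2.7.13 (Linux; 4.9.0-7-amd64; x86_64)]\n`. The same `\s` appears in the sample comment above the function, where it is harmless.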
@@ -58,12 +69,18 @@ def test_linux_vmware_nix(record_property, setup_wordlist, setup_splunk, setup_s iso_header = dt.isoformat()[0:23] epoch = epoch[:-3] - mt = env.from_string("{{ mark }}1 {{ iso_header }}Z {{ host }} sshd {{ pid }} - - - Generic event\n") - message = mt.render(mark="<144>", iso_header=iso_header, iso=iso, host=host, pid=pid) + mt = env.from_string( + "{{ mark }}1 {{ iso_header }}Z {{ host }} sshd {{ pid }} - - - Generic event\n" + ) + message = mt.render( + mark="<144>", iso_header=iso_header, iso=iso, host=host, pid=pid + ) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=infraops host={{ host }} {{ pid }} sourcetype=\"nix:syslog\"") + st = env.from_string( + 'search _time={{ epoch }} index=infraops host={{ host }} {{ pid }} sourcetype="nix:syslog"' + ) search = st.render(epoch=epoch, host=host, pid=pid) resultCount, eventCount = splunk_single(setup_splunk, search) 
@@ -72,11 +89,16 @@ def test_linux_vmware_nix(record_property, setup_wordlist, setup_splunk, setup_s record_property("resultCount", resultCount) record_property("message", message) - assert resultCount == 1 + assert resultCount == 1 + -#<46>1 2019-10-24T21:00:02.403Z {{ host }} NSXV 5996 - [nsxv@6876 comp="nsx-manager" subcomp="manager"] Invoking EventHistoryCollector.readNext on session[52db61bf-9c30-1e1f-5a26-8cd7e6f9f552]52032c51-240a-7c30-cd84-4b4246508dbe, operationID=opId-688ef-9725704 -def test_linux_vmware_nsx_ietf(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "testvmw-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) +# <46>1 2019-10-24T21:00:02.403Z {{ host }} NSXV 5996 - [nsxv@6876 comp="nsx-manager" subcomp="manager"] Invoking EventHistoryCollector.readNext on session[52db61bf-9c30-1e1f-5a26-8cd7e6f9f552]52032c51-240a-7c30-cd84-4b4246508dbe, operationID=opId-688ef-9725704 +def test_linux_vmware_nsx_ietf( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): + host = "testvmw-{}-{}".format( + random.choice(setup_wordlist), random.choice(setup_wordlist) + ) pid = random.randint(1000, 32000) dt = datetime.datetime.now(datetime.timezone.utc) 
@@ -87,12 +109,16 @@ def test_linux_vmware_nsx_ietf(record_property, setup_wordlist, setup_splunk, se iso_header = dt.isoformat()[0:23] epoch = epoch[:-3] - mt = env.from_string("{{ mark }}1 {{ iso_header }}Z {{ host }} NSX - SYSTEM [nsx@6876 comp=\"nsx-manager\" errorCode=\"MP4039\" subcomp=\"manager\"] Connection verification failed for broker '10.160.108.196'. Marking broker unhealthy.\n") + mt = env.from_string( + '{{ mark }}1 {{ iso_header }}Z {{ host }} NSX - SYSTEM [nsx@6876 comp="nsx-manager" errorCode="MP4039" subcomp="manager"] Connection verification failed for broker \'10.160.108.196\'. Marking broker unhealthy.\n' + ) message = mt.render(mark="<144>", iso_header=iso_header, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=infraops host={{ host }} sourcetype=\"vmware:vsphere:nsx\"") + st = env.from_string( + 'search _time={{ epoch }} index=infraops host={{ host }} sourcetype="vmware:vsphere:nsx"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -103,9 +129,12 @@ def test_linux_vmware_nsx_ietf(record_property, setup_wordlist, setup_splunk, se assert resultCount == 1 + # def test_linux_vmware_nsx_fw(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "testvmw-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) + host = "testvmw-{}-{}".format( + random.choice(setup_wordlist), random.choice(setup_wordlist) + ) pid = random.randint(1000, 32000) dt = datetime.datetime.now() 
@@ -114,12 +143,16 @@ def test_linux_vmware_nsx_fw(record_property, setup_wordlist, setup_splunk, setu # Tune time functions epoch = epoch[:-7] - mt = env.from_string("{{ mark }} {{ bsd }} {{ host }} dfwpktlogs: {{ pid }} INET match PASS domain-c7/1001 IN 60 TCP 10.33.24.50/45926->10.33.24.9/8140 S\n") + mt = env.from_string( + "{{ mark }} {{ bsd }} {{ host }} dfwpktlogs: {{ pid }} INET match PASS domain-c7/1001 IN 60 TCP 10.33.24.50/45926->10.33.24.9/8140 S\n" + ) message = mt.render(mark="<144>", bsd=bsd, host=host, pid=pid) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=infraops host={{ host }} {{ pid }} sourcetype=\"vmware:vsphere:nsx\"") + st = env.from_string( + 'search _time={{ epoch }} index=infraops host={{ host }} {{ pid }} sourcetype="vmware:vsphere:nsx"' + ) search = st.render(epoch=epoch, host=host, pid=pid) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -131,8 +164,12 @@ def test_linux_vmware_nsx_fw(record_property, setup_wordlist, setup_splunk, setu assert resultCount == 1 -def test_linux_vmware_vcenter_ietf(record_property, setup_wordlist, setup_splunk, setup_sc4s): - host = "testvmw-{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) +def test_linux_vmware_vcenter_ietf( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): + host = "testvmw-{}-{}".format( + random.choice(setup_wordlist), random.choice(setup_wordlist) + ) pid = random.randint(1000, 32000) dt = datetime.datetime.now(datetime.timezone.utc) 
@@ -143,12 +180,16 @@ def test_linux_vmware_vcenter_ietf(record_property, setup_wordlist, setup_splunk iso_header = dt.isoformat()[0:23] epoch = epoch[:-3] - mt = env.from_string("{{ mark }}1 {{ iso_header }}Z {{ host }} vmon 2275 - - Reset fail counters of service\n") + mt = env.from_string( + "{{ mark }}1 {{ iso_header }}Z {{ host }} vmon 2275 - - Reset fail counters of service\n" + ) message = mt.render(mark="<144>", iso_header=iso_header, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=infraops host={{ host }} sourcetype=\"vmware:vsphere:vcenter\"") + st = env.from_string( + 'search _time={{ epoch }} index=infraops host={{ host }} sourcetype="vmware:vsphere:vcenter"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -159,8 +200,11 @@ def test_linux_vmware_vcenter_ietf(record_property, setup_wordlist, setup_splunk assert resultCount == 1 + # <111>1 2020-06-18T08:44:09.039-05:00 host View - 73 [View@6876 Severity="AUDIT_SUCCESS" Module="Broker" EventType="BROKER_USERLOGGEDIN" UserSID="S-1-5-21-873381292-3070774752-20851"] -def test_linux_vmware_horizon_ietf(record_property, setup_wordlist, setup_splunk, setup_sc4s): +def test_linux_vmware_horizon_ietf( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) pid = random.randint(1000, 32000) 
@@ -172,12 +216,16 @@ def test_linux_vmware_horizon_ietf(record_property, setup_wordlist, setup_splunk
 iso_header = dt.isoformat()[0:23]
 epoch = epoch[:-3]
- mt = env.from_string('{{ mark }}1 {{ iso_header }}Z {{ host }} View - 73 [View@6876 Severity="AUDIT_SUCCESS" Module="Broker" EventType="BROKER_USERLOGGEDIN" UserSID="S-1-5-21-873381292-3070774752-20851"]\n')
+ mt = env.from_string(
+ '{{ mark }}1 {{ iso_header }}Z {{ host }} View - 73 [View@6876 Severity="AUDIT_SUCCESS" Module="Broker" EventType="BROKER_USERLOGGEDIN" UserSID="S-1-5-21-873381292-3070774752-20851"]\n'
+ )
 message = mt.render(mark="<144>", iso_header=iso_header, host=host)
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
- st = env.from_string("search _time={{ epoch }} index=infraops host={{ host }} sourcetype=\"vmware:horizon\"")
+ st = env.from_string(
+ 'search _time={{ epoch }} index=infraops host={{ host }} sourcetype="vmware:horizon"'
+ )
 search = st.render(epoch=epoch, host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
@@ -188,7 +236,10 @@ def test_linux_vmware_horizon_ietf(record_property, setup_wordlist, setup_splunk
 assert resultCount == 1
-def test_vmware_bsd_nix(record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s):
+
+def test_vmware_bsd_nix(
+ record_property, setup_wordlist, get_host_key, setup_splunk, setup_sc4s
+):
 host = "testvmwe-" + get_host_key
 dt = datetime.datetime.now()
@@ -198,12 +249,15 @@ def test_vmware_bsd_nix(record_property, setup_wordlist, get_host_key, setup_spl
 epoch = epoch[:-7]
 mt = env.from_string(
- "{{ mark }} {{ bsd }} {{ host }} sshd[195529]: something something\n")
+ "{{ mark }} {{ bsd }} {{ host }} sshd[195529]: something something\n"
+ )
 message = mt.render(mark="<166>", bsd=bsd, host=host)
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
- st = env.from_string("search _time={{ epoch }} index=infraops host={{ host }} sourcetype=\"nix:syslog\"")
+ st = env.from_string(
+ 'search _time={{ epoch }} index=infraops host={{ host }} sourcetype="nix:syslog"'
+ )
 search = st.render(epoch=epoch, host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
diff --git a/tests/test_zscaler_proxy.py b/tests/test_zscaler_proxy.py
index b8cbe50c26..34f46120fe 100644
--- a/tests/test_zscaler_proxy.py
+++ b/tests/test_zscaler_proxy.py
@@ -13,8 +13,8 @@ env = Environment()
-#Note the long white space is a \t
-#2019-10-16 15:44:36 reason=Allowed event_id=6748427317914894361 protocol=HTTPS action=Allowed transactionsize=663 responsesize=65 requestsize=598 urlcategory=UK_ALLOW_Pharmacies serverip=216.58.204.70 clienttranstime=0 requestmethod=CONNECT refererURL=None useragent=Windows Windows 10 Enterprise ZTunnel/1.0 product=NSS location=UK_Wynyard_VPN->other ClientIP=192.168.0.38 status=200 user=first.last@example.com url=4171764.fls.doubleclick.net:443 vendor=Zscaler hostname=4171764.fls.doubleclick.net clientpublicIP=213.86.221.94 threatcategory=None threatname=None filetype=None appname=DoubleClick pagerisk=0 department=Procurement, Generics urlsupercategory=User-defined appclass=Sales and Marketing dlpengine=None urlclass=Bandwidth Loss threatclass=None dlpdictionaries=None fileclass=None bwthrottle=NO servertranstime=0 md5=None
+# Note the long white space is a \t
+# 2019-10-16 15:44:36 reason=Allowed event_id=6748427317914894361 protocol=HTTPS action=Allowed transactionsize=663 responsesize=65 requestsize=598 urlcategory=UK_ALLOW_Pharmacies serverip=216.58.204.70 clienttranstime=0 requestmethod=CONNECT refererURL=None useragent=Windows Windows 10 Enterprise ZTunnel/1.0 product=NSS location=UK_Wynyard_VPN->other ClientIP=192.168.0.38 status=200 user=first.last@example.com url=4171764.fls.doubleclick.net:443 vendor=Zscaler hostname=4171764.fls.doubleclick.net clientpublicIP=213.86.221.94 threatcategory=None threatname=None filetype=None appname=DoubleClick pagerisk=0 department=Procurement, Generics urlsupercategory=User-defined appclass=Sales and Marketing dlpengine=None urlclass=Bandwidth Loss threatclass=None dlpdictionaries=None fileclass=None bwthrottle=NO servertranstime=0 md5=None
 def test_zscaler_proxy(record_property, setup_wordlist, setup_splunk, setup_sc4s):
 host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist))
@@ -26,11 +26,14 @@ def test_zscaler_proxy(record_property, setup_wordlist, setup_splunk, setup_sc4s epoch = epoch[:-7] mt = env.from_string( - "{{ date }} {{ time }}\treason=Allowed\tevent_id=6748427317914894361\tprotocol=HTTPS\taction=Allowed\ttransactionsize=663\tresponsesize=65\trequestsize=598\turlcategory=UK_ALLOW_Pharmacies\tserverip=216.58.204.70\tclienttranstime=0\trequestmethod=CONNECT\trefererURL=None\tuseragent=Windows Windows 10 Enterprise ZTunnel/1.0\tproduct=NSS\tlocation=UK_Wynyard_VPN->other\tClientIP=192.168.0.38\tstatus=200\tuser=first.last@example.com\turl=4171764.fls.doubleclick.net:443\tvendor=Zscaler\thostname={{host}}.fls.doubleclick.net\tclientpublicIP=213.86.221.94\tthreatcategory=None\tthreatname=None\tfiletype=None\tappname=DoubleClick\tpagerisk=0\tdepartment=Procurement, Generics\turlsupercategory=User-defined\tappclass=Sales and Marketing\tdlpengine=None\turlclass=Bandwidth Loss\tthreatclass=None\tdlpdictionaries=None\tfileclass=None\tbwthrottle=NO\tservertranstime=0\tmd5=None") + "{{ date }} {{ time }}\treason=Allowed\tevent_id=6748427317914894361\tprotocol=HTTPS\taction=Allowed\ttransactionsize=663\tresponsesize=65\trequestsize=598\turlcategory=UK_ALLOW_Pharmacies\tserverip=216.58.204.70\tclienttranstime=0\trequestmethod=CONNECT\trefererURL=None\tuseragent=Windows Windows 10 Enterprise ZTunnel/1.0\tproduct=NSS\tlocation=UK_Wynyard_VPN->other\tClientIP=192.168.0.38\tstatus=200\tuser=first.last@example.com\turl=4171764.fls.doubleclick.net:443\tvendor=Zscaler\thostname={{host}}.fls.doubleclick.net\tclientpublicIP=213.86.221.94\tthreatcategory=None\tthreatname=None\tfiletype=None\tappname=DoubleClick\tpagerisk=0\tdepartment=Procurement, Generics\turlsupercategory=User-defined\tappclass=Sales and Marketing\tdlpengine=None\turlclass=Bandwidth Loss\tthreatclass=None\tdlpdictionaries=None\tfileclass=None\tbwthrottle=NO\tservertranstime=0\tmd5=None" + ) message = mt.render(mark="<134>", date=date, time=time, host=host) sendsingle(message, 
setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalernss-web\" hostname={{host}}.fls.doubleclick.net") + st = env.from_string( + 'search _time={{ epoch }} index=netproxy sourcetype="zscalernss-web" hostname={{host}}.fls.doubleclick.net' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
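Review bot: `message = mt.render(mark="<134>", date=date, time=time, host=host)` passes a `mark` value that the template rebuilt just above never references (it begins with `{{ date }} {{ time }}`), so Jinja silently discards it and only `test_zscaler_proxy_pri`, whose template starts with `{{mark}}`, actually exercises the PRI-prefixed path. The same unused argument appears in the `test_zscaler_proxy_new` and `test_zscaler_lss_zpa_app` hunks further down this file. Dropping it, e.g. `message = mt.render(date=date, time=time, host=host)`, makes it clear which tests send a PRI and which deliberately do not. Separately, this fixture carries what look like real public addresses (`216.58.204.70`, `213.86.221.94`); using documentation ranges such as 192.0.2.0/24 would avoid shipping third-party addresses in a public test file. The function's header and trailing assertions are outside the hunk.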
@@ -41,7 +44,8 @@ def test_zscaler_proxy(record_property, setup_wordlist, setup_splunk, setup_sc4s assert resultCount == 1 -#2020-03-02 02:51:56 reason=Allowed event_id=6799437957281873922 protocol=HTTP action=Allowed transactionsize=623 responsesize=512 requestsize=111 urlcategory=Internet Services serverip=13.107.4.52 clienttranstime=3 requestmethod=GET refererURL="None" useragent=Microsoft NCSI product=NSS location=Road Warrior ClientIP=136.35.16.85 status=200 user=mdutta@acme.com url="www.msftconnecttest.com/connecttest.txt" vendor=Zscaler hostname=www.msftconnecttest.com clientpublicIP=136.35.16.85 threatcategory=None threatname=None filetype=None appname=generalbrowsing pagerisk=0 department=Default Department urlsupercategory=Internet Communication appclass=General Browsing dlpengine=None urlclass=Business Use threatclass=None dlpdictionaries=None fileclass=None bwthrottle=NO servertranstime=3 md5=None contenttype=text/plain trafficredirectmethod=Z_APP rulelabel=None ruletype=None mobappname=None mobappcat=None mobdevtype=None bwclassname=General Surfing bwrulename=No Bandwidth Control throttlereqsize=0 throttlerespsize=0 deviceappversion=1.5.1.8 devicemodel=20QF000CUS devicemodel=20QF000CUS devicename=mdutta devicename=mdutta deviceostype=Windows OS deviceostype=Windows OS deviceosversion=Windows 10 Enterprise deviceplatform= clientsslcipher=None clientsslsessreuse=UNKNOWN clienttlsversion=None serversslsessreuse=UNKNOWN servertranstime=3 srvcertchainvalpass=UNKNOWN srvcertvalidationtype=None srvcertvalidityperiod=None srvocspresult=None srvsslcipher=None srvtlsversion=None srvwildcardcert=UNKNOWN serversslsessreuse="UNKNOWN" dlpidentifier="0" dlpmd5="None" epochtime="1583117516" filename="None" filesubtype="None" module="General Browsing" productversion="5.7r.78.218665_84" reqdatasize="0" reqhdrsize="111" respdatasize="22" resphdrsize="490" respsize="512" respversion="1.1" tz="GMT" + +# 2020-03-02 02:51:56 reason=Allowed event_id=6799437957281873922 
protocol=HTTP action=Allowed transactionsize=623 responsesize=512 requestsize=111 urlcategory=Internet Services serverip=13.107.4.52 clienttranstime=3 requestmethod=GET refererURL="None" useragent=Microsoft NCSI product=NSS location=Road Warrior ClientIP=136.35.16.85 status=200 user=mdutta@acme.com url="www.msftconnecttest.com/connecttest.txt" vendor=Zscaler hostname=www.msftconnecttest.com clientpublicIP=136.35.16.85 threatcategory=None threatname=None filetype=None appname=generalbrowsing pagerisk=0 department=Default Department urlsupercategory=Internet Communication appclass=General Browsing dlpengine=None urlclass=Business Use threatclass=None dlpdictionaries=None fileclass=None bwthrottle=NO servertranstime=3 md5=None contenttype=text/plain trafficredirectmethod=Z_APP rulelabel=None ruletype=None mobappname=None mobappcat=None mobdevtype=None bwclassname=General Surfing bwrulename=No Bandwidth Control throttlereqsize=0 throttlerespsize=0 deviceappversion=1.5.1.8 devicemodel=20QF000CUS devicemodel=20QF000CUS devicename=mdutta devicename=mdutta deviceostype=Windows OS deviceostype=Windows OS deviceosversion=Windows 10 Enterprise deviceplatform= clientsslcipher=None clientsslsessreuse=UNKNOWN clienttlsversion=None serversslsessreuse=UNKNOWN servertranstime=3 srvcertchainvalpass=UNKNOWN srvcertvalidationtype=None srvcertvalidityperiod=None srvocspresult=None srvsslcipher=None srvtlsversion=None srvwildcardcert=UNKNOWN serversslsessreuse="UNKNOWN" dlpidentifier="0" dlpmd5="None" epochtime="1583117516" filename="None" filesubtype="None" module="General Browsing" productversion="5.7r.78.218665_84" reqdatasize="0" reqhdrsize="111" respdatasize="22" resphdrsize="490" respsize="512" respversion="1.1" tz="GMT" def test_zscaler_proxy_new(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) 
@@ -53,11 +57,15 @@ def test_zscaler_proxy_new(record_property, setup_wordlist, setup_splunk, setup_ epoch = epoch[:-7] mt = env.from_string( - "{{ date }} {{ time }}"+ ' reason=Allowed event_id=6799437957281873922 protocol=HTTP action=Allowed transactionsize=623 responsesize=512 requestsize=111 urlcategory=Internet Services serverip=13.107.4.52 clienttranstime=3 requestmethod=GET refererURL="None" useragent=Microsoft NCSI product=NSS location=Road Warrior ClientIP=136.35.16.85 status=200 user=mdutta@acme.com url="www.msftconnecttest.com/connecttest.txt" vendor=Zscaler hostname={{host}}.fls.doubleclick.net clientpublicIP=136.35.16.85 threatcategory=None threatname=None filetype=None appname=generalbrowsing pagerisk=0 department=Default Department urlsupercategory=Internet Communication appclass=General Browsing dlpengine=None urlclass=Business Use threatclass=None dlpdictionaries=None fileclass=None bwthrottle=NO servertranstime=3 md5=None contenttype=text/plain trafficredirectmethod=Z_APP rulelabel=None ruletype=None mobappname=None mobappcat=None mobdevtype=None bwclassname=General Surfing bwrulename=No Bandwidth Control throttlereqsize=0 throttlerespsize=0 deviceappversion=1.5.1.8 devicemodel=20QF000CUS devicemodel=20QF000CUS devicename=mdutta devicename=mdutta deviceostype=Windows OS deviceostype=Windows OS deviceosversion=Windows 10 Enterprise deviceplatform= clientsslcipher=None clientsslsessreuse=UNKNOWN clienttlsversion=None serversslsessreuse=UNKNOWN servertranstime=3 srvcertchainvalpass=UNKNOWN srvcertvalidationtype=None srvcertvalidityperiod=None srvocspresult=None srvsslcipher=None srvtlsversion=None srvwildcardcert=UNKNOWN serversslsessreuse="UNKNOWN" dlpidentifier="0" dlpmd5="None" epochtime="1583117516" filename="None" filesubtype="None" module="General Browsing" productversion="5.7r.78.218665_84" reqdatasize="0" reqhdrsize="111" respdatasize="22" resphdrsize="490" respsize="512" respversion="1.1" tz="GMT"') + "{{ date }} {{ time }}" + + ' 
reason=Allowed event_id=6799437957281873922 protocol=HTTP action=Allowed transactionsize=623 responsesize=512 requestsize=111 urlcategory=Internet Services serverip=13.107.4.52 clienttranstime=3 requestmethod=GET refererURL="None" useragent=Microsoft NCSI product=NSS location=Road Warrior ClientIP=136.35.16.85 status=200 user=mdutta@acme.com url="www.msftconnecttest.com/connecttest.txt" vendor=Zscaler hostname={{host}}.fls.doubleclick.net clientpublicIP=136.35.16.85 threatcategory=None threatname=None filetype=None appname=generalbrowsing pagerisk=0 department=Default Department urlsupercategory=Internet Communication appclass=General Browsing dlpengine=None urlclass=Business Use threatclass=None dlpdictionaries=None fileclass=None bwthrottle=NO servertranstime=3 md5=None contenttype=text/plain trafficredirectmethod=Z_APP rulelabel=None ruletype=None mobappname=None mobappcat=None mobdevtype=None bwclassname=General Surfing bwrulename=No Bandwidth Control throttlereqsize=0 throttlerespsize=0 deviceappversion=1.5.1.8 devicemodel=20QF000CUS devicemodel=20QF000CUS devicename=mdutta devicename=mdutta deviceostype=Windows OS deviceostype=Windows OS deviceosversion=Windows 10 Enterprise deviceplatform= clientsslcipher=None clientsslsessreuse=UNKNOWN clienttlsversion=None serversslsessreuse=UNKNOWN servertranstime=3 srvcertchainvalpass=UNKNOWN srvcertvalidationtype=None srvcertvalidityperiod=None srvocspresult=None srvsslcipher=None srvtlsversion=None srvwildcardcert=UNKNOWN serversslsessreuse="UNKNOWN" dlpidentifier="0" dlpmd5="None" epochtime="1583117516" filename="None" filesubtype="None" module="General Browsing" productversion="5.7r.78.218665_84" reqdatasize="0" reqhdrsize="111" respdatasize="22" resphdrsize="490" respsize="512" respversion="1.1" tz="GMT"' + ) message = mt.render(mark="<134>", date=date, time=time, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netproxy 
sourcetype=\"zscalernss-web\" hostname={{host}}.fls.doubleclick.net") + st = env.from_string( + 'search _time={{ epoch }} index=netproxy sourcetype="zscalernss-web" hostname={{host}}.fls.doubleclick.net' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -68,6 +76,7 @@ def test_zscaler_proxy_new(record_property, setup_wordlist, setup_splunk, setup_ assert resultCount == 1 + # def test_zscaler_proxy_pri(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) 
@@ -80,11 +89,14 @@ def test_zscaler_proxy_pri(record_property, setup_wordlist, setup_splunk, setup_ epoch = epoch[:-7] mt = env.from_string( - "{{mark}}{{ date }} {{ time }}\treason=Allowed\tevent_id=6748427317914894362\tprotocol=HTTPS\taction=Allowed\ttransactionsize=663\tresponsesize=65\trequestsize=598\turlcategory=UK_ALLOW_Pharmacies\tserverip=216.58.204.70\tclienttranstime=0\trequestmethod=CONNECT\trefererURL=None\tuseragent=Windows Windows 10 Enterprise ZTunnel/1.0\tproduct=NSS\tlocation=UK_Wynyard_VPN->other\tClientIP=192.168.0.38\tstatus=200\tuser=first.last@example.com\turl=4171764.fls.doubleclick.net:443\tvendor=Zscaler\thostname={{host}}.fls.doubleclick.net\tclientpublicIP=213.86.221.94\tthreatcategory=None\tthreatname=None\tfiletype=None\tappname=DoubleClick\tpagerisk=0\tdepartment=Procurement, Generics\turlsupercategory=User-defined\tappclass=Sales and Marketing\tdlpengine=None\turlclass=Bandwidth Loss\tthreatclass=None\tdlpdictionaries=None\tfileclass=None\tbwthrottle=NO\tservertranstime=0\tmd5=None") + "{{mark}}{{ date }} {{ time }}\treason=Allowed\tevent_id=6748427317914894362\tprotocol=HTTPS\taction=Allowed\ttransactionsize=663\tresponsesize=65\trequestsize=598\turlcategory=UK_ALLOW_Pharmacies\tserverip=216.58.204.70\tclienttranstime=0\trequestmethod=CONNECT\trefererURL=None\tuseragent=Windows Windows 10 Enterprise ZTunnel/1.0\tproduct=NSS\tlocation=UK_Wynyard_VPN->other\tClientIP=192.168.0.38\tstatus=200\tuser=first.last@example.com\turl=4171764.fls.doubleclick.net:443\tvendor=Zscaler\thostname={{host}}.fls.doubleclick.net\tclientpublicIP=213.86.221.94\tthreatcategory=None\tthreatname=None\tfiletype=None\tappname=DoubleClick\tpagerisk=0\tdepartment=Procurement, Generics\turlsupercategory=User-defined\tappclass=Sales and Marketing\tdlpengine=None\turlclass=Bandwidth Loss\tthreatclass=None\tdlpdictionaries=None\tfileclass=None\tbwthrottle=NO\tservertranstime=0\tmd5=None" + ) message = mt.render(mark="<134>", date=date, time=time, host=host) 
sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalernss-web\" hostname={{host}}.fls.doubleclick.net") + st = env.from_string( + 'search _time={{ epoch }} index=netproxy sourcetype="zscalernss-web" hostname={{host}}.fls.doubleclick.net' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) @@ -95,7 +107,8 @@ def test_zscaler_proxy_pri(record_property, setup_wordlist, setup_splunk, setup_ assert resultCount == 1 -#<118>Mar 1 22:05:35 [10.225.64.143] ZscalerNSS: The NSS free memory has decreased to 1.40 GB which is below the recommended 1.55 GB {{host}} + +# <118>Mar 1 22:05:35 [10.225.64.143] ZscalerNSS: The NSS free memory has decreased to 1.40 GB which is below the recommended 1.55 GB {{host}} def test_zscaler_nss_alerts(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) @@ -106,11 +119,14 @@ def test_zscaler_nss_alerts(record_property, setup_wordlist, setup_splunk, setup epoch = epoch[:-7] mt = env.from_string( - "{{mark}}{{ bsd }} [10.0.0.143] ZscalerNSS: The NSS free memory has decreased to 1.40 GB which is below the recommended 1.55 GB {{host}}") + "{{mark}}{{ bsd }} [10.0.0.143] ZscalerNSS: The NSS free memory has decreased to 1.40 GB which is below the recommended 1.55 GB {{host}}" + ) message = mt.render(mark="<134>", bsd=bsd, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netops sourcetype=\"zscalernss-alerts\" \"{{host}}\"") + st = env.from_string( + 'search _time={{ epoch }} index=netops sourcetype="zscalernss-alerts" "{{host}}"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
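Review bot: The sample event in the comment above `test_zscaler_nss_alerts` names the source as `[10.225.64.143]`, while the template the test actually sends uses `[10.0.0.143]`, so the comment no longer documents the message under test. Since this commit already rewrites that comment line, aligning it with the template (`# <118>Mar 1 22:05:35 [10.0.0.143] ZscalerNSS: The NSS free memory has decreased to 1.40 GB which is below the recommended 1.55 GB {{host}}`) or adding a short note that the bracketed address is a placeholder would keep the two in step. The rest of `test_zscaler_nss_alerts` is outside this hunk.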
@@ -121,7 +137,8 @@ def test_zscaler_nss_alerts(record_property, setup_wordlist, setup_splunk, setup assert resultCount == 1 -#{"LogTimestamp": "Mon Mar 2 02:57:01 2020","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "10.26.1.19","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"} + +# {"LogTimestamp": "Mon Mar 2 02:57:01 2020","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": 
"","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "10.26.1.19","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"} def test_zscaler_lss_zpa_app(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) 
@@ -133,11 +150,15 @@ def test_zscaler_lss_zpa_app(record_property, setup_wordlist, setup_splunk, setu epoch = epoch[:-7] mt = env.from_string( - "{\"LogTimestamp\": \"{{ lss_time }}" + '","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "{{host}}","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"}') + '{"LogTimestamp": "{{ lss_time }}' + + '","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": 
"","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "{{host}}","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"}' + ) message = mt.render(mark="<134>", lss_time=lss_time, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalerlss-zpa-app\" \"{{host}}\"") + st = env.from_string( + 'search _time={{ epoch }} index=netproxy sourcetype="zscalerlss-zpa-app" "{{host}}"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
@@ -148,8 +169,11 @@ def test_zscaler_lss_zpa_app(record_property, setup_wordlist, setup_splunk, setu assert resultCount == 1 -#<111>{"LogTimestamp": "Mon Mar 2 02:57:01 2020","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "10.26.1.19","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"} -def test_zscaler_lss_zpa_app_pri(record_property, setup_wordlist, setup_splunk, setup_sc4s): + +# <111>{"LogTimestamp": "Mon Mar 2 02:57:01 2020","Customer": "Acme, Inc.","SessionID": 
"qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "10.26.1.19","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"} +def test_zscaler_lss_zpa_app_pri( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() 
@@ -160,11 +184,15 @@ def test_zscaler_lss_zpa_app_pri(record_property, setup_wordlist, setup_splunk, epoch = epoch[:-7] mt = env.from_string( - "{{mark}}{\"LogTimestamp\": \"{{ lss_time }}" + '","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": "qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "{{host}}","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"}') + '{{mark}}{"LogTimestamp": "{{ lss_time }}' + + '","Customer": "Acme, Inc.","SessionID": "qdLxaTYtMbsCQllNaCZ2","ConnectionID": 
"qdLxaTYtMbsCQllNaCZ2,aZcOpy7yN8iPncqmSuAv","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "nlipper@acme.com","ServicePort": 8384,"ClientPublicIP": "73.144.81.255","ClientPrivateIP": "","ClientLatitude": 42.000000,"ClientLongitude": -84.000000,"ClientCountryCode": "US","ClientZEN": "US-OH-8290","Policy": "Any Any Allow","Connector": "DFA Azure-2","ConnectorZEN": "US-OH-8290","ConnectorIP": "10.202.4.68","ConnectorPort": 35992,"Host": "10.26.1.19","Application": "DFA IP SPACE","AppGroup": "Dynamically Discovered Apps","Server": "0","ServerIP": "{{host}}","ServerPort": 8384,"PolicyProcessingTime": 120,"CAProcessingTime": 445,"ConnectorZENSetupTime": 46610,"ConnectionSetupTime": 47200,"ServerSetupTime": 22207,"AppLearnTime": 0,"TimestampConnectionStart": "2020-02-29T20:42:01.228Z","TimestampConnectionEnd": "","TimestampCATx": "2020-02-29T20:42:01.228Z","TimestampCARx": "2020-02-29T20:42:01.228Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2020-02-29T20:42:01.275Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "","ZENTotalBytesRxClient": 0,"ZENBytesRxClient": 0,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 0,"ZENBytesTxConnector": 0,"Idp": "IDP Config"}' + ) message = mt.render(mark="<134>", lss_time=lss_time, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalerlss-zpa-app\" \"{{host}}\"") + st = env.from_string( + 'search _time={{ epoch }} index=netproxy sourcetype="zscalerlss-zpa-app" "{{host}}"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, 
search) 
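Review bot: `{{host}}` is spliced into the `"ServerIP"` value of the event template and into the SPL search string without any escaping, so the rendered payload is only valid JSON as long as every `setup_wordlist` entry is free of `"` and `\`. Assuming `env` is a jinja2 Environment, writing `"ServerIP": {{ host | tojson }}` (dropping the hand-written surrounding quotes) fixes that while leaving the rest of the literal byte-for-byte, which matters here because the fixture deliberately preserves vendor formatting such as `42.000000` that a `json.dumps` rebuild would rewrite. The random host value is not untrusted input, so this is about fixture robustness rather than a vulnerability. test_zscaler_lss_zpa_app_pri begins in the previous hunk and its assertions follow in the next.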
@@ -175,7 +203,8 @@ def test_zscaler_lss_zpa_app_pri(record_property, setup_wordlist, setup_splunk, assert resultCount == 1 -#{"LogTimestamp": "Mon Mar 2 02:57:05 2020","Customer": "Acme, Inc.","Username": "chuffma@acme.com","SessionID": "lCINpOrrZl3pGQCVYP+E","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "1.5.1.8.191135","ZEN": "US-IL-8706","CertificateCN": "WJJ26L69Y6bmncPqV/YRQXe17aDzRf6Z0M1n7CU7UaQ=@acme.com","PrivateIP": "","PublicIP": "174.97.166.11","Latitude": 44.000000,"Longitude": -88.000000,"CountryCode": "","TimestampAuthentication": "2020-02-27T13:04:55.000Z","TimestampUnAuthentication": "","TotalBytesRx": 46997613,"TotalBytesTx": 2232391,"Idp": "IDP Config","Hostname": "","Platform": "","ClientType": "zpn_client_type_zapp","TrustedNetworks": ,"TrustedNetworksNames": ,"SAMLAttributes": "{\"FirstName\":[\"Christopher\"],\"LastName\":[\"Huffman\"],\"Email\":[\"chuffma@acme.com\"],\"GroupName\":[\"zScaler_ZPA\"]}","PosturesHit": ,"PosturesMiss": ,"ZENLatitude": 41.000000,"ZENLongitude": -88.000000,"ZENCountryCode": "US"} + +# {"LogTimestamp": "Mon Mar 2 02:57:05 2020","Customer": "Acme, Inc.","Username": "chuffma@acme.com","SessionID": "lCINpOrrZl3pGQCVYP+E","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "1.5.1.8.191135","ZEN": "US-IL-8706","CertificateCN": "WJJ26L69Y6bmncPqV/YRQXe17aDzRf6Z0M1n7CU7UaQ=@acme.com","PrivateIP": "","PublicIP": "174.97.166.11","Latitude": 44.000000,"Longitude": -88.000000,"CountryCode": "","TimestampAuthentication": "2020-02-27T13:04:55.000Z","TimestampUnAuthentication": "","TotalBytesRx": 46997613,"TotalBytesTx": 2232391,"Idp": "IDP Config","Hostname": "","Platform": "","ClientType": "zpn_client_type_zapp","TrustedNetworks": ,"TrustedNetworksNames": ,"SAMLAttributes": "{\"FirstName\":[\"Christopher\"],\"LastName\":[\"Huffman\"],\"Email\":[\"chuffma@acme.com\"],\"GroupName\":[\"zScaler_ZPA\"]}","PosturesHit": ,"PosturesMiss": ,"ZENLatitude": 41.000000,"ZENLongitude": -88.000000,"ZENCountryCode": "US"} def 
test_zscaler_lss_zpa_bba(record_property, setup_wordlist, setup_splunk, setup_sc4s): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) 
@@ -187,11 +216,15 @@ def test_zscaler_lss_zpa_bba(record_property, setup_wordlist, setup_splunk, setu epoch = epoch[:-7] mt = env.from_string( - "{\"LogTimestamp\": \"{{ lss_time }}" + '","ConnectionID":"6N9BHIHZrwGXJXG7q4sn,dUPdoZAgr6vJKlv588GG","Exporter":"unset","TimestampRequestReceiveStart":"2020-03-01T22:39:30.679Z","TimestampRequestReceiveHeaderFinish":"2020-03-01T22:39:30.679Z","TimestampRequestReceiveFinish":"2020-03-01T22:39:30.680Z","TimestampRequestTransmitStart":"2020-03-01T22:39:30.680Z","TimestampRequestTransmitFinish":"2020-03-02T02:28:53.277Z","TimestampResponseReceiveStart":"2020-03-01T22:39:30.707Z","TimestampResponseReceiveFinish":"2020-03-02T02:28:53.309Z","TimestampResponseTransmitStart":"2020-03-01T22:39:30.707Z","TimestampResponseTransmitFinish":"2020-03-02T02:28:51.762Z","TotalTimeRequestReceive":1193,"TotalTimeRequestTransmit":13762597414,"TotalTimeResponseReceive":13762601379,"TotalTimeResponseTransmit":13761054628,"TotalTimeConnectionSetup":1037,"TotalTimeServerResponse":-13762570100,"Method":"GET","Protocol":"HTTPS","Host":"accountman.dfamilk.com","URL":"/remoteDesktopGateway","UserAgent":"","XFF":"","NameID":"carlos.garcia.11@acme.com","StatusCode":101,"RequestSize":2246,"ResponseSize":3823185,"ApplicationPort":443,"ClientPublicIp":"162.205.86.162","ClientPublicPort":49330,"ClientPrivateIp":"","Customer":"{{host}}","ConnectionStatus":"zfce_mt_remote_disconnect","ConnectionReason":"BRK_MT_CLOSED_FROM_ASSISTANT"}') + '{"LogTimestamp": "{{ lss_time }}' + + 
'","ConnectionID":"6N9BHIHZrwGXJXG7q4sn,dUPdoZAgr6vJKlv588GG","Exporter":"unset","TimestampRequestReceiveStart":"2020-03-01T22:39:30.679Z","TimestampRequestReceiveHeaderFinish":"2020-03-01T22:39:30.679Z","TimestampRequestReceiveFinish":"2020-03-01T22:39:30.680Z","TimestampRequestTransmitStart":"2020-03-01T22:39:30.680Z","TimestampRequestTransmitFinish":"2020-03-02T02:28:53.277Z","TimestampResponseReceiveStart":"2020-03-01T22:39:30.707Z","TimestampResponseReceiveFinish":"2020-03-02T02:28:53.309Z","TimestampResponseTransmitStart":"2020-03-01T22:39:30.707Z","TimestampResponseTransmitFinish":"2020-03-02T02:28:51.762Z","TotalTimeRequestReceive":1193,"TotalTimeRequestTransmit":13762597414,"TotalTimeResponseReceive":13762601379,"TotalTimeResponseTransmit":13761054628,"TotalTimeConnectionSetup":1037,"TotalTimeServerResponse":-13762570100,"Method":"GET","Protocol":"HTTPS","Host":"accountman.dfamilk.com","URL":"/remoteDesktopGateway","UserAgent":"","XFF":"","NameID":"carlos.garcia.11@acme.com","StatusCode":101,"RequestSize":2246,"ResponseSize":3823185,"ApplicationPort":443,"ClientPublicIp":"162.205.86.162","ClientPublicPort":49330,"ClientPrivateIp":"","Customer":"{{host}}","ConnectionStatus":"zfce_mt_remote_disconnect","ConnectionReason":"BRK_MT_CLOSED_FROM_ASSISTANT"}' + ) message = mt.render(mark="<134>", lss_time=lss_time, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalerlss-zpa-bba\" \"{{host}}\"") + st = env.from_string( + 'search _time={{ epoch }} index=netproxy sourcetype="zscalerlss-zpa-bba" "{{host}}"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
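Review bot: `mark="<134>"` is passed to `mt.render` here, but the template assembled from `'{"LogTimestamp": "{{ lss_time }}'` onward has no `{{mark}}` placeholder, so the argument is silently ignored and the message is sent without a PRI. If that is intentional (the commented sample above this test also carries no PRI), drop the keyword so the call reads `message = mt.render(lss_time=lss_time, host=host)`; if a PRI was meant to be sent, prefix the template with `{{mark}}` as test_zscaler_lss_zpa_app_pri does. The same unused argument appears in the `@@ -215,11 +250,15 @@` and `@@ -243,11 +284,15 @@` hunks. test_zscaler_lss_zpa_bba starts in the previous hunk and its assertion follows in the next.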
@@ -203,8 +236,10 @@ def test_zscaler_lss_zpa_bba(record_property, setup_wordlist, setup_splunk, setu assert resultCount == 1 -#{"LogTimestamp": "Mon Mar 2 02:51:53 2020","Customer": "Acme, Inc.","SessionID": "NNz9t5AY1Rq5dzyLbNRB","SessionType": "ZPN_ASSISTANT_BROKER_CONTROL","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.102.2","Platform": "el7","ZEN": "US-NY-8180","Connector": "St Albans-1","ConnectorGroup": "St Albans Connector","PrivateIP": "192.168.16.15","PublicIP": "184.80.224.186","Latitude": 44.000000,"Longitude": -73.000000,"CountryCode": "","TimestampAuthentication": "2020-02-27T07:03:53.689Z","TimestampUnAuthentication": "","CPUUtilization": 1,"MemUtilization": 16,"ServiceCount": 0,"InterfaceDefRoute": "eth0","DefRouteGW": "192.168.16.1","PrimaryDNSResolver": "192.168.16.16","HostUpTime": "1572630032","ConnectorUpTime": "1579500006","NumOfInterfaces": 2,"BytesRxInterface": 63778867197,"PacketsRxInterface": 669441337,"ErrorsRxInterface": 0,"DiscardsRxInterface": 1181261,"BytesTxInterface": 50473462713,"PacketsTxInterface": 492668679,"ErrorsTxInterface": 0,"DiscardsTxInterface": 0,"TotalBytesRx": 6979022,"TotalBytesTx": 47705494} -def test_zscaler_lss_zpa_connector(record_property, setup_wordlist, setup_splunk, setup_sc4s): +# {"LogTimestamp": "Mon Mar 2 02:51:53 2020","Customer": "Acme, Inc.","SessionID": "NNz9t5AY1Rq5dzyLbNRB","SessionType": "ZPN_ASSISTANT_BROKER_CONTROL","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.102.2","Platform": "el7","ZEN": "US-NY-8180","Connector": "St Albans-1","ConnectorGroup": "St Albans Connector","PrivateIP": "192.168.16.15","PublicIP": "184.80.224.186","Latitude": 44.000000,"Longitude": -73.000000,"CountryCode": "","TimestampAuthentication": "2020-02-27T07:03:53.689Z","TimestampUnAuthentication": "","CPUUtilization": 1,"MemUtilization": 16,"ServiceCount": 0,"InterfaceDefRoute": "eth0","DefRouteGW": "192.168.16.1","PrimaryDNSResolver": "192.168.16.16","HostUpTime": "1572630032","ConnectorUpTime": 
"1579500006","NumOfInterfaces": 2,"BytesRxInterface": 63778867197,"PacketsRxInterface": 669441337,"ErrorsRxInterface": 0,"DiscardsRxInterface": 1181261,"BytesTxInterface": 50473462713,"PacketsTxInterface": 492668679,"ErrorsTxInterface": 0,"DiscardsTxInterface": 0,"TotalBytesRx": 6979022,"TotalBytesTx": 47705494} +def test_zscaler_lss_zpa_connector( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() 
@@ -215,11 +250,15 @@ def test_zscaler_lss_zpa_connector(record_property, setup_wordlist, setup_splunk epoch = epoch[:-7] mt = env.from_string( - "{\"LogTimestamp\": \"{{ lss_time }}" + '","Customer": "{{host}}","SessionID": "NNz9t5AY1Rq5dzyLbNRB","SessionType": "ZPN_ASSISTANT_BROKER_CONTROL","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.102.2","Platform": "el7","ZEN": "US-NY-8180","Connector": "St Albans-1","ConnectorGroup": "St Albans Connector","PrivateIP": "192.168.16.15","PublicIP": "184.80.224.186","Latitude": 44.000000,"Longitude": -73.000000,"CountryCode": "","TimestampAuthentication": "2020-02-27T07:03:53.689Z","TimestampUnAuthentication": "","CPUUtilization": 1,"MemUtilization": 16,"ServiceCount": 0,"InterfaceDefRoute": "eth0","DefRouteGW": "192.168.16.1","PrimaryDNSResolver": "192.168.16.16","HostUpTime": "1572630032","ConnectorUpTime": "1579500006","NumOfInterfaces": 2,"BytesRxInterface": 63778867197,"PacketsRxInterface": 669441337,"ErrorsRxInterface": 0,"DiscardsRxInterface": 1181261,"BytesTxInterface": 50473462713,"PacketsTxInterface": 492668679,"ErrorsTxInterface": 0,"DiscardsTxInterface": 0,"TotalBytesRx": 6979022,"TotalBytesTx": 47705494}') + '{"LogTimestamp": "{{ lss_time }}' + + '","Customer": "{{host}}","SessionID": "NNz9t5AY1Rq5dzyLbNRB","SessionType": "ZPN_ASSISTANT_BROKER_CONTROL","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.102.2","Platform": "el7","ZEN": "US-NY-8180","Connector": "St Albans-1","ConnectorGroup": "St Albans Connector","PrivateIP": "192.168.16.15","PublicIP": "184.80.224.186","Latitude": 44.000000,"Longitude": -73.000000,"CountryCode": "","TimestampAuthentication": "2020-02-27T07:03:53.689Z","TimestampUnAuthentication": "","CPUUtilization": 1,"MemUtilization": 16,"ServiceCount": 0,"InterfaceDefRoute": "eth0","DefRouteGW": "192.168.16.1","PrimaryDNSResolver": "192.168.16.16","HostUpTime": "1572630032","ConnectorUpTime": "1579500006","NumOfInterfaces": 2,"BytesRxInterface": 
63778867197,"PacketsRxInterface": 669441337,"ErrorsRxInterface": 0,"DiscardsRxInterface": 1181261,"BytesTxInterface": 50473462713,"PacketsTxInterface": 492668679,"ErrorsTxInterface": 0,"DiscardsTxInterface": 0,"TotalBytesRx": 6979022,"TotalBytesTx": 47705494}' + ) message = mt.render(mark="<134>", lss_time=lss_time, host=host) sendsingle(message, setup_sc4s[0], setup_sc4s[1][514]) - st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalerlss-zpa-connector\" \"{{host}}\"") + st = env.from_string( + 'search _time={{ epoch }} index=netproxy sourcetype="zscalerlss-zpa-connector" "{{host}}"' + ) search = st.render(epoch=epoch, host=host) resultCount, eventCount = splunk_single(setup_splunk, search) 
@@ -231,8 +270,10 @@ def test_zscaler_lss_zpa_connector(record_property, setup_wordlist, setup_splunk assert resultCount == 1 -#{"LogTimestamp": "Fri May 31 17:34:48 2019","Customer": "ANZ Team/zdemo in beta","Username": "ZPA LSS Client","SessionID": "cKgzUERSLl09Y+ytH8v5","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.12.0-36-g87dad18","ZEN": "broker1b.pdx2","CertificateCN": "slogger1b.pdx2.zpabeta.net","PrivateIP": "","PublicIP": "34.216.108.5","Latitude": 45.000000,"Longitude": -119.000000,"CountryCode": "US","TimestampAuthentication": "2019-05-29T21:18:38.000Z","TimestampUnAuthentication": "","TotalBytesRx": 31274866,"TotalBytesTx": 25424152,"Idp": "Example IDP Config","Hostname": "DESKTOP-2K299HC","Platform": "windows","ClientType": "zpn_client_type_zapp","TrustedNetworks": "TN1_stc1","TrustedNetworksNames": "145248739466947538","SAMLAttributes": "myname:jdoe,myemail:jdoe@zscaler.com","PosturesHit": "sm-posture1,sm-posture2","PosturesMisses": "sm-posture11,sm-posture12","ZENLatitude": 47.000000,"ZENLongitude": -122.000000,"ZENCountryCode": ""} -def test_zscaler_lss_zpa_auth(record_property, setup_wordlist, setup_splunk, setup_sc4s): +# {"LogTimestamp": "Fri May 31 17:34:48 2019","Customer": "ANZ Team/zdemo in beta","Username": "ZPA LSS Client","SessionID": "cKgzUERSLl09Y+ytH8v5","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.12.0-36-g87dad18","ZEN": "broker1b.pdx2","CertificateCN": "slogger1b.pdx2.zpabeta.net","PrivateIP": "","PublicIP": "34.216.108.5","Latitude": 45.000000,"Longitude": -119.000000,"CountryCode": "US","TimestampAuthentication": "2019-05-29T21:18:38.000Z","TimestampUnAuthentication": "","TotalBytesRx": 31274866,"TotalBytesTx": 25424152,"Idp": "Example IDP Config","Hostname": "DESKTOP-2K299HC","Platform": "windows","ClientType": "zpn_client_type_zapp","TrustedNetworks": "TN1_stc1","TrustedNetworksNames": "145248739466947538","SAMLAttributes": "myname:jdoe,myemail:jdoe@zscaler.com","PosturesHit": 
"sm-posture1,sm-posture2","PosturesMisses": "sm-posture11,sm-posture12","ZENLatitude": 47.000000,"ZENLongitude": -122.000000,"ZENCountryCode": ""} +def test_zscaler_lss_zpa_auth( + record_property, setup_wordlist, setup_splunk, setup_sc4s +): host = "{}-{}".format(random.choice(setup_wordlist), random.choice(setup_wordlist)) dt = datetime.datetime.now() 
@@ -243,11 +284,15 @@ def test_zscaler_lss_zpa_auth(record_property, setup_wordlist, setup_splunk, set epoch = epoch[:-7] mt = env.from_string( - "{\"LogTimestamp\": \"{{ lss_time }}" + '","Customer": "{{host}}","Username": "ZPA LSS Client","SessionID": "cKgzUERSLl09Y+ytH8v5","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.12.0-36-g87dad18","ZEN": "broker1b.pdx2","CertificateCN": "slogger1b.pdx2.zpabeta.net","PrivateIP": "","PublicIP": "34.216.108.5","Latitude": 45.000000,"Longitude": -119.000000,"CountryCode": "US","TimestampAuthentication": "2019-05-29T21:18:38.000Z","TimestampUnAuthentication": "","TotalBytesRx": 31274866,"TotalBytesTx": 25424152,"Idp": "Example IDP Config","Hostname": "DESKTOP-2K299HC","Platform": "windows","ClientType": "zpn_client_type_zapp","TrustedNetworks": "TN1_stc1","TrustedNetworksNames": "145248739466947538","SAMLAttributes": "myname:jdoe,myemail:jdoe@zscaler.com","PosturesHit": "sm-posture1,sm-posture2","PosturesMisses": "sm-posture11,sm-posture12","ZENLatitude": 47.000000,"ZENLongitude": -122.000000,"ZENCountryCode": ""}') + '{"LogTimestamp": "{{ lss_time }}' + + '","Customer": "{{host}}","Username": "ZPA LSS Client","SessionID": "cKgzUERSLl09Y+ytH8v5","SessionStatus": "ZPN_STATUS_AUTHENTICATED","Version": "19.12.0-36-g87dad18","ZEN": "broker1b.pdx2","CertificateCN": "slogger1b.pdx2.zpabeta.net","PrivateIP": "","PublicIP": "34.216.108.5","Latitude": 45.000000,"Longitude": -119.000000,"CountryCode": "US","TimestampAuthentication": "2019-05-29T21:18:38.000Z","TimestampUnAuthentication": "","TotalBytesRx": 31274866,"TotalBytesTx": 25424152,"Idp": "Example IDP Config","Hostname": "DESKTOP-2K299HC","Platform": "windows","ClientType": "zpn_client_type_zapp","TrustedNetworks": "TN1_stc1","TrustedNetworksNames": "145248739466947538","SAMLAttributes": "myname:jdoe,myemail:jdoe@zscaler.com","PosturesHit": "sm-posture1,sm-posture2","PosturesMisses": "sm-posture11,sm-posture12","ZENLatitude": 47.000000,"ZENLongitude": 
-122.000000,"ZENCountryCode": ""}'
+ )
 message = mt.render(mark="<134>", lss_time=lss_time, host=host)
 sendsingle(message, setup_sc4s[0], setup_sc4s[1][514])
- st = env.from_string("search _time={{ epoch }} index=netproxy sourcetype=\"zscalerlss-zpa-auth\" \"{{host}}\"")
+ st = env.from_string(
+ 'search _time={{ epoch }} index=netproxy sourcetype="zscalerlss-zpa-auth" "{{host}}"'
+ )
 search = st.render(epoch=epoch, host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
diff --git a/tests/timeutils.py b/tests/timeutils.py
index 0e89bd0e48..b4341fc4c4 100644
--- a/tests/timeutils.py
+++ b/tests/timeutils.py
@@ -6,13 +6,15 @@ def insert_char(string, char, integer):
 return string[0:integer] + char + string[integer:]
+
 def removeZero(tz):
- return re.sub(r'\b0+(\d)(?=:)', r'\1', tz)
+ return re.sub(r"\b0+(\d)(?=:)", r"\1", tz)
+
 def time_operations(dt):
 # Generate an ISO 8601 (RFC 5424) compliant timestamp with local timezone offset (2020-02-12T12:46:39.323-08:00)
 # See https://stackoverflow.com/questions/2150739/iso-time-iso-8601-in-python
- iso = dt.astimezone().isoformat(sep='T', timespec='microseconds')
+ iso = dt.astimezone().isoformat(sep="T", timespec="microseconds")
 # Generate an BSD-style (RFC 3164) compliant timestamp with no timezone (Oct 25 13:08:00)
 bsd = dt.strftime("%b %d %H:%M:%S")